Pat Pilcher: Are Windows XP security threats overhyped?

With Windows XP support now at an end, debate is raging about what this means for home and business users once XP vulnerabilities start being exploited. Curious to get an experts view, I caught up with Alastair MacGibbon.

As the Director of the Centre for Internet Safety at University of Canberra, Alastair previously held senior IT security roles at the Australian High Tech Crime Centre and eBay. Often referred to as Australia's former top cyber cop, Alastair is well positioned to cut through the hype surrounding the XP issue.

PP: What's going to happen now that XP support has ended? Many say the whole XP issue is overhyped. Some are saying it's just a money-making scheme for Microsoft. How real are the security threats?

AM: Now that support has ended for XP there's several major issues that users will now face. Most importantly, they won't be getting any more security patches developed by Microsoft. This means their PCs will become increasingly vulnerable to criminals. They'll also find that software they have been running, and hardware connected will slowly start to fail, as third party developers will no longer be supporting XP either. So there's significant security and productivity hurdles to both home and business users.

It would be improper to say XP end of life is over-hyped. I'm of the view that there should be a lot more hype. I get worried when I go to a hotel or another business and I see the XP symbol bouncing across the screen-saver. It tells me I'm dealing with a business that isn't protecting my information, nor the information of other customers. And lots of government departments fall into that category too, sadly.

We don't expect Ford to be making parts for the Model T any more, nor should we be expecting Microsoft to be supporting old code for a system that was great when it launched, but doesn't meet modern user demands.... Mobility, the cloud, better security.

PP: What could some of these threats look like?

AM: The type of criminals who'll be exploiting PCs running XP will be after one thing: cash. They'll either take cash directly by stealing credit card details, eavesdropping on internet banking sessions, or plundering our identity information (usernames, passwords, online bills) which they either use to build up credit applications, or (more likely) sell to online. So there will likely just be increased volume of those types of surreptitious attacks. There'll also be an uptake in what's known as "ransomware" which involves crooks locking your files and demanding money to unlock them. In short, the increased vulnerabilities will lead to more... lots more... of the same.

Microsoft's most recent Security Intelligence Report showed that XP was nearly six times more vulnerable than Windows 8. This makes sense, because coding practices have really improved, engineers are more cognizant of the threat environment, and crooks haven't spent the last 13 years pulling it apart looking for vulnerabilities.

PP: What factors are causing some organisations to resist the move to upgrade away from XP?

AM: Great question. Firstly, it's not all doom and gloom. We know people have been shifting, but too slowly and there's hold outs.

At its most basic level, for home users there can just be resistance to change. People like what they know. For businesses it's more complex: they need to make sure any custom apps they've built will work on a new operating system, and that's really tough. Poor economic times haven't helped. IT areas haven't built the right business cases to get through their senior colleagues.

They need to look at this as a productivity issue: not only will Windows 8 be better suited to workers and customers (mobility etc), but it's a more stable platform, so less down time. Also, this should no longer be an IT question, but one for CEOs and Boards to be asking.

PP: Are any specific industries more exposed than others? I hear for instance that some ATM machines use XP?

AM: On face value it's worrisome that ATMs may be running on XP. They are likely to be running on "XP embedded" that is designed for these types of systems. That's supported until 2016, so there is a little runway for financial institutions to be mowing over to new systems. But supported or not, this is old software designed and released in a more benign security environment and a less demanding world.

I stay at hotels running XP, do business with retailers running XP and have services provided by government departments running XP. They should all know better because Microsoft has been sending this message out since 2007.

PP: What impacts could we see should these industries prove sluggish to migrate?
AM: An increase in loss of customer data. Your data and my data. As a consumer I'm not happy.

PP: Could the end of XP open a door to non-Microsoft OS's in business environments?
AM: Sure it could. And sensible businesses look around at options when they get a chance and there are some amazing things operating systems can do now.

My cautionary note would be that businesses also need to partner with mature software providers. Many of Microsoft's competitors are teenagers in terms of their lifecycle, bold, infallible. Microsoft's been in this game a long time and has always built products to work in enterprises. And, having just moved my business over to Windows 8, I can say it's pretty innovative and, dare I say it, cool.

PP: What should a small business look to do when migrating away from XP?
AM: Most importantly they need to make sure whatever operating system they choose meets the needs of the business and their customers. They'll need to check that custom software they run will work on Windows 8, or Windows 7. I think they'll work out there's money to accrete from spending a little on software again, through better productivity.

PP: And what about larger businesses?
AM: Same as above, but on a larger scale.