More than a year after Microsoft ended support for the aging OS, some high-profile organizations are still using Windows XP — and putting themselves at risk.
7 places you’ll be surprised to learn are still using Windows XP
Microsoft announced in April 2014 that it would no longer support the 13-year-old Windows XP operating system. However, now, more than a year later, Kaspersky Lab and Net Applications both report that between 16 and 17 percent of computer users still use XP. You may think that it’s mostly consumers, but the reality is that millions of business-critical systems are still running Windows XP, leaving them open to potential security issues. “When a company ends support, like Microsoft did, then vulnerabilities don’t get fixed. If these vulnerabilities get public, [they] will be all over the Internet and easy to exploit. The problem with XP is that it was such a good, robust system that it still has quite a large user base,” says Andrey Pozhogin, senior product marketing manager at Kaspersky Lab North America.
We were surprised to uncover some large organizations still relying on this retired technology. Here’s a look at seven places you wouldn’t expect to still be using Windows XP.
The U.S. Navy
According to a recently unclassified Navy document, Microsoft applications affect “critical command and control systems” on ships and land-based legacy systems, leaving them open to potential cybersecurity risks. But the Navy isn’t standing idly by as it works to rid itself of these legacy systems.
According to an IDG News Service report, the U.S. Navy just entered into a $9.1 million contract that would keep the XP security patches and updates coming until 2017. Over the entire length of the contract, the total will near $31 million.
“Without this continued support, vulnerabilities to these systems will be discovered, with no patches to protect the systems,” the Navy document says. “The resulting deterioration will make the U.S. Navy more susceptible to intrusion … and could lead to loss of data integrity, network performance and the inability to meet mission readiness of critical networks.”
The Navy is also paying for continued support for Microsoft’s Office 2003, Exchange 2003 and Server 2003. The Navy has been transitioning away from the obsolete systems but at the time of this report it has more than 100,000 workstations running Windows XP and other aging systems.
The U.S. Army
The Navy isn’t the only branch of the military struggling with outdated technology. The Army purchased a Microsoft Custom Support Agreement (CSA) for Windows XP last year. Like the Navy, the Army doesn’t want to give specifics on which systems are affected but the document states the following: “This procurement will ensure the Army has continued extended support to avoid security vulnerabilities on the existing licenses. The security updates for vulnerabilities rated ‘critical’ will be provided at no additional charge, but per hotfix, fees apply for security hotfixes rated ‘important.’ Non-security hotfixes are not available.”
This would seem to indicate that, like the Navy, some of these systems are mission critical.
Crown Commercial Service
The Crown Commercial Service, Great Britain’s government agency in charge of the improvement of commercial ties and procurement activities, had paid for XP extended support until 2015, but in May decided to end the contract, leaving thousands of computers at risk of attack from “low-level hackers,” according to a recent article from The Guardian. Government officials said the departments in question had known for seven years that this day was coming and they would need to migrate away from Windows XP. “We expect most remaining government devices using Windows XP will be able to mitigate any risks, using the CESG guidance. Where this is not possible, they may need to review their own short term transition support,” says Britain’s Government Digital Service tech blog.
The National Health Service
Another quick stop in Great Britain brings us to their National Health Service, an organization responsible for a publicly funded healthcare system — an enormous government agency. Last October, it reported that, “35 percent of NHS Trusts are still running Windows XP seven months after it reached end of life.” In fact, 14 percent of those NHS Trusts were so reliant that they were unable to set a date for transition. With the recent high-profile hacking cases, the NHS seems like it could be a privacy disaster waiting to happen.
In 2008, the NHS had implemented a plan to update systems across the entire organization to address these issues but abandoned the endeavor after pouring 12 billion pounds into the plan.
ATMs around the globe
Last October, a whopping 95 percent of ATMs were still using Windows XP and hackers were exploiting this to drain ATM machines. In 2014, Kaspersky Lab’s Global Research and Analysis Team was hired as forensic investigators to find out how thieves were tapping ATM machines in Eastern Europe.
“During the course of this investigation, we discovered a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation. At the time of the investigation, the malware (Backdoor.MSIL.Tyupkin) was active on more than 50 ATMs at banking institutions in Eastern Europe. Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China,” the Kaspersky team reported.
As recently as May, incidents continue to be reported in both Eastern and Western Europe. In the most recent one, thieves made away with 1.23 million pounds. The European ATM Security Team (EAST), the arm responsible for oversight of trends in ATM fraud, said, “As a significant number of Europe’s ATMs continue to use the Windows XP operating system, there are concerns that many remain vulnerable to ATM malware if the necessary preventative measures are not taken.”
Water utility companies using XP
Last year, Forbes reported that an alarming 75 percent of life-sustaining water utility companies were still operating using Windows XP. Numbers like that make this area vulnerable to cyber attacks. According to Matt Wells, general manager for automation software at GE Intelligent Platforms, the utilities industry is slow to adopt new technologies, but with the ending of XP support, cloud computing will help these outfits transition to newer technology.
The U.S. electrical energy industry
According to a recent Forbes article by Michael Assante, the former vice president and CSO for the North American Electric Reliability Corp. and former CSO for American Electric Power Company Inc., Windows XP is still being used on workstations in a majority of the electric and gas utilities in the U.S.
The energy industry reported last August that they were worried, too. In fact, cybersecurity has moved onto the list of the top five concerns for U.S. electric utilities, according to data from a recent U.S. News and World Report article, which revealed that “…if only nine of the country’s 55,000 electrical substations were to go down — whether from mechanical issues or malicious attack — the nation would be plunged into a coast-to-coast blackout.” Federal regulators have stepped in, adding cybersecurity standards for the electric industry. Cybersecurity, according to the report, has “surged in the ranking of the Top 10 industry issues … leapfrogging two spots to number four.”
Just for laughs
While not an XP issue, this Gizmodo article reports that in 1985, the Grand Rapids School District put into service a Commodore Amiga, programmed by a local student, to control heating and cooling services throughout its 19 public schools. Well, 30 years later, the Amiga is still faithfully performing its duties, although not without its share of repairs and replacement parts over the years. The best part is that the same student who originally programmed the system still lives locally and makes himself available to administer and repair any hiccups along the way. “The kid who programmed the machine is the only one who knows how to fix them,” Gizmodo reports.