3

While trying (and failing) to convice a certain older person who wanted me to "fix" their ~20 years old PC that they should not be connecting to the Internet with whatever version of Windows they have installed (they couldn't tell me) and they should rather buy a new PC I resorted to arguments of this sort:

The development cycle of software goes more or less like that: (a) A company releases software; (b) Usually in a short time security holes are found, some of them are published; (c) Exploits ("lockpicks") may be made and released to the public that allow your middle-school kid next door to break into your computer with little effort; (d) Some people try to automate such attacks, trying to target many computers connected to the Interned in a bulk; (e) After some (hopefully) short time the company releases a security patch that closes this hole, but (f) before users apply this patch they are open to all sorts of attacks (g) which is why it is recommended to apply updates as soon as possible and to only connect to the internet with up-to-date software, but (h) Windows XP stopped receiving such fixes in 2014(!)

I was pretty much repeating what I had been told.

Still, the person in question is still running their grossly out-of-date Windows version to perform the tasks they need to perform, which mainly boils down to receiving and sending important e-mails and using office software to read/edit/create attachments. When told about security their response was "Am I working in a three-letter agency?" and also "Who am I, a millionaire? Why would I be of any interest to anyone?"

I am wondering... Maybe they're correct? Security is not a binary thing, after all. It can only be sufficient or insufficient for a given threat model for a given situation.

In this situation, despite that their PC is theoretically open to all sorts of exploits:

  • I suppose routers / modems nowadays employ NATs / firewalls which while not perfect are enough to stop most of the en-masse portscanning? So their security should rise by the fact that they, by necessity, use the hardware from their ISPs?
  • Also, the use of such old Windows systems is in such a decline nowadays do people even bother looking for vulnerabilities in those en masse? So are they going to get infected only by the fact that they connect to the internet?
  • Gmail website and expected e-mails from trusted people are not going to contain malware as well...
  • If they were targetted then of course the above considerations would not apply but as they say, are they going to be specifically targetted?

I am wondering if counterintuitively, their setup is not actually secure enough for their peculiar purposes?

gaazkam
  • 5,607
  • 11
  • 24
  • 37
  • 1
    [Related](https://security.stackexchange.com/questions/221348/how-to-explain-to-traditional-people-why-they-should-upgrade-their-old-windows-x). – gaazkam Nov 16 '19 at 20:10
  • With using any certain software version without keeping it up to date there will come the date when protocols that are in use by this software will no longer be supported by the servers that the software is communicating with. For example: SSLv2 encryption was once standard, but since it has numerous flaws the industry moved beyond it and does not support it anymore. Nowadays it gets difficult to browse the web even with SSLv3. The industry and the web move slow, but the do indeed move. – Martin Weil Nov 18 '19 at 08:01
  • "Maybe they're correct?" Maybe they are! If they're behind NAT, they're only checking emails and not opening attachments, then I don't see the attack vector (apart from the generic home router, but that's out of the scope of your question). – Aaron F Nov 18 '19 at 12:52

1 Answers1

4

The argument "I am not of interest to anybody. Why would anybody want to attack me?" assumes that an attacker would only take one specific angle - that of a targeted attack.

However, more often than not, criminals will just run automated scripts that check for vulnerable machines and try the attack that will most likely work for that machine. Depending on the exploit, they can then use that machine for a number of malicious purposes, such as:

  • Sending out spam
  • Using it as proxy for other attacks
  • Deploying ransomware
  • Conduct DDoS attacks
  • Distribute malware
  • Etc.

But what about NAT and firewalls?

It depends on your setup and the kind of exploit. For example, Windows XP doesn't support modern browsers, so you are stuck with legacy versions of other browsers. Just to illustrate this, the last version of Chrome available for Windows XP was Chrome 49, which came out in February 2019. That means any bug fixed after that date will forever stay on Windows XP.

If you are stuck with an old browser, you open yourself up to all kinds of horrible browser-based exploits, which attackers can easily employ on the web. A firewall or a NAT will not help you at all there.

Are people even bothering to look for vulnerabilities in such old software?

Surprizingly, yes. Usually not specifically to Windows XP, but if someone were to find an exploit in some software, the vendor will then attempt to find when the bug was introduced in order to see who is affected.

In many cases, the bug was introduced in a very old version of the software, and if that happens to be the one you are using, then you're out of luck.

Furthermore, new technology to increase security gets employed. HSTS or OCSP Stapling, just to name some. If you use a legacy OS with legacy software, you will not have access to any of those, which will mean you are worse off.

But I only receive e-Mails from trusted parties. I'm not in danger!

Yes, until you don't. Forging an e-Mail to look somewhat passable is not as difficult as it may seem. Phishing is a difficult topic, because many people will think that they "are too smart to fall for this", until they're in a hurry once, just quickly want to check their mails and open an attachment. Sadly, their version of Office was too old to detect the macro in the document was issuing OS commands in the background.

But is it not secure enough?

Let me ask you a different question: Why are you not just getting a modern OS?

If all you do is check your e-Mails once in a blue moon or play some Solitaire, then get yourself a modern Linux distribution. Lubuntu, for example, runs decently well, even on Windows XP-era hardware.

And if your hardware is up-to-date and you just miss the look-and-feel of Windows XP, then use Windows 10 and get yourself one of the billion tools that make it look like Windows XP.

  • `If all you do is check your e-Mails once in a blue moon or play some Solitaire, then get yourself a modern Linux distribution. Lubuntu, for example, runs decently well, even on Windows XP-era hardware.` I agree, and this is what I was going to do *if they handed me their laptop*. Sadly I'm not sure if installing Lubuntu for a computer-almost-illiterate older person is a wise choice... – gaazkam Nov 16 '19 at 20:37
  • I'm sure there is some linux distro made specifically for beginners with no interest of learning how computers work. My grandmother uses Ubuntu though, because her old PC would not run Windows that well. I just set it up to auto-update without confirmation –  Nov 16 '19 at 21:51
  • Honestly, new flaws in Win XP in particular might be especially interesting to certain groups, depending on whether certain health care providers have been able to upgrade yet. – Justin Time - Reinstate Monica Nov 17 '19 at 08:46
  • 1
    @JustinTime2ReinstateMonica I honestly think that the fact that some critical systems still run Windows XP is grossly negligent and should have a definite deadline, after which it results in a fine. My proposed dealine is 2014. –  Nov 17 '19 at 16:49
  • Sadly, @MechMK1, some organisations had to keep it longer due to either software or hardware demands. Often a reliance on IE6 for internal sites, of all things, although in some cases critical components weren't actually compatible with newer systems. I believe some hospitals in particular had to keep XP for a long time because it was the last version of Windows that supported important hardware (possibly X-ray machines, I can't remember), and didn't have the funding to upgrade both their computers and the hardware that relied on XP. I _think_ most are airgapped now, at least, but still. – Justin Time - Reinstate Monica Nov 17 '19 at 18:00
  • I've worked at a hospital for a while, and I saw plenty of Windows XP (and even some Windows 98) machines there, attached to some medical equipment. As you suggested, it was all airgapped, but it is still a tragedy to think that such old OS's power medical equipment. –  Nov 17 '19 at 19:13
  • Chrome 49 came out in March 2016, and was the last version for XP, Vista, and Mac OS 10.6/10.7/10.8. https://en.wikipedia.org/wiki/Google_Chrome_version_history – Dan Is Fiddling By Firelight Nov 18 '19 at 11:31
  • 2
    "a tragedy to think that such old OS's power medical equipment" - on the contrary: tried and tested is far preferable to new and shiny when lives are at stake. – Aaron F Nov 18 '19 at 12:39
  • @AaronF The flip side of that coin is "vulnerable and compromised are not preferable to tried and tested when lives are at stake." – Carey Gregory Dec 28 '20 at 20:57