Microsoft Ending Support for Windows XP and Office 2003 4/8/2014

Windows XP has reached end-of-life, and there will be no updates or security patches for XP after April 8, 2014.  The bad news is that CERT estimates that 30% of all internet-connected PCs are still running XP, so a lot of people are going to be exposed to the latest malware with no help from Microsoft.

If you’re running Windows XP,  it’s time to upgrade (or change to Mac or Linux).

 

NCCIC / US-CERT

National Cyber Awareness System:

03/10/2014 10:56 AM EDT
Original release date: March 10, 2014

Systems Affected

  • Microsoft Windows XP with Service Pack 3 (SP3) Operating System
  • Microsoft Office 2003 Products

Overview

Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:

  • Security patches which help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3]

Microsoft will send “End of Support” notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration Manager, or Windows Intune will not receive the notification. [4]

Impact

Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows XP or Office 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]

Solution

Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats.

Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft “End of Support” pages for Windows XP and Office 2003 offer additional details.

There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.

Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.

References

Revision History

  • March 10, 2014 – Initial Release

FYI: CryptoLocker virus

CryptoLocker is a new virus that affects Windows PCs – if you get infected, a screen pops up telling you that your stored documents and images have been encrypted, and if you don’t pay $300 within 72 hours, the key required to decrypt your files will be destroyed and you’ll be out of luck.  There have been other ‘ScareWare’ viruses that popped up windows like this in the past, but this one actually does what it says.

Our spam filters do a very good job of blocking email that contains viruses, but since the bad guys are clever, it’s always possible for malicious email to get through until the spam filters figure out the new technique, and you could be exposed.  Also, if you have multiple PCs on your LAN, this virus can jump from an infected PC to the others over the ethernet or WiFi link, so you can be exposed that way as well.

Here’s the US-CERT announcement:    http://www.us-cert.gov/ncas/alerts/TA13-309A  Read this and follow their advice in the “Prevention” section of the writeup.

Other writeups on CryptoLocker:

Announcement: mail.his.com setting change for his.com and hers.com users

If you have a his.com or hers.com email address, check the settings in your email software (smartphone/tablet/laptop/computer/etc.) and make sure that mail.his.com is set as the hostname for both incoming and outgoing mail.  This has always been the correct setting, but for legacy reasons, using just his.com as the hostname has worked too.  Starting October 5, 2013, only mail.his.com will work as the hostname for his.com and hers.com users.

This change is being made for anti-spam reasons.  Some spammers (millions of them, actually) will attempt to bypass spam filtering by ignoring the official mail exchanger records in DNS and connecting to the hostname that resolves to the domain name.  We’re able to block most of this, but we need to block it all.

Summary:

  • this affects only users with his.com or hers.com email addresses.
  • check the settings in the email software on all your devices and make sure that mail.his.com is set as the hostname for both incoming and outgoing email.

We’ve been scanning the logs, and we think we’ve identified most of the folks who this applies to, and we’ve sent email to everyone who we know needs to make the change.

his.com and hers.com users can access webmail as always at https://webmail.his.com

If you have any questions or need assistance, open a support ticket at https://support.his.com/contact

Barracuda update

spam.his.com is doing an excellent job of blocking spam without stopping non-spam – the only false positives we’re seeing involve mail from bulk sources (overstock.com, alert.ema.dc.gov, etc.), where many messages with the same content come in at once, which is characteristic of spam – you may find that you need to whitelist these if they’re winding up in your quarantine.

The system is also learning, as we’ve had time now to train it with feedback about what’s actually spam and not-spam – we update this Bayesian database daily, and this helps fine-tune filtering accuracy.

Two major improvements over Postini:  little, if any, non-spam mail getting quarantined, and much faster reaction to new spam attacks that use new methods to get around filters.  Barracuda updates its filters three times/hour, vs. once every day or two on Postini, and we’ve seen the effect of this in action – it works.

We’ve made a few minor changes – you’ll no longer see mail marked “?SPAM?” in your inbox.  This was mail that Barracuda thought might be spam but wasn’t sure, so it didn’t quarantine it, but tagged it and passed it through.  In practice, we found that as much non-spam as spam was getting tagged, so this tagging wasn’t helpful and we’ve turned it off. These messages are still passed through, but without the tag.

Zimbra users:  you have another layer of spam/virus/phishing filtering in Zimbra.  Mail that Zimbra thinks is spam will be put in your Junk folder, and this is separate from what spam.his.com does.  Check your Junk folder from time to time, and if any mail is there that isn’t spam, mark it as not-spam (you have to do this via webmail).  Likewise, if any spam gets past spam.his.com and you find it in your inbox, you can mark it as spam.  Zimbra’s spam filter learns from your feedback, and if you mark spam/not-spam for a week or two, its accuracy will improve.  Zimbra’s spam filter works at the individual mailbox level, so you do need to train it so it knows whether you agree with what it’s doing.

If you want, you can forward spam that gets to your inbox to spam@barracuda.com – this will help them recognize new spam tricks and update their filters.

If you have any questions, open a support ticket by clicking “Open a Ticket” at http://info.his.com/support/support.his.com.html.  Check our knowledgebase articles at https://support.his.com/kb/kb/browse/001925


											

Spam filter change: switching from Postini to Barracuda

We provide spam and virus filtering with all email accounts – you really can’t use email without it anymore.

We’ve used Postini for our premium spam filtering since 2001 (twelve years!).  Google bought Postini in 2007, and Postini continued to be excellent until about a year ago when we noticed that things were slipping – there were outages, a lot of mail that wasn’t spam started to get quarantined, things like that.  Then Google decided to discontinue Postini, along with quite a few other services.

We evaluated seven good alternatives, and Barracuda was the clear winner.  The spam/virus filtering is excellent – they push out updates to the filtering rules as often as three times / hour, so they do a great job of catching spam blasts that use new techniques to get around the filters, and most people will find that they have few, if any, ‘false positives’ (non-spam that gets quarantined).   We’ve been testing the Barracuda system and using it for our own email since February, and we think you’ll find it a real improvement.  We’re operating the Barracuda servers in our own cloud, so we have direct control of uptime and reliability.

We’re switching domains over in groups, and should have everybody switched by May 18.  You’ll get email announcing the change before your domain is switched.  The change will be almost completely transparent to you – the only real change you’ll have to make is the link to your spam quarantine, which will be in the announcement email.

mail.his.com mailbox quotas increased

his.com and hers.com mailboxes on mail.his.com have been increased in size to 5 gigabytes.  You can add disk storage if you need it for $1/gb/month.

You can check your storage status by logging on to https://webmail.his.com and hovering your mouse over the bar under your name at the top of the screen.

Tip:  if you use the Zimbra web interface at  https://webmail.his.com, you can restore any messages that you delete for up to 30 days, even if you’ve emptied the trash.  Just right-click on the zimbra.trash icon.  This only works for mail deleted using https://webmail.his.com – if you’re using a regular email client (Thunderbird, Mac Mail, Outlook, etc.), mail that you delete from that program will be gone.

ALERT: major brute-force password-guessing attack on WordPress sites underway

There’s a significant attack by a botnet on WordPress sites, where the bots are trying to guess the passwords of common admin logins.  More info:  http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

If you are using WordPress and are using a common username or a common password, change it immediately to something less obvious. Update your WordPress admin password when in doubt. Operators of WordPress sites can take other measures too, including installing security plugins such as this one: http://wordpress.org/extend/plugins/better-wp-security/ and this one: https://wordpress.org/extend/plugins/limit-login-attempts/, which close some of the holes most frequently exploited in these types of attacks.

WordPress creator Matt Mullenweg has released a statement regarding the issue:

Almost 3 years ago we released a version of WordPress (3.0) that allowed you to
pick a custom username on installation, which largely ended people using “admin”
as their default username. Right now there’s a botnet going around all of the
WordPresses it can find trying to login with the “admin” username and a bunch of
common passwords, and it has turned into a news story (especially from companies
that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your
blog, change it, use a strong password … and of course make sure you’re up-to-date
on the latest version of WordPress. Do this and you’ll be ahead of 99% of
sites out there and probably never have a problem. Most other advice isn’t great
— supposedly this botnet has over 90,000 IP addresses, so an IP limiting or
login throttling plugin isn’t going to be great (they could try from a different
IP a second for 24 hours).

HIS advice:  remember that usernames are also passwords, so choosing a username like  ‘admin1492’ rather than ‘admin’  will help make your WordPress site much more secure.  Also, never use a password for your WordPress site or email that you’ve used somewhere else.  Yes, it’s a bother, but you should never use a password on more than one site.  Passwords should be 8 characters or longer and should contain at least one punctuation symbol, a mix of upper and lower case, and a number.
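The point made in the statement above, that per-IP throttling sees very little when each guess arrives from a different address, can be checked against a web server access log by counting login POSTs site-wide as well as per IP. This is an added example, not part of the original post or of WordPress; the log lines are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_posts(lines):
    """Yield (ip, minute) for every POST to wp-login.php."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            # "12/Apr/2013:03:14:07 +0000" -> minute bucket "12/Apr/2013:03:14"
            yield m["ip"], m["ts"][:17]

def analyze(lines, per_ip_limit=5, site_limit=20):
    """Compare a per-IP threshold with a site-wide per-minute threshold."""
    per_ip, per_minute = Counter(), Counter()
    ips_per_minute = {}
    for ip, minute in login_posts(lines):
        per_ip[ip] += 1
        per_minute[minute] += 1
        ips_per_minute.setdefault(minute, set()).add(ip)
    return {
        "ips_over_limit": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        "hot_minutes": {
            minute: {"posts": n, "distinct_ips": len(ips_per_minute[minute])}
            for minute, n in per_minute.items() if n > site_limit
        },
    }

def sample_log():
    """Constructed sample: 60 login POSTs in one minute, each from a different
    address in the documentation range 198.51.100.0/24, plus one page view."""
    lines = [
        f'198.51.100.{i} - - [12/Apr/2013:03:14:{i % 60:02d} +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'
        for i in range(1, 61)
    ]
    lines.append('203.0.113.9 - - [12/Apr/2013:03:14:30 +0000] '
                 '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(analyze(sample_log()))
```

On the sample, no single address exceeds the per-IP limit, while the site-wide count flags the minute with 60 login attempts from 60 distinct addresses.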

Planned maintenance: dc.his.com, mail.his.com upgrades – Done

In order to expand disk space to accommodate larger user disk allowances, Zimbra servers mail.his.com and dc.his.com will be taken offline briefly this weekend:

  • mail.his.com – starting at 3 AM EDT, Saturday, April 6th – COMPLETED 5:20 AM April 6
  • dc.his.com – starting at 3 AM EDT, Sunday, April 7th – COMPLETED with no downtime.