On the surface, Windows XP will look the same on April 9 as it will on April 8. But behind the scenes, criminals and hackers will be quickly moving in.
On April 8, Microsoft will stop providing security updates and other patches to the 13-year-old operating system. The company wants its customers to upgrade to modern software. One consequence is that overnight, Windows XP will become a magnet for hacks, viruses, exploits and malware.
The risk confronts not only XP users and their information--it confronts anyone who connects to the Internet. Viruses that infect an XP machine can spread across the network. Hackers could rope compromised XP machines into denial-of-service attacks on networks and web resources.
Throughout UC Davis, people are working to identify and remove the remaining uses of XP on campus, or when that's not possible, to reduce the risk. Information and Educational Technology has created a website with information, options, and advice, for both departments and individuals.
Yes, for individuals, too. Not only for departments.
"There's a personal side to this," said Chief Information Security Officer Cheryl Washington. "This is not just an IT or UC Davis problem. This is an everyone problem."
The College of Engineering takes action
The College of Engineering began its response to the end of XP by sending a message about the problem to its chairs, management service officers and faculty. Then it assessed how many of its computers still use the software. One scan "found about 260 machines that appear to have Windows XP," said College of Engineering IT Service Manager Ken Jones. "That's out of about 2,000 computers we have."
The college has asked its departmental technologists to use the inventory as a starting point to find all of their XP machines. "I n the College of Engineering, nobody is leaving XP on machines just for fun," he said. "In general, it's all instrumentation, or old pieces of software critical for their research needs.
"Generally, we're trying to figure out how to keep the functionality, but get them off the Internet," Jones said.
UC Davis security standards prohibit computers from connecting to the campus network if those machines use unmaintained operating systems or application software.
The overall continued use of XP is a serious problem, said Jones, who also chairs the security subcommittee of the campus Technology Infrastructure Forum. The software remains widely used outside the United States, particularly in Asia.
"The best guess is that 25 to 29 percent of the computers connected to the Internet right now, worldwide, are running the XP operating system. There will inevitably be exploits that will turn those machines into bot zombies. So you have the potential for up to 30 percent of the machines to be in the hands of bad guys to do things like distributed denial-of-service attacks," Jones said.
"Also, the vast majority of the code base for XP is the same for Vista, 7, and 8 [Microsoft's more recent operating systems]. In the future, Microsoft will be sending out patches for Vista, 7, and 8. Patches identify a vulnerability, and bad guys will reverse-engineer the patches to build an exploit. Then they can exploit the vulnerabilities in XP that will never be patched."
A good approach to follow
No one knows how many machines that connect to the campus network still use XP. An estimate of 1,200 from IET's security group probably understates the total. They range from research machines to old computers used in offices and homes.
The campus and its departments have been working to reduce their exposure to Windows XP. The problem and potential sol utions have been discussed at many levels, including the Technology Infrastructure Forum and the Council of Deans and Vice Chancellors. CISO Washington will be talking to more groups and departments.
If units and individuals have not yet fully engaged the end of Windows XP, then they should now, she said. "I'm glad to see the steps the College of Engineering is taking. I hope similar efforts will be duplicated throughout the campus."