What do the massive security breaches and theft of credit card information at The Home Depot and Target have in common? Both were allowed by a decade-old exploit in Windows XP Embedded, used in their point of sale systems.
In a detailed, if somewhat rambling piece, The Daily Tech concludes that the credit card losses – more than 100 million total – could have been avoided if Target and Home Depot simply upgraded to Windows 7 for Embedded Systems.
Both Home Depot and Target were hit with the same malware designed to steal credit card information that has been traced back to Russia, according to Brian Krebs, a security blogger for The Washington Post. Both firms were using Windows XPe (for embedded) SP3, which is not the last version of the XP-based embedded OSes. There was one more, called Windows Embedded 2009, that is based on XP.
The article notes Harry Brelsford, an IT consultant who runs the SMBnation blog, was an XP evangelist. Now he's trying to get people off XP and on to something newer. He's been working on a project called the "Million Mile Tour" in conjunction with the site XPMigrations.com. In a November 2013 post entitled "Show Us Your XP!", he called out Home Depot and others still running XPe.
It didn't work, and now Brelsford is issuing an I-told-you-so.
What’s sad is that (a) this didn’t have to happen and (b) the IT Pros who attended my Windows XP Migration Madness workshops (44 events in 2013 sponsored by Lenovo) did not follow my advice and contact Home Depot to help solve this problem. A missed opportunity.
Windows XPe SP3 will join consumer XP in the end-of-life category in 2016. Support for WE2009 ends in 2019. After support for XP ended last April, some people came up with a hack to get fixes for WE2009 on their XP boxes, which Microsoft was opposed to them doing.
Malware for embedded XP emerged in the middle of the last decade, using a technique called "RAM scraping." XP has relatively weak memory access protection, so once malware is inside a PC it has free reign to do its business. RAM scraping is how a hacker group stole credit card information from TJX Companies, TJ Maxx stores, Office Max, Dave & Busters, DSW, Heartland Payment, BJ's Wholesale Club, Barnes & Noble, and Sports Authority.
The Daily Tech story, while well-researched and complex, is a bit judgmental in casting retailers as uncaring and greedy in their continued use of old technologies. Retail isn't a very profitable business, and in case you haven't noticed, the last six years have been brutal economically, with many retailers going out of business.
For Home Depot to deploy all new POS systems at 2,200 stores, you are talking months if not years of testing, followed by many millions of dollars in the rollout, and for no visible ROI. That's a bit much to ask in tough economic times.
Of course, now they have a major incentive to upgrade, don't they?