Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime, Governance & Risk Management, Next-Generation Technologies & Secure Development

London Police Busted For Windows XP Possession

Pity the Poor Plod Stuck with Microsoft's Finest, Circa 2001

Pity the poor plod - that's Brit-slang for a beat cop - who's stuck using Windows XP.

But also spare a thought for anyone who's relying on London's Metropolitan Police Service to keep their personal details secure, in the wake of warnings that the Met is still using 27,000 PCs that run the outdated operating system.

It's not clear where having to use Windows XP fits into that old policing cliché - that police work is 99 percent irritation and boredom and 1 percent sheer terror. But what is clear is that the outdated XP operating system, which debuted in 2001 and which Microsoft stopped supporting in 2014, is no longer - as the Brits would say - "fit for purpose."

"The Met should have stopped using Windows XP in 2014 when extended support ended, and to hear that 27,000 computers are still using it is worrying," says London Assembly Member Andrew Boff, Conservative, in a statement. Boff is one of 25 elected London Assembly Members who are responsible for holding the London mayor to account. Some of those members also participate in the Metropolitan Police Authority, which oversees the Met. The police service is responsible for policing greater London, with the exception of the city's financial district.

"My major concern is the security of Londoners' information on this dangerously out-of-date system, but I would also like to know how much money the Met have wasted on bespoke security updates," Boff says.

Met spokeswoman Chioma Dijeh tells me that the migration plan has been complicated by older software on which the police force continues to rely. "The MPS is undergoing a complete refresh of its information technology processes, infrastructure, and equipment - including its desktop computers. However, the upgrade program is not as simple as it would be for many other organizations due to the amount of specialist legacy software upon which parts of the MPS still rely," she says. "Replacements or remediation for this software, which are compatible with a more modern operating system, have to be ready before the rollout is completed to ensure continued operational effectiveness."

Continued XP Use Costs

Since Microsoft pulled the plug on XP support, some organizations have been paying for pricey extended support contracts. That included the U.K. government, which reportedly paid £5.5 million ($7.2 million) for a one-year support contract. But the U.K. government in April 2015 said it chose to not renew the contract, even though some government departments were still running PCs with Windows XP.

"All departments have had seven years warning of the 2014 end of normal support and this one year agreement was put together with the support of technology leaders to give everyone a chance to get off XP," the government's technology team said in a blog post.

The Met, meanwhile, "has an extended support agreement running until April 2017 with Microsoft for all XP components," Dijeh says. "This has cost £1.65 million ($2.15 million) and means we have no security concerns as a result of our continued use of XP."

The Met didn't respond to my question about whether budgetary concerns had slowed its move away from XP.

Extended Patching is No Panacea

Despite the "no security concerns" claim, however, there's one very good reason to use a more modern Windows operating system: it's safer. Microsoft continues to add new security controls that make it harder for attackers to exploit and take control of Windows devices.

By contrast, paying for security patches isn't a foolproof way to keep Windows XP systems secure. For starters, Microsoft has stopped supporting older versions of Internet Explorer, and ceased issuing updates and signatures for XP's built-in anti-virus tool, Security Essentials. Although alternatives are available, many users no doubt continue to use those tools, including IE6, on which some older applications rely.

What's also worrying is the flurry of critical flaws that continue to be found in all versions of Windows operating systems - including XP - that attackers can exploit to gain full control of a system. Some of these flaws have been mitigated, via patches, in new versions of Windows. But the U.S. Computer Emergency Response Team has warned that other flaws - for example, affecting Windows XP, 2000, and 2003 - simply cannot be mitigated.

Met: First Outed in 2015

The Met's continuing XP reliance was first revealed last year by tech site Motherboard, which found via a Freedom of Information Act request that the police force was still using 35,640 PCs running Windows XP.

Motherboard asked for a detailed breakdown of which departments still used the outdated operating system, but the Met said it couldn't provide such an answer. "This is because many systems are shared and do not necessarily belong to an individual. MPS colleagues are able to hot desk between buildings. Therefore this information you seek is not held," read the response it received.

Move to Windows 8.1 Questioned

Since then, the Met says that it has migrated 8,000 of the PCs running XP to a newer version, and says it plans to update another 6,000 by next month, leaving 21,000 XP systems outstanding. "Further plans are being developed to address the remaining XP desktops including reducing the overall number used by the organization, replacing with laptops, tablets and disposing of equipment that cannot support Windows 8.1 and beyond," Dijeh says.

But Assembly Member Boff has also criticized the police force for only moving to Windows 8.1, which Microsoft will stop supporting - except for organizations that pony up for pricey extended-support contracts - in January 2018.

"I also question the choice to upgrade to Windows 8.1; this is neither the newest version of Windows nor the most used version of the software," he says. "Staff are likely to be more familiar with Windows 10, but most importantly it will be supported further into the future."

The Met, however, says that its only option was a move to Windows 8.1. "Upgrading our legacy systems to Windows 8.1 was the only approach recommended by Microsoft, as there was no direct upgrade path to Windows 10," Dijeh says. "Once completed it will be more straightforward to make the next upgrade to Windows 10 as they share a common kernel - we are starting to work with Microsoft on the upgrade to Windows 10."

If the Met continues at its current migration pace, however, it will just about have finished migrating from Windows XP to Windows 8.1 by January 2018. At that point, this whole extended-Windows-support rigmarole may begin again.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
