Windows Security Holes Go Mostly Unexploited
murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't the target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."
As a contractor doing technical support for an ISP, I will attest to the fact that home users are hit very hard by problems such as Klez.
It's an epidemic.
On the other hand, we know of surprisingly few cases where machines were exploited on the network for other types of obvious security holes.
"We know of" being the key phrase.
The article mentioned does not specifically discuss Windows security holes (as the title of this thread suggests), but rather security holes in general, and goes on to mention the Linux Slapper worm in particular.
I find this typical of the slanted, Microsoft-bashing nature of posts here on Slashdot!
woah!
As we speak, someone is changing the news options on the RIAA website. However, they don't seem to be stopping them from doing it. I did grab a shot of a particularly amusing one though.
Oh, and just so everyone knows.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
each year, I might as well leave my front door unlocked, right? Or better yet, if I am a builder of homes, there is no reason to install those locks at all.
Quite a lot of virus names aren't coined by the virus writer, you know, but by the anti-virus labs' reverse-engineers trying to research the virus. Lots of viruses don't have strings detailing their names, even encrypted ones, so the labs just have to kind of make them up, and occasionally one sticks. The researchers aren't looking for something cool, they're looking for something uniquely identifiable that they can refer to it as during their research and writeup.
.well.. you can guess the rest.
The author did, however, name KLEZ and its parasite, Elkern. KLEZ appears to be an acronym, though what it stands for is unknown.
Also, sometimes the author's names are simply ignored - for example, Nimda isn't actually called Nimda, it just wrote a file called ADMIN.DLL and while reversing it, the researchers..
Despite the thousands of known exploits and virii...
Public Memo:
It's "viruses", not "virii". Repeating, "viruses".
Did you also get the memo about the TPS report cover sheets?
Skiers and Riders -- http://www.snowjournal.com
EXACTLY!
99% of Windows users have no way of knowing if they're compromised!!
because they don't notice these viruses.
Very true. I worked a temp job doing warranty repairs on Gateway PCs (and wouldn't recommend a Gateway to my worst enemy). Sadly, since the Gateway Country stores don't employ any computer literate people, over half of the systems we were to "repair" involved popping in the restore CD.
But at the time (a few months back), I'd say about 10% of them were Klez-related (in order to tell the user what was wrong, we had to do a diagnosis including virus scan as a first step).
As well, my dad has restored his PC a multitude of times in the 3 years he's had it. He of course thinks it's because Microsoft sucks, or "that new MSN upgrade broke my system", but in reality I think it's because he'll download anything and everything he can get his hands on (he just loves that Bonzi buddy thing... ugh)
My point simply being that most of them probably didn't even know they were infected/exploited (I'm sure most don't read the paperwork we sent back). These statistics come from where, exactly? How many joe-sixpack users, who have already been ridiculed by their geek friends, are going to admit in a survey that they were stupid enough to click on the attachment against everyone's advice?
I just have to wonder where the stats come from. If it's from Wired readers, I'd say it's skewed as their average reader-base is probably a bit more savvy than average.
Saying that unprotected Windows machines go un-hacked is ridiculous. Just look at your server logs (if you run a web server). How many automated hack attempts do you see? Quite a few.
And since Code-Red, Nimda, etc use a semi-random IP selection routine, attempting to stay close to the current IP, home cable/DSL networks are the most affected. My DSL still logs around 80-100 attempts on port 80 per day (keeping in mind Nimda tries several variations per attempt).
Also, the majority affected aren't aware that they are even running a web server at all, much less that they're infected (and spreading infection). To this day, I can go to each IP in my logs, and see the IIS default page on the vast majority (indicating they aren't running IIS for a reason, and likely aren't aware that it's there).
Finally, I just want to say that just because not everyone has been exploited doesn't mean that we should look at the situation any lighter. The Code Red thing should have been a serious wake-up call to Microsoft. Same with iloveyou, melissa, et al. These things were highly public, and should have been viewed as a major fiasco. Maybe the scene has toned down in the last year or so, sure, but that doesn't mean we should just not worry about it. Hopefully not too many people will read the Wired article and become more lax in their practices...
NGWave - Fast Sound Editor for Windows
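The post above is talking about the Code Red and Nimda probes that show up in any web server log on a home DSL line. As an added illustration (not the poster's code, and not tied to any particular log), here is a small Python script that parses common-log-format lines, tags the ones that carry the well-known Code Red (`/default.ida?`) and Nimda (`root.exe`, `cmd.exe?/c+`, and the `%c0%af` / `%255c` style traversal encodings) request strings, and then collapses each source's burst of variants into one "attempt", which is the distinction the poster draws between 80-100 attempts a day and the several variations Nimda sends per attempt. The log lines embedded in it are constructed sample data; the Code Red query string is shortened.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# host ident user [time] "method path proto" status ...  (common log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request strings the Code Red and Nimda worms send when probing port 80.
# First match wins, so the exact Nimda targets are listed before the
# generic traversal encodings Nimda also uses.
SIGNATURES = [
    ("CodeRed", re.compile(r"^/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"/root\.exe\?", re.I)),
    ("Nimda", re.compile(r"/cmd\.exe\?/c\+", re.I)),
    ("Nimda-traversal", re.compile(r"%c0%af|%c1%1c|%c1%9c|%255c|%252f|%%35%63|%25%35%63", re.I)),
]


def parse_line(line):
    """One log line -> dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def classify(path):
    """Worm family for a request path, or None for ordinary traffic."""
    for family, rx in SIGNATURES:
        if rx.search(path):
            return family
    return None


def probes(log_text):
    """All parsed events whose path matches a worm signature."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        fam = classify(ev["path"])
        if fam:
            ev["family"] = fam
            out.append(ev)
    return out


def count_sweeps(events, window_seconds=60):
    """Per source IP, count bursts: consecutive probe lines with no gap longer
    than window_seconds are one attempt, however many variants it tried."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["ts"])
    sweeps = Counter()
    for ip, stamps in by_ip.items():
        stamps.sort()
        n, last = 0, None
        for ts in stamps:
            if last is None or (ts - last).total_seconds() > window_seconds:
                n += 1
            last = ts
        sweeps[ip] = n
    return sweeps


def summarize(log_text):
    evs = probes(log_text)
    return {
        "probe_lines": len(evs),
        "by_family": dict(Counter(e["family"] for e in evs)),
        "by_source": dict(Counter(e["ip"] for e in evs)),
        "sweeps": dict(count_sweeps(evs)),
    }


# Constructed sample log: one Nimda sweep, one Code Red hit, one more Nimda
# variant from a third host, and two legitimate requests.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2002:03:14:07 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [20/Sep/2002:03:14:07 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [20/Sep/2002:03:14:08 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [20/Sep/2002:03:14:08 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.77 - - [20/Sep/2002:04:02:11 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276
192.168.1.20 - - [20/Sep/2002:04:10:55 -0500] "GET /index.html HTTP/1.1" 200 1043
192.168.1.20 - - [20/Sep/2002:04:10:56 -0500] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.91 - - [20/Sep/2002:05:33:40 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real access_log instead of SAMPLE_LOG and the "sweeps" figure is the number the poster is counting; the "by_source" figure is the raw line count. A 404 on these requests means the probe missed; the lines worth worrying about are the same paths with a 200.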
Yeah, the guy's obviously making it up.
And since it doesn't exist, there's no reason for MS to release a patch to fix the vulnerability, right?
Obviously, you're intelligent and checked Google before flaming away.
You're wrong, home users do have something that is worth stealing: bandwidth and anonymity.
Currently hackers use exploited/infected machines to abuse their bandwidth, and remain anonymous. The bandwidth is used for DDoS attacks; you would be surprised what 500 infected cable customers' machines can do to almost any network, regardless of its size.
There are also trojans that run as proxy servers and mail relays, to be abused by spammers to send mail and annoying messenger spam out, since it always looks like it came from an infected machine, and there are never logs on said infected machine.
I came, I conquered, I coredumped
They pointed out the real problems, like KLEZ. But that wasn't the point. The point was that out of the thousands and thousands of supposed security holes very few are ever exploited. They said nothing of the destructive power of the holes that were exploited.
Boobies never hurt anyone. - Sherry Glaser.
That's fine, until they load up a program that does something illegal, and the feds kick down your door, take your computer away and say "Prove it wasn't you."
The Kruger Dunning explains most post on
Negative.
I've been on the Road Runner network in Austin, TX for years.
*ssh's home*
I've been hit by an IIS rootkit 9 times in the last 24 hours.
And no, I'm not into port scanning, probing, etc.
~Dalcius
Rome wasn't burnt in a day.
- Anti-intrusion systems should be built into the OS.
This is a very, very good point. So far, the only systems I've installed that automatically install intrusion detection of any reasonable sort are Mandrake Linux and OpenBSD. I've been particularly impressed with OpenBSD's daily reporting facilities. By default, it mails a "daily insecurity report" and daily status report on your network interfaces and basic system information to me. In addition, when installing OpenBSD packages, the packages spit out a little blurb after they install, explaining what is left to configure the package, any general security concerns, and suggestions on additionally securing the service. It even installs those packages with decent default security settings. My only complaint is that I have difficulty recommending it, at this point, to my friends who are less experienced in the UNIX world. The political baggage OpenBSD carries with it is rather unfortunate, but I note that after I am port-scanned on my OpenBSD box, I've never had an intruder attempt to use an exploit. Meanwhile, my GNU/Linux box routinely has crackers (unsuccessfully) attempt to do some well-known Apache exploits or attack my mail server. Oy vey, annoying.
I think that user education is also critical for any operating system. Although you don't expect users to become security experts, it is the responsibility of the distribution designers to make sure the security information reported by their system is concise, easily understood, and presented in an obvious but non-annoying way.
Matthew P. Barnson
I learn what I think when I read what I write
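The "daily insecurity report" the post above praises is, at its core, a nightly snapshot of security-relevant state diffed against yesterday's snapshot; one of the checks OpenBSD's /etc/security script performs is exactly that for setuid and setgid binaries. As an added example (not the poster's code and not OpenBSD's script), here is a Python version of that one check: walk a tree, record every setuid/setgid file with its mode, owner and size, compare against a saved JSON baseline, and print what appeared, vanished or changed. The file paths, the baseline location and the two snapshot dictionaries at the bottom are constructed for illustration.

```python
import json
import os
import stat


def setuid_files(root):
    """Every regular file under root with the setuid or setgid bit set,
    keyed by path, with the attributes worth comparing day to day."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our problem here
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = {
                    "mode": format(st.st_mode & 0o7777, "04o"),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "size": st.st_size,
                }
    return found


def compare(baseline, current):
    """Diff two snapshots. A new setuid binary, or a changed mode, owner or
    size on a known one, is what a rootkit (or a careless install) leaves."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def report(diff, current):
    """Human-readable lines for the daily mail; empty diff -> one quiet line."""
    lines = []
    for p in diff["added"]:
        c = current[p]
        lines.append(f"NEW      {p} mode={c['mode']} uid={c['uid']} size={c['size']}")
    for p in diff["removed"]:
        lines.append(f"REMOVED  {p}")
    for p in diff["changed"]:
        c = current[p]
        lines.append(f"CHANGED  {p} now mode={c['mode']} uid={c['uid']} size={c['size']}")
    return "\n".join(lines) if lines else "no setuid/setgid changes"


def daily_check(root="/usr", baseline_path="/var/backups/setuid.json"):
    """Snapshot root, diff against the saved baseline, then roll the baseline
    forward. Paths are assumed defaults; run it from cron and mail the result."""
    current = setuid_files(root)
    try:
        with open(baseline_path) as f:
            baseline = json.load(f)
    except FileNotFoundError:
        baseline = {}  # first run: everything shows up as NEW, which is the point
    diff = compare(baseline, current)
    with open(baseline_path, "w") as f:
        json.dump(current, f, indent=1)
    return report(diff, current)


# Constructed snapshots: su grew (replaced binary), a hidden setuid shell appeared.
BASELINE = {
    "/usr/bin/passwd": {"mode": "4555", "uid": 0, "gid": 0, "size": 16384},
    "/usr/bin/su": {"mode": "4555", "uid": 0, "gid": 0, "size": 12288},
}
CURRENT = {
    "/usr/bin/passwd": {"mode": "4555", "uid": 0, "gid": 0, "size": 16384},
    "/usr/bin/su": {"mode": "4555", "uid": 0, "gid": 0, "size": 20480},
    "/usr/local/bin/.x": {"mode": "4755", "uid": 0, "gid": 0, "size": 65536},
}

if __name__ == "__main__":
    print(report(compare(BASELINE, CURRENT), CURRENT))
```

The snapshot deliberately records size as well as mode and owner: a trojaned `su` keeps its permissions, so mode alone would not flag it. The baseline file itself needs to live somewhere an intruder who owns root cannot quietly rewrite (OpenBSD keeps its copies under /var/backups with schg where it can), otherwise the diff only tells you what changed since the attacker last updated it.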
I notice how the article failed to note that, in 2002, there were more Linux/Unix exploits than in MS operating systems by a margin of 2 to 1.
Dolemite
Save the World! Use a Quote!
My lab used to have an unprotected DSL with out-of-the-box RedHat 6.x and unprotected Win95 boxes on it that we used for testing things. As far as I could tell, nobody ever successfully hacked the Windows box, and when I was running ZoneAlarm, it'd detect a lot of doorknockers but no real attack - No surprise, because we had file-system sharing turned off, a relatively obscure freeware web server, no Napster/Kazaa/Gnutella/Morpheus/etc., and not much else useful on it except clients so not much to crack.
But the main Linux box got broken into all the time - I eventually changed its name to "Kenny" because it was getting brutally killed every week. As far as I could tell, nobody seriously bothered it once I upgraded to RH 7.1 in a medium-secure mode (I didn't install FTP servers, for instance, and Apache didn't have any web pages complex enough to be exploited), but by then I wasn't doing much complex, and I'd replaced the highly reliable Pentium-66 with a faster el-cheapo machine that often died on its own so it wasn't available to crackers.
The most common attacks I was aware of were some rootkit followed by installing Stacheldraht DDoS and some IRC bots. (And after I'd wiped out Stacheldraht a couple of times, the loser got annoyed and wiped out my disk drive once.) I noticed the initial attack because one of Kenny's P66 cousins was used to run a tcpdump sniffer to monitor the LAN and it kept doing ICMP to machines at universities. At least one of the rootkits "fixed" ls and ps to not report on its directories and processes, but forgot about some other utilities like /proc, and forgot about semantics problems like
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
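The rootkit in the post above replaced `ps` but left /proc alone, which is the classic way a userland rootkit gives itself away: the kernel still lists every process as a numeric directory under /proc, so anything in /proc that `ps` will not show is either a process that started between the two reads or one `ps` is lying about. As an added example (not the poster's code), here is a Python script that does that cross-check: parse `ps -e` output, read the raw /proc directory, diff them, and repeat a few times so a short-lived process that merely slipped between the two reads drops out. The `ps` output and /proc listing embedded at the bottom are constructed sample data; `live_check()` runs the real thing on a Linux box.

```python
import os
import re
import subprocess

PID_COL = re.compile(r"^\s*(\d+)\s")


def pids_from_ps_output(text):
    """PIDs reported by `ps -e`: the first numeric column of each row.
    The header row ('PID TTY ...') has no leading number and is skipped."""
    pids = set()
    for line in text.splitlines():
        m = PID_COL.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc_listing(names):
    """PIDs the kernel exposes: the purely numeric entries of a /proc listing
    (cpuinfo, self, net and friends are ignored)."""
    return {int(n) for n in names if n.isdigit()}


def hidden_pids(ps_pids, proc_pids):
    """In /proc but not in ps output. One read gives candidates only: a process
    that started after ps exited looks exactly like a hidden one."""
    return sorted(proc_pids - ps_pids)


def stable_hidden(rounds):
    """Keep PIDs that were hidden in every round. A legitimate short-lived
    process will not stay hidden across repeated samples; a process a
    trojaned ps suppresses will."""
    if not rounds:
        return []
    common = set(rounds[0])
    for r in rounds[1:]:
        common &= set(r)
    return sorted(common)


def live_check(samples=3):
    """Compare a real `ps -e` against os.listdir('/proc') several times and
    name the survivors from /proc/<pid>/comm. Linux only. A kernel-level
    rootkit that filters /proc itself is not caught by this; a replaced
    ps binary, as in the post, is."""
    rounds = []
    for _ in range(samples):
        ps_out = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
        proc_names = os.listdir("/proc")
        rounds.append(hidden_pids(pids_from_ps_output(ps_out), pids_from_proc_listing(proc_names)))
    names = {}
    for pid in stable_hidden(rounds):
        try:
            with open(f"/proc/{pid}/comm") as f:
                names[pid] = f.read().strip()
        except OSError:
            names[pid] = "?"  # exited between the last sample and now
    return names


# Constructed sample: ps shows four processes, /proc has a fifth (1311).
PS_SAMPLE = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  412 ?        00:00:00 syslogd
  887 ?        00:01:12 httpd
 1024 pts/0    00:00:00 bash
"""
PROC_SAMPLE = ["1", "412", "887", "1024", "1311", "cpuinfo", "meminfo", "net", "self"]

if __name__ == "__main__":
    print(hidden_pids(pids_from_ps_output(PS_SAMPLE), pids_from_proc_listing(PROC_SAMPLE)))
```

The same comparison works for the trojaned `ls` from the post: diff `ls -a` output against a raw `os.listdir()` of the directory. The caveat is that both go through the same libc `readdir`, so a binary-replacement rootkit is caught but an LD_PRELOAD one that hooks `readdir` for every process fools both; for that you need a statically linked tool or a read from a clean boot medium.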
Even processors (like Intel CPUs) have a form of firmware (microcode), but this is usually updated on boot by the bios or OS (think Linux) and not stored on the CPU itself.
As far as I'm aware there is no hardware which implements authentication of the firmware upgrade; the hardware would happily accept garbage. Reflashing a BIOS / firmware filled with garbage can also be a major task - not all motherboards have a jumper for resetting the BIOS, and I'm not sure how you would upgrade the BIOS of a PCI card if it didn't show up as a valid card. Besides, just try to find the correct BIOS / firmware for your "made in mainland china with just a serial number on the circuit board" thingy if the board doesn't even boot.
If you're interested in a discussion of this google for "disk2brick", that should find the long and bitter flamewar on the linux-kernel list on the topic of "how to destroy eide disks using undocumented eide commands".
Oh, and imho - the reason virus makers aren't exploiting this (except for overwriting the bios of some intel motherboards) is that most of them are bored teenagers talking about "virii". If someone with a clue and resources enough to test various hardware put their mind(s) to it I'm sure something could be made that messed up much of the common hardware today - enough that fixing it might cost more than replacing the hardware itself.
Combine that with, say, the bugs in the MS network stacks that MS has admitted to existing, and you have the potential of creating a lot of damage in a surprisingly short time.
But of course, that won't happen with the US government becoming the Internet Police soon.. (Ok, so that last sentence was flamebait, sorry
"big guns such as Klez have had almost no effect on home users"
Bull!
I work at a PC shop, and at least lately, not a day goes by that I'm not cleaning Klez off a customer's PC. About half the time there's little damage.. But on a 98 box, well--I'm sure you all know how fragile they are.
Almost no effect? I think not!