Windows Security Holes Go Mostly Unexploited
murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't the target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."
of these holes are exploited by adults who are quiet about it instead of big-mouth children?
It's Christmas everyday with BitTorrent.
Thousands of people are in dark alleys every day and rarely are any shot, raped, mugged or sodomized.
Banaaaana!
because they don't notice these viruses.
Saying that unprotected Windows machines go un-hacked is ridiculous. Just look at your server logs (if you run a web server). How many automated hack attempts do you see? Quite a few.
Tons of people are infected with viruses and spyware (now that shit should be illegal, god damn) but they never notice or care, as long as their computers keep working.
autopr0n is like, down and stuff.
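The server-log check the post above suggests, as an added example written for this page (not code from the thread or from the Wired article): a Python script that parses Apache combined-format log lines and tallies requests matching the well-known Code Red (`/default.ida`) and Nimda (`root.exe`, `cmd.exe` via directory traversal) probe URLs, per worm family and per source address. The log lines are constructed, and the signature list is a small illustrative set chosen here, not an exhaustive or authoritative one.

```python
import re
from collections import Counter

# Apache/NCSA "combined" format:
#   ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Small illustrative signature list (assumed here, not exhaustive). These are the
# well-known probe paths of the Code Red (.ida ISAPI overflow) and Nimda
# (root.exe / cmd.exe reached through encoded "../" traversal) worms.
PROBE_SIGNATURES = [
    ("CodeRed", re.compile(r"/default\.ida", re.I)),
    ("Nimda", re.compile(r"/(scripts|msadc)/root\.exe", re.I)),
    ("Nimda", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
    ("Nimda", re.compile(r"(%255c|%c0%af|%c1%1c)", re.I)),
]


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return the worm family whose probe pattern matches the request path, else None."""
    for family, rx in PROBE_SIGNATURES:
        if rx.search(path):
            return family
    return None


def summarize(lines):
    """Count automated probes per worm family and per source address.

    Returns (by_family, by_source, unparsed): two Counters and the number of
    lines that did not match LOG_RE (kept visible rather than silently dropped).
    """
    by_family = Counter()
    by_source = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            unparsed += 1
            continue
        family = classify_request(rec["path"])
        if family:
            by_family[family] += 1
            by_source[rec["ip"]] += 1
    return by_family, by_source, unparsed


# Constructed sample log, not a real capture. Addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Nov/2002:03:12:44 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 289 "-" "-"
192.0.2.10 - - [05/Nov/2002:03:12:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
192.0.2.10 - - [05/Nov/2002:03:12:45 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [05/Nov/2002:03:13:01 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 240 "-" "-"
203.0.113.5 - - [05/Nov/2002:03:14:20 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Nov/2002:03:14:21 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://example.org/" "Mozilla/4.0"
this line is garbage and will not parse
"""

if __name__ == "__main__":
    families, sources, bad = summarize(SAMPLE_LOG.splitlines())
    print("probes by family:", dict(families))
    print("probes by source:", dict(sources))
    print("unparsed lines:", bad)
```

Run it against a real `access_log` by replacing `SAMPLE_LOG.splitlines()` with an open file handle; the regex only needs the first seven fields, so it also works on the plain "common" format. The same three source addresses hitting several signature paths within a second is the pattern the post describes: nobody typed those URLs, a worm did.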
That's not the point. The point is that these flaws are not necessarily practical to exploit, or can't be because of a firewall/NAT.
This doesn't mean that Windows' security doesn't need a LOT of work - it does. It's just that practically speaking many exploits are not "the end of the world" as many news sites (*cough*) would like to make it seem.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes.
The problem is that the article fails to mention that if the holes are not fixed, sooner or later the so-called malicious hacker will find it and exploit it *quietly*. This is a dangerous thing.
IMHO, better to expose it and then *quickly* fix it rather than do nothing.
The problem is now that Microsoft knows (or is being told) about the holes but often takes a very long time to fix them and sometimes ditches the bugs as "unimportant". This is even worse as this *will* give plenty of opportunity for the hackers to implement the exploit.
--
Error 500: Internal sig error
- Steal the HS research paper on crop circles
- Grab secret financial information
- Use as a proxy to hide the hacker's identity*
- Part of a DDOS attack*
Now, let's think of all the benefits of hacking a server/website. Also note the last 2 reasons for hacking a home computer are really for working with servers. The truth is, not too many people really care about hacking your computer, unless it's a means to an end.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
That's not an exploit, the backdoor mirc 'bots' are delivered via trojan horses.
Ever join a chatroom and get mass autosends of crap like 'HoTCHICKandDOG.vbs'? Your girlfriend accepted and ran one of them. (Or maybe through an e-mail or a website or whatever)
So it's not what this article is about. Unless you consider user incompetence a security hole. And then, I don't know what you expect MSFT to do about it.
I don't need no instructions to know how to rock!!!!
Just because your girlfriend's computer got compromised doesn't make the article's position incorrect. Even a few hundred zombies on some script kiddy IRC channel doesn't invalidate the contention.
I really don't think you can use your individual experience as a barometer for the world at large. Being cracked isn't a unique experience, but it's not as common as the FUD-mongers would have us believe.
Do we doubt that there are malicious, destructive and/or idiotic people out there? Do we doubt that there are enough relatively easy-to-exploit bugs out there that can have amazingly destructive consequences?
While I would love for there to be a more holistic approach to security, as long as the majority software platform (with all of its variants) is rife with holes and the security repair falls exclusively to the same people who built it bad in the first place, I'll take point-by-point/line-by-line review any day of the week and twice on Tuesday.
One thing that bugs me a bit about this article is that it defines an exploit as a security hole. While this is true, the tone of the article makes it sound worse than it really is.
I mean, think about what an exploit really is: Somebody has taken a feature of Windows and turned it against the user or the user's machine. The problem I see here is that you can't have a totally secure machine and have all those fancy features you like.
I'll give you an example: I use Outlook's to-do list to keep track of my tasks. There's a feature where you can attach shortcuts to each task. I've found this handy; whenever I need to do my time sheet I just pull up the task and double click the shortcut inside of it. Now, in order to 'crack down' on security on my computer, I turned off a bunch of those handy-dandy features and found myself unable to launch that shortcut anymore!
Now, before you start saying "Oh, MS could easily fix that...", instead think about the real problem here. Either I don't use that feature at all, or MS has to think of every single malicious use of a feature and only allow the non-dangerous ones. Sorry, that's not a good solution. You're holding MS (or anybody else) responsible for other people's creativity.
I'm not saying that MS is unfairly given a bad rap for this whole topic. I think their default choices are ill-thought and have caused serious damage. However, it needs to be considered that there is always an inherent risk with any piece of software you use. It's not a matter of security holes, it's a matter of deciding whether or not it's worth the risk.
I, for one, would never underestimate people's creativity. I read about an insurance scam once where this guy got fire insurance for each of his cigars, over $1,000 apiece. Then he smoked them. He took the insurance company to court, and the judge reluctantly ruled that the insurance company had to pay the guy $12,000. Fortunately for the insurance company, though, they were able to charge him with arson. Heh, he got a hefty fine ($10,000 ish? I don't remember..) and served jail time.
Now, if you think about this insurance company, you probably wonder why they didn't have a policy about cigars or items that were meant to work with fire? Well, it's simple: They never imagined that somebody'd do that. The only way they could be fraud proof is if they were to clearly define the rules for every ridiculous outcome they can think of. Know what'd happen then? There would be people unable to redeem fair claims because their unusual case strayed outside the boundaries that are clearly defined. There would also be that one guy who figures out a creative way to buck the system anyway. The insurance company is far better off coming up with ways to deal with the eventual fraud instead of over-relying on their policies and laws to protect them.
So where does that leave us computer people? Well, it's simple: Using a computer is risky. Take a few risks but protect yourself. Worried about people stealing your credit card info on-line? My answer is not: "well don't use one then!" Instead, my answer is: "Get a credit card with a company that'll protect you in that event." Worried about data loss? Make backups once in a while. Worried about hackers breaking in on your always on connection? Use a firewall, but use common sense too. A firewall is the equivalent of shutting a few windows, it's not a structural reinforcement.
Total security is a pipe dream. Instead of blaming Microsoft, take some sensible precautions to minimize the damage done. The benefit here is that you protect yourself from damage that can happen outside of the exploit world. (Lightning strikes, hardware failure, children...)
Likewise, every remote root exploit makes it technically possible for this to happen. Even if relatively few people are being hacked by script kiddies today, that says nothing about the odds of a highly skilled attacker pulling off a single massively devastating attack.
This report is no reason for complacency.
Too late, we're already infected.
We'd have to eradicate Microsoft before the KDE, Gnome, and Mono projects finish cloning all of their convenient but insecure features (autorun when someone puts a disk in your CD drive, macros in your documents, Visual Basic scripts in attachments, click and run everything). Trade press folks saying that Linux on the desktop will never succeed until the apps work exactly the same way, when many of the security holes are simply logical consequences of the features as designed.
You might want to check your sources, as NO virus to my knowledge has been nor will be able to destroy a hard drive or BIOS on the physical level.
Overwriting the BIOS with garbage is as good as destroying it, unless you have a system with dual BIOS chips. If you can't boot to DOS, you can't re-flash it with the correct software.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Most unlocked doors and windows don't result in a burglary, either, but for everyone to ignore the issue is a bad idea when there are bad guys running around out there who can just walk in at will.
Of course most vulnerabilities don't get exploited, it's just a matter of volume.
The many exploit-ers are not aiming at you in particular. Once an exploit is found, setting up an automated tool to hack random machines is not hard. You may just happen to be one of the random victims.
Random victims can then be staging points for many things such as: warez servers, DDOS attacks on someone else, automated hack stations to get more zombies, etc.
This is fairly short sighted. Yes it may be an annoyance to you, but when your machine and thousands of others are DDOS-ing etrade.com, I can't make trades. Now it annoys me.
The difference is that it is hard to set up a gun that fires non-stop at random people for long periods of time. And if it were not so hard, and if there was a low risk of being caught by the police, I'm sure that you would start wearing a bullet proof vest -- or risk getting maimed.
This is the sort of crappy reasoning that states that since most people don't get whacked by the Mob, the Mob doesn't mean much. In NYC for years everyone paid a 1 percent Mob tax. That was the amount prices were inflated to cover corporate losses to the Mob. If you wanted to build a building, the cement was controlled by the Mob. Then you had, and have, labor rackets.
If a company is hacked and blackmailed they often don't report it. But the cost is passed along to the consumer.
The biggest hole is the end user. Tight network security means nothing if the end user can run a trojanized screensaver sent to him by email or downloaded from Joe Blow's Web Emporium and infect his own machine.
And I have heard claims that as many as 90% of security breaches go undetected. Think about it. How many of even you Linux users actually run tripwire on your personal system? What percentage of people do you think even check the md5sum against their downloads before compiling as root? It is small I guarantee. I once posted the wrong md5sum for a release of an open source project and it was downloaded hundreds of times without anyone saying anything.
Another reason they go undetected is that many trojans are customized. If you were going to plant a keystroke logger on a target's computer would you use one that is found by McAfee antivirus? No. You'd compile your own; changing the signature, different size, different port, different protocol, and only use that particular version in that one instance.
Of the breaches that are detected, many are not reported. What bank or online retailer wants people to know that their personal data was stolen? So just because there hasn't been a Code Red lately doesn't mean all is well.
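The two checks the post above mentions, a tripwire-style file baseline and verifying a download against its published sum, as an added example written for this page (not the poster's code, and not the real Tripwire tool): `build_baseline` hashes every file under a directory, `compare_baseline` reports what was added, removed or modified since, and `verify_download` refuses a file whose digest does not match the value published beside it. `run_demo` is a helper invented here; it builds a throwaway tree in a temp directory, so the file names and contents are constructed and nothing on the real system is touched.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # hash in 64 KiB pieces so large files need not fit in memory


def hash_file(path, algo="sha256"):
    """Return the hex digest of a file using the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest, algo="md5"):
    """Compare a downloaded file against the digest published beside it.

    True only on an exact match. A mismatch means the file or the published
    sum is wrong; either way the right response is to stop and ask, not to
    compile it as root anyway.
    """
    return hash_file(path, algo) == published_digest.strip().lower()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_baseline(baseline, root):
    """Re-hash root and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def run_demo():
    """Constructed scenario: take a baseline, tamper with the tree, report.

    Returns the change report plus the outcome of two download checks, one
    against the correct published sum and one against a wrong sum.
    """
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"original login binary\n")
        with open(os.path.join(root, "inetd.conf"), "wb") as f:
            f.write(b"ftp stream tcp nowait root /usr/sbin/in.ftpd\n")
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"welcome\n")

        baseline = build_baseline(root)

        # Simulate a quiet compromise: trojaned binary, dropped backdoor, removed file.
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"trojaned login binary with keystroke logger\n")
        with open(os.path.join(bindir, ".backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "motd"))

        report = compare_baseline(baseline, root)

        # The "wrong md5sum posted for a release" case: the published value and the
        # file disagree, and the check must fail loudly instead of being ignored.
        tarball = os.path.join(root, "project-1.0.tar.gz")
        with open(tarball, "wb") as f:
            f.write(b"not really a tarball, just constructed bytes\n")
        published_sum = hash_file(tarball, "md5")   # what a correct release note would list
        wrong_sum = "0" * 32                        # a sum that does not match the file
        report["download_ok"] = verify_download(tarball, published_sum)
        report["download_with_wrong_sum_ok"] = verify_download(tarball, wrong_sum)
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

To use it for real, run `build_baseline` on a freshly installed system, store the result somewhere the machine cannot write to (read-only media or another host), and rerun `compare_baseline` from a trusted boot; a baseline kept on the monitored disk is exactly what a quiet intruder edits first.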
People who run antivirus software and keep it up to date are almost completely immune to this nonsense. And it's not like they haven't been warned; anyone who thinks about this knows. Almost everything out there that's prevalent in the wild was patched by MS or put in everyone's virus definitions long ago.
Here's the virus count for my gateway since July 4 of this year:
717 WORM_KLEZ.H
120 WORM_SIRCAM.A
45 WORM_YAHA.E
11 PE_NIMDA.E
6 WORM_BUGBEAR.A
2 WORM_HYBRIS.B
1 JS_NIMDA.A
1 WORM_HYBRIS.C
1 WORM_KLEZ.E
This is the 3rd article (yes I am sure there are many more) I have read this year telling me how few attacks and infections are actually occurring. The media only wants to report the big ones like LoveLetter or Code-Red. If it doesn't affect 10 million systems, it can't really be that bad, can it?
I am a security professional. I teach many security courses including antivirus administration. I have done trainings for companies with 100,000s of desktops that have full time staff dedicated to the eradication of viri. According to this article these people are wasting their time because it isn't a problem. But when I walk in and have a room full of enterprise level employees all there to learn about how to manage (not clean, mind you) viri then I know there is a problem. No company is going to spend money when they don't have to. I would suggest that all these authors go read up on some basics of risk management.
We haven't had a fire in my building in over 30 years. Why do we keep wasting money on sprinkler systems?
It's not at all puzzling that we haven't seen malicious virii. Something which destroys its own host hampers its ability to spread (you can't keep infecting new computers after you destroy the current one).
Outbreaks of Ebola and other very quick killing virii stamp themselves out due to lack of new hosts.
Doug
Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!
This seems like common sense. I don't think that anyone would be surprised that while the human body is vulnerable to many things, most criminals prefer guns and knives. We're all lazy, or efficient depending on your point of view, and usually use the easiest method to accomplish the task at hand; if there is a well known and easily exploited hole, why should the cracker be expected to go find a new and completely different one just to 0wn j00?
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
yes, it is true that microsoft has a lot of security flaws and they get the appropriate amount of flame for it, but the irony is how the open source losers completely ignore all the flaws that are publicly addressed regarding their own "kind", which get dismissed on grounds of "who cares? it's been fixed.", "it's not that significant, it's open source!"
Despite the thousands of known exploits and virii, most MS users aren't target of much harm
3 words... no shit sherlock. Despite the incredible stupidity of claims that klez is ineffective, I'd have to say the reason that thousands of different virii/exploits/etc aren't being used is because the existing ones work very well to nail a large range of people. If 2% of the exploits hit such a large audience of say 100000+ people, why bother trying to hack up new methods.
Once a given method begins to be less effective, then the hackers/etc can move onto something more effective.
It's like having a changeroom with 1000 peepholes. Why do you need 998 of them when the one or two in the corner are showing you all you need to see?
Don't blame Linux for your cluelessness.
I mean, seriously, you're running ZoneAlarm on the Windows box and have turned off non-essential services, and you're comparing that to an out-of-the-box, unhardened RedHat 6.2 install running every service under the sun with no firewall?
The first time it got cracked should have been a clue to wise up and secure the box. Is rpm -Uvh so difficult? As our illustrious president says, "Fool me once, shame on--shame on you. Fool me--you can't get fooled again."
If you had kids, would you buy two guns, put a trigger lock on one and store it in a safe, but leave the other one loaded, lying around with the safety glued off and the trigger guard sawed off? And then, when your kids keep shooting themselves, would you reload the gun and leave it in the same place? And then would you come onto some online gun forum and complain that the latter gun is so much less secure than the one you keep locked up?
Security is not, and never will be, perfect, but it does make it harder for an intruder to pull something off. Florida in the late '70s probably had the most stringent security of any airports in the states (lots of cuban hijackers wanting to go home, etc.). Nonetheless, I was able to walk all over their security systems before I made the mistake of telling someone what I'd just done (asking for help, I was).
It's not that most home users aren't affected by viruses, it's that most home users don't notice when they're infected. Most home users don't have the money to pay for someone who can watch their network on an ongoing basis for signs of intrusion. Even fewer are geekheads like me who can look at the blinking lights on my hub, go 'where did that traffic come from' and then load up ethereal and/or go through my firewall logs (firewall? what firewall) to figure out if what happened was really benign.
Even businesses -- One place that I do occasional work (the only Unix-head in a sea of Windows) didn't know that they were infected until I noticed way too much traffic for the time of day and started up ethereal. I told their admin, he plugged the holes, and a little while later I found more signs of exploitation on their net. The last time I told their Windows admin about a problem, he had given up trying to secure their boxes. Spammers are still using their proxy boxes to deliver email but most major services (except Hotmail!) are refusing their connection, now.
If Al Quaida was using the thousands of 'benign' Windows exploits to setup a distributed meltdown of the internet, we wouldn't know it until after the pieces fell down. They spent 4 years setting up September 11. How much damage could they do with 4 years worth of Windows exploits?
OS Software is like love: The best way to make it grow is to give it away.
Isn't this kind of like saying, "Small Countries go Mostly Uninvaded" or "Girls Alone walk Mostly Unharmed"? The reason everyone gets worked up about these things is because of how bad a single incident can be.
Yeah, a good firewall can stop a lot of this stuff from going on... even my little Linksys box does a decent job of firewalling me off from the world. But, it's amazing how many people I know that have gotten DSL/Cable modems and install the shitty PPPoE software (or just as bad, are straight DHCP) and are on the "web" with no clue about what a "port" is, or any idea that they even *may* be vulnerable.
I had a friend of mine who I had go to the dslreports site and run a quick scan... no firewall of any kind, just hooked right up to DSL. I think 4 ports showed as open... and while there were no shares open (and Win2k *is* better than 98, and WAY better than 95), that's still not necessarily a good thing. Gee, why does she keep getting windows popups? It's annoying... she's been getting them for months (first time she'd said anything to me about it... stopped the messenger service), why does her machine run so slow (gee... bearshare running on startup, I wonder..?), she opened some email and thinks she may have gotten a virus (no virus scanner, I fixed that)...
90% of the *users* (Lusers) out there have no clue what a virus is, or what it means to be "hacked" (isn't that something you use a hacksaw for?), or just how insecure they really are. And probably most of them have no clue of how a virus comes in, to just delete spam emails (*GOD*, the number of chain mail letters I used to get from certain friends... poor johnnie dying of cancer, forward to 10 friends and reply to "ima-spammer.com" and we'll help him! yeah, sure).
People are mostly clueless... it's like a hand drill, they don't want to know how to build a 110VAC reversible motor (ok.. cordless 18V these days), they just want to drill holes. They don't want to know how a computer or a network works, they just want to be on the "web" and "surf" and read emails. It takes most of their brainpower to do that, much less have the knowledge to know if they've been *hacked*.
Geez.. even in the old days when I had friends who had computers and almost never got online, they'd call me up thinking they had a "virus"... and later tell me their machine only started crashing after installing new game "X" on their machine (no virus, just some incompatible DLL or some other crap). How would they know?
In Sudan there are about 2 million landmines remaining, and there have been more than 700,000 landmine victims since WWII.
"The average citizens wouldn't know a hack if it walked up and bit them," Sweeney said. "And many of the so-called landmines require a very specific event to occur and the odds are very slim that it will occur. "
Idiot. People caring about security problems is like Sudan's citizens caring about landmine problems. The fact that the majority of them are not victims doesn't mean it's safe out there.