Slashdot Mirror
Stop Christmas-Gift PCs From Feeding Worms
An Anonymous Reader writes "If you recently set up a new PC with Windows XP,
or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected. In particular, if you have to connect it to the Internet to download all the patches.
Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.) Update: 12/24 17:59 GMT by T : Thanks for reader Bill Curnow for the updated link. Update: 12/24 19:15 GMT by T : Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.
"With many screen shots, it will walk you through the procedure to enable the XP firewall and downloading the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-). Given that its probably to late now to start downloading your favorite Linux distro."
But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)
Check those links, people.
Click Start > Network and Dial up connections
Right click on your internet connection, choose "Properties"
Click "Advanced"
Click the box to turn on the firewall
Voila. You are safe from Blaster.
As an added precaution, deselect "Client for Microsoft Networks" from all interfaces except any you really need it on.
Our Server: Surviving the Slashdotting
Sig (appended to the end of comments you post, 120 chars)
Try this instead.
http://www.sans.org/rr/papers/index.php?id=1298
There's been a lot of "Slashdot posts ever anti-Windows article that exists", but this article debunks that.
I usually recommend a hardware firewall, in particular the little blue Linksys firewalls. Home users can hook up their ADSL connection, plug in the firewall, and then their PC. Then as long as they don't download email until their system is patched and anti-virus is updated, they're relatively safe from most malware.
This year I've also begun recommending anti-spyware as well. It's amazing how ubiquitous that stuff's become over the past year.
Ruby on Rails Screencast
I figure if you're reading this on slashdot you don't need screenshots to find your way around a monitor...
Obviously, this should be done before you plug the machine into any kind of internet connection.
-Go to Start and then Control Panel.
-Once in Control Panel, choose Network Connections
-Right click on your connection of choice (if there's more than one, do it for all of them) and choose Properties.
-Go to the advanced tab and check the Firewall check box.
If you want to know more about how to configure it and modify the settings, click the link below that checkbox for directions.
-
Click Start > Network and Dial up connections Right click on your internet connection, choose "DISABLE" Voila! The proper config for any Windows Box!
I had just plugged my joystick into the USB port when it started wildly moving in my hand! Worms infected it I swear!
It's a classic catch-22 when you need to download the patches, but the act of downloading them makes you vulnerable ... I have just bought my parents a new PC (with XP, they're not up to Linux just yet ...) and I never thought twice about doing the windows-update thing... OTOH, they are behind a decent firewall (that does run Linux :-) so the risk is pretty minimal.
:-)
Perhaps all these DSL/WiFi combo boxes will be a blessing in disguise because they all come with a firewall (on by default, with Cisco's Linksys ones
Simon
Physicists get Hadrons!
Some might argue that WinXP comes with the Best Before date already expired, but there's a lot of CDs for many OSs out there with "open security". (The main problem with standard XP is the stupid requirement to phone home to register before downloading the patches to make it safe to be on the net in the first place.)
One line blog. I hear that they're called Twitters now.
People should return non-patched systems that are shipped from the manufacturer, and return systems where the install CDs don't put them to the same patch level they are shipped with.
while this isn't a cure-all solution to the patch mania that is necessary, but will go a long way to help bring up the baseline security of all these end-user hosts on the internet.
Try first ten minutes.
Due to some oddities in the purchasing orders for new hardware this year, it ended up that some of us unix guys were tasked with hauling new windows boxes around the workplace for people. We weren't expected to set them up, just unpack, plug em in, and turn em on. Ignorant of how vulnerable windows boxen are, we did just that, doing the silly clicky crap that any OEM relase makes you do, and walked off.
Within ten minutes, the traffic sniffers the security team has up were getting alarms caused by the machines we had set up and their ports got blackholed in about 15 minutes. One of the machines was already being used as a spam relay, the rest all had whatever viruses are still floating around.
Was quite an eye opener, I'd thought those viruses were over and done with and weren't a cause for concern anymore. Made me wonder how much bandwidth is being wasted that we don't even acknowledge. Spam is easy because it generates email.. but there's this underlying background noise sucking up bandwidth that you don't even see.
Course us "unix guys" had a good laugh over it, patting ourselves on the back in true bigot fashion over how secure unices are. But later that afternoon the nfs server that serves our home directories puked it's guts up so it put us in our place pretty quick.
My systems are behind a Hardware Proxy and a software firewall. I feel safe and have not been compromised... yet.
Those poor home users who are not technically savvy are pretty screwed. They won't be able to figure out *nix and don't want to pay the bucks for Apple.
Microsoft should offer (no not MSN) a method for new Windows machines to dial direct for patches before connecting to the Internet.
This method should be over ridable for the safer crowd.
www.thejulingtoncreekplantaion.com
No, the proper technique is called a "reach around". You reach around behind the box, unplug the network cable or phone line (I caught a worm over dialup once, that was the most hilarious thing ever), and consider yourself lucky.
I recentally had to install xp from scratch (because my roomate downloaded some virus). After I get xp running again, and get all my programs installed again. I went and bought Nortin Anti-Virus. After the first scan a few hours after I re-insalled everything I already had the blaster worm and some other type of worm! I guess that is what I get for not installing the patches the moment I install xp...
Steve B and Bill G install a new Windows PC, without any help, or special privileges, or special help lines.
Now, that is what I call a reality show.
I do DSL tech support for a large telco with a three letter name starting with "S" and ending with "C" and I have to bite my lip every time these poor, dumb people call in connecting their brand new Dells and Compaqs to the DSL with no firewall and not a clue as to what Windows Update is and why they need it. The reason I bite my lip is that Windows Update and firewalls are outside my scope of support and I was already told by my team lead not to waste time helping people with that stuff. Even worse, offical training tells us to leave the Windows firewall off when configuring a PPPoE connection - I am not making that up!
It's sad and irresponsible to let these people wander onto the Internet with their unprotected Windows computers like dogs wandering onto the freeway.
Your ISP shouldnt have to filter out random ports because someone somewhere wrote some crap software which is now easily explotaible over those ports . .
The fault is all the users who didnt patch there systems
I dont know about you but when my ISP starts port filtering I get pissed off , that my decision to make not theres (stupid monkies blocked of port 20 through 25 . I had to run ssh on a different port!)
Compare that to a godawful dialup VNC session on a home shopping network XP box where I needed to fix blaster and the person didn't know how to get to system settings.
I sold a mac that day with "Guess what, buy a mac and you will never have to deal with this again."
(and I won't either, to myself) That's why it is the best Christmas present you can give yourself, if you are the designated "computer-guy". Not having to deal with other people's XP is worth its weight in Half-Life Gold, Al Franken, and Myth II: Soulblighter.
I'll probably be marked as a troll for this, but Roblimo is just wrong wrong wrong.
Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.[link to article]
Right, until his daughter/granny buys a webcam from the store and wants to hook it up and use it, etc. Or she wants to use x program that only runs on Windows. Grannies and relatives buy lots of this stuff off shelves at the store. The Sims, nearly another other quality game on the planet? Probably isn't going to run on Linux, is it?
She does websites for pay... what happens when she decides she needs something like Dreamweaver, or Frontpage (gag, but a lot of people still use it) or Photoshop, in those rare cases when the (superior, IMHO) The Gimp won't fulfill her needs?
Sure, you could use VMWare or some other such deal, but then you'll require a copy of Windows and you'll have spent more time and money than if you had just put Windows on the machine in the first place.
What a load of narrow-minded horseshit, Roblimo. Your job as a self-appointed Linux advocate should be telling it to the people straight, and you aren't. They'll listen to you and get burned, and won't trust you or any other Linux person, next time.
I understand wanting to advocate alternatives at all times, but come on now Rob.
There is no way in HELL that I'd consider giving a linux machine to a friend or relative who is light on technical ability.
I am already on call to fix the computers of my friends and family, my girlfriend, my girlfriend's best friend, my girlfriend's sister, and my girfriend's sister's girlfriend.
I'd easily double the amount of free support that I've have to give if I gave someone a linux machine. Even if most of the calls ended up being "No, I can't help you install 'Barbie goes to the beach' because the version that you have is for Windows", that is still crap that I don't want to deal with.
I'd rather burn a disk with Ad Aware and Spybot Search & Destroy and give it to people than to have to educate people on a system that they know nothing about.
So many people these days don't know a thing about DOS, so how can you expect them to take the time to learn bash? More times than I would like to remember, I had to use the console to fix a problem on one of my linux machines that just couldn't be done through X. Sometimes the problem was that I couldn't launch X.
Windows is the devil that most people know. As awful as the security is, as awful as Microsoft's business practices are, Windows is the top dog and most mundanes don't care about anything but being able to check the weather, get email, bring up a few web pages, and play some games. For most people, that is easier to do with Windows.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
you won't get any spyware or data-mining cookies sneaked onto your computer
What, you're saying that not a single Linux web browser supports cookies? A "data-mining" cookie is just a cookie to track you as you browse the web - one set by an advertising site such as doubleclick. They work just as well whatever OS you're running.
6. Use your new shiny computer as you're pleased
Well, y'see, it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions (don't mention Wine, please). It also pleases me to write code in C# (again, forget mono, it's not nearly there yet). Until Linux provides me the means to do these things, it'll always be my secondary OS, Windows will be my primary, and "advice" to secure my PC by wiping Windows and installing Linux will be treated with the contempt that it deserves.
However, none of those bugs/holes will expose your PC to worms such as Blaster
You are of course aware that the first internet-borne worm utilised a buffer overflow in sendmail to infect computers? Don't go getting over-confident - true, I can't think of any Linux-targetting worms at the moment, but it's been done before, and it will be done again.
It's official. Most of you are morons.
"...Mods - mod as troll all you want. I am not trolling, though - these are the facts. Windows really sucks..."
Why do people make statements such as this? We all know that mods can be biased, the system is imperfect, and karma really doesn't matter. What does matter is having the ability to state one's opinions/beliefs and being able to defend them.
(tig)
Ignorance and prejudice and fear
Walk hand in hand
is called "TCP/IP port filtering". I have encountered this experience personally, on my dorm network. When I reinstalled WinXP, I didn't even have time to download SP1 before a virus made its way onto my computer and the IS dept shut off my port. However, I've found that if I leave my network cord unpliugged (card disabled, etc) until I have setup my TCP/IP filtering settings to allow only port 80, I can then download the necessary patches, update, and remove the filter. No problems yet!
The power of Christ compiles you.
A Random Blog