Survival Time for Unpatched Systems Cut by Half
UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the 'Survival Time' of unpatched, unprotected (Windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year to 20 minutes this year.
The survival time is calculated as the average time between reports for an average target IP address. If you assume that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches.
The Honeynet Project did publish a paper with some stats back in 2001."
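The ISC metric quoted in the summary (mean gap between reports per target IP, then averaged across targets) worked through as an added Python example; this is not code from the post or from ISC, and the report lines are constructed sample data, not ISC data:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample of sensor reports (not ISC data):
# "UTC timestamp  source_ip  target_ip  dport"
SAMPLE_REPORTS = """\
2004-08-17T00:00:00 203.0.113.5 198.51.100.10 445
2004-08-17T00:18:00 203.0.113.9 198.51.100.10 135
2004-08-17T00:40:00 203.0.113.5 198.51.100.10 445
2004-08-17T00:05:00 192.0.2.77 198.51.100.20 135
2004-08-17T00:35:00 192.0.2.78 198.51.100.20 1434
"""


def parse_reports(text):
    """Yield (timestamp, target_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[2]


def survival_time_minutes(text, min_reports=2):
    """Average gap (minutes) between consecutive reports per target,
    averaged across targets. A target seen fewer than `min_reports`
    times has no interval and is skipped; returns None if nothing qualifies."""
    by_target = defaultdict(list)
    for ts, target in parse_reports(text):
        by_target[target].append(ts)

    per_target = []
    for times in by_target.values():
        if len(times) < min_reports:
            continue
        times.sort()  # reports may arrive out of order
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        per_target.append(mean(gaps))
    return mean(per_target) if per_target else None


if __name__ == "__main__":
    # Target .10 averages 20 min between probes, target .20 gets 30 min: 25.0 overall
    print(f"survival time: {survival_time_minutes(SAMPLE_REPORTS)} minutes")
```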
Install Windows XP off a CD that includes SP2 slipstreamed in, and your survival time online 'unpatched' goes up dramatically. Something about a reasonably good firewall that is turned on by the default installation...
They do. At least in Europe retailers are giving out 'Microsoft Windows Security Update' CDs. Works on any Windows version, but sadly is not quite up to date on XP patches anymore. Next edition is coming soon (called 'Windows XP Service Pack 2 CD') - I fully expect MS to hand out those for free via retailers as well. You can already order one via the MS web page.
err...they do. Free. Not as continuously up to date as it might be, but they do have them.
hmm...or rather, they did.
the important thing to note here is that this ISN'T the time from an announced exploitable hole (and patch), it's the time an exploit actually takes once it starts propagating.
the time it takes for an exploit to be crafted has usually been sufficient to allow sysadmins to patch: 1 to 2 months usually.
doesn't mean it happens, obviously. and the time it takes for an exploit to be created is shrinking, too.
at this point, the clue should be received: firewalls. updates. secure systems.
(and microsoft, please fix your stuff pro-actively.)
stored on computers from birth to the grave
This is why the average broadband connection should be behind at least a consumer router, even if it's the only machine connected. Routers are too cheap and easy to skip.
I work for a Fortune 5 company and we've had to alter our standard load server procedure to go offline and apply some patches because we have estimated that one in six unpatched computers that we work with will get the Sasser worm (that annoying reboot prompted by LSASS).
If this happens in an enterprise environment, I pity all those clueless web users.
chances are you will get infected before the install is finished then:
the trick is easy tho
1) unplug network
2) install XP
3) install firewall or activate built-in FW
4) plug in and config network
5) patch the system
there, 5 easy steps for a "safe" install
42
Breathe in, breathe out. This can be overcome!
1. Unplug your network connection before you install the OS.
2. Install the OS
3. Before you connect to the network, shut down every service you can shut down and make sure they don't start automatically.
4. Connect the computer to the network.
5. Run Windows Update until you're fully patched
6. Set up the firewall
7. Start enabling any service you might want to run.
This approach will hopefully keep you safe from harm - and it will definitely reduce your exposure!
Stop the brainwash
Did you ever learn anything about computer security? On a machine that you do not want to be compromised, absolutely do not connect it to the network/internet. Have all relevant patches available on removable media - that has been verified authentic - and install sans network.
Then once you are certain that everything is hunky dory, plug it into the network or internet with a firewall (for both incoming and outgoing).
And this isn't an issue with Windows or Linux or FreeBSD for all the fanboys out there. This applies to all OSes. Windows is targeted more because there are more people using it. There are plenty of exploitable vulnerabilities in any OS. It's a matter of work / payoff ratio.
Before you plug in the net cable turn on Windows Firewall. It's minimal protection but it's better than nothing. One thing to make sure of after you have the firewall up is to not go to any sites or connect to any online services other than Windows Update until you are fully patched. I've never had a problem getting a machine patched once I adopted this method.
"You can now flame me, I am full of love,"
Read the bottom of that page...
" If you prefer to use a different Web browser, updates to Windows may be downloaded from the Microsoft Download Center."
With a link within the text "Microsoft Download Center." I'm guessing you can at least get some necessary patches from there (SP's, some critical patches) before letting your machine full-bore on the 'net without a firewall.
I know there are some home users out there that still aren't natting or using some sort of stateful firewall, but come on - you have 2 linux boxes there and can't get a nat to work? Hell, I'll buy you a linksys, they're getting darn cheap after rebates nowadays.
Karnal
Figure out what the latest service pack for the OS is, and apply that. That should let you get on long enough to use windows update to scan and get a list of the other KB-patches you need. Disconnect, patch, rescan. Repeat. If you want to learn how to use QChain, it can be faster, but that doesn't work on Win 98/ME.
For the truly paranoid, keep a list of what order you need to apply the patches in. Then wipe and reinstall the OS from scratch, and apply the needed patches in order without connecting to the net first.
However, it's a lot easier to use the Update CDs. It would be nice if there was a reliable torrent of the ISO somewhere....
//Information does not want to be free; it wants to breed.
Usually when I install a fresh copy of Windows I disconnect the Ethernet cable until I've at least installed a firewall (if the computer isn't already behind a router/firewall) and done any updates.
The other day I was at my sister's house and installed her a fresh copy of w2k. For some reason I completely forgot to disconnect the network connection and not two minutes after Windows initially started, the machine had become infected with Nimda.
There is a ~140 meg stand-alone install... but you wind up downloading EVERYTHING and not just what your computer needs...
http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx
Same is true for SP2...
I live in Soviet Canuckistan you insensitive clod!
The bottom of the page says that I must be running windows. None of that browser shit =)
From the SANS Institute - a PDF file giving step by step, detailed instructions (suitable for newbies!) on how to set up a brand new, un-patched XP box, connect to the I-net, get it all patched and updated *WITHOUT* getting it all FUBAR'd in the process.
Good read and should be a mandatory inclusion with every Smith's Club, Wally-World, Shack de Radio, Dell, HP/Compaq, ET-ware, Gamer's Hack Shack or any other end user PC appliance sold.
http://www.sans.org/rr/papers/index.php?id=1298
SANS server is amazingly slow today - here's an alternate:
http://www.cablemodemhelp.com/xpsurvivalguide.pdf
Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
My first recommendation is that you get a router with a hardware firewall--for the price, there's really no reason not to. And any ISP who discourages the use of routers is just plain irresponsible.
If you don't have a router, have the free version of ZoneAlarm handy, and a list of the services you can shut down on Windows (everything you don't need that uses ports or acts as a server.) Shut down these services and install ZoneAlarm before you plug the machine back into the internet. When you do connect to the web, no one will even know you're there.
Between my router, ZoneAlarm, Ad-Aware, and some good anti-virus software, I haven't been touched by anything out there for 10 years, even when installing and patching.
Also, it's trivial to download a better firewall on another computer, smack it onto USB drive/CD and install that. Unlike downloading all the patches, which is not trivial at all.
im in ur
To verify: Start -> Control Panel -> Internet and Network Connections -> Network Connection -> select your network connection; verify using the same dialog as 'Client for Microsoft Networks'. Select 'Advanced' tab.
Connect Network: Start -> Control Panel -> Windows Update -> Scan for Updates
PS: If I remember correctly turning on the firewall (Pre SP2) will prevent you from communicating with other computers on your LAN. But you definitely want to turn it on until you get patched or download/buy another firewall.
For the rest of us...
Go into Computer Management. Expand the tree on the left to show the list of services. Bring up the properties for the RPC service. Find the option that chooses what Windows does when the service fails and change it from 'Restart the computer' to something more sane.
Go online and patch yourself up to the eyeballs. Then undo the change you made. Ta-da.
(sorry for the lack of detail above - Windows is what I do for work, I'm at home with my Linux and Mac machines so can't look this stuff up.)
That's one of the funny things about the whole Blaster situation. The reboots weren't directly caused by the worm. Rather, they were a result of Windows' default response to the RPC service failing (reboot). I wonder why the default couldn't have been the much friendlier option of 'Restart the service'.
*shrug*
What's the frequency, Kenneth?
I highly recommend building out a machine behind a NAT box, the price for a typical NAT box is no longer a factor and if you're not using one during a Windows OS install, you're an idiot. I highly recommend Autopatcher from http://www.autopatcher.com/
It's free.
They'll soon have versions for W2K and W2K3.
Put this on CD and you're good to go for a large majority of your OS patches. There is also a nice collection of tools and toys included in autopatcher to play with too. Check it out, it's worth your time.
Use autopatcher to install what you are missing and then visit WU to get up to date patches.
It's quicker and safer than the Windows Update download/reboot/download/reboot game when you're most vulnerable.
They even include some nice CD/DVD cover graphics too.
There simply is no excuse for being unpatched when there are solutions like this available, if you are still unpatched, you deserve what you get. No sympathy from me.
But I mean the standard cheap electronic store definition of router.
A standard router is "A device which forwards packets between networks. The forwarding decision is based on network layer information and routing tables, often constructed by routing protocols."
Nothing about stopping incoming worms there.
Looks like you're really talking about a "NAT router/firewall", which sometimes has reduced routing capabilities. I recently went to PC World (not hoping for much success) looking for a router, since I have a block of 8 public IPs on my LAN, and wanted routing between them and the Internet. I ended up buying one off the 'net since the guy at PC World was a little confused about what routers do and couldn't tell me if they actually sold a real router.
Follow me
If you aren't using windows, what you get is:
Thank you for your interest in Windows Update
Windows Update is the online extension of Windows that helps you get the most out of your computer.
You must be running a Microsoft Windows operating system in order to use Windows Update.