Slashdot Mirror


Survival Time for Unpatched Systems Cut by Half

UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (Windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year to 20 minutes this year. The survival time is calculated as the average time between reports for an average target IP address. If you assume that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The data is collected from a large number of networks with different types of upstream protection, so if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches. The Honeynet Project did publish a paper with some stats back in 2001."

27 of 460 comments

  1. Patch CDs by Oculus+Habent · · Score: 4, Insightful

    Microsoft should make Patch CD ISOs available. You could swing by a friend's house and get one, drop into your local computer store and have them burn you one for a few bucks, or pick up a Microsoft-produced copy at your local gas station, like AOL CDs.

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
    1. Re:Patch CDs by Jim_Maryland · · Score: 2, Insightful

      The parent to your post obviously has worked with the older MS versions (9x, NT, ME) and has been trained that reinstalling the OS is part of the standard operating procedure.

      On a more serious note though, the firewall option isn't available on all MS operating systems by default and isn't configured "on" by default. While locking down the system prior to connecting to the Internet should be the standard practice, most PC owners really don't have the technical skills to do this, even with the MS GUIs.

  2. Dodgy assumptions by Westley · · Score: 4, Insightful

    The name "survival time" suggests that it's the average amount of time an unpatched system would last before being compromised. That assumes that every single worm targets every single unpatched system, and is always successful. That's not exactly realistic - many worms target specific programs which may well not be on the unpatched system, or target specific operating system versions.

    It would be much more interesting to see average compromise times for a vanilla install of various different OS versions (with no ISP protection, of course). In the meantime, the name should be changed, in my view.

  3. Update during Install by funkdid · · Score: 5, Insightful

    Microsoft should have an auto-update during install feature. (If you have broadband). During the install process it could run the windows update, blah blah blah once your nic was initialized for the first time and IP granted etc.

    --

    I boycott signatures

  4. Re:C'mon now! The patch is out! by hattig · · Score: 4, Insightful

    Thing is, both MacOS and Linux have had numerous RELEASE updates in the time that Microsoft haven't changed anything with the default XP install CD. Which means that if you need to reinstall XP now, you run the risk of being pwned, but if you install Linux or MacOS, you will be doing it from a much more recent CD that is far less susceptible.

    I don't know how often Mac users reinstall, but if they had to, and their hardware was good enough, I'm sure that they'd upgrade to the latest version at the same time. You simply can't do that with Windows, you have your 3 year old install CD. Of course, you didn't have to pay $120 each year since like with MacOS X, although you did get extra features with that as well as bug fixes.

    I doubt that many people would burn a specialised SP2 CD and do it right. Human nature - their current system has it installed via Windows Update, why download it again as a whole? They probably wouldn't even know about it.

  5. No big deal - just install behind a firewall by EricLivingston · · Score: 5, Insightful

    I do all my machine builds and initial updates with the box sitting behind a netgear router, fully NATted and with no port forwarding - i.e. the box is invisible to the net. I've merrily built and updated many machines in this way and have never been compromised (and my last step is to virus, spyware, and trojan scan with several of each type of tool).

    If you just throw a cheap hardware router/NAT/firewall in front of your box when you build, this isn't really big deal I've found.

    --
    Please Rate my comment (and help support Fre
    1. Re:No big deal - just install behind a firewall by MsGeek · · Score: 4, Insightful

      Exactly. Those little router boxes are so cheap, even if you only have ONE machine there is no excuse not to use one.

      Maybe they are not proof against all hacks, and a determined and skilled cracker might be able to get around it with ease, but the boxes will protect you against worms. Problem solved.

      --
      Knowledge is power. Knowledge shared is power multiplied.
  6. This again? by Otter · · Score: 4, Insightful
    Either way, 20 minutes is not long enough to download patches.

    Perhaps a "TURN THE GODDAMN FIREWALL ON BEFORE YOU CONNECT TO THE NETWORK!" notice somewhere on the front page would get the point across? I've done exactly two Windows installs in my life and I know how to safely set up a new XP system.

  7. Re:What do they mean by survival time? by WWWWolf · · Score: 4, Insightful
    What do they mean by survival time?

    I'm guessing here, but time between when a machine is first brought online and when it's first discovered/probed/found alive by a worm or hax0r scanners - in other words, time before worm infection or other kind of intrusion, because after it dawns on the world that there's an unpatched system right before their noses, there sure isn't much time left before that system is owned.

  8. 20 minutes? you mean, more like 20 seconds? by Goeland86 · · Score: 2, Insightful

    I recently reinstalled winXP on my 'puter (shame on me) to be able to use the NetMD software. Well, I knew what was going to happen as soon as I plugged the ethernet in. So, as usual, I installed winblows, then McAfee Antivirus 7 + firewall, then plugged the cord in to get the updates. 20 seconds later, McAfee stopped functioning. I received tons of Windows messages about earning college degrees online, a couple porn ones and whatnot. Ok, so far, nothing (too) surprising. So, I take my courage in both hands, open up IE to go to Windows Update. BIG mistake. Instead of Windows Update, I ended up on some obscure casino website with so many popups I thought my system was going to jam. A few hundred clicks later, I finally see the new Windows Update page. Then, I start downloading the updates, like everybody else does. Of course, in the meantime I left a total security black hole open for every hacker in Beijing to try and read the lack of data on my drive. I can understand how some people overcome the integrated winXP firewall. But HOW in the world did they hack McAfee's to stop working? I had to download updates manually, and McAfee, just like Windows Update, REQUIRES IE, for some obscure non-standard undocumented function. So... is M$ the only one at fault here? Probably not, though I'm willing to bet it's because of winXP security failures that McAfee was disabled. Sometimes I think of WinXP as a sponge. So many many many holes... And they have to be filled one by one. No wonder winblows will never be secure. But, the reason lots of people use it, as my gf says: sponges are nicer, you don't wanna use a rock unless it's to crack heads. So, moral of the story? It's the opensource world's role to crack the big fat happy M$ head.

    --
    ---- I am certain of only one thing : I know nothing else.
  9. Windows Patch Process..it takes too long by HighOrbit · · Score: 3, Insightful

    A few weeks ago, I installed Win2k. I then proceeded to Windows Update and started the patching process.

    I went for the big updates first (like Service Packs and IE upgrades) - but most of those require that they be installed alone with no other updates until the machine is rebooted. So you have this long drawn out process of download a single patch, reboot, download another single patch, reboot, download another patch, reboot, repeat ad nauseam and finally download all the stragglers. I'm not sure how many reboot cycles I had to go through, but the whole install and patch process (including partitioning and formatting) took over an hour. And that was attended.

    My point here is that during the patch process with the constant reboots, it would be easy for somebody to walk away from a machine while it is downloading or rebooting and thereby leave it open to attack while it is idling. Of course, you ought to download all the patches on a secure machine and then patch up your new box while inside your own secure net before exposing the box, but most people (like me) are going to connect direct to the internet to get "Windows Update". Luckily, I am behind a firewall, but you can easily imagine how ugly it could get if somebody were doing this outside a firewall. The single downloads and constant reboots are not going to help.

  10. False Analogy by XanC · · Score: 4, Insightful
    RedHat 5 is how many generations behind the latest?

    We're talking about people who want to install from the absolute latest Windows CD, and they have to take severe steps to avoid getting 0wned.

  11. 20 minutes is a champion run time... by TheOtherAgentM · · Score: 2, Insightful

    With the amount of worms and viruses out there, even a clean format/install won't last more than a minute. I put a system up without a firewall and it got pounded by the Sasser worm immediately. Even with Windows Update auto-resume download it took me twelve tries, each time before being forced to reboot by the worm, to get just that one small patch installed. After that patch, I patched like crazy, because there's so much more out there.

  12. this stuff has been said in other posts, but... by astrashe · · Score: 4, Insightful

    First of all, if you buy a new machine with the OS pre-installed, it will probably be patched almost up to date out of the box.

    Second of all, if you're installing your own OS, you're taking on the responsibility to do things in a minimally competent way. That might mean a NAT router, a slipstream installed CD, or just a CD with the service pack burned on it, so you can install it before you plug into the net.

    Third of all, you should be using a hardware firewall anyway.

  13. Re:Low survival time by Darth_brooks · · Score: 4, Insightful

    Walk down the street in downtown Detroit counting $20 bills and see how long it takes for you to get mugged. Then do the same on Main Street in West Bumblefuck, Iowa (population 15, if'n Pastor Smith isn't out of town). Betcha you last longer in Iowa. In other words that time is probably dependent on how nasty the computing environment is.

    IIRC Sasser and Blaster chose their target IPs at random, starting with IP addresses in the same subnet then moving to random IPs. So if a machine gets infected four seconds after it's plugged in, that's not just a product of how poorly secured Windows is, it's also a product of U of Alberta having a network chock full of RPC 'sploiting goodness. Now, if they'd plugged the same box into an environment that had been properly patched, firewalled, etc., the box would've been fine for hours, days, or maybe it would've never been compromised at all.

    Firewall and Snort logs can give you the true tale of the tape. Some days my home firewall (SBC residential DSL) is turning away worm attempts like a goalie on speed. Other days I go 10-12 hours without so much as a nibble or a port scan.

    But it is so much fun to talk about how "WIUNDOWS IS TEH GHEY! IT GOTS PWN3D IN TEH SECONZ!!LOL!!!11ONE@!!!@!

    --
    There are some people that if they don't know, you can't tell 'em.
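The summary defines survival time as the average interval between reports for an average target IP, and the comment above points out that your own firewall logs are the only honest measurement for your network. The script below is an added example (not code from the Internet Storm Center, DShield or any poster here) that computes that metric from a firewall's inbound-block log. The log lines are constructed, in a simplified iptables LOG-target format (real lines carry more fields); the regex, the worm-port table and the exponential arrival model are all assumptions made for the example.

```python
"""Compute an ISC-style "survival time" from inbound-block firewall logs.

Added example; not code from the Internet Storm Center, DShield, or any
poster in this thread. The summary defines survival time as the average
interval between reports for an average target IP, so that is what
survival_time_minutes() computes. The log format below is a simplified,
constructed iptables LOG-target line (real lines carry more fields such
as LEN/TTL/SPT); adapt LINE_RE to your own firewall's format.
"""
import math
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample, not real traffic. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Aug 17 10:00:00 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=135
Aug 17 10:05:00 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.11 PROTO=TCP DPT=445
Aug 17 10:10:00 gw kernel: DROP IN=eth0 SRC=203.0.113.21 DST=198.51.100.12 PROTO=TCP DPT=135
Aug 17 10:12:30 gw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP DPT=80
Aug 17 10:20:00 gw kernel: DROP IN=eth0 SRC=203.0.113.40 DST=198.51.100.10 PROTO=TCP DPT=445
Aug 17 10:30:00 gw kernel: DROP IN=eth0 SRC=203.0.113.8 DST=198.51.100.10 PROTO=TCP DPT=22
Aug 17 10:45:00 gw kernel: DROP IN=eth0 SRC=203.0.113.66 DST=198.51.100.11 PROTO=UDP DPT=1434
Aug 17 10:46:00 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.1 DST=198.51.100.10 PROTO=TCP DPT=80
Aug 17 10:47:00 gw sshd[4242]: Accepted publickey for admin from 198.51.100.1
"""

# Only DROP lines count as "reports": that is what a DShield-style sensor
# submits. The ACCEPT line and the sshd line above are skipped on purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP IN=\S+ "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

# Ports the worms named in this thread spread on. Every other blocked
# packet is still a "report" in the ISC sense, which is Westley's point:
# a probe is not a compromise unless it hits a service you actually run.
WORM_PORTS = {135: "Blaster (RPC/DCOM)", 445: "Sasser (LSASS)", 1434: "Slammer (SQL resolution)"}


def parse_log(text):
    """Return one dict per blocked inbound attempt, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; strptime defaults to 1900, which is
        # harmless here because only differences between stamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
                       "proto": m.group("proto"), "dpt": int(m.group("dpt"))})
    return events


def survival_time_minutes(events):
    """Per-target mean gap between reports, plus the mean over targets.

    A target seen only once yields no interval and is left out rather
    than guessed at; the overall value is None if no target has two or
    more reports.
    """
    by_dst = defaultdict(list)
    for e in events:
        by_dst[e["dst"]].append(e["ts"])
    per_target = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        if len(stamps) < 2:
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        per_target[dst] = mean(gaps)
    overall = mean(per_target.values()) if per_target else None
    return per_target, overall


def worm_port_share(events):
    """Fraction of reports aimed at a port one of the named worms uses."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["dpt"] in WORM_PORTS) / len(events)


def p_probed_within(minutes, mean_gap_minutes):
    """Chance of at least one report within `minutes`, assuming probes
    arrive as a memoryless (Poisson) process with the given mean gap.

    This is the modelling assumption behind "20 minutes is an average,
    not a countdown": at t equal to the mean the chance is about 63%,
    and even a 5-minute patch run against a 20-minute mean is about 22%.
    """
    return 1 - math.exp(-minutes / mean_gap_minutes)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    per_target, overall = survival_time_minutes(evs)
    for dst, gap in sorted(per_target.items()):
        print(f"{dst}: mean gap {gap:.1f} min")
    print(f"survival time (mean over targets): {overall:.1f} min")
    print(f"share of reports on worm ports: {worm_port_share(evs):.0%}")
    print(f"P(probed during a 5 min patch run): {p_probed_within(5, overall):.0%}")
```

Run against a real log, the per-target numbers are what separate a "downtown Detroit" network from an "Iowa" one: the same unpatched box gets a very different mean gap depending on which address block it lands in, which is why the ISC's single global figure is only a rough guide to your own exposure.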
  14. People should learn how to patch windows systems by leereyno · · Score: 3, Insightful

    Firewall

    Firewall

    Firewall

    XP has a built-in firewall, did you know this? When it is turned on, even an unpatched system is protected from attempts at remote intrusion. You are still vulnerable to IE exploits, but if you're using IE on an unpatched system you need to be smacked. Actually if you're using IE at all you deserve to be smacked, just not as hard.

    So, the next time you do a clean install of XP and need to download patches, turn on the firewall BEFORE you connect it to the network. Then immediately begin installing patches from windows update. Each time you need to reboot during this process, yank the network cable until the system has finished booting. The reason is that an unpatched and partially-patched Windows system is vulnerable during boot-up. It seems that the windows firewall is one of the last things to be turned on during boot up instead of the first, which creates a window of opportunity for attacks to succeed.

    Once the system has installed all of the patches that are available, LEAVE THE FIREWALL ON unless you have a very good reason not to and know what the fsck you are doing.

    If you'll follow this simple procedure, patching your Windows system is safe and easy.

    I'm sick and tired of reading slashdot headlines that claim there are all kinds of problems patching a windows system. Windows may suck, but that is no excuse for lying about it. Propaganda and FUD are best left to the professionals in Redmond.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  15. Re:Hardware firewall by LoudMusic · · Score: 3, Insightful

    This is why the average broadband connection should be behind at least a consumer router, even if it's the only machine connected. Routers are too cheap and easy to skip.

    I've almost begun purchasing Linksys routers for my friends and family. At $40 a piece it's just ignorant not to have one. The basic firewalling that they do is pretty handy. And there are models that include client software controlled firewalls. It's also nice to have a switch already at their house for when someone comes over with a laptop or such. Home networks, though still geeky, are becoming a nice thing to have with more networkable devices like game consoles (XBox, PS2) and media devices like a ReplayTV or TiVo. Also, if there are more than two people in the house you can almost be guaranteed that there will be more than one computer.

    --
    No sig for you. YOU GET NO SIG!
  16. Re:20 minutes?? by shokk · · Score: 2, Insightful

    Security-wise, you should probably handle vulnerable systems on a test lan isolated from the rest of the net by NAT, but still able to access the outside world, until it can be brought up to the current patch standard. Of course not everyone can afford VLANs and implementing best practices.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  17. Re:WinXP SP2 slipstreamed CD for the win! by tepples · · Score: 2, Insightful

    putting the UK spellings in is somehow too difficult

    Spelling error messages in British means that the expertise written in American becomes unavailable to people who type the error message into a search engine because Google considers "color" and "colour" separate words.

  18. Re:WinXP SP2 slipstreamed CD for the win! by mattOzan · · Score: 3, Insightful
    XPCREATE: The XP Distribution CD Creator with Hotfix Slipstreaming

    Automatically downloads all current patches for WinXP, Win2000 or 2003 Server installations, slipstreams them and creates an ISO image. Fully configurable, including unattended install scripts through winnt.sif and first-boot application installs and regtweaks through cmdlines.txt. You can pick and choose which hotfixes and add-ons you want to apply.

    Although the "current hotfix" list on the website doesn't yet reflect it, WindowsXP-KB835935-SP2-ENU.exe is now the default service pack for the hotfix autodownloader.

  19. FFS by skinfitz · · Score: 1, Insightful

    Either way, 20 minutes is not long enough to download patches.

    One would think people are stupid here. Firstly, it's an AVERAGE of 20 minutes you idiot - this does not mean you have a 20 minute counter that starts from when you connect to the net. It means that ON AVERAGE machines connected by a novice will be compromised within 20 minutes.

    For about the tenth time, here is how to do it.

    NB. At no point connect the system to a network until the following has been carried out.

    1. Install Windows XP.
    2. Set up the Internet connection, but do NOT connect yet.
    3. Right-click on My Network Places > Properties.
    4. Right-click on your Internet interface > Properties.
    5. UNTICK anything with "Microsoft" in the name, i.e. File and Printer Sharing for Microsoft Networks, Client for Microsoft Networks. Leave TCP/IP ticked.
    6. Click "Advanced".
    7. Click "Protect My Computer".
    8. Click OK.
    9. Right-click on "My Computer" > Properties.
    10. Click "Automatic Updates".
    11. Turn on Automatic Updates using whatever option you prefer.

    That's it - connect to the net and it will patch itself.

    Why is this so fucking difficult for the /. crowd? You are supposed to be IT adepts. Act like it and stop fucking whining.

  20. Re:Get a router, or ZoneAlarm by sevensharpnine · · Score: 2, Insightful

    Between your latency-inducing router, cycle-whoring firewall and spyware scanner, and disk i/o-happy AV program, your machine is running considerably slower than it could be. There's nothing wrong with that if the machine is still fast enough for you. But when you factor in the extra cost, effort, and resource drain, this isn't an option for most people (especially the non tech-savvy). I'd like to see most of these operations shifted to the ISP level, where people pay a few dollars more for access per month, but we have a much safer 'net. I'm probably dreaming, but I get worried that we're too forgiving when it comes to viruses/malware caused by a bunch of unpatched Windows machines. How far will we inconvenience ourselves before people have to start taking responsibility for their computers?

    --
    "God is a comedian playing to an audience too afraid to laugh." -Voltaire
  21. Re:Network Cable? by jdreed1024 · · Score: 3, Insightful
    Did you ever learn anything about computer security?

    Did you ever learn anything about end users?

    It's all well and good to say don't connect it to the network before patching, but end users don't know that. Nor should they have to know that. It is totally unreasonable to think that the first thought through Joe User's head should be "Right, I bought this brand new machine, but I shouldn't connect it to the network since it might be compromised."

    End users are only very recently learning about service packs and patching, etc. Remember, prior to Windows XP, service packs were for business operating systems. How many end users did you see running NT 4? Even those folks running 2K at home were clueful folks - home PCs sold at CompUSA and the like shipped with 98SE or ME. You can't expect them to gain all this knowledge overnight.

    have all relevant patches available on removable media - that has been verified authentic - and install sans network.

    And you obtain them how? In an IT environment, sure, it's trivial, because you have N different computers, and probably N different platforms to use to create this media. Most folks still only have one PC. Sure, some people can burn CDs at work (but many workplaces severely limit what users can do on their machines, and lots of places prevent CD burning on work machines for corporate espionage reasons), and others might have friends with CD burners, but that's still a lot of effort, and it doesn't cover everyone.

    It's totally unreasonable to expect a consumer to jump through all these hoops. (I'm not saying they shouldn't take these steps, just that they shouldn't *have* to take these steps in order to make a consumer electronics device work.) Several changes need to be made. MS should produce a crapload of service pack CDs and give them to OEMs, and every new computer should come with a current one. (They did this with NT4 SP3 and haven't done it since to my knowledge.) They should also ship them to large stores (BestBuy, CompUSA, etc.) and sell them for a low price (i.e. $0.99), enough to prevent people from taking more than they need, but not terribly expensive. MS is notoriously tight-fisted when it comes to stuff like this, despite the fact it's their fault the product is insecure. Carmakers wouldn't get away with charging for recalled parts. For example, MS refuses to ship CDs to colleges. They'll ship one for every 50 or 100 students, but that's it, and that's ONLY if you have a Select license. Given that in that quantity the CDs cost fractions of a cent each, there's no reason for this. I can understand them being reluctant to make a CD with hotfixes, since those come out so frequently, but once a service pack is out, it's out, there's no reason not to make a CD except to penny-pinch.

    --
    There is no sig, there is only Zuul.
  22. I really don't know what all the fuss is about. by Toby_Tyke · · Score: 1, Insightful

    All these horror stories I'm reading about peoples installations being destroyed within 5 seconds of turning on their modems are nothing like my experience of Windows.

    Here's how my last windows installation went.

    1. Install Win98
    2. Install Zone Alarm
    3. Plug in modem

    And that really is it. The box is still running fine 4 months later. I'm typing on it right now.

    Why would anybody connect to the net before they have a firewall running?
    I expect this will get modded down, since it's not another horror story, but I just don't have the problems you guys are talking about

    --
    "I realise this is not a very popular opinion but it's the truth, and therefore needs to be said" -Bill Hicks
    1. Re:I really don't know what all the fuss is about. by Goeland86 · · Score: 2, Insightful

      there is a little difference here. Most of the stories I read use winXP. You use win98. Granted, it's also insecure as hell until you install a firewall. But I've had the experience of installing a firewall on winXP before plugging in the net, and within 2 minutes, because of winXP flaws that the firewall isn't supposed to "cover up" for, the firewall gets crashed, and it's a wide open box on the web. Which makes life so much more complicated for winXP users compared to win98 ones, like you. I'd go back to 98, but I have hardware that doesn't work with 98 :/

      --
      ---- I am certain of only one thing : I know nothing else.
  23. Re:Okay, genuises... by Toby_Tyke · · Score: 2, Insightful

    Ok, I'll bite.

    "It seems as if we've forgotten who the typical Windows user is. No, they won't do any of the things mentioned above, ...... Really, when it comes down to it, why not just recommend Linux? With all the hoops you'd jump through to secure a Windows box"

    To be honest, the average user won't be installing an OS from scratch, so it's a moot point, but lets pretend they are. Which is easier?

    When windows 98 (that is what we were talking about) has finished installing, install Zone Alarm before you go online.

    OR

    When Mandrake has finished installing, learn how to use a new OS and a whole new suite of applications?

    Go on, answer that and stay fashionable.

    I use Linux (Slackware) myself, and I agree it is easy to use, but if you think learning a new OS is easier than double clicking on the Zone Alarm installer, then you are, quite frankly, deluded.

    As it happens, my brother's store-bought XP system has just died. I'm going to wipe it and install Windows 98 this weekend. I did think about recommending Linux. He's a reasonably IT-savvy chap, I figured I could teach him how to use it. But it's missing his one desperately needed killer app, Championship Manager, so no go there.

    --
    "I realise this is not a very popular opinion but it's the truth, and therefore needs to be said" -Bill Hicks
  24. Point still holds by gillbates · · Score: 3, Insightful

    If you noticed, I didn't start with the Windows user completely re-installing the OS. Here's a typical after-install security sequence for Windows:

    1. Reboot and verify network card drivers loaded.
    2. Configure the network, including the firewall.
    3. Reboot for changes to take effect.
    4. Reboot.
    5. Install AV software.
    6. Reboot.
    7. Download anti-spyware and anti-adware programs. Install them.
    8. Reboot.
    9. Disable the firewall so you can use Windows Update.
    10. Reboot.
    11. Get infected by Blaster or other assorted worm while downloading Windows Update, or SP2, if you prefer....
    12. Re-enable the firewall, have the AV software "clean" your machine.
    13. Reboot.
    14. Wait another hour as AV software scans and cleans your machine. 155 viruses found. All cleaned.
    15. After 15 minutes of blank pages, you realize you no longer have a network connection. Somehow, Windows "lost" your network card drivers...
    16. Reinstall network card drivers.
    17. Reboot.
    18. Reconfigure networking, including the firewall.
    19. Browse the Microsoft site, attempting to figure out which services you can disable, and which ports you can block. 10 hours.
    20. Disable said useless services, block unnecessary ports - 15 minutes.
    21. Reboot.
    22. Oops! - you've accidentally disabled a key service that Windows needs to boot. Get out your recovery disk and attempt to fix your machine....
    23. Reboot.
    24. Finally, you can now start to reinstall all of your applications. Hope and pray that you have the original CD keys.
    25. Disable the firewall so you can register your copy of MS Office. Get infected by another internet worm in the process.
    26. Run the AV scan again: cleaned 12 viruses and trojans.
    27. Reboot.
    28. Now continue to reinstall your Windows-only software. Curse when you realize that you've misplaced some of your CD's; curse more as you realize you've lost some of the CD keys....
    29. Spend another 5 hours trying to figure out why your favorite app doesn't run. Oops - SP2 is not compatible with it!
    30. Congratulations - you've restored your machine to almost the way it was before. You didn't need those other applications anyway.... It's been a hard week - kick back and have a beer.
    31. Next week, you'll reinstall Windows again, and repeat the process. But this time, you'll only download a few of the key updates, in an attempt to get your favorite app to work.

    And two months later, you'll repeat the process yet again. It seems you forgot to apply the latest patches while on vacation, and some internet worm has taken over your machine....

    Is this really any worse than installing Linux, once?

    --
    The society for a thought-free internet welcomes you.