Survival Time for Unpatched Systems Cut by Half
UnderAttack writes "The Internet Storm Center published a graph
showing historic trends for the "Survival Time" of unpatched, unprotected (windows) computers connected to the internet.
Turns out, this number dropped from about 40 minutes last year, to 20 minutes this year.
The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long
enough to download patches.
The Honeynet Project did publish a paper
with some stats back in 2001."
Microsoft should make Patch CD ISOs available. You could swing by a friend's house and get one, drop into your local computer store and have them burn you one for a few bucks, or pick up a Microsoft produced copy at your local gas station, like AOL CDs.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
The name "survival time" suggests that it's the average amount of time an unpatched system would last before being compromised. That assumes that every single worm targets every single unpatched system, and is always successful. That's not exactly realistic - many worms target specific programs which may well not be on the unpatched system, or target specific operating system versions.
It would be much more interesting to see average compromise times for a vanilla install of various different OS versions (with no ISP protection, of course). In the mean time, the name should be changed, in my view.
Microsoft should have an auto-update during install feature. (If you have broadband). During the install process it could run the windows update, blah blah blah once your nic was initialized for the first time and IP granted etc.
I boycott signatures
Thing is, Both MacOS and Linux have had numerous RELEASE updates in the time that Microsoft haven't changed anything with the default XP install CD. Which means that if you need to reinstall XP now, you run the risk of being pwned, but if you install Linux or MacOS, you will be doing it from a much more recent CD that is far less susceptible.
I don't know how often Mac users reinstall, but if they had to, and their hardware was good enough, I'm sure that they'd upgrade to the latest version at the same time. You simply can't do that with Windows, you have your 3 year old install CD. Of course, you didn't have to pay $120 each year since like with MacOS X, although you did get extra features with that as well as bug fixes.
I doubt that many people would burn a specialised SP2 CD and do it right. Human nature - their current system has it installed via Windows Update, why download it again as a whole? They probably wouldn't even know about it.
I do all my machine builds and initial updates with the box sitting behind a netgear router, fully NATted and with no port forwarding - i.e. the box is invisible to the net. I've merrily built and updated many machines in this way and have never been compromised (and my last step is to virus, spyware, and trojan scan with several of each type of tool).
If you just throw a cheap hardware router/NAT/firewall in front of your box when you build, this isn't really big deal I've found.
Please Rate my comment (and help support Fre
Perhaps a "TURN THE GODDAMN FIREWALL ON BEFORE YOU CONNECT TO THE NETWORK!" notice somewhere on the front page would get the point across? I've done exactly two Windows installs in my life and I know how how to safely set up a new XP system.
What I'm listening to now on Pandora...
I'm guessing here, but time between when machine is first brought online and when it's first discovered/probed/found alive by a worm or hax0r scanners - in other words, time before worm infection or other kind of intrusion, because after it dawns to the world that there's an unpatched system right before their noses, there sure isn't much time left before that system is owned.
A few weeks ago, I installed Win2k. I then proceeded to Windows Update and started the patching process.
I went for the big updates first (like Service Packs and IE upgrades) - but most of those require that they be installed alone with no other updates until the machine is rebooted. So you have this long drawn out process of download a single patch, reboot, download another single patch, reboot, download another patch, reboot, repeat ad-nauseaum and finally download all the straglers. I not sure how many reboot cycles I had to go through, but the whole install and patch process (including partitioning and formating) took over an hour. And that was attended.
My point here is that during the patch process with the constant reboots, it would be easy for somebody to walk away from a machine while it is downloading or rebooting and thereby leave it open to attack while it is idling. Of course, you ought to download all the patches on a secure machine and then patch-up you new box while inside your own secure net before exposing the box, but most people (like me) are going to connect direct to the internet to get "windows update". Luckily, I am behind a firewall, but you can easily imagine how ugly it could get if somebody were doing this outside a firewall. The single downloads and constant reboots are not going to help.
We're talking about people who want to install from the absolute latest Windows CD, and they have to take severe steps to avoid getting 0wned.
First of all, if you buy a new machine with the OS pre-installed, it will probably be patched almost up to date out of the box.
Second of all, if you're installing your own OS, you're taking on the responsibility to do things in a minimally competent way. That might mean a NAT router, a slipstream installed CD, or just a CD with the service pack burned on it, so you can install it before you plug into the net.
Third of all, you should be using a hardware firewall anyway.
Walk down the street in downtown Detroit counting $20 dollar bills and see how long it takes for you to get mugged. Then do the same on mainstreet in West Bumblefuck, Iowa (population 15, if'n Pastor Smith isn't out of town). Betcha you last longer in Iowa. In other words that time is probably dependant on how nasty the computing environment is.
IIRC Sasser and Blaster chose their target IP's at random, starting with IP addresses in the same subnet then moving to random IP's. So if a machine gets infected four seconds after it's plugged in, that's not just a product of how poorly secured windows is, it's also a product of U of Alberta having a network chock full of RPC 'sploiting goodness. Now, if they'd have plugged in the same in an environment that had been properly patched, firewalled, etc. The box would've been fine for hours, days, or maybe it would've never been comprimised at all.
Firewall and Snort logs can give you the true tale of the tape. Some days my home firewall (SBC residential DSL) is turning away worm attempts like a goalie on speed. Other days I go 10-12 hours without so much as a nibble or a port scan.
But it is so much fun to talk about how "WIUNDOWS IS TEH GHEY! IT GOTS PWN3D IN TEH SECONZ!!LOL!!!11ONE@!!!@!
There are some people that if they don't know, you can't tell 'em.
Firewall
Firewall
Firewall
XP has a built in firewall, did you know this? When it it turned on, even an unpatched system is protected from attempts at remote intrusion. You are still vulnerable to IE exploits, but if you're using IE on an unpatched system you need to be smacked. Actually if you're using IE at all you deserve to be smacked, just not as hard.
So, the next time you do a clean install of XP and need to download patches, turn on the firewall BEFORE you connect it to the network. Then immediately begin installing patches from windows update. Each time you need to reboot during this process, yank the network cable until the system has finished booting. The reason is that an unpatched and partially-patched Windows system is vulnerable during boot-up. It seems that the windows firewall is one of the last things to be turned on during boot up instead of the first, which creates a window of opportunity for attacks to succeed.
Once the system has installed all of the patches that are available, LEAVE THE FIREWALL ON unless you have a very good reason not to and know what the fsck you are doing.
If you'll follow this simple proceedure, patching your windows system is safe and easy.
I'm sick and tired of reading slashdot headlines that claim there are all kinds of problems patching a windows system. Windows may suck, but that is no excuse for lying about it. Propaganda and FUD are best left to the professionals in Redmond.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
This is why the average broadband connection should be behind at least a consumer router, even if it's the only machine connected. Routers are too cheap and easy to skip.
I've almost begun purchasing Linksys routers for my friends and family. At $40 a piece it's just ignorant not to have one. The basic firewalling that they do is pretty handy. And there are models that include client software controled firewalls. It's also nice to have a switch already at their house for when someone comes over with a laptop or such. Home networks, though still geeky, are becoming a nice thing to have with more networkable devices like game consoles (XBox, PS2) and media devices like a ReplayTV or TiVo. Also, if there are more than two people in the house you can almost be garounteed that there will be more than one computer.
No sig for you. YOU GET NO SIG!
Automatically downloads all current patches for WinXP, Win2000 or 2003 Server installations, slipstreams them and creates an ISO image. Fully configurable, including unattended install scripts through winnt.sif and first-boot application installs and regtweaks through cmdlines.txt. You can pick and choose which hotfixes and add-ons you want to apply.
Although the "current hotfix" list on the website doesn't yet reflect it, WindowsXP-KB835935-SP2-ENU.exe is now the default service pack for the hotfix autodownloader.
Did you ever learn anything about end users?
It's all well and good to say don't connect it to the network before patching, but end users don't know that. Nor should they have to know that. It is totally unreasonable to think that the first thought through Joe User's head should be "Right, I bought this brand new machine, but I shouldn't connect it to the network since it might be compromised."
End users are only very recently learning about service packs and patching, etc. Remember, prior to Windows XP, service packs were for business operating systems. How many end users did you see running NT 4? Even those folks running 2K at home were clueful folks - home PCs sold at CompUSA and the like shipped with 98SE or ME. You can't expect them to gain all this knowledge overnight.
have all relevant patches available on removeable media - that has been verified authentic - and install sans network.
And you obtain them how? In an IT environment, sure, it's trivial, beacuse you have N different computers, and probably N different platforms to use to create this media. Most folks still only have one PC. Sure, some people can burn CDs at work (but many workplaces severely limit what users can do on their machines, and lots of places prevent CD burning on work machines for corporate espionage reasons), and others might have friends with CD burners, but that's still a lot of effort, and it doesn't cover everyone.
It's totally unreasonable to expect a consumer to jump through all these hoops. (I'm not saying they shouldn't take these steps, just that they shouldn't *have* to take these steps in order to make a consumer electronics device work) Several changes need to be made. MS should produce a crapload of service pack CDs and give them to OEMs and every new computer should come with a current one. (They did this with NT4 SP3 and haven't done it since to my knowledge). They should also ship them to large stores (BestBuy, CompUSA, etc) and sell them for a low price (ie: $0.99) enough to prevent people from taking more than they need, but not terribly expensive. MS is notoriously tight-fisted when it comes to stuff like this, despite the fact it's their fault the product is insecure. Carmakers wouldn't get away with charging for recalled parts. For example, MS refuses to ship CDs to colleges. They'll ship one for every 50 or 100 students, but that's it, and that's ONLY if you have a Select license. Given that in that quantity the CDs cost fractions of a cent each, there's no reason for this. I can understand them being reluctant to make a CD with hotfixes, since those come out so frequently, but once a service pack is out, it's out, there's no reason not to make a CD except to penny-pinch.
There is no sig, there is only Zuul.
If you noticed, I didn't start with the Windows user completely re-installing the OS. Here's a typical after-install security sequence for Windows:
And two months later, you'll repeat the process yet again. It seems you forgot to apply the latest patches while on vacation, and some internet worm has taken over your machine....
Is this really any worse than installing Linux, once?
The society for a thought-free internet welcomes you.