Survival Time for Unpatched Systems Cut by Half
UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (Windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year to 20 minutes this year.
The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches.
The Honeynet Project did publish a paper with some stats back in 2001."
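As an added illustration (not code from the Internet Storm Center or the submission), the following computes the survival-time statistic exactly as the summary defines it: the mean gap between consecutive reports per target IP, averaged over targets. The report lines are constructed, and the optional port filter shows how much the figure depends on the assumption that reports are worm probes (the 135/139/445 ports are the ones Blaster- and Sasser-class worms used).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample report lines (not real data): "date time source_ip target_ip dst_port"
SAMPLE_REPORTS = """\
2004-08-17 10:00:00 10.1.2.3 192.0.2.10 135
2004-08-17 10:18:00 10.1.2.4 192.0.2.10 445
2004-08-17 10:40:00 10.1.2.5 192.0.2.10 135
2004-08-17 10:05:00 10.1.2.9 192.0.2.20 445
2004-08-17 10:15:00 10.1.2.7 192.0.2.20 139
2004-08-17 10:30:00 10.1.2.8 192.0.2.20 135
2004-08-17 12:00:00 10.1.2.6 192.0.2.30 80
2004-08-17 12:05:00 10.1.2.6 192.0.2.30 80
"""

WORM_PORTS = {135, 139, 445}  # assumed set of ports worth counting as worm probes


def parse_reports(text):
    """Parse report lines into (timestamp, target_ip, dst_port); skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[3], int(parts[4])))
    return events


def survival_time_minutes(events, ports=None):
    """Average over targets (with at least two reports) of the mean gap between consecutive reports.

    If `ports` is given, only reports to those destination ports are counted,
    i.e. only traffic we are willing to assume is a worm propagation attempt.
    """
    by_target = defaultdict(list)
    for ts, target, port in events:
        if ports is None or port in ports:
            by_target[target].append(ts)
    per_target = []
    for times in by_target.values():
        times.sort()
        if len(times) < 2:
            continue  # a single report gives no interval
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        per_target.append(mean(gaps))
    return mean(per_target) if per_target else None


if __name__ == "__main__":
    ev = parse_reports(SAMPLE_REPORTS)
    print("all reports:", survival_time_minutes(ev), "min")            # 12.5
    print("worm ports only:", survival_time_minutes(ev, WORM_PORTS), "min")  # 16.25
```

Counting every report shortens the figure (the web scans against 192.0.2.30 pull it down), so the published number is only as meaningful as the assumption about what a "report" is.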
No, not joking. At work, somewhere, there is an infected computer and while rebuilding a computer I plugged it in to run the updates for 2K and antivirus. Less than a minute after plugging it in, I was crashing and burning.
Had to go to a patched computer, download the needed updates and burn them to CD and update the computer that way first before plugging it onto the network.
REALLY annoying.. and when I find the user with the infected computer.. well, let's say I'll have a new storage location for this dead notebook hard drive...
...not surprised at all? This isn't intended to be a troll, but back when Blaster was "new" and I was formatting, I was hit three times within two minutes of booting, which gave me a whopping 3 minutes to download (not an issue) and install (BIG issue) the corresponding patch.
In the end I had to swap some CD burners around, download+burn the patch, and then unplug the box from the internet while booting.
Put an old red-hat system up and see how long it takes before you're r00t3d!
Or watch an OS-9 system crash!
Best Buy can have you arrested
What do they mean by survival time?
Time before worm infection?
Time before the computer is brought down?
I'm learning python
Seems like cable and DSL modems need auto(ugh - scary)-updating firmware with firewall enabled by default. Stuff that will update without being plugged into a computer. I hate things that don't let you choose. This scenario sounds like you walk into a clinic for inoculations, but deadly disease agents are everywhere in the air. Try holding your breath while waiting...
Busy aligning my non-linear thoughts.
I had a similar problem (albeit with a home box) under XP. The worst of it is that you can't just download the update installer and unplug the 'net connection because the installer itself does downloading. Since the other two boxes in my house run Gentoo and Redhat I couldn't download the patches from there (Does this look familiar?) and had to just race against time for 5 or 6 attempts before it worked.
They mean "average time between reports for an average target IP address".
Which means they assume all of those are from worms, and all worms are successful, etc.
It's still a bloody short time, though.
Every time I read about computer security compromises resulting from failure to patch/setup firewalls/etc, I can't help but think there's a better way to educate the public than to wait for them to be victims. With all the MS tutorials and "helpers" (stupid paperclip...how I hate you!), it never ceases to surprise me that when you first start up a new MS-based computer, you don't get a security tutorial. Really, how hard would it be to take users through the basics of computer maintenance (and scare them into compliance) when they go to set up a broadband connection, etc?
Live free or die
1. As previously noted (I think on /.) the one thing you do not do with an unpatched WinXP system is to go onto the 'Net. Indeed, ISOs with patches or prepatched install CDs might be a solution but I think that the virus/worm/malware writers can also get these and patch their wares. Given MS's track record it'll be weeks at least before the problem is recognized or solved. It might be better to not take any WinXP system onto an open network.
2. I note that despite increased awareness and MS's increased focus on security the average survival time shows a downward trend, with slight peaks shortly after high profile worm events. How come? Is the average user slacking off? Or are the worms/viruses/trojans/whathaveyou getting smarter? Or are there ever more on the loose, resulting in an ever increasing number of probes? Looking at my firewall, the number of probes I receive remains more or less constant (although I had a few more than usual on port 8000 today) so maybe that is not a good explanation (for the Netherlands at least). Anyone?
----- One learns to itch where one can scratch.
It would be much more interesting to see average compromise times for a vanilla install of various different OS versions (with no ISP protection, of course). In the mean time, the name should be changed, in my view.
Worms target my Linux machine via port 80 about every 35 seconds (at least in the past two days, I don't feel like looking further back). I have blocked most of the local Comcast customers in my area through *A LOT* of /24 and /16. It doesn't seem to help too much. Either there are more and more infected machines or they just keep finding new hosts to attempt infection.
The record shortest survival time, last time I checked, at the University of Alberta is four seconds. That's from the time they plugged in an unprotected Windows XP machine until the time it was compromised.
That's not enough time to engage your software firewall pre-SP2. I'm not sure of the condition post-SP2.
Oceania has always been at war with Eastasia.
I've personally seen XP machines get infected with Blaster, Sasser, etc, during the install of Windows. These days, if you install Windows with an active connection to the internet, or to a network of infected machines, you're nuts.
I generally install Windows with the box disconnected from the network, install all the latest updates off a CD, then attempt to connect to the network. Most of the time, that works...
Honestly, isn't it obvious by now that if you put an old machine on the net it's going to get exploited? That's the case with Windows and Linux, put a Redhat 5 box up on a cable line and see how long before it's serving up the warez...
How much of that can be attributed to faster technologies? Greater CPU speed, connection speed etc?
Nick...
Electronic Music Made Using Linux http://soundcloud.com/polyp
I'd be interested to know the average survival rates for a whole bunch of unpatched operating systems. I'd start with:
- Win95/98/Me
- WinNT4/2K/XP
- Win3.1 (with Trumpet Winsock)
- Mac OS (whatever the first version with a TCP/IP stack)
- Linux (various distros)
ALL unpatched.
Paradoxically, I reckon the newer Windows systems would go first (more services open to the world), along with older Linux distros (same problem).
Guys, you are so lame. All you have to do is to deactivate File and Printer sharing and some other crap, such as described here http://www.cablecom.ch/en/internet/hispeed/hispeed_products_support/support_themen/internet_support_themen_sicherheit/internet_support_themen_sicherheit_protect_pc-einstellungen.htm
You can do this with a disconnected network cable. After you do this, the worms propagating through this service (such as Blaster or Sasser, and also future worms exploiting future bugs), won't be able to infect you by network even if you don't have the updates installed.
This only shows how:
- even experienced Windows users are lame when it comes to security
- Microsoft has done very little to protect them (the most exploited service turned on by default without obvious hints to the users that this is dangerous)
- antivirus and firewall companies are lame as well. Installing a firewall while keeping the service running is extra lame, akin to hiring a doorkeeper while there is still a Homer Simpson inside your house shouting loud "I am vulnerable! I am vulnerable!" out of the window.
- Windows isn't suitable for normal home users, because it is non-trivial for them to keep themselves protected.
So how exactly does someone like me who is getting ADSL (1mb) in a month and a nice new shiny PC to play Doom 3 on at the same time handle this?
I can't DL 250 mb patches on dial up and stay sane and I can't get online without them..
I plan for a router, firewall and all the likes built in and sitting at the connection point but if I have these security holes should I just give up and stick to this fully patched Win 98 machine running like a tin can instead?
I like muppets.
I'm just trying to understand how you don't see the need to reinstall the OS 'every few months' as being a problem.
not trying to start a flame/OS/holy war, but I would definitely see this as a problem
In my case, when I reinstalled XP about a month ago, my computer was compromised 5 minutes after XP was running. That was not enough time to get SP1 downloaded (over a cable modem). Some mystery process was running that kept popping up dialogs.
All you have to do is plug a computer into a router. That's usually enough to stop incoming worms until everything's patched. But what's interesting is broadband providers seem to be opposed to that. Mention the word "router" to Bellsouth or Comcast and it's "sorry we don't support routers". You'd think they'd want the clueless to plug in through that extra layer of protection.
When I worked for a large cable company, those of us in the technology organization wanted to make it policy to recommend to subscribers that they have a firewall. The legal department made exactly this argument, that we exposed ourselves to liability lawsuits if we said, in effect, that the Internet was a dangerous place and you should take steps to protect yourselves. So the company did not give users warnings, and the network became one of the world's larger sources of various attacks...
Is a country-by-country study of this kind. I say that, because I read lots of comments here and on similar sites about all the probes and other unwanted network activity that people see, and yet my machine is usually on every waking moment, and is connected to the net via ADSL, yet I see almost no activity. Once every few days my software firewall (Sygate Personal Firewall) will tell me that a small handful of ports have been scanned. For example, I've actually had the machine on and connected for almost 3 days now, and my firewall is showing no unusual activity.
Now, either I'm just not logging enough (entirely possible), or I'm sat on a very, very quiet part of the net. I have to wonder how much one's country of residence influences this sort of thing, given that I'm in the UK and I'm guessing most people here are in the US.
It's official. Most of you are morons.
Indeed, the only time I've ever been infected with something is when I was trying to figure out parallel port networking and set C:/ to filesharing (not realising that I was online). Even then, it was easy enough to clean out the intruder with spyware software and manual deletion.
Are Scottish IPs immune to attack? Are my Built In Vulnerability Features TM corrupted? Is my system secretly crawling with stuff that is completely undetectable? Have I got a mutant OS that I should reverse engineer and sell for millions?
Did you ever learn anything about end users?
The answer... yes, actually. My father is probably the best example of an end user that I can think of. He used to write code for his psychology tests, purchased his first computer the year I was born (1981) and has been using computers very successfully for nearly 25 years. The problem is that he has never had the need to understand them as more than a means to an end, a tool. And in that sense, he is to me the quintessential computer user.
Most people I have encountered are just like my dad. They just need it to do something without any problems. Well that is all fine and dandy, but is not going to work anymore. There is one thing that I have heard more and more of, educate the user. And it is not our job to bitch and moan about what users should or should not have to do, but it is our job to teach them how to care for their computers and steps to take to protect their investments. Sure all of this seems pretty simple to us, so we must take measures to make it simple for them.
Example 1: Instead of coming over and simply installing a personal firewall for them, walk them through the steps, take notes along the way, and explain to them the advantages and what problems it may create.
Example 2: Major vendors (Dell, Compusa, Best Buy, Fry's, etc) could offer supplementary pamphlets w/CD that would assist them in helping to set up their computers correctly.
People need to realize that they need to take responsibility for everything and understand that anything technological cannot be taken for granted. Would you tell the same person that they shouldn't have to worry about changing the oil in their car because it is not something that they should be concerned with? I hope not. Computers are a commodity now, not a privilege, similar to cars; the more people who have them, the more responsible everyone must be. Because in the end, one more person who knows how to take care of their computer is one less person we have to worry about spreading the next virus.
www.autopatcher.com
'nuff said