The 12-minute Windows Heist
An anonymous reader writes "Sophos has come up with some pretty interesting research: apparently, there's a 50 percent chance unprotected Windows PCs will be compromised within 12 minutes of going online. Sophos came to that conclusion based on research covering the last six months of virus activity. The company said
authors of malware such as spam, viruses, phishing scams and spyware have increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year."
From 11/29/2004: Unprotected PCs can be hijacked in minutes
I love telling this story to people that ask why they should run Windows Update / run a firewall / get antivirus, etc.:
I was at a client's site, and needed to do some testing on their backup DSL line. Since it was a backup meant to plug into the main firewall in case of an outage, the line had no firewall. It was wide open.
I had a laptop I had just rebuilt for an employee. Win2K, SP4. Unpatched, no antivirus. I planned on jumping on the line for all of five minutes to do some quick IP testing, and I just didn't think about it being vulnerable.
So, I change the IP and plug into the DSL line. I'm plugged in no more than two minutes, and I get the damn "Windows is shutting down" dialog box. It reboots, and all hell breaks loose. Within those two minutes the damn machine had contracted the Blaster worm. I formatted and reloaded it to be safe, and learned a fun lesson that day. Good thing the laptop didn't have any important data on it.
They're probably looking at a normal distribution of times. If the mean is 12 minutes, then 50% are infected before then. If this is the case, the standard deviation must be pretty high. I hope.
After all, I am strangely colored.
This has only been an issue historically because:
- Pre-SP2, most Windows users didn't know to enable the firewall
- Router/firewall devices were much less prevalent
Now, all new machines ship with SP2, and it's much more common for cable and DSL operators to provide firewall/router type functionality with the customer hardware, as opposed to just giving you a raw modem. In addition, more people in general are purchasing said devices (when not provided by their internet provider). The point is that Sophos is trying to pimp their antivirus software, and using somewhat unrelated and dubious methods to do it. Sure, you should have current AV software. But if you want to protect from the "remote" attacks they're talking about, the best protection is simply a hardware or host-based software firewall, both of which are loads more prevalent than they were even a year ago (the software firewall mostly because of SP2). Anyone can take an unpatched Windows host and put it on the network with no firewall and say "Look! It got owned in X minutes!" The point is, they're saying this with the implicit purpose of saying "Buy our software", when the "solution" to the problem they're pimping is to, first and foremost, keep your machine patched and either enable the software firewall if you're pre-SP (or ensure it's still enabled on SP2) and/or get a little personal firewall/router - *in addition* to having AV software.
[i]..the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised.[/i]
Uh... highly doubtful.
Spyware is included in this assessment. I'm guessing that if someone gets online, chances are they're going to go to one of the larger sites on the internet - many of them have spyware on them. Guess what? They'll probably do that within 12 minutes.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Right, that's why they say unprotected windows pc. Those items you mention are some sort of protection...
(so does that mean that you should always use protection when using windows..?
Place sig here.
"So I brought it up again, pulled the network cable from it, setup the firewall and happily patched the box."
I always make sure to be behind a firewall before bringing a Windows computer online. I use a hardware firewall in addition to setting up a software one.
Install Windows.
Install latest service pack off CD.
Install anti-virus.
Setup firewall.
Plug into local router with firewall.
Connect to net.
Patch.
Sometimes my arms bend back.
http://www.microsoft.com/windowsserver2003/default.mspx
It's like "Windows 95" "Windows 98" "Windows 2000" but Windows 2003
-duh
try putting a fresh RH9 (off ISOs) on your DMZ, and let's see how long it lasts.
2.5 years and counting, here. Default workstation installs of RH8 and later don't leave any ports open. Same goes for every other Linux distro I've tried in the past couple of years.
Nice troll, though.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
A whole slew of services: RPC, SMB/CIFS (file sharing), UPNP...
Ports: 135, 137, 138, 139, 145, 500, 1025...
Windows 2000/XP has a TON of default listening services, most of which have been exploited over the years by various worms. Only way to turn most of these "off" (other than to render your system unusable) is to run a software firewall, Microsoft's or 3rd party. They're turned on and listening for "convenience", I imagine. I will admit that in a corporate environment it's handy as hell to be able to admin just about anything on a box without doing a thing. Why the hell these were left on for home users is beyond me.
Ah, Blaster, Sasser, et al, you will always have special places in my heart.
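To see which of the listeners the comment above names are actually reachable from the network, here is an added check (not from the original thread) that parses `netstat -an` output in the Windows 2000/XP layout and reports risky ports bound to a non-loopback address. The sample output is constructed, and the port set follows the comment's list with 445 (direct-host SMB) added as an assumption.

```python
import re

# Default Windows 2000/XP listeners named in the comment; 445 (direct-host SMB) is added here.
WORM_ERA_PORTS = {135, 137, 138, 139, 445, 500, 1025}

# Constructed sample in the layout of `netstat -an` on Windows 2000/XP (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

# proto, local ip, local port, foreign address, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, port, state) for every socket that accepts inbound traffic."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, ip, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing TCP sockets are not inbound exposure
        rows.append((proto, ip, int(port), state or ""))
    return rows


def exposed_ports(text, risky=WORM_ERA_PORTS):
    """Sorted (proto, port) pairs from the risky set that are bound to a non-loopback address."""
    found = set()
    for proto, ip, port, _state in parse_netstat(text):
        if ip.startswith("127.") or port not in risky:
            continue  # loopback-only binds are not reachable from the DSL line
        found.add((proto, port))
    return sorted(found)


if __name__ == "__main__":
    for proto, port in exposed_ports(SAMPLE_NETSTAT):
        print(f"{proto}/{port} is listening on a network-reachable address")
```

Anything this reports on an unfirewalled host is exactly the surface the worms the thread mentions were written against; the fix is the one the thread gives, patch and firewall before connecting.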
Wouldn't a lot of people on DSL / cable connections be safe behind their router? I imagine the majority of people use one with port forwarding turned off, as that's the setting by default.
PocketGamer.org - For the gamer on the go!
- Pre-SP2, most Windows users didn't know to enable the firewall
Pre-SP2, the firewall came online (I think) 4 steps after the network stack. At the height of Blaster et al, I watched a new install of XP, with firewall on, boot and immediately start with that 30 seconds til shutdown message. Forget 12 minutes, it got hit inside the second or two window between the network coming online and the firewall kicking in.
In 1996 and 2002
For preventative measures, you could try Startup Monitor by the same guy. I've not tried it - I'm trying MS Anti-Spyware at the moment, which does a similar thing as part of its protection.
Do you have OS X currently installed? yaboot? If so, chroot into the drive from OS X and install -- this might be tricky, but probably doable. Don't let the installer mess around with OpenFirmware. Then mess around with the yaboot.conf to make a new bootload item. I suspect that getting the right address requires a trip into OpenFirmware. There are a couple of other great OpenFirmware references, but I can't seem to find any. I'll see what I can find later. Anyway, the basic idea is to get yaboot to take over bootloading duties, and make it aware of the kernel on your firewire drive. I have no idea if this will work, but I wouldn't be surprised if it did.
Another option would be to set up a "yaboot" file on your firewire drive like linux install discs have. Then you can just use OpenFirmware to boot the bootloader. This would be more portable since you could run linux on any mac with OF, but would be less convenient since you'd have to go into OF every time you wanted to boot. Perhaps a combination of the two techniques would work (having a global yaboot installed on your mac so you wouldn't need OF, but also having yaboot on your firewire drive so you could boot elsewhere without touching the local disk).
If you didn't already know, this is what Microsoft's "Trusted Computing Initiative" is about. Hardware and software making sure that no one can tamper with any of it. The problem being that soon after this occurs, having a non-compliant system will be taken with the same disregard as operating a Freenet node is today. Eventually, these systems will become illegal. That's when the dystopia begins. I look forward to living in such interesting times.
No, I don't know of any job openings at the moment. I'm a (relatively new) faculty, and if I knew of some job openings, I'd probably hoard the info for my students. :-) I'll tell you what I tell my students, though -- any chance to get involved in any kind of project, for pay or not, is really important. I did tons of projects in my spare time as an undergrad and grad; some were research assistant jobs (even as an undergrad), some were just my own things, but done well enough that I could show them to other people. Summer jobs on some kind of research project really help. My second year as an undergrad, I started knocking on prof's doors until I found some willing to give me some work, which then led to more and more work. And so began the long path to my current job, which will be permanent if I can just make it through tenure.
I did a good dose of measure theory in grad school, and found it very interesting, but haven't really used it since then. And I've taken plenty of applied stats and mathematical statistics, but again I forget most stuff I don't use. Although I do teach elementary stats now and then, and a course in deterministic and stochastic modeling and simulation which involves a lot of Poisson processes.
Hmm, it's true that the exponential distribution has its mode at 0, so in some sense you're "most likely to be infected the moment you connect". But e.g. for an exponential with a mean of 17.3 like we were talking about, you have a 25% chance of first being infected in the first 5 minutes, but still a 19% chance of first being infected within the second 5 minutes, and a 14% chance in the third 5 minutes. So it's not all bunched up at 0 as much as you may imagine.
I think Poisson processes are pretty cool. I like putting them in my modeling class because I can use Poisson processes to tie together the following probability distributions and show relations between them all: continuous uniform, binomial, normal, exponential, and Poisson. Even the students that learned about them in basic probability/stats never realized they were all linked together. Sheldon Ross' book on "Intro to Probability Models" (up to about 9th edition or so now) is a pretty readable book which talks about them quite a bit. They're used to model e.g. failing parts in complex machines, incoming phone calls on a busy phone line, automobile traffic, etc.
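The exponential model in the comment above, carried through as an added example (not from the thread): with a 12-minute median, the memoryless model gives the 17.3-minute mean the comment uses, and the 25%/19%/14% figures for successive 5-minute windows follow from the survival function. The numbers are the thread's own; the functions and their names are mine.

```python
import math

# Headline figure from the story: 50% of unprotected hosts compromised within 12 minutes.
MEDIAN_MINUTES = 12.0


def mean_from_median(median):
    """For an exponential time-to-first-infection, median = mean * ln 2, so mean = median / ln 2."""
    return median / math.log(2)


def survival(mean, minutes):
    """P(still uninfected after `minutes`) = exp(-minutes / mean)."""
    return math.exp(-minutes / mean)


def p_first_infection_between(mean, start, end):
    """P(first infection lands in (start, end]) = S(start) - S(end)."""
    return survival(mean, start) - survival(mean, end)


def window_percentages(mean, width, count):
    """Rounded percentage of hosts first infected in each of `count` consecutive windows of `width` minutes."""
    return [round(100 * p_first_infection_between(mean, i * width, (i + 1) * width))
            for i in range(count)]


if __name__ == "__main__":
    mean = mean_from_median(MEDIAN_MINUTES)
    print(f"mean time to infection: {mean:.1f} min")
    print("first three 5-minute windows:", window_percentages(mean, 5, 3), "%")
    print(f"still clean after 60 min: {100 * survival(mean, 60):.1f}%")
```

The last line is the practical point: the distribution has a long tail, so a host that survives the first few minutes is not safe, only lucky so far.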