The 12-minute Windows Heist
An anonymous reader writes "Sophos has come up with some pretty interesting research: apparently, there's a 50 percent chance unprotected Windows PCs will be compromised within 12 minutes of going online. Sophos came to that conclusion based on research covering the last six months of virus activity. The company said authors of malware such as spam, viruses, phishing scams and spyware have increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year."
How is this figured? Are people just randomly surfing two-letter TLDs 12 minutes after installing Windows and hopping on the net?
You know, on second thought, the better idea is just get a Mac. The average PC user will find it safer and they can do 99% of what they were going to do anyways.
I'd like to see the actual numbers and the methodology of their study. It seems like all of the compromising attacks require action on the part of the user, like downloading unknown attachments, clicking spam links, and browsing shady porn sites.
I don't see how any of those could affect turning on your computer and using automatic updates.
Perhaps part of the problem is people downloading their favourite infected app.
There are attacks which don't require your help; Sasser in particular goes through an open port rather than through Outlook or IE. There are a few others.
But that's pretty unlikely with a new PC, which presumably comes with the latest service packs. The article is incredibly short on actual data. There's nothing to support their 12-minute average. I get the impression that they chose the scariest headline to support an article which is mostly about phishing attacks, trojans, etc: attacks that require your help.
So for all I know they're talking about the fact that there are enough attackers that if you throw a Windows ME (or even unpatched XP) box on the Internet, yeah, you're hacked. That says a lot, but not about how insecure Windows is. It says that there are still plenty of computers running hacks like Sasser; if you're not protected against it, you're screwed.
That's mostly scaremongering, since unless you're installing a very out-of-date Windows, you're protected. You're not protected against new attacks, nor are you protected against many trojans. They're trying to convince you to buy software for that, which is relevant, by using scary but irrelevant numbers.
I wanna answer that with "because they're lazy"... but I don't even think that's the actual reason. Maybe a better answer is "because they're hermits"... because that's the only way you could not have fixed a problem for over 90 days...
Surely the diligence of the user needs to be taken into account.
Windows users are generally less inclined than Linux users to work on securing their machines, and seem to be much less informed about whether they should really be downloading those smilies, or that cute pet that sits on their desktop.
The intelligence/experience of the user has a lot to do with how easily the PC can be compromised, and this is regardless of their choice of OS.
First Kaspersky, now Sophos... I've lost all respect for AV vendors. Using scare tactics to sell software is just sad.
Here's all it takes to keep your Windows box safe: a router (or SP2) and Firefox. Oh, and enough common sense to not run any executable file sent to you by a stranger.
There, I let the secret out.
smattawichu
Might be nice to have SP1 on disk too...
that actually it takes longer now to infect a Windows machine? It used to be 6 minutes...
I guess it all depends where you are connected. When I connect in Costa Rica I get DOZENS of threats (using Zone Alarm), almost all from local IPs. A good guess would be the local internet cafes running dirty pirated Windows OSes. Here in the US I get maybe 1 a day.
Since SP2 I have run my Windows PCs with just the basic SP2 firewall at times, with no intrusions.
I am as anti-Microsoft as the next Slashdotter, but credit has to be given where it is due. Pre-SP2 was a wide open OS, which is now fixed. Now you have to make a special effort to get your box pwn3d. The article is bogus IMO.
How the heck is a Firewall necessary to keep a default Windows box secure? In other words, if a Windows firewall is there to disallow services (or protocols) from receiving connections from the outside world, then what are these services, and why are they running in the first place?
I understand that by deceiving a user, a malicious service can be started up and listen on the internet, and become a vector for infecting your machine. But that requires an act of the user. If I NEVER enable any special services on my machine, then only the default services are running, and they must somehow be allowing malware to install, right? So, why aren't these services fixed, or disabled by default?
Finally, if these services are necessary to the proper running of my machine, then when I use them the Windows firewall software will ask if I do not want to block that port, service, etc. Once that occurs, am I not just as unprotected as if I never used the firewall software? How does it really help?
So, that's a lot of questions, but I would appreciate an explanation. Are the attacks on Windows solely due to users running malware directly, or are there vectors by which, without any user action (i.e. no browsing w/ ActiveX controls, no JavaScript, no running malicious executables, no starting email attachments, etc.) the machine can get infected anyway? If so, what are those services? It's not like a Windows machine, by default, needs to have an email/web/network disk/instant messaging service running, so why does it?
NOTE - I googled "insecure windows services" and got some info; indeed windows does have a bunch of services open to the world by default (un-f'ing believable). Can anyone say which ones are primarily allowing machines to become zombies?
http://www.ss64.com/ntsyntax/services.html
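The question above ("which services are listening on my box, and which of them face the network?") is one you can answer on your own machine by joining the output of two built-in commands: `netstat -ano` (sockets with owning PID) and `tasklist /svc` (PID to service names). The following is an added example, not code from the thread; the two sample outputs are constructed in the format those commands produce and do not come from any real machine. It keeps only sockets bound to something other than loopback, which is exactly the set a host firewall is there to shield.

```python
import re
from typing import Dict, List

# Constructed sample in the format of `netstat -ano` (Windows). Made up for this example.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.20:1034      198.51.100.7:80        ESTABLISHED     2208
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1120
"""

# Constructed sample in the format of `tasklist /svc`. Made up for this example.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    964 RpcSs
svchost.exe                   1120 Dnscache,LmHosts,SSDPSRV
firefox.exe                   2208 N/A
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_tasklist(text: str) -> Dict[int, Dict[str, object]]:
    """Map PID -> {'image': exe name, 'services': [service names]} from `tasklist /svc` output."""
    procs: Dict[int, Dict[str, object]] = {}
    for line in text.splitlines():
        # image name (may contain spaces), right-aligned PID, comma-separated services or N/A
        m = re.match(r"^(.*?)\s+(\d+)\s+(\S+)\s*$", line)
        if not m:
            continue
        image, pid, services = m.group(1).strip(), int(m.group(2)), m.group(3)
        procs[pid] = {"image": image, "services": [] if services == "N/A" else services.split(",")}
    return procs


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return sockets that accept inbound traffic: TCP in LISTENING state and every bound UDP socket."""
    sockets: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established/closing connections are not exposure
            pid = int(parts[4])
        else:
            pid = int(parts[-1])  # UDP lines have no State column
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 literals like [::]:135 intact
        sockets.append({"proto": proto, "addr": addr, "port": int(port), "pid": pid})
    return sockets


def exposed_services(netstat_text: str, tasklist_text: str) -> List[Dict[str, object]]:
    """Join both listings and keep only sockets reachable from the network (not bound to loopback)."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        if s["addr"] in LOOPBACK:
            continue
        p = procs.get(s["pid"], {"image": "?", "services": []})
        rows.append({**s, "image": p["image"], "services": p["services"]})
    rows.sort(key=lambda r: (r["proto"], r["port"]))
    return rows


if __name__ == "__main__":
    for r in exposed_services(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        svc = ",".join(r["services"]) or "-"
        print(f'{r["proto"]:<4} {r["addr"]}:{r["port"]:<6} pid={r["pid"]:<5} {r["image"]:<20} {svc}')
```

On a real machine, redirect the two commands to files and feed their contents to `exposed_services`; every row it prints is a service that must be either disabled, bound to loopback, or covered by a firewall rule, which is the list the post above was asking for.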
I hate to be the prick who answers the theoretical question, but clearly the first post. First post was one minute after the article went up, infection is 12 mins. The first poster would have time to get a cup of coffee and return to find his machine hax0red.
As I see it, there are only 4 solutions:
(1) before going on-line for the first time, purchase a router and configure the firewall, then immediately download all necessary patches, plus a good anti-spyware program,
(2) download all your Windows security patches, service packs, etcetera, third-party firewall and anti-spyware software from a friend's Mac OS X machine and burn them all to CD/DVD. Apply all necessary patches and third-party software before venturing out onto the internet,
(3) choose not to play the MSFT security patch and upgrade revenue stream game - buy an Apple Mac, or reformat your hard drive and install any of these: Linux, FreeBSD, OpenBSD, Solaris 10 x86, QNX. If in doubt, ask a knowledgeable friend for advice, or
(4) buy the absolute fastest bad-ass big disk Wintel/AMD computer you can find to make that broadband connection. Make certain that you have the OS media and valid CD key, make backups of all your important personal data, and figure on either (a) reformatting/reimaging your computer every three months, or (b) being prepared to buy a new computer every six months. Wash, rinse, repeat.
They DO install themselves. Get online with a clean, unprotected install of XP, and it will be 0wn3d in a few minutes. Not "may be", it WILL be.
I really find it quite ironic that there's so many MS apologists in this discussion willing to say that getting infected is the user's fault for being too stupid to have a commercial A/V package installed (at additional expense) and have a hardware firewall (at additional expense) between their system and the internet.
Yes, I know that AVG is free and very good, and Zone Alarm has a free version (I make sure both are on every MS box I have to look after).
But this ignores at least two problems. First, OEM PCs don't come with AVG or ZA, they come with Norton or Symantec or McAfee and a very short period of free support. Two months after you bring your new PC home and the new NetskyBlaster.z hits your hotmailbox, you're SOL. Why, if MS is so focused on improving security, do MS customers need to rely on 3rd party vendors for A/V security software?
Secondly, the firewall in XP SP2 is certainly an improvement over nothing at all (or over nothing useful, a category to which the pre-SP2 firewall certainly belongs). So then why do I need to buy a $70 hardware firewall if XP has a firewall already?
Why does ZA tell me about so many more applications that want to reach the internet than the XP firewall? Why the hell does rundll need the internet (let alone Nero, or my printer for that matter), and why doesn't the XP firewall tell me about it?
For a commercial software vendor, MS's security record is beyond dismal. For a company that claims security as a priority, MS's poor performance would be laughable if it weren't so damned expensive and time consuming.
Why is it that Linux vendors can provide fully configurable firewalls that block anything and everything (if that's what you want) out of the box, but MS Windows insists on leaving open ports, enabling ActiveX, and phoning home to download updates whether you want it or not?
Why is it that weirdo hippy-commu-nazi Linux developers understand the difference between user and administrator but MS developers insist on every little widget having complete kernel access?
Why is it that MS thinks security is something to tack on to an OS through SPs, weekly downloads (with requisite reboots), patches, and 3rd party products, rather than something that is built into the code?
- a firewall is not enough
- using [insert safe browser] is not enough
- using anti-spyware in combination with antiviruses is not enough
- using all these all the above together is not enough
Point being, there's one thing missing from that list few of us have, common sense (reminds me of an old saying - "Common sense is not that common at all"). You can't just point at a pwn3d box and say - This is how bad guys crack computers, as if there's a limited number of ways it can be done. The bad guys are just as creative as we are, and so it's just a matter of time until they come up with a new method. As I said, common sense is the best tool you have, not just software. An example of common sense would be: When you're not using your computer, just turn it off. This alone will reduce the time window during which the box can be attacked and thus decrease the likelihood of you getting cracked. Firewalls and antiviruses are useful, true, but in no way are they a silver bullet.
MORE time?
I thought the last figure was twenty minutes, down from forty minutes the previous study.
At this rate, Windows will be owned BEFORE it goes on the Net next time - i.e., the CD will be compromised before you install it! Can't happen? Remember when Microsoft shipped a virus?
This ties in nicely with Microsoft buying Claria! You can now get Claria embedded in your Windows CD before you even install it!
Let's talk apples to apples here. When we are talking about viruses/worms coming through open ports on a system running Linux, this is not a fault in *Linux*; this is other various open-source software running.
It's not Linux that has your port 25 open; it's Sendmail or Exim. It's not Linux that has your port 22 open; it's OpenSSH. With Windows *IT IS* the operating system that has those ports open.
It really depends on your distro how secure the system will be out of the box: what software is enabled, what configuration settings that system has.
For example, Red Hat ships SSH with default settings to downgrade the connection to v1 if v2 fails. This leaves Red Hat open to SSH1 attacks. A system like Debian does not allow SSH1 by default.
Some distributions are secure, some are not. You can't lump them all together. And you can't blame the kernel for the shortcomings of some other open source software. Put blame where blame is deserved.
Secondly, with regard to malware - Linux systems are much less vulnerable simply because we don't surf the web or run our systems as the root or Administrator user. Yes, running as a limited account on Windows accomplishes the same thing, but fewer people actually do it.
A firewall doesn't protect everything. A firewall with a clueless user at the helm won't protect you from quite a lot. It won't protect you from buffer overflows, system exploits, or a lot of other automated exploits. It won't protect you from a lot of spoof attacks. It will make you non-pingable, which helps, but anything you have enabled might still be a way in. Saying that having the built-in XP firewall running gives you a 100% chance of not being compromised is like saying that having anti-lock brakes gives you a 100% chance of surviving a crash. It helps, but if it's your only line of defense, you're screwed. Quite frankly it's grossly inappropriate to tell people to not worry anymore. Everyone should pick up a free firewall (of the kind that can detect outgoing traffic, as opposed to SP2), a free AV software package, and a free spyware detector or two.
We just had a bug fly around my work, owning the network. This was with a hardware firewall and AV. Both were working, it was just a bug that was too new and the AV vendor hadn't discovered it yet.
I set up a fresh workstation PC for my mother barely a year ago. New Linux-compliant components, a top grade Asus mobo, Infineon RAM, a nice case, etc. Time was getting short and at the last moment I decided to screw Linux and install Win2K to avoid the driver setup hassle and give her more stable DVD playback. (Turns out that was pointless, since Win2K had more driver hassle than Linux later on.)
The first time it went onto the internet was across a brand new 56k analog modem. I swear it was less than 15 minutes when the first adware started to pop up - and we had just gone online for a very short period to test her mail account.
My mother emphasised a clear "No go" and I felt the very same way. I went to the next convenience store, got a copy of Aurox (a European/Polish magazine Fedora-variant Linux distro) and installed it right away.
I still use Win2K for the occasional task that can only be done with it, but I don't do anything mission critical with it anymore. Since 4 weeks ago my Mom has had a Mac Mini (the PC had untraceable power issues) and is happier than ever before.
Bottom line:
Mac to get the job done, x86 Debian or Ubuntu Linux for cheap PC workhorses/servers/tinkerboxes/old-hardware-recycling. Anything else I can't take seriously anymore.
This is like your 5th time saying this. Methinks you have no damned idea about security, and whoever keeps modding you up needs to get a clue.
Let me help you out. The following things ARE NOT attributes of a computer that is powered on and connected to a network: 100% secure, untouchable, impenetrable.
You should try reading some sites like securityfocus. I recommend a 2-part article that just came out, Software Firewalls: Made of straw? and part 2.
Sure, and anyone working retail knows that Winblows has been getting creamed for years, cable or no. This puts a number on that you can use, and the number has gotten smaller.
"But wait," you might plead, "I remember just a few months ago reading about a minimum time to exploit of four minutes. This is twelve, how can things be getting worse and how do you know?"
Well, Sophos knows because they have the thankless and hopeless task of "protecting" hundreds of thousands of Winblows computers around the world. They came up with their figure by studying what their little clients told them for the last six months. With so many clients, it's easy to watch them pop and extrapolate rates of infection, just like you can with radioactive material.
What they have told you is a Winblows computer now has a HALF LIFE of twelve minutes. That's much worse than a four minute minimum because half lives have a way of adding up quickly. In 24 minutes, a given machine has only a 25% chance of not being owned. In 36 minutes, the chances of being "factory new" are down to just 12.5%. After an hour, oh my, you have less than a one in fifty chance of being virus free. Needless to say, after a few hours on line, YOU WILL BE OWNED. This is why even dial up users are suffering quickly.
Notice that Sophos can be off by an order of magnitude and the results will be about the same. If the half life were really 120 minutes instead of 12 minutes, you would still be owned after a few days on line. There's little practical difference to the average user between 10 hours on line and 10 days. It's doubtful they are off by that much, given the amount of data they have available.
Just for fun, try this fun little half life game. It's a little fast and the labels are elements, but you can imagine different Winblows versions getting owned and spewing out their toxic spam and trojans onto the rest of the world. Radioactivity, cancer and Microsoft, what great analogies. Given real world M$ performance and its results, the cancer shoe fits much better on Steve Ballmer than it does on any GPL'd project.
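The half-life reading of the Sophos figure in the post above (50% chance of compromise in 12 minutes, so the chance of still being clean after t minutes is 0.5 raised to t/12) is worth carrying through as a small model, because the useful output for a defender is the inverse question: how long can an unpatched box be exposed before the odds of it still being clean fall below some threshold, and how sensitive that is to the half-life estimate. This is an added example, not part of the thread; the 12- and 120-minute half-lives are the post's own numbers, and the model itself (memoryless, constant hazard) is the post's analogy, not a claim from Sophos.

```python
import math
from typing import Dict, Iterable


def survival_probability(minutes: float, half_life: float = 12.0) -> float:
    """Chance a machine is still uncompromised after `minutes` online, given a compromise half-life."""
    if minutes < 0 or half_life <= 0:
        raise ValueError("minutes must be >= 0 and half_life must be > 0")
    return 0.5 ** (minutes / half_life)


def compromise_probability(minutes: float, half_life: float = 12.0) -> float:
    """Complement of survival: the chance the box has been owned at least once by `minutes`."""
    return 1.0 - survival_probability(minutes, half_life)


def minutes_until_survival_below(target: float, half_life: float = 12.0) -> float:
    """Exposure time after which the chance of still being clean drops below `target` (0 < target < 1).

    Solving 0.5 ** (t / half_life) = target for t gives t = half_life * log2(1 / target).
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return half_life * math.log2(1.0 / target)


def exposure_table(minutes: Iterable[float], half_lives: Iterable[float]) -> Dict[float, Dict[float, float]]:
    """Survival probability for each half-life estimate at each exposure time, for comparing estimates."""
    return {h: {t: survival_probability(t, h) for t in minutes} for h in half_lives}


if __name__ == "__main__":
    # The post's own 12-minute figure beside the "off by an order of magnitude" 120-minute case.
    times = [12, 24, 36, 60, 600, 1440]
    table = exposure_table(times, [12.0, 120.0])
    print("minutes  " + "  ".join(f"T½={h:>5.0f}" for h in table))
    for t in times:
        print(f"{t:>7}  " + "  ".join(f"{table[h][t]:>8.4f}" for h in table))
    for h in (12.0, 120.0):
        print(f"T½={h:.0f}: clean odds fall below 1% after {minutes_until_survival_below(0.01, h):.0f} minutes")
```

The table makes the post's point concrete: a tenfold error in the half-life only moves the "almost certainly owned" threshold from a bit over an hour to a bit over a day, so the practical conclusion (patch and firewall before the first connection, or behind another device) does not depend on Sophos getting the exact minute right.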
It takes a lot less than 12 minutes to break into just about any car.
The reason Windows (and other OSs) fare so badly is the process is automated.
Whenever I've seen security reports on car break-ins, there's usually like 1 or 2 models (not manufacturers) that get a special mention because it takes longer than 90 seconds to get into them or something ridiculous like that. Most cars succumb to the tame car thief in the tests in about 15 seconds or less. Compulsory immobilisers (in the UK, at least) on new cars are helping, but it's still trivial to break into a car to steal property.
If there were armies of millions of car thief robots roaming the streets breaking into random cars at will and driving them into trees, then your analogy might be apt.
So I downloaded Firefox, then had to download a zip program to unzip.
Seems like it would have been smarter and easier to either (1) download the self-installing Firefox EXE, or (2) use the built-in support for ZIP files. (Since you were installing Firefox, I'm assuming you were installing WinXP which has always had native unzip capability.)
This further leads me to wonder what unzip software you chose, or more precisely, where you chose to download it from, since there are plenty of freeware or try-before-you-buy shareware unzippers available from countless legit sites.
Warez? Yeah, but it isn't your fault you got zapped...
" ...the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised."
Sheer ignorance. You _will_ get compromised. Personally I believe that apart from tracking cookies, everything else infecting your system means that something is wrong with your system either on the design or coding level. The problem is that even if you run a software firewall, a realtime spyware scanner and try to filter bad sites through a proxy, even then you're not safe, but you've just installed a bunch of resource-stealing applications. The underlying problem is that these programs try to fix design flaws, which is obviously not fully possible.
Let's imagine a computer scientist who got cast away to an island in the 1980s, before the Microsoft period. What would his reaction be if he were found now and tried to look at the computer operating systems? Probably he'd be amazed how much faster computers are today, etc etc. Secondly he'd try operating systems, so he gets a box with "windows" whatever it is because a lot of people are said to be using it. He starts using it for two minutes, but then he concludes that someone is playing a practical joke on him. Why? Because he is reasoning this way: if computers are so much faster now, why is it that this operating system is so slow to start up; if operating systems in the 1980s knew how to remain virus free, why does this one have viruses; if operating systems in the 1980s provided more control and better architecture, then why is this "windows" or whatever going backwards?
Think of it, why do you need to deal with adware, spyware, anti-spyware software, antivirus software, mail worms, firewalls? Because the design is flawed. Firewalls are not supposed to be the only defense in networking, they are supposed to be ANOTHER, optional line of defense, IN CASE a particular daemon or TCP stack is buggy in MISSION CRITICAL environments, or merely a privacy tool (ignoring new incoming connections instead of the standard RFC "refused" reply). Antivirus? If a virus managed to write itself on the system, your whole system is already compromised; it is unreasonable to assume that given a smart virus writer, antivirus software can do anything at all. If you're not already compromised, then why do you need antivirus software in the first place?
I decided 3-4 years ago that I don't want to deal with all this. I switched to Linux, and since I'm using a desktop, I'm not running any daemons. So well, this means I don't need a firewall. Just to be on the safe side, I got one line in iptables, to drop all new connections initiated from outside. See, here a firewall is what it's supposed to be: another line of defense, not a necessity. I almost forgot, I'm running as a non-privileged user, using sudo if I need to do some root task. I have a simple backup script backing up my user's directory in /home every week, just to be on the safe side. I do not run untrusted binaries, since the chance of someone hacking a Debian apt repository and generating the appropriate hash for it is much more remote than running a binary from "somewhere", which is practically a gamble. Life is much easier if you don't have to deal with broken architectures. That said, Linux can do with a lot of coding improvements (like everything), but the overall design and philosophy is FINE. I also think it came a long way in the last 4 years.
Besides, these stats are for XP machines which, oddly enough, are what most of the worms are targeting.