Slashdot Mirror
The 12-minute Windows Heist
An anonymous reader writes "Sophos has come up with some pretty interesting research: apparently, there's a 50 percent chance unprotected Windows PCs will be compromised within 12 minutes of going online. Sophos came to that conclusion based on research covering the last six months of virus activity. The company said
authors of malware such as spam, viruses, phishing scams and spyware have increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year."
It takes slightly more time to get pwn3d now.
After all, I am strangely colored.
How is this figured? Are people just randomly surfing two-letters TLDs 12 minutes upon installing windows and hopping on the net?
From 11/29/2004: Unprotected PCs can be hijacked in minutes
That article used to say 5 minutes, but I saw he was running SP2 with McafNotFree and had to change the article a bit just before publication deadline to prove a point. Whoops.
the original can be found at: ww!@#$_
COCARRIER
** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
...the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised.
But wait, they're talking about spyware, viruses, and phishing. So, those things can install themselves now?
Don't get me wrong...viewed by itself, Windows has historically a dismally horrible track record. But a patched Windows XP SP2 machine behind a personal firewall/router with current anti-virus/anti-malware protection can be a secure system. Granted, it's been a long time coming, and it's easy for many users to fall into traps, but this seems like nothing more than a typical scare tactic by an AV vendor.
Never trust an AV vendor saying the sky is falling.
You know, on second thought, the better idea is just get a Mac. The average PC user will find it safer and they can do 99% of what they were going to do anyways.
Strange women lying in ponds distributing swords is no basis for a system of government.
8,000 new viruses? Say what?
How many of those are just viruses edited by some script kiddy to say "0wn3d by Fr0g3r" or some such shit?
Like sobig.a, sobig.b, sobig.c, sobig.d, sobig.e, etc...
What I'd like to know is how many unique types of attacks are exploited by new viruses, that would be a useful statistic...
I'd like to see the actual numbers and the methodology of their study. It seems like all of the compromising attacks require action on the part of the user, like downloading unknown attachments, clicking spam links, and browsing shady porn sites.
I don't see how any of those could be affect turning on your computer and using automatic updates.
And the next time it will be 23 minutes. And so on.
You could not pay me to put a Windows or Linux machine on my DMZ. They're all behind my $30 NAT router and they can be patched to my heart's content without having to worry about them getting p0wn3d. Oh, and to all you Linux fanboys who are going to be insulted by this - try putting a fresh RH9 (off ISOs) on your DMZ, and let's see how long it lasts.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
I love telling this story to people that ask why they should run Windows Update / run a firewall / get antitivirus, etc.:
I was at a client's site, and needed to do some testing on their backup DSL line. Since it was a backup meant to plug into the main firewall in case of an outage, the line had no firewall - It was wide open.
I had a laptop I had just rebuilt for an employee. Win2K, SP4. Unpatched, no antivirus. I planned on jumping on the line for all of five minutes to do some quick IP testing, and I just didn't think about it being vulnerable.
So, I change the IP and plug into the DSL line. I'm plugged in no more than two minutes, and I get the damn "Windows is shutting down" dialog box. It reboots, and all hell breaks loose. Within those two minutes the damn machine had contracted the Blaster worm. I formatted and reloaded it to be safe, and learned a fun lesson that day. Good thing the laptop didn't have any important data on it.
Perhaps part of the problem is people downloading their favourite infected app..
This is what brought me to Linux in the first place. The story takes place in February 2004. After an old hard drive failed on my PC and I bought a replacement, I re-installed Windows XP Pro and proceeded about my business, but within half an hour of getting online I got a typical windows error message pop-up about so-and-so process unexpectadly terminating, then Windows said it had to restart and gave me a 60-second countdown to save my work. I was like WTF!?!? So after several reboots and having the same virus compromise my system, I reformat, re-install XP, and then the second I get online I start downloading Windows updates....but the virus is too fast! It sees the Windows update process and goes "Woops, you don't want to do that now do you?" and kills the critical updates, along with my system again. Then I go to plan C, which is installing Norton Antivirus BEFORE updating Windows. Only problem is, the antivirus software has to be downloaded from my campus nextwork. So I re-format, re-install, and literally browse-and-click as fast as my hand could move the mouse to install that antivirus software. And it worked. Or so I thought. The virus then started automatically deactivating the AV software while I was using the computer, and I would continually re-activate it. But I couldn't keep this up forever. I mean, isn't the point of having a computer to be able to do something PRODUCTIVE with it instead of fighting viruses? Well, after the AV had been deactivated for more than 2 minutes the virus would kill that Windows process again and force yet another shutdown. I went battling this virus/these viruses for 2 damn weeks trying everything I could. God forbid, I even went to the DOS command-line to try some things, but to no avail.
And that frustration, my nerds, is what brought me out of the shadows and into the light that is GNU/Linux/OSS. It was the second best thing that happened to me in my life. I thank yee, virus writers, who allowed me to cast off the shackles of M$ and come to know the true meaning of computing and hacking. *salutes*
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
There are attacks which don't require your help; Sasser in particular goes through an open port rather than through Outlook or IE. There are a few others.
But that's pretty unlikely with a new PC, which presumably comes with the latest service packs. The article is incredibly short on actual data. There's nothing to support their 12-minute average. I get the impression that they chose the scariest headline to support an article which is mostly about phishing attacks, trojans, etc: attacks that require your help.
So for all I know they're talking about the fact that there are enough attackers that if you throw a Windows ME (or even unpatched XP) box on the Internet, yeah, you're hacked. That says a lot, but not about how insecure Windows is. It says that there are still plenty of computers running hacks like Sasser; if you're not protected against it, you're screwed.
That's mostly scaremongering, since unless you're installing a very out-of-date Windows, you're protected. You're not protected against new attacks, nor are you protected against many trojans. They're trying to convince you to buy software for that, which is relevant, by using scary but irrelevant numbers.
I can believe it. Ive spent the past 2 years of my life doing support for Verizon..DSL/FIOS seriously I cant even keep track of the amount of times i helped a customer get connected and by the end of the call their pc would be shutting down... Most of the time its thier fault..I laughed my butt of when transfering someone to a billing office and thier pc already had a virus when i just told the to do thier updates before doing anything else..... besides this is just another reason to use linux
Surely the diligence of the user needs to be taken into account.
Windows users are generally less inclined than linux users to work on securing their machines, and seem to be much less informed about whether they should really be downloading those smilies, or that cute pet that sits on their desktop.
The intelligence/experience of the user has a lot to do with how easily the PC can be compromised, and this is regardless of their choice of OS.
First Kaspersky, now Sophos... I've lost all respect for AV vendors. Using scare tactics to sell software is just sad.
Here's all it takes to keep your Windows box safe: a router (or SP2) and Firefox. Oh, and enough common sense to not run any executable file sent to you by a stranger.
There, I let the secret out.
smattawichu
After 12 minutes, an unprotected PC running Windows is both compromised and uncompromised until a tech collapses the state vector by producing a hefty bill for checking.
Might be nice to have SP1 on disk too...
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
that actually it takes longer now to infect a Windows machine? It used to be 6 minutes...
I guess it all depends where you are connected. When I connect in Costa Rica I get DOZENS of threats (using Zone Alarm), almost all from local IP's. A good guess would be the local internet cafe's running dirty pirated windows OSes. Here in the US I get maybe 1 a day.
Since SP-2 I have run my Windows PC's with just the basic SP-2 firewall at times, with no intrusions.
I am as anti-microsoft as the next slashdotter, but credit has to be given where it is due. Pre-SP2 was a wide open OS, which is now fixed. Now you have to make a special effort to get your box pwn3d. The article is bogus IMO.
Seven puppies were harmed during the making of this post.
How the heck is a Firewall necessary to keep a default Windows box secure? In other words, if a Windows firewall is there to disallow services (or protocols) from receiving connections from the outside world, then what are these services, and why are they running in the first place?
I understand that by deceiving a user, a malicious service can be started up and listen on the internet, and become a vector for infecting your machine. But that requires an act of the user. If I NEVER enable any special services on my machine, than only the default services are running, and they must somehow be allowing malware to install, right? So, why aren't these services fixed, or disabled by default?
Finally, if these servies are necessary to the proper running of my machine, then when I use them the Windows firewall software will ask if I do not want to block that port, service, etc. Once that occurs, am I not just as unprotected as if I never used the firewall software? How does it really help?
So, that's a lot of questions, but I would appreciate an explanation. Are the attacks on windows solely due to users running malware directly, or are there vectors by which, without any user action (ie. no browsing w/ ActiveX controls, no javascript, no running malicious executables, no starting email attachments, etc) the machine can get infected anyway? If so, what are those services? It's not like a Windows machine, by default, needs to have an email/web/network disk/instant messaging service running, so why does it?
NOTE - I googled "insecure windows services" and got some info; indeed windows does have a bunch of services open to the world by default (un-f'ing believable). Can anyone say which ones are primarily allowing machines to become zombies?
http://www.ss64.com/ntsyntax/services.html
"It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
So I decided to start over gain but just being curious I wanted to see what would happen again. Well this time I made it past the windows updates when I got hit again and infected. After That I stuck the WIN box behind my IP Cop box and I was fine after that install.
Yesterday I got a new box to mess with and started to install Win2000K Server. Got it installed and by the time I managed to go and download Outpost firewall I get hit with the some Blaster virus. I managed to delete it but with in minutes IE got hijacked and my CPU prosess's where being eaten up by WINAMP.EXE and other random letter exe files.
Im not sure about you guys but its quite amazing how quickly a windows machine will get infected if its not behind a firewall. Now I'v had people tell me Im stupid and should have gotten the MS Patch CD but WTF is a single computer joe/jane windows user to do?. Wait a week for the patch cd before they can reinstall their OS?
Anyways just an real world example of how quickly it can happen. Yes I do use windows for my daily computer as there is no other alternative that gives me the aps I need with out having to use alternatives or emulators which at the moment lack in features.
I'm a cumputer user I dotn need to know how to spell or punctuate.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
"Either it does, or it doesn't. Anything's fifty percent. Either I win the lottery, or I don't. Either I find that uber rare weapon in some random MMORPG, or I don't."
Let me guess... You failed math in high school?
http://www.microsoft.com/windowsserver2003/default .mspx
It's like "Windows 95" "Windows 98" "Windows 2000" but Windows 2003
-duh
I had Microsoft send me a free WinXP Service Pack 2 CD in anticipation of any future installations. This way I can get some of the patches, updated firewall, etc before going online to get more recent patches.
t es/sp2/cdorder/en_us/default.mspx
http://www.microsoft.com/windowsxp/downloads/upda
12 minutes after leaving the lot, 50% of new cars would be violently car-jacked, their owners left by the side of the road wondering why some zitty-faced kid just drove the shiny new car into a tree. And so car dealerships would stop selling cars without armour, bullet-proof glass and tires, and so on.
In order to test the malware-busting skills of new employees, I would routinely infect a test machine with adware and spyware. I had two methods, based on the two most common scenarios we've encountered:
I would use a stopwatch and time myself, stopping at 15 minutes. For Case 1, I'd search Google for "casino" or "sex" and hit those sites. For Case 2, I'd search for "lyrics" or "buddy icons" and hit the top ten or fifteen sites listed.
At no time did I ever click "yes" when prompted to install software. The point was to attract the "drive-by" malware, the ones that didn't put an entry in "Add/Remove Programs", the ones that were the hardest to remove (e.g., randomly named polymorphs, malware that sees if one tries to terminate the process or remove a registry key and re-installs, malware that prevents anti-spyware programs from running, etc.).
In fifteen minutes, I can infect an XP box with between 400 and 600 objects (by AdAware's count). That's the result of hitting between 10 and 15 sites. Often, that's enough to inflate the number of running processes from 30 or so to about 60. Pop-ups appear even if IE isn't explicitly running. Case 1 infections often leave the computer in an unusable state, and by unusable state I mean "tits and ass all over your screen".
I give a prospective employee two hours to disinfect the computer, though I do cut major slack if it takes longer but they've got the right attitude and methodology. If hired, I show them how to get this down to under an hour (AdAware, Spybot, UBCD, manual cleaning, etc.).
Malware removal is about 30% of our billable hours. Since our contracts with our clients call for a certain amount of hours of service and maintenance each quarter, bug hunting is a distraction from the real work of administration: keeping up to date with patches and software updates, implementing our infrastructure upgrade roadmap, and software support and training. In other words, nearly a third of the time we spend doing productive work for our clients is spent whacking malware that targets Windows PCs.
Finally, we do try to come to terms with the fact that sometimes this is a human resources problem and not a technological problem. In Case 1, Employee X should not be surfing pr0n or playing Texas Hold-em on the job. As contractors, we try to block certain sites at the firewall, though that's a game of whack-a-mole, and we encourage all workstations to have monitors that face a common area (knowing someone can randomly shoulder-surf you is a big deterrent). Case 2, the residential case, is more problematic, since the sites that install drive-by malware are pretty innocent (lyrics, IM buddy icons). Permissions/ACLs would help, but there are so many applications that need admin rights to run that it's a joke. I've steered a few residential customers towards Apple Mac Minis and iMacs and have had no complaints after the fact.
Bottom line: it's a fucking jungle out there.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
As I see it, there are only 4 solutions:
(1) before going on-line for the first time, purchase a router and configure the firewall, then immediately download all necessary patches, plus a good anti-spyware program,
(2) download all your Windows security atches, service packs, etcetra, third-party firewall and anti-spyware software from a friend's Mac OSX
machine and burn them all to CD/DVD. Apply all necessary patches and third-party software before venturing out onto the internet,
(3) choose not to play the MSFT security patch and upgrade revenue stream game - buy an Apple Mac, or reformat your hard drive and install any of these: linux, FreeBSD, OpenBSD, Solaris 10 x86, QNX. If in doubt, ask a knowledgeable friend for advice,
or
(4) buy the absolute fastest bad-ass big disk Wintel/AMD computer you can find to make that
broadband connection. Make certain that you have the OS media and valid cd-key, make backups of all
your important personal data, and figure on either (a) reformatting/reimaging your computer every three months, or (b) be prepared to buy a new computer every six months. Wash, rinse, repeat.
They DO install themselves. Get online with a clean, unprotected install of XP, and it will be 0wn3d in a few minutes. Not "may be", it WILL be.
Circumcision is child abuse.
Comment removed based on user account deletion
try putting a fresh RH9 (off ISOs) on your DMZ, and let's see how long it lasts.
2.5 years and counting, here. Default workstation installs of RH8 and later don't leave any ports open. Same goes for every other Linux distro I've tried in the past couple of years.
Nice troll, though.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
I really find it quite ironic that there's so many MS apologists in this discussion willing to say that getting infected is the user's fault for being too stupid to have a commercial A/V package installed (at additional expense) and have a hardware firewall (at additional expense) between their system and the internet.
Yes, I know that AVG is free and very good, and Zone Alarm has a free version (I make sure both are on every MS box I have to look after).
But this ignores at least two problems. First, OEM PCs don't come with AVG or ZA, they come with Norton or Symantec or McAfee and a very short period of free support. Two months after you bring your new PC home and the new NetskyBlaster.z hits your hotmailbox, you're SOL. Why, if MS is so focused on improving security, do MS customers need to rely on 3rd party vendors for A/V security software?
Secondly, the firewall in XP SP2 is certainly an improvement over nothing at all (or over nothing useful, a category to which the the pre-SP2 firewall certainly belongs). So then why do I need to buy a $70 hardware firewall if XP has a firewall already?
Why does ZA tell me about so many more applications that want to reach the internet than the XP firewall? Why the hell does rundll need the internet (let alone Nero, or my printer for that matter), and why doesn't the XP firewall tell me about it?
For a commercial software vendor, MS's security record is beyond dismal. For a company that claims security as a priority, MS's poor performance would be laughable if it weren't so damned expensive and time consuming.
Why is it that Linux vendors can provide fully configurable firewalls that block anything and everything (if that's what you want) out of the box, but MS Windows insists on leaving open ports, enabling ActiveX, and phoning home to download updates whether you want it or not?
Why is it that wierdo hippy-commu-nazi Linux developers understand the difference between user and administrator but MS developers insist on every little widget having complete kernel access?
Why is it that MS thinks security is something to tack on to an OS through SPs, weekly downloads (with requisite reboots), patches, and 3rd party products, rather than something that is built into the code?
Unpatched Win95 will last about 20 minutes, from what I can see with Snort, IF you have file shares bound to TCP/IP. There's still a lot of Opaserv traffic on cable/DSL ISPs.
:)
(For those that don't remember/didn't know, Opaserv was a fun worm that can crack any unpatched Win95/98 box with file sharing turned on, and bound to TCP/IP. How does it get in? Easy. Until patched towards the end of 1998, Windows 9x shares only authenticated the first character of the password. Opaserv just tried the first 40 or so possibilities. Took Microsoft over 3 years to patch this one
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
A whole slew of services: RPC, SMB/CIFS (file sharing), UPNP...
Ports: 135, 137, 138, 139, 145, 500, 1025...
Windows 2000/XP has a TON of default listening services, most of which have been exploited over the years by various worms. Only way to turn most of these "off" (other than to render your system unusable) is to run a software firewall, Microsoft's or 3rd party. They're turned on and listening for "convenience", I imagine. I will admit that in a corporate environment it's handy as hell to be able to admin just about anything on a box without doing a thing. Why the hell these were left on for home users is beyond me.
Ah, Blaster, Sasser, et al, you will always have special places in my heart.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Recently, when installing a friend's machine with windows, the damn thing got infected before I even had a chance to download and install SP2. :)
Needless to say, both he and I were quite angry by the second attempt. He is now a happy Ubuntu Linux user!
RebateFX.com - Spread rebates for Forex traders
Um, dude?
Here's the thing: I can't tell if you're kidding or not. Because sure, there's something to be said for the "security companies are blowing problems out of proportion" idea.
On the other hand, your nick is Saeed al-Sahaf.
So I can't help but wonder if there's going to be a follow-up about how at this moment you're personally grilling the stomachs of script kiddies in hell or something.
(For Slashdotters with no sense of history: Mohammed Saeed al-Sahaf was the Iraqi press secretary during the Gulf War. He was famous for his surrealistic press conferences which were completely detached from reality, like when he challenged reporters to claim there was even one American in Baghdad, as an M1A1 tank was clearly visible rolling down a street in the background.)
Lets talk apples to apples here. When we are talking about viruses/worms coming through open ports on a system running Linux, this is not a fault in *Linux*; this is other various open-source software running.
Its not Linux that has your port 25 open; it's sendmail or exim. Its not Linux that has your port 22 open; its openssh. With Windows *IT IS* the operating system that has those ports open.
It really depends on your distro how secure the system will be out of the box. What software is enabled, what configuration settings that system has.
For example, Redhat ships SSH with default settings to downgrade the connection to v1 if v2 fails. This leaves Redhat open to SSH1 attacks. A system like Debian does not allow SSH1 by default.
Some distributions are secure, some are not. You cant lump them all together. And you cant blame the kernel for the shortcomings of some other open source software. Put blame where blame is deserved.
Secondly, with regard to malware - Linux systems are much less vulnerable simply because we dont surf the web or run our systems as the root or Administrator user. Yes, running as a limited account on Windows accomplishes the same thing, but less people actually do it.
A firewall doesn't protect everything. A firewall with a clueless user at the helm won't protect you from quite a lot. It won't protect you from buffer overflows, system exploits, or a lot of other automated exploits. It won't protect you from a lot of spoof attacks. It will make you non-pingable, which helps, but anything you have enabled might still be a way in. Saying that having the built-in XP firewall running gives you a 100% chance of not being compromised is like saying that having antilock breaks gives you 100% chance of surviving a crash. It helps, but if it's your only line of defense, you're screwed. Quite frankly it's grossly inappropriate to tell people to not worry anymore. Everyone should pick up a free firewall (of the kind that can detect outgoing traffic, as opposed to SP2), a free AV software package, and a free spyware detector or two.
We just had a bug fly around my work, owning the network. This was with a hardware firewall and AV. Both were working, it was just a bug that was too new and the AV vendor hadn't discovered it yet.
The ______ Agenda
I set up a fresh workstation PC for my mother barely a year ago. New Linux compliant components, a top grade Asus Mobo, Infineon RAM, a nice case, etc. Time was getting short and I in the last moment I decided to screw Linux and install Win2K to avoid the driver setup hassle and have her a more stable DVD playback. (turns out that was pointless, since Win2k had more driver hassle than Linux later on)l ing. Anything else I can't take serious anymore.
The first time it went onto the internet was across a brand new 56 anaog modem. I swear it was less than 15 Minutes when the first addware started to pop up - and we just had gone online for a very short period to test her mail account.
My mother emphasised a clear "No go" and I felt the very same way. I went to the next convienience store, got a copy of Aurox (a european/polish magazine fedora-variant Linux distro) and installed it right away.
I still use Win2K for the occasional task that can only be done with it, but I don't do anything mission critical with it anymore. Since 4 weeks ago my Mom has a Mac Mini (the PC had untracable power issues) and is happier than ever before.
Bottom line:
Mac to get the job done, x86 Debian or Ubuntu Linux for cheap PC workhorses/servers/tinkerboxes/old-hardware-recyc
We suffer more in our imagination than in reality. - Seneca
Sure, and anyone working retail knows that Winblows has been getting creamed for years, cable or no. This puts a number on that you can use, and the number has gotten smaller.
"But wait," you might plead, "I remember just a few months ago reading about a minimum time to exploit of four minutes. This is twelve, how can things be getting worse and how do you know?"
Well, Sophos knows because they have the thankless and hopless task of "protecting" hundreds of thousands of Winblows computers around the world. They came up with their figure by studying what their little clients fold them for the last six months. With so many clients, it's easy to watch them pop and extrapolate rates of infection, just like you can with radioactive material.
What they have told you is a Winblows computer now has a HALF LIFE of twelve minutes. That's much worse than a four minute minimum because half lives have a way of adding up quickly. In 24 minutes, a given machine has only a 25% chance of not being owned. In 36 minutes, the chances of being "factory new" are down to just 12.5%. After an hour, oh my, you have less than a one in fifty chance of being virus free. Needless to say, after a few hours on line, YOU WILL BE OWNED. This is why even dial up users are suffering quickly.
Notice that Sophos can be off by an order of magnitude and the results will be about the same. If the half life were really 120 minutes instead of 12 minutes, you would still be owned after a few days on line. There's little practical difference to the average user between 10 hours on line and 10 days. It's doubtful they are off by that much, given ammount of data they have available.
Just for fun, try this fun little half life game. It's a little fast and the lables are elements, but you can imagine different Winblows versions getting oowned and spewing out their toxic spam and trojans onto the rest of the world. Radioactivity, cancer and Microsoft, what great analogies. Given real world M$ performance and it's results, the cancer shoe fits much better on Steve Balmer than it does on any GPL'd project.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
So I downloaded Firefox, then had to download a zip program to unzip.
Seems like it would have been smarter and easier to either (1) download the self-installing Firefox EXE, or (2) use the built-in support for ZIP files. (Since you were installing Firefox, I'm assuming you were installing WinXP which has always had native unzip capability.)
This further leads me to wonder what unzip software you chose, or more precisely, where you chose to download it from, since there are plenty of freeware or try-before-you-buy shareware unzippers available from countless legit sites.
Warez? Yeah, but it isn't your fault you got zapped...
Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005
Besides, these stats are for XP machines which, oddly enough, are what most of the worms are targeting.
Predictive text is shiv!
1) How long does it take an out-of-the-box, default-install, brand new XP/SP2 machine to be infected, assuming the user only browses to www.microsoft.com, www.hispcmanufacturer.com, www.hisisp.com, and www.majorsecuritysoftwarevendor.com in the hours/days/years before his machine is fully hardened?
2) How long does it take a Windows98-1st edition box to be infected if it's behind a hardware firewall that blocks all inbound ports, assuming the same browsing restrictions above before the machine is hardened?
The former represents "new machines."
The block-all-inbound-ports represents what most home routers do out-of-the-box and what ISPs SHOULD be giving to users, until the users specifically request a port be opened.
Malware usually comes in one of the following ways:
1) open inbound ports + buggy/exploitable software
2) users browsing to web pages that force downloads using exploitable browsers
3) users reading HTML email using exploitable email clients
4) users doing whatever on the net using exploitable client software
5) users accessing an infected file, via disk, network-mounted drive, or other means.
2-5 usually require the user to take some affirmative step, such as loading a web page. #1 is the only one that "needs" to be locked down on freshly-installed systems. The rest just need to be locked down before the user starts doing things that could get him into trouble.
Here's a third question:
Why aren't ISPs blocking inbound traffic for customers that don't request it?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.