The BBC's Honeypot PC
Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.
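The summary above counts Messenger pop-ups, Blaster and Slammer hits, an IIS probe and port scans, and gives figures for how long elapsed between attacks. As an added example (not code from the BBC article or its submitter), here is how one would pull that kind of summary out of the Windows XP firewall log (pfirewall.log layout). The log lines are constructed; the mapping from protocol and destination port to worm family is an assumption based on the ports those worms are known to use (Blaster on TCP 135, Slammer on UDP 1434, Messenger service spam on UDP 1026/1027), and the 60-second incident window and 3-port scan threshold are arbitrary choices for the example.

```python
"""Summarise inbound probes from a Windows XP firewall log (pfirewall.log layout).

Added example: not code from the BBC article or its submitter.  SAMPLE_LOG is
constructed.  SIGNATURES maps (protocol, destination port) to the worm or
service that normally hits that port; this mapping, the 60 s incident window
and the 3-port scan threshold are assumptions chosen for the example.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample.  The #Fields line is the XP firewall log layout:
# date time action protocol src-ip dst-ip src-port dst-port ... path
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-10-08 12:00:05 DROP TCP 192.0.2.10 198.51.100.5 3456 135 48 S 1 0 65535 - - - RECEIVE
2006-10-08 12:00:09 DROP UDP 192.0.2.20 198.51.100.5 1026 1026 500 - - - - - - - RECEIVE
2006-10-08 12:05:00 DROP UDP 192.0.2.30 198.51.100.5 4444 1434 404 - - - - - - - RECEIVE
2006-10-08 12:07:30 DROP TCP 192.0.2.40 198.51.100.5 2001 80 48 S 1 0 65535 - - - RECEIVE
2006-10-08 12:07:31 DROP TCP 192.0.2.50 198.51.100.5 2002 21 48 S 1 0 65535 - - - RECEIVE
2006-10-08 12:07:31 DROP TCP 192.0.2.50 198.51.100.5 2003 22 48 S 1 0 65535 - - - RECEIVE
2006-10-08 12:07:32 DROP TCP 192.0.2.50 198.51.100.5 2004 23 48 S 1 0 65535 - - - RECEIVE
2006-10-08 12:07:32 DROP TCP 192.0.2.50 198.51.100.5 2005 445 48 S 1 0 65535 - - - RECEIVE
2006-10-08 12:20:00 DROP TCP 192.0.2.60 198.51.100.5 3457 135 48 S 1 0 65535 - - - RECEIVE
"""

# Assumed port-to-attack mapping (well-known ports for each worm/service).
SIGNATURES = {
    ("TCP", 135): "Blaster (RPC/DCOM)",
    ("UDP", 1434): "Slammer (SQL resolution service)",
    ("TCP", 80): "IIS / web server probe",
    ("UDP", 1026): "Messenger pop-up spam",
    ("UDP", 1027): "Messenger pop-up spam",
}
SCAN_THRESHOLD = 3     # distinct ports from one source before we call it a scan
INCIDENT_WINDOW = 60   # seconds; packets from one source closer than this are one incident


def parse_log(text):
    """Return inbound (RECEIVE) records as dicts; header lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if f[-1] != "RECEIVE":
            continue
        events.append({
            "time": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "proto": f[3], "src": f[4], "dport": int(f[7]),
        })
    return events


def summarize(events):
    """Count events per category; a scanning source counts once as 'port scan'."""
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add((e["proto"], e["dport"]))
    scanners = {s for s, p in ports_by_src.items() if len(p) >= SCAN_THRESHOLD}
    counts, counted_scanners = Counter(), set()
    for e in events:
        key = (e["proto"], e["dport"])
        if key in SIGNATURES:
            counts[SIGNATURES[key]] += 1
        elif e["src"] in scanners:
            if e["src"] not in counted_scanners:
                counted_scanners.add(e["src"])
                counts["port scan"] += 1
        else:
            counts["unclassified"] += 1
    return counts


def incident_starts(events, window=INCIDENT_WINDOW):
    """Collapse bursts from one source into incidents; return their start times."""
    last_seen, starts = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(e["src"])
        if prev is None or (e["time"] - prev).total_seconds() > window:
            starts.append(e["time"])
        last_seen[e["src"]] = e["time"]
    return starts


def gap_stats(starts):
    """Min/max/mean seconds between consecutive incidents (the '15 minutes' figure)."""
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if not gaps:
        return None
    return {"incidents": len(starts), "min": min(gaps),
            "max": max(gaps), "mean": statistics.mean(gaps)}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for category, n in summarize(ev).most_common():
        print(f"{n:3d}  {category}")
    print(gap_stats(incident_starts(ev)))
```

The point of collapsing bursts into incidents is that a four-port scan one second apart would otherwise drag the "minimum gap" down to a second or two and say nothing about how often new attackers arrive; on the constructed sample the minimum, maximum and mean gaps come out as separate numbers, which is the only way a report can sensibly quote all three.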
So we've learned that putting an unprotected windows box on the internet is a bad idea - well duh! It probably doesn't help that they didn't bother with any updates, or turn on the firewall.
Not one mention of which service pack had been applied, not very informative, not very interesting, not too surprising.
Of course, we all knew this already, didn't we? The results weren't surprising to me and I doubt that any of the regular /. crowd would be either. Yes, I mean you.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
This is a pretty bogus test. Obviously they didn't install security updates before going about their business, made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago. And IIRC, this is the first thing Windows will do upon connecting to the internet. They also mention IIS.... does home version even ship with IIS???
Similes are like metaphors
why is there such a thing as an "unprotected windows box"? Isn't this a serious fault of Microsoft that there's even a way to have an "unprotected" system on the internet? Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.
I set up a friend's new computer and installed a firewall, before attaching it to the internet for the first time and he was stunned how fast the log of probes filled up. He'd never used a firewall before on his old XP machine.
What bugs me is why there doesn't seem to be any decent coordinated effort to track the bots down and shut them down and to go after the perpetrators. Really, it doesn't seem that hard, it just seems like no government is interested in doing anything about it.
A feeling of having made the same mistake before: Deja Foobar
As long as we're offtopic...
Um, no. Potassium iodide will protect your thyroid from radioactive iodine. It won't protect you from an explosive coated with cesium or americanium, and it won't protect you from a nuclear warhead.
~ C.
"So were are the Linux and OSX Honeypot PC's?" I'm afraid you'll have to wait a while for those. Auntie BBC has just about heard of Macs, but Linux is definitely not on her radar.
So is there anyone reading this website who didn't know that ports are constantly being scanned? Or that hackers are trying to recruit your PC for a botnet? Or that connecting xp without any patches, sp1 or sp2 to the internet is asking for trouble?
It seems that this article is directed at people who have a very minimal amount of knowledge about computers.
Why post this? Is it just our daily reminder that older and unpatched MS operating systems are insecure?
this has been done before with WinXP SP1, we already know it's insecure. But you know what? Most home users have firewalls now, if only in the form of a hardware router from their ISP, and any new users are running XP SP2. A simple firewall and a few trips to www.windowsupdate.com takes care of most problems. Now, a better article would point out how Windows Media Player will run any old code as root on your box if you've got "Obtain licenses automatically" checked. I can't believe there isn't more of a sh*t storm over that.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall. Scared me for a moment.
I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.
This study was done years ago, when XP just came out. IIRC, it was done live on TechTV's "The Screen Savers" multiple times.
BBC would have made it more interesting if they tested this in various scenarios -- no updates/firewall, SP2 with no firewall, SP2 with hardware firewall, etc. That way we could see what step(s) really let malware in.
any OS that needs RPC bound to network socket for a stand-alone machine is a POS. Portmappers are for network file systems and even if this functionality is required, people generally don't want it bound to a fucking WAN. Welcome to 1996!
Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003.
...
The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible.
Wouldn't that include all patches that would specifically protect against Slammer and Blaster? Note, the article says "such as", not "similar to".
Research shows that 67% of those who use the term "research shows", are just making shit up.
I have windows XP and a $19 dlink router (and a Linksys before that) and I have had *zero* problems in 24 months.
So okay- a naked machine may have an issue but this is really a non-issue if you spend an extra 20 bucks for an inexpensive router with a built in firewall.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Did they pass WGA?
americanium?
as in Futbol americanium?
Despite the article's efforts to point out how bad the malware situation really is for Windows users, this says less about Windows' built-in security measures and more about the ignorance of the users.
Is there any excuse for Blaster to still be out there in the wild? I realize that some people can't afford to upgrade or are locked into a particular version of Windows because software they depend on is no longer supported, but letting your computer become a spam-zombie is simply inexcusable.
Windows isn't the problem, it's the end-users. (read: guns don't kill people, people kill people)
People don't expect their cars to drive forever without some degree of maintenance and the occasional repair; so why do they think their computers are any different?
NOTE: I hate Windows and I hate guns, but I ESPECIALLY hate people blaming Microsoft for the stupidity of Windows users.
Hell if it won't.
I keep some potassium iodide in my shirt pocket at all times, and I've yet to be harmed by a nuclear warhead, cesium, or the vaingloriously named americanium.
"Sacrifice for the good of The State" - The State
This doesn't really show how vulnerable Windows XP really is, it shows how often it is subject to attack. Since all these are (mostly at least) worms and automated attacks, that's not really different from looking at the logs on my Linux boxes, where, for instance, my apache server is quite often "attacked" by a worm looking for IIS vulnerabilities. /. we all know to never put an unpatched box on-line, but it is interesting when more mainstream media put focus on that, no need to attack Microsoft in order to make this story interesting.
I like to bash MS as much as most people here, but this choice of words is really misleading. True, never ever put an unpatched box on the Internet, especially if it's running some version of MS Windows, but this hasn't got that much to do with the security of an updated Windows installation.
Here at
You are correct. It will, however, help. It is all you can do.
Microsoft "more or less" requires an internet connection for updates (the less technically savvy you are, the more you need to be online to get updates). Darn shame too because "update" need not "=" "activation".
The BBC runs hundreds of linux servers, I suspect they are aware of it.
Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?
I love linux, but a lot of this stuff pretty much pertains to anything on the internet. Do you have a linux box on the public net with SSH open? I guarantee you are getting more than 1000 attempted logins per day. This article talks about a lot of "attempted" attacks, well my linux machines on the net get port scanned at least 10 times a day, any box that has ssh running on the default port is being dictionary attacked pretty much 24/7. Sure the linux boxes aren't being turned into zombies, and I'm not sending out boatloads of spam, but my apache servers get hit with IIS attacks regularly. Putting a box with open ports on the net guarantees you will be attacked. It doesn't matter if it's linux or windows.
The difference is with windows you will probably get hacked, with linux you at least have a fighting chance.
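The comment above about SSH says a server on the default port is dictionary-attacked around the clock. As an added example, not code posted by that commenter, here is the per-source check an admin would run over sshd's auth.log lines to separate a brute-force source from a user who mistyped a password once or twice, and to flag the worst case: a successful password login from a source that was guessing moments earlier. The log lines are constructed; the host name, the year (syslog timestamps carry none), and the five-failures-in-sixty-seconds threshold are assumptions for the example.

```python
"""Spot SSH dictionary attacks in sshd auth.log lines, fail2ban style.

Added example, not the commenter's code.  SAMPLE_AUTH_LOG is constructed; the
host name "gw", the assumed year and the 5-in-60s threshold are example values.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Oct  8 12:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  8 12:00:03 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Oct  8 12:00:06 gw sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Oct  8 12:00:09 gw sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Oct  8 12:00:12 gw sshd[2109]: Failed password for root from 203.0.113.7 port 51242 ssh2
Oct  8 12:00:15 gw sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Oct  8 12:00:40 gw sshd[2113]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Oct  8 12:03:10 gw sshd[2120]: Failed password for dave from 198.51.100.9 port 40022 ssh2
Oct  8 12:03:20 gw sshd[2122]: Accepted publickey for dave from 198.51.100.9 port 40024 ssh2
Oct  8 12:10:00 gw sshd[2130]: Failed password for dave from 198.51.100.9 port 40030 ssh2
"""

# Matches the two sshd line shapes we care about: "Failed password for [invalid user] U from IP"
# and "Accepted <method> for U from IP".  Other sshd chatter is ignored.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2006):
    """Return login attempts as dicts.  `year` is assumed: syslog stamps omit it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["stamp"].split())          # "Oct  8" -> "Oct 8"
        events.append({
            "time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"],
        })
    return events


def brute_force_sources(events, threshold=5, window=60):
    """IPs with >= threshold failed logins inside any `window`-second span.

    A sliding window over each source's sorted failure times, so two typos ten
    minutes apart never trip it while a 6-guess burst does.
    """
    fails = defaultdict(list)
    users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e["time"])
            users[e["ip"]].add(e["user"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = {"failures": len(times), "users": sorted(users[ip])}
                break
    return flagged


def suspicious_logins(events, flagged):
    """Password logins that succeeded from a source already flagged as guessing."""
    return [(e["time"], e["user"], e["ip"]) for e in events
            if e["ok"] and e["method"] == "password" and e["ip"] in flagged]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    bad = brute_force_sources(ev)
    for ip, info in bad.items():
        print(f"{ip}: {info['failures']} failures, tried {info['users']}")
    for when, user, ip in suspicious_logins(ev, bad):
        print(f"ALERT {when} password login as {user} from guessing source {ip}")
```

The sliding window is what keeps this honest: counting failures over a whole day would eventually flag anyone who fat-fingers a passphrase, while a burst of different usernames from one address inside a few seconds is only ever a dictionary run. The last function is the check people forget; once a source has been guessing, an "Accepted password" from it is the line that actually matters.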
Guess you missed that the BBC News weather system runs on Linux?
DOS 5 found to be vulnerable to bootable floppy trojan worms. The BBC encourages you not to use unsafe diskettes or punch cards.
-BBC
Hey, I thought you were leaving?
The article clearly states that this doesn't affect many PCs due to the patches, but it also states that MS themselves stated they still deal with hundreds of PCs getting infected with these old viruses to this day. In my experience, most average users do not patch their machines on their own. They either rely on auto-update or simply react when an infection occurs. I have also worked on many people's PCs where their virus scan was literally years beyond the virus scan protection subscription.
Anyway, the test isn't the least bit bogus. They are only trying to show how many attacks your average PC suffers per day. This is a good article for the droves of people that do not apply security updates on a regular basis.
installation procedures for RealOne on the BBC
I Wished all broadcasting corporations were as 'backwards' as the Beeb.
MP3 Search Engine
it WASN'T a fscking test... it was an article showing just how fscking dangerous it is to put an unprotected box on the internet... fer fecks sake... next week they let it get infected just to show what happens...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Strictly, they said the attack was aimed at IIS, not that the attack was successful.
In fact, it's not clear from the article that ANY of the attacks were successful. If that's true, it doesn't really matter how many attacks there were, and it doesn't make Windows any less safe than Linux or VMS, for that matter. Only the successful attacks matter. (You've got to shut down the Messenger, to be sure, but I'm pretty sure that comes turned off now, and it was a stupid feature in the first place.)
Sure, it sucks that there are still so many infected machines out in the universe, and it's time to start tracking them down and turning them off (or at least getting their ISPs to shut down their connections until the users learn to wear a condom). Blaming new Windows for failures of old ones is just scaremongering.
"This is a pretty bogus test. Obviously they didn't install security updates before going about their business,", not already in use
"we installed an unprotected version of Windows XP Home configured like any domestic PC."
"made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago", not already in use
But these three year old attacks were still coming from other already infected machines on the Internet. Are all these infected machines running three year old software?
...so... pls. explain to us how do we get our brand new installation of Win XP updated WITHOUT connecting it to the Internet
PWS (Personal Web Server) is a scaled down IIS.
whilst I will take your point about updates I have found a problem similar to this personally and I think that you judge them too harshly. When you have a computer which is brand new the first thing you will do is connect to the internet. It would take a couple of hours to download the updates for XP up to this point, especially if you're on an old service pack (I must admit I don't know if they now sell them with SP2 or not...), even if you get it with the newest service pack if you're on a 128K connection a couple of hours to get a few hundred MB is pretty accurate.
During this time you might just leave it unsecured because that's what you're addressing, you might be fully intending to get a good windows version of a firewall up and running, but think that you'll get the windows updates first. This is pretty realistic I think... So just how many viruses etc could you have before you can sort this out?
Also, I would say most people just don't update at all anyway... I know people who don't and then question what's going on. Seems like a fair test to me.
*''I can't believe it's not a hyperlink.''
So you're trying to track down someone who's renting a server in Mongolia who allegedly sits in the Ukraine with a DNS entry made with a DNS provider in Kyrgyzstan which allegedly belongs to some guy in Turkmenistan.
Your turn. Lemme give you a hint from experience: Neither of those 4 targets will get you anywhere. Getting legal help in some countries is a matter of faith. Or, rather, it's about as useful as faith in some deity.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Despite all the Microsoft apologists who will wring their hands and point out that certain things were not done in order to make the Microsoft honeypot safe, the genuine service this article demonstrated is that people who turn on their new computer with its Microsoft operating system connected to the Internet are vulnerable to exploits which are automated and exist in abundance, ready to pounce upon current Microsoft operating systems.
Even if you're a master of Microsoft "anti-ware" solutions and tweaks, what happens when someone who isn't takes a few wrong turns with their OS? It's toast, or worse, enslaved and used as a resource the end-user is paying for.
I stopped using Microsoft operating systems to directly connect to the Internet nearly 10 years ago, when the sophistication of the exploits had developed to the point where it was no longer safe to use any Microsoft OS online. Since then it really hasn't gotten much better, has it?
I think it's a shame that the company with the fattest pockets can't be bothered to get it right yet still demands to be on every PC made.
Every new form of media has its own Requirimento
Pronunciation: -'skA[th]d
Function: adjective
: wholly unharmed : not injured
Do you have something to share with us about your experiences at Oktoberfests? I always thought it was to celebrate the harvest. Perhaps your community has taken it to level of harming 17 year old nude virgins?
I was once exposed to Francium, but it surrendered before I could do anything about it.
Gamingmuseum.com: Give your 3D accelerator a rest.
Obviously they didn't install security updates before going about their business
they were probably trying to download them...
Summation 2
having sex with a diseased hooker with no condom will cause funny liquids to start coming out of you....
This is a pretty bogus test. Obviously they didn't install security updates before going about their business, made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago.
You know what: most people don't install the updates. Unless they're prompted to during installation, which was added with SP2.
Well, continuing this joke is kinda lame, but then the Germanium in these basement walls is known as a laughing-inhibitor...
Damn... WTF is wrong with you people? Most of the people here can't seem to see beyond their own generally computer literate viewpoint. This article is really for your average user out there that doesn't apply the latest security patches or keep their virus scan software up-to-date. It's just stressing how many attacks your average PC undergoes when on the internet. Am I one of the only people that gets this?
So you are simply wrong.
http://skeptobot.blogspot.com/ - A site for the Renaissance man and woman
The BBC ain't a computer biz company. They wanted a story. And what's a better (tech) story in the age of phishing and spam than "OMG TROJANS!"?
Of COURSE you get plastered with portscans and worms hammering against the "well known" ports. That's normal. Welcome to real life on the 'net. You think it's different for my *nix Machine? It's not. My firewall-log is getting flooded with kids and worms trying to find some unprotected ports, trying to connect to 21, 22, 23, 80 and so on, just to see if there's anything running they could use. The real question is, how many successful attacks did happen? Saying XP is insecure because a billion people hammered at its doors is FUD. When a million of those make it in, though, it's a different matter.
And yes, an unpatched WinXP is insecure. It simply is. Get a router and you're set against 99% of the external problems you may face. But then you still should not use the machine to access anything on the net, because some of the tools you're using (IE and Office being the two key players today) have known (and partly unpatched) security issues that may cause execution of code when you're not really careful and know what you're doing.
In a nutshell, going online with a MS product that's not well firewalled and using anything but alternative software for the access of online resources is grossly negligent IMO.
ah yes... nothing underlines the superiority of Linux better than an XP user having to hide behind a Linux based "Hardware" firewall/router...
Actually, these days they're not Linux, they're VxWorks -- unless you special-order the "WRT54GL" version, which most people wouldn't do because you can't buy them at BestBuy and they cost more.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
All of the "well duh" folks miss the point. There are a lot of people out there with reinstall CDs for older machines. When their machine gets hit with malware, many of them "reload" windows and some of these head for Microsoft update.
The point is that they are too late - they're perfectly likely to get hit before update can protect them, and perfectly likely to get hit with something as bad as what they had before.
This really is a problem.
Using plain ol' text since 1968
Yes, that is exactly how a new user will work with his/her new PC.
Which is why Microsoft should be focusing their efforts shutting off all open ports on a vanilla installation. Just as Ubuntu does right now.
Once you've connected it and turned it on, the machine should check in and offer to download all the security patches. But it needs to offer to do this PRIOR to any of the ports being opened.
Clicking "OKAY" (repeatedly) during the initial boot/first use should result in as secure and updated a machine as is possible for the home user.
How do you have a 15 minute average, a 15 minute maximum, and a 15 second minimum?
So okay- a naked machine may have an issue but this is really a non-issue if you spend an extra 20 bucks for an inexpensive router with a built in firewall.
And that's $20 that the average computer user doesn't understand why they should "waste" on a funny box. I mean, they already use one of those surge-strip thingies, doesn't that mean that they're protected?
Aren't many self replicating or functional as an independent entity? I doubt many of these are being launched from an actual location that can be tracked down easily. Much of it is embedding in pages, spy-ware, or something similar online. You ask why there is no action taken against these bots, but the reality is that these bots are everywhere and not in one central location. One instance of a bot probably exists in dozens, if not thousands of locations.
On the other hand, what would cleaning up the net really do? It would cost a decent amount of time, money and effort, only to see new and better exploits coming out as a result of our efforts. The burden should be, and is on the OS to handle these threats and protect its users. These people writing exploits will likely never stop unless we can find a way to easily identify and prosecute the source of said exploits.
Unfortunately, this is the same sort of response I've got from meetings in the past, "the problem is so big, we'll never get anywhere, so why start?", and then there's me doing the jobs of a half dozen or so people who can't spare five minutes a day to do something right, so it becomes a major problem after all the not-doing-anything-before.
For one, I'd think there are some elementary steps which could be taken, if not by government, then certainly by ISPs. Learn the signature of attacks and isolate computers on your own network which are launching them, if the customer doesn't respond then freeze their account, that usually gets attention fast. Have some kit for learning how to protect new customers (I understand AOL actually comes with something like this, but I'm not one of their subscribers.) Have new customers run through the steps and activate their connection to the outside once they've done so and signed off, then require they keep up or their accounts will be frozen. If all carriers would work together as an industry group I think this could be accomplished, not necessarily as this example works, but something. My ISP only offers email filtering, which is only so-so.
In case of a nuclear incident:
1. Place head between knees.
2. Kiss ass good-bye.
3. Profit?!?!?
--- This
Yeah, there are bots and they keep sniffing. That is not news. How many of these known attacks actually succeeded? If none, it is pretty good. If one, "Redmond, we have a problem". I assume the OS they simulated was the one that gets shipped right now, not some original unpatched pre SP2 WinXP. If it was an old OS that is not being shipped by OEM vendors currently, then the test is bogus. It is anti MSFT FUD. All FUD is bad, whether it is anti-MSFT or anti-Linux.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
... that while they call attention to an obvious problem, they don't suggest any solution.
Obviously they didn't install security updates before going about their business
Yes. But the machine came under attack within seconds of connection. Best case, you're downloading worms and MS updates simultaneously. The barn door will be closed...right on the horses' departing derrieres.
And IIRC, this is the first thing Windows will do upon connecting to the internet.
In other words, quite possibly too late.
They also mention IIS.... does home version even ship with IIS???
No, but worms don't know that. I guess the upside is that there's at least one recorded attack in the sample that this particular installation wasn't vulnerable to.
The SANS Institute Internet Storm Center tracks "Internet Survival Time". Currently it's 23 minutes. That means an out-of-the-box Windows PC, connected unprotected to a live Internet connection, has on average 23 minutes before being pwnd. That might be long enough to finish your most critical bits of Windows Update business, except that's an average, so half the time you have LESS than 23 minutes before pwnage.
Take-away from this: Ma and Pa hooking up their brand-spanking new HP or Dell or emachines will become the proud owners of a zombot within minutes of connection, unless they're extraordinarily lucky or very well advised (for instance "buy a hardware router/firewall and use it" or "run all the security patches on this CD-R before going online").
And speaking of "well advised" and SANS Institute, read "Windows XP: Surviving the First Day". (WARNING: PDF) There's some good stuff in there. The SANS guys (and gals) are the Good Guys (and Gals).
Welcome to the Panopticon. Used to be a prison, now it's your home.
I usually am actually behind a Linksys Wireless Firewall/Router. Does that tend to help this kind of problem, or am I being pwned and not realizing it?
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Some of them send you software firewalls on the "signup kit" CD, but I don't know of any that will send you a hardware firewall/router, except as part of an occasional special promotion.
I think that Comcast Broadband's "CD 'o Crap" includes a software firewall on it, ZoneAlarm or similar, but that won't do you much good if your computer is already compromised; I assume most rootkits will just disable a firewall from inside if you install one after you've been attacked. So they're pretty much useless to anyone who's not installing the software on top of a virgin Windows installation and which has never been connected to the 'net.
Plus, I'm not convinced that a software firewall is really that great anyway; most people will just click that "Allow" button for just about any reason, and that pretty much defeats the entire purpose of having it.
Any more questions?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I had some "friends of friends" who were running the reinstall loop due to malware. I gave them an old but locked down linksys router to connect through. Problem solved, but many don't know to do this sort of thing...
One of the local medical offices "needed SP2" for some software they ran on a closed local network of 4 or 5 computers (i.e. totally unconnected to the internet). Somebody with just enough knowledge to be dangerous hooked the computers (one at a time) directly to a DSL line usually used for a protected system, and ran Microsoft update to get SP2.
You can imagine the results...
Okay, so did the BBC repeat the test with a patched version of XP Home? How about XP Pro, or Win 2003 server, or Solaris, or whatever-linux.
This isn't a story so much as me-too Microsoft bashing
Here will be an old abusing of God's patience and the king's English.
Or all the samples are 15 minutes. Your pick.
I have to question the blind assertion that this is the average user. Can one even establish a mean (or median) user on a number of different behavioral axes?
This is a common myth among users and developers alike. I regularly hear "the majority of people aren't going to do that," but it's as silly to base design decisions on what the supposed majority will do in one case as it is to claim to be representative of the "average user" with one system. The BBC uses such vagaries as "However, at least once an hour, on average...". Those are two orthogonal restrictions. If something happens at least once an hour, that is very different than something averaging once an hour. Which is it?
It's a fair concern, that putting an older XP installation on an open hole to the internet can be dangerous, but I'm not sure that it's something that the "average" user does. New-computer buyers default to the firewall being on (and annoying), and the last three broadband vendors that I used (DSL, then Cable, then DSL with a different provider) sent modems with built-in firewall/routers to use with their system. The last one sent an 802.11g router that defaulted to an open access point, but that's just another chapter in a long story of security vs. convenience.
The BBC could have used a more modern setup, but they wouldn't have been able to do their week-long series on how to protect against these dangers if they didn't encounter the manufactured dangers in the first place.
There's something to see here, but it's so childishly sensationalist that you should just move along...
"Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?"
.. Doh
The point is that the Internet is infested with compromised Windows boxen. Ok, where are all the compromised Linux web servers. Assuming they are running Apache under Linux. According to Netcraft Apache usage is at roughly 980,00,000 while IIS is at 490,00,000. Why don't we see an equivalent number of compromised Linux servers.
Yet another mod troll
>Their impact is limited now because Windows is now sold with its firewall turned on and the patch against them installed.
So nowhere does this guy say that any of the attacks succeeded. By contrast, I once had a default Redhat install compromised, with a root kit and spam relay installed within HALF AN HOUR after I brought it up. Near damn every service was enabled on it! Get off the soapbox!
They do not know what *we* know.
And some who do, are often not fully cognizant of the implications. If they knew their worm infested computer was aiding in the commission of criminal acts, most folks would take action. Instead, 95% of Userland does not even realize something is amiss until the computer bogs down -- such that IE takes 14-20 seconds to load.
You are where you are at the time you are there.
It takes more than 15 minutes to do an update on an XP machine and an update requires an internet connection. How are you supposed to update to the latest patches before being infected in the first place?
Dude, it's 2003, they want their security holes back.
I'm not going to mince words: This story is BS. Lets take the money quote here:
Really? Once an hour, something that'll remotely own XPSP2, just being leaked out over the Internet?
OK, Windows Messenger service is disabled in XPSP2...Blaster hasn't worked in years, Slammer never even hit XP Home by default (you had to install Visio), IIS isn't even available for XP Home, and port scans aren't too relevant when you have a firewall on by default.
What a completely worthless story. You know, we have enough actual security problems going on (the glacier of cross site scripting exploits, what's going on in the online banking realm) that whinging about long solved problems is not only irresponsible; it's dangerous.
What's IIS doing on an "average home user machine"?!
Is this an attempt to indirectly promote Microsoft's new OS by urging people to upgrade?
Mod points are a dangerous tool. Abuse them wisely.
http://www.vnunet.com/vnunet/news/2126479/malicious-trojan-infects-windows-media-player
http://news.com.com/2100-7349_3-5211168.html
http://secunia.com/advisories/20626/
The truly scary thing is that prior to May 2005 http://support.microsoft.com/kb/892313 WMP left you vulnerable to the DRM-based viruses even if you'd explicitly told it not to auto-download DRM code!!
I don't know why they included this. XP home does not have IIS.
Yes you can install IIS on XP home if you have an XP PRO CD already, but if they are trying to show what normal users experience they shouldn't be including it.
TruePunk | Games
"Turn the built-in firewall on before plugging the cable in." ...wasn't that a feature which first came with SP1 (or SP2) ?
Yes, I do always have just one question more...
Unless you're buying from Ted down the street, your computer comes with the latest OS at the time of production. Of course, because of shelf life, that means it comes from 3-6 months out-of-date, but usually updating from that state is only a few dozen megabytes and maybe half-a-dozen patches. If you're buying from Ted down the street, all bets are off.
Comment of the year
- The power cord
- The cat 5
- The coax cable
In order to do a power cycle on a crappy 3com cable modem. (Still hate sharkfins) This woman was in a literal panic - complete with wailing, incoherent utterances, etc. She could not think straight enough to reattach the cables. Now, I hate to be rude, but WTF was she doing owning a computer!?!?!?! These were 3 separate connections that look nothing like each other. One is a screw-on connection, one is an overgrown phone jack, and one is a barrel jack. They won't even plug into the wrong place. It's not like she had 2 phone jacks for a modem & couldn't remember which one to put where.... They only go 1 place.
This is closer to the average user than your average slashdot reader.
I know, americanium, the nerve of them. Too bad the Europeans came out with Europium in the 19th century. Go home euro-weenie.
The war with islam is a war on the beast
The war on terror is a war for peace
XP has always had a built-in firewall. It just wasn't turned on by default until SP2.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
A highly protected Windows machine would have SP2, which automatically has Windows Messenger DISABLED. Just which Service Pack were they using, again?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
1) Download the "WinXP updates pack" from the Microsoft website with another computer.
2) Unzip the archive. It contains ~500 .wup files. Burn them to a CD or put them on a USB drive.
3) Mount the CD or USB drive on the XP machine you want to patch.
4) In "Windows Update" select "apply updates from files".
5) Navigate to your CD or USB drive, select the .wup files. Click "Apply".
Strictly, they said one (1) attack was for IIS.
This wasn't to see whether it was successful or not but to identify the types of attacks and where they are coming from. They state in TFA that next week they let it go full bore to show what happens. Call it a teaser or next weeks
Aunt Bessy goes to OfficeMax and picks out that fancy new HP gadget that everyone is talking about. Of course, she gets the one on clearance sale to save money since it looks just like the one on the shelf. She takes it home, follows the pretty picture diagram that was in the box showing her how to plug things in and hooks it right up to her new cable modem. Since this machine was older, it isn't updated to SP2 yet and to make it worse, her "restore disks" that she has to make are that very same pre-SP2 version. Aunt Bessy doesn't know a thing about firewalls, routers, antivirus, etc. that we all know about. So now here she is hooked up in the raw to the Internet getting attacked every 15 minutes running HP's XP Home which defaults to no password, admin user, yadda, yadda, yadda. Ten seconds into her first experience she gets infected and things go downhill from there. Even if she was to try to run Windows Update, she is still going to get infected before she accomplishes the update.
This problem rests squarely in the lap of Microsoft. They sacrificed security for the all important "ease of use" marketing. Adding in WGA for updates only makes the problem that much worse since it makes people (especially the false positives) not want to update. In short, Microsoft is a menace to networking as if we didn't already know that.
B.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
The article appears to be the first of a series:
Maybe on Wednesday they'll explain how to prevent this sort of thing. That would be good.
So where are the Linux and OS X honeypot PCs?
What would the point of those be? Why would anybody waste their time setting one up? To watch a bunch of Windows-specific breakin attempts fail?
Also learn to spell.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
And you beat me in pointing Messenger is disabled by default in SP2. Someone go mod my other post redundant, please.
I suppose that it should be "well they get what they deserved for being cheap", rather than "well they get what they deserved for being ignorant", then.
Excellent point. I was wondering about that myself. Maybe the number of actual successful attacks would have been anticlimactic after all the scary stuff about compromised machines and botnets?
Why didn't they do a honeypot with one of these?
I'm not computer stupid, but I was doing a system restore. I made the mistake of plugging into my router and getting my XP PRO updates before turning on the firewall and updating my antivirus... the machine was infected within minutes. I put the restore CD back in and rebooted...
Not to be pedantic (ok, who am I kidding, this is just to be pedantic), but "average" doesn't mean what you think it means.
Don't blame me; I'm never given mod points.
Oct 7 12:20:49 zcat sshd[21846]: Failed password for root from 222.39.47.92 port 34456 ssh2
Oct 7 23:30:24 zcat sshd[3027]: Failed password for root from 59.25.30.145 port 33523 ssh2
Oct 8 00:43:11 zcat sshd[9630]: Failed password for root from 146.145.231.236 port 33847 ssh2
Oct 9 20:11:01 zcat sshd[31977]: Failed password for root from 219.142.102.54 port 53635 ssh2
I know... Not quite every 15 minutes, and not really a flaw in Linux itself. But they are out there.
455fe10422ca29c4933f95052b792ab2
You solve this problem very simply by installing a NAT router between you and the internet. As long as you don't map any vulnerable ports through, you don't have to worry about attacks which are not a result of user action, i.e. trojans and whatnot. The fact that ISPs such as Verizon ship standard integrated NAT router/modems probably does a great deal to make their customers and the internet more secure.
Woopty Doo Basil, what does it all mean?!
How is an average l-user going to get their hands on an unpatched Windows box? I bought a computer from Best Buy recently, SP2 was installed and the firewall was on. My sister bought a Dell, same story. Sony, Toshiba, Acer, all the same story. So how, pray tell, does this story mean anything?
L-users can't get their hands on an unprotected Windows box even if they tried.
People that can get their hands on unpatched boxes (off of a live CD, but what reason could you possibly have to do that?
So who does this article apply to? Really really drunk techs that delete hard drives then put XP back on them and then go surf the net for porn and download a bunch of stuff without patching(ie Best Buy Geek Squad)? Well then say that so the rest of us don't have to worry about it. BBC, I watch your News Hour, and thank you for the opportunity to get real news in the US, but this is mad trolling.
Aunt Bessy goes to OfficeMax and picks out that fancy new HP gadget that everyone is talking about.
And why just "Aunt Bessy" getting a gadget for no reason other than "everyone is talking about" it? It's not just her... there are plenty of very, very smart (smarter than most of us geeks probably) professional people that aren't, and *shouldn't have to be*, knowledgeable about computer security. I worry more about the small businesses and professionals out there who may know a lot about their profession and even know the computer tools used in their profession and the basics of administering their machines that *don't* know how bad the security environment is for their PC. Likely your accountant, lawyer, doctor, and the owner of the small boutique where you bought a gift for your wife (and who uses their PC to run batch Credit Card transactions) all have the same problems keeping their machine secure as your Aunt Bessy does.
Now, for the average Joe User who doesn't know what a hardware firewall is or why he needs one, how do you take these steps before your shiny, new PC is compromised?
From the summary: How long does it take to go to Windows Update, download and install patches? IME, a lot longer than it does to get attacked, which creates a chicken-and-egg problem: you can't put your Windows computer on-line until it's secured, but you can't secure it until you put it on-line.
Hrmmm.....
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Well everyone makes mistakes. I had no idea that my system was under someone else's control. I had an occasionally on wireless connection through my neighbors high speed connection. Windows Firewall and Avast anti-virus, plus SpyBot-SD were always running whenever I connected the machine to the net. Windows Automatic Update is turned off, but I update the machine weekly.
I finally got my own DSL connection last week. Within a few minutes I noticed my machine was running really slowly. My mouse was moving slower than I thought it should. Then a few emails disappeared (including my login email AT&T sent me). Ouch, I think I've been taken over.
So I restarted the machine with Ubuntu, logged into my AT&T account manager via a dial-up connection to change all my passwords etc. and then proceeded to download ZoneAlarm and read up on making my Linksys router more secure (beyond WPA). So I got busted despite my best intentions by letting down my guard. Hopefully not too much personal data was stolen. Fortunately I do very little on the 'Net beyond spending time on online forums and playing http://liveforspeed.net/ so the only passwords stolen will be my logins to Slashdot and such.
Live and learn. Pay attention to all this security stuff, even when you think you are secure.
This post brought to you by your friendly neighborhood MBA.
If you try to connect a fresh new unpatched machine on to Microsoft's own network, the machine gets bombarded almost instantly, and if the install is old enough, it will never make it past setup. (Initial networking boot will cause it to fail.)
I was doing contract work out there, and I thought they were joking about it. I was doing a fresh VMware install of XP, because I wasn't going to be there long. I didn't wanna install the ISA server software on my personal machine, and when I am done I can blow away the install and not have to worry about still having MS IP on my machine. I still loved the fact that the host machine was Linux. Strangely enough though, I wasn't the only one LOL.
I would like to see the same thing tested with an older unpatched version of Linux, BSD, OS X, etc. Which comes down first, how long does it take, etc.
Alex Pontin writes,
"This article from the BBC shows how vulnerable XP Home really is.
Dear submitter, Alex, this article did not show how vulnerable XP was, it showed how many ATTEMPTED attacks were detected.
Why don't ISPs provide a configurable firewall service so most of this stuff isn't even sent down the wire?
Yes, I don't want to buy a router or a new DSL modem with firewall capabilities.
I also don't want another * thing to plug into the wall.
One could even allow users to select/join a non-configurable firewall service -- as long as it isn't too restrictive.
There is way too much junk being sent to most users.
I have WinXP/Home *SP1* that I got OEM when I bought some hardware from newegg a few years ago. The PC I built sat idle (turned off) for a couple years until recently, when I re-built it to play Second Life.
I've had to re-install windows twice recently. Once when I re-built the machine with newer components and once after my hard drive failed.
Each time I do this I am starting with *SP1*, and it takes a long while of windows update, windows update, windows update, etc. before it even gets to updating to SP2, then there are more updates and more updates and...
All the time I am installing windows (about an hour and a half) I am connected through a linksys router/firewall, and once SP2 is finally installed windows firewall is turned on.
Tell me, all-knowing ones, is this machine compromised by the time I have it updated or does the linksys firewall protect me?
Thanks,
Amy
go after the perpetrators. Really, it doesn't seem that hard
The perpetrators are like Al Qaeda: they are everywhere and they are nowhere. They use lots of zombie PCs or hacked servers to do the dirty work. One may have to trace back several layers of hacked machines, if it is even possible.
Once my own website attacked my home PC. I went to check on my website, and lo and behold somebody had planted a JavaScript virus in it which immediately infected my computer. (Low-budget hosting has its downsides.) The virus on my PC probably tried to hack into other websites to do the same thing before I cleaned it out, and I don't even know if it is really gone.
Table-ized A.I.
By utilizing the science of MATHEMATICS...we can see that this doesn't make any god damn sense.
"When we put this machine online it was, on average, hit by a potential security assault every 15 minutes....The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it."
How can the average be 15, but there was never any period LONGER than 15, and some periods less than 15?
1, 3, 2, 5, 4, 3, 4, 2, 3
Average is....5? Bzzzt.
What do you think is propagating all this crap in the first place? MS boxes that have been compromised.
OK, there are things like metasploit that run on Linux, but the majority of the bad traffic comes from PCs that have been compromised by similar stuff to this 'bogus test'.
"It doesn't cost enough, and it makes too much sense."
"What would the point of those be? Why would anybody waste their time setting one up? To watch a bunch of Windows-specific breakin attempts fail?"
No, to provide contrasting examples for the public.
The project was not aimed at convincing geeks.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
It is possible to arrange the shutdown of whatever IRC channel or server is directing the botnet. On the other hand, people on the NANOG list who have been doing this are increasingly skeptical about how much good they're doing.
How exactly does a worm find your IP address and suddenly know when it goes "live"?
There's about 255*255*255*255 possible combinations of IP addresses (minus all the exceptions like LAN addresses, localhost, subnet mask indicators I don't fully understand, etc... you know...) which even minus all those, I'm sure still leaves a huge number of possible addresses.
Someone clue me in here, please.
I've come to the certain conclusion that people do NOT want to be helped. Even on a "survival" site, they continued to joke about it. If something serious happens, you are dealing with 31 out of 32 people being sheeple. They will come mewling to your door, begging for help. See Katrina, and New Orleans versus Mississippi. I'm anti-Christian, but those people in Mississippi sure showed self-reliance. As for the sheeple, keep your offensive and defensive weapons ready. You simply cannot help everyone, and will have to use force to make people realize this.
Just mention tactical defense such as vests and such, and you just get the usual mewling. Dial 911! Sure, people, sure.
And to add to your quote: "No good deed shall go unpunished". Let one sheeple have food, and be prepared to get deluged with them.
I run ubuntu, haven't configured any firewalls or stuff (but I'm behind a router). Does that count? I've no idea how to check for attacks.
Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
Computers are like people. If you don't protect before you connect, you can get a nasty virus...
Vagary comes from "vagus," same root as "vague," and can be used to describe an unusual or erratic idea. Rule #2 about being a pompous twit:
If you're going to instruct someone to use a dictionary, make sure that you've read past the first definition.
On "orthogonal," I have three things to say:
1. Most programmers know what is meant by "orthogonal concerns/restrictions," and it doesn't take much more than a middle-school level of math to do so.
2. If you think that "orthogonal" is a haughty word, well, you're a moron.
3. Though you may not post back, I'm sure that you're reading this. No proper trolling AC would skip on checking back. Just make sure you have more to lob than this next time you sign out as your user to try and pick a fight about someone having their nose in the air.
Are those just login attempts, or exploit attempts? Is there any way to tell?
Laws do not persuade just because they threaten. --Seneca
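The sshd lines quoted earlier in the thread and the question just above (login attempts or exploit attempts?) can both be answered by looking at what the log actually records. A "Failed password" line is sshd rejecting a completed authentication exchange, so it is a password guess against an account, not an exploit of the daemon; what is worth triaging is how aggressive the guessing is. The following script is an added example, not code from any poster: it parses syslog-style sshd lines, tallies failures per source address, and labels each source. The log lines inside it are constructed (RFC 5737 documentation addresses) to mirror the format quoted in the thread; the five-failures-in-sixty-seconds threshold is an assumed starting point, not a standard.

```python
"""Triage sshd "Failed password" lines: how aggressive is the password guessing?"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not any poster's real log). The format matches the
# "Failed password for root from <ip> port <n> ssh2" lines quoted in the thread.
SAMPLE_LOG = """\
Oct 7 12:20:49 zcat sshd[21846]: Failed password for root from 192.0.2.10 port 34456 ssh2
Oct 7 12:20:51 zcat sshd[21846]: Failed password for root from 192.0.2.10 port 34457 ssh2
Oct 7 12:20:53 zcat sshd[21846]: Failed password for admin from 192.0.2.10 port 34458 ssh2
Oct 7 12:20:55 zcat sshd[21846]: Failed password for invalid user oracle from 192.0.2.10 port 34459 ssh2
Oct 7 12:20:57 zcat sshd[21846]: Failed password for invalid user test from 192.0.2.10 port 34460 ssh2
Oct 7 23:30:24 zcat sshd[3027]: Failed password for root from 198.51.100.7 port 33523 ssh2
Oct 8 00:43:11 zcat sshd[9630]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
Oct 9 20:11:01 zcat sshd[31977]: Failed password for root from 198.51.100.7 port 53635 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: (?P<outcome>Failed password|Accepted \w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line):
    """Return a dict for one sshd authentication line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for ordering within one log (assumes no year rollover inside the window).
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "failed": m["outcome"] == "Failed password",
        "user": m["user"],
        "invalid_user": m["invalid"] is not None,  # account does not even exist
        "ip": m["ip"],
    }


def parse_log(text):
    """Parse every recognised line; unrelated syslog lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Per source IP: failure count, usernames tried, non-existent users, failure times."""
    per_ip = defaultdict(lambda: {"failures": 0, "accepted": 0, "users": set(),
                                  "invalid_users": set(), "times": []})
    for e in events:
        rec = per_ip[e["ip"]]
        if e["failed"]:
            rec["failures"] += 1
            rec["users"].add(e["user"])
            rec["times"].append(e["ts"])
            if e["invalid_user"]:
                rec["invalid_users"].add(e["user"])
        else:
            rec["accepted"] += 1
    return dict(per_ip)


def classify(events, min_failures=5, window=timedelta(seconds=60)):
    """Label each source: a burst of >= min_failures failures inside `window`
    is brute-force; fewer or slower failures are a low-rate probe.
    (Threshold values are assumptions for illustration.)"""
    labels = {}
    for ip, rec in summarize(events).items():
        times = sorted(rec["times"])
        burst = any(times[i + min_failures - 1] - times[i] <= window
                    for i in range(len(times) - min_failures + 1))
        if burst:
            labels[ip] = "brute-force"
        elif times:
            labels[ip] = "low-rate probe"
        else:
            labels[ip] = "no failures"
    return labels


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    labels = classify(evs)
    for ip, rec in summarize(evs).items():
        print(f"{ip:15} failures={rec['failures']} users={sorted(rec['users'])} "
              f"invalid={sorted(rec['invalid_users'])} -> {labels[ip]}")
```

The "invalid user" set is the useful second signal: a source cycling through oracle, test and similar names is running a dictionary, not a person mistyping a password, and that is the pattern a fail2ban-style rule or a firewall drop would key on. Note what this cannot tell you: an exploit against sshd's own code would not produce a clean "Failed password" line at all, so a log that contains only these lines is evidence of guessing, not of a remote-code attempt.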
Do most home PC users both 1. know that this should be done and 2. know somebody with another computer and a CD burner who is willing to do this for free?
Microsoft already does attach such a warning label: it's called a disclaimer of warranty and limitation of liability.
What a nightmare. I wonder how long it took them to get their data off, wipe the systems and get a clean reinstall of everything.
You'd think the college's gateway would be able to at least block exploit packets. I remember that UConn's network blocked the SMB ports at the internet gateway to cut down on exploits. How do most of these work? Why aren't they blockable with a simple packet filter?
I think the standard Ubuntu install has ssh (22) active by default. And there was a remote exploit for ssh a few years ago, wasn't there?
I used "Aunt Bessy" because that is the likely customer Microsoft is targeting XP Home to. All those others you list are business interests and thus not a real target for XP Home which IMO is a real abortion in the Microsoft corporate think tank on a par with ME. That isn't meant to negate what you said as that is surely true as well. It still boils down to a Microsoft problem that I don't see getting any better.
My Snort logs show thousands of attacks a day, and they don't even show the failed SSH login attempts. I live in S. Korea, though. Nukes to the north, poop shoots to the south.
Put identity in the browser.
Not really. The "problem networks" (typically cable broadband nets such as Comcast) already own the equipment and technology to kill 80% of the worms extant in less than a week. I've told Comcast how to do it a couple of times already, but they are not interested.
I prefer to do something rather than theorize about the possible futility of doing something. YMMV.
No. Chickens and eggs. The ISPs are already managing a dynamic environment and can respond to the changes you yourself say are certain to result from stopping any particular exploit. The DOCSIS2 protocol they use can easily be leveraged to reroute all infected PCs (which are quite easy to detect from their traffic patterns, or their DNS activity) to a "clean-up segment" where they can no longer attack others, but where antivirus vendors can pay to maintain a presence. By contrast, the OS is installed and then exists fairly statically on the local PC, unless you run an update protocol, which can be hacked to spread further malware of course. Unless you believe it is possible to ship a 100% bug-free OS (which I do not think is possible) the onus is AND MUST BE on the network operators to detect and contain malware-spewing boxes. It's the gray goo problem in miniature, perhaps.
Or make them pointless by creating a reactive immune system on the net itself. I would pay extra to be on such a net; so would Ma and Pa Kettle. Such a net would be cheaper to run, too, since it would waste less bandwidth and storage on spamblowers and the like. Lots of major corporations run clean internal nets.
I'm curious to know how a default installation of XP (Home or Pro) with Service Pack 2 would fare. Doesn't it have Windows Firewall enabled by default?
And on a related note, a friend of mine recently reinstalled XP Home, SP1, using the disc that came with his computer (eMachines). He's on dial-up, and is only connected for a little while at a time, and he still got infected with a few things.
Another friend got a laptop that was a few years old, and I installed a wireless card. At that time, the computer was clean. A few weeks later he came to me and it had a massive spyware/adware/virus infection (again, XP Home, SP1). And he had barely used it during that time.
Last night I had to re-install Windows XP in VMware so that my wife can access her work systems. Once I had spent 20 minutes on the phone asking Microsoft for permission to use something that I already bought, it was time to do the updates.
The install was Windows XP - no service packs included. I then had to apply patches, install SP2 and apply more patches. The whole time I was doing this, my machine was not, and could not be protected by what was on it. The only thing that saved me is that I run a decent firewall in front of my home network. If I didn't have one (and many people don't - they just plug their cable modem connection to their ethernet port), I would have been owned in short order.
This is a real-life test and it does illustrate a problem with reloading machines!
I remember it well... (nostalgia wells up)
Rather than all the whining about how obvious this problem is, and how irresponsible people can be, I haven't seen one single post that actually gave any help on how to at least prepare yourself with a safe installation CD.
...BUT...
I know that I can use nlite (http://www.nliteos.com/) to easily create slip streamed CD that has SP2 included, and I know that I can also add hotfixes using that tool as well
How the hell do you figure out which hotfixes need to be/can be added to that build CD. I know there are lots of hotfixes available (I just checked), what should a user who is trying to be responsible do, add them all, add just the "Security Updates", what?
I also think MS are pretty irresponsible in this area, with every update they release, sure, they should be automatically installed, but, there should also be easily identifiable sets of 'rolled up' updates that can be downloaded. Hell, I count myself as an IT Professional, and I'm not sure any more what the difference is between a Hot Fix, a Security Update and a Roll Up, so how the hell can we expect Joe Public to have even the faintest idea other than turn on and wait for things to get updated?
"If it's lost, it'll turn up. Things always do" "I love it when a plan comes together"
> ... they're perfectly likely to get hit ...
> before update can protect them
They are perfectly likely to not get any update at all.
I have a Pentium 500MHz machine I bought 8 years ago + an original WIN98 disk that came with it. This machine is not really able to run XP (and the copy of WIN98 I have is perfectly legal. Getting a legal copy of XP would cost me money I do not want to spend).
Anyway: I can install Win98 from the disk. Then I can try to get to Windows Update. The last time I did it (a couple of years ago I think) it first wanted me to upgrade IE because IE4 that came on the disk was not good enough for Windows Update. Then it only let me install IE6 but no IE5 or 5.5 available (IE6 is a bit heavy for that machine) and finally after installing a newer IE it told me that I cannot get updates through Windows Update, but instead I should download all the patches since 1998 manually and install them one by one. I even contacted M$ support on the phone about this (and surprisingly they did have me on record and gave me my customer's ID #) but there was no other way. They did send me an XP trial disk, though, that I never used because it said I would have to reinstall the system after the trial period is over.
So for MicroSoft stopping support for WIN98 didn't mean not providing any more update after a certain date, but rather removing all the past updates and disabling the automatic update feature. I would at least have expected them to collect all updates and make them available as a single file to allow anyone that reinstalls the OS to bring it to the most updated state available, but they didn't. Instead they made sure that anyone that is not an expert would be using the original unpatched version.
So you have many WIN98 machines operating, many because they are not strong enough for a newer OS, and if they ever reinstall they revert to an unpatched version.
(I know I can install Linux. I have a Knoppix 3.7 disk that runs on that machine though it is very slow. Knoppix 3.9 fails on that machine. I tried installing Mandrake 9 a very long time ago and it insisted on not running in graphics mode and complained about my very common ATI card, and I tried Ubuntu that loaded and showed a blank screen. I still hope to run Linux sometime, but I first need something that installs and runs and only then I can start learning how to fix things).
that's how many ATTACKS the darn machine received. Leave a *nix machine, or an Apple, or even a nice router on the internet, look through the incoming/outgoing logs, and it should not be surprising that you'll find a million attempted attacks. They're just all the infected bots on the internet still trying to infect everyone else. I'd be more concerned if the holes were actually open, and it just infected itself if you left it on the 'net. A Windows machine does not attract more infection attempts than other OSes; it simply (at least used to) be more susceptible to being successfully infected. Someone wayyy above made a point I'd like to address: the majority of users do not know what they're doing and do not know the proper safety precautions. Well, ignoring the fact that Norton and McAfee crap software come preinstalled (as dummy trial versions, of course) on most prebuilt PCs (obviously most "regular" consumers do not build computers and at this time probably won't even install XP themselves), you can't expect them to figure out how to use all of the open source stuff, either, can you?