Slashdot Mirror


The BBC's Honeypot PC

Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.

22 of 344 comments

  1. And the moral of the story is. by AltGrendel · · Score: 2, Informative

    Home firewall/router software is better than nothing, and a small firewall/router hardware combo is probably better than that. Personally I prefer the Linksys hardware.

    Of course, we all knew this already, didn't we? The results weren't surprising to me and I doubt that any of the regular /. crowd would be either. Yes, I mean you.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

  2. Yawn... by rsilvergun · · Score: 3, Informative

    this has been done before with WinXP SP1, we already know it's insecure. But you know what? Most home users have firewalls now, if only in the form of a hardware router from their ISP, and any new users are running XP SP2. A simple firewall and a few trips to www.windowsupdate.com take care of most problems. Now, a better article would point out how Windows Media Player will run any old code as root on your box if you've got "Obtain licenses automatically" checked. I can't believe there isn't more of a sh*t storm over that.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  3. Their 'unprotected'=flawed by i_should_be_working · · Score: 3, Informative

    So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall. Scared me for a moment.

    I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.

  4. Old news.. by Anonymous Coward · · Score: 1, Informative

    This study was done years ago, when XP just came out. IIRC, it was done live on TechTV's "The Screen Savers" multiple times.

    BBC would have made it more interesting if they tested this in various scenarios -- no updates/firewall, SP2 with no firewall, SP2 with hardware firewall, etc. That way we could see what step(s) really let malware in.

  5. Re:Slammer? Blaster? by Spad · · Score: 2, Informative

    The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.

  6. Re:We have a Love connection. by Anonymous Coward · · Score: 2, Informative

    The BBC runs hundreds of linux servers, I suspect they are aware of it.

  7. Re:Well Duh! by SlartibartfastJunior · · Score: 5, Informative

    it's easy to say "well duh!", but when you have a brand-new out-of-the-box computer, it doesn't exactly come with instructions. My grandmother has no way of knowing she's supposed to be running a firewall, or going to get a Microsoft Security update before doing anything else. WE know these things, because we hang out on Slashdot, but they're not obvious to the rest of the world, and I applaud the BBC for bothering to put this in people's minds. Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful.

  8. I call BS by jacquesm · · Score: 2, Informative

    installation procedures for RealOne on the BBC

    I wished all broadcasting corporations were as 'backwards' as the Beeb.

  9. Re:We have a Love connection. by Lave · · Score: 3, Informative

    From my experience the Beeb runs a large amount of linux articles. And is quite vocal about free open source alternatives (a benefit of not being funded from corporate sponsors). For evidence try typing "linux" into their search engine. It gives you 49 pages of hits for the whole of bbc.co.uk, 9 pages of which come from just the "news" section.

    So you are simply wrong.

    --
    http://skeptobot.blogspot.com/ - A site for the Renaissance man and woman

  10. C'mon, I hate MS but this is FUD by Opportunist · · Score: 2, Informative

    The BBC ain't a computer biz company. They wanted a story. And what's a better (tech) story in the age of phishing and spam than "OMG TROJANS!"?

    Of COURSE you get plastered with portscans and worms hammering against the "well known" ports. That's normal. Welcome to real life on the 'net. You think it's different for my *nix Machine? It's not. My firewall-log is getting flooded with kids and worms trying to find some unprotected ports, trying to connect to 21, 22, 23, 80 and so on, just to see if there's anything running they could use. The real question is, how many successful attacks did happen? Saying XP is insecure because a billion people hammered at its doors is FUD. When a million of those make it in, though, it's a different matter.

    And yes, an unpatched WinXP is insecure. It simply is. Get a router and you're set against 99% of the external problems you may face. But then you still should not use the machine to access anything on the net, because some of the tools you're using (IE and Office being the two key players today) have known (and partly unpatched) security issues that may cause execution of code when you're not really careful and know what you're doing.

    In a nutshell, going online with a MS product that's not well firewalled and using anything but alternative software for the access of online resources is grossly negligent IMO.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  11. Re:Well Duh! by Anonymous Coward · · Score: 1, Informative

    "Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful."

    Granted; but Windows XP does include a basic firewall and, post SP2, it is turned on by default.

  12. Re:Indeed, AC by networkBoy · · Score: 2, Informative

    Bingo,
    Even something as basic as NAT through a cheapie router will buy them all the time they need to connect to windows update.
    It won't protect them from malicious connections once infected but because most all routers ignore incoming connection attempts the user is at least protected till patched (assuming the first thing they do is Windows Update, not pr0n surf).
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump

  13. Re:Well Duh! by Anonymous Coward · · Score: 2, Informative

    Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default

    Hasn't this been the case since SP2?

    Maybe my copy of windows has been "enhanced" in this regard, but when I reinstall the firewall is installed and on.

  14. Re:Well Duh! by smilerz · · Score: 2, Informative

    Actually, new Windows systems come with the firewall on by default. None of the attacks that the BBC witnessed would have had an effect.

    --
    My Blog

  15. Re:How vulnerable Windows XP really is? by jonadab · · Score: 2, Informative

    Yes, I think the reporter who wrote up the article didn't fully understand the research that was being done. The point of the research is to look at what kinds of attacks are out there and, especially, which ones are common, as it helps security people to know better how to protect against them. The most important take-home message from this article, as near as I can tell, is don't connect a Windows XP system to the network without SP2. I knew that already (actually, I have a strong preference for an external firewall), but that doesn't make it less valid. If I were Microsoft my response would be to say, "See, this is why you need to turn on your Windows Firewall, like we recommend, and stay up-to-date with patches, like we recommend. This is why we put the Security Center in SP2."

    The biggest problem here is that home users with OEM versions of XP that predate SP2 can run into trouble when they have to reinstall (not as frequent with XP as it was with Win9x but it does still happen from time to time). The most obvious solution is an external firewall.

    --
    Cut that out, or I will ship you to Norilsk in a box.

  16. Re:And? by RonnyJ · · Score: 2, Informative

    A lot of people seem to be mistaking what this article shows.

    It's not showing how weak an unpatched XP machine is, they're instead logging the attacks that are still happening on the Internet daily, and then showing the frequency of them. For instance, they logged 11 attempts in 7 hours from the Blaster worm. If, as some people are suggesting, they were just placing an unpatched machine on the Internet, the machine would have restarted from the very first Blaster attack.
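The summary's figures (counts per worm over seven hours, never more than 15 minutes between attacks) and the point made in this comment are both about the same thing: measuring the frequency of background attack traffic rather than the weakness of one box. The following is an added example, not the BBC's code or data, showing how a defender would turn a honeypot alert log into exactly those numbers. The log format and the sample lines are constructed for the example; the category names are only labels.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alert log (not the BBC's data): one line per event,
# "<ISO-8601 timestamp> <category> <protocol/port(s) targeted>".
SAMPLE_LOG = """\
2006-10-08T09:00:12 messenger-popup udp/1026
2006-10-08T09:03:40 portscan tcp/135,139,445
2006-10-08T09:10:05 blaster tcp/135
2006-10-08T09:22:51 slammer udp/1434
2006-10-08T09:31:07 messenger-popup udp/1026
2006-10-08T09:44:30 blaster tcp/135
2006-10-08T09:58:02 iis-probe tcp/80
"""


def parse_event(line):
    """Split one log line into (timestamp, category, target)."""
    ts, category, target = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), category, target


def summarize(log_text):
    """Count events per category and measure how quiet the wire ever got."""
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    if not events:
        return {"total": 0, "counts": {}, "max_gap_seconds": 0, "per_hour": 0.0}
    counts = Counter(category for _, category, _ in events)
    # Inter-arrival gaps between consecutive events; the largest one is the
    # longest stretch the honeypot went untouched.
    gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    max_gap = max(gaps, default=timedelta(0))
    span = events[-1][0] - events[0][0]
    per_hour = len(events) / (span.total_seconds() / 3600) if span else float(len(events))
    return {
        "total": len(events),
        "counts": dict(counts),
        "max_gap_seconds": int(max_gap.total_seconds()),
        "per_hour": round(per_hour, 2),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} events, {report['per_hour']} per hour")
    print(f"longest quiet stretch: {report['max_gap_seconds'] // 60} min")
    for category, n in sorted(report["counts"].items(), key=lambda kv: -kv[1]):
        print(f"  {category:16s} {n}")
```

The "longest quiet stretch" is the figure that matters for an unpatched host: it is the most time you would ever have had to reach Windows Update before the first worm arrived, which is why the comments here keep coming back to a NAT router or the host firewall as the thing that buys that time.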

  17. Re:do Linksys Routers/Firewalls help? by Antique+Geekmeister · · Score: 2, Informative

    It helps a lot: but the firewall itself may be vulnerable. Check it for available updates.

    A lot of Windows machines get zombied pretty fast these days, by fascinating web security vulnerability hacks when the owners go web browsing even for legitimate materials and the hacks are installed on "owned" servers. These zombies then open up a port to designated controller machines on the outside for control by remote entities such as spammers using the machines to send the spam from unblocked networks. It's a serious issue that won't be shown by this kind of passive honeypot.

  18. Nice Fearmongering by Effugas · · Score: 2, Informative

    I saw a great ad for an Antivirus product recently. "Finally, protect your users from the Melissa virus!"

    Dude, it's 2003, they want their security holes back.

    I'm not going to mince words: This story is BS. Let's take the money quote here:

    However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.

    Really? Once an hour, something that'll remotely own XPSP2, just being leaked out over the Internet?

    "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software."

    OK, Windows Messenger service is disabled in XPSP2...Blaster hasn't worked in years, Slammer never even hit XP Home by default (you had to install Visio), IIS isn't even available for XP Home, and port scans aren't too relevant when you have a firewall on by default.

    What a completely worthless story. You know, we have enough actual security problems going on (the glacier of cross site scripting exploits, what's going on in the online banking realm) that whinging about long solved problems is not only irresponsible; it's dangerous.

  19. Re:Well Duh! by d_jedi · · Score: 2, Informative

    Any brand new computer sold nowadays (not counting whiteboxes) comes preloaded with at least service pack 2 installed. You are prompted very shortly after taking the machine out of the box (along with other normal setup stuff, like naming your computer, and adding users..) to turn on automatic updates (which is the "recommended" setting).

    --
    I am the maverick of Slashdot

  20. Re:Duh by Twinkle · · Score: 2, Informative

    6.06, by default, isn't listening on any ports so you're not vulnerable until you install or enable something that does.

  21. Re:do Linksys Routers/Firewalls help? by cr0sh · · Score: 2, Informative

    kisrael, I am with 'Geekmeister on this, too - check for updates. The best way to do this is to google " exploit" - so, for your case, you would google "Linksys exploit", and see what returns. I have personally bought three different used NAT routers from Goodwill (each cost under $10.00 used!), and before hooking them up, I checked for exploits (I currently use a homebrew P90 Freesco box) - all of them had an available exploit, and only one of them had an update to correct the exploit. On two of them, the exploit was of the nature of "easily accessible admin password" or similar (one stored the admin password in a text file that was unprotected on the hardware). I originally bought them with the thought of replacing my Freesco NAT router, but so far I haven't felt comfortable doing so. What I am thinking about doing is hanging them off my network and trying to access them myself using the exploit. If I can get in easily, then anyone can, is how I figure it.

    --
    Reason is the Path to God - Anon

  22. Re:Doesn't Ubuntu have ssh? by zcat_NZ · · Score: 2, Informative

    It doesn't.

    A stock ubuntu install will broadcast DHCP and listen for the reply, and it will send DNS requests and listen for the result.

    There's a bit of a dispute at the moment about having mDNS open (aka zeroconf) because in theory it should be even safer than listening to DHCP. But the 'no open ports' people won't allow it. mDNS can't tell you who to trust as a gateway or DNS server, where DHCP will.

    --
    455fe10422ca29c4933f95052b792ab2
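The last two replies turn on whether a stock install is listening on any port at all, which is something a defender verifies on the host rather than trusting a default. The following is an added example, not any commenter's or Ubuntu's code: it parses the kernel's socket tables in the layout of /proc/net/tcp and /proc/net/tcp6 (hex addresses, IPv4 and each 32-bit IPv6 word in little-endian order, state code 0A for LISTEN) and reports which listeners are bound to something other than loopback. The two sample tables are constructed for the example; audit_local_host() reads the real files on a Linux box.

```python
import ipaddress
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/tcp (header row plus
# one row per socket); addresses are hex, IPv4 in little-endian byte order.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:C3E4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample in the layout of /proc/net/tcp6 (same columns, 128-bit
# addresses written as four little-endian 32-bit words).
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0035 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in the st column


def decode_endpoint(hex_endpoint):
    """Turn 'HEXADDR:HEXPORT' from /proc/net/tcp{,6} into (ip_str, port)."""
    addr_hex, port_hex = hex_endpoint.split(":")
    if len(addr_hex) == 8:
        packed = struct.pack("<I", int(addr_hex, 16))
        ip = socket.inet_ntop(socket.AF_INET, packed)
    else:
        words = [int(addr_hex[i:i + 8], 16) for i in range(0, 32, 8)]
        packed = struct.pack("<IIII", *words)
        ip = socket.inet_ntop(socket.AF_INET6, packed)
    return ip, int(port_hex, 16)


def listening_sockets(proc_text):
    """Return LISTEN sockets as dicts, flagging those reachable off-host."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        found.append({
            "ip": ip,
            "port": port,
            # Loopback-bound listeners are only reachable from the box itself;
            # anything else (including the 0.0.0.0 / :: wildcard) is exposed.
            "exposed": not ipaddress.ip_address(ip).is_loopback,
        })
    return found


def exposed_ports(*proc_texts):
    """Sorted, de-duplicated list of ports listening on a non-loopback address."""
    ports = set()
    for text in proc_texts:
        ports.update(s["port"] for s in listening_sockets(text) if s["exposed"])
    return sorted(ports)


def audit_local_host():
    """Run the audit against the live kernel tables (Linux only)."""
    texts = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:
            pass  # file absent (no IPv6, or not Linux): just skip it
    return exposed_ports(*texts)


if __name__ == "__main__":
    print("exposed TCP ports in sample:",
          exposed_ports(SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_TCP6))
    print("exposed TCP ports on this host:", audit_local_host())
```

On the constructed sample the 127.0.0.1 listeners (631, 8080) and the ::1 one (53) are reported as local-only, while 0.0.0.0:22 and [::]:80 are the exposed ones; an empty result from audit_local_host() is what the "no open ports" claim looks like in practice. UDP listeners live in /proc/net/udp with the same address encoding but no LISTEN state, so a full audit would also list every bound UDP socket there.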