Slashdot Mirror
The BBC's Honeypot PC
Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.
So we've learned that putting an unprotected windows box on the internet is a bad idea - well duh! It probably doesn't help that they didn't bother with any updates, or turning on the firewall.
Of course, we all knew this already, didn't we? The results weren't suprising to me and I doubt that any of the regular /. crowd would be either. Yes, I mean you.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
why is there such a thing as an "unprotected windows box"? Isn't this a serious fault of Microsoft that there's even a way to have an "unprotected" system on the internet? Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.
stuff |
I set up a friend's new computer and installed a firewall, before attaching to to internet for the first time and he was stunned how fast the log of probes filled up. He'd never used a firewall before on his old XP machine.
What bugs me is why there doesn't seem to be any decent coordinated effort to track the bots down and shut them down and to go after the perpetrators. Really, it doesn't seem that hard, it just seems like no government is interested in doing anything about it.
A feeling of having made the same mistake before: Deja Foobar
this has been done before with WinXP SP1, we already know it's insecure. But you know what? Most home users have firewalls now, if only in the form of a hardware router from their ISP, and any new users are running XP SP2. A simple firewall and a few trips to www.windowsupdate.com takes care of most problems. Now, a better article would point out who Windows Media Player will run any old code as root on your box if you've got "Obtain licenses automatically" checked. I can't believe there isn't more of a sh*t storm over that.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall. Scared me for a moment.
I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.
I have windows XP and a $19 dlink router (and a lynksys before that) and I have had *zero* problems in 24 months.
So okay- a naked machine may have an issue but this is really a non-issue if you spend an extra 20 bucks for an inexpensive router with a built in firewall.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Did they pass WGA?
This doesn't really show how vulnerable Windows XP really is, it shows how often it is subject to attack. Since all these are (mostly at least) worms and automated attacks, that's not really different from looking at the logs on my Linux boxes, where, for instance, my apache server is quite often "attacked" by a worm looking for IIS vulnerabilities. /. we all know to never put an unpatched box on-line, but it is interesting when more mainstream media put focus on that, no need to attack Microsoft in order to make this story interesting.
I like to bash MS as much as most people here, but this choice of words really misleading. True, never ever put an unpatched box un the Internet, especially if it's running some version of MS Windows, but this hasn't got that much to do with the security of an updated Windows installation.
Here at
The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.
The BBC runs hundreds of linux servers, I suspect they are aware of it.
Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?
I love linux, but alot of this stuff pretty much pertains to anything on the internet. Do you have a linux box on the public net with SSH open? I gaurantee you are getting more than 1000 attempted logins per day. This article talks about alot of "attempted" attacks, well my linux machines on the net get port scanned at least 10 times a day, any box that has ssh running on the default port is being dictionary attacked pretty much 24/7. Sure the linux boxes aren't being turned into zombies, and I'm not sending out boatloads of spam, but my apache servers get hit with IIS attacks regularly. Putting a box with open ports on the net gaurantees you will be attacked. It doesn't matter if its linux or windows.
The difference is with windows you will probably get hacked, with linux you at least have a fighting chance.
installation procedures for RealOne on the BBC
I Wished all broadcasting corporations were as 'backwards' as the Beeb.
MP3 Search Engine
"This is a pretty bogus test. Obviously they didn't install security updates before going about their business,", not already in use
"we installed an unprotected version of Windows XP Home configured like any domestic PC."
"made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago", not already in use
But these three year old attacks were still coming from other already infected machines on the Internet. Are all these infected machines running three year old software.
was Re:I have plenty of reasons to dislike Microsoft..
davecb5620@gmail.com
whilst I will take your point about updates I have found a problem simlar to this personally and I think that you judge them too harshly. When you have a computer which is band new the first thing you will do is connect to the internet. It would take a couple of hours to download the updates for XP up to this point, especially if your on an old service pack (I must admit I don't know if they now sell them with SP2 or not...), even if you get it with the newest service pack if your on a 128K connection a couple of hours to get a few hundered MB is pretty accurate.
During this time you might just leave it unsecured because that's what your addressing, you might be fully intending to get a good windows version of a firewall up and running, but think that you'll get the windows updates first. This is pretty realistic I think... So just how many viruses etc could you have before you can sort this out?
Also, I would say most people just don't update at all anyway... I know people who don't and then question what's going on. Seems like a fair test to me.
*''I can't believe it's not a hyperlink.''
Despite all the Microsoft apologists who will wring their hands and point out that certain things were not done in order to safety the Microsoft honeypot, the genuine service this article demonstrated is that people who turn on their new computer with its Microsoft operating system connected to the Internet are vulnerable to exploits which are automated and exist in abundance, ready to pounce upon current Microsoft operating systems.
Even if you're a master of Microsoft "anti-ware" solutions and tweaks, what happens when someone who isn't takes a few wrong turns with their OS? It's toast, or worse, enslaved and used as a resource the end-user is paying for.
I stopped using Microsoft operating systems to directly connect to the Internet nearly 10 years ago, when the sophistication of the exploits had developed to the point where it was no longer safe to use any Microsoft OS online. Since then it really hasn't gotten much better, has it?
I think it's a shame that the company with the fattest pockets can't be bothered to get it right yet still demands to be on every PC made.
Every new form of media has it's own Requirimento
So you are simply wrong.
http://skeptobot.blogspot.com/ - A site for the Renaissance man and woman
The BBC ain't a computer biz company. They wanted a story. And what's a better (tech) story in the age of phishing and spam than "OMG TROJANS!"?
Of COURSE you get plastered with portscans and worms hammering against the "well known" ports. That's normal. Welcome to real life on the 'net. You think it's different for my *nix Machine? It's not. My firewall-log is getting flooded with kids and worms trying to find some unprotected ports, trying to connect to 21, 22, 23, 80 and so on, just to see if there's anything running they could use. The real question is, how many successful attacks did happen? Saying XP is insecure because a billion people hammered at its doors is FUD. When a million of those make it in, though, it's a different matter.
And yes, an unpatched WinXP is insecure. It simply is. Get a router and you're set against 99% of the external problems you may face. But then you still should not use the machine to access anything on the net, because some of the tools you're using (IE and Office being the two key players today) has known (and party unpatched) security issues that may cause execution of code when you're not really careful and know what you're doing.
In a nutshell, going online with a MS product that's not well firewalled and using anything but alternative software for the access of online resources is grossly negligent IMO.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
All of the "well duh" folks miss the point. There are a lot of people out there with reinstall CDs for older machines. When their machine gets hit with malware, many of them "reload" windows and some of these head for Microsoft update.
The point is that they are too late - they're perfectly likely to get hit before update can protect them, and perfectly likely to get hit with something as bad as what they had before.
This really is a problem.
Using plain ol' text since 1968
It's not showing how weak an unpatched XP machine is, they're instead logging the attacks that are still happening on the Internet daily, and then showing the frequency of them. For instance, they logged 11 attempts in 7 hours from the Blaster worm. If, as some people are suggesting, they were just placing an unpatched machine on the Internet, the machine would have restarted from the very first Blaster attack.
It helps a lot: but the firewall itself may be vulnerable. Check it for available updates.
A lot of Windows machines get zombied pretty fast these days, by fascinating web security vulnerability hacks when the owners go web browsing even for legitimate materials and the hacks are installed on "owned" servers. These zombies then open up a port to designated controller machines on the outside for control by remote entities such as spammers using the machines to send the spam from unblocked netwrks. It's a serious issue that won't be shown by this kind of passive honeypot.
"Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?"
.. Doh
The point is thet the Internet is infested with compromised Windows boxen. Ok, where are all the compromized Linux web servers. Assuming they are running Apache under Linux. According to Netcraft Apache usage is at roughly 980,00,000 while IIS is at 490,00,000. Why don't we see an equivalent number of compromised Linux servers.
Yet another mod troll
was Re:Duh (Score:5, Interesting)
davecb5620@gmail.com
Dude, it's 2003, they want their security holes back.
I'm not going to mince words: This story is BS. Lets take the money quote here:
Really? Once an hour, something that'll remotely own XPSP2, just being leaked out over the Internet?
OK, Windows Messenger service is disabled in XPSP2...Blaster hasn't worked in years, Slammer never even hit XP Home by default (you had to install Visio), IIS isn't even available for XP Home, and port scans aren't too relevant when you have a firewall on by default.
What a completely worthless story. You know, we have enough actual security problems going on (the glacier of cross site scripting exploits, what's going on in the online banking realm) that whinging about long solved problems is not only irresponsible; it's dangerous.
He said an coordinated effort. Of course no one person can get anywhere, but if we just decide not to accept this, we start blocking IP ranges, force the ISPs to deal with their spammers and botnets--it wouldn't take long at all to shut down the entire problem (and 60% of the web). Then you just bring up clean PCs one at a time--forward their DNS to a page that can lead you through the process of cleaning out your PC and contains a list of services that will help.
Subsidize the creation of some decent anti-virus and service companies that can clean your computer remotely (Just don't build one nuke, that should take care of funding it for a few years)
Of course we can't take these steps proactively, humans are too short-sighted, but we WILL do something like this reactively, It's going to happen--just a matter of time.
Strictly, they said one (1) attack was for IIS.
This wasn't to see whether it was successful or not but to identify the types of attacks and where they are coming from. They state in TFA that next week they let it go full bore to show what happens. Call it a teaser or next weeks
Aunt Bessy goes to OfficeMax and picks out that fancy new HP gadget that everyone is talking about. Of course, she gets the one on clearance sale to save money since it looks just like the one on the shelf. She takes it home, follows the pretty picture diagram that was in the box showing her how to plug things in and hooks it right up to her new cable modem. Since this machine was older, it isn't updated to SP2 yet and to make it worse, her "restore disks" that she has to make are that very same pre-SP2 version. Aunt Bessy doesn't know a thing about firewalls, routers, antivirus, etc. that we all know about. So now here she is hooked up in the raw to the Internet getting attacked every 15 minutes running HP's XP Home which defaults to no password, admin user, yadda, yadda, yadda. Ten seconds into her first experience she gets infected and things go downhill from there. Even if she was to try to run Windows Update, she is still going to get infected before she accomplishes the update.
This problem rests squarely in the lap of Microsoft. They sacrificed security for the all important "ease of use" marketing. Adding in WGA for updates only makes the problem that much worse since it makes people (especially the false positives) not want to update. In short, Microsoft is a menace to networking as if we didn't already know that.
B.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
kisrael, I am with 'Geekmeister on this, too - check for updates. The best way to do this is to google " exploit" - so, for your case, you would google "Linksys exploit", and see what returns. I have personally bought three different used NAT routers from Goodwill (each cost under $10.00 used!), and before hooking them up, I checked for exploits (I currently use a homebrew P90 Freesco box) - all of them had an available exploit, and only one of them had an update to correct the exploit. On two of them, the exploit was of the nature of "easily accessible admin password" or similar (one stored the admin password in a text file that was unprotected on the hardware). I originally bought them with the thought of replacing my Freesco NAT router, but so far I haven't felt comfortable doing so. What I am thinking about doing is hanging them off my network and trying to access them myself using the exploit. If I can get in easily, then anyone can, is how I figure it.
Reason is the Path to God - Anon
It doesn't.
A stock ubuntu install will broadcast DHCP and listen for the reply, and it will send DNS requests and listen for the result.
There's a bit of a dispute at the moment about having mDNS open (aka zeroconf) because in theory it should be even safer than listening to DHCP. But the 'no open ports' people won't allow it. mDNS can't tell you who to trust as a gateway or DNS server, where DHCP will.
455fe10422ca29c4933f95052b792ab2