The NYT on the Proliferation of Botnets
ThinkComp writes "The New York Times has up a story on the proliferation of botnets. The article cites a number of security researchers who paint a depressing picture of the state of internet security, and concludes with the suggestion that for home users, buying a new 'updated' PC may be the only real solution. Unfortunately, as most of us know, given the number of outstanding flaws in software and the ingenuity of malicious software authors, that might not even help."
Sure the Mac will get 'targeted' as popularity increases, but UNIX will _always_ have a leg up on security over Windows, so even if it is not perfect, it will be a better solution for most people. Experts might be better off with a Linux distro like Debian. But the worst thing to do is to buy yet another Windows box. Might as well paint targets on your email, personal data, and financial accounts.
It's nice to see somebody using all those cycles the noobs waste.
Good for them.
...on the front of my computer. When I push it, it saves a list of all the current programs on a protected partition and then allows me to install one program. No pushing, no installing. Programs would have to say "If you'd like to continue installation, press the big red button."
If something sneaks in that I don't want, then I press the big green button on the front of my computer, and select which program listing I want restored.
An older Windows release, reasonably patched,
running under Linux (win4lin) and behind a paranoid
firewall is safer than XP or Vista.
Alas, not as safe as an unpatched RH9, mind you,
but still safer than Vista (;-))
--dave
davecb@spamcop.net
Capital punishment on national television for owners of botnets, but it has to be bareass.
O.K., O.K., maybe just corporal punishment.
*Repent! Quit Your Job! Slack Off! The World Ends Tomorrow and You May Die!
There was so much crap and adware on someone's new Dell (I heard about), it took an hour to get it all off so I could install my pirated version of Microsoft Office. (err... at least, that's what my friend told me.)
For sale: Signature. One owner. Low miles. Always garaged. New punctuation, just installed!
Been done already. And it didn't work out so well IIRC.
That's right. No GNAA for you.
Do not fold, spindle or mutilate.
When a corporation creates a product that is unsafe not just to its user, but to many thousands of others, and provides instructions for that product which, even if faithfully and fully followed by its user, are insufficient to prevent it from causing damage and suffering to thousands of others, that corporation should be liable for the damage and suffering.
If you sell me a chain saw, and I ignore the instructions and cut off my hand, it's my own damn fault. If I ignore morality and criminality and cut off my spouse's head, it's still my own damn fault. But if the chainsaw goes off on its own power, while I'm sleeping, and slices and dices the whole damn town, it's your fault for selling me such a product, especially if you manufactured it with the knowledge that it could, in certain not-uncommon circumstances, do exactly that.
"with their freedom lost all virtue lose" - Milton
unless you know how to secure it and maintain it.
The people offering this "advice" have got to be idiots. True, it might cost more to pay someone else to de-own your PC and train you on how to avoid problems in the future than the cost of replacing the hardware. That doesn't mean that educating yourself isn't the right answer though. What does buying a new machine do to make you more secure? Buy a $400 brand spankin' new bottom of the line Dell, throw it up on the net, and get owned in under 20 minutes. Does anyone make the $1200/hr it would take to keep a steady supply of new bottom of the line bot-to-be PCs flowing into the households of idiot users who can't be bothered with learning fundamental literacy?
Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that. Casual users on the internet are presently walking through the worst parts of town with $100 bills sticking out of their pockets, and until they can figure out that this isn't smart and why and what to do better, they're going to continue to get themselves in trouble and drag down the community by feeding the predators that eat away at it.
You see? You see? Your stupid minds! Stupid! Stupid!
LOL
So all we need is a widget on the desktop that allows you to turn on and off the internet connection, and logs all information that goes in and out, along with denying any redirection of data to other than the specific target request (if you send a request to www.google.com, only www.google.com may respond).
Any traffic that isn't specifically requested by the user is blocked. You manually open and close ports as you need them.
Oh, right, that would break most authenticity checks to combat "piracy", and totally botch most advertising on the net, and set us back to the early 90s. BTW - sign me up.
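The widget described in the comment above is, in effect, a stateful default-deny filter: outbound connections create state, and the only inbound traffic admitted is the reply from the exact host and port that was contacted. The following is an added example, not code from the thread or from any product it mentions, that models that rule as a small connection tracker. All hosts, ports and timestamps are constructed sample data, and the idle timeout is an assumed value.

```python
"""
Added example, not code from the Slashdot thread or any product it mentions.
It models the comment's proposal as a tiny stateful packet filter: outbound
connections from this host create state, an inbound packet is admitted only
when it is the reverse of a tracked flow (same local port, same remote host
and port), and everything else inbound is dropped. Hosts, ports and
timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = sent by this host, "in" = arriving at this host


class EgressOnlyFilter:
    """Default-deny inbound filter keyed on flows this host opened."""

    def __init__(self, idle_timeout: float = 120.0):
        self.idle_timeout = idle_timeout  # assumed value, tune per deployment
        # (local_port, remote_ip, remote_port) -> time the flow was last seen
        self.flows: Dict[Tuple[int, str, int], float] = {}
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        # Drop state for flows idle longer than the timeout, so a stale entry
        # cannot be reused later as a permanent hole in the filter.
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def handle(self, pkt: Packet, now: float) -> str:
        """Return "allow" or "drop" for one packet and record why."""
        self._expire(now)
        if pkt.direction == "out":
            key = (pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[key] = now
            self.log.append(f"t={now:.0f} OUT to {pkt.dst_ip}:{pkt.dst_port} tracked")
            return "allow"
        # Inbound: only the exact remote endpoint we contacted may answer.
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            self.flows[key] = now
            self.log.append(f"t={now:.0f} IN from {pkt.src_ip}:{pkt.src_port} reply to tracked flow")
            return "allow"
        self.log.append(f"t={now:.0f} IN from {pkt.src_ip}:{pkt.src_port} to port {pkt.dst_port} unsolicited, dropped")
        return "drop"


def run_demo() -> List[str]:
    """Replay a constructed packet sequence and return the verdicts in order."""
    me, web, other, scanner = "192.0.2.10", "203.0.113.5", "198.51.100.7", "198.51.100.9"
    f = EgressOnlyFilter(idle_timeout=120.0)
    sequence = [
        (Packet(me, 40001, web, 80, "out"), 0.0),     # we open a connection to web
        (Packet(web, 80, me, 40001, "in"), 1.0),      # web answers: allowed
        (Packet(other, 80, me, 40001, "in"), 2.0),    # another host answers on the same local port: dropped
        (Packet(scanner, 4444, me, 445, "in"), 3.0),  # unsolicited probe of port 445: dropped
        (Packet(web, 80, me, 40001, "in"), 200.0),    # late reply after the flow idled out: dropped
    ]
    return [f.handle(pkt, t) for pkt, t in sequence]


if __name__ == "__main__":
    print(run_demo())
```

This is the same bookkeeping a stateful firewall's connection tracker does for TCP; UDP and ICMP need the same kind of pseudo-state keyed on the outbound request, and the idle timeout is what keeps an old entry from turning into a standing exception.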
Is it just my observation, or are there way too many stupid people in the world?
Getting a new PC doesn't make any sense at all. It just gives the bot more resources to munch on.
The core of the problem is responsibility, or a lack thereof.
Vendors aren't responsible for the results of the flaws in their programs. Worse, they aren't responsible for deliberate design decisions that make it impossible to secure systems. I make an analogy to automobiles. Automakers aren't generally liable for defects in cars, unless the source of the defect goes beyond a simple mistake or defective part, but they are responsible for repairing those defects and can be sued if they refuse to do so. And they're liable for design decisions they make. Witness the Ford Pinto. The current state of software liability is akin to Ford claiming that, because they had a valid business reason for building the gas tank on the Pinto the way they did (it was cheaper, thus let them price the car cheaper), they cannot be held liable for the fires that happened as a direct result of their decision. The courts slapped Ford around for making that claim; why are software vendors not treated the same? I can live without strict liability for software flaws, but lack of liability for design decisions that directly lead to security problems is probably the biggest reason we still have problems.
And users aren't held responsible for their use of a computer. They treat it as some sort of plug-and-play device like a television or a radio: plug it in, turn it on and stop thinking about it. A computer isn't an appliance; you can't just ignore it after initial set-up. Again, cars make a good analogy. You can't just ignore a car's maintenance after you buy it; you need to put new tires, new brakes and such on it regularly. And car owners get held liable if they don't. If you wore your brakes out so they don't work anymore and didn't get them serviced, when you rear-end someone because you don't have any brakes you will be held responsible by the courts and the insurance. If you're running on bald tires because you don't think you should have to check and change anything, you're going to get ticketed by the cops at some point for unsafe mechanical condition and the car's registration will get suspended until you fix the problem. Sure it's a hassle and expense to keep maintaining all those things about a car that need maintaining, but we don't accept that as an excuse for someone not maintaining them and causing damage or injury to others as a result. So why do we let computer users off the hook when they say "But I don't know anything about computers!"?
Software vendors and computer users need to grow up. They've both been acting like spoiled 5-year-olds who were running in the house after being told not to, knocked over the china cabinet and broke everything in it, and now that Mom and Dad are standing there they're whining that they shouldn't have to own up to it and take their punishment. No dice.
...an 'updated' PC with an Ubuntu live CD.
and sell your old one cheap.
Just the other day I bought an older Dell that "wouldn't boot" for $15, sans hard drive. An hour of hacking around inside, and I was able to get it going. It's a little old, but it'll make a nice LiveCD tester.
Consumers are getting raped by MS and Dell, but they're not going to learn, so might as well take advantage.
Maybe not
The summary is a little misleading. The NYT doesn't recommend that getting a new PC is the solution. They simply quote a woman running an old machine with Win98, which wasn't capable of running the security software provided by her ISP without slowing to an unusable crawl. I think most of us have seen our share of computers in that state to sympathize.
Did anyone really expect a middle-aged, non-techie to think "Gosh, I should finally install Linux with a lightweight window manager!"
A post a day keeps productivity at bay.
Purchasing a new, "updated" PC is going to give you about as much protection as purchasing a new "updated" vehicle. Sure, you're going to find plenty more safety features to make your drive easier, but bottom line is the vehicle isn't going to be immune to crashes; it's still your duty to drive responsibly. The same goes for your PC - it's your responsibility to secure your PC against the latest threats. As far as the propagation of malware goes, I predict it's only going to get worse. Let's face it - as long as people remain uneducated to the dangers of malware, and haven't really been affected by it firsthand, they aren't going to make an effort to protect themselves. They'll keep paying Norton $20+ a year for non-existent protection, as long as it makes them feel safe.
There are a limited number of ways for a machine to be cracked.
#1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.
#2. Viruses - an infected program infects other programs, but does not otherwise change those programs. This is not very common now.
#3. Trojans - this is the biggest current threat. And there is no real way to remove it 100%, but it CAN be limited (again, look at Ubuntu). This is primarily a social engineering attack. You have to convince the user to run an app or open a message that will exploit a flaw in their email app (and so forth).
So, why aren't we seeing a focus on the biggest security issue?
Why hasn't Microsoft released a bootable CD so you can run the anti-virus/spyware/adware stuff easier? Clean up the junk AND patch the vulnerabilities in Outlook. Even if it means turning off some of the functionality.
If you cannot do it securely, then you should not do it.
Or Linux
Case Closed
[My english is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
That's just what Skynet wants you to do!!!
Nope. There are still lots of ports open, it's just that Microsoft put a firewall on the system, too.
The problem still exists. But now there is a wrapper obscuring it that you have to get through. That isn't solving the problem. That's just attempting to hide it.
And exploits have been found for Microsoft's firewall. Which demonstrates the problem with not solving it at the lowest level.
I can put an Ubuntu machine with a default install onto the Internet without any firewall and still be safe from worms.
I cannot do that with WinXP (or Win2K or Win9x or WinNT). If you aren't solving the problem at the lowest level, you're not really solving it. You're just hiding it.
I'm still wary of the young people that pester you to let them do the "free" setup when you buy a new computer at places like Best Buy.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
I have already handed an Ubuntu disk to one "lost cause"... perhaps the wave of the future? Then, over beers, you help install Thunderbird and get most of their stuff up and running. What a shiny new machine they have!
meh
The problem is exacerbated by the reluctance of MS and PC vendors to give out Windows CDs that can be used to wipe and reinstall systems. They should build pockets into the sides of cases for the CDs so people don't lose them, and slipstream all the drivers in, and put instructions to boot the restore disk on the CD label itself.
Heck, a 700MB USB flash drive isn't expensive now. They should build read only flash drives with windows into the box, and put an option to run a reinstall in the bios. Solder it in so no one will steal it.
It's the least they could do, considering. I mean, Windows comes preinstalled on almost every PC sold, and there are a zillion pirate copies of Windows floating around on the net, so hardly anyone needs to steal it, and anyone who wants to steal it can. But legitimate users are screwed when they have problems because they don't get CDs, because giving them CDs would encourage piracy. And, I suspect, because it's good for business if people trapped in a monopoly have to buy extra computers to solve this problem.
Parent got moderated 'flamebait'??
His post seriously addresses TFA, and the only possibly flame-like statement has a smiley after it. Somebody please scroll back and mod him up.
I wish more people would point this out! A firewall by itself is not security. It's just an extra layer of protection. Protecting insecure apps by putting them behind a firewall is a recipe for disaster. Ideally, you should be able to turn your firewall off and still not be any more vulnerable. The primary function of a firewall is to reduce visibility, not add security.
It is too bad that only millionaires can afford Apple. If you could buy a decent Mac for the same cost as a Dell, the 50% of users who don't care about gaming would probably do so, instantly solving half the botnet problem. When PC gaming finishes dying out in the next few years, even more people could switch. Too bad that with their insane prices Apple will never break 15% market share.
I don't know why the botnet hunters don't tell the reporters that they could lessen the impact if everyone would just turn their computers off when they are not using them. Disrupt the botnets as much as possible. It wouldn't affect any but memory resident bots, but a PC that is infected and off won't be sending out spam. Once word got out "do you turn your PC off" then you could educate the masses to patch and practice safer computing.
I work with a Cisco VPN concentrator at a Medical/Dental/Nursing school, and every day a co-worker comes in early and forces off the users that have been connected all night and more. Usually it is 30-40 people but over weekends and holidays the number climbs to 70-80. Why stay connected, why leave your computer on all the time?
I'll leave the M$ bashing to others, the "open any email you get" bashing to others. I run an OpenBSD firewall on an old Dell at home, and I tell my kids to turn off the computer when they are done. I'm doing my part.
NYT Generator is down so time to use copy and paste from the print page:
January 7, 2007
Attack of the Zombie Computers Is Growing Threat
By JOHN MARKOFF
In their persistent quest to breach the Internet's defenses, the bad guys are honing their weapons and increasing their firepower.
With growing sophistication, they are taking advantage of programs that secretly install themselves on thousands or even millions of personal computers, band these computers together into an unwitting army of zombies, and use the collective power of the dragooned network to commit Internet crimes.
These systems, called botnets, are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft.
Security researchers have been concerned about botnets for some time because they automate and amplify the effects of viruses and other malicious programs.
What is new is the vastly escalating scale of the problem -- and the precision with which some of the programs can scan computers for specific information, like corporate and personal data, to drain money from online bank accounts and stock brokerages.
"It's the perfect crime, both low-risk and high-profit," said Gadi Evron, a computer security researcher for an Israeli-based firm, Beyond Security, who coordinates an international volunteer effort to fight botnets. "The war to make the Internet safe was lost long ago, and we need to figure out what to do now."
Last spring, a program was discovered at a foreign coast guard agency that systematically searched for documents that had shipping schedules, then forwarded them to an e-mail address in China, according to David Rand, chief technology officer of Trend Micro, a Tokyo-based computer security firm. He declined to identify the agency because it is a customer.
Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet.
Plagues of viruses and other malicious programs have periodically swept through the Internet since 1988, when there were only 60,000 computers online. Each time, computer security managers and users have cleaned up the damage and patched holes in systems.
In recent years, however, such attacks have increasingly become endemic, forcing increasingly stringent security responses. And the emergence of botnets has alarmed not just computer security experts, but also specialists who created the early Internet infrastructure.
"It represents a threat but it's one that is hard to explain," said David J. Farber, a Carnegie Mellon computer scientist who was an Internet pioneer. "It's an insidious threat, and what worries me is that the scope of the problem is still not clear to most people." Referring to Windows computers, he added, "The popular machines are so easy to penetrate, and that's scary."
So far botnets have predominantly infected Windows-based computers, although there have been scattered reports of botnet-related attacks on computers running the Linux and Macintosh operating systems. The programs are often created by small groups of code writers in Eastern Europe and elsewhere and distributed in a variety of ways, including e-mail attachments and downloads by users who do not know they are getting something malicious. They can even be present in pirated software sold on online auction sites. Once installed on Internet-connected PCs, they can be controlled using a widely available communications system called Internet Relay Chat, or I.R.C.
ShadowServer, a voluntary organization of computer security experts that monitors botnet activity, is now tracking more than 400,000 infected machines and a
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run. You don't need to be a security guru, but you can't get by thinking you can just use a computer and never have to learn anything more about it than that.
Ummm, most Mac OS X users don't have to know anything about TCP/IP or NAT, etc. Of course, they have an OS that has security built in at a very low level, not tacked on as an afterthought. Windows, at least through XP, is still based on the notion that it wants to make it easy to connect to everything and everyone. As such, it's pretty open and malware takes advantage of that. OS X and the various *nix distros start at the other end of the spectrum where things are locked down unless you open them up (although OS X has more opened up than, say, Ubuntu and various other linii).
As others have posted, if Windows shipped with all ports closed except those that were really needed, then the user wouldn't need to worry about all these things. They wouldn't be opening a port until they needed it for some specific application, and then that application could explain the dangers, if any, of having the port open. It's basically a compromise between ease of use and security. Microsoft chose to maintain its ease-of-use model from the pre-internet days, when everything was local, and has tried to add security on top. It just doesn't work that well.
So, the real choice is, it seems, that if you want a Windows PC, then you need to learn about TCP/IP, NAT, firewalls, etc. On the other hand, if you just want to use your computer, either buy a Mac or put a secure Linux, like Ubuntu, on your PC. (I just use Ubuntu as an example; there are others, too.)
There is no way that screen would be that out of focus unless it was like 5" big and 2 feet from the camera. The bald bloke is a good couple of feet behind the other guy and he is in focus.
And I think the whiteboard background is slotted in as well. It would be difficult to get their right sides in a different colour without some leakage onto the background. And if they have such a large difference in contrast (bright one side, shadow the other), how come the background is one uniform colour?
Definitely something wrong in between the blokes and the monitor...
Everyone seems to be blaming either Microsoft or the ignorant user. Let's not leave out the ISP. ISPs should cut off anyone whose connection is showing suspicious activity like spewing out hundreds of emails over a short period of time, etc.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
I really, really don't get it. It's not that hard to keep a Windows box safe. I do understand how grandma can screw up, but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.
People talk about "open ports." To me, that's right up there with "oh no! My IP address is visible!" paranoia. It's just not how computers work! Worms don't somehow jump into your computer through magic holes called "ports": they exploit bugs in services.
So, disable all the services you don't need. Get rid of the blasted Windows filesharing cruft. Shoot the scripting host. Turn off the remote desktop crap. Look through all the services, and just clean all that junk out. If you don't have idiot programs running that worms can fool into executing arbitrary code or otherwise misbehaving, you're ok! Then connect to the 'net and install the latest updates. In the time it takes you to do that, nobody will jump up through your NIC and give your computer gonorrhea.
A firewall is a safety net, and it makes perfect sense in, say, a production IT department to have as many safety nets and backups as you can. But a properly-configured machine, without exploitable crap running, shouldn't strictly need it, and I really think that a competent personal user can easily stay safe.
As for the "security software" the article speaks of: Though an up-to-date antivirus is a decent idea, most software firewalls and other pieces of security software really just operate something like modern-day politicians, keeping users alarmed so as to justify their own existence. "Someone is trying to HACK you!" they scream, as an innocent ICMP ping request arrives at your computer. Pfft. Save your CPU cycles and just don't be a fool!
ISPs cannot distinguish legit mailing from spam; granted, the billion message mark is quite noticeable... maybe just a cap, a million mails a day, etc.?
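The two posts above, one asking ISPs to cut off connections that spew hundreds of emails in a short period and the reply doubting that an ISP can tell legitimate mail from spam, are the kind of thing a small rate detector answers. The following is an added example, not code from the thread or from any ISP, that runs over constructed flow-log lines and flags a source only when it opens many outbound SMTP connections to many distinct mail servers within a short window. The log format, the addresses and the thresholds are all constructed or assumed.

```python
"""
Added example, not code from the thread or from any ISP: a small detector
that runs over constructed flow-log lines and flags a source that opens many
outbound SMTP (port 25) connections to many distinct mail servers within a
short window, the pattern a spam bot shows that a household or a small mail
server normally does not. The log format and all addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# One constructed line per TCP connection attempt, e.g.
# 2007-01-07T10:00:01 src=10.0.0.5 dst=198.51.100.1 proto=tcp dport=25
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line: ignore rather than crash
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_smtp_bursts(
    lines: List[str], window_seconds: int = 60, max_conns: int = 20, min_distinct_dst: int = 10
) -> Dict[str, Tuple[str, int, int]]:
    """Return {src: (time the thresholds were first crossed, conns in window, distinct dsts)}.

    Both thresholds must be met: a raw connection count alone would also
    catch a legitimate mail server talking to a few large providers.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, Tuple[str, int, int]] = {}
    for line in lines:  # lines are assumed to be in timestamp order
        rec = parse_line(line)
        if rec is None or rec[3] != 25:
            continue
        ts, src, dst, _ = rec
        q = recent[src]
        q.append((ts, dst))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        distinct = {d for _, d in q}
        if src not in flagged and len(q) >= max_conns and len(distinct) >= min_distinct_dst:
            flagged[src] = (ts.isoformat(), len(q), len(distinct))
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: one bot, one home user, one small mail server."""
    base = datetime(2007, 1, 7, 10, 0, 0)
    lines = []
    # Bot at 10.0.0.5: 30 connections to 30 different mail servers in 30 seconds.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.0.0.5 dst=198.51.100.{i + 1} proto=tcp dport=25")
    # Home user at 10.0.0.9: five connections to the ISP relay over four minutes.
    for i in range(5):
        ts = base + timedelta(seconds=60 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.9 dst=192.0.2.25 proto=tcp dport=25")
    # Small mail server at 10.0.0.12: 25 connections, but only to three providers.
    for i in range(25):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.12 dst=203.0.113.{(i % 3) + 1} proto=tcp dport=25")
    # Ordinary web traffic from the bot is not SMTP and must be ignored.
    lines.append(f"{base.isoformat()} src=10.0.0.5 dst=203.0.113.80 proto=tcp dport=80")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for src, (when, conns, dsts) in detect_smtp_bursts(build_sample_log()).items():
        print(f"{src}: {conns} SMTP connections to {dsts} hosts within 60 s, first seen {when}")
```

The distinct-destination threshold is what keeps the small mail server out of the alert: it makes as many connections as the bot, but to three hosts rather than thirty. A bot that relays everything through a single provider would slip past this rule, so in practice the count threshold, the window and the destination threshold are tuned against the ISP's own baseline rather than fixed at the values assumed here.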
Kudos.
thegodmovie.com - watch it
That's a great suggestion from 'security researchers'. "Buy new".
I bet we can solve all problems related to IT Security through that. "buy new".
"Security Researchers" the media interview are about as knowledgeable in the field as Cab Drivers are when interviewed by the BBC.
... It's the negligent PC owners. As long as the general Internet-connected public is dumb enough to let this kind of crap continue the bad guys will prevail. The average user just can't be convinced to keep their PC patched, their antivirus def's current or sweep for malware regularly. The average user just can't resist reading those oh-so-friggin-cute, malware laden eGreetingCards, launching email attachments promising a fun new game or nekkid pics of Brittany, or spending countless hours surfing infected porn sites (and you thought we didn't know.. right?). The average user buys a computer, gets the neighbor's kid to get them on the net and calls it good. See where I'm goin' here? The average computer user needs to be a bit more educated in the ways of safe computing. They need to know that most of the content they encounter is malicious and when they ignore the threats they make it worse for everyone... not just themselves. It's not about Windows vs. Linux vs. Mac (even though Linux rules baby!) it's about bad, but clever people vs. nice, but stupid people... IMHO
chown -R us
Couldn't the OS block access to IRC by default?
It seems to me anyone naive enough to install a trojan would not be using IRC anyway, and conversely, anyone who uses IRC would probably be computer savvy enough to avoid trojans.
i thought holding a website for ransom or unleashing a botnet DDOS to shut them down was a problem, but the topic was never touched on in the NYT article
is it because the issue is outside the scope of the article or am i hopelessly behind the times and that's not really a problem anymore for some reason i'm not aware of?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Being proficient with a computer is not optional if you want to own and use a computer. Learn about TCP/IP. Learn about NAT. Learn about not trusting everything. Learn about understanding how things work at least a little bit before you try to run.
That's not really required. My aunt runs a Windows 2000 install I set up for her; she doesn't have the admin password, IE, Outlook or the ability to install software and has never had a problem. My sister has a Mac; she keeps a separate root account and has never had a problem.
I call it machines shipping with shoddy, poorly set up operating systems.
Xix.
"Everything is adjustable, provided you have the right tools"
Sorry, but the primary function of a firewall is indeed to add security. My website is protected by a firewall but it still receives millions of hits and several hundred thousand pageviews. It's safe to say it's quite visible and I wish it to remain so. You're right that a firewall is an additional layer of protection and is by no means the only layer. Sometimes you are forced to run an insecure app though, and in those times you thank your lucky stars you have proper firewalls and routers and VLANs and RADIUS to help protect your services.
Nothing will solve this problem other than having the users educated and responsible. Instead of finally telling the users that they should take the responsibility for their system, right now the approach is to make fucking heuristic schemes or to silently make the assumption that a certificate issued by a list of organizations is valid. Instead of putting a simple explanation beside the warning dialog when you open a web page which enables the user to find out whom he actually trusts, the dialog boxes for self-signed certificates and those signed by a CA look quite similar to the normal user. Moreover, in everyday life nearly nobody uses certificates. One approach would be to sell one certificate per computer (or OS license) right when you buy it. And the users should be asked when they would like to sign (and encrypt!) something (e.g. email!). Moreover, they should be shown how they can easily sign things themselves. And a simple-to-use scheme should be implemented which allows one to say something like: trust everybody whom my direct contacts trust. Take the administrator of your company in your address book, and because he trusts certain company signatures (for certain purposes, e.g. installing drivers) you will not be bothered in the future when a company only signed the drivers using a certificate not issued by a CA.
Guiding the users to more responsibility is the only thing which can help - in all security affairs.
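The "trust everybody whom my direct contacts trust" scheme in the post above is a small trust policy, and the two properties it asks for (trust scoped to a purpose such as installing drivers, and trust that comes from people in your own address book) are easy to get wrong. The following is an added example, not code from the thread or from any existing certificate system, that implements that policy as a lookup over a trust store. It deliberately stops at one hop, so a contact of a contact confers nothing, and it does no signature verification; it only answers the policy question once a signature has been checked. All principals, key names and purposes are constructed placeholders.

```python
"""
Added example, not code from the thread: a small trust policy that implements
the rule proposed above, "trust everybody whom my direct contacts trust", with
two properties the comment asks for: trust is scoped to a purpose (a key
trusted for signing drivers is not thereby trusted for anything else) and it
does not chain beyond one hop, so a contact of a contact confers nothing.
All names and keys are constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple


class TrustStore:
    def __init__(self) -> None:
        # principal -> {(signer_key, purpose)} it has explicitly chosen to trust
        self.direct: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
        # principal -> its direct contacts (people in its address book)
        self.contacts: Dict[str, Set[str]] = defaultdict(set)

    def trust(self, who: str, signer: str, purpose: str) -> None:
        self.direct[who].add((signer, purpose))

    def add_contact(self, who: str, contact: str) -> None:
        self.contacts[who].add(contact)

    def why_trusted(self, who: str, signer: str, purpose: str) -> Optional[str]:
        """Return the reason the signer is trusted for this purpose, or None."""
        if (signer, purpose) in self.direct[who]:
            return "direct"
        # One hop only: consult what each direct contact trusts, never the
        # contacts' own contacts.
        for contact in sorted(self.contacts[who]):
            if (signer, purpose) in self.direct[contact]:
                return f"via {contact}"
        return None

    def accept(self, who: str, artifact: Dict[str, str]) -> bool:
        """Decide on a signed artifact {'signer': key, 'purpose': what it is}.

        Assumes the signature itself has already been verified elsewhere;
        this answers only the policy question.
        """
        return self.why_trusted(who, artifact["signer"], artifact["purpose"]) is not None


def build_demo_store() -> TrustStore:
    store = TrustStore()
    # alice has her company administrator in her address book and trusts
    # one public CA, but only for TLS.
    store.add_contact("alice", "admin")
    store.trust("alice", "ca:example-root", "tls")
    # The administrator vetted the vendor's self-issued driver-signing key.
    store.trust("admin", "key:acme-drivers", "driver")
    # The administrator also knows a vendor rep who trusts a further key;
    # that is two hops from alice and must not count.
    store.add_contact("admin", "vendor-rep")
    store.trust("vendor-rep", "key:third-party", "driver")
    return store


if __name__ == "__main__":
    s = build_demo_store()
    checks = [
        ("key:acme-drivers", "driver"),  # via admin
        ("key:acme-drivers", "app"),     # wrong purpose: not trusted
        ("key:third-party", "driver"),   # two hops away: not trusted
        ("ca:example-root", "tls"),      # direct
    ]
    for signer, purpose in checks:
        print(signer, purpose, "->", s.why_trusted("alice", signer, purpose))
```

Returning the reason rather than a bare boolean is what makes the dialog the post complains about explainable: "trusted because admin vetted this key for drivers" is something a user can act on, whereas a uniform warning box is not.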
The biggest problem seems to be the fact that most of the computers on the Internet are now Windows PCs of some flavor. A more heterogeneous network might help. IOW, this is a side effect of Microsoft's virtual monopoly of the desktop. Most end users are going to be too clueless to know how to lock down their PCs. Maybe Microsoft should be fined for selling defective software. If this happens, then Apple and other OS sellers should probably be subject to the same rules regarding how easy it is to setup a botnet on their OSs without the explicit consent of the owners.
Most (not all, mind you, but most) people are reasonably responsible about maintaining their cars. They learned about it at their daddy's knee, or from the coach who taught them driver's ed. They hear about it when they buy a new car. They see ads on television ("Be good to your car so your car will be good to you...") People neglected their oil, filters, and tires savagely back when pumping one's own gas became popular because nobody was there to offer to check for them--but then a whole new line of enterprise sprang up and Jiffy Lube was revealed to us. I'll bet nine people out of ten will tell you that it's necessary to change their oil each 3,000 miles even when it isn't--because Jiffy Lube wants us to.
So where, precisely, do people go to find out about maintaining their PCs in a secure fashion? Nowhere in particular that I've noticed. Most people hate spam. They're in it up to their necks, and they despair of being able to do anything about it. If they knew what to do, I suspect most of them would do their best to follow instructions or suggestions. Nobody's advertising this info, nobody that I know of is teaching it in schools. You can't find it in magazine articles. You can try to ferret it out on the Internet, but that's tough to do for people who don't even know where to begin. What have they got? There are the virus protection companies, I suppose--but they're drowning too, and their posts can be cryptic for the uninitiated.
I have a strong suspicion that if tomorrow, the Tide people began advertising a laundry detergent that would add five years to the life of your washer, people would line up to buy it. So who's advertising what to do when under threat from the spammers and their botnets?
"Here's what's happening. You're starting to drive like your Dad..." - Red Green
I would never run a Windows machine exposed to the Internet - it takes too much damn time to harden it enough to survive the wilds of the Internet on its own. I'd rather give it a BSD or Linux jimmy-hat - faster to set up, and you don't make your Windows box unusable from the security settings you've forced on it.
I'd agree with you on a lot of "security" software - it's mostly horseshit. Unfortunately, most of the good, unobtrusive software is generally reserved for business users. I'd love to have something functional but unobtrusive to offer customers that don't have a server at their office...
Why can't I mod "-1 Idiot"?
root@ubuntu:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
tcp        0      0 localhost:2208     *:*                LISTEN      4181/hpiod
tcp        0      0 localhost:51304    *:*                LISTEN      4184/python
tcp        0      0 localhost:8118     *:*                LISTEN      5847/privoxy
tcp        0      0 localhost:ipp      *:*                LISTEN      5811/cupsd
No open ports on ubuntu?
An ignorant question: Why, then, does MS persist in leaving them open? It seems like there's no real reason for doing so unless you have a specific reason, and that it's possible to open ports only as necessary, e.g., opening whatever port(s) MS Messenger uses only while MS Messenger is running. Since MS presumably has competent people designing its security and doing the best they can with such a complex product, why haven't they taken this obvious step?
Revive the Constitution.
I came across this idea recently via a writers' group. The author proposes breaking the "warez" distribution system by deliberately putting out many partly-broken versions of software. For a game this would probably mean some versions that crash halfway through or subtly corrupt saved games. But if the warez networks are using hash signatures to identify perfect original versions of media, wouldn't this technique fail?
Revive the Constitution.
Disrupt the botnets as much as possible.
I liken this to the international telephone call hacks several years back. Company PBX'es were hacked and international calls made through them, with the company getting the bill.
If the company didn't make routine international telephone calls, then a solution was to disable international phone calls.
At any level in the United States, it should be an option to disable internet traffic from, shall we say, countries where most attacks come from, or at least the bulk of it.
Now of course the botnet PC's are comprised of plenty of US PC's, that's not the point. The point is that the attacks that took them over come from overseas, and continued commands to the botnets come from the owners.
I have a small phpBB web site. I am attacked night and day with breakin attempts. When I look up the IP addresses, they are almost all from these few countries. If it is, I ban the entire ISP address range from registering and logging in, but the addresses can read the site I believe. If not from these countries, I ban the specific IP address.
For my site, I ban everything overseas because of no foreign interest in my US oriented content. The bans quickly accumulate to high level domains being banned, so the ban list for my site isn't that big.
I know it's not perfect, and I haven't done anything to generate the list but respond to attacks. But even an exact list of IP ranges for ISP's in countries where if you get a purchase, it would be from a stolen credit card, should be able to be handled by a firewall. I would include US ISP address ranges that don't implement the ban as a default, or in other words, become a hired US proxy to them.
So what I did for my site should be done publicly, and software such as a firewall optionally configured to stop traffic to and from the ban list. I think for example ISPs should implement this for customers except those who specify to be excluded. Botnet owners, not having any idea what their PCs are doing, would not normally be seeking exception from a standard ban.
It should be like an international phone call. People should be able to know what their PCs are bombarded with, and where it's coming from. For example, a firewall log should be easy to bring up and show the attacks coming in, and at least at a high-level domain level what region the majority of the IP addresses of the attack is from. BlackICE displays the attacks very well, but just an IP address with it.
Whitelists are also good. This is to screen out the chatter, not inhibit useful communications. It's just that with some places very little useful communications is taking place, except useful to thieves.
rd
exploitable crap running = magic holes called ports fool
Ports are just services. In *nix-land they're listed in
A firewall is still required in Windows. netstat -a will show open ports listening on 0.0.0.0. That means that Internet traffic can directly reach it. If MS hasn't issued a patch for recent exploits, then your box will be owned. That's why Windows requires a firewall or a router.
I didn't think that was possible. Bug?
Firewalls *should* be bidirectional filters. That is, they filter what goes out (egress) as well as what comes in (ingress). You are probably confusing them with NATs which usually allow anything out and provide some limited means for inbound port mapping. The XP firewall, when correctly configured will filter egress. Unfortunately it is relatively easy for an application to override. For example any kind of SMTP spambot needs to be able to send out SMTP (and probably hook up with IRC). If SMTP is blocked except through an official MTA with security controls then an infected PC can't do a whole lot.
Unfortunately, the routers that come with firewalls for domestic purposes seem quite limited. I was recently sent a nice new VoIP WiFi router (AVM Fritz Fon 7170) as part of a new ADSL contract. It boasts a firewall, but it is only really connected with the NAT traversal with no real egress control. OTOH another router from Billion, which I received as part of another contract, had very good firewall control, but I suspect most domestic users would just disable egress control. In my case the routers unfortunately were not interchangeable because I needed ISDN support that my Billion model didn't have.
See my journal, I write things there
...but I just do not buy the rubbish that every Windows machine gets compromised in five minutes.
I don't know why your post is considered Insightful. Because you said 5 minutes instead of 12 minutes? This from MSFT's web site:
http://www.microsoft.com/technet/desktopdeployment/articles/080305tn.mspx
Techniques for Patching New Computers
Published: August 3, 2005
By Tony Northrup
I've Been Hacked Already?
A few years ago, I was doing systems engineering work for a technology firm when a UNIX systems administrator asked me to help him with a problem. He used a computer running the Microsoft Windows operating system and connected to the public Internet for testing, and that computer was behaving strangely. I took a quick look at it and immediately recognized the problem: The computer was infected with a worm.
"Okay. Now how do I get rid of it?" he asked.
"The computer doesn't belong to you anymore; it belongs to the bad guys now. You don't know what they might have done with it. Reformat it, re-install Windows, and get it patched."
He rebuilt it and came back to me in about an hour. His computer had become infected with the same worm while he was trying to install the security updates.
According to Sophos research published July 1, 2005, there's a 50 percent chance that an unpatched computer running the Windows operating system will be infected with a worm within 12 minutes of being connected to the Internet. That's bad news, because downloading and installing all the latest updates takes longer than 12 minutes. If you're deploying hundreds of computers, you really have no chance. So, how can you keep your new computers from being attacked before you can update them?
end quote
rd
My website is protected by a firewall but it still receives millions of hits and several hundred thousand pageviews. It's safe to say it's quite visible and I wish it to remain so.
I have to ask the question - why do you think you need a firewall on a machine that is only running internet-visible services? A firewall adds a layer of protection against cockups (e.g. accidentally starting a service that shouldn't be running, etc) but if there's a service listening on a port which you have blocked through the firewall you really need to be asking yourself _why_ you have that service listening.
Last time I looked at XP Home, it had a scary amount of stuff listening for connections from anywhere by default - there's really no reason for this. If a service is required for the machine itself (i.e. no one else on the network) it should be bound to the loopback interface instead of binding to all interfaces.
http://blog.nexusuk.org
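The check the posts above keep circling (the quoted `netstat -tap` output, "listening on 0.0.0.0", "bound to the loopback interface instead of all interfaces") as an added Python example that is not code from any poster: it parses netstat-style output and reports every listener not bound to loopback. The sample output is constructed, modelled on the Ubuntu listing in the thread with a few wildcard listeners added; the address spellings it accepts (`*`, `0.0.0.0`, `:::`, `[::]`) are the ones net-tools prints.

```python
"""Separate loopback-only listeners from network-reachable ones.

Added example for the thread above, not code from any poster. It parses
the text layout that Linux `netstat -tap` prints and reports every socket
in LISTEN state that is not bound to loopback, which is what the posts
mean by an "open port" that traffic from the network can reach.
"""
from dataclasses import dataclass

# Constructed sample modelled on the netstat output quoted in the thread,
# plus a few wildcard listeners of the kind the XP Home post complains about.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
tcp        0      0 localhost:2208     *:*                LISTEN      4181/hpiod
tcp        0      0 localhost:51304    *:*                LISTEN      4184/python
tcp        0      0 localhost:8118     *:*                LISTEN      5847/privoxy
tcp        0      0 localhost:ipp      *:*                LISTEN      5811/cupsd
tcp        0      0 0.0.0.0:445        0.0.0.0:*          LISTEN      900/smbd
tcp        0      0 *:ssh              *:*                LISTEN      1234/sshd
tcp        0      0 192.168.1.5:3306   *:*                LISTEN      2222/mysqld
tcp        0      0 192.168.1.5:51000  203.0.113.5:80     ESTABLISHED 3333/firefox
tcp6       0      0 :::135             :::*               LISTEN      901/rpcbind
"""

LOOPBACK = {"localhost", "ip6-localhost", "127.0.0.1", "::1", "[::1]"}
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}


@dataclass
class Listener:
    proto: str
    host: str      # local address exactly as netstat printed it
    port: str      # numeric port or service name, as printed
    bind: str      # "loopback", "all-interfaces" or "specific"
    program: str   # PID/Program name column


def classify_bind(host: str) -> str:
    """Map a local address to how widely the socket is reachable."""
    if host in LOOPBACK or host.startswith("127."):
        return "loopback"
    if host in WILDCARD:
        return "all-interfaces"
    return "specific"


def parse_listeners(text: str) -> list:
    """Return every socket in LISTEN state, in the order netstat printed it."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith(("tcp", "udp")):
            continue                      # header and blank lines
        addrs = [i for i, t in enumerate(tokens) if ":" in t]
        if len(addrs) < 2:
            continue                      # no local/foreign address pair
        local = tokens[addrs[0]]
        trailing = tokens[addrs[1] + 1:]  # state (if printed) then PID/Program
        state = trailing[0] if trailing and trailing[0].isalpha() else ""
        if not state.startswith("LISTEN"):
            continue                      # ESTABLISHED, TIME_WAIT, ...
        host, port = local.rsplit(":", 1)  # ":::135" -> ("::", "135")
        program = trailing[-1] if len(trailing) > 1 else ""
        found.append(Listener(tokens[0], host, port, classify_bind(host), program))
    return found


def exposed_listeners(text: str) -> list:
    """Listeners a remote host could connect to: everything not on loopback."""
    return [sock for sock in parse_listeners(text) if sock.bind != "loopback"]


if __name__ == "__main__":
    for sock in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{sock.proto} {sock.host}:{sock.port} ({sock.program}) is bound to {sock.bind}")
```

On a real box, feed it `netstat -tap` output (or `netstat -ano` on Windows, whose columns differ but whose addresses parse the same way) and every line it prints is a service to turn off or rebind to loopback rather than merely firewall.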
- Provide the hardware to connect (i.e. the cable or dsl modem)
- route all the traffic
- provide e-mail service to their customers
- get paid money to do the above responsibly
Those facts make this the Cable/DSL providers' problem. The security threats just don't fall from the sky, they come in (and go out) through a wire. That wire belongs to the ISP, so this is the ISP's problem. Here are some fixes:
- The cable/dsl companies should provide a hardware firewall along with the modem. The 'blue box' firewall/NAT router is super cheap wholesale, sometimes you can even pick one up retail for about $30. Last time I was in Best Buy, I saw a Motorola Surfboard modem with a built-in router/firewall. There is absolutely no reason (besides shortsightedness) that these should not be automatically provided to customers. The cost savings from customer service and fewer complaints would more than make up for the initial extra hardware costs.
- Aggressively filter ports. I just got converted (today, in fact) from adelphia to comcast. Comcast routes smtp through port 587, not 25. I was scratching my head for a minute to figure out why, but then it dawned on me that it was to prevent bots from spewing spam on port 25. Granted, now I will no longer be able to occasionally dabble with my own mail server, but you can get Speakeasy if you seriously want to run your own servers.
- As part of the filtering, aggressively disconnect obvious spam bots. If one of their clients is sending 10,000 mails between 3AM and 3:15 AM, that machine needs to be taken offline. Notify the client and help him clean the machine. Don't let him back on the network until he demonstrates (like by providing a scan log, store receipts) that he has installed anti-virus software, cleaned up his box, and installed a hardware firewall.
- Scan and add headers to suspicious incoming bulk mail. Spam, mail-borne trojans, and virii rarely come as singletons. They come in bulk, so they should be fairly easy to identify at the server. (Just got identical messages for 10,000 customers? Oh, we might want to scan those or at least add a spam header.) It might take some horsepower, but these messages can be marked as spam and/or scanned at the destination server before they are delivered to the client.
Another nice touch would be providing free anti-virus service to the customer. When I was moving my account to comcast this morning, I noticed they provided a free subscription to McAfee for their customers. Very nice and responsible. I already had a subscription, but still very nice.
So far botnets have predominantly infected Windows-based computers, although there have been scattered reports of botnet-related attacks on computers running the Linux and Macintosh operating systems.
I see that John Markoff is keeping with his habit of peppering his articles with unsustained, unproven assertions. I know that this is the NYT and not a real paper, but still, someone is bound to notice eventually.
To set things straight: Of course bots attack Linux servers. I am running a mail server that filters out millions of attacks a day and logs hundreds of thousands of others. Every single one of these attacks comes from an 0wned Windows machine. Including some corporate servers.
But that doesn't mean that there are bot nets made out of non-Windows machines out there. It would be huge news and would rattle the world of network security. So you'd have heard of it. We all would have.
It's rather sad to see that this incoherent piece passes for "News for Nerds". News for technically illiterate, computerphobic bourgeois to read with their overpriced designer mocha, yes, but for the rest of us, that's a waste of bandwidth.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
IT geeks? That's nothing.
Steve Ballmer can't even secure a Microsoft Windows computer.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
I would like to see more consumer grade firewalls sporting the ability to block outgoing packets, but offer customizability so people can choose what goes out the door. For example, port 25 out should be blocked by default, and the manual that comes with the router (or software) offer explicit, clear directions on how to enable this port if a user just has to have it as opposed to using a more proper port in their mail software (465 to be exact.) I am quite sure that between ISPs getting enough of a clue to block outgoing 25 on their dialup/DSL/cable networks, and routers which block 25 by default, this will slow down bot spam.
To be even more funky, perhaps have a SOCKS5 server on the firewall box, so applications can get out as they please if configured properly, but programs which just want to blast out packets will be stopped in their tracks. Of course, if this is done, the next gen spyware will be socksified and scan for existing SOCKS configs, but it's a step.
Clarification: I meant firewalls as dedicated hardware boxes like the DSL routers, not firewalling software like ZoneAlarm.
Botnets wouldn't have much influence if hardware and software shipped "hardened". Instead, greedy and evil upper management despots allowed marketers to pervert engineering in order to promote sales.
How come the real bad boys have all the toys?
Yep then this magically secure windows box user fires up IE, surfs a couple of web sites and gets smoked by a remote code execution vulnerability. Oh let me guess, it is the user's fault since he visited some sites he wasn't supposed to. Face the facts, if you connect a windows box to the Internet it is not a matter of if you will be owned but how quickly you will be owned. I have had numerous people tell me that they never have a problem, go look at their PC and guess what, most of the time they are owned but are too ignorant to know it.
Yes you can do a fairly good job of securing a windows box but about the time you get it right you are left with a computer that has the usefulness of a toaster.
Got Code?
Unless your firewall is a reverse proxy, you are still vulnerable to exploits in your code, or the webserver.
Firewalls are bandaids, there is no replacement for well written, secure code.
I can throw myself at the ground, and miss.
"Nothing will solve this problem other than having the users educated and responsible"
"the dialog boxes for self-signed certificates and such signed by an CA look quite similar to the normal user"
"Guiding the users to more responsibility is the only thing which can help - in all security affairs"
Nonsense, the root cause of the problem is the vast numbers of Windows computers out there hijacked into the service of some botnet. As such it is up to the manufacturers to make them secure. Relying on the user to click or not click in a box is futile in the extreme.
was: It is not a hardware or software Problem! (Score:1)
davecb5620@gmail.com
Then it'll probably have less resources available, after you factor in the Windows bloat
"It's the negligent PC owners. As long as the general Internet-connected public is dumb enough to let this kind of crap continue the bad guys will prevail"
As long as the manufacturers are allowed to sell such a defective product, botnets, phishing and viruses will be a problem. Incidentally, what indemnification does the software maker or the AV vendor give us against getting compromised with a 'virus'?
It's not the PC's being targeted... (Score:1)
davecb5620@gmail.com
>Because you said 5 minutes instead of 12 minutes?
I hadn't recalled the exact figure -- 5 minutes, 12 minutes, etc -- but it is exactly this kind of anecdote that I'm talking about. If the research paper has data, I can't argue with that; it's fact. But if you take reasonable steps to secure the box before you insert that RJ-45 connector, in my experience, you'll be just fine.
>Yep then this magically secure windows box user fires up IE surfs a couple of web sites and gets smoked by a remote code execution vulnerability.
I guess I took it for granted that we were using a decent browser... ;-)
>Yes you can do a fairly good job of securing a windows box but about the time you get it right you are left with a computer that has the usefulness of a toaster.
Ah! For simplicity, I'd left my solution to that problem out of my previous post. Once you kill the crap, connect, and update, you download safer replacements -- say, Firefox for browsing, Cygwin SFTP for sharing files, etc. In the process, I generally pretty-thoroughly unixify my Windows machines.
By now I'm obviously not talking about a general solution to Joe User's problems. I'm telling you what I personally like, which I can't expect others to -- and which would not be realistic in a production IT environment. So there are plenty of other solutions, and a hardware firewall is a perfectly good one.
My purpose is really to encourage a more rational worldview about what it is that makes a Windows box insecure. It's not "OMG Windows;" it's buggy services (and clients, like IE) that run by default. A dozen times, I've seen people "disable Windows filesharing because it's insecure" (fair enough) by blocking the appropriate ports on a local software firewall. That's silly. Just turn the service off. I'm trying to challenge the voodoo approach I've seen in homes (and even in IT) so many times, where people simply don't understand that their problem is not "hackers," mystical cyber-warriors who "break in" through sheer mental force, but low-IQ programs that can be sweet-talked out of their pants.
Name three.
my password really is 'stinkypants'
You do have to give Win9x some credit for not exposing a bazillion ports to the Internet with services. With Win98 and WinME, on a default install only the ports 137, 138 and 139 are open (which are NetBIOS). Turn off NetBIOS and you're pretty much firewalled. On Win95 the NetBIOS stuff isn't installed by default.
Apparently you don't know what an open port is.
Here's a hint: a service listening for incoming connections creates an "open port." If nobody is listening, the port is not open. So if you disable services that listen for connections, you're closing ports. You can also block them, with a firewall, but as others have pointed out that's not as good.
In other words, yes, worms "jump in" through open ports. You can call them magic if you want.
Damn straight. I don't understand all those people that brag about keeping their boxes online or don't care to shut them off. Common excuses are "I'm downloading something." (despite being on broadband) or "I can collect messages." (despite having e-mail to replace their online IM client).
My siblings here often leave for the city or for friends while leaving their computer on doing nothing. It's such a waste of electricity.
The last DSL broadband service that I worked through used their own SMTP relay server. This had a rate circuit breaker so that if you sent out loads of emails, it would switch off. Most particularly on that router I had it set up that port 25 access only went to the relay so unless the bot was clever enough to find it then the logfile from the firewall would give me a chance to fix the problem.
See my journal, I write things there
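The rate circuit breaker described in this post, and the "10,000 mails between 3AM and 3:15 AM" rule the earlier ISP post asks for, as an added Python example that is not code from any poster: it reads relay log lines, keeps a sliding window of recipients per client address and returns the clients that exceed the window budget. The log format, the client addresses and the 500-recipients-per-15-minutes budget are all constructed assumptions.

```python
"""Rate circuit breaker for an ISP's SMTP relay.

Added example for the thread above, not code from any poster. One line per
accepted message: "<ISO timestamp> client=<ip> nrcpt=<recipient count>".
The breaker trips for a client once the recipients it has been sent within
any `window` exceed `budget`; the sliding window is what lets a legitimate
high-volume sender pass while a 3 AM blast is caught within minutes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) client=(\S+) nrcpt=(\d+)$")

# Constructed log (no real MTA writes this format), deliberately not in
# time order so that parsing has to sort it.
SAMPLE_LOG = "\n".join(
    # a subscriber sending three ordinary messages during the day
    [f"2007-01-07T09:{m:02d}:00 client=10.0.0.5 nrcpt=1" for m in (5, 17, 42)]
    # a mailing-list host: 30 recipients every two minutes for two hours (1800 total)
    + [f"2007-01-07T12:{m:02d}:00 client=10.0.0.9 nrcpt=30" for m in range(0, 60, 2)]
    + [f"2007-01-07T13:{m:02d}:00 client=10.0.0.9 nrcpt=30" for m in range(0, 60, 2)]
    # an infected PC: 40 recipients every 20 seconds from 3:00 to 3:15 AM
    + [f"2007-01-07T03:{m:02d}:{s:02d} client=10.0.0.17 nrcpt=40"
       for m in range(15) for s in (0, 20, 40)]
)


def parse_log(text: str) -> list:
    """Return (timestamp, client, recipients) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    events.sort()
    return events


def tripped_clients(events, window=timedelta(minutes=15), budget=500) -> dict:
    """Map each client that exceeds `budget` recipients within any `window`
    to the timestamp of the message that tripped its breaker."""
    recent = defaultdict(deque)    # client -> (ts, nrcpt) entries still inside the window
    in_window = defaultdict(int)   # client -> recipients summed over `recent`
    tripped = {}
    for ts, client, nrcpt in events:
        if client in tripped:
            continue               # already cut off; nothing more to count
        q = recent[client]
        q.append((ts, nrcpt))
        in_window[client] += nrcpt
        while ts - q[0][0] > window:   # slide the window forward
            _, expired = q.popleft()
            in_window[client] -= expired
        if in_window[client] > budget:
            tripped[client] = ts
    return tripped


if __name__ == "__main__":
    for client, when in tripped_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client} tripped the relay breaker at {when.isoformat()}")
```

With the constructed sample, 10.0.0.9 sends more mail overall than the infected 10.0.0.17 but never has more than 240 recipients in any 15-minute window, so only 10.0.0.17 is cut off, at the 13th message of its blast.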
If every service provider and business with an internet presence were to perform egress filtering, that is only allow their valid assigned netblock to enter the internet, then Botnet/DoS wouldn't be as big of an issue as it is. By only allowing their assigned netblock they eliminate IP address spoofing which in turn improves traceability, accountability and filtering capability for their internet neighbors. Why is it then that one of the most effective and also simplest methods of prevention isn't done? Cisco is to blame since the majority of their routers have poor performance and anyone who owns a Cisco router is reluctant to enable filtering without killing performance. For anyone who manages Cisco routers you've probably experienced the CPU utilization getting pegged out where you can't even console in. This happens because Cisco routers (everything up to 2800, 3800, 7200, 7500, etc.) are poorly designed, with the routing, packet forwarding and management all handled by a wimpy RISC processor. Therefore, Cisco is partially responsible for the Botnet/DoS epidemic. Now, let's look at routers that are designed right. Juniper M series and above separate the routing, packet forwarding and management so one doesn't affect the other functions. Furthermore, they have ASIC hardware filtering that has amazing performance and doesn't impact router performance.
I don't work for any of the companies listed. I just had to learn the hard way using Cisco equipment.
"scattered reports of botnet-related attacks on computers running the Linux and Macintosh operating systems."
I have NEVER heard of ANY "botnets" on Linux OR Macintosh.
"botnet-related"? Meaning somebody TRIED to create a botnet virus or trojan for Linux? Make that clear, please.
As far as I know, the number of viruses (almost none "in the wild") on Linux is something less than 20 (not counting variants). And almost all of them only infect the local user. Without being able to exploit a privileges-escalation loophole to gain root, Linux and Mac are nearly invulnerable to viruses.
Yes, it's bad that a virus can infect the local user. For a home user, that is VERY bad. For a business server, that is very good - which is why you see very few viruses on Linux and Mac.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
The firewall as I said is an additional layer of security. I can see when I'm being probed and I can see the spoofs and other attacks on my server. Without the firewall I have no way of monitoring and reactively banning known offenders. Furthermore it adds a layer of redundancy as I have multiple servers servicing that port and IP address, something I couldn't do as effectively if the machine was directly on the Internet.
Of course firewalls do prevent mistakes from causing disaster and that has merit too. Now it doesn't matter if I accidentally install SMTP services on the webserver; the firewall will guarantee that it works internally and ensure it doesn't work externally.
XP Home does have a ridiculous number of ports open by default and so does SuSE if you enable all the services that are typically needed for windows file sharing and printing but that doesn't really mean a whole lot these days. Let's face it, Windows 98 was more secure remotely because the thing just didn't do that much compared to the new kernel that exists today and compared to any version of linux after kernel 1.0. None of it is perfect, firewalls aren't perfect either for that matter, that is why you layer your security so a single vulnerability doesn't lead to disaster.
No one was suggesting a replacement of well written code. Firewalls are but an additional layer of security and provide you a buffer between your mistakes and disaster. I can't imagine how anyone could see that as anything but a good thing.
My firewall will also protect me from vulnerabilities in my code, however: if my firewall won't allow SMTP from that server then no exploit code on that server is going to result in my server sending out email. It's plain and simple. Yes, not all exploits are averted, but the mere fact that there are some is enough to make it worth it.
All the *times sites have a "single page" link; could it be possible to use this link in the submissions and forget about multi-page articles?
http://www.nytimes.com/2007/01/07/technology/07net.html?pagewanted=all
>Here's a hint: a service listening for incoming connections creates an "open port." If nobody is listening, the port is not open.
Hmm. Ok, that's sort of a semantic point, but I don't really disagree. I do understand that it's ports that services listen on: I've written some clients and servers in C for Windows and for Linux, so I get how all this stuff works. My point is that people take a voodoo approach of "closing ports" with some kind of ugly software firewall rather than just turning off what they don't need or trust.
Imagine you're running a call center, and there are a couple of employees who you're afraid are so dumb that they might reveal important company secrets to callers. You don't disconnect their telephones and continue to send them paychecks; you just fire them. The problem in that case isn't the telephone numbers at which your incompetent employees are contacted; it's the people themselves. Likewise, the "ports-as-open-doors" mentality, I think, distracts from the real problem, which is the services that are listening on those ports.
I'm responding to a lot of ignorance I've seen, where even career I.T. guys (MCSEs!) practiced 'network security' as though they didn't really understand what was going on. If you do understand, awesome.
You're right, and I believe that was the guy you were responding to's point as well -- blocking ports with a firewall isn't really an ideal solution. Which is why it's good that most Linux distributions and OS X come with most ports closed (no daemons listening on them). On the other hand, Windows comes with a bunch of stuff open, much of which is nearly impossible to close (particularly for a non-techie) and some of which are actually impossible to close. That leaves you with no choice but to use the less than ideal solution -- a firewall.