Estimating the Time-To-Own of an Unpatched Windows PC
An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutcheson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."
I've heard similar statistics in the past already. How is this statistic measured? Is it the time after you connected your ethernet cable or modem and doing nothing at all but wait, or is it the time after you opened a browser and let an "average" user surf the internet and open things? Is it a problem if you need 4 minutes to install all windows patches and updates?
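The question above (how is "time to infection" actually measured?) comes down to what the honeypot operator records and how the numbers are aggregated. The following is an added example, not code from the ISC post or from any poster: it takes a constructed set of honeypot observations (each host's exposure window and the offset of its first successful compromise, with hosts that survived the whole window marked as censored) and shows both the naive mean/median and a Kaplan-Meier survival curve that accounts for the survivors. Note how one slow compromise drags the mean far away from the median; that alone can turn "4 minutes" into "16 hours" depending on the summary statistic chosen.

```python
"""Estimating time-to-compromise from honeypot observations.

Added example (not ISC's or any poster's code). OBSERVATIONS is a
constructed data set: each record is one exposed host, how long it was
left on the wire, and the offset of the first successful compromise
(None if it survived the whole window, i.e. right-censored).
"""
from statistics import mean, median

OBSERVATIONS = [
    {"host": "hp-01", "exposed_s": 3600,  "owned_at_s": 240},    # ~4 min
    {"host": "hp-02", "exposed_s": 3600,  "owned_at_s": 95},
    {"host": "hp-03", "exposed_s": 86400, "owned_at_s": 57600},  # 16 h
    {"host": "hp-04", "exposed_s": 86400, "owned_at_s": None},   # never owned
    {"host": "hp-05", "exposed_s": 3600,  "owned_at_s": 310},
]


def split_observations(observations):
    """Separate compromise times from the exposure windows of survivors."""
    owned = [o["owned_at_s"] for o in observations if o["owned_at_s"] is not None]
    censored = [o["exposed_s"] for o in observations if o["owned_at_s"] is None]
    return owned, censored


def summarize(observations):
    """Naive statistics: mean and median of the compromised hosts only.
    A single slow compromise drags the mean far from the median, which is
    one reason two honeypot studies can report 4 minutes and 16 hours."""
    owned, censored = split_observations(observations)
    return {
        "n": len(observations),
        "compromised": len(owned),
        "censored": len(censored),
        "mean_s": mean(owned),
        "median_s": median(owned),
    }


def kaplan_meier(observations):
    """Product-limit survival curve that accounts for censored hosts.
    Returns [(t, S(t))] at each compromise time; S(t) is the estimated
    probability that a host is still un-owned after t seconds."""
    events = sorted(
        (o["owned_at_s"] if o["owned_at_s"] is not None else o["exposed_s"],
         o["owned_at_s"] is not None)          # (time, was_compromised)
        for o in observations
    )
    at_risk = len(events)
    survival = 1.0
    curve = []
    i = 0
    while i < len(events):
        t = events[i][0]
        j = i
        owned_here = 0
        while j < len(events) and events[j][0] == t:   # group ties
            owned_here += events[j][1]
            j += 1
        if owned_here:
            survival *= 1 - owned_here / at_risk
            curve.append((t, survival))
        at_risk -= j - i          # censored hosts leave the risk set silently
        i = j
    return curve


def median_survival(observations):
    """First time at which the estimated survival drops to 50% or below."""
    for t, s in kaplan_meier(observations):
        if s <= 0.5:
            return t
    return None


if __name__ == "__main__":
    print(summarize(OBSERVATIONS))
    print(kaplan_meier(OBSERVATIONS))
    print("median survival (s):", median_survival(OBSERVATIONS))
```

On this constructed data the mean time to compromise is about four hours while the median is under five minutes, and the survival-curve median is 310 seconds. A study that reports only the mean, or that silently drops hosts which were never compromised, will land on a very different headline number than one that reports the median with censoring handled.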
Didn't the honey project provide us this exact same information a few years ago?
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
Man this doesn't make sense. So what, are they saying that as soon as you plug in your modem to the PC thousands of different sources are already trying to infect you? Even if you don't browse? Because the point is you can download Windows Updates and you can install and update your AV with only two connections. Not sure how you're going to get infected that way.
Of course it could just be "Windows users can't resist dodgy porn sites for more than 4 minutes". Which makes more sense. I mean, when you've just gotten access to the internet what's the first thing you do? Hot Busty Nurses > Slashdot.
You think either the summary or the linked article would have been kind enough to say what version of Windows.
From the link that goes here (linked from the first linked page) it looks like Windows XP. Would be interesting to compare with Vista.
I am posting this message from a completely unpatched windows box on the Internet and I am not seeing any side eff....
Buy Viagra Cheap at http://myipaddres/viaga
Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).
Andy
Windows XP SP1? Windows 95? Windows 98? No, wait... Windows 3.11? Oh, I know! Windows 2000 SP3! Or was that Windows 2000 (Post SP4) Update Rollup 1 for W2K ver 2?
The related article didn't seem to mention what exactly constituted an "unpatched Windows system."
"I like those odds."
The article recommends using a NAT firewall and a correctly configured personal firewall, and of course that's a good start (NAT is evil, but is generally a good starting place for devices that aren't running servers, and until you've got your system running the current patches, you don't want to be running servers at all, and even after that many client-like things work adequately behind NAT.)
But does anybody have any estimates of how long an unpatched machine will last behind a dumb NAT firewall? Are you ok at least until you've installed the standard patches for Windows (or your favorite Linux) and your favorite applications?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I keep hearing on /. about how slow Windows is. Now it turns out that Windows is very fast.
I never patch my Windows unless it's a service pack and I run just fine... Always have my antivirus running and Windows Defender with a router with a built-in firewall... No complaints for the 7 years since I built my PC....
I think the Time to Infection on a college network is like... 45 seconds.
You can bundle all the patches & service-packs you want into a slipstream image and install everything at the same time.
Otherwise, there's WSUS (http://en.wikipedia.org/wiki/Windows_Server_Update_Services).
(Not that I disagree XP was horribly insecure when it came out)
throw new NoSignatureException();
At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.
When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.
In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").
The source for this post seems to be lacking on quite a few fronts when explaining how they arrived at this data.
- (As pointed out already by numerous posters) Which version of Windows are they using?
- What activity are they using the computer for?
- Who are the "all" in "placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas" ?
- How unpatched is unpatched? Is this a version of the OS that one needs to deliberately search for or if I go and buy a boxed version of the OS there is a pretty good chance it will be just as "unpatched" ?
The "piece" raises more questions than the answers it provides.
There are exploits that don't require any interaction of the 'former owner' of the machine.
So, why have I been using Windows for 12 years with no antivirus, and have never gotten a virus? At one time I had a DSL connection at work with no NAT and didn't have any problems there, either.
These tech people from Comcast or SBC tell you to plug your machine directly. Maybe they work for the people who run botnets?
A spit on them. They seem to be as incompetent as the 'Geek Squad'
Fight Spammers!
That should be Time-To-Pwn. You're welcome.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
While the laptop itself has very little internet presence (just downloading patches, drivers and s/w updates) I've occasionally remote-mounted its disk to another box that runs Norton. I've never detected any spam, viruses, trojans or other nasties.
My conclusion is that with some basic precautions and common-sense (plus no email and only visiting "well known" websites) it's quite feasible to run a windows box for dedicated applications 24*7 without the overheads of virus protection.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Unpatched systems with no protection are easy to infect - this is not news.
If you mod me down, I will become more powerful than you can imagine....
Why does my IT guy always say PwN3D? he actually pronounces the "3" in klingon. Does this somehow relate?
Who ever sets up a Windows PC with a direct internet connection? Being behind a NAT will cover the drive-by attack issue perfectly adequately, and whilst it was common a few years ago for consumer broadband companies to supply USB broadband 'modems' which did connect directly, in practice now this is rare as most now use a pre-configured (generally wireless) router.
Whether we like it or not MS is slowly but surely on their way to strong-arming everyone into running Vista. I don't care about XP anymore. What is the TTO (time to ownage) for Vista?
I'll believe Windows is getting more secure when I start getting less spam in my inbox.
This is about worms and such that spread across the internet, not about trojans and viruses people download. After all, I could surf Google for years without ever getting a single virus and go to a .ru site and be infected in seconds.
No, the 4 minutes is for a windows PC directly connected to the internet (no router in between) doing nothing but being connected. What will happen to a lot of people who just bought a new computer and are using a direct connection to the internet like many a cable company offers.
If your connection to the internet has only ONE ethernet port or is a USB modem or something similar this means you.
ADSL typically uses routers in my experience (more than one computer can be connected) and this effectively closes off your PC from the internet, meaning it can't be contacted.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
4 minutes eh? I've seen XP installs (Pre-SP1) get owned during the install process!
The game.
Also, this really undercuts the notion that Linux has a lower cost of ownership. I mean, Windows computers are getting owned for *free* and it only takes a few minutes online!
A TCO like that is just incredible!
But then you might just want to install Linux instead.
... you are infected and there is no more "time to infection".
Does putting it behind NAT entirely protect it?
Or are there worms out there that can bypass that?
Now this is indeed funny tbh
Imagine you have a fresh install of windows XP because it crashed the hard drive or something like that, you are on holidays and the only connection you have is a wifi up link with limited bandwidth.
This could (or prolly will, like proven in the test) lead you to getting owned by several trojans, exploits or whatever you name it.
Now how could you ever, when only having an uplink without any blocking/firewall mechanisms on hand, get updated with the right patches.
I guess the only solution is to not do this.
Now I don't use the XP firewall, but use NetLimiter Pro for firewalling and bandwidth shaping. I truly wonder if this is good enough, since I mostly sail through the year and my only connection uplink is through wifi (which is as open as it can get).
About all of my connections run through an OpenVPN server which I run at home, but of course, the first step in the process to get a connection is getting an IP address and starting the tunnel. From that point on I suppose it is secure since all traffic from that point on is through the tunnel.
But then again, if it gets compromised before the rerouting through the tunnel starts, everything is screwed, or isn't it? Now once compromised, everything, including the trojans and such, will go through the tunnel and I'm still screwed, right? Although from that point on there won't be any new trojans/exploits/... since the firewall on the other end will block them, but wait again, if the trojan is already inside, it still can open a connection and start transferring new ones to me...
I guess I got a dutch saying here, the chicken and the egg problem, running round in circles...
So to get it all done, this means I have to get a dvd filled up with patches to make sure I can update/fix all the holes before getting online. But wait again, to activate the XP I have to get online, or pick up the phone to dial Microsoft to get it all activated.
Ahhh, nope, XP has this firewall activated by default.
Or is it not?
If it is activated by default, not patched, but a clean install, it still has this truck load of vulnerabilities?
Just wondering.
Solution: don't do it.
The point is not that there are bad people, or 'bots, about, it's that there are still a few individuals who are either too lazy or haven't been educated in the hazards of leaving their PCs unguarded. In time they will learn the hard way - or be taught (or possibly punished, as this weakness affects not just the person who's PC it is) that they will take a loss if they don't or "forget" to take the proper precautions. You can build better security into an O/S, but it still requires the people to actually use it: the problem is more an educational issue than a technical one.
It took about 2 minutes the last time I remember this was *accidentally* tested on our /16 network (XP SP2, way down in mid-2006).
But this is not a Windows problem per-se. Any other OS, in a post-install state, will eventually get compromised. It's just a matter of time.
Solution: build + patch + secure offline, then deploy.
So what? I'm not sure what this is telling us that we didn't already know. It's like removing the airbags and seatbelts from a car, putting a person in the drivers seat, putting the car in drive and letting the car go without the person intervening. Eventually the car is going to come in contact with something and the person is going to be harmed. This is obvious. Throwing an estimated amount of time onto it doesn't tell you anything useful.
Running the test with a fully patched install, that's usable information.
I actually forgot my car keys in my car overnight once and nothing happened. Well, this isn't LA downtown. I live in one of the cities with the least crime overall.
The problem is, with the internet space means nothing. You essentially automatically live in all the worst cities at once, they're all right in front of your doorstep.
That's what most people forget when they deal with the internet, especially if they live in a sheltered community where it's safe to walk the streets at night. They're not used to pondering being mugged any second. But that's exactly what happens on the internet, you live in the worst kind of neighborhood, anyone out there who wants to do something bad to you is camping right in front of your door.
Don't feel special, though. They camp in front of everyone else's door at the same time.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That bugs come in through open windows......
da da da dum indeed.
I recall a former boss's computer getting compromised during the installation. It was either NT4 or 2000 server. I'm not sure his disk (most likely an MSDN disk) had any service packs on it. (this was late '03.) It was beyond the firewall, naked on a Bellsouth DSL line.
I also recall a friend (sysadmin) had his linux (redhat 6.2 maybe) machine compromised within a day of installing it. I don't know if it was within 4min or 16hrs; the next day we noticed it was scanning the network. That was a "naked" workstation on an ISP's core network -- no firewall of any kind. That was 7-8 years ago, and we still kid him about it.
The T1 at the office was seeing about 100 probes per minute years ago when I cared enough to log all that shit. The DS3 was seeing just as much crap the instant it was turned on a few months ago. (seeing how the morons setup that router (cisco), I wouldn't be surprised if people have broken into it -- with no logging turned on, how would anyone know?!?)
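The "100 probes per minute" figure above is exactly the kind of thing a host or gateway firewall log will show you if logging is turned on. As an added example (not the poster's router or logs), the script below parses a handful of constructed lines written in the W3C-style layout used by the XP SP2 Windows Firewall log (pfirewall.log, with its `#Fields:` header) and reports inbound drops per minute, which destination ports are being hit, and how many distinct sources are behind them. The addresses are documentation ranges and the volumes are invented; on a real line you would expect far more.

```python
"""Count inbound probes per minute and per port from a firewall log.

Added example, not the poster's logs. LOG is constructed in the layout of
the XP SP2 Windows Firewall log (pfirewall.log): a '#Fields:' header names
the columns, then one space-separated record per line.
"""
from collections import Counter

LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-07-14 10:00:03 DROP TCP 203.0.113.7 198.51.100.20 3427 135 48 S 1234567 0 65535 - - - RECEIVE
2008-07-14 10:00:09 DROP TCP 203.0.113.9 198.51.100.20 1052 445 48 S 2345678 0 65535 - - - RECEIVE
2008-07-14 10:00:41 DROP TCP 192.0.2.44 198.51.100.20 4001 135 48 S 3456789 0 65535 - - - RECEIVE
2008-07-14 10:01:02 DROP UDP 192.0.2.81 198.51.100.20 1234 1434 404 - - - - - - - RECEIVE
2008-07-14 10:01:15 DROP TCP 203.0.113.7 198.51.100.20 3428 139 48 S 4567890 0 65535 - - - RECEIVE
2008-07-14 10:01:30 OPEN TCP 198.51.100.20 198.51.100.1 1025 80 - - - - - - - - -
2008-07-14 10:02:07 DROP TCP 192.0.2.44 198.51.100.20 4002 445 48 S 5678901 0 65535 - - - RECEIVE
"""


def parse_log(text):
    """Turn the log into a list of dicts keyed by the '#Fields:' names.
    Lines whose column count does not match the header are skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def inbound_drops(records):
    """Only packets that arrived from the network and were dropped."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def probes_per_minute(records):
    """{'HH:MM': count} of inbound drops, i.e. the probe rate."""
    return dict(Counter(r["time"][:5] for r in inbound_drops(records)))


def targeted_ports(records):
    """Which (protocol, destination port) pairs the probes are aimed at."""
    return Counter((r["protocol"], r["dst-port"]) for r in inbound_drops(records))


def distinct_sources(records):
    """Sorted list of source addresses seen probing us."""
    return sorted({r["src-ip"] for r in inbound_drops(records)})


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("probes/minute:", probes_per_minute(recs))
    print("ports hit:", targeted_ports(recs).most_common())
    print("sources:", distinct_sources(recs))
```

Even on this toy sample the port breakdown tells the story: the traffic is aimed at 135, 139 and 445 (RPC and SMB), which is the same surface the pre-SP2 worms exploited, plus the odd UDP 1434 packet. The outbound OPEN line is the box's own traffic and is correctly left out of the probe counts.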
Can you trade in your OEM XP (SP1) disk for a new shiny XP SP2 or 3?
No.
In fact, because it's burned for a specific machine, you can't even slipstream.
So the antipiracy doodad is the problem here.
A stock install pre-SP2 XP is easy to own in a few minutes without user interaction, because there are vulnerabilities in some of the services that listen on the network. That it is not news, that's ancient history. Whether it's owned on average in 4 minutes or 16 is pretty much irrelevant.
Stock SP2 has a built in firewall. If that's exploitable without user intervention (installing apps also counts, as they might disable it, or at least open more ports in it), that would be big news. But I can't really find the configuration details of the "unpatched Windows PC" in the articles.
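The distinction drawn above (services listening on the network versus a box with a firewall in front of them) is something you can verify rather than assume. The following is an added example, not code from the page: a minimal TCP connect check that reports which of a list of ports actually complete a handshake on a host. It probes 127.0.0.1 and binds a throwaway listener of its own so the positive case is visible offline; the port list is a constructed one covering the RPC/SMB ports that the pre-SP2 worms went after.

```python
"""Which TCP ports on a host accept connections right now?

Added example, not code from the page. Pre-SP2 XP listened on RPC/SMB
ports by default, which is what made it exploitable without user
interaction; checking what actually answers before a box is exposed is
the practical test. LEGACY_WINDOWS_PORTS is a constructed, illustrative list.
"""
import socket

# Ports worms of the XP era targeted (constructed list for this example)
LEGACY_WINDOWS_PORTS = [135, 139, 445, 1025]


def open_ports(host, ports, timeout=0.3):
    """Return the subset of `ports` that complete a TCP handshake on `host`."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno otherwise (no exception)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def demo_localhost():
    """Bind a throwaway listener so the scan has a positive hit, plus a
    port we bound-then-released so it is almost certainly closed.
    Returns (listening_port, released_port, ports_found_open)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        result = open_ports("127.0.0.1", [open_port, closed_port] + LEGACY_WINDOWS_PORTS)
    finally:
        listener.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    o, c, r = demo_localhost()
    print(f"listener on {o}: found={o in r}; released port {c}: found={c in r}")
    print("legacy ports open on localhost:", [p for p in r if p in LEGACY_WINDOWS_PORTS])
```

Run from a second machine against the box under test, the difference between a stock pre-SP2 install (135/139/445 answer) and the same box behind a host firewall (nothing answers) is immediately visible, which is the concrete version of "is it exploitable without user intervention".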
http://xkcd.com/350/
Slashdot the spammers!
Lock the wife and the dog in the boot of the car.
Return one hour later.
Who's happy to see you?
This is just yet another FUD to get people to use VITSA.
Don't get me wrong I dislike any microsfot product as much as the next guy.
But I'd rather have microsfot continue developping windwos PX then have everybody be FUDded into buying VITSA and giving Microsfot even more undeserved money.
But it would seem that now that microsfot' FUD machine is no longer effective against the likes of Ubuntu, they are using the same tactics towards thier own biggest userbase. Chapeau microsfot, here's to your own pawnage, by your own means, what am I saying, by your own FUD network.
Look at the giant snake eating it's own tail.
I'm sorry, but if you take your average Linux distribution, you will see this won't happen.
For a company with so many resources (read: money) they keep messing up in a big way.
New things are always on the horizon
From my experience a lot of people connect to the internet through their modem/router/gateway instead of a direct connection, this usually means NAT. Even though it is interesting to see how quickly an unsecured system can become hijacked, I wonder how many people are still connected directly to the internet?
can I clear something up: is this only for PCs directly connected to internet i.e. their IP address is their public IP?
As any PC behind a NAT (without static mappings) cannot be directly targeted by a connection initiated from the internet.
Of course the internet facing device itself is another matter....
Or am I mistaken?
Would be interesting to do the same for 5 years-old Linux distros and MacOSX... Anyone has tried it?
Well, I actually measured it on a friend's Windows XP on which I stupidly forgot to enable the built-in firewall after the Windows installation. It was a 56K modem-connected machine; it took 1 minute to get the "This system is scheduled to shutdown in 1 minute" Blaster thing.
Modem connected machines are in bigger danger since there is no firewall in modem.
Well, it's only a problem if you're (A) fucking stupid, or (B) a troll or security company trying to get some attention. (The difference between trolling and PR can be awfully subtle at times.) Well, not meant personally, but rather the generic "you".
The fact is, you can't even buy a computer nowadays without at least SP1 on XP, or Vista, both of which come with a firewall activated by default. To be unprotected on the Internet like that, you'd actually have to disable it. It's not something that every user will do, and right before downloading the patches, no less. Even if they were completely retarded, well, then they'd be too retarded to find that option.
Even in pre-SP1 XP or even on 2000, you have a little known option to not allow incoming connections. I think it's there even on NT. On 2000 it's under the TCP/IP settings, Advanced -> Options -> IP-Security. It's the poor man's firewall, basically. Not a full fledged one, but it _will_ keep you safe while you download the patches. Yes, I did try it. It worked.
But even that won't be necessary, since (A) you can't even buy a computer with unpatched Windows 2000 nowadays, and (B) even if you somehow found yourself stranded somewhere with a pre-SP1 XP with the firewall suspiciously missing, most vendors include stuff like ZoneAlarm or some security suite. If your computer has a nVidia chipset, it has its own half-hardware/half-software firewall right on the drivers CD. Again, it defaults to be activated by default, so you'd have to be truly retarded and disable it before you even look for the patches.
If you have a 64 bit CPU, as the vast majority are nowadays, and XP SP1 or later, you can also make it use the NX flag. Basically then it can't execute the data segment. That takes care of pretty much all buffer overflow exploits right there, because that's how they work. By default it only checks the Windows kernel and IE, which is enough to get those patches safely, but I'd advise making it check all programs anyway.
Again, you can't even buy pre-SP1 XP nowadays, so you _will_ have that capability.
The fact is, I've been running an unprotected PC for the last 5 years or so, and I don't seem to have any infection. I don't see anything suspicious in the registry. My router led doesn't blink when I'm not browsing and in fact the router does disconnect some 10 minutes after I did anything. I haven't had any extra charges on my credit card. I haven't had my WoW password stolen. So either I genuinely don't have anything bad on it, or it's awfully benign.
So basically this kind of statistics are just pure trolling. So someone took a computer on the net, and actually went and disabled the firewall and possibly the NX protection too. And whop-de-do, it got pwned. Big surprise. That doesn't mean anything about what will happen to the average user. It just means that some retarded troll (either fanboy or a security company's PR) found a way to fuck-up that computer to get a reason to whine, "OMG, Windows gets pwned." Well, gee, big surprise there.
A polar bear is a cartesian bear after a coordinate transform.
Will this be pwned the same way?
say run an unpatched Win98, Win2k or WinXP VM (VirtualBox or VirtualPC) inside a host box with its own personal firewall.
Will the firewall protect the VM, or will it be pwned just as fast because it's running on NAT and it's probably just the host VM software that's being monitored by the firewall?
http://www.object404.com
It's still not apples to apples. Yes, you can still buy XP, but you'll get XP SP2. It's hard to find even XP SP1 any more. Completely unpatched XP, would take some true dedication and ebay-fu to get at all. So, no, you can't buy a completely unpatched XP either. Not any more than you could buy an unpatched RedHat 8.
So whop-de-do, they prove that an OS you can't even buy any more, and just as unpatched as 5 years ago... still gets owned just as fast as it did before. Well, gee, big surprise there.
pardon my noobishness, but am not as well versed in basic networking... mostly work on web stuff and not mucking around with networks.
Um, no, it doesn't say that. They're _not_ saying that Vista still gets owned as fast as unpatched, pre-SP1 XP. They're saying that, basically, unpatched pre-SP1 XP is still getting owned as fast as... unpatched, pre-SP1 XP did. Well, gee, big surprise there.
It doesn't say anything about how much MS software improved in the meantime.
Basically, to take the mandatory car analogy, it's like saying that the original "unsafe at any speed" 1963 Corvair is... still as unsafe at any speed, as it was in 1963. Well, gee, that's such a big surprise.
Would you use that to claim that GM hasn't made any progress since 1963? No, seriously.
The fact your firewall was disabled shows you already did some interaction.
Win XP versions prior to SP2 apparently didn't always have the firewall switched on by default on install. I haven't used Windows except as a last resort since the 90s (read: before Windows XP even hit the market) and I usually run for cover when I am asked for tech support by a Windows user. Recently, however, I was forced to restore a Windows XP box for family members and apparently there are still plenty of pre-SP2 Win XP CDs and restore partitions around. The first thing I did after hitting the blue button on this IBM ThinkPad (Win XP SP1 IIRC) was to install malware protection software. I gave up on this approach after two of the anti-malware suites I tried to install caused a BSOD during installation. I ended up downloading the stand-alone Windows SP on an OS X box and then installing it on the XP box just to be able to install the anti-malware suites without getting a BSOD. The whole Windows restore/patching/hardening process took several hours before the machine was fully patched and internet safe and that didn't cover application installation and configuration. The only bright spot is that next time I can restore to SP3+ level from a binary image I created after finishing this agonizing process. If somebody held a gun to my head and asked me to pick between restoring another Windows XP box and taking a day trip to Gitmo for a waterboarding session I'd be hard pressed to decide which is worse.
Funny thing is that Zone Alarm has had some serious remote exploit vulnerabilities where if you hadn't installed a 3rd party FW in to your Windows XP computer, you'd be safe. Here's an example of one http://secunia.com/advisories/10921/. Windows XP, Vista, Server 2003 and 2008 Firewall has been rock solid and secure. You're simply talking out of your ass and you're giving the typical knee jerk reaction against Microsoft products. You do not have a single example of where Windows XP SP2 firewall is vulnerable to a remote exploit and there isn't a single example of hackers getting through it if all ports are closed.
Best thing to do is have a $20 router with NAT enabled by default. It allows you to share your Internet connection with NAT, automatically log in to your PPPoE account, give you a DHCP server, and give you a safe environment with all inbound ports blocked by default. Most Broadband services come bundled with a router/modem in a single device anyways and it's been a non-issue at least for AT&T DSL users since NAT is enabled by default. A lot of cable providers are also sending out routers with new service.
I do agree with you that downloading an offline SP3 installer is a good thing, though I would suggest that using nLite to slipstream it into a new ISO and CD is the best way to go.
If the internet is so f--- up that plugging a new computer onto it brings it under immediate attack, then, well, the good guys have -lost-.
It's really time to start unplugging bad guys from the internet period, applying stricter filtering at the ISP level, and more rigidly filtering countries who don't police their networks.
Five minutes to be attacked? The internet is LOST.
This is my sig.
I'm confused. No details given.
It'd be behind a NAT, so you'd basically be safe. (Of course you're never completely safe, but you have to pound hard to get through a NAT that doesn't have ports opened administratively.) The fact that it's VMWare providing the NAT doesn't matter; you'd see the same if you were to plug in a cable modem router.
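Two posts in this thread (the one asking whether a PC behind NAT without static mappings can be targeted from the internet, and the reply above about VMware's NAT) describe the same mechanism. As an added example, not code from the page, the model below implements a simplified stateful consumer NAT: an outbound connection creates a mapping, a reply from the same remote endpoint is translated back to the inside host, an unsolicited packet finds no mapping and is dropped, and a static mapping (port forward) is the one case where an inside host is reachable from outside. Addresses are RFC 5737 documentation ranges; the filtering rule (reply must come from the endpoint the inside host contacted) is an assumption about the gateway, and real devices vary.

```python
"""Stateful NAT model: why unsolicited inbound traffic never reaches an
inside host unless someone configured a static mapping (port forward).

Added example, not code from the page. Addresses are documentation
ranges; the gateway behaviour is a simplified consumer model where a
reply must come from the remote endpoint the inside host talked to.
"""


class Nat:
    def __init__(self, public_ip, static_mappings=None):
        self.public_ip = public_ip
        self.next_port = 40000
        # dynamic: (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.dynamic = {}
        # static: public_port -> (inside_ip, inside_port), i.e. a port forward
        self.static = dict(static_mappings or {})

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """Inside host opens a connection: reuse or allocate a public port
        and record the mapping. Returns the packet as seen on the internet."""
        for (pub, rip, rport), inside in self.dynamic.items():
            if inside == (inside_ip, inside_port) and (rip, rport) == (remote_ip, remote_port):
                return (self.public_ip, pub, remote_ip, remote_port)
        pub = self.next_port
        self.next_port += 1
        self.dynamic[(pub, remote_ip, remote_port)] = (inside_ip, inside_port)
        return (self.public_ip, pub, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Packet arrives at public_ip:public_port from remote_ip:remote_port.
        Returns the inside destination, or None if the gateway drops it."""
        if public_port in self.static:
            return self.static[public_port]          # port forward: exposed
        return self.dynamic.get((public_port, remote_ip, remote_port))  # None if unknown


def scenario():
    """Worm probe vs. a Windows Update reply vs. a port-forwarded RDP box."""
    nat = Nat("203.0.113.50")
    worm = nat.inbound("198.51.100.77", 3427, 135)              # RPC probe: no mapping
    pub = nat.outbound("192.168.1.10", 1025, "192.0.2.5", 80)   # PC fetches patches
    reply = nat.inbound("192.0.2.5", 80, pub[1])                 # server reply: delivered
    hijack = nat.inbound("198.51.100.77", 3427, pub[1])          # other host, same port: dropped
    forwarded = Nat("203.0.113.50", {3389: ("192.168.1.10", 3389)})
    rdp = forwarded.inbound("198.51.100.77", 5555, 3389)         # static mapping: exposed
    return {"worm": worm, "reply": reply, "hijack": hijack, "rdp": rdp}


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:7s} -> {'DROPPED' if outcome is None else outcome}")
```

The model makes the thread's caveats concrete: the inside PC can pull patches because its own outbound connection creates the mapping, a scanner hitting port 135 on the public address gets nothing, and the moment someone adds a static mapping the inside host is exactly as exposed on that port as if it were plugged in directly. What the model does not cover is the gateway itself, which is reachable from the outside and has to be kept patched too.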
And the argument goes like this:
If you buy a Windows PC, you (hopefully) get a restore disc. This restore disc is locked in time and is your only avenue for reinstalling the OS, short of buying another copy of Windows. Every time you have to reinstall, you are more vulnerable because more exploits exist while your restore copy has not improved. You must go online to get up to date which will take longer as you get further behind in patches. So, your odds of ownage go up every time you have to reinstall.
With open source, you can always reinstall with a recent version of your OS at no extra charge.
This is for an UNPATCHED version though; I fail to see how they "keep messing up" when in fact a patched version of XP doesn't have this problem.
Really? So if I install Red Hat 7.2 I will not get owned?
The software is over 6 years old and plenty of vulnerabilities have been found and patched.
The article is light on details, so I am assuming they are not using XP SP2, which has the firewall turned on by default.
XP Release Date October 25, 2001
Red Hat 7.2 Release Date October 22, 2001
There are still hosting companies that offer virtual machines and even complete servers with Red Hat 7.3
So I would be interested in the time it takes for that one to be infected.
Do they even give patches for that any more?
I am not trying to say Linux or Windows is safer. I am just trying to say it might not be wise to put an unpatched machine on the net without a firewall to download patches. Regardless of the os.
Hmm.. why "ISP Netblock" ? does this mean that if I'm behind a PA block I am more in danger than behind a routable PI block ?
--Ivan
If you use windows you need to die.
So basically, my Windows Box will be pwned before I even get to the login prompt?
nice..
an unlocked Car is liable to be stolen.
except when the car is in a locked garage.
Back to TFA :
- ISP should react and only provide routers with decent security : with built-in firewall enabled by default. No more dumb modems given out to clients.
This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. {...} Luckily, Linux is pretty good at not getting owned so it's a bit of a non-issue at the moment, but I dare say it's only a matter of time before someone starts targeting them as well.
- The fundamental difference is that on almost every Linux CD, be it install CD or rescue CD, absolutely *ZERO* services are running and listening. The only contact between the box and the intertubes is done using a fucking simple downloading program that only downloads packages from (user-specified) repositories. Unless the network stack itself is bugged, there's no entry point for a potential exploit.
All installers first give you the opportunity to download upgrades (or even use update repository during installation) and first require you to setup user password, and only then let you open ports on the firewall (closed by default) and start services (even SSH).
And this has been the situation for several years.
You can plug a freshly installed and not yet patched Linux into the internet and nothing will happen because, well, "the cable is plugged in" pretty much sums it up and nothing else is happening. No exploitable daemons, not even ssh unless the user starts it.
A fundamental bug in the network stack itself is pretty much the hacker's last hope. But those don't seem that frequent in the Linux kernel.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I was setting up my home system after reinstalling Windows (probably SP1 as this was a while back), and had the system connected to my cable modem directly. And almost immediately after booting my system I started receiving messages through the alert (messenger?) service about all the wonderful things I could buy from someone or somesuch thing. So I can completely understand how something worse could happen.
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
... with a capital 'P'
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
That's just irresponsible netizen-ry. How could you suggest such a thing. In fact suggesting such a thing could be seen as trying to coordinate a DDoS.
I, on the other hand, was more than happy to visit their home page and see what they had available. For some reason, however, I had to keep reloading to try to get proper page display. This could have been my browser or their site, not sure. After... 50-100 attempts at reload correction, I gave up. Oh well. I sure hope no one else has this problem.
The problem is that people know that not leaving their keys in the ignition is a no-brainer. What they don't know is how to be safe online, because it's not as intuitive.
"Computers are useless. They can only give you answers." - Pablo Picasso
Yep, I own a very old XP pre-SP2 install CD. I was reformatting an old box of mine and forgot to download SP2 (this was before SP3). No big deal, I'll just get the network install off Microsoft's site. Bad idea, within minutes I was infected with all kinds of stuff. I ended up reformatting and downloading the patches off my linux box. I really need to learn how to slipstream my install disc...
If the internet is so f--- up that plugging a new computer onto it brings it under immediate attack, then, well, the good guys have -lost-. It's really time to start unplugging bad guys from the internet period, applying stricter filtering at the ISP level, and more rigidly filtering countries who don't police their networks. Five minutes to be attacked? The internet is LOST.
!SIGH! The machines running the attacks are unpatched Windows XP boxes that have already been infected
This is happening because Microsoft shipped a version of Windows with services (designed with little or no consideration of security) turned on by default, but without providing any form of firewall.
!YES! This was a long time ago, but the effects are still being felt. This is not your ISP's fault. It IS your beloved Microsoft's fault.
How would you feel if your ISP kicked you off the internet because you are using a badly made operating system? That's what the end result of your proposal would be. Unpatched Windows XP users would get kicked off the internet. That would probably solve the problem, and I can definitely see an argument for it, but I don't think that was what you really meant, was it?
thx e
I have seen the same thing. Sometimes it is almost "instant". As soon as the computer is recognized, within a minute, attacks begin. As indicated, it usually does not require any interaction at all.. Gee, gives PnP a new meaning. I would give an educated guess that your connection has a lot to do with it.. Static vs Dynamic, known services running on the same IP.. It is fun to build a machine, install a Windows flavor and DMZ it just to see what happens. It is also a great "show and tell" tool for the virtue of a Linux distro over Windows.. "Watch this"
But yeah, while I lived in a seedier area of town at the time, "seedier" doesn't mean much in a rural Midwestern city.
Take it to the limit, everybody to the limit, come on, everybody fhqwhgads.
MS should just save everyone time and sell Windows pre-infected.
Not true at all. It's a common misconception that NAT protects anything at all. Why so?
NAT uses translation routing based upon multiple inside computers to one outside address. The key here is the NAT device does NOT reconstruct packets if they are heavily fragmented. Even upper end Ciscos and Junipers are vulnerable to fragment based attacks.
The key is you construct an IP-IP tunnel to the target victim, try to guess the internal IP addressing scheme, and then use a program called Fragrouter to properly "make mal-fragmented packets". Once you do this, it will hop over damn near every router.
I think there's a setting in IPF that forces reconstruction before passing packets. That's the only defense, along with a proactive filtering in both directions.
nt
A year ago, the time it took to download ZoneAlarm was shorter than the time it took to own your box.
Luckily, I carry the latest version of ZA in my mp3 player just for this reason.
Thanks for those links - I'm burning an image to CD right now. But where does Microsoft publish the md5 hash so I can make sure what I downloaded is what it should be?
This is happening because Microsoft shipped a version of Windows with services (designed with little or no consideration of security) turned on by default, but without providing any form of firewall.
My point is that we should have a national infrastructure where someone could plug their computer into the internet, regardless of operating system, and suffer no attacks at all. Consumers should not be forced to buy anti-virus software or firewalls or even have to worry about security. Your argument essentially says that consumers who pay for operating systems, be it indirectly via services or EU taxation, in the case of Linux, or through a PC tax in the case of Microsoft, should be required to pay in both inconvenience, and costs.
And why is this so? This is happening because a minority of users want to have an Internet that is universally open and world wide, and that they want to have all internet traffic remain essentially anonymous.
So, so that a minority of users can anonymously talk to Russia (which originates many of the bots), we have an entire internet where the western world has to have every citizen under continual assault.
I would argue that many people would be willing to trade anonymity for internet security in a heartbeat, and so, to an extent, the internet policy we have is entirely undemocratic.
So no, it is not Microsoft's fault that Windows is under assault, any more than it is the fault of a man walking down the street without a pistol for getting robbed. It is the fault of the people that built the internet, and say, hey, let's plug in a bunch of countries that have no laws and no values into it, and we've been paying for it ever since.
Imagine how many more choices we might have in operating systems and network services, if in fact, we did not have to worry about security up and down the entire stack.
It's too much money. Kick Russia off of the internet.
This is my sig.
I don't think it gets much easier than this:
What Is Service Pack 3?
Read the XP SP3 white paper.
Steps to take before you install SP3
Download SP3 from Windows Update
Order SP3 on CD-ROM
Download and deploy SP3 to multiple computers [Network Installation for the IT Professional]
Free [basic] unlimited installation and compatibility support
---your choice of e-mail, online chat, or toll-free telephone.
TTY/TDO service for the hearing-impaired
"The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall"
No firewall? Like the one *built in* to windows?
No NAT? Like the ones used for damned near *every* DSL connection and easily over 80% of Cable connections?
Ahh... nothing like some totally unrealistic anti-MSFT BS to get the morning started....
Bah,
We all know that Microsoft Windows has a lower Total Cost of 0wnership
Ubuntu is an African word meaning 'I can't configure Debian'
If Microsoft set every fresh Windows install to connect to only Microsoft.com on the Internet until either Microsoft.com, or the console, or some other specific named/numbered host said that Windows is "safely* patched", then this race condition would not be a problem. They could allow the "patch lock" on network access to be released by the installing operator at the console, or that operator could set a pointer to some other machines allowed access, or Microsoft.com's patch servers could send a list of servers. All other network access would be locked out until someone authorized said the machine was ready to connect to the general network/Internet access.
Such a revision should take a couple of Microsoft programmers a week or so to implement and test. Of course, if Windows were OSS, then anyone in the Microsoft developer community could patch Windows to work right. And anyone could inspect that patch to ensure that it worked right, before trusting it not to be just another security hole.
But of course, Microsoft is so far from anything approaching real openness or modern security practices that its fundamental insecurity in an Internet environment is one of its basic features. Its most prized feature on the hundreds of millions of machines compromised worldwide, many the first time they're connected to the Internet, among the bad guys out there who love Microsoft's closed and counterproductive "security" practices even more than Microsoft loves them.
(* OK, Windows is never "safely patched", but it's a start.)
--
make install -not war
I just patched my wife's XP box last week - the previous update was applied January 10th, 2006. It has been continuously hooked up to DSL or cable broadband for the last 7 years.
My wife browses the web via Firefox for about 3 hours a day on average, and has received tens of thousands of e-mails (spam content in the 10-20% range) into Eudora in that time (more in Yahoo mail - spam content 99%+ in yahoo). I used to run Zone Alarm occasionally if I got paranoid, but it has been disabled most of that time - it never found evidence of active malware. I have only run Trend-Micro's housecall web-based virus checking software on that machine a couple of times in the last 7 years (including last week) - it has never found an active infection, though it did turn up hundreds of viruses in e-mail attachments, and bitch about the missing patches. No other virus protection software is used, and windows software firewall is always disabled.
We have three Wordpress blogs, and one of them got minorly 0wn3d by a worm (and subsequently flagged as a malware site by Google) - that's what got me paranoid and checking the XP box for infections - none found.
If you have a simple hardware firewall, and you're not an idiot about downloading executables or opening strange attachments (as my wife apparently is not) - the time to 0wnage is measured in years.
I'd be curious to see the same issue done on, say, version 1.0 of Ubunghole Lunix or something, perhaps even Leoptard 1.0 (if they can get it to work without blue screening).
Really? But how can I be sure this is not fraud? Maybe these people are thieves? Maybe they sell counterfeit glass beads? And can you prove they're not funding terrorists in order to assassinate President Bush with a radioactive dirty bomb, or perhaps even poison?
Those filthy spammers ! I sure hope they'll get the bad reputation they deserve !
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Last XP install I did was last fall on the home computer. Even before working behind a router, the usual procedure for me, with the pre-SP2 XP install CD is:
1. Keep computer unhooked from the internet during installation from CD
2. "Activate Windows Later" - not even trying this yet.
3. Under local area connection > properties > advanced > Windows Firewall (I think) - enable this sucker. Again, pre SP2 firewall.
4. Go directly to microsoft.com, do not pass go, do not collect $200 - start updating, get the SP2 firewall up. You can also activate windows at this point.
5. Update everything else.
Again, YMMV, but this has worked just fine for me.
So what procedure requires me to leave my key in the ignition?
If you can't connect to the net without updates, and you can't update without connecting to the net, what is your suggestion? Surely not keep trying till you hit the lottery.
Did you try holding down "Ctrl" while you reloaded? That way you know you're getting the latest version of the page instead of just checking against the cache.
You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
Really? So if I install Red Hat 7.2 I will not get owned?
I can't think of any version of linux current enough to even still have security support that will get owned between the time you connect it to the net and the time the security updates are complete.
A much fairer test:
Unbox machine.
Plug it into a NATted network.
Turn it on and log into Windows. If your computer asks you questions during setup, take all default options and enter reasonable but naive replies to questions that don't have defaults.
Start the stopwatch.
Walk away.
If the system fully patches before you are owned then it's a good sign.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Microsoft has released SP3 as an ISO image that can be conveniently burned to disk for offline installation and "YES" I have a copy of the ISO along with several copies of the burned disk to give to friends on dial-up.
Mod me up/Mod me down: I won't frown as I've no crown
Irresponsible? They contacted you using your bandwidth and Slashdot's. I think that's a pretty clear invitation. No language in the invite indicated that there were rules to follow or that you were expected to purchase anything.
In fact, they told us about their web. If it's anything like the other (WW)web then there's a ton of stuff there, including porn, if only we dig deeply enough. We can't disappoint them by not playing with it.
BTW How long until people buy crappy ads for the competition (anonymously, like spam must be paid for) just to make them look bad?
I was prepared to argue with you until I thought about it for a minute. What you're saying is really worrisome and it sounds plausible on the face of it. However if it was really that easy almost every machine on the Internet could be rooted with almost no effort.
Where can I learn more about what you are talking about?
Such a revision should take a couple of Microsoft programmers a week or so to implement and test.
I don't do Windows, but I'll venture a guess that this could be done with firewall settings and would take a couple of hours.
Of course, if Windows were OSS, then anyone in the Microsoft developer community could patch Windows to work right. And anyone could inspect that patch to ensure that it worked right, before trusting it not to be just another security hole.
And then they'd spin off their own Windows distro. Microsoft would either have to catch up or go broke when the new, secure version hits the market.
Ain't the free market great?
Have gnu, will travel.
# Automatic fragmentation reassembly - Connection tracking automatically reassembles fragmented packets for examination.
Hey all...
During the blaster/codered days, I witnessed a win2000 (yeah, slightly off topic, I know) workstation fall victim DURING THE INSTALL (prior to install completing / prior to the first real boot into OS). This occurred shortly after the network configuration etc screen that is displayed after TZ / regional configuration...
reminds me of some multiplayer-game respawn location exploitism (don't remember which game[s])
There really isn't any "manual" you can learn about this kind of stuff. However, we all have the toolkit to test and investigate with it at our homes.
1. Search fragrouter in google first. All hits on front page are on topic. Get it and compile cleanly. I prefer Debian, but works for all Linux.
2. Go buy a router from any ol box store. I prefer the WRT54G ones that can be modded to run either DD-WRT or OpenWRT.
3. Get some test machines up and running, including a separate machine running DHCP on the "Internet" side of the router. You'll want to fake an internet connection with this, so tell the router to pull DHCP from the "Internet" box. The Internet Box is your attacking machine. You will want to set up NAT if it's not already.
4. Set up fragrouter and proper routing utils on the attacking box ("Internet" machine). You can use your real network as the attacked network, as you won't cause damage. fragrouter has something like 14 options of bad routing. You can use this in conjunction with other routing daemons and others that exploit active services already existing on the el'cheapo router.
5. Since you have inside knowledge about your network, you can easily guess the subnet mask and ip addressing scheme and "hack through" the NAT.
I've done precisely that on many routers, including mid-range Ciscos. And as I said before, the only machines that are immune from fragmenting attacks are ones that piece back together packets before they are passed on to the internal network. OpenBSD, FreeBSD, and Linux can do this reliably ONLY with a large amount of RAM and a fast CPU.
Good Luck.
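The defence the two posts above agree on (a filter that reassembles fragments before passing them on sees exactly what the end host will see, while one that forwards fragments blindly can be fooled) as an added Python example, not code from the thread or from fragrouter: a small IPv4 fragment reassembler that refuses overlapping or malformed fragments instead of guessing how a host would resolve them. The `Fragment` class, the `Reassembler`, and the constructed sample datagram are assumptions of this example, not anything a poster described.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    """One IPv4 fragment, reduced to the fields reassembly needs (constructed type)."""
    ident: int      # IP Identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's data (header field * 8)
    more: bool      # More Fragments (MF) flag
    payload: bytes


class ReassemblyError(ValueError):
    """Raised when fragments cannot form one unambiguous datagram."""


class Reassembler:
    """Reassemble fragments per datagram and refuse any overlapping data.

    Refusing overlaps is the conservative policy (RFC 5722 mandates it for
    IPv6): overlapping fragments have no legitimate use, and resolving them
    differently from the end host is what fragment-based evasion relies on.
    """

    def __init__(self, max_datagram: int = 65535) -> None:
        self.max_datagram = max_datagram
        # ident -> {"parts": [(start, data), ...], "total": length once the final fragment is seen}
        self._pending: dict = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the datagram once complete, else None."""
        start, end = frag.offset, frag.offset + len(frag.payload)
        if frag.more and (start % 8 or len(frag.payload) % 8):
            raise ReassemblyError("non-final fragment not aligned to 8-byte units")
        if end > self.max_datagram:
            raise ReassemblyError("fragment extends past maximum datagram size")
        state = self._pending.setdefault(frag.ident, {"parts": [], "total": None})
        # The key check: any overlap with data already held is rejected outright.
        for held_start, held_data in state["parts"]:
            held_end = held_start + len(held_data)
            if start < held_end and held_start < end:
                raise ReassemblyError(
                    f"id {frag.ident:#x}: [{start},{end}) overlaps held [{held_start},{held_end})")
        if state["total"] is not None and end > state["total"]:
            raise ReassemblyError("fragment extends past the final fragment")
        if not frag.more:
            if state["total"] is not None:
                raise ReassemblyError("second final fragment for the same datagram")
            if any(s + len(d) > end for s, d in state["parts"]):
                raise ReassemblyError("final fragment ends before data already held")
            state["total"] = end
        state["parts"].append((start, frag.payload))
        return self._complete(frag.ident, state)

    def _complete(self, ident: int, state: dict) -> Optional[bytes]:
        if state["total"] is None:
            return None
        parts = sorted(state["parts"])
        pos = 0
        for s, d in parts:
            if s != pos:          # gap: still waiting for a fragment
                return None
            pos = s + len(d)
        del self._pending[ident]
        return b"".join(d for _, d in parts)


def fragment(ident: int, payload: bytes, chunk: int = 8) -> List[Fragment]:
    """Split a datagram payload into well-formed fragments (chunk is a multiple of 8)."""
    if chunk % 8:
        raise ValueError("chunk must be a multiple of 8")
    return [Fragment(ident, off, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def reassemble(frags) -> Optional[bytes]:
    """Feed fragments in any order through one Reassembler; None if still incomplete."""
    r = Reassembler()
    result = None
    for f in frags:
        out = r.add(f)
        if out is not None:
            result = out
    return result


if __name__ == "__main__":
    # Constructed sample: a 28-byte payload split into 8-byte fragments, delivered out of order.
    good = fragment(0x1234, b"GET /index.html HTTP/1.0\r\n\r\n")
    print(reassemble(reversed(good)))
    # A second fragment re-covering bytes 8..16 is refused rather than passed through.
    try:
        reassemble(good[:2] + [Fragment(0x1234, 8, True, b"XXXXXXXX")] + good[2:])
    except ReassemblyError as err:
        print("dropped:", err)
```

A filter that forwards fragments without this step has to trust that the inner host will resolve overlaps the way the filter assumed, which is the gap the fragmenting tools exploit.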
not to burst your bubble, but M$ offers ISOs for SP3. Download it, and burn it on a disk. Alternatively, pay for shipping, and they will send you the CD.
A Good Troll is better than a Bad Human.
Security should never be stagnant, just as nobody should ever think "ok I'm behind a router, I'm safe", nobody should ever think "I'm running Linux, I'm safe".
I'm not saying that Linux has some magical power protecting it from ever being pwned.
What I'm saying is that, should the possibility of an exploit arise, the strategy employed in Ubuntu, openSUSE and SystemRescueCD (but apparently not in Fedora/CentOS, according to others in this thread) which doesn't open any service before the user has had an opportunity to set up and patch the installation, makes the box much less susceptible to being pwned during or straight after the installation.
The OP above was basically saying that it's an unfair test, because an un-patched machine is, well, unpatched and vulnerable, and that Linux could be vulnerable too given the big amount of old boot disk laying around.
I'm just pointing out the fact that *there are strategies* that almost completely (minus the in-kernel stack bug) remove the risk of such "pwned straight after installation" scenarios, simply by patching the machine first before exposing any pwnable service on the intertube.
Most Linux distributions and/or boot disks *are* following such strategies and are fundamentally hard to break.
Microsoft *is not* following these strategies and thus those "from install to pwn in 4 minutes" stories are a direct consequence of their poor choices.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
An additional rant:
Microsoft can't bend time and space and retroactively patch ALL XP disks every time they release an update?
No, they should have provided a way to easily get the updates *while* the system is installing.
Of course Microsoft will never ever be able to deliver a "download patches while installation is underway" installer, simply because this requires them to have a good, nice, decent package manager in the first place.
Not some brain-damaged system which is barely able to just add and remove icons on the desktop, and completely unable to actually remove unused components (like the several GiB worth of speech technology in Vista). Their excuse is probably that the OS is so tangled that it probably won't function anymore if the libraries happened to be removed, and probably huge amounts of 3rd party applications rely on obscure COM provided by those un-removable applications.
For now, using nLite/vLite is your best solution to remove components (and even has some limited form of dependency tracking).
And slipstreaming the updates into the install files before even burning them and using them to install a machine is the only solution to add patches before the system has finished installing.
That's hardly something an inexperienced user could do.
Meanwhile, under Linux, it basically amounts to *not* clicking the "cancel" button when the installer proposes to add updates into the list of repositories from which the package will be downloaded.
One more proof that good package management is something that is definitely missing in the Windows world.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
"I'm confused then. If what you say is so, and Microsoft's firewall is rock solid, then how could an unpatched Windows installation be pwned in less than four minutes as the summary says? I guess I need to RTFA (grumble mumble)."
Because they used pre-SP2 which is more than 4 years old.
You're wrong, Windows XP SP3 update does include SP2 stuff, but not SP1. When you use nLite, you have to roll in SP1 first and then SP3.
While they're at it, they should also try it with Windows 3.11. Hello! It's 2008 out there. How about you do the same test with Vista?
Try putting a raw Windows 2000 machine on the Internet. Pwnd in 10 seconds at my home IP addresses. It's not pretty.
1. Live CD don't have scores of services running
2. Live CDs run off of CD-ROMs. Hence the name: Live CD. You know what's great about CD-ROMs? They're READ ONLY.
This is what Microsoft's Steve Riley had to say about outbound protection:
There's an important axiom of security that you must understand: protection belongs on the asset you want to protect, not on the thing you're trying to protect against. The correct approach is to run the lean yet effective Windows firewall on every computer in your organization, to protect each one from every other computer in the world. If you try to block outbound connections from a computer that's already compromised, how can you be sure that the computer is really doing what you ask? The answer: you can't. Outbound protection is security theater--it's a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security. This is why outbound protection didn't exist in the Windows XP firewall and why it doesn't exist in the Windows Vista(TM) firewall.
Earlier, I said that the typical form of outbound protection in client firewalls is just security theater. However, one form of outbound control is very useful: administratively controlling certain types of traffic that you know you don't want to permit. The Windows Vista firewall already does this for service restrictions. The firewall allows a service to communicate only on the ports it says it needs and blocks anything else that the service attempts to do. You can build on this by writing additional rules that allow or block specific traffic to match your organization's security policy. Exploring The Windows Firewall
In one page, Riley covers quite a bit of ground.
Windows XP SP2 and up already enables the Windows firewall by default, and disallows any incoming connections, which is the most that can be expected.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
The system that restricts connections to other sites is the firewall. Exploits of that are already underway. What I described doesn't add any new vulnerabilities. It only reduces them. That's how security decisions work. They don't work by throwing up your hands and saying that any change, even one that just reduces access, increases vulnerability. And saying that the status quo is better than the improvement, when the status quo is unacceptable, isn't a legitimate security analysis either.
--
make install -not war
Throwing in a feel-good measure that doesn't actually improve security isn't a legitimate security measure. Just because the status quo isn't good doesn't mean ANY and all changes you can come up with in 5 minutes on a napkin are an improvement.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Maybe so. But instead of your purely theoretical abstractions, I actually described a security system that is what I personally designed for Northern Telecom and Microsoft almost a decade ago, before Windows Update copied the convenience features but not the closed system that's secure by default. We actually deployed our system in hundreds of public access terminals across Canada. So when I say that it would work for Microsoft, and what they'd have to do to make it work, it's because I spent a lot more than 5 minutes designing it (though we did use our share of napkins).
Compare that actual security analysis to the under 5 minutes you spent, without even a napkin, complaining about it without any factual or analytical basis.
Congratulations! You win the unacceptably bad status quo.
--
make install -not war
Such pessimism..
You also live in the best neighborhood too! Me and BillG sent our packets to the same high school.
The fact that you've deployed a system to install updates, doesn't remotely imply it was or is secure. Certainly, online threats have become far more advanced in the past decade.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
The fact that you're complaining without any specific details or other qualifications means that I'm not reading any more of your posts. I've become far more advanced in the past decade.
--
make install -not war
What is there to explain? The inherent limitations of "software firewalls" are very well-known. Without a separate (hardware) firewall, you simply can not possibly stop machines from being exploited.
Forcing someone to update as soon as the network is connected is still much too late. Your system gains nothing except a false sense of security, and monopoly lock-in (see alternatives like windizupdates.com).
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
The newer Windows Server versions do something very much like this. Even if they didn't, all versions of NT since 2004 have a firewall enabled by default - but yeah, XP SP1 and down were pretty bad.
There's no place I could be, since I've found Serenity...
A correct version would be to ask the startup questions "Do you want Windows to upgrade itself to the latest version during installation (Y/n)" and, on a Yes, ask "Where do you want to get the upgrades from? (Microsoft.com/other)". The defaults would behave like you asked, while still allowing people to patch from a local server or disk instead, or skip the updates entirely.
I do wonder why the activation of any network connection _during install only_ isn't delayed until appropriate basic firewall software is running and ready to monitor said connections. Once the install is completed, however, I don't want the boot process automatically killing all network connectivity if it gets its panties in a twist about version numbers or what software it thinks should be installed. That's my call to make, not Microsoft's.
That is why I said that the operator could control the access lockout from the console while running the installer.
--
make install -not war
They should go all the way, and make it simply like I said.
Funny how everyone screeching that this approach is impossible and useless doesn't even know that it's shipping right now. I guess some of the screechers are inside Microsoft, or it would just work the simple and open way that I described.
--
make install -not war