Unpatched Windows PCs own3d in less than four minutes An unpatched PC is likely to last just four minutes on the internet before being attacked and compromised. The time it takes for a PC to get itself owned varies by operating system and what activities a user engages in - but even allowing for this, putting an unpatched Windows PC directly onto the net in the hope that it …
OK, here we go again....
As you enter, please take a ticket. Please select one of the following.
1. "My Windows is better 'cos it's got the latest security patches straight from MS!"
2. "My Linux box would not get onwed, 'cos it's got open source code I can check!"
3. "My Apple box is rock solid and would never get owned, it's so secure!"
Thank you for your patience, your rant will be along soon.
"personal firewall before connecting systems to the net"
Prey tell, how does the average home user download the personal firewall (I'm guess they are on about standard, non SP2 XP machines).
Bit like the "Tech Support" pillock who many years ago, kept telling me to download the drivers for my modem, so that I could connect up...
"Security experts advise using a NAT (network address translation router) and personal firewall before connecting systems to the net"
Given that most Network Address Translation Router include a Firewall which stops traffic originating on the internet from reaching the internal network. After recently upgraded my Router/Firewall I can also limit the outgoing protocols that can be sent onto the internet. So what benefit is obtained by having a personal firewall?
Why put anything in an exposed position? If it's going to spend its life behind a hardware firewall anyway, why build it outside, and if it's not, then "(mis-)management" should be politely told that the machine will not be supported if it's not correctly protected. If it needs doing "ASAP" then it should have been planned sooner: your planning fuckup is not my emergency.
Several months ago out of curiosity I setup Windows XP SP1 as fresh install on VMware using a Debian host, XP was configured with a static IP set up in the DMZ. An Agobot variant owned its ass so quickly I actually laughed. I rarely ever find anything funny, as in funny ha ha, about using a Microsoft OS.
Credit where it is due though, XP SP3 after so many years of patching, fixing and updating has now reached such a level of stability, reliability and possible security (I don't use IE, Windows mediaplayer or messenger). That I find it a pleasure to use. I still wouldn't leave it open to the Internet though. In fact I don't leave anything open to the Internet 'cept my Honeynet.
I remember way back when, I was re-installing windows XP on a machine at home - and within no more than about 1 minute I got the windows system process initiating a shutdown (Blaster?)
I cancelled the shutdown, downloaded the patches, burnt them to CD, and re-re-installed, this time offline, and didn't go back online till I was as convinced as you can be of windows security
If it's taking hackers 4 mins to own an unpatched Windows box, they're slacking.
This post has been deleted by its author
Did an XP rollout a few years back - unpatched SP1 machines, still connecting over dial-up. Within seconds of being issued an IP address by the RAS server you would start getting pop-ups. At that time, the simple addition of SP2 would have solved most of the problems. Unfortunately the clever souls that created the builds were convinced SP2 "breaks everything", and the clever users kept clicking on the 'Ok' button. Still, fixing their mistakes kept me in a job for a while.
Paris - because she knows all about getting own3d on the internet.
A NAT router with no open ports to allow inbound traffic to said PC would probably be enough to keep it safe until it's service pack & patched up. Plus ensuring the only web site you go to is Windows Update.
I wouldn't trust in one of those freebie 'trial' copies of Norton that comes shipped with OEM distributions that are likely years out of date out of the box and will spend hours downloading masses of bloat to cripple your PC just to get it up to date, and then you realise you need to get rid of it and install a decent AV/firewall solution before you've even had a chance to patch Windows.
"This best practice can create tensions between management, who want new systems up and running as quickly as possible, and security admins."
Very simple way around this. Give this form with something like the following to managment.
I _____________ accept that by not following best practises recommended by the ________ (insert company name) Information team I put at risk the security of any finanical or customer data that our company holds and the availability of our systems. I accept that any fines, notification or bad publicity attibuted to these actions will be a direct result of these actions and that by signing off on this risk accept any action that the company or regulatory authorities may take against me.
SIgned __________________________
Works Everytime
How on earth did a corporate IT department manage to screw up that badly and put an unpatched machine out there?
1: They only have a 7 year old disk?
2: Are they unable to slipstream the installer with SP2
3: Can't they just download SP2 and keep it on CD?
4: The corporate machines are unfirewalled and un-natted?!?!?
5: Don't you install from images anyway?
I wouldn't want these IT people anywhere near any company I work for.
Given that the vast majority of home computers are behind a NAT router. 100% of unsolicited exploits will be killed in the bud.
Exploits caused by the unfortunate user navigating to the wrong web-site are more likely. But 4 minutes? Not unless the user is an inveterate porn cruiser.
How about you revise your average exploit time to months rather than minutes
This might be a more intersting article if it happened to mention what variety of Windows it refers to. For example, if "unpatched Windows" refers to say Windows XP SP1, then this revelation comes in the "duh, no s**t Sherlock" category. If however it refers to say Windows Vista without SP1 installed, then its a tad more alarmainf
You stick some old code on the net and it's had in minutes, yes i remember a pre SP2 box picking something up before i'd managed to apply updates but that was 4 years ago.
I'd be very very surprised if you got the same result with an XP SP3 box and anyone that installs from SP2 media and then casually browses the net before a visit to MS update deserves what they get.
I've been putting up servers over the past week. Prior to starting, I slipstreamed SP2 into my copy of Windows Server 2003 R2. I've also slipstreamed SP3 into Windows XP for our clients.
For those who cannot follow a web article on how to do it, one can download a free copy of nLite to do it for them; it's stone-dead simple. I get that a home user might not get this, but for anyone in any IT department not to ought to mean an instant boot through the door to the unemployment line.
@Jerry
Actually I think you'll find the majority of home users have Windows machines with the cheap USB broadband modem supplied by their ISP. Therefore no NAT. It used to be that you only got the benefit of a proper router if you subscribed to a 'wires only' service and bought your own. I know thats changing these days, but how much?
Regardless if I build it, re-build it, repair it, clean it up or just install software, I tell everybody the same thing. You have to treat computers like babies: you have to feed them what they need an periodically clean their smelly behinds.
One day I gave my "computer responsibility" statement and the recipient replied, "Why?". I just looked at her as she further commented, "I have you".
I've come to believe it's not a matter of people knowing what to do; they're flooded with that sort of stuff. It's a matter of priority and what's important to them. And in my experience, admittedly limited, few people treat their computer as if it's anything other than just a box full of electronic parts. Can you imagine that? They treat them like toasters, stoves, MP3 players and etc. When it gets mucked up bad enough they buy a new one. I don't know why I expect otherwise; we've created a throw away society and its inhabitants have learned well.
Windows Installation (SP3 slipstreamed) takes about 20 minutes and about 10 to install a firewall and antivirus. So it's not time in my worthless opinion, it's priority and for most people proper computer maintenance is not only low priority, it's something they can pay someone else to do. Or in the case of a few I know, just turn the damn thing off and go play with their kids.
And given my last installation of Ubuntu had more than 100 updates this scenario is not limited to M$ products.
I would like all of you techies to step back with all your advices comments on without firewall and NAT and all that nonsense.
Just imagine you are 65 computer illiterate and want to go online with you new pc.
Obvously it requires patching ? whats a patching asks the 65 year old ?
you the 65 year old phones provider gets on broadband and in the post is your USB dongle (since none of them are going to send you a broadband router unless you ar paying extra)
so the 65 year old goes online and in 4 minutes he is infected he spends another few months spreading infection deeper and further in OS.
MS should have done better than this by now.
for a start with all that profit (that don't go into no MS fanboys pockets) they could have created CD for online access so all people using the OS at all levels who sign up with a provider get this CD sent to them........
Secondly do they actually test any of their products before going live surely all thes excess open ports there should be a hardening package or go online utlitiy ? go through lock down ports not required..
No more advice for the bull of all OS's MicroShaft... sign up with us and we will shaft your day with lots of time spent on analysing why our OS sucks.
I have a dream and in this dream microsoft no longer exists. :)
Looking at the PDF thesis, I don't speak German so I have no idea what version they were testing. However doing a find on the string Windows, suggests they were testing versions of windows as far back as Windows 3.11 and NT4.0 and the only reference to Service packs seems to be "Windows XP SP1+, 2000 SP3". If that is the newest version they are testing, quite frankly I don't care - that these OSs are not secure is 5 years out of date to be classed as "news".
Yup, I remember that happening to me 4 years ago when I got broadband installed at home.
The Telewest technician had just got the cable modem installed, then we plugged in the Pre-SP2 laptop and blam... Windows would shut down with an intrusion before I could even get online for the updates. Unplugged the network connector and of course the computer started up just fine. Needless to say, the technician didn't have a clue what was going on.
Had to take the computer into work to connect to the firewalled network there to get the updates.
What version of XP, what service pac? What about Vista and OSX?
I know when I bought my new Mac the updates were over 500 meg. I use a wireless router but what would have happened if I had connected straight using an ethernet connection?
The web sites listed are not very useful either.
As someone who has owned Macs since the days of the Mac Plus I don't buy this Mac's don't get infected crap.
“Obvously it requires patching ? whats a patching asks the 65 year old ?”
but i have the same problems with my Ubuntu box that rolls on patches seemingly day after day and not all of them without issue.
As i said this isn't really an issue with an XP SP3 or Vista install now is it?
The risk is even less if you run your box as an ordinary user not as an admin, i've been running like this for three years with few issues (non secuity related), ALL of them caused by poor software not Windows.
And that's coming from someone who is not just a Windows admin (Novel/Linux as well) and can look objectively at a situation, i also deliver training so i know the headach of using multiple platforms.
A guy decided he would install windows on his machine, he had previously been running linux, and due to some tests he had been running his machine was on the outside of the firewall on one network interface, and in the DMZ on the other.
He forgot to unplug the machine from the net, before he installed XP (I believe service pack 2, but it might have been 1, I don't recall).
The machine was hacked and compromised, before he even managed to log in on the console, on the last reboot, after the installation has run.
So yes it does happen, and it is almost certain it will happen if you don't keep a NAT in front of your machine.
I would not install a windows machine with any kind of network connections active. If patches have to come from the net, then at the very least keep it behind a NAT router/firewall, if you do not want problems.
Even better, download all patches using a secured patched machine, or even better pull them down with a non windows system, and create a patch disk, before you even think of starting a network connection on the newly installed machine.
I prefer to use other operating systems to pull down windows patches, because their vunerablility is not the same as windows, and if the pull down carries a probe, they hit a wall, due to the heterogeneous systems. Then I scan the data for vira/trojans/known root kits, before I transfer it to a CD or the machine that is to use it.
Paranoid - You might say, though I prefer to call it experience with microsoft products :-).
Unix based systems I do slightly different, I remove all network services, before putting a network cable on, and thus make the machine non-responsive to incoming data and then pull down patches.
Gee, this is really what irritates me about computers. You've got a simple requirement: bring up a new machine securely. A pretty basic requirement for a computer.
The security people in the article recommend the purchase of a computer to protect your computer -- something called a "NAT router with firewall". Apparently there's no chicken-and-egg problem with this idea.
The previous poster recommends yet another product, with its own meaningless terminology ("slipstreaming"?) and hours to be wasted. Oh, and the need for another computer to prepare the CD with. And that computer was installed and nLite downloaded from the Internet without chicken-and-egg issues just how?
Both Ubuntu and Fedora look simple enough to bring up with all updates applied. But here's the rub, they don't do this by default. That's right, the secure alternative isn't the default.
It looks nearly impossible to bring up MacOS with all updates applied. The saving grace here being that MacOS doesn't have a huge number of open ports running insecure protocols when it starts, so there's a good chance for the updates applied after boot to win.
In short, all OSs currently suck for Joe Average doing an installation on a unfiltered Internet connection. And you're not going to be able to hide Joe Average behind that NAT gateway anytime after ISPs roll out IPv6 to customers.
(arrogant self-important geeky voice) "My free open source operating system is the mutts nutts, bow down to the almighty Linux, the sun shines out of it's posterior"
(arrogant designer type know-nothing bozo) "Macs are just so amazing, we can't be own3d, Steve Jobs is a minor deity"
(Joe Public windows user) "I'm running windows 2006 with interweb explorer AOL thing, the sales guy says so long as I've got a virus wotzit I'm safe, plus I've got a BT home rooter."
Paris because she was own3d in less than 3
"As someone who has owned Macs since the days of the Mac Plus I don't buy this Mac's don't get infected crap."
If you'd have plugged an unprotected Mac into the internet without a firewall, you would be quite safe today. No-one (up to now) has a remote exploit for the Mac. Yes, of course you should patch your Mac and run behind a firewall, but today, there's nothing to fear.
Macs don't get exploited remotely. That's not crap, that's just the state of affairs today. Tomorrow this could change, but today, that's just the way it is.
"The risk is even less if you run your box as an ordinary user not as an admin, i've been running like this for three years with few issues (non secuity related), "
my experience from a windowsinstall the initial user is admin ! there is no requirement to put in a root password to install anything...
"ALL of them caused by poor software not Windows."
Ahem thats why ubuntu debian and all the rest of them have central repositories so there is no need to go to http and download 3rd party software which is the source of a lot of the issues...
Two main flaws in windows if you ask me.. This is not evident in Linux
Also 1 last issue - FS partitions Linux install ok if your a noob all goes in one but for me its always been things like home get own parition - so sure format OS partition as much and as often as you like - your data is safe unlike c:\Documents and Settings\Blah
"spaces in folder names is not clever either by the way"
lol
>>Within seconds of being issued an IP address by the RAS server you would start getting pop-ups. At that time, the simple addition of SP2 would have solved most of the problems. Unfortunately the clever souls that created the builds were convinced SP2 "breaks everything", and the clever users kept clicking on the 'Ok' button. Still, fixing their mistakes kept me in a job for a while.
erm why not just disable the Messenger Service on windows
Non pop ups then
takes 5 sec's to fix
I like installing XP with out SP's , its fun trying to update windows before blaster popped up shutting down the pc lol
In my city (Cincinnati, in USA) my ISP gave me a NAT router as a matter of course, a little Cisco box the size of a paper back book. That little router has NAT built in, I didn't have to do *anything*. Naturally I have a dynamic IP, but that's never been an issue.
I'll admit the phrase "on the internet without a router" leaves me puzzled. How, exactly, does one get to the internet without either A) an ISP to handle all the messy details (home users) or B) a considerable effort on the part of the IT department (corporate users).
Either way, NAT is the cheapest and easiest protection there is, most routers have it built in as a matter of course. Assuming your ISP/IT department is so criminally negligent as to give you an unfirewalled/non-NAT connection to the net the fault lies with them!
This BS about management not giving IT time to properly connect a system to the net is drivel. In a corporate environment you *can't* hook directly to the net! You have to go through the local LAN--which will have a router between you and the net.
Unless, of course, you hire idiots to run your networking center...
I've had a machine that came with a pop-up at precisely 17 seconds after connecting to the internet (happened all the time) but this was Windows 98 over dialup, and fortunately it was only a pron advert (nothing malicious).
Whenever I'm called upon to sort out a machine or to install a new one for someone I always tell them that the difference in price between a router and a USB modem is a hell of a lot less than the cost of getting me out to fix the b****y thing when it goes wrong, which is usually within the first month.
</rant>
If they still insist on using a USB modem on a new (unpatched) machine I tend to connect them through my spare router initially to collect the updates then install the Modem. Takes a little longer but saves me a few trips usually.
"Just imagine you are 65 computer illiterate and want to go online with you new pc."
Im 32, no driving licence, no idea how to drive a car, but i can figure out how to "tun it on". So, i should just step up to a car, hit the gas and away we go... Sure, ill kill myself and probably someone else too, but it's NOT my fault, its the car maker's, because they made a car a clueless dumb@ss could not drive safely....
The "users are dumb/clueless/illiterate" argument has been used again and again. Still stinks. Either get an education like techies did (no, we weren't born "in the know") or get shafted and take it like a man.
In the end, like most thing in life, your problem, your responsibility, do as you see fit, and deal with whatever comes back to bite you.
Death.... complain to it that you didn't know better. Fat lot of good it will do to you...
>>"The security people in the article recommend the purchase of a computer to protect your computer -- something called a "NAT router with firewall". Apparently there's no chicken-and-egg problem with this idea."
I'm not sure there *is* a chicken-and-egg problem.
I don't recall seeing many news stories about router/hardware firewalls getting compromised.
In fact, I don't recall seeing any.
That's presumably why most people who know about them (not just security pros) would consider them a good idea, particularly for Windows users, and especially since they aren't exactly expensive.
On the other hand, my experience of *software* firewalls has been rather underwhelming, with some seeming to have a habit of just stopping working for no reason (on machines seemingly free of malware).
[Quote]
By Anonymous Coward
Posted Tuesday 15th July 2008 15:38 GMT
“Obvously it requires patching ? whats a patching asks the 65 year old ?”
but i have the same problems with my Ubuntu box that rolls on patches seemingly day after day and not all of them without issue.
[/Quote]
You do realize that you are probably >90% of the time not patching the OS, but instead applying updates to packages? Don't you?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
