The BBC's Honeypot PC

Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.

Well Duh!

[fluffy99 (870997)]

So we've learned that putting an unprotected windows box on the internet is a bad idea - well duh! It probably doesn't help that they didn't bother with any updates, or turning on the firewall.

Re:Well Duh!

[by Anonymous Coward]

The thing is, users do this EVERY DAY. So it is an important excercise. People here on Slashdot may know how to keep themselves protected, but I talk to Windows users ALL THE TIME who have their computer sitting on a broadband connection with no idea how to protect it (no hardware firewall, no spyware protection, whatever virus protection was bundled with the machine [but likely not updated with the latest signatures]).

It's still a HUGE problem. So, maybe it's a no-brainer for you, but it isn't for the average user.

Indeed, AC

[QuaintRealist (905302)]

All of the "well duh" folks miss the point. There are a lot of people out there with reinstall CDs for older machines. When their machine gets hit with malware, many of them "reload" windows and some of these head for Microsoft update.

The point is that they are too late - they're perfectly likely to get hit before update can protect them, and perfectly likely to get hit with something as bad as what they had before.

This really is a problem.

Re:

[networkBoy (774728)]

Bingo,
Even something as basic as NAT through a cheapie router will buy them all the time they need to connect to windows update.
It won't protect them from malicious connections once infected but because most all routers ignore incoming connection attempts the user is at least protected till patched (assuming the first thing they do is Windows Update, not pr0n surf).
-nB

Re:Indeed, AC

[Mister Whirly (964219)]

And this is why they should be letting a professional set their stuff up. If you knew nothing about cars, would you try to put an engine together and then drop it in by yourself, or would you take it to a mechanic? Most people seem to understand that, why should it be different just because we are talking about computers? Nothing like having your system owned as a way to hammer this point home. I certainly don't take the crass view of "well they get what they deserved for being ignorant" - but how do you combat naiveté among people? Especially with a technical subject that most people's eyes just glaze over when you start talking patches and firewalls? I think most folks just figure they can save $100 by setting it up themselves....Big mistake....

Re:

[Mister Whirly (964219)]

"When you buy a car, most people expect to insert the key in the ignition and put their foot on the accelerator. They don't expect to be handed the components and a 900 page manual and be expected to assemble it themselves."

Yet when the same people are handed computer components and manuals that they don't understand, they somehow think that they CAN assemble it themsleves. That is where the problem lies...

"Why can't the average user go into a shop, buy a computer, bring it home and expect it to work -

Re:

[tomhudson (43916)]

Yes, and every day there are users out there who use the password "password". Was that tested as well?

I'm happy to report it was, and only 20% of Windows users used "password" as their password, making it only the third-most-popular password. The two most popular ones were "qwerty" and "12345", in that order. The least popular password, with just one example, was "i heart bill gates" - on Steve "the Chair-man" Balmer's box.

Re:Well Duh!

[jacquesm (154384)]

The BBC is not exactly known for being beginners at IT, they're the people that brought a lot of us (including me) into the age of personal computing with their BBC Micro Computer.

The thing they've tried to do here is to accurately simulate what the average home user will do, and see what the consequences would be.

It's like a 17 year old nude virgin visiting the octoberfest and expecting to come away 'unscathed', I give you that much. But anybody that buys one of those HP internet ready pc's with XP pre-installed that goes home and plugs in his / her machine is doing the exact same thing.

The instructions even tell you to connect all that stuff *before* switching on in simple-to-use IKEA style no words diagrams. Don't be too quick to judge the beeb, they're pretty good at what they do.

Re:

[jacquesm (154384)]

I highly doubt there's malice on the part of HP involved. It's just that the time between manufacturing and hitting the consumers home is more than long enough to go through several software updates. The real problem is that early XP had no default firewall 'on' out of the box, in order to upgrade it you have to be online (sometimes for quite a while) to download security updates, or alternatively you have to know what you're doing.

But honestly, I highly doubt many of the buyers of consumer grade hardware h

Re:Well Duh!

[SlartibartfastJunior (750516)]

it's easy to say "well duh!", but when you have a brand-new out-of-the-box computer, it doesn't exactly come with instructions. My grandmother has no way of knowing she's supposed to be running a firewall, or going to get a Microsoft Security update before doing anything else. WE know these things, because we hang out on Slashdot, but they're not obvious to the rest of the world, and I applaud the BBC for bothering to put this in people's minds. Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful.

Re:

[d_jedi (773213)]

Any brand new computer sold nowadays (not counting whiteboxes) comes preloaded with at least service pack 2 installed. You are prompted very shortly after taking the machine out of the box (along with other normal setup stuff, like naming your computer, and adding users..) to turn on automatic updates (which is the "recommended" setting).

Re:

[ben there... (946946)]

Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful.

Microsoft should really ship with all IP addresses except update.microsoft.com redirected to localhost, until you complete all critical updates.

It will never happen, but it should.

Re:

[geoffspear (692508)]

Please shut off your computer until you can prove to me you have a PhD in Computer Science and have personally designed a computer with at least 5% of the world market share. If you can't, I judge you not competent to use a computer, and you're endangering the rest of society by doing so.

Re:

[ichigo 2.0 (900288)]

And just to be safe, nuke it from orbit.

And the moral of the story is.

[AltGrendel (175092)]

Home firewall/router software is better than nothing, and a small firewall/router hardware combo is probably better than that. Personally I perfer the Lynksys hardware.

Of course, we all knew this already, didn't we? The results weren't suprising to me and I doubt that any of the regular /. crowd would be either. Yes, I mean you.

Re:And the moral of the story is.

[Rob T Firefly (844560)]

We're not the target audience. Average home users probably aren't reading /., but they just might be BBC readers. Good "welcome to the real Internet" articles need to get out into the mainstream more, and I don't mean the standard "OMG INTERNETS BE AFARIAD OF PRON AND PEDOS AND ID THIEVES AND VIRUSESES IT GOING TO KILL YOU ALLS" that modern "news" seems to favor.

Re:

[rf0 (159958)]

The biggest issue to the security of the system is the human sat on the chair and clicking boxes they shouldn't and installing slightly dogey software. Of course having a decent level of OS secruity helps but taking what MS is doing in Vista with prompting for virtually everything just seems to get annoying. The best solution would be training people there is no point in hacking etc but of course that will never happen as at some level its either to show that people can hack, or money related with botnets e

Re:

[kosmosik (654958)]

Yeah I *love* Linksys routers. Especially the few that pop up in my PDA using "linksys" ESSID without any access restrictions. ;)

better question...

[192939495969798999 (58312)]

why is there such a thing as an "unprotected windows box"? Isn't this a serious fault of Microsoft that there's even a way to have an "unprotected" system on the internet? Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.

Re:

[voice_of_all_reason (926702)]

Except that once you purchase/steal software, it is yours. The firewall can be turned off at your liesure.

Re:

[ednopantz (467288)]

...light, nimble and ALWAYS ON.

pick any two.

Re:

[Danga (307709)]

Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.

I do believe that the default should be for the MS firewall to be on after installation, that would have saved problems for MANY inexperienced users whose windows boxes ended up getting owned within minutes of them connecting them to the internet. The MS firewall definitely seems to be light, nimble, and does a decent job but for users like me who prefer to use a software firewall that is more customizable (I like Kerio Personal

Re:

[Blakey Rat (99501)]

The firewall (which is pretty good) is on by default on any computer bought in the last 2 years. And older XP computers typically have a firewall installed (and turned on) by the company that sold it.

Sure, the user could turn it off, but-- guess what?-- it's THEIR COMPUTER. You can turn off the firewall on your Linux or OS X machine, also. That said, Windows XP SP2 will make your life a pain in the ass if you do run it with no firewall. There are constant system tray messages reading "your system is at

Impressing

[ackthpt (218170)]

I set up a friend's new computer and installed a firewall, before attaching to to internet for the first time and he was stunned how fast the log of probes filled up. He'd never used a firewall before on his old XP machine.

What bugs me is why there doesn't seem to be any decent coordinated effort to track the bots down and shut them down and to go after the perpetrators. Really, it doesn't seem that hard, it just seems like no government is interested in doing anything about it.

Re:It IS hard

[bill_kress (99356)]

He said an coordinated effort. Of course no one person can get anywhere, but if we just decide not to accept this, we start blocking IP ranges, force the ISPs to deal with their spammers and botnets--it wouldn't take long at all to shut down the entire problem (and 60% of the web). Then you just bring up clean PCs one at a time--forward their DNS to a page that can lead you through the process of cleaning out your PC and contains a list of services that will help.

Subsidize the creation of some decent anti-virus and service companies that can clean your computer remotely (Just don't build one nuke, that should take care of funding it for a few years)

Of course we can't take these steps proactively, humans are too short-sighted, but we WILL do something like this reactively, It's going to happen--just a matter of time.

Yawn...

[rsilvergun (571051)]

this has been done before with WinXP SP1, we already know it's insecure. But you know what? Most home users have firewalls now, if only in the form of a hardware router from their ISP, and any new users are running XP SP2. A simple firewall and a few trips to www.windowsupdate.com takes care of most problems. Now, a better article would point out who Windows Media Player will run any old code as root on your box if you've got "Obtain licenses automatically" checked. I can't believe there isn't more of a sh*t storm over that.

Their 'unprotected'=flawed

[i_should_be_working (720372)]

So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall. Scared me for a moment.

I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.

Re:

[garcia (6573)]

I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.

You're obviously confused by the definition of "average home PC". The "average" home PC us

Re:

[evilviper (135110)]

So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall.

What part of "The machine was attacked within seconds of being connected to the Internet," did you not understand?

How quickly can you apply the latest service pack and all the patches to your fresh installation of Windows?

Over 2 years ago, I was hearing from several people that experienced exactly that... They were incredibly frustrated that their freshly-installed systems were being compro

Slammer? Blaster?

[krygny (473134)]

Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003.

...

The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible.

Wouldn't that include all patches that would specifically protect against Slammer and Blaster? Note, the article says "such as", not "similar to".

Re:

[Spad (470073)]

The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.

Sorry but...

[Maxo-Texas (864189)]

I have windows XP and a $19 dlink router (and a lynksys before that) and I have had *zero* problems in 24 months.

So okay- a naked machine may have an issue but this is really a non-issue if you spend an extra 20 bucks for an inexpensive router with a built in firewall.

Yes but...

[Harin_Teb (1005123)]

Did they pass WGA?

How vulnerable Windows XP really is?

[KingGuru (759739)]

This doesn't really show how vulnerable Windows XP really is, it shows how often it is subject to attack. Since all these are (mostly at least) worms and automated attacks, that's not really different from looking at the logs on my Linux boxes, where, for instance, my apache server is quite often "attacked" by a worm looking for IIS vulnerabilities.
I like to bash MS as much as most people here, but this choice of words really misleading. True, never ever put an unpatched box un the Internet, especially if

Not just Windows

[pavera (320634)]

I love linux, but alot of this stuff pretty much pertains to anything on the internet. Do you have a linux box on the public net with SSH open? I gaurantee you are getting more than 1000 attempted logins per day. This article talks about alot of "attempted" attacks, well my linux machines on the net get port scanned at least 10 times a day, any box that has ssh running on the default port is being dictionary attacked pretty much 24/7. Sure the linux boxes aren't being turned into zombies, and I'm not sending out boatloads of spam, but my apache servers get hit with IIS attacks regularly. Putting a box with open ports on the net gaurantees you will be attacked. It doesn't matter if its linux or windows.

The difference is with windows you will probably get hacked, with linux you at least have a fighting chance.

Re:Not just Windows

[julesh (229690)]

Do you have a linux box on the public net with SSH open?

Yes.

I gaurantee you are getting more than 1000 attempted logins per day.

Uh, no. On the occasional day I get a sustained attempt to guess a username/password combo, and such an attempt may well get up to 1,000 attempts, but in the last 4 days' log (all I keep), I don't see any such attempt. There were a couple of attempts on my FTP server, but it looks like the attacker closed the connection as soon as they saw the welcome banner; scanning for a particular server/version in the connection report, I guess.

A Premium of Paying Vicitms

[demo9orgon (156675)]

Despite all the Microsoft apologists who will wring their hands and point out that certain things were not done in order to safety the Microsoft honeypot, the genuine service this article demonstrated is that people who turn on their new computer with its Microsoft operating system connected to the Internet are vulnerable to exploits which are automated and exist in abundance, ready to pounce upon current Microsoft operating systems.

Even if you're a master of Microsoft "anti-ware" solutions and tweaks, what happens when someone who isn't takes a few wrong turns with their OS? It's toast, or worse, enslaved and used as a resource the end-user is paying for.

I stopped using Microsoft operating systems to directly connect to the Internet nearly 10 years ago, when the sophistication of the exploits had developed to the point where it was no longer safe to use any Microsoft OS online. Since then it really hasn't gotten much better, has it?

I think it's a shame that the company with the fattest pockets can't be bothered to get it right yet still demands to be on every PC made.

Re:

[demo9orgon (156675)]

Hey, it's not a high-horse...it's a soapbox. :-)

Agreed, all old OS's are weak somewhere. But what happens to grandma when her doting son hands her his old boxen with XP with expired "Anti-" ware on it? Grandma entertains keyloggers with insights into the wicked subterfuge of bridge groups, quilting, what happened at the store checkout queue, or just how awful the last family gathering was; and all the while her machine is merrily testing basic-auth at a pornsite somewhere while she wonders why everything s

C'mon, I hate MS but this is FUD

[Opportunist (166417)]

The BBC ain't a computer biz company. They wanted a story. And what's a better (tech) story in the age of phishing and spam than "OMG TROJANS!"?

Of COURSE you get plastered with portscans and worms hammering against the "well known" ports. That's normal. Welcome to real life on the 'net. You think it's different for my *nix Machine? It's not. My firewall-log is getting flooded with kids and worms trying to find some unprotected ports, trying to connect to 21, 22, 23, 80 and so on, just to see if there's anything running they could use. The real question is, how many successful attacks did happen? Saying XP is insecure because a billion people hammered at its doors is FUD. When a million of those make it in, though, it's a different matter.

And yes, an unpatched WinXP is insecure. It simply is. Get a router and you're set against 99% of the external problems you may face. But then you still should not use the machine to access anything on the net, because some of the tools you're using (IE and Office being the two key players today) has known (and party unpatched) security issues that may cause execution of code when you're not really careful and know what you're doing.

In a nutshell, going online with a MS product that's not well firewalled and using anything but alternative software for the access of online resources is grossly negligent IMO.

Nice Fearmongering

[Effugas (2378)]

I saw a great ad for an Antivirus product recently. "Finally, protect your users from the Melissa virus!"

Dude, it's 2003, they want their security holes back.

I'm not going to mince words: This story is BS. Lets take the money quote here:

However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.

Really? Once an hour, something that'll remotely own XPSP2, just being leaked out over the Internet?

"Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software."

OK, Windows Messenger service is disabled in XPSP2...Blaster hasn't worked in years, Slammer never even hit XP Home by default (you had to install Visio), IIS isn't even available for XP Home, and port scans aren't too relevant when you have a firewall on by default.

What a completely worthless story. You know, we have enough actual security problems going on (the glacier of cross site scripting exploits, what's going on in the online banking realm) that whinging about long solved problems is not only irresponsible; it's dangerous.

I call BS

[jacquesm (154384)]

installation procedures for RealOne on the BBC [bbc.co.uk]

I Wished all broadcasting corporations were as 'backwards' as the Beeb.

Re:We have a Love connection.

[Lave (958216)]

From my experience the Beeb runs a large amount of linux articles. And is quite vocal about free open source alternatives (a benefit of not being funded from corporate sponsors). For evidence try typing "linux" into their search engine. It gives you 49 pages of hits for the whole of bbc.co.uk, 9 pages of which come from just the "news" section.

So you are simply wrong.

where are all the attacks coming from ..

[rs232 (849320)]

"This is a pretty bogus test. Obviously they didn't install security updates before going about their business,", not already in use

"we installed an unprotected version of Windows XP Home configured like any domestic PC."

"made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago", not already in use

But these three year old attacks were still coming from other already infected machines on the Internet. Are all these infected machines running three year old software.

was Re:I have plenty of reasons to dislike Microsoft..

Re:I have plenty of reasons to dislike Microsoft..

[joe 155 (937621)]

whilst I will take your point about updates I have found a problem simlar to this personally and I think that you judge them too harshly. When you have a computer which is band new the first thing you will do is connect to the internet. It would take a couple of hours to download the updates for XP up to this point, especially if your on an old service pack (I must admit I don't know if they now sell them with SP2 or not...), even if you get it with the newest service pack if your on a 128K connection a c

Re:

[penix1 (722987)]

Strictly, they said the attack was aimed at IIS, not that the attack was successful.

Strictly, they said one (1) attack was for IIS.

In fact, it's not clear from the article that ANY of the attacks were successful. If that's true, it doesn't really matter how many attacks there were, and it doesn't make Windows any less safe than Linux or VMS, for that matter. Only the successful attacks matter. (You've got to shut down the Messenger, to be sure, but I'm pretty sure that comes turned off now, and it was a stu

Re:

[Macka (9388)]

But the attacks would fail for a number of reasons. First and foremost because the attacks are targeted at Windows not Linux or OS X. Secondly OS X has a very capable built in Firewall thats always on. I can't speak for Linux because that will be up to the person who built it. Though my default Ubuntu 6.06 installation had no firewall enabled at install time, nor any option to configure or enable one before you get onto the internet and download the bits with synaptic.

where are all the attacks coming from ..

[rs232 (849320)]

"Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?"

The point is thet the Internet is infested with compromised Windows boxen. Ok, where are all the compromized Linux web servers. Assuming they are running Apache under Linux. According to Netcraft [netcraft.com] Apache usage is at roughly 980,00,000 while IIS is at 490,00,000. Why don't we see an equivalent number of compromised Linux servers.

Yet another mo

Re:

[RonnyJ (651856)]

A lot of people seem to be mistaking what this article shows.

It's not showing how weak an unpatched XP machine is, they're instead logging the attacks that are still happening on the Internet daily, and then showing the frequency of them. For instance, they logged 11 attempts in 7 hours from the Blaster worm. If, as some people are suggesting, they were just placing an unpatched machine on the Internet, the machine would have restarted from the very first Blaster attack.

Re:

[Antique Geekmeister (740220)]

It helps a lot: but the firewall itself may be vulnerable. Check it for available updates.

A lot of Windows machines get zombied pretty fast these days, by fascinating web security vulnerability hacks when the owners go web browsing even for legitimate materials and the hacks are installed on "owned" servers. These zombies then open up a port to designated controller machines on the outside for control by remote entities such as spammers using the machines to send the spam from unblocked netwrks. It's a seri

Re:

[cr0sh (43134)]

kisrael, I am with 'Geekmeister on this, too - check for updates. The best way to do this is to google " exploit" - so, for your case, you would google "Linksys exploit", and see what returns. I have personally bought three different used NAT routers from Goodwill (each cost under $10.00 used!), and before hooking them up, I checked for exploits (I currently use a homebrew P90 Freesco box) - all of them had an available exploit, and only one of them had an update to correct the exploit. On two of them, the