The BBC's Honeypot PC

Posted by kdawson on Mon Oct 09, 2006 11:48 AM
from the hijack-my-pc-please dept.
Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.

Related Stories

Fun Things To Do With Your Honeypot System
An anonymous reader writes "Whitedust is running an interesting article on honeypots and their uses. From the article: 'Most papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves... Honeypots can be used to ensnare and beguile potential hackers; entice them to give you more research information, and actively defend your production network.'" From the article: "Once an attacker has taken all the trouble to set up shop on your honeypot, he'll probably want to see what else there is to play with. If your honeypot is like most traditional honeypots, there's not much for an attacker to do once he gets in. What you really want is for the attacker to transfer down all the other toys in his arsenal so you can have a copy as well. Giving an attacker additional targets with various operating systems and services can help him decide to give you his toys. The targets can be real, but you'll get almost as much mileage if they're simulated. A good place to start is to put a phantom private network up hung off the back of the honeypot."
This discussion has been archived. No new comments can be posted.
  • Well Duh! (Score:3, Insightful)

    by fluffy99 (870997) on Monday October 09 2006, @11:52AM (#16365807)
    So we've learned that putting an unprotected windows box on the internet is a bad idea - well duh! It probably doesn't help that they didn't bother with any updates, or turning on the firewall.
    • Re:Well Duh! (Score:4, Insightful)

      by Anonymous Coward on Monday October 09 2006, @11:58AM (#16365917)
      The thing is, users do this EVERY DAY. So it is an important exercise. People here on Slashdot may know how to keep themselves protected, but I talk to Windows users ALL THE TIME who have their computer sitting on a broadband connection with no idea how to protect it (no hardware firewall, no spyware protection, whatever virus protection was bundled with the machine [but likely not updated with the latest signatures]).

      It's still a HUGE problem. So, maybe it's a no-brainer for you, but it isn't for the average user.
      • Indeed, AC (Score:5, Insightful)

        All of the "well duh" folks miss the point. There are a lot of people out there with reinstall CDs for older machines. When their machine gets hit with malware, many of them "reload" windows and some of these head for Microsoft update.

        The point is that they are too late - they're perfectly likely to get hit before update can protect them, and perfectly likely to get hit with something as bad as what they had before.

        This really is a problem.
        • Re:Indeed, AC (Score:4, Insightful)

          by Mister Whirly (964219) on Monday October 09 2006, @12:44PM (#16366703)
          (http://localhost/)
          And this is why they should be letting a professional set their stuff up. If you knew nothing about cars, would you try to put an engine together and then drop it in by yourself, or would you take it to a mechanic? Most people seem to understand that, why should it be different just because we are talking about computers? Nothing like having your system owned as a way to hammer this point home. I certainly don't take the crass view of "well they get what they deserved for being ignorant" - but how do you combat naiveté among people? Especially with a technical subject that most people's eyes just glaze over when you start talking patches and firewalls? I think most folks just figure they can save $100 by setting it up themselves....Big mistake....
    • Re:Well Duh! (Score:5, Insightful)

      by jacquesm (154384) on Monday October 09 2006, @12:04PM (#16366045)
      (http://zataka.com/)
      The BBC is not exactly known for being beginners at IT, they're the people that brought a lot of us (including me) into the age of personal computing with their BBC Micro Computer.

      The thing they've tried to do here is to accurately simulate what the average home user will do, and see what the consequences would be.

      It's like a 17 year old nude virgin visiting the octoberfest and expecting to come away 'unscathed', I give you that much. But anybody that buys one of those HP internet ready pc's with XP pre-installed that goes home and plugs in his / her machine is doing the exact same thing.

      The instructions even tell you to connect all that stuff *before* switching on in simple-to-use IKEA style no words diagrams. Don't be too quick to judge the beeb, they're pretty good at what they do.
    • Re:Well Duh! (Score:5, Informative)

      by SlartibartfastJunior (750516) on Monday October 09 2006, @12:10PM (#16366131)
      It's easy to say "well duh!", but when you have a brand-new out-of-the-box computer, it doesn't exactly come with instructions. My grandmother has no way of knowing she's supposed to be running a firewall, or going to get a Microsoft Security update before doing anything else. WE know these things, because we hang out on Slashdot, but they're not obvious to the rest of the world, and I applaud the BBC for bothering to put this in people's minds. Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful.
  • And the moral of the story is. (Score:3, Informative)

    Home firewall/router software is better than nothing, and a small firewall/router hardware combo is probably better than that. Personally I prefer the Linksys hardware.

    Of course, we all knew this already, didn't we? The results weren't surprising to me and I doubt that any of the regular /. crowd would be either. Yes, I mean you.

  • better question... (Score:3, Interesting)

    why is there such a thing as an "unprotected windows box"? Isn't this a serious fault of Microsoft that there's even a way to have an "unprotected" system on the internet? Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.
  • Impressing (Score:5, Insightful)

    by ackthpt (218170) * on Monday October 09 2006, @11:54AM (#16365843)
    (http://www.dragonswest.com/ | Last Journal: Monday November 05, @07:35PM)

    I set up a friend's new computer and installed a firewall, before attaching to the internet for the first time and he was stunned how fast the log of probes filled up. He'd never used a firewall before on his old XP machine.

    What bugs me is why there doesn't seem to be any decent coordinated effort to track the bots down and shut them down and to go after the perpetrators. Really, it doesn't seem that hard, it just seems like no government is interested in doing anything about it.

      • Re:It IS hard (Score:4, Interesting)

        by bill_kress (99356) on Monday October 09 2006, @01:04PM (#16367035)
        He said a coordinated effort. Of course no one person can get anywhere, but if we just decide not to accept this, we start blocking IP ranges, force the ISPs to deal with their spammers and botnets--it wouldn't take long at all to shut down the entire problem (and 60% of the web). Then you just bring up clean PCs one at a time--forward their DNS to a page that can lead you through the process of cleaning out your PC and contains a list of services that will help.

        Subsidize the creation of some decent anti-virus and service companies that can clean your computer remotely (Just don't build one nuke, that should take care of funding it for a few years)

        Of course we can't take these steps proactively, humans are too short-sighted, but we WILL do something like this reactively. It's going to happen--just a matter of time.
  • Yawn... (Score:4, Informative)

    by rsilvergun (571051) on Monday October 09 2006, @11:58AM (#16365919)
    This has been done before with WinXP SP1, we already know it's insecure. But you know what? Most home users have firewalls now, if only in the form of a hardware router from their ISP, and any new users are running XP SP2. A simple firewall and a few trips to www.windowsupdate.com takes care of most problems. Now, a better article would point out how Windows Media Player will run any old code as root on your box if you've got "Obtain licenses automatically" checked. I can't believe there isn't more of a sh*t storm over that.
  • Their 'unprotected'=flawed (Score:4, Informative)

    by i_should_be_working (720372) on Monday October 09 2006, @11:59AM (#16365935)
    So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall. Scared me for a moment.

    I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.
  • Old news.. (Score:1, Informative)

    by Anonymous Coward on Monday October 09 2006, @11:59AM (#16365941)
    This study was done years ago, when XP just came out. IIRC, it was done live on TechTV's "The Screen Savers" multiple times.

    BBC would have made it more interesting if they tested this in various scenarios -- no updates/firewall, SP2 with no firewall, SP2 with hardware firewall, etc. That way we could see what step(s) really let malware in.
  • Slammer? Blaster? (Score:2)

    by krygny (473134) on Monday October 09 2006, @12:00PM (#16365971)

    Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003.

    ...

    The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible.

    Wouldn't that include all patches that would specifically protect against Slammer and Blaster? Note, the article says "such as", not "similar to".

  • Sorry but... (Score:3, Insightful)

    by Maxo-Texas (864189) on Monday October 09 2006, @12:01PM (#16365975)
    I have windows XP and a $19 dlink router (and a Linksys before that) and I have had *zero* problems in 24 months.

    So okay- a naked machine may have an issue but this is really a non-issue if you spend an extra 20 bucks for an inexpensive router with a built in firewall.
  • Yes but... (Score:2, Funny)

    by Harin_Teb (1005123) on Monday October 09 2006, @12:02PM (#16366005)
    Did they pass WGA?
  • How vulnerable Windows XP really is? (Score:2, Insightful)

    by KingGuru (759739) on Monday October 09 2006, @12:04PM (#16366033)
    (http://www.linuxfan.dk/)
    This doesn't really show how vulnerable Windows XP really is, it shows how often it is subject to attack. Since all these are (mostly at least) worms and automated attacks, that's not really different from looking at the logs on my Linux boxes, where, for instance, my apache server is quite often "attacked" by a worm looking for IIS vulnerabilities.
    I like to bash MS as much as most people here, but this choice of words is really misleading. True, never ever put an unpatched box on the Internet, especially if it's running some version of MS Windows, but this hasn't got that much to do with the security of an updated Windows installation.
    Here at /. we all know to never put an unpatched box on-line, but it is interesting when more mainstream media put focus on that, no need to attack Microsoft in order to make this story interesting.
  • Duh (Score:2, Insightful)

    by MeanMF (631837) on Monday October 09 2006, @12:09PM (#16366109)
    (http://www.teamxlink.co.uk/)
    Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?
  • Not just Windows (Score:5, Insightful)

    by pavera (320634) on Monday October 09 2006, @12:09PM (#16366111)
    (Last Journal: Tuesday December 31 2002, @08:24AM)
    I love linux, but a lot of this stuff pretty much pertains to anything on the internet. Do you have a linux box on the public net with SSH open? I guarantee you are getting more than 1000 attempted logins per day. This article talks about a lot of "attempted" attacks, well my linux machines on the net get port scanned at least 10 times a day, any box that has ssh running on the default port is being dictionary attacked pretty much 24/7. Sure the linux boxes aren't being turned into zombies, and I'm not sending out boatloads of spam, but my apache servers get hit with IIS attacks regularly. Putting a box with open ports on the net guarantees you will be attacked. It doesn't matter if it's linux or windows.

    The difference is with windows you will probably get hacked, with linux you at least have a fighting chance.
    • Re:Not just Windows (Score:4, Interesting)

      by julesh (229690) on Monday October 09 2006, @12:21PM (#16366283)
      Do you have a linux box on the public net with SSH open?

      Yes.

      I guarantee you are getting more than 1000 attempted logins per day.

      Uh, no. On the occasional day I get a sustained attempt to guess a username/password combo, and such an attempt may well get up to 1,000 attempts, but in the last 4 days' log (all I keep), I don't see any such attempt. There were a couple of attempts on my FTP server, but it looks like the attacker closed the connection as soon as they saw the welcome banner; scanning for a particular server/version in the connection report, I guess.
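Added example, not part of any comment in this thread: a small Python tally of the kind of sshd log review the two posts above describe, counting failed logins per day and per source and separating them from logins that succeeded after a burst of failures. The log lines are constructed (documentation-range addresses), and the function names and the threshold of 5 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  6 03:14:01 box sshd[801]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Oct  6 03:14:03 box sshd[802]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Oct  6 03:14:05 box sshd[803]: Failed password for invalid user guest from 203.0.113.5 port 40003 ssh2
Oct  6 03:14:07 box sshd[804]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Oct  6 03:14:09 box sshd[805]: Failed password for root from 203.0.113.5 port 40005 ssh2
Oct  6 03:14:11 box sshd[806]: Failed password for root from 203.0.113.5 port 40006 ssh2
Oct  6 09:30:12 box sshd[950]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Oct  7 11:02:44 box sshd[1021]: Failed password for alice from 198.51.100.7 port 51044 ssh2
Oct  7 11:02:50 box sshd[1021]: Accepted password for alice from 198.51.100.7 port 51044 ssh2
Oct  8 22:40:00 box sshd[1100]: Failed password for invalid user admin from 192.0.2.44 port 33000 ssh2
Oct  9 04:00:00 box sshd[1200]: Accepted password for root from 203.0.113.5 port 40100 ssh2
Oct  9 04:05:00 box CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The user field is free text supplied by the client, so the source address is
# taken from the END of the line (greedy user match), not from the first "from".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2(?:: .*)?$"
)


def parse(log_text):
    """Yield (day, result, user, ip) for each sshd auth line; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            day = f"{m['mon']} {int(m['day']):02d}"
            yield day, m["result"], m["user"], m["ip"]


def summarize(log_text, burst_threshold=5):
    """Separate attempts from successes, which is the distinction the thread argues about."""
    failed_per_day = Counter()
    failed_per_ip = Counter()
    users_tried = defaultdict(set)
    accepted = 0
    accepted_after_burst = []  # successes from a source that already failed a lot

    for day, result, user, ip in parse(log_text):
        if result == "Failed":
            failed_per_day[day] += 1
            failed_per_ip[ip] += 1
            users_tried[ip].add(user)
        else:
            accepted += 1
            if failed_per_ip[ip] >= burst_threshold:
                accepted_after_burst.append((day, user, ip))

    bursts = {ip: n for ip, n in failed_per_ip.items() if n >= burst_threshold}
    return {
        "failed_per_day": dict(failed_per_day),
        "bursts": bursts,
        "usernames_tried": {ip: len(users_tried[ip]) for ip in bursts},
        "accepted": accepted,
        "accepted_after_burst": accepted_after_burst,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day, count in sorted(report["failed_per_day"].items()):
        print(f"{day}: {count} failed logins")
    for ip, count in report["bursts"].items():
        print(f"burst: {ip} failed {count} times over "
              f"{report['usernames_tried'][ip]} usernames")
    for day, user, ip in report["accepted_after_burst"]:
        print(f"REVIEW: {user} logged in from {ip} on {day} after a failure burst")
```

A single mistyped password followed by a success (alice on Oct 7) stays below the threshold and is not flagged; only the success that follows a burst from the same source is.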
  • A Premium of Paying Victims (Score:4, Insightful)

    by demo9orgon (156675) on Monday October 09 2006, @12:19PM (#16366247)
    (http://slashdot.org/)
    Despite all the Microsoft apologists who will wring their hands and point out that certain things were not done in order to safety the Microsoft honeypot, the genuine service this article demonstrated is that people who turn on their new computer with its Microsoft operating system connected to the Internet are vulnerable to exploits which are automated and exist in abundance, ready to pounce upon current Microsoft operating systems.

    Even if you're a master of Microsoft "anti-ware" solutions and tweaks, what happens when someone who isn't takes a few wrong turns with their OS? It's toast, or worse, enslaved and used as a resource the end-user is paying for.

    I stopped using Microsoft operating systems to directly connect to the Internet nearly 10 years ago, when the sophistication of the exploits had developed to the point where it was no longer safe to use any Microsoft OS online. Since then it really hasn't gotten much better, has it?

    I think it's a shame that the company with the fattest pockets can't be bothered to get it right yet still demands to be on every PC made.
  • RTFA (Score:1, Insightful)

    by Anonymous Coward on Monday October 09 2006, @12:24PM (#16366339)
    Damn... WTF is wrong with you people? Most of the people here can't seem to see beyond their own generally computer literate viewpoint. This article is really for your average user out there that doesn't apply the latest security patches or keep their virus scan software up-to-date. It's just stressing how many attacks your average PC undergoes when on the internet. Am I one of the only people that gets this?
  • C'mon, I hate MS but this is FUD (Score:3, Informative)

    by Opportunist (166417) on Monday October 09 2006, @12:27PM (#16366385)
    The BBC ain't a computer biz company. They wanted a story. And what's a better (tech) story in the age of phishing and spam than "OMG TROJANS!"?

    Of COURSE you get plastered with portscans and worms hammering against the "well known" ports. That's normal. Welcome to real life on the 'net. You think it's different for my *nix Machine? It's not. My firewall-log is getting flooded with kids and worms trying to find some unprotected ports, trying to connect to 21, 22, 23, 80 and so on, just to see if there's anything running they could use. The real question is, how many successful attacks did happen? Saying XP is insecure because a billion people hammered at its doors is FUD. When a million of those make it in, though, it's a different matter.

    And yes, an unpatched WinXP is insecure. It simply is. Get a router and you're set against 99% of the external problems you may face. But then you still should not use the machine to access anything on the net, because some of the tools you're using (IE and Office being the two key players today) have known (and partly unpatched) security issues that may cause execution of code when you're not really careful and know what you're doing.

    In a nutshell, going online with a MS product that's not well firewalled and using anything but alternative software for the access of online resources is grossly negligent IMO.
  • 15 Min. Average? (Score:1, Interesting)

    by Anonymous Coward on Monday October 09 2006, @12:29PM (#16366399)
    How do you have a 15 minute average, a 15 minute maximum, and a 15 second minimum?
  • by 140Mandak262Jamuna (970587) on Monday October 09 2006, @12:33PM (#16366475)
    (Last Journal: Wednesday October 31, @08:33AM)
    Yeah, there are bots and they keep sniffing. That is not news. How many of these known attacks actually succeeded? If none, it is pretty good. If one, "Redmond, we have a problem". I assume the OS they simulated was the one that gets shipped right now, not some original unpatched pre SP2 WinXP. If it was an old OS that is not being shipped by OEM vendors currently, then the test is bogus. It is anti MSFT FUD. All FUD is bad, whether it is anti-MSFT or anti-Linux.
  • Interesting (Score:2)

    by The Cisco Kid (31490) * on Monday October 09 2006, @12:33PM (#16366477)
    ... that while they call attention to an obvious problem, they don't suggest any solution.
  • by kisrael (134664) on Monday October 09 2006, @12:35PM (#16366513)
    (http://kisrael.com/)
    I usually am actually behind a Linksys Wireless Firewall/Router. Does that tend to help this kind of problem, or am I being pwned and not realizing it?
  • And then what? (Score:1)

    by boyfaceddog (788041) on Monday October 09 2006, @12:39PM (#16366605)
    (Last Journal: Friday April 06 2007, @12:32PM)
    Okay, so did the BBC repeat the test with a patched version of XP Home? How about XP Pro, or Win 2003 server, or Solaris, or whatever-linux.

    This isn't a story so much as me-too Microsoft bashing
  • Is this "average?" (Score:2)

    by chaboud (231590) on Monday October 09 2006, @12:42PM (#16366653)
    (Last Journal: Wednesday October 16 2002, @02:57PM)
    I have to question the blind assertion that this is the average user. Can one even establish a mean (or median) user on a number of different behavioral axes?

    This is a common myth among users and developers alike. I regularly hear "the majority of people aren't going to do that," but it's as silly to base design decisions on what the supposed majority will do in one case as it is to claim to be representative of the "average user" with one system. The BBC uses such vagaries as "However, at least once an hour, on average...". Those are two orthogonal restrictions. If something happens at least once an hour, that is very different than something averaging once an hour. Which is it?

    It's a fair concern, that putting an older XP installation on an open hole to the internet can be dangerous, but I'm not sure that it's something that the "average" user does. New-computer buyers default to the firewall being on (and annoying), and the last three broadband vendors that I used (DSL, then Cable, then DSL with a different provider) sent modems with built-in firewall/routers to use with their system. The last one sent an 802.11g router that defaulted to an open access point, but that's just another chapter in a long story of security vs. convenience.

    The BBC could have used a more modern setup, but they wouldn't have been able to do their week-long series on how to protect against these dangers if they didn't encounter the manufactured dangers in the first place.

    There's something to see here, but it's so childishly sensationalist that you should just move along...
  • Nice Fearmongering (Score:3, Informative)

    by Effugas (2378) * on Monday October 09 2006, @12:53PM (#16366867)
    (http://www.doxpara.com/)
    I saw a great ad for an Antivirus product recently. "Finally, protect your users from the Melissa virus!"

    Dude, it's 2003, they want their security holes back.

    I'm not going to mince words: This story is BS. Let's take the money quote here:


    However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.


    Really? Once an hour, something that'll remotely own XPSP2, just being leaked out over the Internet?


    "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software."


    OK, Windows Messenger service is disabled in XPSP2...Blaster hasn't worked in years, Slammer never even hit XP Home by default (you had to install Visio), IIS isn't even available for XP Home, and port scans aren't too relevant when you have a firewall on by default.

    What a completely worthless story. You know, we have enough actual security problems going on (the glacier of cross site scripting exploits, what's going on in the online banking realm) that whinging about long solved problems is not only irresponsible; it's dangerous.
  • IIS (Score:1)

    by MBHkewl (807459) on Monday October 09 2006, @01:01PM (#16366991)
    What's IIS doing on an "average home user machine"?!

    Is this an attempt to indirectly promote Microsoft's new OS by urging people to upgrade?
  • 1 IIS attack.... (Score:2)

    by blanks (108019) on Monday October 09 2006, @01:02PM (#16366997)
    (http://www.truepunk.com/ | Last Journal: Friday October 14 2005, @03:35PM)
    I don't know why they included this.  XP home does not have IIS.

    Yes you can install IIS on XP home if you have an XP PRO CD already, but if they are trying to show what normal users experience they shouldn't be including it.

  • by Khyber (864651) <khyberkitsune@gmail.com> on Monday October 09 2006, @01:23PM (#16367327)
    (Last Journal: Saturday November 10, @03:30PM)
    A highly protected Windows machine would have SP2, which automatically has Windows Messenger DISABLED. Just which Service Pack were they using, again?
  • You solve this problem very simply by installing a NAT router between you and the internet. As long as you don't map any vulnerable ports through you don't have to worry about attacks which are not a result of user action, i.e. trojans and what not. The fact that ISPs such as Verizon ship standard integrated NAT router / modems probably does a great deal to make their customers and the internet more secure.
  • by irishstallion (1008667) on Monday October 09 2006, @02:05PM (#16367977)
    How is an average l-user going to get their hands on an unpatched Windows box? I bought a computer from Best Buy recently, SP2 was installed and firewall was on. My sister bought a Dell, same story. Sony, Toshiba, Acer, all the same story. So how, pray tell, does this story mean anything?

    L-users can't get their hands on an unprotected Windows box even if they tried.

    People that can get their hands on unpatched boxes (off of a live cd, but what reason could you possibly have to do that?)

    So who does this article apply to? Really really drunk techs that delete hard drives then put XP back on them and then go surf the net for porn and download a bunch of stuff without patching (i.e. Best Buy Geek Squad)? Well then say that so the rest of us don't have to worry about it. BBC, I watch your News Hour, and thank you for the opportunity to get real news in the US, but this is mad trolling.
  • Duh, right? (Score:1)

    by fprintf (82740) on Monday October 09 2006, @02:18PM (#16368175)
    (http://fprintf.rchomepage.com/ | Last Journal: Friday October 13 2006, @02:33PM)
    Well everyone makes mistakes. I had no idea that my system was under someone else's control. I had an occasionally on wireless connection through my neighbor's high speed connection. Windows Firewall and Avast anti-virus, plus SpyBot-SD were always running whenever I connected the machine to the net. Windows Automatic Update is turned off, but I update the machine weekly.

    I finally got my own DSL connection last week. Within a few minutes I noticed my machine was running really slowly. My mouse was moving slower than I thought it should. Then a few emails disappeared (including my login email AT&T sent me). Ouch, I think I've been taken over.

    So I restarted the machine with Ubuntu, logged into my AT&T account manager via a dial-up connection to change all my passwords etc. and then proceeded to download ZoneAlarm and read up on making my Linksys router more secure (beyond WPA). So I got busted despite my best intentions by letting down my guard. Hopefully not too much personal data was stolen. Fortunately I do very little on the 'Net beyond spending time on online forums and playing http://liveforspeed.net/ [liveforspeed.net] so the only passwords stolen will be my logins to Slashdot and such.

    Live and learn. Pay attention to all this security stuff, even when you think you are secure.
  • Sheesh (Score:2)

    by trifish (826353) on Monday October 09 2006, @02:44PM (#16368569)
    Alex Pontin writes,
    "This article from the BBC shows how vulnerable XP Home really is.


    Dear submitter, Alex, this article did not show how vulnerable XP was, it showed how many ATTEMPTED attacks were detected.
  • by wingfinger (903107) on Monday October 09 2006, @02:47PM (#16368645)
    Why don't ISPs provide a configurable firewall service so most of this stuff isn't even sent down the wire?

    Yes, I don't want to buy a router or a new DSL modem with firewall capabilities.

    I also don't want another * thing to plug into the wall.

    One could even allow users to select/join a non-configurable firewall service -- as long as it isn't too restrictive.

    There is way too much junk being sent to most users.
  • I'm safe, right? (Score:2)

    by amyhughes (569088) on Monday October 09 2006, @02:50PM (#16368699)
    (http://www.amyhughes.org/lego)
    Help me out here, please. I'm a Mac person and use my PC only to play Second Life, and I'm wondering if my PC is protected long enough to get it set up.

    I have WinXP/Home *SP1* that I got OEM when I bought some hardware from newegg a few years ago. The PC I built sat idle (turned off) for a couple years until recently, when I re-built it to play Second Life.

    I've had to re-install windows twice recently. Once when I re-built the machine with newer components and once after my hard drive failed.

    Each time I do this I am starting with *SP1*, and it takes a long while of windows update, windows update, windows update, etc. before it even gets to updating to SP2, then there are more updates and more updates and...

    All the time I am installing windows (about an hour and a half) I am connected through a linksys router/firewall, and once SP2 is finally installed windows firewall is turned on.

    Tell me, all-knowing ones, is this machine compromised by the time I have it updated or does the linksys firewall protect me?

    Thanks,
    Amy

  • Zuh? (Score:1)

    by Yomer333 (918394) on Monday October 09 2006, @02:59PM (#16368857)
    By utilizing the science of MATHEMATICS...we can see that this doesn't make any god damn sense.

    "When we put this machine online it was, on average, hit by a potential security assault every 15 minutes....The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it."

    How can the average be 15, but there was never any period LONGER than 15, and some periods less than 15?

    1, 3, 2, 5, 4, 3, 4, 2, 3
    Average is....5? Bzzzt.
  • by ALpaca2500 (125123) on Tuesday October 10 2006, @12:31AM (#16374543)
    (http://leebenningfield.net/)
    i'm curious to know how a default installation of XP (home or pro) with service pack 2 would fare. doesn't it have windows firewall enabled by default?

    and on a related note, a friend of mine recently reinstalled xp home, sp1, using the disc that came with his computer (emachines). he's on dial-up, and is only connected for a little while at a time, and he still got infected with a few things.

    another friend got a laptop that was a few years old, and i installed a wireless card. at that time, the computer was clean. a few weeks later he came to me and it had a massive spyware/adware/virus infection (again, xp home, sp1). and he had barely used it during that time.
  • by Builder (103701) on Tuesday October 10 2006, @05:17AM (#16375803)
    Last night I had to re-install Windows XP in VMware so that my wife can access her work systems. Once I had spent 20 minutes on the phone asking Microsoft for permission to use something that I already bought, it was time to do the updates.

    The install was Windows XP - no service packs included. I then had to apply patches, install SP2 and apply more patches. The whole time I was doing this, my machine was not, and could not be protected by what was on it. The only thing that saved me is that I run a decent firewall in front of my home network. If I didn't have one (and many people don't - they just plug their cable modem connection to their ethernet port), I wou