Is Your OS Tough Enough? 597

LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
  • Jaguar? (Score:2, Interesting)

    by Anonymous Coward on Tuesday March 01, 2005 @12:50AM (#11809892)
    Tell me I'm dreaming. Are these people really testing the old Mac OS X 10.2 (Jaguar)? And it withstood all attacks. Nice kitty.
  • Conclusion summary: (Score:5, Interesting)

    by rasafras ( 637995 ) <(tamas) (at) (pha.jhu.edu)> on Tuesday March 01, 2005 @12:54AM (#11809913) Homepage
    Unpatched Windows: Bad.
    Patched Windows, Mac, Linux: Good.

    Point? We already hear how much worse security Windows has multiple times a day. This doesn't even say it outright...
    The real thing I gained from the article is the fact that there are still an immense number of infected computers out there, and this brings me to the question: where? How many people could there possibly be out there whose computers are being run by various exploits? We already know that they're all thanks to people that suck at patching their machines, and I find that to be a much larger problem than the security of a fully patched OS.
  • Scan with Impunity (Score:3, Interesting)

    by physicsphairy ( 720718 ) on Tuesday March 01, 2005 @12:54AM (#11809917)
    Most scans and penetration efforts are conducted via zombie machines, and shutting down infected users who probably haven't the faintest clue what's going on just isn't worth the headache it causes ISPs.

    So any resolution of this issue has to be implemented on the OS side.

    On that note, Windows is largely responsible for attacks on other operating systems--easily hacked Windows machines are what provides the cover for most blackhats, including those who are attacking Linux/BSD servers.

  • by innosent ( 618233 ) <jmdority.gmail@com> on Tuesday March 01, 2005 @01:23AM (#11810047)
    Agreed, for instance, the default configs with FreeBSD 5.x are so secure, you can't even send mail from your own system. You can send between users, but that's it, no relays, no outbound of any kind. Of course, it would be nice if people who only need one element of sendmail (sending mail, not receiving it) would realize that a full-featured mailer daemon is overkill, and an invitation for problems. If all you need is something that can send alerts (like from your non-mail servers), use something like sSMTP, a sendmail workalike that can only send mail through your real mail server (even outside accounts, it can handle servers that require authentication). Don't blame sendmail for giving you a headache on 50 systems, when you should never have turned it on in the first place.
  • Re:RTFA (Score:2, Interesting)

    by iccaros ( 811041 ) on Tuesday March 01, 2005 @01:30AM (#11810080) Homepage
    one thing they did not touch on.. if SP1 is taken over in 18 min.. when is there time to install SP2? and they did say that linux and Mac OSX were unpatched.. the we have a bigger market share is not a true statement.. it's an excuse.. With Microsoft's new test in Active X (yes the same thing we have to turn off in all DoD system ) to see if you have a legit copy of windows will just open more holes to get your updates.. what would be interesting is since MS did not release the same patches for Server 2003 saying it's already locked down. you have to break most of the "lockdowns" to make it work correctly.... how quickly is it going to be attacked. and since there is no SP2 for it.. is it a good choice to use?
  • Re:idiot... (Score:5, Interesting)

    by rpbailey1642 ( 766298 ) <robert.b.prattNO@SPAMgmail.com> on Tuesday March 01, 2005 @01:39AM (#11810128)
    Wow, that was an angry response. Yes, I did read the article before I posted, that's how I knew they did upgrades on Win XP SP2 and none of the other systems. The article explicitly stated that the Win XP SP1 system was exploited by Blaster and Sasser in under 18 minutes, which is good enough to call them "hacked". There are three faults with the second part of your argument stating that if they haven't upgraded to SP2 they deserved to be hacked. In the first, there are those who can not upgrade due to programs (custom jobs, programs no longer supported by their manufacturers) that will no longer work with SP2. In the second, there are those who turned off (or had a "helpful" tech turn off) their automatic updates and have no idea how to update their system. Yes, they should know their computers better, but that's a debate for another time and it's one that we've rehashed time and time again. In the third, they only updated Win XP SP2. Had they done all the upgrades on all the systems, I have a feeling the Win system would still not have fared as well as the UNIX-based systems. Remember, there *HAVE* been exploits for XP SP2 in the wild already. Granted, XP SP2 is a step in the right direction, but it is nowhere near perfect. Viruses, spyware, etc are still a problem.

    You are anonymous, and most likely you are attempting to troll. I probably should not have bitten but what can I say, it gave me the chance to rant a bit.

  • Shields Up! (Score:3, Interesting)

    by baconbit ( 808672 ) on Tuesday March 01, 2005 @01:50AM (#11810177)
    Check for open ports on your pc. https://www.grc.com/ [grc.com]
  • Re:Security (Score:4, Interesting)

    by bersl2 ( 689221 ) on Tuesday March 01, 2005 @01:53AM (#11810189) Journal
    I have had 2 or 3 bots trying to brute-force my main box's password for months on end. The attacks all come from (likely compromised) server farms. I used to run without a firewall, but now I block every IP that tries to run an attack.

    They won't succeed as long as I patch, because root logins through SSH are disallowed, and I don't have any of the usernames they guess.

    Keep trying, d00dz!
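
The practice described in the comment above (count password-guessing attempts per source address, block the repeat offenders, and refuse root logins over SSH), sketched as an added example that is not part of the original comment. The log lines are constructed in the format OpenSSH's sshd writes; the function name `analyse` and the threshold are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses from RFC 5737, nothing real).
# The fifth line carries a crafted username that embeds a fake "from <ip>" field.
SAMPLE_LOG = """\
Mar  1 01:40:02 box sshd[811]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  1 01:40:04 box sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 01:40:07 box sshd[811]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Mar  1 01:41:10 box sshd[815]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2
Mar  1 01:41:12 box sshd[815]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 198.51.100.7 port 51001 ssh2
Mar  1 01:41:15 box sshd[815]: Failed password for invalid user guest from 198.51.100.7 port 51002 ssh2
Mar  1 01:50:00 box sshd[820]: Failed password for alice from 192.0.2.10 port 50500 ssh2
Mar  1 01:50:09 box sshd[820]: Accepted password for alice from 192.0.2.10 port 50500 ssh2
Mar  1 02:05:00 box sshd[830]: Accepted password for backup from 198.51.100.7 port 51900 ssh2
"""

# The username is attacker-controlled text. Matching it greedily and anchoring
# the address to the END of the line means only the field sshd itself wrote is
# trusted, so a crafted username cannot get an innocent address blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+ ssh2")


def valid_ip(text):
    """Return the normalised address, or None if the field is not an IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def analyse(lines, threshold=3):
    """Summarise failed logins per source and list addresses to block."""
    failures = defaultdict(lambda: {"count": 0, "users": set(), "root": 0})
    logins = []
    for line in lines:
        line = line.rstrip("\n")
        m = FAILED.search(line)
        if m:
            ip = valid_ip(m.group(2))
            if ip is not None:
                rec = failures[ip]
                rec["count"] += 1
                rec["users"].add(m.group(1))
                # With "PermitRootLogin no" in sshd_config these can never
                # succeed, but they are a clear sign of automated guessing.
                rec["root"] += m.group(1) == "root"
            continue
        m = ACCEPTED.search(line)
        if m and valid_ip(m.group(2)):
            logins.append((valid_ip(m.group(2)), m.group(1)))
    block = sorted(ip for ip, rec in failures.items() if rec["count"] >= threshold)
    # A successful login from an address that was guessing passwords is the
    # case that needs a human: a guess may have worked.
    suspicious = sorted({(ip, user) for ip, user in logins if ip in block})
    return {"block": block, "failures": dict(failures), "suspicious_logins": suspicious}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print("block:", report["block"])
    print("review:", report["suspicious_logins"])
```
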
  • Re:RTFA (Score:4, Interesting)

    by rgmoore ( 133276 ) * <glandauer@charter.net> on Tuesday March 01, 2005 @01:54AM (#11810199) Homepage
    If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place?

    To get a bigger slice of a smaller pie. Worm authors aren't just writing the things as a form of random vandalism; they're writing them to set up botnets that they can use for other nefarious purposes. The huge volume of Windows malware means that there's serious competition for infectable hosts. A successful Linux or OSX worm would have the whole field to itself, which would make up for the smaller number of infectable hosts.

  • Re:idiot... (Score:5, Interesting)

    by rpbailey1642 ( 766298 ) <robert.b.prattNO@SPAMgmail.com> on Tuesday March 01, 2005 @02:04AM (#11810230)
    Story [pcworld.com] about the firewall not blocking Windows shares. I think Slashdot carried this story a long time ago as well. Do not get me wrong, the firewall and steps in SP2 are a nice step, but they simply are not enough at this point. Unless the user is actively involved, no default Windows setup will be enough.
  • Re:Of course (Score:5, Interesting)

    by MoriaOrc ( 822758 ) on Tuesday March 01, 2005 @02:05AM (#11810233)
    Except, as the article says, WinXP SP1 is still quite common. Hell, I still use Win2k SP4. I wish they'd run the test with that.
  • Re:Of course (Score:4, Interesting)

    by DaveJay ( 133437 ) on Tuesday March 01, 2005 @02:12AM (#11810265)
    Better question: does ANYONE put a box on the internet these days without a router between them and the connection?

    (actually, now that I think about it, I can name several. Methinks I need to go have a talk with some friends and family.)
  • Re:RTFA (Score:3, Interesting)

    by bofkentucky ( 555107 ) <bofkentucky.gmail@com> on Tuesday March 01, 2005 @02:18AM (#11810289) Homepage Journal
    I wonder why the big hosting providers don't use IIS, would it be the prohibitive hardware and software costs, or the known lax security procedures at MSFT.
  • Whats an attack? (Score:5, Interesting)

    by Anonymous Coward on Tuesday March 01, 2005 @02:22AM (#11810301)
    The article makes great mention of "attacks" but fails to mention what an "attack" actually consists of.

    For example: they say Windows XP SP2 got attacked 16 times.

    Does that mean it got port scanned 16 times? It can't as I'm sure it got port scanned many more times than that.
    or
    Does that mean it got infected 16 times? It can't because they said it survived all attacks.

    So what on earth were these attacks?
  • by Nintendork ( 411169 ) on Tuesday March 01, 2005 @02:32AM (#11810342) Homepage
    That's funny. I administer about 100 Windows boxes and none of them have been compromised in the two years I've been with the company. That's 2000 and XP. Out of the box, Windows XP SP2 is not open to the Internet. If the computer is a member of a workgroup, it's open to its local subnet and that's all. If it's a member of a domain, the administrator can use group policy to configure it any way he/she pleases. In fact, when it comes to patches, a proper group policy will have all Windows XP boxes (Even with no service pack) and Windows 2000 (As of SP3 I believe) updating automatically. I configure some basic settings from the server and all the computers in our organization get the settings.

    Congratulations on your narrow minded, immature, emotional "M$ is the Devil" reaction. The reverse FUD is working....really. In the meantime, I'll just continue running a Windows network the way it should be run and not lose any sleep over it. So will most other business networks. And so will the workers who want to use the same thing at home that they use at work. All the talk about Windows being insecure out of the box for the home user is now past tense as of SP2. Soon enough, it'll be another outdated argument right up there with "Windows is unstable" and "What about backward compatibility with DOS apps? They can't force users to upgrade!"

    If the developers of other OSes want to battle with MS for market share, they should focus on developing the product and deliver all the new features that people feel is worth paying for the latest version of Windows. While they stand around shouting about a particular advantage, Microsoft is moving to take that away while creating many more advantages of their own.

    -Lucas

  • Re:Lame article. (Score:4, Interesting)

    by louarnkoz ( 805588 ) on Tuesday March 01, 2005 @03:02AM (#11810430)
    There is something bizarre in the way the article counts "attacks". In theory, the number of attacks should be almost the same for each computer in the honeypot, because most viruses don't know what they are attacking.

    The blaster and sasser worms, for example, make no attempt at reconnaissance. They simply blast TCP connections to IP addresses chosen at random. In theory, they have exactly as many chances of attacking the XP/SP1 box as the XP/SP2 box, or for that matter the Mac or any of the Linux boxes. The attack is much more likely to be successful on the SP1 box, but that does not mean the other computers were not attacked.

    So, what did they actually count? What do those numbers mean?

  • Re:Of course (Score:2, Interesting)

    by teece ( 159752 ) on Tuesday March 01, 2005 @03:10AM (#11810452) Homepage
    Putting a box with almost 4 year old unpatched OS is stupid and should not have been included in the test. To include the original XP and not lets say RedHat 7 for example shows a bit of a skewed results.

    I guarantee you there are millions of Windows XP SP1 machines on the 'net right now. How many RedHat 7s are out there? Not so many. First off, Linux is much less common in general, and second, Linux is much more likely to be administered by professionals, and thus properly patched.

    So sorry, to NOT include Windows XP SP1 would have been the stupid thing to do.

    It would have been interesting to see what would happen to an older Linux distro, but it would have been trivia compared to what happens to SP1. I'm actually surprised they included any non-Windows OSs at all, though.
  • Re:Yes, Yet again... (Score:2, Interesting)

    by hdparm ( 575302 ) on Tuesday March 01, 2005 @03:21AM (#11810497) Homepage
    This is total bullshit. Install stock XP, go to Windows update site and see how many critical updates are there for you. Now choose SP2 as a first one to install. Reboot, go to update site again, check how many critical fixes are waiting for you now.

    Last time I did it it was 43:8 SP2:XP.

    However, let's just say you give default installs of XP SP2 and your choice of recent Linux distro to two equally "non-technical-unable-to-think-run-every-exe-attachment" users to do with them their usual stuff. Guess which machine will be compromised (virus, spyware, worm, root, whatever) first. I'll call any bet you put down. You?

  • Re:RTFA (Score:3, Interesting)

    by js3 ( 319268 ) on Tuesday March 01, 2005 @03:36AM (#11810561)
    which big hosting providers would that be? Are they unable to lock down their own pcs? If you're a hosting provider, you lock yourself out of IIS for one of two reasons. Price too high or your customers don't need it. There are many solutions that need IIS to run on, and from what I've seen, the hosting prices for windows web solutions (iis,asp.net,asp,sql server etc) are much higher, sometimes even double the price of the unix equivalents
  • I do it (Score:4, Interesting)

    by Phil Urich ( 841393 ) on Tuesday March 01, 2005 @03:43AM (#11810592) Journal
    I have no firewall, or router. I'm running XP SP1. And I've never had a single problem (my virus scanner hasn't even had to do any work . . . and I have open shares, including an upload folder!).

    By conventional logic, my box should be dead by now. Especially since I keep it on nearly 24/7, connected up to teh intarweb. Go ahead and say I'm just lucky, but I think that if you just have a computer reasonably configured, the over-the-top security that most people think is necessary . . . well, it isn't. I do update with security patches often, and that's about as far along as I go with conventional means of protection.

    So what's the secret, then? I don't entirely know, I think it must be a lot of little things combining. Partially, I think things aren't quite as horribly insecure as people think; just that when they are, and they often are by default, things go so horribly wrong that it colours one's perspective on the issue. The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc. True, that isn't at all what the original article is talking about, but I'm hardly the first to deviate from topic here.
  • Re:I do it (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 01, 2005 @05:06AM (#11810834)
    If you're downloading security patches then haven't you updated to SP2? I mean that's what the patches do...

    And if you've been running without a firewall for all this time on SP1 with open shares and a default config, there is simply no way that you are not infected or rooted with something. Maybe someone hacked you, installed a root-kit, and firewalled you?

    You're simply insane... really, you hook an unsecured SP1 box to the internet and within minutes it will get infected. Maybe your ISP blocks access to certain ports for security reasons? I know mine blocks 135-137 and 445 to keep its customers from getting hit.
  • by Esel Theo ( 575829 ) on Tuesday March 01, 2005 @05:51AM (#11810965)
    I'm absolutely not surprised that up-to-date systems survive current attacks. I'd even expect that from the vendor/distributor.

    The behavior of a not exactly up-to-date system would give much more insight in the overall security of an operating system. The authors tested Windows XP SP1. But what about outdated Linux distributions?

    My personal experience is that it is virtually impossible to install Windows XP today on a system that is connected to the internet. You don't even have the chance to install SP2 fast enough. The article confirms this with its SP1 experiment (it survived 18 minutes).

    In contrast, I'd expect any of the Linux distributions to survive way longer unpatched than Windows does. The distros I've seen (SuSE, Gentoo) have turned any useless service off on a default install since years (I wonder about /. readers that tell something different for Fedora). And I think you can safely do a default install on these systems and then pull your patches from the internet.

    A few, say, one or two year old Linux distros would have been a very interesting contrast to the authors' SP1 experience.
  • Linux is insecure (Score:2, Interesting)

    by RdsArts ( 667685 ) on Tuesday March 01, 2005 @07:55AM (#11811272) Homepage Journal
    While that wasn't a serious post (or at least I hope not), I'll try and offer a true argument in this vein:

    Hula. You know it. You love it. It's installed on your PC right now. Did you audit the code? No. Did you install it as someone other than root? No.

    You have it sitting there, since it's not packaged yet, as a daemon, which is running as root, in /usr.

    Totally safe!

    (Before we go further, this is true of any software package. Hula's just been popular lately and thus helps to underline the point more clearly. I do not believe Hula is evil spyware, nor that anyone involved with it is now, nor has been, a member of the communist party.)

    Except if it were spyware it could have written over who-knows-what and now is sending each shell command and bit of network activity to whomever. And it's root. So we've now a root server running on port 80 which has not been audited. Thank God sendmail taught us all our lesson, right?

    Linux is no safer than any other OS at the moment. Hell, if we look at the fact that strlcat/cpy have been turned down for inclusion multiple times to the GNU libc because it would be "slower" when preventing a buffer vuln, if anything it's getting worse, and will continue down that slope.

    It's as if we've forgotten all we know, and we're ignoring those who try to remind us. [openbsd.org]
  • by FireFury03 ( 653718 ) <slashdot@NoSPAm.nexusuk.org> on Tuesday March 01, 2005 @08:28AM (#11811397) Homepage
    If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.

    I think you are giving many users far too much credit. 90% of the cases where I have to deal with customers who have misconfigured their mail server as a spam relay, I get a response similar to "Yeah, I know that's really insecure and lets spammers use it, but it was [easier to set up]/[only going to be like that for a few weeks]/[not as if I was telling the spammers the open relay was there]" (delete as appropriate).

    The point is that these people *knew* that what they were doing was really stupid, but were doing it anyway because they couldn't be bothered to be secure. Of course it always comes back to bite them in the ass when their server falls over with several million spams in the mail relay queue and a completely saturated ADSL connection.
  • Re:Of course (Score:3, Interesting)

    by SillyNickName4me ( 760022 ) <dotslash@bartsplace.net> on Tuesday March 01, 2005 @09:00AM (#11811507) Homepage

    Of course reading is very difficult and all.. but still..

    The fact is that they were testing what people are using TODAY, not what shops should be selling and people might be using in the future.

    With regards to SP1, the following quote from the article seems somewhat relevant:

    Many computers around the world are still running Windows SP 1, though exact numbers are hard to come by. Gartner research director Michael Silver estimates that by the end of 2005, half of the world's desktops used in businesses will still be using SP 1.

    So, while you are right that people should be running SP2 if they use Windows at all, many people are not doing so, and are extremely unlikely to start doing so in a reasonable amount of time. Hence looking at what a substantial part of the users is running is a very good idea. With regards to this, Win2k SP4 should have been tested as well.

  • Re:I do it (Score:3, Interesting)

    by oconnorcjo ( 242077 ) on Tuesday March 01, 2005 @10:15AM (#11811944) Journal
    I have no firewall, or router. I'm running XP SP1. And I've never had a single problem (my virus scanner hasn't even had to do any work . . . and I have open shares, including an upload folder!).

    I am going to assume that: 1. your modem has a firewall built into it (I know some models do). 2. Your internet provider is fire-walling you (I know some that do).

    I have several logs on various firewalls that tell me how many intrusions were attempted on different boxes and the numbers are amazingly HIGH. Your box is either 0wned by someone on the internet (and you don't know it) or your ISP has been "babysitting" you because they know there are many people out there like you.

  • Re:Of course (Score:2, Interesting)

    by Anonymous Coward on Tuesday March 01, 2005 @10:33AM (#11812071)

    Yeah, I would say that the comments from MS themselves are pretty damning there - that they would expect an OS they were selling 2 months ago to be completely riddled with holes to the point that it's cracked within 18 minutes of being connected.

    The ability to exploit it within 18 minutes isn't a function of how many vulnerabilities Windows XP has. It's a function of a huge number of systems continually trying to exploit two known vulnerabilities. If Linux had the same number of systems trying to exploit two of its known vulnerabilities it would probably have a similar infection time.
  • Re:Of course (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 01, 2005 @10:46AM (#11812167)

    I think you're missing the point

    I think it is you who are missing the point.

    if I don't apply updates to a machine for 2 months I don't expect it to suddenly be *that* vulnerable to attack,

    It's not *that* vulnerable. If you've applied all the latest patches except those from the past two months pre-SP2 versions of XP would not have succumbed to the two worms mentioned in the article.

    Blaster was first discovered 8/11/2003. The patch for the vulnerability that Blaster exploits was released on 7/16/2003.

    Sasser was first discovered 4/30/2004. The patch for the vulnerability that Sasser exploits was released on 4/13/2004.

    Now I don't know about how they calculate time in your world but in this world both of those are easily more than two months old.

    In addition XP SP1 became out of date the moment that XP SP2 was released. The fact that pre-SP2 versions were still being sold up until a couple of months ago doesn't mean that SP1 was out of date. Thus SP1 has been out of date since August 2004...over six months ago. People need to accept that Windows XP SP2 is the current version of Windows. If you're going to discuss the current state of Windows' security you'll have to use it as the reference point. Anything else is being disingenuous.
  • Re:Of course (Score:3, Interesting)

    by FireFury03 ( 653718 ) <slashdot@NoSPAm.nexusuk.org> on Tuesday March 01, 2005 @11:15AM (#11812412) Homepage
    I still say, you buy an OS, you pull down the latest updates

    Yeah, doesn't help when you get cracked whilst pulling down the updates though does it? (Yes, yes, I know you can ask MS for a SP2 CD but really, shouldn't that be bundled with the OS, even if it's just a CD taped to the outside of the box?)

    I thought XP tried to during install anyways?

    Doesn't help if you're on a pay-per-minute dialup connection.
