Security Microsoft

Estimating the Time-To-Own of an Unpatched Windows PC

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutcheson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."
  • by Lord Lode ( 1290856 ) on Tuesday July 15, 2008 @02:49AM (#24192499)
    I've heard similar statistics in the past already. How is this statistic measured? Is it the time after you connect your ethernet cable or modem and do nothing at all but wait, or is it the time after you open a browser and let an "average" user surf the internet and open things? Is it a problem if you need 4 minutes to install all Windows patches and updates?
  • Re:Honeynet (Score:3, Insightful)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Tuesday July 15, 2008 @03:06AM (#24192583) Homepage Journal
    The fact that another Slashdot reader queried my insistence Windows 7 should have better host and network security is proof that there is still rampant ignorance on the subject. The fact that the time-to-pwn has not fallen over the past four years despite "security fixes" and security engines that inconvenience users and break applications is proof that the security methods employed by Microsoft are a failure. The fact that there is virtually nothing mainstream in the Windows world that compares with even the pittance of auditing offered by SARA and TARA is proof that there is no desire to fix this.
  • by MadMidnightBomber ( 894759 ) on Tuesday July 15, 2008 @03:14AM (#24192633)
    Exactly. It used to be a real problem, and at my uni in 2003 or so, I'd insist everyone built their servers and patched them offline. Some didn't listen to me and got owned during install.

    These days, you turn on the firewall on XP SP2 or 2003 and don't have the problem. (As the OP said, just don't browse the web while you're doing a server install.)

    cheers,

  • by ulash ( 1266140 ) on Tuesday July 15, 2008 @03:15AM (#24192639)

    The source for this post seems to be lacking on quite a few fronts when explaining how they arrived at this data.

    - (As pointed out already by numerous posters) Which version of Windows are they using?
    - What activity are they using the computer for?
    - Who are the "all" in "placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas" ?
    - How unpatched is unpatched? Is this a version of the OS that one needs to deliberately search for or if I go and buy a boxed version of the OS there is a pretty good chance it will be just as "unpatched" ?

    The "piece" raises more questions than the answers it provides.

  • by JimboFBX ( 1097277 ) on Tuesday July 15, 2008 @03:20AM (#24192669)
    The fact your firewall was disabled shows you already did some interaction.
  • Re:Honeynet (Score:2, Insightful)

    by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Tuesday July 15, 2008 @03:32AM (#24192719)

    The fact that the time-to-pwn has not fallen over the past four years...

    Pray tell what has happened to the base Windows installation over the past four years? Those security fixes you mention aren't counted in this time, so you can't claim that they aren't contributing to overall security. From the article (sort of) it sounds like this is still the time for XP and not Vista (though since neither the summary nor either linked article actually says, I'm not sure). So why, exactly, should we have expected the time to decrease?

  • by www.sorehands.com ( 142825 ) on Tuesday July 15, 2008 @03:33AM (#24192729) Homepage

    These tech people from Comcast or SBC tell you to plug your machine in directly. Maybe they work for the people who run botnets?

    A spit on them. They seem to be as incompetent as the 'Geek Squad'.

  • Re:Honeynet (Score:4, Insightful)

    by neokushan ( 932374 ) on Tuesday July 15, 2008 @03:36AM (#24192755)

    How can you say this shows no improvement over the last 4 years when the test subject was an UNPATCHED version of Windows?
    The article wasn't even particularly clear if it was good ol' Vanilla XP or XP SP2 or whatever.

  • Re:Honeynet (Score:4, Insightful)

    by willyhill ( 965620 ) <`moc.liamg' `ta' `kaw8rp'> on Tuesday July 15, 2008 @03:46AM (#24192815) Homepage Journal

    One question though - why exactly would I face out a machine with an unpatched OS (the "article" doesn't even mention the version), any OS?

    Especially since a $20 Linksys router solves my problems, assuming I'm unable to slipstream service packs or errata or whatever?

    If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install? Do I not have to go online to download the errata for that one as well? Or even the new version?

    Even with the larger number of exploits for Windows vs Linux, that doesn't mean there are no exploits for Linux. So I have 20 minutes to download my patches, instead of 5? And that's some sort of median, right? Wow, that sure sounds a lot safer. I hope I make it.

    This "metric" is like measuring how deep a machete can cut into your leg, or how much chlorine bleach you can chug before doubling over. Useful? Sure. Should you try it? Nope. With *any* operating system. Not even with any of the *BSDs, which I tend to trust a hell of a lot more than most Linux distros nowadays.

    Looks like a slow news night for Slashdot, as usual.

  • Re:Honeynet (Score:4, Insightful)

    by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Tuesday July 15, 2008 @04:28AM (#24192981) Journal
    If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install?

    Can you still buy Redhat 8?

  • by petes_PoV ( 912422 ) on Tuesday July 15, 2008 @04:33AM (#24193013)
    You'll find that also gets "owned" in less than 5 minutes, in any city in the world.

    Solution: don't do it.

    The point is not that there are bad people, or 'bots, about, it's that there are still a few individuals who are either too lazy or haven't been educated in the hazards of leaving their PCs unguarded. In time they will learn the hard way - or be taught (or possibly punished, as this weakness affects not just the person whose PC it is) that they will take a loss if they don't or "forget" to take the proper precautions. You can build better security into an O/S, but it still requires the people to actually use it: the problem is more an educational issue than a technical one.

  • by Opportunist ( 166417 ) on Tuesday July 15, 2008 @04:45AM (#24193073)

    I actually forgot my car keys in my car overnight once and nothing happened. Well, this isn't LA downtown. I live in one of the cities with the least crime overall.

    The problem is, with the internet, space means nothing. You essentially automatically live in all the worst cities at once, they're all right in front of your doorstep.

    That's what most people forget when they deal with the internet, especially if they live in a sheltered community where it's safe to walk the streets at night. They're not used to pondering being mugged any second. But that's exactly what happens on the internet, you live in the worst kind of neighborhood, anyone out there who wants to do something bad to you is camping right in front of your door.

    Don't feel special, though. They camp in front of everyone else's door at the same time.

  • by Opportunist ( 166417 ) on Tuesday July 15, 2008 @04:59AM (#24193129)

    What's cooking here is worms. Those pesky little things that don't wait for you to click on an infected program but use security holes in your RPC to infect you. XP pre-SP2 was notorious for such a security hole, and my firewall logs tell me that such machines are still widely in use on the internet.

    As I stated above, it took less than 2 minutes with SP1 in 2004. I should repeat that test, I wonder if it changed in the past 4 years.

    Bottom line of it all, a router for 20 bucks can already solve that problem if it's configured to drop any incoming packets (which it is by default). An expense of 20 bucks is all that keeps Joe Average from defeating about 99% of today's worms. I know of a few POCs that can actually find ways around this, but so far I'm not aware of any widespread use of any of those.
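
The comment above describes the two sides of the default consumer-router policy: worms hitting RPC/SMB directly are dropped because nobody inside asked for them, while the PC's own download of the patches gets through because the router saw the outbound request first. The following Python is an added illustration of that connection-tracking decision, not code from any router vendor or from the poster; the addresses, ports and packet layout are constructed for it, and address translation itself is left out so only the allow/drop logic remains.

```python
from collections import namedtuple

# A packet as seen by the router. Addresses are constructed from the RFC 5737
# documentation ranges; the inside host uses a private RFC 1918 address.
Packet = namedtuple("Packet", "proto src sport dst dport")

INSIDE_HOST = "192.168.1.10"      # the freshly installed, unpatched PC (constructed)
UPDATE_SERVER = "203.0.113.5"     # stands in for the patch download server (constructed)
WORM_SOURCE = "198.51.100.7"      # an infected host out on the Internet (constructed)


class StatefulFilter:
    """Minimal model of a consumer router's default inbound policy: a packet
    from the Internet is forwarded only if it answers a flow the inside host
    opened first. This is a teaching model, not a real firewall."""

    def __init__(self):
        self.flows = set()   # (proto, inside_ip, inside_port, remote_ip, remote_port)
        self.dropped = []    # human-readable log of rejected inbound packets

    def outbound(self, pkt):
        # Traffic leaving the LAN is always allowed and registers a flow entry,
        # which is what later lets the matching reply back in.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ALLOW"

    def inbound(self, pkt):
        # Reverse the 5-tuple: an allowed reply is addressed to an inside
        # host/port that previously talked to exactly this remote host/port.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "ALLOW"
        self.dropped.append(
            f"DROP unsolicited {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"


def simulate():
    """Replay the situation in the thread: the PC fetches patches while a worm
    probes the RPC/SMB ports. Returns the verdict for each packet plus the log."""
    fw = StatefulFilter()
    verdicts = {}
    # 1. The PC opens a connection to the update server from ephemeral port 49152.
    verdicts["update_request"] = fw.outbound(
        Packet("tcp", INSIDE_HOST, 49152, UPDATE_SERVER, 80))
    # 2. The server's reply matches the recorded flow and is forwarded.
    verdicts["update_reply"] = fw.inbound(
        Packet("tcp", UPDATE_SERVER, 80, INSIDE_HOST, 49152))
    # 3. A worm scans for the RPC (135) and SMB (445) listeners. Nothing inside
    #    asked for these, so the default policy drops them unanswered.
    verdicts["probe_rpc_135"] = fw.inbound(
        Packet("tcp", WORM_SOURCE, 3099, INSIDE_HOST, 135))
    verdicts["probe_smb_445"] = fw.inbound(
        Packet("tcp", WORM_SOURCE, 3100, INSIDE_HOST, 445))
    # 4. A packet from the right server but to a port the PC never used is also
    #    dropped: the match is on the whole 5-tuple, not just the peer address.
    verdicts["spoofed_reply"] = fw.inbound(
        Packet("tcp", UPDATE_SERVER, 80, INSIDE_HOST, 135))
    return verdicts, fw.dropped


if __name__ == "__main__":
    verdicts, dropped = simulate()
    for name, verdict in verdicts.items():
        print(f"{name:16s} {verdict}")
    print("\n".join(dropped))
```

Note what the model does not cover: anything the inside host initiates itself, such as a browser fetching a malicious page, passes the filter by design, which is why several posters separately warn against browsing during an install.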

  • by Computershack ( 1143409 ) on Tuesday July 15, 2008 @05:07AM (#24193173)

    Which is exactly my point. We know those machines get pwned quickly, so why is this news?

    Because it's about Windows and in the current trend, you don't have to bother on /. with little annoyances like facts and the truth if it's to do with Microsoft - any old shite will do if it is trying to make Microsoft look bad.

    Yet you'll notice that the /. crowd isn't bleating on about the 33 year old Unix bug that's only just been fixed this week.

  • Can you trade in? (Score:1, Insightful)

    by Anonymous Coward on Tuesday July 15, 2008 @05:10AM (#24193185)

    Can you trade in your OEM XP (SP1) disk for a new shiny XP SP2 or 3?

    No.

    In fact, because it's burned for a specific machine, you can't even slipstream.

    So the antipiracy doodad is the problem here.

  • by erlando ( 88533 ) on Tuesday July 15, 2008 @05:39AM (#24193335) Homepage

    Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older than Ubuntu - even with SP2 it would still be older than Ubuntu or Firefox.

    It could be that there are a lot of pre-SP2 install disks out there. In the likely event of needing a reinstall you are faced with having to put a pre-SP2 XP on the net to retrieve SP2.

  • by Mistlefoot ( 636417 ) on Tuesday July 15, 2008 @05:53AM (#24193415)
    Actually, Thorsten at http://honeyblog.org/archives/193-Survival-of-the-Fittest.html answers that. He states

    "Yonah, if you read the blog posting things should be more clear: "For example, we can use low-interaction honeypot such as nepenthes or amun that emulate common network-based vulnerabilities and deploy them at different locations."

    Thus we did not use native machines, but low-interaction honeypots that emulate different kinds of exploits. You can find more information about these tools at http://nepenthes.mwcollect.org and http://amunhoney.sf.net - hope this helps to understand the results a bit better."

    Nowhere on any of the pages is there any indication that these are Windows exploits, nor was a Windows machine used in this study. According to https://sourceforge.net/projects/amunhoney/ Amun requires Linux.

    Although I've no doubt any unpatched OS has vulnerabilities (hence the patches), could KDawson please point us to the article discussing "Estimating the Time-To-Own of an Unpatched Windows PC", because neither this article nor any of the links even mentions Windows.
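
The summary quotes two very different survival times (about 4 minutes from the ISC, an average of 16 hours from the German honeypot group), and the comment above explains that the latter came from low-interaction sensors emulating vulnerable services. How such a figure is computed, and why the choice of method and the handling of sensors that were never exploited move it so much, is easier to see on data. The following Python is an added example, not code from the ISC, honeyblog.org, nepenthes or amun; the log lines and their format are constructed for it.

```python
from datetime import datetime
from statistics import mean, median

# Constructed honeypot event log (not real sensor output; the line format is an
# assumption for this example). Each sensor logs when it went live and every
# emulated exploit it received, so survival time = first exploit - deployment.
HONEYPOT_LOG = """\
2008-07-14T10:00:00 sensor=A event=deployed
2008-07-14T10:03:40 sensor=A event=exploit port=445 sig=emulated-smb
2008-07-14T10:07:12 sensor=A event=exploit port=135 sig=emulated-rpc
2008-07-14T10:00:00 sensor=B event=deployed
2008-07-15T02:00:00 sensor=B event=exploit port=445 sig=emulated-smb
2008-07-14T10:00:00 sensor=C event=deployed
2008-07-14T10:05:00 sensor=C event=scan port=445
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def survival_times(log_text):
    """Seconds from deployment to the first emulated exploit, per sensor.
    A sensor that only saw scans (no exploit) gets None: its survival time is
    censored, not zero, and must not be averaged in as if it were observed."""
    deployed, first_exploit = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sensor = rec["sensor"]
        if rec["event"] == "deployed":
            deployed[sensor] = rec["ts"]
        elif rec["event"] == "exploit":
            if sensor not in first_exploit or rec["ts"] < first_exploit[sensor]:
                first_exploit[sensor] = rec["ts"]
    return {
        sensor: (first_exploit[sensor] - t0).total_seconds()
        if sensor in first_exploit else None
        for sensor, t0 in deployed.items()
    }


def summarize(times):
    """Report mean, median and minimum over observed sensors only, plus how
    many were censored, so a reader can see what a single headline number hides."""
    observed = [t for t in times.values() if t is not None]
    return {
        "n_observed": len(observed),
        "n_censored": sum(1 for t in times.values() if t is None),
        "min_s": min(observed) if observed else None,
        "median_s": median(observed) if observed else None,
        "mean_s": mean(observed) if observed else None,
    }


if __name__ == "__main__":
    per_sensor = survival_times(HONEYPOT_LOG)
    for sensor, secs in per_sensor.items():
        print(sensor, "censored" if secs is None else f"{secs / 60:.1f} min")
    print(summarize(per_sensor))
```

On the constructed data one sensor is hit after 3 minutes 40 seconds and another after 16 hours, so the minimum tells the "under 5 minutes" story while the mean tells the "16 hours" story from the same log; reporting which statistic was used, and how many sensors never saw an exploit at all, is what the thread finds missing from the original post.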
  • Re:Honeynet (Score:5, Insightful)

    by neokushan ( 932374 ) on Tuesday July 15, 2008 @06:12AM (#24193515)

    Exactly. Saying an unpatched OS is vulnerable to attack is like saying an unlocked car is liable to be stolen.
    I'm not even sure what it is they're trying to prove - that Microsoft can't bend time and space and retroactively patch ALL XP disks every time they release an update?

    This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. I've known a few people that have resorted to one of these Live CDs in times of dire need (i.e. when Windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?
    Luckily, Linux is pretty good at not getting owned so it's a bit of a non-issue at the moment, but I dare say it's only a matter of time before someone starts targeting them as well.

  • by Raineer ( 1002750 ) on Tuesday July 15, 2008 @06:31AM (#24193599)

    I never patch my Windows unless it's a service pack and I run just fine... Always have my antivirus running and Windows Defender with a router with built-in firewall... No complaints for the 7 years since I built my PC....

    Would you even know if your PC was a Botnet client?

  • If the internet is so f--- up that plugging a new computer onto it brings it under immediate attack, then, well, the good guys have -lost-.

    It's really time to start unplugging bad guys from the internet period, applying stricter filtering at the ISP level, and more rigidly filtering countries who don't police their networks.

    Five minutes to be attacked? The internet is LOST.

  • by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Tuesday July 15, 2008 @07:25AM (#24193851)

    Is it a problem if you need 4 minutes to install all windows patches and updates?

    It's not a problem at all if you just turn on the firewall that comes with every version of XP, or in pretty much every consumer-level cable/ADSL modem/router.

    It would be interesting to see how long default, unpatched installs of OSes like RH7 and Solaris 8 last as well.

    These sorts of articles are just flamebait. Pretty much any version of Windows XP acquired since 2004 has SP2 integrated, and thus the firewall enabled by default. The vast majority of consumers sit behind NAT routers (at the very least) and firewalls (also common). A completely exposed Windows XP box - much like a completely exposed box running any OS - is a rarity, today.

  • by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Tuesday July 15, 2008 @07:35AM (#24193903)

    Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).

    The average DSL user, at least, is sitting behind a device which at the very least does NAT and probably has a firewall enabled as well.

    It's been some time since I had a cable connection and modem, but I'd be surprised if they weren't the same, these days.

  • Re:Honeynet (Score:3, Insightful)

    by tepples ( 727027 ) <tepples.gmail@com> on Tuesday July 15, 2008 @08:08AM (#24194087) Homepage Journal

    Saying an unpatched OS is vulnerable to attack is like saying an unlocked Car is liable to be stolen.

    No, it's more like saying that a car is likely to be stolen before the locksmith has a chance to install locks.

  • by Anonymous Brave Guy ( 457657 ) on Tuesday July 15, 2008 @08:41AM (#24194293)

    That, and it was on pretty much every magazine cover DVD for months.

    And how many people really don't have access to at least an SP2 DVD anyway? If the average lifetime of a PC is, say, somewhere in the 3–5 year range, then almost all PCs in use today would have come with such a disk.

    This entire article is (-1, Troll). It's like asking the average time to crack an Ubuntu box if you install it with a direct, unfirewalled connection to the Internet, disable all the security settings, and post the root password in your Slashdot sig.

  • by sm62704 ( 957197 ) on Tuesday July 15, 2008 @08:54AM (#24194395) Journal

    If you have a clean system AND don't go screwing with the system's settings the Windows firewall will do just fine at getting you online safely

    I'm confused then. If what you say is so, and Microsoft's firewall is rock solid, then how could an unpatched Windows installation be pwned in less than four minutes as the summary says? I guess I need to RTFA (grumble mumble).

    How hard would it be for Microsoft to add a patch CD to the box, or when patches are released to ship patch CDs to retail outlets like Best Buy and Circuit City for their existing stock? AOL used to send me coasters every damned week, why can't Microsoft?

    I spent over a hundred dollars for XP, is it too much to ask for a quality product? My car is six years old, but if a defect crops up they'll do a recall and fix it on their dime. Why can't Microsoft?

    More confusing, why isn't everybody demanding this instead of making excuses for Microsoft? Apple ships millions of computers quarterly, why don't they have these security problems? Are there any Apple or 'nix viruses (not trojans) in the wild?

  • by ThatTallGuy ( 520811 ) on Tuesday July 15, 2008 @09:00AM (#24194479)
    I'm one of those people who doesn't use a KVM switch. VNC is better because it works on virtual machines as well as physical ones. :D
  • by Creepy Crawler ( 680178 ) on Tuesday July 15, 2008 @09:17AM (#24194733)

    Not true at all. It's a common misconception that NAT protects anything at all. Why so?

    NAT uses translation routing based upon multiple inside computers to one outside address. The key here is the NAT device does NOT reconstruct packets if they are heavily fragmented. Even upper end Ciscos and Junipers are vulnerable to fragment based attacks.

    The key is you construct an IP-IP tunnel to the target victim, try to guess the internal IP addressing scheme, and then use a program called Fragrouter to properly "make mal-fragmented packets". Once you do this, it will hop over damn near every router.

    I think there's a setting in IPF that forces reconstruction before passing packets. That's the only defense, along with a proactive filtering in both directions.

"Engineering without management is art." -- Jeff Johnson

Working...