Security

Windows Security Holes Go Mostly Unexploited

murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and viruses, most MS users aren't the target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."
This discussion has been archived. No new comments can be posted.

  • And how many (Score:5, Insightful)

    by TerryAtWork ( 598364 ) <research@aceretail.com> on Monday December 30, 2002 @07:00PM (#4984560)
    of these holes are exploited by adults who are quiet about it instead of big-mouth children?

    • Re:And how many (Score:3, Insightful)

      by MonTemplar ( 174120 )
      Who knows? If anyone has been exploited, they ain't telling...
      • Re:And how many (Score:3, Insightful)

        by pod ( 1103 )
        Who knows? If anyone has been exploited, they ain't telling...

        Perhaps because they don't know? I know I wouldn't notice someone sneaking away my IE history file, or the password file, or a couple of mp3s.

    • Re:And how many (Score:5, Insightful)

      by JoeBuck ( 7947 ) on Monday December 30, 2002 @07:19PM (#4984724) Homepage

      If your Windows PC has a fast (DSL or cable) connection, it may well be one of thousands of machines owned by some jerk who wants to use it to launch DDoS attacks. Its owner may never notice any difference: it appears to operate normally, only sometimes the web seems a bit slower than expected. The attacker has an interest in having the machine appear to be "normal".

      • by billstewart ( 78916 ) on Monday December 30, 2002 @09:55PM (#4985497) Journal
        As an old Unix hacker I've found it annoying that Windows is sometimes more secure than Linux, but it can happen.
        My lab used to have an unprotected DSL with out-of-the-box RedHat 6.x and unprotected Win95 boxes on it that we used for testing things. As far as I could tell, nobody ever successfully hacked the Windows box, and when I was running ZoneAlarm, it'd detect a lot of doorknockers but no real attack - No surprise, because we had file-system sharing turned off, a relatively obscure freeware web server, no Napster/Kazaa/Gnutella/Morpheus/etc., and not much else useful on it except clients so not much to crack.

        But the main Linux box got broken into all the time - I eventually changed its name to "Kenny" because it was getting brutally killed every week. As far as I could tell, nobody seriously bothered it once I upgraded to RH 7.1 in a medium-secure mode (I didn't install FTP servers, for instance, and Apache didn't have any web pages complex enough to be exploited), but by then I wasn't doing much complex, and I'd replaced the highly reliable Pentium-66 with a faster el-cheapo machine that often died on its own so it wasn't available to crackers.

        The most common attacks I was aware of were some rootkit followed by installing Stacheldraht DDOS and some IRC bots. (And after I'd wiped out Stacheldraht a couple of times, the loser got annoyed and wiped out my disk drive once.) I noticed the initial attack because one of Kenny's P66 cousins was used to run a tcpdump sniffer to monitor the LAN and it kept doing ICMP to machines at universities. At least one of the rootkits "fixed" ls and ps to not report on its directories and processes, but forgot about some other utilities like /proc, and forgot about semantics problems like

        umount: Can't unmount /home2 - in use

        $ ps -ef
        [nothing obvious shows up]
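Added example, not part of the original thread: a cross-view check for the situation billstewart describes, where a replaced `ps` hides processes that `/proc` still lists. The function names, the constructed fake `/proc` tree and the process name `ircbot` are assumptions made for illustration.

```shell
#!/bin/sh
# Cross-view check for processes that a replaced ps no longer reports.
# Catches user-space tampering only: a kernel-level rootkit can filter
# /proc as well.

# hidden_pids PROC_ROOT PS_FILE
#   PROC_ROOT  directory laid out like /proc (all-numeric dirs = processes)
#   PS_FILE    PID list as printed by `ps -e -o pid=`
# Prints "PID<TAB>NAME" for every process under PROC_ROOT missing from PS_FILE.
hidden_pids() {
    proc_root=$1
    ps_file=$2
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        case $pid in *[!0-9]*) continue ;; esac      # skip non-PID entries
        # ps pads PIDs with blanks; strip them before an exact-line match
        tr -d ' \t' < "$ps_file" | grep -qx "$pid" && continue
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status" 2>/dev/null | head -n 1)
        printf '%s\t%s\n' "$pid" "${name:-unknown}"
    done | sort -n
}

# scan_live: run the check on the local machine. Processes that start or
# exit between the two views would be false positives, so a candidate is
# reported only if it is still in /proc and still absent from a second
# ps snapshot taken afterwards.
scan_live() {
    snap1=$(mktemp) || return 1
    snap2=$(mktemp) || return 1
    ps -e -o pid= > "$snap1"
    candidates=$(hidden_pids /proc "$snap1")
    ps -e -o pid= > "$snap2"
    printf '%s\n' "$candidates" | while read -r pid name; do
        [ -n "$pid" ] || continue
        [ -d "/proc/$pid" ] || continue               # already exited
        tr -d ' \t' < "$snap2" | grep -qx "$pid" && continue
        printf '%s\t%s\n' "$pid" "$name"
    done
    rm -f "$snap1" "$snap2"
}

# demo_hidden: constructed sample, a fake /proc with four processes and a
# ps listing that admits to only three of them.
demo_hidden() {
    tmp=$(mktemp -d) || return 1
    for entry in 1:init 412:sshd 977:bash 1033:ircbot; do
        pid=${entry%%:*}
        mkdir -p "$tmp/proc/$pid"
        printf 'Name:\t%s\nState:\tS (sleeping)\n' "${entry#*:}" \
            > "$tmp/proc/$pid/status"
    done
    mkdir -p "$tmp/proc/net" "$tmp/proc/sys"          # non-process entries
    printf '%5s\n' 1 412 977 > "$tmp/ps.txt"          # padded like real ps output
    hidden_pids "$tmp/proc" "$tmp/ps.txt"
    rm -rf "$tmp"
}

case "${1:-}" in
    --live) scan_live ;;
    --demo) demo_hidden ;;
esac
```

Run with `--demo` for the constructed sample or `--live` on a Linux host, ideally using a known-good shell and utilities from read-only media.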
  • In other news (Score:5, Insightful)

    by Exiler ( 589908 ) on Monday December 30, 2002 @07:00PM (#4984563)
    Thousands of people are in dark alleys every day and rarely are any shot, raped, mugged or sodomized.
    • Re:In other news (Score:3, Insightful)

      by Sc00ter ( 99550 )
      Most household locks are easy to kick in. Yet many houses are not broken into.

    • Re:In other news (Score:5, Insightful)

      by Telex4 ( 265980 ) on Monday December 30, 2002 @07:27PM (#4984775) Homepage
      Well put :)

      The fact that the bugs go unexploited is a good thing, but it does not excuse the bugs. People are unlikely to want to switch from Windows to another OS simply because there are lots of security holes, because they rarely encounter them. From your average user's point of view, they're no big deal. But that doesn't excuse Microsoft from allowing them to exist, just as the low number of rapes doesn't excuse governmental organisations from allowing dark alleys to exist. Every rape is tragic. Every bug exploited is of course not as tragic, but certainly an inconvenience for the victim, and at times a rather large financial problem for companies.
  • Bad. (Score:2, Interesting)

    by s0l0m0n ( 224000 )
    Unexploited == unpatched?

    I know the difference, but I'm wondering what percentage of the unexploited are also currently unpatched?

    Perhaps all the black hats are just saving up for, MWHahahaha, World Domination.
  • Well yeah, (Score:5, Insightful)

    by autopr0n ( 534291 ) on Monday December 30, 2002 @07:01PM (#4984581) Homepage Journal
    because they don't notice these viruses.

    Saying that unprotected windows machines go un-hacked is ridiculous. Just look at your server logs (if you run a web server). How many automated hack attempts do you see? Quite a few.

    Tons of people are infected with viruses and spyware (now that shit should be illegal, god damn) but they never notice or care, as long as their computers keep working.
    • I've had DSL for 6 months now, and have been running my computer 24/7 since. In total my logs show less than a dozen attacks in that whole time. When I first got it I got port scanned hourly, but I haven't seen one in the past month that I can recall.

      Before I got DSL (and a static IP) I was warned that they usually get a lot of hack attempts. Maybe I'm the exception, or maybe I'm being hacked at such a high-level that my scanners or firewalls haven't caught it.

      But overall, running Win2000 the whole time, I haven't had a problem.
      • by Znork ( 31774 ) on Monday December 30, 2002 @07:54PM (#4984926)
        Sounds like you've gotten so 0wn3zd you're not even getting the logs anymore. Probably fairly soon after those first portscans you saw. Or maybe your ISP is running a firewall for you? But if I was suddenly seeing less than a dozen attacks per day, frankly, I'd be pretty sure I wasn't seeing the real picture.

    • Re:Well yeah, (Score:5, Informative)

      by sfe_software ( 220870 ) on Monday December 30, 2002 @07:27PM (#4984780) Homepage
      because they don't notice these viruses.

      Very true. I worked a temp job doing warranty repairs on Gateway PCs (and wouldn't recommend a Gateway to my worst enemy). Sadly, since the Gateway Country stores don't employ any computer literate people, over half of the systems we were to "repair" involved popping in the restore CD.

      But at the time (a few months back), I'd say about 10% of them were Klez-related (in order to tell the user what was wrong, we had to do a diagnosis including virus scan as a first step).

      As well, my dad has restored his PC a multitude of times in the 3 years he's had it. He of course thinks it's because Microsoft sucks, or "that new MSN upgrade broke my system", but in reality I think it's because he'll download anything and everything he can get his hands on (he just loves that Bonzi buddy thing... ugh)

      My point simply being that most of them probably didn't even know they were infected/exploited (I'm sure most don't read the paperwork we sent back). These statistics come from where, exactly? How many joe-sixpack users, who have already been ridiculed by their geek friends, are going to admit in a survey that they were stupid enough to click on the attachment against everyone's advice?

      I just have to wonder where the stats come from. If it's from Wired readers, I'd say it's skewed as their average reader-base is probably a bit more savvy than average.

      Saying that unprotected windows machines go un-hacked is ridiculous. Just look at your server logs (if you run a web server). How many automated hack attempts do you see? Quite a few.

      And since Code-Red, Nimda, etc use a semi-random IP selection routine, attempting to stay close to the current IP, home cable/DSL networks are the most affected. My DSL still logs around 80-100 attempts on port 80 per day (keeping in mind Nimda tries several variations per attempt).

      Also, the majority affected aren't aware that they are even running a web server at all, much less that they're infected (and spreading infection). To this day, I can go to each IP in my logs, and see the IIS default page on the vast majority (indicating they aren't running IIS for a reason, and likely aren't aware that it's there).

      Finally, I just want to say that just because not everyone has been exploited, should mean that we should look at the situation any lighter. The Code Red thing should have been a serious wake-up call to Microsoft. Same with iloveyou, melissa, et al. These things were highly public, and should have been viewed as a major fiasco. Maybe the scene has toned down in the last year or so, sure, but that doesn't mean we should just not worry about it. Hopefully not too many people will read the Wired article and become more lax in their practices...
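Added example, not part of the original thread: a log triage function for the port-80 probes sfe_software mentions, counting Code Red and Nimda requests separately from attempts, since Nimda sends several request variations per attempt. It assumes Apache common log format and matches on the publicly documented request paths of these worms; the function names and the sample log lines (documentation address ranges) are constructed.

```shell
#!/bin/sh
# worm_attempts LOGFILE
# Reads an access log in common log format and prints one line per worm
# family: "<family> <matching requests> <attempts>".
# An attempt is one source address probing on one day, so a Nimda burst of
# several request variations from the same host counts once.
worm_attempts() {
    awk '
    {
        ip  = $1
        day = substr($4, 2, 11)              # "[30/Dec/2002:19:27:01" -> "30/Dec/2002"
        if (split($0, q, "\"") < 3) next     # no quoted request line
        if (split(q[2], req, " ") < 2) next  # malformed request
        path = tolower(req[2])

        if (path ~ /^\/default\.ida\?/)             fam = "codered"
        else if (path ~ /\/(root|cmd)\.exe(\?|$)/)  fam = "nimda"
        else next                                   # ordinary traffic

        requests[fam]++
        if (!((fam, ip, day) in seen)) {
            seen[fam, ip, day] = 1
            attempts[fam]++
        }
    }
    END {
        printf "codered %d %d\n", requests["codered"], attempts["codered"]
        printf "nimda %d %d\n",   requests["nimda"],   attempts["nimda"]
    }' "$1"
}

# demo_worm_log: constructed sample log. One host sends a four-request
# Nimda burst, a second host sends a single Nimda probe, a third sends a
# Code Red style request, and a fourth is a normal visitor.
demo_worm_log() {
    log=$(mktemp) || return 1
    cat > "$log" <<'EOF'
192.0.2.10 - - [30/Dec/2002:19:27:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [30/Dec/2002:19:27:01 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [30/Dec/2002:19:27:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [30/Dec/2002:19:27:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
198.51.100.7 - - [30/Dec/2002:20:03:44 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 272
198.51.100.23 - - [30/Dec/2002:21:15:09 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
203.0.113.5 - - [30/Dec/2002:21:16:30 -0500] "GET /index.html HTTP/1.1" 200 1043
EOF
    worm_attempts "$log"
    rm -f "$log"
}

case "${1:-}" in
    --demo) demo_worm_log ;;
    --log)  worm_attempts "$2" ;;
esac
```

On the constructed sample the five Nimda requests collapse to two attempts, which is the gap between raw hit counts and distinct infected sources that the comment points out.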
    • Very simple answer (Score:3, Insightful)

      by lseltzer ( 311306 )
      People who run antivirus software and keep it up to date are almost completely immune to this nonsense. And it's not like they haven't been warned; anyone who thinks about this knows. Almost everything out there that's prevalent in the wild was patched by MS or put in everyone's virus definitions long ago.

      Here's the virus count for my gateway since July 4 of this year:

      717 WORM_KLEZ.H
      120 WORM_SIRCAM.A
      45 WORM_YAHA.E
      11 PE_NIMDA.E
      6 WORM_BUGBEAR.A
      2 WORM_HYBRIS.B
      1 JS_NIMDA.A
      1 WORM_HYBRIS.C
      1 WORM_KLEZ.E
    • Re:Well yeah, (Score:3, Insightful)

      by sjames ( 1099 )

      Agreed.

      Apparently malicious code inserted into Windows by 13 year olds with nothing better to do doesn't harm stability any more than what MS put in there. (O.K. that's out of my system now)

      The other factor is probably that most people don't have anything all that interesting on their PC that couldn't be gotten more easily on a warez newsgroup. The same reason most people needn't worry about neighbors listening in on their cordless (or even tapping in at the NID on their landline).

  • by tomhudson ( 43916 ) <barbara.hudson@b ... m ['son' in gap]> on Monday December 30, 2002 @07:01PM (#4984585) Journal
    That's because there are SO many exploits to choose from. Nobody has the time (or need) to exploit all of them :-)
    • It's true for the script-kiddies who run these attacks too you know.

      They'll get around to it.
    • Sad but true. (Score:3, Interesting)

      by billstewart ( 78916 )
      Unfortunately, Windows is way too big to fix, as are too many of the major applications that run on it, and security isn't something you can just patch on after the fact. Some of the newer versions, such as XP, don't crash anywhere near as often, which suggests that maybe enough major parts have been rewritten that many of the old bugs have been discarded and replaced with a smaller number of newer bugs.

      One of the things that annoys me the most is the number of reported holes that are caused by buffer overflows. There's simply no excuse for them this decade! If you don't have a good enough quality control process to test for them all, and MS doesn't, you shouldn't let your people write code in C! Don't get me wrong - I really *like* C, and I've been using it for over 20 years. It's a great language for a lot of things, including compact, efficient, clean, obvious code, and it does let you shoot yourself in the foot [216.239.51.100]. But if you can't keep your people from shooting, and can't tell where the holes are, and can't tell whether all your feet are intact, it's not the language for you. And if you want to use C++ or C-- or C-sharp or C-dull, and you don't enforce the use of safe I/O and copying methods, don't do that either. (By the way, this rant applies to Linux as well.)

      Esther Dyson has her signature-line about "Always make new mistakes". Buffer overflows and testing for maliciously formatted input aren't new mistakes, folks! They're CS100 material, the first thing you should be learning after you learn how to do arrays and input functions. (And I learned my programming in PL/I, a language that won't let you overflow buffers.) At least make the bugs interesting, like race conditions or something! Accepting input that abuses ..s in directory paths when they shouldn't be there isn't a new mistake, and it's one of the most common bug reports I see that aren't memory-related.

  • Lies, foul lies. (Score:5, Informative)

    by J. T. MacLeod ( 111094 ) on Monday December 30, 2002 @07:03PM (#4984597)
    As a contractor doing technical support for an ISP, I will attest to the fact that home users are hit very hard by problems such as Klez.

    It's an epidemic.

    On the other hand, we know of surprisingly few cases where machines were exploited on the network for other types of obvious security holes.

    "We know of" being the key phrase.
  • by Anonymous Coward on Monday December 30, 2002 @07:03PM (#4984598)
    The article mentioned does not specifically discuss Windows security holes (as the title of this thread suggests), but rather security holes in general, and goes on to mention the Linux Slapper worm in particular.

    I find this typical of the slanted, Microsoft-bashing nature of posts here on Slashdot!
  • Sooner or Later (Score:5, Insightful)

    by robbyjo ( 315601 ) on Monday December 30, 2002 @07:03PM (#4984600) Homepage

    Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes.

    The problem is that the article fails to mention that if the holes are not fixed, sooner or later the so called malicious hacker will find it and exploit it *quietly*. This is dangerous thing.

    IMHO, better to expose it and then *quickly* fix it rather than do nothing.

    The problem is now that Microsoft knows (or being told) about the holes but often takes a very long time to fix it and sometimes ditch the bugs as "unimportant". This is even worse as this *will* give a plenty opportunity for the hackers to implement the exploit.

  • by heldlikesound ( 132717 ) on Monday December 30, 2002 @07:04PM (#4984609) Homepage
    You know for being a virus, I'd think the authors would want to give it a cool name, like Infectita or Shadowbyte, I dunno SOMETHING cool. Instead, it's Klez, which sounds like a freeware puzzle game that sucks ass but has a lot of bright colors.
    • by Anonymous Coward
      Quite a lot of virus names aren't coined by the virus writer, you know, but by the anti-virus labs' reverse-engineers trying to research the virus. Lots of viruses don't have strings detailing their names, even encrypted ones, so the labs just have to kind of make them up, and occasionally one sticks. The researchers aren't looking for something cool, they're looking for something uniquely identifiable that they can refer to it as during their research and writeup.

      The author did, however, name KLEZ and its parasite, Elkern. KLEZ appears to be an acronym, though what it stands for is unknown.

      Also, sometimes the author's names are simply ignored - for example, Nimda isn't actually called Nimda, it just wrote a file called ADMIN.DLL and while reversing it, the researchers... well... you can guess the rest.
    • by baryon351 ( 626717 ) on Monday December 30, 2002 @07:24PM (#4984757)
      klez always made me think of a bundled lesbian that came with KDE...
  • by helix400 ( 558178 ) on Monday December 30, 2002 @07:04PM (#4984611) Journal
    Funny, the Opaserv worm is currently exploiting one flaw with great success. The newest variant destroys a hard drive.

    It's so bad, that if you install win98 on a fresh machine, password protect and share the C drive, and connect to the internet, you can get this variant within 5 minutes. Opaserv exploits a shared drive password flaw, and has full access to the machine. Then it will ruin the CMOS and main hard drive partitions.

    From my tech support experience, this year has been the worst for exploits.

    • Yeah but if this hits the average home user who is clueless, will they:

      a) Figure out Opaserv hit them
      b) Figure Windows went bad again and simply try to reinstall the OS
      c) Figure their hard drive pooped out and buy a new machine
      d) Profit!!!

      You'd think that virus writers would get pissed off that Microsoft keeps getting credit for all the messed up machines. I mean what does a self respecting cracker need to do nowadays .... provide an EULA so the user clearly sees who owned them?
      • Heh, one clue is that after Opaserv ruins the computer, it only allows the computer to boot up and display this

        ----
        Illegal Microsoft Windows license detected! You are in violation of the Digital Millennium Copyright Act!

        Your unauthorized license has been revoked.

        For more information, please call us at:

        1-888-NOPIRACY

        If you are outside the USA, please look up the correct contact information on our website, at:

        www.bsa.org

        Business Software Alliance
        Promoting a safe & legal online world.
        ----
        Annoying huh? But you're right. I've been helping a lot of people out who've been infected by Opaserv. Of the few who recognized it is Opaserv, I've already had 1 guy say "Well, I don't want to mess with it, I went out earlier today and bought a new machine with WinXP on it."

    • Sorry, You might want to check your sources, as NO virus to knowledge has nor will be able to destroy a Hard Drive or BIOS on the physical level. Yes, it may rewrite sectors and the like, but no damage to the drive other than wear and tear: Your lesson on OpaServ [symantec.com]
      • Well of course it doesn't *destroy* a hard drive. I just used the word "destroy", because it sounds a lot better than saying "Opaserv changes some of the 1's and 0's on your hard drive in a bad way"
      • You might want to check your sources, as NO virus to knowledge has nor will be able to destroy a Hard Drive or BIOS on the physical level.

        Overwriting the BIOS with garbage is as good as destroying it, unless you have a system with dual BIOS chips. If you can't boot to DOS, you can't re-flash it with the correct software.
  • by antis0c ( 133550 ) on Monday December 30, 2002 @07:08PM (#4984633)
    My girlfriend's Windows 2000 machine was hacked about a month ago by script kiddies exploiting one of the recent exploits in a Microsoft product. They then installed 2 apps, a ghosting app that hides any application from the Taskbar and Tasklist, and mIRC with hacked up startup scripts to allow remote control when connected. They used the ghost app to hide itself and mIRC. Whenever she turned on her computer, it would load mIRC, hide it, then connect to EFNet. Then shortly after someone who would see it connect, would use it to mass-ping hosts in an attempt to DoS someone.

    Needless to say, for the week this was going on, I noticed serious network problems at home. And pinpointed them to every time she turned on her computer, the network would lag to a stop. Finally after researching it I discovered what was going on.. I found the channel these guys hung out in, and she wasn't the only victim. They had a few hundred hacked users they could control.

    So when I see reports like this, I suddenly get a whiff of steaming horse shit.
    • That's not an exploit, the backdoor mirc 'bots' are delivered via trojan horses.

      Ever join a chatroom and get mass autosends of crap like 'HoTCHICKandDOG.vbs'? Your girlfriend accepted and ran one of them. (Or maybe through an e-mail or a website or whatever)

      So it's not what this article is about. Unless you consider user incompetence a security hole. And then, I don't know what you expect MSFT to do about it.
    • by Cyclometh ( 629276 ) on Monday December 30, 2002 @07:18PM (#4984713)

      Just because your girlfriend's computer got compromised doesn't make the article's position incorrect. Even a few hundred zombies on some script kiddy IRC channel doesn't invalidate the contention.

      I really don't think you can use your individual experience as a barometer for the world at large. Being cracked isn't a unique experience, but it's not as common as the FUD-mongers would have us believe.

    • It gets really funny when you find one of these things lying around someone's computer and you discover what IRC channel they're in.

      Over the summer my sister decided to run some P2P software on my main workstation while I wasn't home. I get home the next day and noticed my LAN lights on my hub going nuts from my main workstation. So I yanked the cord from the hub and decided to see what processes were running.

      Lo and behold I discovered what was causing it. My sister downloaded a keygen off the network that turned out not to be a keygen but a trojan instead that was connecting to an IRC server and was DoS'n someone.

      Using an IRC daemon, some IRC monitoring software, and a small edit of my hosts file, I discovered where this thing was connecting, what channel it was joining, and the password required for the channel. I fired up another IRC connection from my machine and decided to talk to the kiddies.

      The kids were acting like they didn't know anything and subsequently kicked me out. Didn't do anything beyond there but they had a massive collection of bots going.
  • Why... (Score:5, Funny)

    by intermodal ( 534361 ) on Monday December 30, 2002 @07:08PM (#4984636) Homepage Journal
    why does this headline sound like an invitation?
  • by jmorris42 ( 1458 ) <{jmorris} {at} {beau.org}> on Monday December 30, 2002 @07:08PM (#4984641)
    I'm sysadmin at a public library with public dialup access. They get Klez by the dozens every month so I wonder where the writer is looking for 'typical users'? I'm sitting in a rural parish (county for the rest of the US) in LA and have a pretty typical bunch of 'end users' in our population with the one exception that I try as hard as I can to educate them as to the evils of Outlook (which falls on deaf ears) and pass out CD-ROMS and setup manuals documenting Netscape for web & E-Mail (which they ignore, whining about having problems getting Outlook Express configured.). The only concession to unsafe computing is that I do give detailed configuration steps on getting IE past our federally mandated filtering system because I know that a lot of sites and third party software depends on IE.
  • I'm not surprised (Score:2, Interesting)

    by stratjakt ( 596332 )
    Aside from pissing off the odd script kiddy in IRC or on some online game, why would anyone feel the need to hack or exploit my PC? There's nothing there of any import. And I doubt there is on 99.9% of all home PCs out there.

    What are they gonna do? Edit someones Sims save file to make them 6 year old girls? I've been DDOS'd and had various exploits tried against me in the past. The worst they could do is annoy me.

    I mean, rock-solid security on your OS is all fine and good.. But I don't wear a bulletproof vest either, and it's ok, because I hardly ever get shot at.
    • They could care less what you have on your machine. They only care that it IS a machine connected to the Net. They can use it to attack other people, use it as a safe exchange point for warez/porn (especially illegal stuff like kiddie porn). They can run IRC bots on it. They use them as 'currency' to trade for more desirable things like the latest exploit scripts, etc. All script kiddies strive to maintain a stable of zombies to be used as needed.
    • not trying to pick on you too hard here...

      ... why would anyone feel the need to hack or exploit my PC? There's nothing there of any import. And I doubt there is on 99.9% of all home PCs out there.


      The many exploit-ers are not aiming at you in particular. Once an exploit is found, setting up an automated tool to hack random machines is not hard. You may just happen to be one of the random victims.

      Random victims can then be staging points for many things such as: warez servers, DDOS attacks on someone else, automated hack stations to get more zombies, etc.

      I've been DDOS'd and had various exploits tried against me in the past. The worst they could do is annoy me.


      This is fairly short sighted. Yes it may be an annoyance to you, but when your machine and thousands of others are DDOS-ing etrade.com, I can't make trades. Now it annoys me.


      I mean, rock-solid security on your OS is all fine and good.. But I don't wear a bulletproof vest either, and it's ok, because I hardly ever get shot at.


      The difference is that it is hard to set up a gun that fires non-stop at random people for long periods of time. And if it were not so hard, and if there was a low risk of being caught by the police, I'm sure that you would start wearing a bullet proof vest -- or risk getting maimed.
    • Re:I'm not surprised (Score:3, Informative)

      by geekoid ( 135745 )
      That's fine, until they load up a program that does something illegal, and the feds kick down your door, take your computer away and say "Prove it wasn't you"
  • From the article:

    "In the computer security game, you can't be an Edward Jenner and come up with a vaccine for electronic smallpox that will put you in the history books and eventually result in the complete eradication of the disease," George Smith said. "You can only be the guy that spots the electronic poison ivy and suggests people either steer clear or buy calamine."

    That's not true. If you could come up with a vaccine that eradicated Microsoft, the disease would disappear along with it!
    • by JoeBuck ( 7947 )

      Too late, we're already infected.

      We'd have to eradicate Microsoft before the KDE, Gnome, and Mono projects finish cloning all of their convenient but insecure features (autorun when someone puts a disk in your CD drive, macros in your documents, Visual Basic scripts in attachments, click and run everything). Trade press folks saying that Linux on the desktop will never succeed until the apps work exactly the same way, when many of the security holes are simply logical consequences of the features as designed.

      • We'd have to eradicate Microsoft before the KDE, Gnome, and Mono projects finish cloning all of their convenient but insecure features (autorun when someone puts a disk in your CD drive, macros in your documents, Visual Basic scripts in attachments, click and run everything). Trade press folks saying that Linux on the desktop will never succeed until the apps work exactly the same way, when many of the security holes are simply logical consequences of the features as designed.

        In that case, Linux developers should pay more attention when Microsoft screw up, the better to make sure that they don't wind up doing the exact same thing at some point in the future...

  • by frovingslosh ( 582462 ) on Monday December 30, 2002 @07:09PM (#4984648)
    Most Chevy Geo's are not broken into or stolen, so it would be OK for GM to just use the same key on them all, giving the owners the illusion of security.
  • by SeanTobin ( 138474 ) <byrdhuntr AT hotmail DOT com> on Monday December 30, 2002 @07:11PM (#4984656)
    Let's think of all the benefits of hacking a home users computer:
    • Steal the HS research paper on crop circles
    • Grab secret financial information
    • Use as a proxy to hide the hackers identity*
    • Part of a DDOS attack*
    Now, let's think of all the benefits of hacking a server/website
    • 50000 working credit card numbers, names, and addresses
    • Prestige in the community of linking to this prestigious website [goatse.cx].
    • Setting up a high volume warez server
    • Possibly getting media attention

    Also note the last 2 reasons for hacking a home computer are really for working with servers. The truth is, not too many people really care about hacking your computer, unless it's a means to an end.
    • Actually hacking home users is a good place for a newbie-hacker (or script-kiddie or whatever) to learn. Much less chance of being caught, and if you screw up you can just wipe the machine since most likely there aren't backup logs.

    • Note that in the last two reasons you give -- use as a proxy to hide identity, and use in a DDOS attack, it is in the interest of the attacker to hide the fact that there has been a successful attack, and to allow the owner to continue to use his/her machine normally. If the owner notices that something is wrong and re-installs the OS, the black hat loses the box. So, naturally the home user thinks he has no security problems. The attacker might even have patched a few security holes, so no other attacker can take it over.

  • ahem... (Score:5, Informative)

    by GoNINzo ( 32266 ) <GoNINzo.yahoo@com> on Monday December 30, 2002 @07:11PM (#4984657) Journal
    Except when they are exploited, they might not be noticed for awhile. I've noticed one site getting hit for awhile now.

    As we speak, someone is changing the news options on the RIAA website [riaa.org]. However, they don't seem to be stopping them from doing it. I did grab a shot of a particularly amusing one [granzeau.com] though.

    Oh, and just so everyone knows. [netcraft.com]

    • They're also changing some of the links on the side menu: they all (or the ones I've tried, at least) seem to forward to isonews.com.
    • Is that this doesn't seem to be a hack on the system (that may exist too). The problem is in bad programming. This link [riaa.org] (if it's still there) was the main problem, as it was the tool to post news/press releases, and had no authentication. Direct link and you could control what went on there. There might have been other weaknesses but that's the one I heard of. Now the funny part is, just before the site went down, somebody caused it to redirect to the infamous goatse.cx, and as a friend noted, when goatse.cx goes up, the owning is complete.
  • each year, I might as well leave my front door unlocked, right? Or better yet, if I am a builder of homes, there is no reason to install those locks at all.
  • by weave ( 48069 ) on Monday December 30, 2002 @07:15PM (#4984685) Journal
    My addresses show up on a lot of web pages and others' addressbooks, so not only do I get a lot of Klez messages, I get a lot of them sent out to others in my name.

    I am then subjected to dozens of e-mail scanning auto-responders telling me I have a virus, auto replies from people I've never heard of, and the occasional jerk who thinks they know everything screaming at me in e-mail telling me I am stupid for letting myself get infected.

    The fact I am also the postmaster admin to 13,000 users means I get users contacting me in a panic thinking they have a virus because one of the three above things happens to them. This, despite a faq and notices on intranet etc etc that this thing is out there.

    Klez is probably the primary reason I am starting to hate Microsoft. It doesn't matter if my computer and all computers I am responsible for are completely patched and that my mail gateway blocks it, I still get to be a victim indirectly, and I doubt we'll ever see the entire planet fully patched.

  • My Nutty Theory (Score:2, Interesting)

    by Gareman ( 618650 )
    Microsoft secretly loves Linux because OSS development sucks all the brainpower away from malicious anti-Windows activities and focuses it on innocuous projects that can do them no harm. Why crack Windows when you can get the same peer respect and feeling of civil disobedience by developing for Linux?
  • So the megabytes and megabytes of Klez-type spam in my inbox are "little impact"? The fact that even my mother almost infected her machine because the mail seemingly came from one of her friends, in spite of the fact that I told her not to run any attachments, is little impact? ILOVEYOU, Melissa etc. had little impact? Well, if so, I don't want to know what the deep impact is. They must be referring to extinction level events. And you know why we haven't had one of these yet? Because most virus programmers are just kids who want to try something new and not evil "cyberterrorists". Except for the 911 dialing virus, most viruses and worms have not really explored the realm of possibility. To therefore dismiss the risk of security exploits is frivolous, preposterous, stupid, arrogant, ignorant, foolish -- adjectives fail me. Why did this piece of PR crap get linked? And why hasn't Michelle Delio been fired yet for writing it?
    • For every person who gets megabytes and megabytes of virus spam and has a mother who gets the same, there are many more Windows users who don't have that problem. I, my mother, and Michelle Delio all live on that planet.
    • I was hit by Monkey B in 98. Lost all my files. Luckily I had a lot of them backed up to another computer (which also had Monkey B, but I was able to bring the first one back up, move the files over and wipe the other one), but I lost at least 3 months of personal work that was only on my computer.
  • public memo (Score:5, Informative)

    by cr@ckwhore ( 165454 ) on Monday December 30, 2002 @07:19PM (#4984722) Homepage
    Despite the thousands of known exploits and virii...

    Public Memo:

    It's "viruses", not "virii". Repeating, "viruses".

    Did you also get the memo about the TPS report cover sheets?

  • ...or I'll have to sell some of my precious "security" stock.

    God Bless American AntiVirus companies and their Anti-Terrorist business campaign!

    You could be transmitting your IP address right now for hackers to lock-in on! Buy some protection for you and your loved ones before they wipe out your hidden porn collection!

  • by burgburgburg ( 574866 ) <splisken06@@@email...com> on Monday December 30, 2002 @07:20PM (#4984727)
    The authors are astonishingly naive if they can look at the huge number of exploitable holes available and declare "Oh, things aren't that bad because nobody has really exploited them so far."

    Do we doubt that there are malicious, destructive and/or idiotic people out there? Do we doubt that there are enough relatively easy-to-exploit bugs out there that can have amazingly destructive consequences?

    While I would love for there to be a more holistic approach to security, as long as the majority software platform (with all of its variants) is rife with holes and the security repair falls exclusively to the same people who built it bad in the first place, I'll take point-by-point/line-by-line review any day of the week and twice on Tuesday.

    • I think the reason they aren't being exploited as much is because of the increased number of firewalls etc. in use. Most cable modems now have them standard, as well as DSL routers.

      This doesn't solve the problem but it would explain the lower than expected numbers they talk about.
  • RIAA HACKED (Score:5, Funny)

    by gulfan ( 524955 ) on Monday December 30, 2002 @07:23PM (#4984745)
    http://www.riaa.org/admin/press_and_news.html You can modify or post ANY news on the site now, the front page has GOATSE on it. http://www.riaa.org/ Do your worst :P
  • Why bother (Score:3, Funny)

    by dheltzel ( 558802 ) on Monday December 30, 2002 @07:26PM (#4984772)
    Who wants to own a Windows box anyway? Is there any way to upgrade it to Linux after you get in?

    What is needed is a remote, unattended install of Linux so the system security can be fixed while giving the cracker something more useful to use. It might even be considered charitable, the new system admin could maintain the system for free and the users might not even notice if you gave them an autologin with a message telling them their kid installed a cool new desktop theme!
  • by Anonvmous Coward ( 589068 ) on Monday December 30, 2002 @07:27PM (#4984777)
    One thing that bugs me a bit about this article is that it defines an exploit as a security hole. While this is true, the tone of the article makes it sound worse than it really is.

    I mean, think about what an exploit really is: Somebody has taken a feature of Windows and turned it against the user or the user's machine. The problem I see here is that you can't have a totally secure machine and have all those fancy features you like.

    I'll give you an example: I use Outlook's to-do list to keep track of my tasks. There's a feature where you can attach shortcuts to each task. I've found this handy: whenever I need to do my time sheet I just pull up the task and double-click the shortcut inside of it. Now, in order to 'crack down' on security on my computer, I turned off a bunch of those handy-dandy features and found myself unable to launch that shortcut anymore!

    Now, before you start saying "Oh, MS could easily fix that...", instead think about the real problem here. Either I don't use that feature at all, or MS has to think of every single malicious use of a feature and only allow the non-dangerous ones. Sorry, that's not a good solution. You're holding MS (or anybody else) responsible for other people's creativity.

    I'm not saying that MS is unfairly given a bad rap for this whole topic. I think their default choices are ill-thought and have caused serious damage. However, it needs to be considered that there is always an inherent risk with any piece of software you use. It's not a matter of security holes, it's a matter of deciding whether or not it's worth the risk.

    I, for one, would never underestimate people's creativity. I read about an insurance scam once where this guy got fire insurance for each of his cigars, over $1,000 a piece. Then he smoked them. He took the insurance company to court, and the judge reluctantly ruled that the insurance company had to pay the guy $12,000. Fortunately for the insurance company, though, they were able to charge him with arson. Heh he got a hefty fine ($10,000 ish? I don't remember..) and served jail time.

    Now, if you think about this insurance company, you probably wonder why they didn't have a policy about cigars or items that were meant to work with fire? Well, it's simple: They never imagined that somebody'd do that. The only way they could be fraud proof is if they were to clearly define the rules for every ridiculous outcome they can think of. Know what'd happen then? There would be people unable to redeem fair claims because their unusual case strayed outside the boundaries that are clearly defined. There would also be that one guy who figures out a creative way to buck the system anyway. The insurance company is far better off coming up with ways to deal with the eventual fraud instead of over-relying on their policies and laws to protect them.

    So where does that leave us computer people? Well, it's simple: Using a computer is risky. Take a few risks but protect yourself. Worried about people stealing your credit card info on-line? My answer is not: "well don't use one then!" Instead, my answer is: "Get a credit card with a company that'll protect you in that event." Worried about data loss? Make backups once in a while. Worried about hackers breaking in on your always on connection? Use a firewall, but use common sense too. A firewall is the equivalent of shutting a few windows, it's not a structural reinforcement.

    Total security is a pipe dream. Instead of blaming Microsoft, take some sensible precautions to minimize the damage done. The benefit here is that you protect yourself from damage that can happen outside of the exploit world. (Lightning strikes, hardware failure, children...)
  • by Bogatyr ( 69476 ) on Monday December 30, 2002 @07:27PM (#4984783) Homepage
    Can I have the address of the people who think Klez has no effect? I want to set my procmail so instead of $KLEZ_DU_JOUR going to /dev/null, to going to these people who think it's not important.
  • Nobody who is serious about threatening computer security is after home users. They have more to worry about from ad/spyware than viruses. There are 4 things any home user can do to avoid all viruses/trojans. In order of effectiveness:

    1. Don't download e-mail attachments. Avoid attachments to e-mails entirely if possible; use IM file transfers instead.

    2. Don't use Outlook.

    3. Don't visit untrustworthy websites, like warezprontrojanforyou.com

    4. Use a firewall if you are on a LAN.

    Anti-virus software is almost useless for a home user, unless they are incredibly stupid. All it does is interfere with other programs and waste memory. Seriously, if you are a home user, who the crap wants to crack into your PC? You probably haven't even configured it properly so it can't even have enough uptime to get anything useful from it.

    And do hax0rz really want to steal your family photo album? The best they can hope for is your Quicken files or your credit card number. They can get thousands of CC#s by cracking a business database better than getting home users through Windows holes. Computer security is something only businesses have to worry about.
    • I think the only people that target home computers are those that want to use the machine in a distributed denial of service attack, or as a stepping stone to make the real attack on another box appear to come from somewhere other than the cracker's home machine.
  • I think they hit a very high percentage of all Windows machines worldwide. More is that most people don't know they are infected. How many script kiddies do you know who have a bunch of SubSeven boxes? Wonder how they get those... dream on...

    But maybe I am wrong; let's read the Wired article now.
  • by MonTemplar ( 174120 ) <slashdot@alanralph.fastmail.uk> on Monday December 30, 2002 @07:36PM (#4984824) Journal
    I subscribe to the Microsoft Security Bulletins at work, and on every security notice there is a section marked Mitigating Factors which details the particulars that are required for an exploit to be performed. These break down into the following types :

    • Software set to the defaults, not the settings recommended by Microsoft (eg. Outlook (Express) setting for Security Zone to use when viewing messages)
    • A particular combination of software and settings (eg. IIS, SQL Server, Exchange)
    • Vectors that can be used to exploit the hole - some will require physical access to the machine, or to a machine on the same local network, or particular user access.
    • The window of opportunity that can be afforded by exploiting the hole - how much code you could inject, how far you could elevate your privileges on the system, how much access you gain to the system, etc.


    A lot of the potential exploits would fall at the first two hurdles above. For instance, by setting Outlook (Express) to use the Restricted Zone, you've already plugged several holes.

    This is not to excuse Microsoft for creating the holes in the first place. Particularly odious are those related to allowing scripting to be performed in places where it makes no sense whatsoever, eg. Windows Media files. That is not a case of sloppy coding, that is bad design from the get-go.

    Sad to say, even if Microsoft fixed all the outstanding holes tomorrow, you will still need to have a firewall and anti-virus software, because the malware will continue regardless, until such time as we all move to a platform that is secure by design. (And, no, in truth that platform doesn't exist yet)
  • by Waffle Iron ( 339739 ) on Monday December 30, 2002 @07:38PM (#4984839)
    In spite of 50 years of lax security, the U.S. airline industry has traditionally had little problem with hijackings and bombings. What can we learn from this statistic? As things turned out, not much.

    Likewise, every remote root exploit makes it technically possible for this [berkeley.edu] to happen. Even if relatively few people are being hacked by script kiddies today, that says nothing about the odds of a highly skilled attacker pulling off a single massively devastating attack.

    This report is no reason for complacency.

  • If you cut off the vector, the virus won't survive.

    We've got the Exchange server punting any attachments that don't end in .zip, txt, gif or jpg.

    We've got parts of the workstations' registries locked out from normal user modification, and Trend OfficeScan is installed on all workstations and automatically updated from the server.

    We've got an aggressive firewall policy. (e.g. no tftp from funny locations.)

    We haven't had ANY recent virus attacks. Short of having someone bring something minor in on a floppy, virus attacks just haven't happened. I don't think we'll see many more as time goes on as all of the easy vectors have been plugged.
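An extension allowlist like the one in the comment above only holds if the gateway judges the final extension, case-insensitively. The sketch below is an added example (not the poster's Exchange configuration); the two check functions and the sample message are constructed here to contrast a substring match with a final-extension match.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the comment says are let through; everything else is punted.
ALLOWED = {".zip", ".txt", ".gif", ".jpg"}


def naive_allows(filename):
    """Flawed check shown for contrast: substring match, case-sensitive."""
    return any(ext in filename for ext in ALLOWED)


def strict_allows(filename):
    """Allow only when the final extension, as Windows resolves it, is listed."""
    # Drop any path component the sender put in the declared name.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces when it opens a file.
    name = name.rstrip(". ").lower()
    return os.path.splitext(name)[1] in ALLOWED


def screen(raw_message):
    """Return {filename: (naive verdict, strict verdict)} for each named part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.walk():  # walk() also descends into nested messages
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        filename = part.get_filename()
        if filename:
            verdicts[filename] = (naive_allows(filename),
                                  strict_allows(filename))
    return verdicts


def build_sample():
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("minutes.txt", "HOLIDAY.JPG", "photo.jpg.exe",
                 "archive.zip.scr", "readme"):
        msg.add_attachment(b"constructed payload", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (naive, strict) in screen(build_sample()).items():
        print(f"{name:18} naive={'pass' if naive else 'block':5} "
              f"strict={'pass' if strict else 'block'}")
```

The substring check passes both double-extension names and wrongly blocks the upper-case `.JPG`; the final-extension check gets all five right.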
  • When I was in college, we always left our dorm doors unlocked. Between 7 AM and 11 PM, anyone could walk right into the buildings. We never had people come into our rooms and steal our stuff. Does that mean we shouldn't ever lock the doors?

    We had a security exposure, we didn't "patch" it - does that mean it wasn't dangerous that we left the doors open? No, it just meant we hadn't been ripped off yet.

  • No shit, it's illegal to exploit a hole.
  • by Rorschach1 ( 174480 ) on Monday December 30, 2002 @07:48PM (#4984894) Homepage
    Most unlocked doors and windows don't result in a burglary, either, but for everyone to ignore the issue is a bad idea when there are bad guys running around out there who can just walk in at will.

    Of course most vulnerabilities don't get exploited, it's just a matter of volume.

  • by sheldon ( 2322 ) on Monday December 30, 2002 @07:54PM (#4984920)
    Most companies were taken off guard by several of the major viruses and worms over the past 4-5 years. ILoveYou, Nimda, CodeRed, etc. But after each major hit things were done not just reactively, but also proactively.

    Virus scan engines were updated, email servers had attachment blocking filters installed, patches were installed, etc.

    There has been a slew of updates made available to applications like Outlook, Outlook Express, IIS and so forth which disable many of the features that these exploits took advantage of. The Outlook 2k security update, default permissions in OE 6.0, IIS Lockdown wizard, URLScan, etc.

    Then you have a whole slew of administrative utilities such as HFNetChk from Microsoft/Shavlik to test systems for patches and various tools (HFNetChk Pro) to do reports on large numbers of machines and push out patches.

    I do agree that the security finders tend to overstate the impact, but it's still important to react to the issues. The conclusion that Wired really should be making is that we've learned lessons and learned how to better prepare and respond. That's why there are fewer major problems.
  • by D'Arque Bishop ( 84624 ) on Monday December 30, 2002 @07:57PM (#4984941) Homepage

    Despite the thousands of known exploits and virii, most MS users aren't target of much harm, and the big guns such as Klez have had almost no effect on home users.

    Hmm.

    *checking mail logs*

    According to my mail server's logs, I have gotten FORTY virus/worm-infected emails since midnight.

    No effect on home users? Someone hit this guy with a cluebat.

    Just my $.02...
  • by Vodak ( 119225 ) on Monday December 30, 2002 @08:04PM (#4984990)
    So I guess under this logic it would be perfectly fine to install doors and windows in your house with no locks at all because your neighborhood doesn't have home break-ins or invasions?
  • by raque ( 457836 ) <jimwall@NoSPam.mac.com> on Monday December 30, 2002 @08:06PM (#4984997)
    This is the sort of crappy reasoning that states that since most people don't get whacked by the Mob, the Mob doesn't mean much. In NYC for years everyone paid a 1 percent Mob tax. That was the amount prices were inflated to cover corporate losses to the Mob. If you wanted to build a building the cement was controlled by the Mob. Then you had, and have, labor rackets.

    If a company is hacked and blackmailed they often don't report it. But the cost is passed along to the consumer.
    • Hackers are nothing like the mob. Hackers are dirty little kids with acne and B.O. They fear bullies in school and hack because they have no girlfriend. Mobsters on the other hand beat up people like hackers and have girlfriends. =] Ah, the joy of using simplistic stereotypes.
  • by Radical Rad ( 138892 ) on Monday December 30, 2002 @08:07PM (#4985004) Homepage
    The biggest hole is the end user. Tight network security means nothing if the end user can run a trojanized screensaver sent to him by email or downloaded from Joe Blow's Web Emporium and infect his own machine.

    And I have heard claims that as many as 90% of security breaches go undetected. Think about it. How many of even you Linux users actually run tripwire on your personal system? What percentage of people do you think even check the md5sum against their downloads before compiling as root? It is small I guarantee. I once posted the wrong md5sum for a release of an open source project and it was downloaded hundreds of times without anyone saying anything.

    Another reason they go undetected is that many trojans are customized. If you were going to plant a keystroke logger on a target's computer would you use one that is found by McAfee antivirus? No. You'd compile your own; changing the signature, different size, different port, different protocol, and only use that particular version in that one instance.

    Of the breaches that are detected, many are not reported. What bank or online retailer wants people to know that their personal data was stolen? So just because there hasn't been a Code Red lately doesn't mean all is well.
  • by Cryogenes ( 324121 ) on Monday December 30, 2002 @08:28PM (#4985109)
    Some of the holes in IE allow installing arbitrary code on a machine which visits a malicious website. This has been used very widely here to waylay modem users. The website clandestinely installs a dialer program and sets it as the default internet connection. The new number is of course a very expensive 0190 pay number and depending on how soon the user notices, this can easily cost a few thousand euros. There is currently no viable defense: if your computer dials the number, then you have to pay (a new law is being considered, though). Since all phone bills are collected by a central instance (German Telekom) refusing to pay is not an option, because they will simply cut your telephone line.
  • by Angst Badger ( 8636 ) on Monday December 30, 2002 @08:49PM (#4985220)
    Windows Security Holes Go Mostly Unexploited

    Well let's get to work!
  • by ScubaS ( 600042 ) <theteofscuba@hotmail.com> on Monday December 30, 2002 @09:13PM (#4985343) Homepage
    yes, it is true that microsoft has a lot of security flaws and they get the appropriate amount of flame for it, but the irony is how the open source losers completely ignore all the flaws that are publicly addressed regarding their own "kind" get dismissed on grounds of "who cares? its been fixed.", "it's not that significant, its open source!"
  • Klez (Score:3, Interesting)

    by BrookHarty ( 9119 ) on Monday December 30, 2002 @09:50PM (#4985478) Journal
    At work we have to disable some users' accounts on the wireless data networks who have viruses. They consume too much bandwidth, resource hogs. We run reports, and every day anyone who displays virus/trojan behavior, we shut them off.

    We can tell from the user's profile if it's a p2p network program, or a virus, viruses don't portscan your entire network, or spam your SMTP servers.

    Many users have found things such as Back Orifice, or other remote programs. Lucky it's easier to watch for this when you own the entire network; for an ISP, it would be much harder.

    YMMV.
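A daily report of the kind the comment above describes can be built from connection records alone. The following is an added sketch, not the poster's tooling: the address ranges, thresholds and flow records are constructed, and it flags the two behaviours the comment names (sweeping the operator's own network and flooding its SMTP servers) while leaving a heavy peer-to-peer user alone.

```python
import ipaddress
from collections import defaultdict

# Constructed values: the operator's address space, its mail relay, and
# thresholds that would need tuning against real traffic.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
SMTP_SERVERS = {"10.20.0.25"}
SCAN_FANOUT = 50    # distinct internal hosts contacted per day
SMTP_LIMIT = 200    # connections to the operator's relay per day


def daily_report(flows):
    """flows: iterable of (src, dst, dport). Returns {src: [reasons]}."""
    internal_targets = defaultdict(set)
    smtp_count = defaultdict(int)
    for src, dst, dport in flows:
        if dst in SMTP_SERVERS and dport == 25:
            smtp_count[src] += 1
        elif ipaddress.ip_address(dst) in INTERNAL_NET:
            # Fan-out inside the operator's own range is what separates a
            # sweep from P2P, whose many peers are mostly external.
            internal_targets[src].add(dst)
    report = defaultdict(list)
    for src, targets in internal_targets.items():
        if len(targets) >= SCAN_FANOUT:
            report[src].append("network-scan")
    for src, count in smtp_count.items():
        if count >= SMTP_LIMIT:
            report[src].append("smtp-flood")
    return {src: sorted(reasons) for src, reasons in report.items()}


def sample_flows():
    """Constructed day of traffic for four subscribers."""
    flows = []
    # 10.20.5.7 sweeps 120 neighbouring addresses on one port.
    flows += [("10.20.5.7", f"10.20.9.{i}", 445) for i in range(1, 121)]
    # 10.20.7.3 opens 300 connections to the mail relay.
    flows += [("10.20.7.3", "10.20.0.25", 25) for _ in range(300)]
    # 10.20.8.8 is a heavy P2P user: 400 flows to external peers.
    flows += [("10.20.8.8", f"198.51.100.{i % 250 + 1}", 6881 + i % 20)
              for i in range(400)]
    # 10.20.8.9 is an ordinary user: a little mail, web, three local hosts.
    flows += [("10.20.8.9", "10.20.0.25", 25) for _ in range(5)]
    flows += [("10.20.8.9", "203.0.113.10", 80) for _ in range(40)]
    flows += [("10.20.8.9", f"10.20.1.{i}", 139) for i in range(1, 4)]
    return flows


if __name__ == "__main__":
    for src, reasons in sorted(daily_report(sample_flows()).items()):
        print(src, ", ".join(reasons))
```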
  • by phorm ( 591458 ) on Monday December 30, 2002 @09:56PM (#4985502) Journal
    Despite the thousands of known exploits and virii, most MS users aren't target of much harm
    3 words... no shit sherlock. Despite the incredible stupidity of claims that klez is ineffective, I'd have to say the reason that thousands of different virii/exploits/etc aren't being used is because the existing ones work very well to nail a large range of people. If 2% of the exploits hit such a large audience of say 100000+ people, why bother trying to hack up new methods.
    Once a given method begins to be less effective, then the hackers/etc can move onto something more effective.

    It's like having a changeroom with 1000 peepholes. Why do you need 998 of them when the one or two in the corner are showing you all you need to see?
  • by Black Copter Control ( 464012 ) <samuel-local@bcgre e n . com> on Monday December 30, 2002 @10:42PM (#4985662) Homepage Journal
    Security exploits are 'benign' until someone exploits them in a vicious manner. The security head at Boston's airport was probably going "Security here isn't perfect, but it's not like we have the problems that Israel does". If the US suffers from an electronic equivalent of Sept 11, it's going to be via the exploit of some of those 'benign' security holes.

    Security is, and never will, be perfect but it does make it harder for an intruder to pull something off. Florida in the late '70s probably had the most stringent security of any airports in the states (lots of Cuban hijackers wanting to go home, etc.). Nonetheless, I was able to walk all over their security systems before I made the mistake of telling someone what I'd just done (asking for help, I was).

    It's not that most home users aren't affected by viruses, it's that most home users don't notice when they're infected. Most home users don't have the money to pay for someone who can watch their network on an ongoing basis for signs of intrusion. Even fewer are geekheads like me who can look at the blinking lights on my hub, go 'where did that traffic come from' and then load up ethereal and/or go through my firewall logs (firewall? what firewall) to figure out if what happened was really benign.

    Even businesses -- One place that I do occasional work (the only Unix-head in a sea of Windows) didn't know that they were infected until I noticed way too much traffic for the time of day and started up ethereal. I told their admin, he plugged the holes, and a little while later I found more signs of exploitation on their net. The last time I told their Windows admin about a problem, he had given up trying to secure their boxes. Spammers are still using their proxy boxes to deliver email but most major services (except Hotmail!) are refusing their connection, now.

    If Al Quaida was using the thousands of 'benign' Windows exploits to setup a distributed meltdown of the internet, we wouldn't know it until after the pieces fell down. They spent 4 years setting up September 11. How much damage could they do with 4 years worth of Windows exploits?

  • In other news (Score:3, Insightful)

    by jsse ( 254124 ) on Tuesday December 31, 2002 @04:22AM (#4986885) Homepage Journal
    In Sudan there are about 2 million landmines remaining, and there are more than 700,000 landmine victims since WWII.

    "The average citizens wouldn't know a hack if it walked up and bit them," Sweeney [packetattack.com] said. "And many of the so-called landmines require a very specific event to occur and the odds are very slim that it will occur. "

    Idiot. People caring about the security problems is like Sudan's citizens caring about landmine problems. The fact that the majority of them are not victims doesn't mean it's safe out there.

"If it ain't broke, don't fix it." - Bert Lantz
