Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Survival Time for Unpatched Systems Cut by Half 460

UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year, to 20 minutes this year. The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches. The Honeynet Project did publish a paper with some stats back in 2001."
This discussion has been archived. No new comments can be posted.

Survival Time for Unpatched Systems Cut by Half

Comments Filter:
  • Patch CDs (Score:5, Insightful)

    by Oculus Habent ( 562837 ) * <oculus.habent@g[ ]l.com ['mai' in gap]> on Tuesday August 17, 2004 @09:47AM (#9991142) Journal
    Microsoft should make Patch CD ISOs available. You could swing by a friend's house and get one, drop into your local computer store and have them burn you one for a few bucks, or pick up a Microsoft produced copy at your local gas station, like AOL CDs.
    • Re:Patch CDs (Score:5, Informative)

      by Jarnis ( 266190 ) on Tuesday August 17, 2004 @09:50AM (#9991187)
      They do. At least in europe retailers are giving out 'Microsoft Windows Security Update CD's. Works on any windows version, but sadly is not quite up to date on XP patches anymore. Next edition is coming soon (called 'Windows XP Service Pack 2 CD') - I fully expect MS to hand out those for free via retailers as well. You can already order one via MS webpage.
    • by networkBoy ( 774728 ) on Tuesday August 17, 2004 @09:52AM (#9991210) Journal
      You know? That's actually a good idea . . .
      which means it'll never happen
      -nB
    • Re:Patch CDs (Score:5, Informative)

      by YrWrstNtmr ( 564987 ) on Tuesday August 17, 2004 @09:53AM (#9991226)
      err...they do. Free. Not as continuously up to date as it might be, but they do have them.

      hmm...or rather, they did. [microsoft.com]
    • You can download the patches by hand yourself you know, using the windows update catalog (see this news article for details [google.nl] on accessing each patch individually) and then offline install those PC's using your own ISO.
      • by abb3w ( 696381 ) on Tuesday August 17, 2004 @10:12AM (#9991460) Journal
        For the truly daft and determined, it is possible to use the Windows Update Catalog (Windows Update, Personalize Windows Update, Show Windows Update Catalog) to download everything at once, to burn to DVD and make your own. If you limit yourself to a particular Windows flavor (98/ME/2K/XP), a CD will still hold it all, but IIR the whole shebang for all four goes over a CD these days. On the other hand, it's easier to download only one OS version the way the catalog is set up.

        Figure out what the latest service pack for the OS is, and apply that. That should let you get on long enough to use windows update to scan and get a list of the other KB-patches you need. Disconnect, patch, rescan. Repeat. If you want to learn how to use QChain [microsoft.com], it can be faster, but that doesn't work on Win 98/ME.

        For the truly paranoid, keep a list of what order you need to apply the patches in. Then wipe and reinstall the OS from scratch, and apply the needed patches in order without connecting to the net first.

        However, it's a lot easier to use the Update CDs. It would be nice if there was a reliable torrent of the ISO somewhere....

  • by Jarnis ( 266190 ) on Tuesday August 17, 2004 @09:48AM (#9991150)
    Install the Windows XP off a CD that includes SP2 slipstreamed in, and your survival time online 'unpatched' goes up dramatically. Something about a reasonably good firewall that is turned on by the default installation...
    • This is good advice... but most nontech people don't know how to build a custom slipstreamed XP install. A less elegant but still effective solution seems to be:

      1) Burn a CD with XP SP2 on it at work, a friend's place or wherever
      2) Install XP fresh without being connected to the net
      3) Install SP2 from the CD next
      4) Install everything else
      • Well, twenty minutes is long enough to enable their WinXP firewall. Even the one that comes with an unpatched XP box is sufficiant to protect a box on the next once its booted. Sure there is some concern about loading certain TCP modules and connecting before loading the firewall, but then all you have to do is install XP, boot unconnected, turn on firewall, connect, download patchs.
      • XPCREATE: The XP Distribution CD Creator with Hotfix Slipstreaming [msfnhosting.com]

        Automatically downloads all current patches for WinXP, Win2000 or 2003 Server installations, slipstreams them and creates an ISO image. Fully configurable, including unattended install scripts through winnt.sif and first-boot application installs and regtweaks through cmdlines.txt. You can pick and choose which hotfixes and add-ons you want to apply.

        Although the "current hotfix" list on the website doesn't yet reflect it, WindowsXP-KB835

  • 20 minutes?? (Score:5, Interesting)

    by AnswerIs42 ( 622520 ) on Tuesday August 17, 2004 @09:50AM (#9991183) Homepage
    Try 50 seconds :(

    No, not joking. At work, somewhere, there is an infected computer and while rebuilding a computer I plugged it in to run the updates for 2K and antivirus. Less than a minute after pluging it in, I was crashing and burning.

    Had to go to a patched computer, download the needed updates and burn them to CD and update the computer that way first before plugging it onto the network.

    REALLY anoying.. and when I find the user with the infected computer.. well, lets say I'll have a new storage location for this dead notebnook hard drive...

    • Ditto (Score:5, Interesting)

      by Moth7 ( 699815 ) <mike,brownbill&gmail,com> on Tuesday August 17, 2004 @09:56AM (#9991255) Journal
      I had a a similar problem (albeit with a home box) under XP. The worst of it is that you can't just download the update installer and unplug the 'net connection because the installer itself does downloading. Since the other two boxes in my house run Gentoo and Redhat I couldn't download the patches from there (Does this [microsoft.com] look familiar?) and had to just race against time for 5 or 6 attempts before it worked.
      • Re:Ditto (Score:5, Informative)

        by karnal ( 22275 ) on Tuesday August 17, 2004 @10:11AM (#9991452)
        Read the bottom of that page...

        " If you prefer to use a different Web browser, updates to Windows may be downloaded from the Microsoft Download Center."

        With a link within the text "Microsoft Download Center." I'm guessing you can at least get some necessary patches from there (SP's, some critical patches) before letting your machine full-bore on the 'net without a firewall.

        I know there are some home users out there that still aren't natting or using some sort of stateful firewall, but come on - you have 2 linux boxes there and can't get a nat to work? Hell, I'll buy you a linksys, they're getting darn cheap after rebates nowadays.
        • Nope (Score:3, Informative)

          by Moth7 ( 699815 )
          The bottom of the page says that I must be running windows. None of that browser shit =)
        • Re:Ditto (Score:3, Informative)

          by Jameth ( 664111 )
          If you aren't using windows, what you get is:

          Thank you for your interest in Windows Update

          Windows Update is the online extension of Windows that helps you get the most out of your computer.

          You must be running a Microsoft Windows operating system in order to use Windows Update.
      • Re:Ditto (Score:3, Informative)

        by Sepper ( 524857 )
        There is a ~140 meg Stand alone install... but you wind up downloading EVERYTHING and no just what your computer needs...

        http://www.microsoft.com/windowsxp/downloads/updat es/sp1/network.mspx [microsoft.com]

        Same is true for SP2...
    • Network Cable? (Score:5, Informative)

      by WhoseHouse ( 804916 ) on Tuesday August 17, 2004 @10:10AM (#9991426)
      Did you ever learn anything about computer security? On a machine that you do not want to be compromised, absolutely do not connect it to the network/internet. have all relevant patches available on removeable media - that has been verified authentic - and install sans network.

      Then once you are certain that everything is hunky dory, plug it into the network or internet with a firewall (for both incoming and outgoing).

      And this isn't an issue with Windows or Linux or FreeBSD for all the fanboys out there. This applies to all OS's. Windows is targeted more because there are more people using it. There are plenty of exploitable vulnerabilities in any OS. It's a matter of work / payoff ratio.
      • Re:Network Cable? (Score:4, Insightful)

        by jdreed1024 ( 443938 ) on Tuesday August 17, 2004 @11:46AM (#9992473)
        Did you ever learn anything about computer security?

        Did you ever learn anything about end users?

        It's all well and good to say don't connect it to the network before patching, but end users don't know that. Nor should they have to know that. It is totally unreasonable to think that the first thought through Joe User's head should be "Right, I bought this brand new machine, but I shouldn't connect it to the network since it might be compromised."

        End users are only very recently learning about service packs and patching, etc. Remember, prior to Windows XP, service packs were for business operating systems. How many end users did you see running NT 4? Even those folks running 2K at home were clueful folks - home PCs sold at CompUSA and the like shipped with 98SE or ME. You can't expect them to gain all this knowledge overnight.

        have all relevant patches available on removeable media - that has been verified authentic - and install sans network.

        And you obtain them how? In an IT environment, sure, it's trivial, beacuse you have N different computers, and probably N different platforms to use to create this media. Most folks still only have one PC. Sure, some people can burn CDs at work (but many workplaces severely limit what users can do on their machines, and lots of places prevent CD burning on work machines for corporate espionage reasons), and others might have friends with CD burners, but that's still a lot of effort, and it doesn't cover everyone.

        It's totally unreasonable to expect a consumer to jump through all these hoops. (I'm not saying they shouldn't take these steps, just that they shouldn't *have* to take these steps in order to make a consumer electronics device work) Several changes need to be made. MS should produce a crapload of service pack CDs and give them to OEMs and every new computer should come with a current one. (They did this with NT4 SP3 and haven't done it since to my knowledge). They should also ship them to large stores (BestBuy, CompUSA, etc) and sell them for a low price (ie: $0.99) enough to prevent people from taking more than they need, but not terribly expensive. MS is notoriously tight-fisted when it comes to stuff like this, despite the fact it's their fault the product is insecure. Carmakers wouldn't get away with charging for recalled parts. For example, MS refuses to ship CDs to colleges. They'll ship one for every 50 or 100 students, but that's it, and that's ONLY if you have a Select license. Given that in that quantity the CDs cost fractions of a cent each, there's no reason for this. I can understand them being reluctant to make a CD with hotfixes, since those come out so frequently, but once a service pack is out, it's out, there's no reason not to make a CD except to penny-pinch.

        • Re:Network Cable? (Score:3, Interesting)

          by WhoseHouse ( 804916 )
          Did you ever learn anything about end users?

          The answer... yes, actually. My father is probably the best example of an end user that I can think of. He used to write code for his psychology tests, purchased his first computer the year I was born (1981) and has been using computers very successfully for nearly 25 years. The problem is that he has never had the need to understand them more as a means to an end, a tool. And in that sense, he is to me the quintessential computer user.

          Most people I hav
    • Re:20 minutes?? (Score:4, Informative)

      by malfunct ( 120790 ) on Tuesday August 17, 2004 @10:11AM (#9991450) Homepage
      Before you plug in the net cable turn on windows firewall. Its minimal protection but its better than nothing. One thing to make sure of after you have the firewall up is to not go to any sites or connect to any online services other than windows update until you are fully patched. I've never had a problem getting a machine patched once I adopted this method.
    • Re:20 minutes?? (Score:4, Interesting)

      by LoudMusic ( 199347 ) on Tuesday August 17, 2004 @10:11AM (#9991454)
      Try 50 seconds :(
      No, not joking. At work, somewhere, there is an infected computer and while rebuilding a computer I plugged it in to run the updates for 2K and antivirus. Less than a minute after pluging it in, I was crashing and burning.


      I think there is a major difference between network and internet time frames. A friend of mine works for a huge corporation, 5000+ desktops at one location, and their LAN team noticed a significant increase in rate of infection when they changed the workstations from 10mbit to 100mbit.

      Also, worms are programmed to infect their own subnet before branching out.
    • I have a friend at NYU. You pretty much have to keep yourself provably protected at all times.

      I mean, they litterally plug in, said "fuck", unplugged, and they were already infected with something.

      They want an iBook...
    • Re:20 minutes?? (Score:3, Insightful)

      by shokk ( 187512 )
      Security-wise, you should probably handle vulnerable systems on a test lan isolated from the rest of the net by NAT, but still able to access the outside world, until it can be brought up to the current patch standard. Of course not everyone can afford VLANs and implementing best practices.
  • Is anyone else... (Score:5, Interesting)

    by ScytheBlade1 ( 772156 ) <scytheblade1 AT averageurl DOT com> on Tuesday August 17, 2004 @09:50AM (#9991186) Homepage Journal
    ...not suprised at all? This isn't intended to be a troll, but back when blaster was "new" and I was formatting, I was hit three times within two minutes of booting, which gave me a whopping 3 minutes to download (not an issue) and install (BIG issue) the corresponding patch.

    In the end I had to swap some CD burners around, download+burn the patch, and then unplug the box from the internet while booting.
    • "I was hit three times within two minutes of booting, which gave me a whopping 3 minutes to download (not an issue) and install (BIG issue) the corresponding patch."

      I opted for making the service restart the service rather than restart the machine. Funnily enough, it gave me hours of uptime to get the patch installed, then restore the RPC component to it's rather panicky restart state.

      It helps knowing something about an operating system you dislike.

  • Dodgy assumptions (Score:5, Insightful)

    by Westley ( 99238 ) on Tuesday August 17, 2004 @09:51AM (#9991190) Homepage
    The name "survival time" suggests that it's the average amount of time an unpatched system would last before being compromised. That assumes that every single worm targets every single unpatched system, and is always successful. That's not exactly realistic - many worms target specific programs which may well not be on the unpatched system, or target specific operating system versions.

    It would be much more interesting to see average compromise times for a vanilla install of various different OS versions (with no ISP protection, of course). In the mean time, the name should be changed, in my view.
    • Re:Dodgy assumptions (Score:3, Interesting)

      by garcia ( 6573 ) *
      It would be much more interesting to see average compromise times for a vanilla install of various different OS versions (with no ISP protection, of course). In the mean time, the name should be changed, in my view.

      Worms target my Linux machine via port 80 about every 35 seconds (at least in the past two days, I don't feel like looking further back). I have blocked most of the local Comcast customers in my area through *A LOT* of /24 and /16. It doesn't seem to help too much. Either there are more and
    • I'm planning on doing a clean install of Panther today, if I have some free time I'll test it out and get back the results.

      I predict that I will get bored of wating well before anything remotely interesting happens. Mac OS X comes with a software firewall already on with nearly every port blocked to begin with. In addition to the lack of prolific Mac related viruses I think I'll leave it up for maybe 2 hours or so, see how it did, and then report.

  • by funkdid ( 780888 ) on Tuesday August 17, 2004 @09:52AM (#9991201)
    Microsoft should have an auto-update during install feature. (If you have broadband). During the install process it could run the windows update, blah blah blah once your nic was initialized for the first time and IP granted etc.
    • There is something in the setup that would make you think it does that (Setup Update, IIRC). Sadly, I don't think it really does much of anything.
    • While you are updating the computer gets slammed - that is unless you have a decent firewall (router firewall) - or at least you install windows (unplugged from the internet), install a decent firewall (zonealarm?) and then plug yourself to the net :)
    • by kuiken ( 115647 ) on Tuesday August 17, 2004 @10:05AM (#9991369) Homepage
      chances are you will get infected before the install is finished then

      the trick is easy tho :
      1) unplug network
      2) install xp
      3) install firewall or activate build-in FW
      4) plug and config network
      5) patch the system

      there 5 easy steps for a "safe" install
    • It does. I installed a 2K3 server the other day, and it asked to go on the net to download the latest update files. Of course there must be something horrid in that. Boo microsoft! how dare you waste my bandwidth like that! piracy! fascists! republicans! boo!
  • by callipygian-showsyst ( 631222 ) on Tuesday August 17, 2004 @09:52AM (#9991216) Homepage
    Now we're going to sit and talk about how bad things were BEFORE the patch? Get a life!

    Put an old red-hat system up and see how long it takes before you're r00t3d!

    Or watch an OS-9 system crash!

    • Or watch an OS-9 system crash!

      Huh? You didn't even need to plug into the network for that to happen. And most of the time it was Nutscrape 4's fault anyhow.

    • by hattig ( 47930 ) on Tuesday August 17, 2004 @09:59AM (#9991297) Journal
      Thing is, Both MacOS and Linux have had numerous RELEASE updates in the time that Microsoft haven't changed anything with the default XP install CD. Which means that if you need to reinstall XP now, you run the risk of being pwned, but if you install Linux or MacOS, you will be doing it from a much more recent CD that is far less susceptible.

      I don't know how often Mac users reinstall, but if they had to, and their hardware was good enough, I'm sure that they'd upgrade to the latest version at the same time. You simply can't do that with Windows, you have your 3 year old install CD. Of course, you didn't have to pay $120 each year since like with MacOS X, although you did get extra features with that as well as bug fixes.

      I doubt that many people would burn a specialised SP2 CD and do it right. Human nature - their current system has it installed via Windows Update, why download it again as a whole? They probably wouldn't even know about it.
    • MacOS 9 (I'm assuming you don't mean OS9) is actually a pretty good server platform. It's hard to root something that has NO remote access by default. Heck, if you 0wn the webserver (MachTen, AppleShare IP, or WebSTAR) all you can do is change content. If you're lucky you can maybe run some system-level AppleScripts, if security is turned way down on the server.
  • by selsine ( 731825 ) on Tuesday August 17, 2004 @09:53AM (#9991219) Homepage Journal
    What do they mean by survival time?

    Time before worm infection?

    Time before the computer is brought down?

    • They mean "average time between reports for an average target IP address".

      Which means they assume all of those are from worms, and all worms are successful, etc.

      It's still a bloody short time, though.
    • by WWWWolf ( 2428 ) <wwwwolf@iki.fi> on Tuesday August 17, 2004 @10:07AM (#9991393) Homepage
      What do they mean by survival time?

      I'm guessing here, but time between when machine is first brought online and when it's first discovered/probed/found alive by a worm or hax0r scanners - in other words, time before worm infection or other kind of intrusion, because after it dawns to the world that there's an unpatched system right before their noses, there sure isn't much time left before that system is owned.

  • by slowhand ( 191637 )
    Seems like cable and DSL modems need auto(ugh - scary)-updating firmware with firewall enabled by default. Stuff that will update without being plugged into a computer. I hate things that don't let you choose. This scenario sounds like you walk into a clinic for innoculations, but deadly disease agents are everywhere in the air. Try holding your breath while waiting...
    • ISP's should block incoming connections by default unless you ask otherwise.

      Either that or Microsoft installs should not enable any ports for incoming connections after an install until the latest patches are installed.

  • yes, but... (Score:3, Informative)

    by millia ( 35740 ) on Tuesday August 17, 2004 @09:55AM (#9991242) Homepage
    the important thing to note here is that that this ISN'T the time from an announced exploitable hole (and patch), it's the time an exploit actually takes once it starts propagating.

    the time it takes for an exploit to be crafted has usually been sufficient to allow sysadmins to patch- 1 to 2 months usually.

    doesn't mean it happens, obviously. and the time it takes for an exploit to be created is shrinking, too.

    at this point, the clue should be received: firewalls. updates. secure systems.
    (and microsoft, please fix your stuff pro-actively.)
  • by meganthom ( 259885 ) on Tuesday August 17, 2004 @09:58AM (#9991281)
    Every time I read about computer security compromises resulting from failure to patch/setup firewalls/etc, I can't help but think there's a better way to educate the public than to wait for them to be victims. With all the MS tutorials and "helpers" (stupid paperclip...how I hate you!), it never ceases to surprise me that when you first start up a new MS-based computer, you don't get a security tutorial. Really, how hard would it be to take users through the basics of computer maintenance (and scare them into compliance) when they go to set up a broadband connection, etc?
  • Two cents (Score:3, Interesting)

    by InternationalCow ( 681980 ) <.mauricevansteensel. .at. .mac.com.> on Tuesday August 17, 2004 @09:59AM (#9991290) Journal
    1. As previously noted (I think on /.) the one thing you do not do with an unpatched WinXP system is to go onto the 'Net. Indeed, ISO's with patches or prepatched install CD's might be a solution but I think that the virus/worm/malware writers can also get these and patch their wares. Given MS's track record it'll be weeks at least before the problem is recognized or solved. It might be better to not take any WinXP system onto an open network.
    2. I note that despite increased awareness and MS's increased focus on security the average survival time shows a downward trend, with slight peaks shortly after high profile worm events. How come? Is the average user slacking off? Or are the worms/viruses/trojans/whathaveyou getting smarter? Or are there ever more on the loose, resulting in an ever increasing number of probes? Looking at my firewall, the number of probes I receive remains more or less constant (although I had a few more than usual on port 8000 today) so maybe that is not a good explanation (for the Netherlands at least). Anyone?
  • Hardware firewall (Score:5, Informative)

    by pqdave ( 470411 ) on Tuesday August 17, 2004 @09:59AM (#9991292)
    This is why the average broadband connection should be behind at least a consumer router, even if it's the only machine connected. Routers are too cheap and easy to skip.
    • by LoudMusic ( 199347 ) on Tuesday August 17, 2004 @10:41AM (#9991769)
      This is why the average broadband connection should be behind at least a consumer router, even if it's the only machine connected. Routers are too cheap and easy to skip.

      I've almost begun purchasing Linksys routers for my friends and family. At $40 a piece it's just ignorant not to have one. The basic firewalling that they do is pretty handy. And there are models that include client software controled firewalls. It's also nice to have a switch already at their house for when someone comes over with a laptop or such. Home networks, though still geeky, are becoming a nice thing to have with more networkable devices like game consoles (XBox, PS2) and media devices like a ReplayTV or TiVo. Also, if there are more than two people in the house you can almost be garounteed that there will be more than one computer.
  • by swordofstars ( 682648 ) on Tuesday August 17, 2004 @10:01AM (#9991316) Homepage Journal
    Microsoft Replies: In light of this new data, we would like to announce a new, more secure operating system. It is based on our Windows ME technology. By simply accelerating the timer for the essential bluescreen feature we feel confident that NO hacker will be able to make use of a corrupted machine.

    Further, we are offended by all the FUD spread about our products by the open source community. Our security features include and expanded install size, which severly limits the space available on disk available to anyone who co-opts your computer for use as an illicit server.

    Also, the times recorded by this survey are non-relevant and obviously flawed. They claim that their machines were only compromised after more than 15 minutes of CONTINUOUS uptime. This simply does not occur on our new ME+ varient. We cannot accept responsibility for those who remove our essential security features by removing 'buggy' components, or running a 'stable' GUI.

    End Sarcasm;
  • Low survival time (Score:5, Interesting)

    by yamla ( 136560 ) <chris@@@hypocrite...org> on Tuesday August 17, 2004 @10:01AM (#9991318)
    The record shortest survival time, last time I checked, at the University of Alberta [ualberta.ca] is four seconds. That's from the time they plugged in an unprotected Windows XP machine until the time it was compromised.

    That's not enough time to engage your software firewall pre-SP2. I'm not sure of the condition post-SP2.
    • by Darth_brooks ( 180756 ) <clipper377@g[ ]l.com ['mai' in gap]> on Tuesday August 17, 2004 @10:26AM (#9991595) Homepage
      Walk down the street in downtown Detroit counting $20 dollar bills and see how long it takes for you to get mugged. Then do the same on mainstreet in West Bumblefuck, Iowa (population 15, if'n Pastor Smith isn't out of town). Betcha you last longer in Iowa. In other words that time is probably dependant on how nasty the computing environment is.

      IIRC Sasser and Blaster chose their target IP's at random, starting with IP addresses in the same subnet then moving to random IP's. So if a machine gets infected four seconds after it's plugged in, that's not just a product of how poorly secured windows is, it's also a product of U of Alberta having a network chock full of RPC 'sploiting goodness. Now, if they'd have plugged in the same in an environment that had been properly patched, firewalled, etc. The box would've been fine for hours, days, or maybe it would've never been comprimised at all.

      Firewall and Snort logs can give you the true tale of the tape. Some days my home firewall (SBC residential DSL) is turning away worm attempts like a goalie on speed. Other days I go 10-12 hours without so much as a nibble or a port scan.

      But it is so much fun to talk about how "WIUNDOWS IS TEH GHEY! IT GOTS PWN3D IN TEH SECONZ!!LOL!!!11ONE@!!!@!
      • Re:Low survival time (Score:5, Interesting)

        by yamla ( 136560 ) <chris@@@hypocrite...org> on Tuesday August 17, 2004 @10:34AM (#9991667)
        Actually, the University of Alberta has a pretty good network as far as security and patches are concerned, though your point is undoubtedly valid. The Computing Science [ualberta.ca] department, particularly the undergraduate part thereof, is a huge supporter of OpenBSD [openbsd.org] and that is generally what the undergrad public machines run.

        Fundamentally, I'm not sure what they could do differently. There's no doubt that it is a hostile environment, but the only alternative seems to be to simply shut down network access, something that just isn't reasonable at a university.

        I should point out, of course, that the 4-seconds-to-0wn time is from the results of testing they did. None of the system administrators there would ever plug in a unpatched machine they weren't planning on immediately wiping.
  • So, does this mean that if you are running Windows Server 2003 (eg the eval version, as I am) on a cable/dsl line you should just assume that you have been rooted?

    Fucking harsh.

    side note; would using something like outpoast firewall make any difference?

  • This 'survival time' is an average which includes dialup users and those whose ISPs filter certain ports. Time for truly unprotected high-speed-connected PCs is probably MUCH shorter...
  • 10 minutes? Pfft. (Score:3, Interesting)

    by Rgb465 ( 325668 ) <gbk@in[ ]htbb.com ['sig' in gap]> on Tuesday August 17, 2004 @10:02AM (#9991337) Homepage
    Ive personally seen XP machines get infected with Blaster, Sasser, etc, during the install of Windows. These days, if you install Windows with an active connection to the internet, or to a network of infected machines, your nuts.


    I generally install Windows with the box disconnected from the network, install all the latest updates of a CD, then attempt to connect to the network. Most of the time, that works...
    • by Phil John ( 576633 ) <phil@NOSpAM.webstarsltd.com> on Tuesday August 17, 2004 @10:17AM (#9991513)
      • Make sure all networking cables are disconnected (but if you have an external ADSL modem like me, make sure it's plugged into the computer at least)
      • Install windows
      • Either install ZoneAlarm which you have handy on disk, or enable the windows firewall on your internet connection.
      • Go to windows update and start the patching process.
      • Go out for the day
      • Get back in to find out that it's only installed 1 patch and needs to reboot
      • Swear profusely
      • Reboot
      • Lather
      • Rinse
      • Repeat
      • and repeat
      • and repeat
      • Download/install anti-virus software
      • Go in and disable all those services that you don't need (themes support for one), for a good list google elder geek, he's got a nice handy guide.

      That's all there is to it, I've installed my fair share of XP machines and never ever had any problems with getting patched before getting pwned.

  • I do all my machine builds and initial updates with the box sitting behind a netgear router, fully NATted and with no port forwarding - i.e. the box is invisible to the net. I've merrily built and updated many machines in this way and have never been compromised (and my last step is to virus, spyware, and trojan scan with several of each type of tool).

    If you just throw a cheap hardware router/NAT/firewall in front of your box when you build, this isn't really big deal I've found.
  • This again? (Score:5, Insightful)

    by Otter ( 3800 ) on Tuesday August 17, 2004 @10:04AM (#9991356) Journal
    Either way, 20 minutes is not long enough to download patches.

    Perhaps a "TURN THE GODDAMN FIREWALL ON BEFORE YOU CONNECT TO THE NETWORK!" notice somewhere on the front page would get the point across? I've done exactly two Windows installs in my life and I know how how to safely set up a new XP system.

    • What if you have a Win2K system? Also, on XP I think that if you have File and Print sharing enabled and firewall enabled you may still get infected. I think the best bet is to disable both the Client (MS Client) and the Server (File & Print) and leave only TCP/IP with the firewall, this will probably decrease the chances of anything getting in.
  • by Metroid72 ( 654017 ) on Tuesday August 17, 2004 @10:04AM (#9991357)
    I work for a Fortune 5 company and we've had to alter our standard load server procedure to go offline and apply some patches because we have estimated that one in six unpatched computers that we work with will get the Sasser worm (that annoying reboot prompted by LSASS).

    If this happens in an enterprise environment, I pity all those clueless web users.
  • Lets think about why the survival time has been cut, just look at the MSBlaster crap and all the variations of it, if you had your computer plugged into an unprotected network whilst installing windows you would have it for sure by the time you had got to your initial welcome to windows screen. Of course thats why we put a seperate network up with NAT and a Firewall to allow us to do all our installations hooked up. But in a way the publicity that these viri and worms bring to personal PC security is a go
  • by jaylee7877 ( 665673 ) on Tuesday August 17, 2004 @10:05AM (#9991372) Homepage
    Honestly, isn't it obvious by now that if you put a old machine on the net it's going to get exploited? That's the case with Windows and Linux, put a Redhat 5 box up on a cable line and see how long before it's serving up the warez...
  • Last time I reinstalled my XP partition, by the time I downloaded the XP updates and latest AVG sigs my machine was already rebooting with RPC errors. That was a fat pipe and I'd have to guess I had blaster within 5 minutes of touching the net. This was unfortunately at the wife's office at Uni... no firewall, no proxy.

    Opinion: It's always a good idea to run a strong firewall in front of your home network.

    Fact: If you're running Windows you MUST run a strong firewall in front of your home network.
  • How significant? (Score:4, Interesting)

    by polyp2000 ( 444682 ) on Tuesday August 17, 2004 @10:08AM (#9991408) Homepage Journal
    How much of that can be attributed to faster technologies ? Greater CPU speed, Connection Speed etc?

    Nick...
  • Untrue (Score:3, Funny)

    by CDS ( 143158 ) on Tuesday August 17, 2004 @10:09AM (#9991422)
    That's not true at all.

    I have a bone-stock winXP system here, and have been running online for almost an hou*(&^@ SD#&7*$^)_*( #$%@#&*() #

    NO CARRIER
  • Beating the probers (Score:3, Informative)

    by Jeppe Salvesen ( 101622 ) on Tuesday August 17, 2004 @10:10AM (#9991425)
    Breathe in, breathe out. This can be overcome!

    1. Unplug your network connection before you install the OS.
    2. Install the OS
    3. Before you connect to the network, shut down every service you can shut down and make sure they don't start automatically.
    4. Connect the computer to the network.
    5. Run windows update until you're fully patched
    6. Set up the firewall
    7. Start enabling any service you might want to run.

    This approach will hopefully keep you safe from harm - and it will definitely reduce your exposure!
  • But which versions (Score:3, Interesting)

    by jimicus ( 737525 ) on Tuesday August 17, 2004 @10:11AM (#9991445)
    I'd be interested to know the average survival rates for a whole bunch of unpatched operating systems. I'd start with:

    - Win95/98/Me
    - WinNT4/2K/XP
    - Win3.1 (with Trumpet Winsock)
    - Mac OS (whatever the first version with a TCP/IP stack)
    - Linux (various distros)

    ALL unpatched.

    Paradoxically, I reckon the newer Windows systems would go first (more services open to the world), along with older Linux distros (same problem).
    • I'm not sure I agree with your Linux distro analysis, because mandrake, SuSE, Fedora and other user friendly distros have presets for security that you choose during installation. So virtually that leaves M$ OS at stake, maybe along with MacOS... I don't know about the first versions, but I have seen version 7 and 8 in action, it's as unstable as win98.
    • If you're going to throw in XP and 2k, you should also throw in OS X as well.

      Mac OS X/Jaguar/Panther

      I suspect that OS will last the longest out of the box, but I'm biased I think.
  • by Goeland86 ( 741690 ) <goeland86.gmail@com> on Tuesday August 17, 2004 @10:11AM (#9991446) Homepage
    I recently reinstalled winXP on my 'puter (shame on me) to be able to use the NetMD software. Well, I knew what was going to happen as soon as I plugged the ethernet in. So, as usual, I installed winblows, then McAfee Antivirus 7 + firewall, then plugged the cord to get the updates. 20 seconds later, mcafee stopped functionning. I received tons of windows messages about earning college degrees online, a couple porn ones and whatnot. Ok, so far, nothing (too) surprising. So, I take my courage with both hands, open up IE to go to windows update. BIG mistake. Instead of windows update, I ended up on some obscure casino website with so many popups I thought my system was going to jam. A few hundred clicks later, I finally see the new windows update page. Then, I start downloading the updates, like everybody else does. Of course, in the meanwhile I left a total security black hole open for every hacker in Beijing to try and read the lack of data on my drive. I can understand how some people overcome the integrated winXP firewall. But HOW in the world did they hack McAfee's to stop working? I had to download updates manually, and McAfee, just like windows update, REQUIRES IE, for some obscure non-standard non documented function. So... is M$ the only one at fault here? probably not, though I'm willing to bet it's because of winXP security failures that McAfee was disabled. Sometimes I think of WinXP of a sponge. So many many many holes... And they have to be filled one by one. No wonder winblows will never be secure. But, the reason lots of people use it, as my gf says: sponges are nicer, you don't wanna use a rock unless it's to crack heads. So, moral of the story? It's the opensource world's role to crack the big fat happy M$ head.
  • by HighOrbit ( 631451 ) on Tuesday August 17, 2004 @10:17AM (#9991517)
    A few weeks ago, I installed Win2k. I then proceeded to Windows Update and started the patching process.

    I went for the big updates first (like Service Packs and IE upgrades) - but most of those require that they be installed alone with no other updates until the machine is rebooted. So you have this long drawn out process of download a single patch, reboot, download another single patch, reboot, download another patch, reboot, repeat ad-nauseaum and finally download all the straglers. I not sure how many reboot cycles I had to go through, but the whole install and patch process (including partitioning and formating) took over an hour. And that was attended.

    My point here is that during the patch process with the constant reboots, it would be easy for somebody to walk away from a machine while it is downloading or rebooting and thereby leave it open to attack while it is idling. Of course, you ought to download all the patches on a secure machine and then patch-up you new box while inside your own secure net before exposing the box, but most people (like me) are going to connect direct to the internet to get "windows update". Luckily, I am behind a firewall, but you can easily imagine how ugly it could get if somebody were doing this outside a firewall. The single downloads and constant reboots are not going to help.
  • With the amount of worms and viruses out there, even a clean format/install won't last more than a minute. I put a system up without a firewall and it got pounded by the Sasser Worm immediately. Even with Windows Update auto resume download it took me twelve tries, each time before forced to reboot by the worm, to get just that one small patch installed. After that patch, I patched like crazy, because there's so much more out there.
  • 20 minutes my arse. (Score:3, Informative)

    by smacktits ( 737334 ) on Tuesday August 17, 2004 @10:23AM (#9991574)
    Usually when I install a fresh copy of Windows I disconnect the ethernet cable before I've at least installed a firewall (if the computer isn't already behind a router/firewall) and done any updates.

    The other day I was at my sister's house and installed her a fresh copy of w2k. For some reason I completely forgot to disconnect the network connection and not two minutes after Windows initially started, the machine had become infected with Nimda.
  • by astrashe ( 7452 ) on Tuesday August 17, 2004 @10:25AM (#9991586) Journal
    First of all, if you buy a new machine with the OS pre-installed, it will probably be patched almost up to date out of the box.

    Second of all, if you're installing your own OS, you're taking on the responsibility to do things in a minimally competent way. That might mean a NAT router, a slipstream installed CD, or just a CD with the service pack burned on it, so you can install it before you plug into the net.

    Third of all, you should be using a hardware firewall anyway.
  • by leereyno ( 32197 ) on Tuesday August 17, 2004 @10:27AM (#9991612) Homepage Journal
    Firewall

    Firewall

    Firewall

    XP has a built in firewall, did you know this? When it it turned on, even an unpatched system is protected from attempts at remote intrusion. You are still vulnerable to IE exploits, but if you're using IE on an unpatched system you need to be smacked. Actually if you're using IE at all you deserve to be smacked, just not as hard.

    So, the next time you do a clean install of XP and need to download patches, turn on the firewall BEFORE you connect it to the network. Then immediately begin installing patches from windows update. Each time you need to reboot during this process, yank the network cable until the system has finished booting. The reason is that an unpatched and partially-patched Windows system is vulnerable during boot-up. It seems that the windows firewall is one of the last things to be turned on during boot up instead of the first, which creates a window of opportunity for attacks to succeed.

    Once the system has installed all of the patches that are available, LEAVE THE FIREWALL ON unless you have a very good reason not to and know what the fsck you are doing.

    If you'll follow this simple proceedure, patching your windows system is safe and easy.

    I'm sick and tired of reading slashdot headlines that claim there are all kinds of problems patching a windows system. Windows may suck, but that is no excuse for lying about it. Propaganda and FUD are best left to the professionals in Redmond.

    Lee
  • by Wapiti-eater ( 759089 ) on Tuesday August 17, 2004 @10:31AM (#9991643)
    From the SANS inst - a PDF file giving step by step, detailed instructions (suitable for newbies!) on how to setup a brand new, un-patched XP box, connect to the I-net, get it all patched and updated *WITHOU* getting it all FUBAR'd in the process.

    Good read and should be a mandatory inclusion with every Smith's Club, Wally-World, Shack de Radio, Dell, HP/Compaq, ET-ware, Gamer's Hack Shack or any other end user PC appliance sold.

    http://www.sans.org/rr/papers/index.php?id=1298 [sans.org]

    SANS server is amazingly slow today - here's an alternate:
    http://www.cablemodemhelp.com/xpsurvivalguide.pdf [cablemodemhelp.com]
  • by James Turpin ( 789479 ) on Tuesday August 17, 2004 @10:35AM (#9991694)
    ... that the high-speed Cable internet installation CD instructs the user to turn off all anti-virus and fire-wall software during installation. Talk about a security flaw! It's like telling somebody to remove all contraceptives before ... you know ... for the first time.
  • by Thangodin ( 177516 ) <elentar.sympatico@ca> on Tuesday August 17, 2004 @10:37AM (#9991719) Homepage
    My first recommendation is that you get a router with a hardware firewall--for the price, there's really no reason not to. And any ISP who discourages the use of routers is just plain irresponsible.

    If you don't have a router, have the free version of ZoneAlarm handy, and a list of the services you can shut down on Windows (everything you don't need that uses ports or acts as a server.) Shut down these services and install ZoneAlarm before you plug the machine back into the internet. When you do connect to the web, no one will even know you're there.

    Between my router, ZoneAlarm, Ad-Aware, and some good anti-virus software, I haven't been touched by anthing out there for 10 years, even when installing and patching.
    • Between your latency-inducing router, cycle-whoring firewall and spyware scanner, and disk i/o-happy av program, your machine is running considerably slower than it could be. There's nothing wrong with that if the machine is still fast enough for you. But when you factor in the extra cost, effort, and resource drain, this isn't an option for most people (especially the non tech-saavy). I'd like to see most of these operations shifted to the ISP level, where people pay a few dollars more for access per mo
  • by loophard ( 799511 ) on Tuesday August 17, 2004 @11:09AM (#9992086)
    In my case, when I reinstalled XP about a month ago, my computer was compromised 5 minutes after XP was running. That was not enough time to get SP1 downloaded (over a cable modem). Some mystery process was running that kept popping up dialogs.
  • by jonasmit ( 560153 ) on Tuesday August 17, 2004 @11:21AM (#9992210)
    Windows XP: Surviving the First Day (Checklist)
    • Disconnect Network Connection.
    • Setup a secure administrator password.
    • Disable Client for Microsoft Networks
      To verify: Start -> Control Panel -> Internet and Network
      Connections -> Network Connection -> select your network
      connection
    • Disable File and Printer sharing
      verify using the same dialog as 'Client for Microsoft
      Networks'
    • Enable Internet Connection Firewall
      same dialog as 'Client for Microsoft Networks'. Select
      'Advanced' tab.
      Connect Network
    • Run Windows Update until there are no more critical updates.
      Start -> Control Panel -> Windows Update -> Scan for
      Updates


    PS: If I remember correctly turning on the firewall (Pre SP2) will prevent you from communicating with other computers on your LAN. But you definitely want to turn it on until you get patched or download/buy another firewall.
  • by Cyhwuhx ( 594396 ) on Tuesday August 17, 2004 @11:34AM (#9992346) Homepage
    .::: So basically we now have a sort of 'Internet weather', which tells wether your computer can go play outside or not?
    Nice, I can see the evening news getting an extra report then.

    "In North America we have some nasty worms raging across the Net spreading all the way to Europe, better close up those ports. Asian PC's may want to wear an extra layer of firewall as we got some heavy probes coming in. South-Afrika meanwhile has some lovely patchy weather."
  • What I'd like to see (Score:3, Interesting)

    by Tim C ( 15259 ) on Tuesday August 17, 2004 @11:38AM (#9992383)
    Is a country-by-country study of this kind. I say that, because I read lots of comments here and on similar sites about all the probes and other unwanted network activity that people see, and yet my machine is usually on every waking moment, and is connected to the net via ADSL, yet I see almost no activity. Once every few days my software firewall (Sygate Personal Firewall) will tell me that a small handful of ports have been scanned. For example, I've actually had the machine on and connected for almost 3 days now, and my firewall is showing no unusual activity.

    Now, either I'm just not logging enough (entirely possible), or I'm sat on a very, very quiet part of the net. I have to wonder how much one's country of residence influences this sort of thing, given that I'm in the UK and I'm guessing most people here are in the US.

FORTRAN is not a flower but a weed -- it is hardy, occasionally blooms, and grows in every computer. -- A.J. Perlis

Working...