Unpatched Windows PCs own3d in less than four minutes

An unpatched PC is likely to last just four minutes on the internet before being attacked and compromised. The time it takes for a PC to get itself owned varies by operating system and what activities a user engages in - but even allowing for this, putting an unpatched Windows PC directly onto the net in the hope that it …

COMMENTS

This topic is closed for new posts.


@ vahid

"Also 1 last issue - FS partitions Linux install ok if you're a noob all goes in one but for me it's always been things like home get own partition - so sure format OS partition as much and as often as you like - your data is safe unlike c:\Documents and Settings\Blah"

"spaces in folder names is not clever either by the way"

------------------------------------------

I'll agree that spaces in folder names were a silly idea, that's obviously why in Vista the Docs and Settings folder is now just Users ;-)

As you say, defaults are always for noobs, as you put it. A default Linux install slaps everything in one area and so does Windows, but I've never run a Windows box without redirecting the Documents folder to another partition or physical drive. It's an insanely easy process as well: just right click and select target.

-------------------------------------------------------------

"my experience from a windows install the initial user is admin! there is no requirement to put in a root password to install anything"

Yes but other new users that you create are basic users.

-------------------------------------------------------------

Anyway, we're getting off track here. The point is that pointing out that 5-year-old code has flaws is pointless; ALL code has flaws. It's time to fix that is important, an area where I do think MS could improve.

0
0

Learn how to use it or fuck off.

MS's biggest crime is letting people who have no idea how to use a computer think that they're superusers.

If you can't use Linux then you can't actually operate a computer -- you can only play games produced by Microsoft and Apple.

0
0
Happy

@ By Nuno trancoso & @ AC about windows install

You do not need a licence to use a computer.

You do not sit a test of competency to use a computer.

You do not break any rules by getting hacked.

AC about windows install when making your own Partition for documents and settings

What if you purchase a PC from a shop with Windows? Does it come with separate partitions?

Or how about when you do an install, does it come up with clear, concise questions about partitions etc., a separate slot for boot, separate for swap, separate for home etc.? Last time I installed Windows this was not the case, but then it was donkey's years ago....

0
0
Bronze badge

It's not unreasonable

It's not unreasonable to expect that you ought to be able to buy a computer in a store, hook it up to the Internet, and be able to use it with no more fear of someone in the outside world being able to interfere with it... than one would be afraid of having a mechanical adding machine or a rotary-dial telephone "hacked" in some fashion.

Consumers expect their television sets, automobiles, and refrigerators, when made and sold by reputable companies, to work reliably. Why can't the makers of computers meet the same standard?

And, despite being made cheaply these days, computer hardware meets that test. Software could meet that test too. Check very rigorously for possible buffer overflows or race conditions. Do not add features that allow remote execution, like Java or JavaScript, until *after* they've been perfected - and are sitting behind two layers of sandboxing.

Put the important parts of the operating system in ROM, and the rest of them on a separate read-only hard disk - that gets made writeable by a *physical switch* on the computer case during OS installation! Prevent dialers by only having modems with buttons for dialing on them (yes, you can program in your ISP's number for one-button dialing, but you do that from the modem front panel, not from your computer, which has no way to access that function _at all_).

One could make computers as secure as people expect, with simple instructions that would ensure this made them only slightly more complicated to use. Perhaps many computer users are not the computer experts they ought to be; but surely the big computer companies are the ones truly without excuse?

0
0
jai
Silver badge

pwn3d

if you're going to try and be hip and with it and down with the kids in your titles, at least get the 1337 nomenclature correct, innit :)

0
0
Boffin

Not specific enough.

What version of Windows? What service pack level?

If I smack a PC with a freshly-loaded copy of Windows XP SP3 on the network, how long will that last against, say, the original release of Windows XP? Or SP2?

And what of Vista? I don't use it (and have no intention of using it), but curiosity for its own sake...

0
0

blame the pc vendors

Years ago, when the Sasser worm had been doing the rounds for a couple of months, I got a call from a customer who had bought a PC from PissyWorld, plugs it in, bungs in the disc to get BT dial-up, it connects to get her details and set up the account, and the PC starts shutting down. Then every time it rebooted it would start to shut down again. All it needed was PissyWorld to give the customers a floppy with the M$ patch on it and to say: before you go on the internet, install the patch on the floppy.

This was sometime in the summer in 2004 and you can bet the PC had SP1a and nothing more on it.

Maybe the vendors can't be expected to keep the PCs up to date before they sell them, but the Sasser worm was so prevalent that it should have been a special case.

The local vendors who hand build PCs, and in my case make sure that they are up to date before going to the customer, may be a bit more expensive, but price isn't everything.

0
0
Flame

Well that shows the XP lie

I've had plenty of unprotected NT4 and 2K machines on the net without problem with either nothing or a cheesy ZoneAlarm type firewall. And those NT4 machines were never patched, because, well, you had to download and install them all by hand.

Frankly, for what they are talking about you don't need patches if you are not browsing. All you need is a decent firewall like Kerio 2 from about 5 years ago that keeps Windows from bleeding out the 2000 odd ports it exposes to NetBIOS and such.

0
0

@david wilson

Routers get corrupted all the time. Anything with a network connection and write access is vulnerable.

It seems to me that this article was targeted at those of us who build our systems, and not at those who purchase loaded gear from a retailer. Installing any OS involves patching it. This article was simply relaying the results of research performed by one company on a couple of Microsoft products. There's nothing to be learned from this unless you have never given thought to the risks of networking an unpatched system.

I've never had a Posix system compromised during setup, but I could see how it could happen ... if there were as many malware bots actively looking for them as are constantly seeking out MS installations.

You protect what you can and deal with the rest. The article provided a word to the wise for newbie installers, and gave the rest of us something to kvetch about.

0
0

USB modems

USB modems are a rare breed these days I would say. Even BT wouldn't give out one of their old frogs now. a) they want to plug HomeHub, but more importantly b) the USB modems are a notorious nightmare for support as they were more than likely the main cause of connection problems. I remember even NTL used to strongly advise against connecting their modems via USB because of all the hassle it caused and would ship Ethernet cables to customers as the immediate solution regardless of what the problem really was.

Anyway, the majority are no good for "8mb+" broadband. Yeah we know it's a myth but even to get beyond 1mb you really need a proper dedicated router/modem.

Besides that the majority probably get wireless broadband routers for free with their ISPs (not knowing why they need one). All NATed up and ready.

Biggest risk from ISP hardware is use of WEP encryption and default passwords, but even that's a low risk really.

However, a company I worked for used to be anal about security, firewalls and virus scanners, but their laptops that were the only authorised ones to go onto the network would go out of the office with no firewall at all, and I'd seen one plugged direct into the net with no NAT and sure enough within minutes it had pop-ups all over.

Though these pop ups are really nothing to write home about. Just old netbios message windows, like the kind you used to get to tell you your print job had finished.

Another thing. Of the "clueless" who buy from PC World etc, who would really end up with a PC with raw unpatched Windows XP pre-service pack? Likely they'll be shipped with the latest service pack at least (with Vista these days anyway), which has enough lock downs to get you going. In the case of Vista, probably enough to stop you getting anywhere in the first place ;)

0
0
Happy

M$ of course

By way of an attempt at humour.............

Tonight I have been running a modern AMD with XP Media, and a five year old Dell with XP, both behind a rather 'nice' IPCOP firewall.

The media centre PC has crashed/died 4 times in as many hours, and the vanilla XP just BSoD.

[of course, I will check to see if anything nasty got in, but]

I agree an unprotected PC on the interweb will only survive for minutes............................... but how long do they last anyway?

0
0

let's not forget mac 10.2

... which shipped without its firewall turned on. Pathetic.

0
0
Silver badge
Paris Hilton

@Simon Harris

So, your computer at home was connected to the internet without any kind of protection, and you got what appeared to be a remote exploit, or at least some kind of potentially malicious code run on the machine.

You then took it into work and exposed your works network to your machine?

"Well, I've got home, locked the house doors, and set the alarms. Now, I'm going to juggle with nitroglycerine because what with the doors being locked and the alarm being on, I must be safe, right?"

Do they do the IT equivalent of Darwin awards yet?

Steven R

0
0

@By John Savard

It's not unreasonable to expect that you ought to be able to buy a computer in a store, hook it up to the Internet, and be able to use it with no more fear of someone in the outside world being able to interfere with it... than one would be afraid of having a mechanical adding machine or a rotary-dial telephone "hacked" in some fashion.

Consumers expect their television sets, automobiles, and refrigerators, when made and sold by reputable companies, to work reliably. Why can't the makers of computers meet the same standard?

The difference is you don't have people coming into your home trying to break your TV, fridge or car.

Out of the box it does work. Would you blame the car manufacturer if you installed a radio that killed the electrics in your car? Would you blame the auto manufacturer if someone steals your car?

0
0
Stop

Yes, but...

Look, much as I hate rising to the defense of Windows, this is about a network probe of some sort equaling a compromise which, of course, does not necessarily follow.

Unless I am greatly mistaken - and I am often greatly mistaken - what it does show is that unsolicited network activity believed to be aimed directly at Windows systems (let's say 1, every 35 minutes) is on the order of 20 times that believed to be aimed at unix systems (1, every 700 minutes) which, given that the install base is about 10:1 in Windows' favour, is probably worse than it should be.

Basically, if you had an imaginary unix system vulnerable to all vulnerabilities that the probes ascribed to unix systems were targeting, and an imaginary windows system vulnerable to all the vulnerabilities that the probes ascribed to Windows systems were targeting, and then you ascribed the remaining non-specific probes proportionately between the two, and you connected both to the internet with no boundary protection, then hit yourself with a great big lump of wood you idiot. You probably built your own car out of thirty years of Ford manufacturing defects. Yes, your arse is wet and the electrics make your pacemaker skip. Sky blue. Flowers pretty.

Now the disproportionate activity on the Windows front is another thing altogether. Newsworthy, it may well be. Now I may justifiably resume my slightly hypocritical, slightly self loathing, stance of deriding Windows while still being partially dependent on it.

Oooh! I AM a dirty boy! Tell me I'm a dirty boy!

0
0
Boffin

What OS?

Yeah, a bit more reporting would be nice. What OS/patch level on the box?

As for the morons here going on that they can have a windows box pwned in a minute or so, have you not heard of the concept of "average"? The *average* time a box is compromised is apparently 4 minutes - which of course means that individual boxes could take seconds or days to be compromised.

0
0
Silver badge

@ Steven Raith

The story was just meant to illustrate the catch 22 problem of setting up a Pre-SP2 PC with a standard domestic broadband connection. You needed the connection to get the updates, but the problem the updates were supposed to solve came over the connection before the updates arrived. It wasn't meant as a step by step guide to fixing it, so I skipped to the end of the story with the comment about getting the updates over a more secure connection without filling in all the middle bits about scanning and cleaning up the PC first.

I don't remember there being any nitroglycerine left at that point!

0
0
Gates Horns

USB modems are around

I have a roaming connection that consists of a USB GPRS modem (which sticks by velcro to the back of my laptop's lid). There is no way to install a hardware firewall. Four minutes? The first time I used this connection with a (throw-away) fresh, unpatched XP, it took somewhere between 20 seconds and 20 minutes to be compromised - I didn't time it properly. The second time, it took two minutes. Each time, that system got so infected that I didn't dare do ANYTHING serious with it, but just repartitioned and reformatted the disk as soon as I got home.

A hardware firewall / NAT router is probably 99% of the solution. If you have an unpatched Windows system, though - or even a patched one, though it's less critical there - a personal software firewall is a good way to protect against rogue code from web sites etc, and also helps contain problems if you do get them. It does help.

Yes, all operating systems get updates. If you don't like that idea, I'm sure someone can find you a copy of MS-DOS version 1; or maybe you'd rather go for QDOS? But Windows has a lot of problems that allow external attackers to take control of your system, whereas other operating systems have much less critical faults. I'd like to see anyone try to argue that Linux security holes are as much of a problem as Windows holes.

0
0

It's about time MS mailed all registered users a new secure version of installation media

Like I said, all those people who bought the retail version should be allowed to have a new version of installation media with all the patches applied. This is MS's fault they can't write a secure OS so they should have to pay to put it right.

0
0

@ Ryan

And anyone using cable modems without firewalls, or even the masochists updating via dialup. MS are still making people pay for their "male chicken" up

0
0

Then again

I've had several boxes (XPSP2 no AV, no nuffink) on and offline for the last year or so, with maybe a load of spyware, but nothing that can't be broken easily enough, and I have suffered very little. It's very simple - keep the stuff that matters to you on external static/optical/mag media, use virtual O/S that run in RAM with no HDD, or just blow away and reimage the box every Sunday. Hardly much effort, and a lot cheaper than worrying about keeping up with licenses for bloated AV/Firewall shit.

If you want to do anything questionable or anything which could be used against you in any way, do it from a public access point or hijack some peons AP.

People worry about the wrong things mostly...if someone wants to steal your identity, or fuck you over somehow, I'd be far more concerned about the criminal element in government and their quango buddies than some nerd with a few hijacked boxes and some scripts. Once your biometric data goes onto the NIR, and some crook in authority has access to it, that's it for life. You can't change your fingerprint or retinal signature.

Four minutes? Four minutes till some relatively harmless piece of code gets installed which does what exactly? Makes your PC run slow? Makes it unstable? Uses some of your bandwidth? Just blow it away and start again.

Obviously it makes sense to protect yourself online as much as possible, but the ramifications of not doing so are likely to be trivial. Unless you consider having to reinstall an OS as some kind of crisis - in which case you should really probably sit under a large tree and have a good hard think about life.

0
0
Linux

It is very cheap to protect your computer

Routers with NAT/Firewall functionality can be obtained from about 10 pounds and up. I myself am using one that cost about 29 pounds, and is about 4 years old.

Default configuration of these is to deny all; unfortunately they also enable UPnP.

Make sure you disable UPnP, as (afaik) it allows software to create holes in your firewalls, and unfortunately this feature is enabled in almost all cheap firewalls. As I understand it, UPnP provides a way to go through a firewall (from the internet - the wrong way), and thus opens your system to attack, and requires no security to alter the firewall protections.

I recommend these cheap routers as a solution to all who own a computer and don't know much about computers, as it goes a very long way to securing your system, and is a very cheap way to avoid problems. Ofc firewalls do not protect against malware downloads.

0
0
Anonymous Coward

@ vahid

"What if you purchase a PC from a shop with Windows? Does it come with separate partitions?"

From a good shop yes, from Dell, HP and the rest I doubt it, some Acers seem to.

"Or how about when you do an install, does it come up with clear, concise questions about partitions etc., a separate slot for boot, separate for swap, separate for home etc.? Last time I installed Windows this was not the case, but then it was donkey's years ago...."

No, but then (and I can only comment on Fedora and Ubuntu) I only remember seeing those options when manually configuring an install, just the same as Windows. If you let it auto partition you get a separate swap and the rest /home /var and so on are all stuffed in one partition.

0
0

Has been true for years

This was already the case five years ago. I guess it's good to keep reminding people of it, though.

0
0

ping Vahid

Hey wait a minute Vahid. Making the 65+ crowd sound like a bunch of imbeciles.

While I'm not there yet (I've got another 15 years or so), I'm a member of a computer club where the average age is in its 70's. You go to GRC.COM and the newsgroups are crowded with retirees. There was even a recent thread where people talked about teaching senior citizens (including their parents) Linux. One guy said one of his first senior citizen students, who has used most main distributions and stuck on Fedora, was having their 101st birthday.

Next time you use a group as an example of stupidity, find out more about them first.

BTW: what about the Taterf worm? The WBE id10+s that turn off their AV and PFW for a performance boost and download a bunch of cracked software that infects their machine. Of the 330 million MS found in the 1st week, I doubt if very many of them were senior citizens.

0
0
Coat

@Stu Reeves

"(I'm guess they are on about standard, non SP2 XP machines)."

Non SP2 machines aren't "standard" by any stretch of the imagination - any version of XP that isn't SP2 or better is at least 5 years old!

0
0
Thumb Up

All Us Stupid Seniors

RE:ping Vahid

By fluidlyunsure

As a retired baby boomer, thanks. Well said

0
0
Unhappy

So I have under 4 minutes?

My wife's HP machine came with XP and SP1, and ran for years without problems. Recently it has crashed repeatedly and often all the way down, and after many re-installations of the OS, assisted recently by my (fairly cheap but not free) SP2 disk from M$, I decided the problem has to be the hard drive going south. The machine is capable of doing all the things we need, and much of our software and even hardware is not Vista-compatible, in particular the HP scanner for scanning her artwork is no longer made, and had compatibility problems with SP2 until I got patched for that, and our WordPerfect is not Vista-ready.

Yes, I am over 65, but first used a computer in 1963/4 (paper-tape input, printed output, no graphics, wrote my own near-machine-code programs), have designed ICs for decades, both before and with computer software assists, but now I am wondering if I am just not getting the OS updated fast enough on the re-installs. My ISPs assign an IP when I connect (yes, I have been involved in IEEE 802.3 committees, so I know what an IP is), but how do I protect against being "own3d" before I have the updates downloaded? And if I go on a business (or other) trip, how does my (non-techie) wife handle it?

I do like the idea of M$ providing an updated installation disk, since they originally put the holes in the OS. But would they do that for XP? Moon$Hine dreaming!

0
0
Thumb Up

A Little Help

http://grc.com/default.thm

These can help

The DCOMbobulator 1,634,863 downloads.

DCOMbobulator allows any Windows user to easily verify the effectiveness of Microsoft's recent critical DCOM patch. Confirmed reports have demonstrated that the patch is not always effective in eliminating DCOM's remote exploit vulnerability. But more importantly, since DCOM is a virtually unused and unneeded facility, the DCOMbobulator allows any Windows user to easily disable DCOM for significantly greater security.

Shoot The Messenger 2,144,420 downloads.

Even before the latest DCOM/RPC vulnerability (see above), many Windows users were being annoyed by "pop-up spam" notices appearing on their desktops. This intrusion is also facilitated by an exploitation of port 135. Our free "Shoot The Messenger" utility furthers the security of Windows by quickly and easily shutting down the "Windows Messenger" server that should never have been running by default in the first place.

UnPlug n' Pray 2,837,124 downloads

As originally urged by the FBI, and still urged by prominent security experts, our UnPnP utility easily disables the dangerous, and almost always unnecessary, Universal Plug and Play service. If you don't need it, turn it off. (For ALL versions of Windows.)

XPdite 1,090,543 downloads.

A Critical Security Vulnerability Exists in Windows XP. (Surprise) Actually, as we know, there are many, but we'll handle them one at a time. This particular vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is already being exploited on the Internet.

0
0
Dead Vulture

'fraid not chaps

I noticed how much slower my PC [the one I'm typing on now] was after installation of all of the Microsoft updates, and that seemed somewhat counter productive. So...

I decided to run a little experiment.

I reinstalled windoz, went to the update site and installed everything I reasonably considered necessary BUT made a point of NOT installing anything with "security" and/or "critical" in its description.

The experiment continues.

I like the ladies. hahahaha

I also visit sites which deal with controversial subjects.

I go where the hell I want on the net.

I run zonealarm free firewall.

About every couple of weeks do an online scan and occasionally d/l a free antivirus, update it and run a full scan. THEN UNINSTALL. NO "WATCHERS".

Now not to piss on Bill's bonfire but.... what's a virus again?

Have none.

Have had NONE. AT ALL.

Security my bottom.

"Update"........ experiment has now been running for over a year, and will continue.

Security my arse.

The vulture = the death of common sense.

Now ya'all have a nice day now.

0
0

@Michael Nielsen re UPnP

Most of the "UPnP is bad" comments come from a distinct lack of understanding of security issues and practice.

Sure there are potential security vulnerabilities with some UPnP implementations, and in some environments (e.g. company network) you probably don't want it but that's more for staff policy reasons than because of security issues.

In most cases, UPnP can be MORE secure than not having it. It's absolutely true UPnP allows a PC on your network to open ports on your firewall, but if your PC has been "pwn3d" then it's a bit late anyway, and it's pretty damn trivial for the virus/trojan to create connections to the Internet without UPnP.

Assuming your PC isn't infected, UPnP allows you to run certain software apps without having to do permanent port-forwards on your firewall.

It doesn't take a rocket scientist to understand that an on-demand, randomly allocated open port is more secure than a permanent, fixed port (or, worse still, port range) which is always open even if it's not needed.

0
0
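For anyone following the UPnP exchange above who wants to see whether their own router still answers UPnP gateway discovery (for instance after switching the feature off), here is an added example; it is not part of either commenter's post. It sends the standard SSDP M-SEARCH on the local network and lists devices advertising the Internet Gateway Device port-mapping services. The function names are hypothetical and the two sample replies are constructed.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)      # standard SSDP multicast group/port
IGD_TARGETS = (                            # search targets tied to port mapping
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)
IGD_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")

# Constructed sample replies (not captured from a real device).
SAMPLE_IGD = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nEXT:\r\n"
              b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
              b"USN: uuid:00000000-0000-0000-0000-000000000001::"
              b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
              b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
              b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")
SAMPLE_RENDERER = (b"HTTP/1.1 200 OK\r\nEXT:\r\n"
                   b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
                   b"USN: uuid:00000000-0000-0000-0000-000000000002::"
                   b"urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
                   b"LOCATION: http://192.168.1.20:8080/desc.xml\r\n\r\n")


def build_msearch(st, mx=2):
    """Build one SSDP discovery request for search target `st`."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode("ascii")


def parse_ssdp_response(data):
    """Return lower-cased headers of a 200 OK SSDP reply, else None."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_gateways(replies):
    """Filter (ip, raw_reply) pairs down to unique IGD-capable devices."""
    seen, found = set(), []
    for ip, data in replies:
        headers = parse_ssdp_response(data)
        if headers is None:
            continue
        ident = headers.get("st", "") + headers.get("usn", "")
        if not any(marker in ident for marker in IGD_MARKERS):
            continue                              # e.g. a media renderer
        key = (ip, headers.get("location", ""))
        if key not in seen:
            seen.add(key)
            found.append({"ip": ip, "location": key[1],
                          "server": headers.get("server", "")})
    return found


def discover(timeout=3.0):
    """Send M-SEARCH on the LAN and collect raw replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    replies = []
    try:
        for st in IGD_TARGETS:
            sock.sendto(build_msearch(st), SSDP_ADDR)
        while True:
            try:
                data, (ip, _port) = sock.recvfrom(4096)
            except socket.timeout:
                break
            replies.append((ip, data))
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    try:
        gateways = find_gateways(discover())
    except OSError as exc:                        # no network, blocked multicast
        raise SystemExit(f"discovery failed: {exc}")
    for gw in gateways:
        print(f"UPnP gateway at {gw['ip']}: {gw['location']} ({gw['server']})")
    if not gateways:
        print("No UPnP Internet Gateway Device answered on this network.")
```

An empty result only means nothing answered discovery from this host; the router's own admin page remains the authoritative place to confirm the setting.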
Happy

@ all over 65

sorry no offense was made. It was just an example for people who think on a professional level and comment on this level rather than looking at the problem from someone who has basic knowledge :)

0
0
Linux

@Cameron Colley

Go fuck yourself Mr Colley. You said...

"MS's biggest crime is letting people who have no idea how to use a computer think that they're superusers.

If you can't use Linux then you can't actually operate a computer -- you can only play games produced by Microsoft and Apple."

Most people have better things to do than learning all the ins and outs of Linux... actually, let me rephrase that - I'm no Linux hater, indeed full respect to the penguin aficionados out there - but people have different priorities. I spend a significant part of my life working, writing carefully written reports amongst other things, and outside that time I swim almost every day, enjoy cycling, watching football and playing it (badly), cooking, reading, seeing friends, volunteering, going to galleries, making love (to someone other than myself), and generally doing stuff that doesn't involve being sat in front of a small screen.

And now you tell me that basically I shouldn't be allowed to use a computer because I don't know how to use Linux - how stinkingly elitist and full of shit is that. I keep my Windows fully patched and scan for malware of all sorts regularly using a variety of different tools and observe good computing practice, and help my friends and family to do the same.

When I step back and take a look at this I do wonder whether a Mac would be a better idea, as a computer that would entail less time fannying about making it work as opposed to more. You're merely confirming my suspicions about Linux - that it is an operating system that you need to get highly involved in. I want to get highly involved in things other than my computer's operating system.

0
0
Boffin

Not so long ago

There were computers which had their OS on a chip called ROMs (Read Only Memory) which couldn't be erased easily (you could fry 'em with static, I spose) then some bright spark decided (as there was a chip shortage) to bung the OS on hard disks. This, in my 14 year old mind was a recipe for disaster, but hey, folk wanted to make money. Anyway, us youngins should be doffing caps to the seniors, as it was they who started all this computing nonsense off. It's been fun over the last 30 years faffing about with biscuit tins of electronics and getting it all to work. The floppy disk is dead, if that's the case, why are they still being sold?

0
0

Woosh, the sound of the real point going straight over people's heads.

The point of the research was not "let's prove that it's not a good idea to put an unpatched Windows computer on the net". After all, these computers were *meant* to invite infection.

This experiment demonstrated in a simple (headline grabbing) manner that despite over ten years of the Windows security industry and many fixes by Microsoft there are still so many *already* compromised Windows computers on the net that a honeypot computer will be infected extraordinarily quickly.

Look at the research, these attacks weren't being made from some bunker in Siberia, the vast, vast majority were from the same net block that the computer was connected to, i.e. ordinary people's computers connected to the same ISP.

So forget about how great your computer practice is, or how you think people "ought" to use computers, it's not about *you*.

This is a peek into the real world of millions of Windows systems herded into botnets, spreading worms, compromising people's privacy and security, degrading people's experience on computers and the internet, and a certain part of the computer industry that seems either unwilling or incapable of solving it.

0
0

@AC - 65 year old

That is the biggest load of garbage I've ever read.

The idea of patching of Windows, Linux, Mac OS or whatever is to correct problems/plug holes that weren't known about when the OS was released or have been introduced as a result of previous patching/new features.

What you are referring to is a Linux Live CD but bear in mind that hardware that requires specific drivers may not work if the driver isn't present on the CD.

If my memory serves me correctly OEMs are not permitted to make their own build CDs anymore (as in the days of Win 95), so that's why there is no slipstreaming, but there is nothing to stop you making your own build DVD :)

0
0
