Free Republic

Unprotected PCs Fall To Hacker Bots In Just Four Minutes
Techweb ^ | 11/30/2004 | Gregg Keizer

Posted on 11/30/2004 1:29:41 PM PST by zeugma

The lifespan of a poorly protected PC connected to the Internet is a mere four minutes, research released Tuesday claimed. After that, it's owned by a hacker.

In the two-week test, marketing-communications firm AvanteGarde deployed half a dozen systems in "honeypot" style, using default security settings. It then analyzed the machines' performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet.

The six machines were equipped with Microsoft Windows Small Business Server 2003, Microsoft Windows XP Service Pack 1 (SP1), Microsoft Windows XP SP1 with the free ZoneAlarm personal firewall, Microsoft Windows XP SP2, Macintosh OS X 10.3.5, and Linspire's distribution of Linux.

Not surprisingly, Windows XP SP1 sans third-party firewall had the poorest showing.

"In some instances, someone had taken complete control of the machine in as little as 30 seconds," said Marcus Colombano, a partner with AvanteGarde, and, along with former hacker Kevin Mitnick, a co-investigator in the experiment. "The average was just four minutes. Think about that. Plug in a new PC--and many are still sold with Windows XP SP1--to a DSL line, go get a cup of coffee, and come back to find your machine has been taken over."

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.

"If you're running a firewall so your machine is not seen, you're less likely to be attacked," said Colombano. "The bot or worm simply goes onto the next machine." Although Windows XP SP1 includes a firewall, it's not turned on by default. That security hole was one of those plugged--and heavily touted--by Microsoft in SP2.

The successful attacks took advantage of weak passwords on the target machines, as well as a pair of long-patched vulnerabilities in Microsoft Windows. One, the DCOM vulnerability, harks back to July, 2003, and was behind the vicious MSBlast worm of that summer. The second, dubbed the LSASS vulnerability, was first disclosed in April, 2004, and led to the Sasser worm.

The most secure system during the experiment was the one running Linspire's Linux. Out of the box, Linspire left only one open port. While it reacted to ping requests by automated attackers sniffing for victims, it experienced the fewest attacks of any of the six machines and was never compromised, since there were no exposed ports (and thus services) to exploit.

The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. "The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added.

For the bulk of users who work with Windows, however, Colombano didn't recommend dumping Redmond's OS and scurrying for the protection of hacker-ignored platforms.

"Update Windows regularly with Microsoft's patches, use a personal firewall--third-party firewalls still have their place, since Microsoft's isn't suited to guard against outbound attacks--keep secure passwords, and use some type of anti-virus and anti-spyware software," he advised. Of the list, the firewall is the most important. The study concluded, for example, that Linux- and Windows-based machines using an application firewall were the best at preventing attacks.

"No machine is immune," he counseled. "No human is safe from every virus, and it's the same for machines. That's why people have to have some personal responsibility about security. You have to be a good citizen on the network, so you're not only protecting yourself, but others who might be attacked from exploits originating on your machine."
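The article describes the study's method as tallying attacks, counting compromises, and timing how long an exposed machine survived before it was hijacked. The following is an added example, not code from the article or from AvanteGarde's study, that computes those same three metrics from a constructed honeypot event log (the host names, timestamps and event types are assumptions made for the example):

```python
# Added example: summarize a constructed honeypot event log into the
# metrics the article's study reports (probe count, compromised or not,
# seconds from going online to first compromise, and the mean of those times).
from datetime import datetime
from statistics import mean

# Constructed sample events, one per line: "timestamp host event detail".
# Hosts and times are invented for the example, not data from the study.
SAMPLE_LOG = """\
2004-11-15T10:00:00 xpsp1 online -
2004-11-15T10:00:30 xpsp1 probe tcp/135
2004-11-15T10:02:10 xpsp1 probe tcp/445
2004-11-15T10:04:00 xpsp1 compromised rpc-dcom
2004-11-15T10:00:00 xpsp2 online -
2004-11-15T10:03:00 xpsp2 probe tcp/445
2004-11-15T10:00:00 linspire online -
2004-11-15T10:10:00 linspire probe icmp/echo
"""


def parse_events(text):
    """Parse the whitespace-separated log format into (time, host, event, detail)."""
    events = []
    for line in text.splitlines():
        ts, host, event, detail = line.split()
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return events


def summarize(events):
    """Per host: number of probes, whether it was ever compromised, and the
    seconds between coming online and the first compromise (None if never)."""
    online, first_hit, probes = {}, {}, {}
    for ts, host, event, _detail in sorted(events):
        if event == "online":
            online.setdefault(host, ts)
        elif event == "probe":
            probes[host] = probes.get(host, 0) + 1
        elif event == "compromised" and host not in first_hit:
            # Only the first compromise counts toward time-to-compromise.
            first_hit[host] = (ts - online.get(host, ts)).total_seconds()
    return {h: {"probes": probes.get(h, 0),
                "compromised": h in first_hit,
                "seconds_to_compromise": first_hit.get(h)} for h in online}


def mean_time_to_compromise(summary):
    """Average survival time over the hosts that were actually compromised."""
    times = [s["seconds_to_compromise"] for s in summary.values() if s["compromised"]]
    return mean(times) if times else None
```

With the constructed log, the unfirewalled host is taken over four minutes after coming online, while the two hosts that were only probed report no compromise, which is the shape of result the article reports for SP1 versus SP2 and Linspire.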


TOPICS: Business/Economy; Culture/Society; Miscellaneous
KEYWORDS: computersecurity; exploit; freeware; getamac; hackers; internetexploiter; linux; lookoutexpress; lowqualitycrap; microsoft; patch; securityflaw; spyware; trojan; virus; windows; windoze; worm
To: Question_Assumptions

bttt


101 posted on 11/30/2004 8:47:06 PM PST by freedomlover
[ Post Reply | Private Reply | To 7 | View Replies]

To: pbrown
Can I just click on firefox and that's all I need...I don't need to buy anything?

That's a pretty broad question. As far as a browser, yes. For most, if not all purposes, firefox is all you need. The broader issue though, is that if you have a computer connected to the internet, you should get a hardware firewall. If you are a windows user, and have had the PC online for a while before installing the firewall, I'd also recommend you reformat and reinstall your OS on your PC AFTER plugging it into the firewall.

102 posted on 11/30/2004 8:49:33 PM PST by zeugma (Come to the Dark Side...... We have cookies!)
[ Post Reply | Private Reply | To 50 | View Replies]

To: All
Another thing is to have a hardware firewall. Mine is built into my Linksys router and since I got it, my Norton firewall has only detected one intrusion attempt. Hardware firewalls are far more effective at stopping the more determined hackers. Software firewalls will only keep out the "script kiddies" who can't hack anything, just use some program they downloaded, and think they're some bada** "l337 H4Xz0r".
103 posted on 11/30/2004 8:54:31 PM PST by COEXERJ145
[ Post Reply | Private Reply | To 1 | View Replies]

To: COEXERJ145
Good advice. I actually went wireless here, and use the firewall built into my linksys wireless router. I actually didn't have any wireless cards when I bought it, but knew I'd be hooking them up sooner or later. When I initially turned it up, I just turned off the wireless portion until I needed it.

Of course, once you've opened up wireless, you have an entirely new set of problems to deal with. My recommendation is 128-bit crypto on a non-broadcast SSID that is tied directly to your cards' MAC addresses. That will keep out all but the most determined wireless hackers. If you've got someone willing to expend the effort that it would take to penetrate the above setup, you've got =much= bigger issues to deal with :-)

104 posted on 11/30/2004 9:08:36 PM PST by zeugma (Come to the Dark Side...... We have cookies!)
[ Post Reply | Private Reply | To 103 | View Replies]

To: WildTurkey
It is obvious that you are a MS basher and that you did NOT read the article. It said no machines with SP2 (available for some months) were hacked. It also said that Linux and Mac were equally vulnerable but that they weren't directly attacked because the attackers were looking for Windows systems. Read the quotes below. YOUR MAC is vulnerable without a firewall. MORE vulnerable than XP SP2!...

"The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added.

We are now going on FOUR YEARS experience with OSX and, despite the glory that would be given in the hacker world to a hacker who penetrated the Mac's vaunted security, IT HAS NOT HAPPENED! There have been a couple of trojans that rely on tricking the user into installing them, and a couple of proofs of concept that demonstrated some security holes... but these holes were quickly closed. ONE proof of concept proved that an OSX system could be tricked into downloading and executing an executable on a disk image. That was patched very quickly and is no longer possible. ALL newly installed programs required the user to approve their first execution before they can run. Users who fell prey to the trojans could probably be counted on the fingers of two people.

Authors of studies such as this keep claiming that the Mac is "just as (or more) vulnerable as Windows", but, to date, they CANNOT and HAVE NOT shown ANY self-propagating code that WILL compromise a Mac OSX.3 system... Until they do, I am not worried. The mere declaration that it would happen shows they are ignorant of the security built into Unix based systems... the requirement to have an administrator password to install executables. It is probably just wishful thinking.

Before OSX, there WERE viruses and worms that were written to invade the even smaller number of OS9 and lower operating systems on the Mac. They were rare, but fairly regularly, hackers would come up with a new variety. Mac users of those OSs also had to buy and use Norton AntiVirus just as Windows users have to.

There are now over 14 million OSX users... and NO VIRUSES. NO SPYWARE. NO ADWARE. NO HIJACKERS. NO WORMS.

105 posted on 11/30/2004 9:08:42 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: UseYourHead
There are many more. Mac OS used to be CLI free and therefore fairly well protected. Now that it is just BSD with a Mac interface, there are plenty of things to look after when setting it up. Like anything else out there, configuration is key. Never attach a machine to any network until it is configured - as attested to by some of the previous comments.

The Macs with OSX are shipped with the ROOT LEVEL turned off by default. While the Command Line Interface is available to lower level users, little damage can be done to the operating system or other users without activating Root AND having its password.

Your link to the September 8, 2004 article about Apple's latest patch releases for OSX is apt... OSX, like any operating system, is a work in progress. We applaud the identification and patching of flaws. However, you might notice that in almost every case, the flaws were in components or features that were, by default, "turned off".

As for your statement about attaching unknown configuration machines to networks, I agree completely.

106 posted on 11/30/2004 9:24:45 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 55 | View Replies]

To: Bush2000; antiRepublicrat; LasVegasMac; Action-America; eno_; N3WBI3; zeugma; TechJunkYard; ...

Ping for Mac interest. Unprotected PCs infected within 4 minutes of being connected to the Internet. Article claims Macs "very vulnerable" if malicious code was written for them.

If you want to be included on the Mac Ping List, or dropped from it, please Freepmail me.


107 posted on 11/30/2004 9:44:04 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ThinkDifferent
Heh, I sold at 34, convinced that would be the peak for a while. Whoops.

Which is worse? Not to have bought at all at 13... or to have bought and sold at 34, half of what it has reached today?

Which self imposed kicks in the butt are hardest?

108 posted on 11/30/2004 9:49:12 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 93 | View Replies]

To: Swordmaker
Which self imposed kicks in the butt are hardest?

I sold at 15.25. Somewhere over 1,000 shares :-(

109 posted on 11/30/2004 10:00:33 PM PST by glorgau
[ Post Reply | Private Reply | To 108 | View Replies]

To: zeugma
I would guess that connecting to the net through a firewall would be difficult on a dialup circuit though. I don't even own a modem anymore, so it's something I've not investigated.

One distinct advantage dial-up users have over broadband users is that they are not ALWAYS connected. IF they are infected with Spyware or viruses that need to use the internet to phone home or propagate, then they WILL notice their computers connecting when they are not wanting them to.

Another advantage that can give the dial-up user a little protection (if they are alert) is that with a dial-up, the user can keep the status window open and visible. Any suspicious activity of downloading and uploading can be seen... especially if the activity seems unrelated to the current user activity. For example, the user is on a no-longer downloading website and the connection status window shows downloads or uploads taking place. With broadband, such activity may happen too quickly to be noticed.

I had one new client who FINALLY called me (not when he should have but after months of frustration) because his computer wanted to connect to the internet so badly that it would start over 60 dial-up connection windows (the auto-connect was turned off) and each and every one of them HAD to be closed before he could do anything productive with his computer. Needless to say, his computer was very badly infested. Had he had a constantly connected broadband, it is likely he would not have noticed the infestation as no windows would have been in-his-face!

The firewall probably would have been no protection AFTER THE FACT of such an infection. The connection would have been initiated by the infected computer and the firewall would have allowed these connections.

110 posted on 11/30/2004 10:04:11 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 100 | View Replies]

To: zeugma

http://www.grc.com/default.htm


111 posted on 11/30/2004 11:36:45 PM PST by SunkenCiv ("All I have seen teaches me trust the Creator for all I have not seen." -- Emerson)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Thanks for the ping...

I'm glad I *forgot* to sell my AAPL shares - heh heh. I'm still sitting on the ones I bought while it was in the teens.

Interesting thread. I use Virex on my Macs (cuz it's free with the .mac service) and don't give viruses a second thought. It does its monthly update and never finds anything nasty on my drive. I don't think I'd like to be always worrying about an impending attack. Living in a war zone for the last year was one thing, but someone messing with my Mac - well, that's another.

Cheers, CC :)


112 posted on 12/01/2004 12:42:53 AM PST by CheneyChick (Proud to be a Vet!)
[ Post Reply | Private Reply | To 107 | View Replies]

Good info bump


113 posted on 12/01/2004 4:49:38 AM PST by whd23
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

Thanks for the information. I will check into FireFox.


114 posted on 12/01/2004 7:07:38 AM PST by native texan
[ Post Reply | Private Reply | To 98 | View Replies]

To: Publius6961
Gee, I thought this was the most relevant:

"The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now."

115 posted on 12/01/2004 7:16:14 AM PST by ItsForTheChildren
[ Post Reply | Private Reply | To 10 | View Replies]

To: governsleastgovernsbest
I did use Zone Alert, but found it was too intrusive and also interfered with my wi-fi system so have deleted it.

I have a laptop with WiFi and am running Zone Alarm Pro with no problems. And Pro is not inherently more WiFi friendly than the free version.

116 posted on 12/01/2004 7:20:10 AM PST by AFreeBird (your mileage may vary)
[ Post Reply | Private Reply | To 14 | View Replies]

To: UseYourHead
Wasn't that more of a terminal than a CLI?

Didn't you Interface with the terminal by entering Lines of Commands?

Maybe I'm reaching here. (cough, cough,.. sarcasm cough, cough)

117 posted on 12/01/2004 7:23:17 AM PST by avg_freeper (Gunga galunga. Gunga, gunga galunga)
[ Post Reply | Private Reply | To 64 | View Replies]

bttt


118 posted on 12/01/2004 7:33:26 AM PST by stainlessbanner
[ Post Reply | Private Reply | To 25 | View Replies]

To: SengirV

Having been in the IT field for the last 15 years or so, I strongly disagree.


119 posted on 12/01/2004 7:34:35 AM PST by Durus
[ Post Reply | Private Reply | To 56 | View Replies]

To: Swordmaker

bump


120 posted on 12/01/2004 7:36:41 AM PST by Tribune7
[ Post Reply | Private Reply | To 107 | View Replies]

