Clean System to Zombie Bot in 4 minutes

Slashdot thread on a USA Today investigation into how long it takes computers attached to the internet to be attacked and compromised:
According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PCs got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop was also impenetrable, but was only targeted by 0.26% of all attacks.
In the Slashdot thread the well-known geeks from Avantgarde had some more info. The interesting bit is the difference between XP SP1 and SP2 (Service Pack 1 and 2 - these are Microsoft security updates you XP users should be installing. Obviously 2 is the most recent.)
There was an SP2 machine included in the same test. It went unmolested, due largely to the new firewall enabled by default. This particular test environment included no user activity, i.e. no email reading, no web browsing.

Generally speaking, I'm pleased with SP2. As long as you're running XP, and it won't affect your critical functionality adversely, install it. It won't be exploit-proof moving forward, but it's the easiest way to patch the current set of problems.
Of course, it will probably take you more than 4 minutes of being connected to the net to download the SP2 patch! D'oh.

In related news, Ars Technica recently did a roundup of spyware removal tools for Windows. No sense reading the whole thing, but they conclude that the free Ad-Aware is your best bet. You can download it here.
- jim 12-01-2004 12:32 am

+5 gratuitous Simpsons reference in the /. comments:

ARG! The patches! They do nothing!

- jim 12-01-2004 12:48 am


I did the Service Pack 2 thing a while back. The only thing I was confused about was, during the install it asked if I wanted to disable the Norton firewall in order to substitute the Windows firewall. I'm paying for the Norton, so I said no. I don't know how vulnerable that leaves me. I've been using Firefox so I'm less open to IE bugs. I do wish there was some way of knowing if I'm part of a botnet.
- tom moody 12-01-2004 1:30 am


I have a firewall in my router which I think was keeping me safe, plus the firewall in SP2 now. I did notice the firewall in SP2 detecting when some software on my machine "spontaneously" generated some IP traffic. It was all innocuous traffic, but it was nice to see evidence that the firewall was keeping its eye on things.
- mark 12-01-2004 2:27 am


Yes, I should have mentioned this. Having a router (~ $50) between your computer and your cable/DSL modem is a very good idea. Obviously Mark knows how this works (he could probably build one!) but if anyone else is interested I can try to explain in my rambling way.

The short version: a router is so you could hook more than one device up to your one internet connection (either the router has multiple Ethernet ports, or has some wireless capabilities to connect multiple devices.) But a side benefit of this situation is that all traffic goes through the router, both incoming and outgoing, and since the router isn't running any services (or even any software other than what is in its firmware) it is much more secure than your computer (assuming you change the default password from 'admin'!) So you sort of get a firewall for free at the router, and this makes it attractive for security even if you don't have multiple devices you want to connect to the internet.

The downside is that you have to be slightly savvy in terms of being able to set up port forwarding on the router if you want to run p2p apps or things like Skype. But it's not really that hard. And the security seems well worth it.
- jim 12-01-2004 2:45 am


Actually, IP isn't my strongest point. I mostly went with the out-of-the-box settings of a name brand router. It drives Cat 5 ports in various locations around the house (including my back yard), allows multiple PCs to share the DSL line, and provides WiFi (which is a gaping security hole, but MAC filtering helps). I'm not running any p2p stuff, so I haven't had to mess with port forwarding. If you're running a server, there are more issues to deal with.
- mark 12-01-2004 2:55 am
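The router-as-firewall behaviour jim describes above, and the port-forwarding exception he and mark mention, as an added simulation that is not code from the original thread: a stateful default-deny filter lets replies to connections the LAN started back in, drops unsolicited probes (such as the SMB/LSASS and RPC/DCOM traffic that hit the XP SP1 box), and passes only traffic matching an explicit forward rule. All addresses, ports and the p2p forward are constructed sample values; address translation itself is omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the internet) or "out" (leaving the LAN)
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class RouterFirewall:
    """Stateful, default-deny-inbound filter like the one a home router gives you for free.
    NAT address rewriting is left out so the LAN host's own address is used throughout."""

    def __init__(self, forwards=None):
        # forwards: {(proto, public_port): (lan_ip, lan_port)}, set up by hand for p2p/Skype/servers
        self.forwards = dict(forwards or {})
        self.state = set()   # 5-tuples of connections a LAN machine initiated

    def handle(self, pkt):
        if pkt.direction == "out":
            # Outbound traffic is allowed and remembered so the reply can come back in
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: allowed only if it answers something the LAN started ...
        reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self.state:
            return "allow"
        # ... or matches a forward rule the owner configured deliberately
        if (pkt.proto, pkt.dst_port) in self.forwards:
            lan_ip, lan_port = self.forwards[(pkt.proto, pkt.dst_port)]
            return f"forward to {lan_ip}:{lan_port}"
        # Everything else, including scans for services the PC happens to be running, is dropped
        return "drop"


def run_demo():
    """Constructed traffic: one LAN PC behind a router with a single (hypothetical) p2p forward."""
    pc = "192.168.1.10"
    fw = RouterFirewall(forwards={("tcp", 6881): (pc, 6881)})
    traffic = [
        Packet("in", "tcp", "198.51.100.7", 3072, pc, 445),    # unsolicited SMB/LSASS probe
        Packet("in", "tcp", "198.51.100.7", 3073, pc, 135),    # unsolicited RPC/DCOM probe
        Packet("out", "tcp", pc, 49152, "203.0.113.5", 80),    # PC browses a web site
        Packet("in", "tcp", "203.0.113.5", 80, pc, 49152),     # the web server's reply
        Packet("in", "tcp", "192.0.2.44", 51000, pc, 6881),    # peer hitting the forwarded port
    ]
    return [fw.handle(p) for p in traffic]
```

Without the router, the first two packets would reach the XP SP1 machine's listening services directly, which is exactly the 4-minute scenario in the study.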
