Free Republic


Unprotected PCs Fall To Hacker Bots In Just Four Minutes
TechWeb | 11/30/2004 | Gregg Keizer

Posted on 11/30/2004 1:29:41 PM PST by zeugma


By Gregg Keizer, TechWeb.com

The lifespan of a poorly protected PC connected to the Internet is a mere four minutes, research released Tuesday claimed. After that, it's owned by a hacker.

In the two-week test, marketing-communications firm AvanteGarde deployed half a dozen systems in "honeypot" style, using default security settings. It then analyzed the machines' performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet.

The six machines were equipped with Microsoft Windows Small Business Server 2003, Microsoft Windows XP Service Pack 1 (SP1), Microsoft Windows XP SP1 with the free ZoneAlarm personal firewall, Microsoft Windows XP SP2, Macintosh OS X 10.3.5, and Linspire's distribution of Linux.

Not surprisingly, Windows XP SP1 sans third-party firewall had the poorest showing.

"In some instances, someone had taken complete control of the machine in as little as 30 seconds," said Marcus Colombano, a partner with AvanteGarde, and, along with former hacker Kevin Mitnick, a co-investigator in the experiment. "The average was just four minutes. Think about that. Plug in a new PC--and many are still sold with Windows XP SP1--to a DSL line, go get a cup of coffee, and come back to find your machine has been taken over."

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.

"If you're running a firewall so your machine is not seen, you're less likely to be attacked," said Colombano. "The bot or worm simply goes onto the next machine." Windows XP SP1 ships with a host firewall, but it is off by default; SP2 turns it on by default, one of the changes Microsoft touted most heavily in that release.

The successful attacks took advantage of weak passwords on the target machines, as well as a pair of long-patched vulnerabilities in Microsoft Windows. One, the RPC/DCOM vulnerability (MS03-026), harks back to July 2003 and was behind the vicious MSBlast worm of that summer. The second, the LSASS vulnerability (MS04-011), was first disclosed in April 2004 and led to the Sasser worm.

The most secure system during the experiment was the one running Linspire's Linux. Out of the box, Linspire left only one port open. Although it answered ping requests from automated attackers sniffing for victims, it experienced the fewest attacks of any of the six machines and was never compromised: the single listening service was not one that the automated, Windows-targeted attacks knew how to exploit.

The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. "The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added.

For the bulk of users who work with Windows, however, Colombano didn't recommend dumping Redmond's OS and scurrying for the protection of hacker-ignored platforms.

"Update Windows regularly with Microsoft's patches, use a personal firewall--third-party firewalls still have their place, since Microsoft's isn't suited to guard against outbound attacks--keep secure passwords, and use some type of anti-virus and anti-spyware software," he advised. Of the list, the firewall is the most important. The study concluded, for example, that Linux- and Windows-based machines using an application firewall were the best at preventing attacks.

"No machine is immune," he counseled. "No human is safe from every virus, and it's the same for machines. That's why people have to have some personal responsibility about security. You have to be a good citizen on the network, so you're not only protecting yourself, but others who might be attacked from exploits originating on your machine."
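The article's two practical points, that a bot can only attack a service it can reach and that a host firewall makes the machine "not seen", can be checked from the outside. The Python script below is an added example, not part of the TechWeb article or AvanteGarde's study. It probes the TCP ports the Blaster and Sasser worms went after and distinguishes open (a service is listening), closed (the host answered with RST, so it is visible) and filtered (no answer at all, which is what a host firewall that drops unsolicited SYNs looks like to a scanner). The port-to-bulletin mapping (135/tcp for MS03-026, 445/tcp for MS04-011, 139/tcp for SMB logons) is well-known background added here, not something the article states; the loopback listener is a constructed stand-in for an exposed service so the script runs offline.

```python
import errno
import socket
import threading
from typing import Dict

# Ports the automated attacks described in the article went after.
# Well-known background, added here: the article names the bugs, not the ports.
WORM_PORTS: Dict[int, str] = {
    135: "RPC endpoint mapper / DCOM  (MS03-026, Blaster)",
    139: "NetBIOS session / SMB logon (weak-password guessing)",
    445: "SMB over TCP / LSASS        (MS04-011, Sasser)",
}

# connect_ex() error codes that mean 'no answer' rather than 'refused'
_FILTERED_ERRNOS = {errno.EAGAIN, errno.EWOULDBLOCK, errno.ETIMEDOUT, errno.EINPROGRESS}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port the way a scanning bot sees it.

    open     - the handshake completed; a service is listening and attackable
    closed   - the host replied with RST; no service, but the host is visible
    filtered - nothing came back before the timeout; a host firewall dropped
               the SYN, which is the 'not seen' state the article describes
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
        except OSError as e:  # e.g. ENETUNREACH on a dead route
            rc = e.errno or -1
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    if rc in _FILTERED_ERRNOS:
        return "filtered"
    return f"error({rc})"


def exposure_report(host: str, ports=WORM_PORTS, timeout: float = 2.0) -> Dict[int, str]:
    """Probe every worm-targeted port on host and return {port: state}.
    Any 'open' entry is a box the 2004 bots would have found within minutes."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_fake_service(host: str = "127.0.0.1") -> socket.socket:
    """Constructed stand-in for an exposed Windows service: a loopback listener
    on an ephemeral port, accepted and dropped in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def _drain() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                return

    threading.Thread(target=_drain, daemon=True).start()
    return srv


def unused_port(host: str = "127.0.0.1") -> int:
    """Return a loopback port nothing listens on, to show the 'closed' state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Against a real host you would call exposure_report("192.0.2.10") and
    # treat any 'open' on 135/139/445 as the SP1-without-firewall situation.
    srv = start_fake_service()
    open_port = srv.getsockname()[1]
    closed_port = unused_port()
    print(f"{open_port:>5}/tcp  {probe_port('127.0.0.1', open_port):<8} stand-in for 445: would be attacked")
    print(f"{closed_port:>5}/tcp  {probe_port('127.0.0.1', closed_port):<8} RST: host visible, no service")
    srv.close()
```

The three states map directly onto the article's results: the XP SP1 box had 135 and 445 open, the SP2 and ZoneAlarm boxes showed every port filtered, and the Linspire box answered pings but exposed nothing the bots could use.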


TOPICS: Business/Economy; Culture/Society; Miscellaneous
KEYWORDS: computersecurity; exploit; freeware; getamac; hackers; internetexploiter; linux; lookoutexpress; lowqualitycrap; microsoft; patch; securityflaw; spyware; trojan; virus; windows; windoze; worm
To: zeugma
We've been told we don't have to worry about a firewall because we have dial up. Is that true?

We just had Mozilla Firefox installed, and that has really cut down on the pop-ups, esp from the DrudgeReport!

41 posted on 11/30/2004 2:11:02 PM PST by ncpatriot
[ Post Reply | Private Reply | To 1 | View Replies]

To: TomGuy

I do enjoy some of the extensions, such as the ability to remember passwords even on sites that try to prohibit that. Is there a system you recommend as an alternative to IE and Firefox?


42 posted on 11/30/2004 2:12:17 PM PST by governsleastgovernsbest (Watching the Today Show since 2002 so you don't have to.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: proxy_user
Does anyone know which port this is, and what network service is bound to it?

Not 100% sure about Linspire but an educated guess would be 113/IDENT.

43 posted on 11/30/2004 2:13:10 PM PST by LTCJ
[ Post Reply | Private Reply | To 22 | View Replies]

To: zeugma

Bookmark for future edjumakashun....


44 posted on 11/30/2004 2:14:16 PM PST by AngryJawa (Now Accepting Ammo Donations)
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user
I don't know but when I saw that I wondered if they would be compliant with RFC 1122.

You think they're doing a port re-map internally?

45 posted on 11/30/2004 2:14:43 PM PST by Proud_texan
[ Post Reply | Private Reply | To 22 | View Replies]

To: ThinkDifferent
Having said that, everyone should have a hardware firewall regardless of OS.

Now why would you say that since you also seem so confident that Macs are not vulnerable?

46 posted on 11/30/2004 2:16:00 PM PST by WildTurkey
[ Post Reply | Private Reply | To 37 | View Replies]

To: zeugma

Two comments:

1. The honeypots were inactive; e.g., no email reading or web browsing to simulate real-world usage. I'd like to see this experiment repeated with some scripts on each machine running through a list of web sites as well as receiving and responding to spam. Each OS's resistance to the resultant malware attacks would be instructive.

2. The Mac in this experiment actually had some extra services turned on such as 'windows file sharing' ... and still wasn't compromised.


47 posted on 11/30/2004 2:18:42 PM PST by IndyMac
[ Post Reply | Private Reply | To 1 | View Replies]

To: governsleastgovernsbest
I like the FoxyVoice extension. I use another browser (IE based) that has built-in speech. It is excellent for reading long news articles aloud, although the computer voice takes some getting used to.

I've tried most known browsers at one time or another. My favorite (IE based) is Fastbrowser because it was one of the first with tabbed and built-in speech capabilities.

I have Maxthon (IE based) and Mozilla (similar to the old Netscape).

If I run up against a webpage that doesn't work with one, I load up IE. Sometimes I'll have 2-3 different makes of browsers running at the same time. Each has its good and not so good. It is in what a person gets used to.
48 posted on 11/30/2004 2:18:46 PM PST by TomGuy (America: Best friend or worst enemy. Choose wisely.)
[ Post Reply | Private Reply | To 42 | View Replies]

To: WildTurkey
Now why would you say that since you also seem so confident that Macs are not vulnerable?

I'm confident I won't get into an accident driving home tonight, but I'll still wear my seat belt.

49 posted on 11/30/2004 2:19:38 PM PST by ThinkDifferent (A plan is not a litany of complaints)
[ Post Reply | Private Reply | To 46 | View Replies]

To: zeugma

Can I just click on firefox and that's all I need...I don't need to buy anything?


50 posted on 11/30/2004 2:20:11 PM PST by processing please hold (Islam and Christianity do not mix ----9-11 taught us that)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

I use a hardware firewall along with AnalogX script defender, Xp SP2, XP antispy, Spyware blocker, PC Pitstop security config, and Zone Alarm. I also use an antivirus, anti popup blocker, Ad-Aware, Spybot SD, PC cleaner, and tested my machine against GRC.com

I still feel vulnerable. :-(


51 posted on 11/30/2004 2:24:42 PM PST by RadioAstronomer
[ Post Reply | Private Reply | To 1 | View Replies]

To: TomGuy
Don't forget to use "Live Bookmarks" or the Sage RSS reader to get your daily dose of Freeper goodness. I'm a recent convert to Firefox and I love it, while there are a few pages that render funky for the most part I'm more than happy. Security wise it's a no-brainer.

Batten down those "cookie hatches": Ad-Aware and Spybot will NOT detect tracking cookies from Firefox. It uses the old Netscape cookie format that puts them into a single text file, and those programs will not see them. I use "accept only from originating site" and "delete when closing Firefox" with good results, but you can make it tighter.

Sage.Mozdev

Sage Project Wiki, check out the tutorial under getting started.

52 posted on 11/30/2004 2:26:14 PM PST by this_ol_patriot
[ Post Reply | Private Reply | To 36 | View Replies]

To: Publius6961
This is the relevant useful statement in the whole post. At least for today.

Guess you missed this part: The automated bot/worm attackers were exclusively using Windows-based attacks

53 posted on 11/30/2004 2:27:22 PM PST by mikegi
[ Post Reply | Private Reply | To 10 | View Replies]

To: zeugma
"The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. "The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added."

First of all Mac OS 10.x comes with a firewall that blocks a number of the ports by default. I have no idea how they turned it off. The rest is just silly conjecture. There is no way of knowing what would happen if they intentionally tried to target the Mac operating system. There is no way of knowing from this article how easy it would be to code exploits for the mac.

Of course it could be done but the degree of vulnerability doesn't increase just because it hasn't been tried.

54 posted on 11/30/2004 2:27:56 PM PST by avg_freeper (Gunga galunga. Gunga, gunga galunga)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ThinkDifferent

Actually Apple has been busy patching OSX this year. Here is one article on 15 of them:

http://www.eweek.com/article2/0,1759,1643902,00.asp

There are many more. Mac OS used to be CLI free and therefore fairly well protected. Now that it is just BSD with a Mac interface, there are plenty of things to look after when setting it up. Like anything else out there, configuration is key. Never attach a machine to any network until it is configured - as attested to by some of the previous comments.


55 posted on 11/30/2004 2:28:29 PM PST by UseYourHead (Smith & Wesson: The original point-and-click interface)
[ Post Reply | Private Reply | To 37 | View Replies]

To: zeugma

Macs and OS X are your friends. The wintel brown shirts will claim higher costs, but with this crap as the alternative, the TCO is WAY below what a wintel POS costs to operate.


56 posted on 11/30/2004 2:29:01 PM PST by SengirV
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

ping for info


57 posted on 11/30/2004 2:29:52 PM PST by Mustng959 (In loving memory of those that gave their all to preserve our Freedoms!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop; this_ol_patriot; LTCJ

But according to what I have read, there's little need to run an IDENT service nowadays. You can leave port 113 closed but not stealthed, and remote connections will work.

The IDENT protocol, as documented in RFC 1413, is really a hoot. Life was simpler in those days....


58 posted on 11/30/2004 2:30:48 PM PST by proxy_user
[ Post Reply | Private Reply | To 38 | View Replies]
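The IDENT discussion above (LTCJ's guess at 113/IDENT and proxy_user's note on RFC 1413) can be made concrete. The Python below is an added example, not code from the thread or from Linspire. It builds an RFC 1413 query, parses both reply forms, and shows why security people dislike the service: a USERID reply hands a valid local login name to anyone who connects. It also includes a hypothetical minimal responder that answers every query with ERROR : HIDDEN-USER, the stance to take if you must run identd at all. The loopback server, the responder and the port numbers in the demo are constructed; the two sample reply lines are the examples printed in RFC 1413 itself.

```python
import re
import socket
import threading
from typing import Dict, Tuple

IDENT_PORT = 113  # tcp/113, the port LTCJ guessed at above
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """RFC 1413 request: '<port on the ident host> , <port on the asking host>'.
    An IRC server asking your PC who owns the connection from your port 51000
    to its port 6667 sends b'51000, 6667\\r\\n' to your tcp/113."""
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{port_on_server}, {port_on_client}\r\n".encode("ascii")


def parse_reply(line: bytes) -> Dict[str, object]:
    """Parse one reply line into a dict; raise ValueError on anything off-spec."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    m = _REPLY_RE.match(text)
    if not m:
        raise ValueError(f"malformed ident reply: {text!r}")
    ports = (int(m.group(1)), int(m.group(2)))
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        err = rest.strip()
        if err not in ERROR_TYPES and not err.startswith("X"):  # X-... are private codes
            raise ValueError(f"unknown error type: {err!r}")
        return {"ports": ports, "kind": kind, "error": err}
    # USERID : <opsys>[ , <charset>] : <user-id>; the user-id may itself contain ':'
    opsys, sep, user = rest.partition(":")
    if not sep or not user.strip():
        raise ValueError("USERID reply without a user-id field")
    return {"ports": ports, "kind": kind, "opsys": opsys.strip(), "user": user.strip()}


def _hidden_user_responder(conn: socket.socket) -> None:
    """Hypothetical minimal identd (not Linspire's daemon): accept the query so
    querying servers get an immediate answer, but never reveal an account name."""
    with conn:
        req = conn.recv(512).decode("ascii", "replace").strip()
        try:
            s_port, c_port = (int(x) for x in req.split(","))
            ok = 1 <= s_port <= 65535 and 1 <= c_port <= 65535
        except ValueError:
            s_port, c_port, ok = 0, 0, False
        status = "ERROR : HIDDEN-USER" if ok else "ERROR : INVALID-PORT"
        conn.sendall(f"{s_port}, {c_port} : {status}\r\n".encode("ascii"))


def start_ident_server(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Loopback listener on an ephemeral port (constructed so the demo runs offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=_hidden_user_responder, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def query_ident(host: str, port_on_server: int, port_on_client: int,
                ident_port: int = IDENT_PORT, timeout: float = 3.0) -> Dict[str, object]:
    """Client side of the exchange: connect, send the query, read one reply line."""
    with socket.create_connection((host, ident_port), timeout=timeout) as s:
        s.sendall(build_query(port_on_server, port_on_client))
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 1000:  # RFC 1413 caps lines at 1000 chars
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf)


if __name__ == "__main__":
    # The two reply lines are the examples given in RFC 1413 section 4.
    print(parse_reply(b"6193, 23 : USERID : UNIX : stjohns\r\n"))  # leaks a login name
    print(parse_reply(b"6195, 23 : ERROR : NO-USER\r\n"))
    srv, port = start_ident_server()
    print(query_ident("127.0.0.1", 6193, 23, ident_port=port))  # HIDDEN-USER: nothing leaked
    srv.close()
```

Seen through the scanner's eyes from the article: a stealthed 113 makes IRC and some mail servers wait out an ident timeout before letting you in, a closed 113 (RST) gets them to give up at once, and a HIDDEN-USER responder answers immediately without naming an account. None of the three gives the bots anything to exploit; only a real identd returning USERID does.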

To: avg_freeper
There is no way of knowing what would happen if they intentionally tried to target the Mac operating system.

Interfaces are what they are. If they were left wide open on the Mac, you'd have the same result as with the Pee Cee or any other platform. There are no code mysteries left in the universe and there haven't been since they invented the computer.

59 posted on 11/30/2004 2:33:13 PM PST by Glenn (The two keys to character: 1) Learn how to keep a secret. 2) ...)
[ Post Reply | Private Reply | To 54 | View Replies]

To: ThinkDifferent

Perhaps because you know that since XP was beefed up with SP2 it will be just matter of time till the hackers go after the more vulnerable Macs.


60 posted on 11/30/2004 2:33:22 PM PST by WildTurkey
[ Post Reply | Private Reply | To 49 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
