Study: Unpatched PCs compromised in 20 minutes

Thread: Study: Unpatched PCs compromised in 20 minutes

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Study: Unpatched PCs compromised in 20 minutes

    Don't connect that new PC to the Internet before taking security precautions, researchers at the Internet Storm Center warned Tuesday.
    According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it's compromised by malware, on average. That figure is down from around 40 minutes, the group's estimate in 2003.

    The Internet Storm Center, which is part of the SANS Institute, calculated the 20-minute "survival time" by listening on vacant Internet Protocol addresses and timing the frequency of reports received there.

    "If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe," the center, which provides research and education on security issues, said in a statement.

    The drop from 40 minutes to 20 minutes is worrisome because it means the average "survival time" is not long enough for a user to download the very patches that would protect a PC from Internet threats.

    Scott Conti, network operations manager for the University of Massachusetts at Amherst, said he finds the center's data believable.

    "It's a tough problem, and it's getting tougher," Conti said.

    One of Conti's administrators tested the center's data recently by placing two unpatched computers on the network. Both were compromised within 20 minutes, he said.

    The school is now checking the status of computers before letting them connect to the Internet. If a machine doesn't have the latest patches, it gets quarantined with limited network access until the PC is back up to date.

    "We are giving the people the ability to remediate before connecting to the network," Conti said.

    The center also said in its analysis that the time it takes for a computer to be compromised will vary widely from network to network.

    If the Internet service provider blocks the data channels commonly used by worms to spread, then a PC user will have more time to patch.

    "On the other hand, university networks and users of high-speed Internet services are frequently targeted with additional scans from malware like bots," the group stated. "If you are connected to such a network, your 'survival time' will be much smaller."

    In a guide to patching a new Windows system, the Internet Storm Center recommends that users turn off Windows file sharing and enable the Internet Connection Firewall. Microsoft's latest security update, Windows XP Service Pack 2, will set such a configuration, but users will have to go online to get the update, opening themselves up to attack.

    One problem, experts say, is network administrators' reliance on patching and their assumption that users will quickly patch systems.

    Speaking recently at the Microsoft TechEd developer conference in Amsterdam, Microsoft security consultant Fred Baumhardt said the day is likely to come when a virus or worm brings down everything.

    "Nobody will have time to detect it," he said. "Nobody will have time to issue patches or virus definitions and get them out there. This shows that patch management is not the be-all and end-all."

    Baumhardt stressed the importance of adaptability, using the human immune system as an example: "Imagine if your body said, 'Hmm, I have the flu. I've never had this before, so I'll die.' But that doesn't happen: Your body raises its temperature and so on, to buy time while other mechanisms kick in."

    "If the human body did patch management the way (companies do), we'd all be dead."
    Source: http://zdnet.com.com/2100-1105_2-5313402.html
    -Simon "SDK"
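    The survival-time measurement the article describes (unsolicited probes arriving at vacant addresses, averaged into a mean gap, and the effect of an ISP filtering the ports worms use) as an added Python example; this is not ISC's code, the sensor log lines are constructed, and the blocked-port set is an assumption:

```python
"""Estimate darknet "survival time" as described above: record every
unsolicited probe that reaches a vacant address and take the mean gap
between probes. Added example, not ISC's code; the log is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sensor log: date time source vacant-destination dst-port.
# 192.0.2.10 stands for a quieter network, 198.51.100.7 for a heavily
# scanned one (the article notes that survival time varies by network).
PROBE_LOG = """\
2004-08-17 10:00:00 10.1.1.5 192.0.2.10 445
2004-08-17 10:04:00 10.1.2.9 192.0.2.10 135
2004-08-17 10:08:00 10.1.3.2 192.0.2.10 445
2004-08-17 10:30:00 10.3.4.4 192.0.2.10 80
2004-08-17 10:52:00 10.3.5.1 192.0.2.10 1433
2004-08-17 10:00:00 10.9.9.1 198.51.100.7 445
2004-08-17 10:02:00 10.9.9.2 198.51.100.7 445
2004-08-17 10:03:30 10.9.9.3 198.51.100.7 139
2004-08-17 10:05:00 10.9.9.4 198.51.100.7 1433
2004-08-17 10:06:00 10.9.9.5 198.51.100.7 135
"""

# Assumption: ports an ISP might block to slow worm spread (not from the page).
ISP_BLOCKED_PORTS = frozenset({135, 139, 445})


def parse_log(text):
    """Map each vacant address to its (timestamp, dst_port) probes, sorted."""
    probes = defaultdict(list)
    for line in text.splitlines():
        date, clock, _src, dst, port = line.split()
        probes[dst].append((datetime.fromisoformat(f"{date} {clock}"), int(port)))
    for dst in probes:
        probes[dst].sort()
    return probes


def survival_time(timestamps):
    """Mean inter-probe gap in minutes; fewer than two probes gives no estimate."""
    if len(timestamps) < 2:
        return None
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(timestamps, timestamps[1:])]
    return mean(gaps)


def survival_by_sensor(text, blocked_ports=frozenset()):
    """Per vacant address, survival time after ignoring probes to blocked ports."""
    result = {}
    for dst, events in parse_log(text).items():
        result[dst] = survival_time([t for t, port in events if port not in blocked_ports])
    return result
```

    Running `survival_by_sensor(PROBE_LOG)` against `survival_by_sensor(PROBE_LOG, ISP_BLOCKED_PORTS)` shows the quieter sensor's estimate rise once worm ports are filtered, while the heavily scanned one is left with too few non-worm probes to estimate at all.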

  2. #2
    Member
    Join Date
    May 2004
    Posts
    33
    "If the human body did patch management the way (companies do), we'd all be dead."
    Hah. The editors softened this sentence, but I can guess what Baumhardt really said.

    Starts with an "M"....ends with a "soft".....

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    From personal experience:

    I had an idiot IT director at my last job (we got rid of him eventually ) who wanted us to set up a Microsoft terminal server at the central office so he (and all the high up mucky-mucks) could have remote access to the network. He wanted me to punch a hole straight through the firewall and essentially leave our main office network completely vulnerable. Didn't want it in a DMZ...nothing. Just open access so that he could show all the CXO types a cool toy.

    So after losing the argument I set one up. Admittedly, I set it up to be breached. Static NAT translation on the edge router, firewall ACLs that said:
    access-list Inbound permit ip any host 172.16.2.23
    access-list Outbound permit ip host 172.16.2.23 any
    and it was completely unpatched with IIS 5 running on it.

    We were an FTP porn site in 40 minutes. 40 minutes!!!

    I watched the penetration take place, it was quick.


    We decided not to have a terminal server in place after all.

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Well thread sometimes it's only like that you can make the management really believe you... your story reminds me a lot of the BOfH archives.

    As for the 20 minute time until an infection, that's an average. Which means you could be down within a second or so from when the first SYN/ACK is made. It's a terrible world out there, especially if you're using ICF instead of iptables :P
    /\

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    wow thead... I can't believe you did that... hopefully you had rules on the box you *wanted* to get compromised to further compromise of the rest of your network... I know you said you were watching it... but I'd be very nervous about something like that.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Member
    Join Date
    Aug 2004
    Posts
    95

    vulnerabilities in IIS

    There are some serious vulnerabilities in IIS, if used properly with appropriate tools the hacker or intruder can sit in your machine with a rootkit or a killer trojan which would remove your antivirus and software firewall in no time.

    Is there any vulnerability reported for IIS 6?

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    anban,

    About weeks ago, from a private security mailing list I got to know that the recent findings on IIS 6 vulnerabilities count is 60! If you were on the NTBugTraq mailing list, you might have read that as well. This actually came from Russ Cooper's AUSCert presentation about Microsoft Security Bulletins. Russ is the editor for NTBugTraq, a well-known security expert in MS products security. However, I and a couple of Security MVPs do not agree with his findings. Here's the short summary about IIS 6.0:

    7. I then compared IIS versions. Given the timeframe of the products,the numbers are very different;
    IIS 4.0 = 231 vulnerabilities
    IIS 5.0 = 282 vulnerabilities
    IIS 6.0 = 60 vulnerabilities

    It does appear that there is some contention as to exactly how many, but 60 have been claimed at this link:

    http://msmvps.com/bernard/archive/2004/06/10/7882.aspx


    cheers
    Connection refused, try again later.

  8. #8
    Junior Member
    Join Date
    Sep 2001
    Posts
    5
    "If the human body did patch management the way (companies do), we'd all be dead."
    That's the difference between God and human invention.

    Anyway, in terms of human invention it has a lot of ideas and effort can be made to nearly perfect the creation. Open source software is a good example where unknown smart people around the globe contribute/work together to achieve what they believe they can.

  9. #9
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Interesting...we must be the cause of a lower average time. An unprotected machine takes from 30 seconds to 2 minutes to get compromised on our networks. 20 minutes is generous.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  10. #10
    Blast From the Past
    Join Date
    Jan 2003
    Posts
    729
    ha I'm a home user....set my comp into the DMZ...it was out in 11 seconds!
    yea it was windows 98se fresh install...but i mean wow...just.....wow
    heh...now that i think about it....i was sending a mouse into a battle zone.....cause that's all it is out there.......at least this isn't nuke warz in irc.....i have some stories about them too
    work it harder, make it better, do it faster, makes us stronger
