Four minutes to pwn?
It's IT Blogwatch: in which we offer important security advice for folks sticking with Windows XP. Not to mention the last place you want to hear management-speak...
Gregg Keizer reports:
It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet, a security researcher said today. The SANS Institute's Internet Storm Center (ISC) currently estimates the "survival" time of an Internet-connected computer running Windows at around four minutes if it's not equipped with the latest Microsoft Corp. security patches ... The ISC maintains a record of the time between network probes for an average IP address, and assumes that hackers would follow a successful probe ... [with] a worm. Another security researcher, however, said unpatched machines can last longer than just a few minutes before falling to attack. The German Honeypot Project, which sets vulnerable systems on the Internet to collect malware, estimates survival time in hours, not minutes. more
Here's the ISC's Lorna Hutcheson:
I have been asked by many people if I really believed the survival time graph on the ISC site was truly an accurate representation of how long a new system had once connected. The answer to this is yes ... [it's] currently around 4 minutes for unpatched systems. That is not much time at all and the window has shrunk over the past couple of years ... The battle, in my experience, is waged between the admins and management who want to get this system up and working and security who is saying not until it's been patched and its security posture confirmed. More than once, I've dealt with a compromise of a system that was placed on the network before it was hardened. I got the same answer every time: "We needed it working ASAP". However, more time was spent playing clean up from it than if it was just done right the first time. more
Thorsten Holz uses a different method:
With the help of honeypots, we can measure the survival time. For example, we can use low-interaction honeypots such as nepenthes or amun that emulate common network-based vulnerabilities and deploy them at different locations. The average time it takes to download the first binary is an estimation of the survival time ... About 90% of the attacks originate from machines within the same [ISP] ... Compared to the survival time from the Internet Storm Center which is currently below five minutes, we measure a higher survival time. However, the time is still short and you need to patch a system before taking it online. more
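The two figures quoted above come from different estimators: the ISC counts the time until the first unsolicited probe of an average address and assumes a worm follows, while the Honeypot Project counts the time until an emulated vulnerable service actually receives a malware binary. The following Python script is an added example, not code from the ISC, the Honeypot Project or this post; it replays a constructed sensor log in a hypothetical layout and computes both estimates side by side, plus the share of attacking sources inside each sensor's own ISP range. The sensor addresses, ISP ranges and log lines are all made up for the demonstration.

```python
"""Contrast two "survival time" estimators for a freshly connected unpatched host.

Added example, not code from the original post, the ISC or the Honeypot Project.
It replays a constructed sensor log and computes:
  - an ISC-style estimate: seconds from going online until the first unsolicited
    inbound probe of a service port (ISC assumes a successful probe is followed by a worm)
  - a honeypot-style estimate (the nepenthes/amun approach): seconds until the
    emulated vulnerable service actually hands over the first malware binary
  - the share of attacking sources that sit inside the sensor's own ISP range
"""
from datetime import datetime
import ipaddress
from statistics import median

# Constructed log in a hypothetical "timestamp kind sensor_ip src_ip detail" layout.
# Sensor C is deliberately logged out of order and never receives a binary.
SENSOR_LOG = """\
2008-07-15T10:00:00 ONLINE   10.20.1.5   -             sensor A booted
2008-07-15T10:02:41 PROBE    10.20.1.5   10.20.77.3    tcp/445
2008-07-15T10:03:12 PROBE    10.20.1.5   198.51.100.9  tcp/135
2008-07-15T10:41:05 DOWNLOAD 10.20.1.5   10.20.77.3    binary placeholder-1.exe
2008-07-15T11:00:00 ONLINE   172.16.9.2  -             sensor B booted
2008-07-15T11:06:30 PROBE    172.16.9.2  172.16.40.8   tcp/445
2008-07-15T13:15:00 DOWNLOAD 172.16.9.2  172.16.40.8   binary placeholder-2.exe
2008-07-15T12:00:00 ONLINE   192.0.2.10  -             sensor C booted
2008-07-15T12:00:30 PROBE    192.0.2.10  192.0.2.77    tcp/139
"""

# Hypothetical mapping of each sensor to the address block of the ISP hosting it.
SENSOR_ISP_RANGE = {
    "10.20.1.5": ipaddress.ip_network("10.20.0.0/16"),
    "172.16.9.2": ipaddress.ip_network("172.16.0.0/12"),
    "192.0.2.10": ipaddress.ip_network("192.0.2.0/24"),
}

ATTACK_KINDS = {"PROBE", "DOWNLOAD"}


def parse_log(text):
    """Turn the log text into a time-sorted list of (timestamp, kind, sensor, src, detail)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, sensor, src, detail = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), kind, sensor, src, detail))
    return sorted(events)  # tuples sort by timestamp first, so out-of-order sensors are fine


def survival_per_sensor(events):
    """Per sensor: seconds from ONLINE to first PROBE and to first DOWNLOAD (None if never)."""
    online, first = {}, {}
    for ts, kind, sensor, _src, _detail in events:
        if kind == "ONLINE":
            online[sensor] = ts
            first[sensor] = {"PROBE": None, "DOWNLOAD": None}
        elif kind in ATTACK_KINDS and sensor in online and first[sensor][kind] is None:
            first[sensor][kind] = (ts - online[sensor]).total_seconds()
    return {s: {"first_probe_s": first[s]["PROBE"], "first_download_s": first[s]["DOWNLOAD"]}
            for s in online}


def same_isp_fraction(events):
    """Share of attack events whose source address lies in the sensor's own ISP range."""
    attacks = [(sensor, src) for _ts, kind, sensor, src, _d in events if kind in ATTACK_KINDS]
    if not attacks:
        return 0.0
    local = sum(1 for sensor, src in attacks
                if ipaddress.ip_address(src) in SENSOR_ISP_RANGE[sensor])
    return local / len(attacks)


def summarize(text):
    """Median ISC-style and honeypot-style survival time in seconds, plus the same-ISP share."""
    events = parse_log(text)
    per = survival_per_sensor(events)
    probes = [v["first_probe_s"] for v in per.values() if v["first_probe_s"] is not None]
    downloads = [v["first_download_s"] for v in per.values() if v["first_download_s"] is not None]
    return {
        "sensors": len(per),
        "isc_style_median_s": median(probes) if probes else None,
        "honeypot_style_median_s": median(downloads) if downloads else None,
        "same_isp_fraction": same_isp_fraction(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SENSOR_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the probe-based estimate comes out in minutes while the download-based one comes out in hours, which is exactly the gap between the two sources quoted above; a sensor that is probed but never handed a binary (sensor C) counts toward the first estimate only, which is one reason the two methods diverge.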
Xavier Mertens states the bleedin' obvious:
Good practice: Always perform a full patch before connecting a new server on the Internet (even under pressure). A good deployment procedure must be in place. more
Thomas Tomiczek talks:
That makes a lot of sense - because that is exactly what happens. Tons of bots around trying to get into "known and patched for years" exploits. They just scan IP address ranges for computers to come online. So, really - no browsing required. No user action required. They happily come to you. This is why a simple firewall like the one you have now on Windows (allow only outgoing connections by default) or simple NAT ALREADY raises quite a bar in security - there ARE, HAVE BEEN and WILL BE exploits that do not require any user interaction. more
And kitgerrits adds:
If one computer on the same IP range as you is infected, it will try to infect all computers on the same IP range and continue to try until someone either turns off the PC or formats the hard drive. Try installing a firewall, connecting a computer directly to the Internet (don't -do- anything, just connect it) and then Wireshark to look at your Network Interface. You'll be surprised at the stuff you get without asking. more
FuegoFuerte notes Microsoft's improvements in this area:
When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall. In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turns it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off"). more
And finally...
- Love Solutions (are tailor-made for you) [err, I think this is safe for work]
Buffer overflow:
- Educated Guesswork: IPETEE?
- Google Watch: Google Could Become the Premier Open-Source Provider
- Layer 8: The Top 20 most recession-proof jobs
- Joel Shore: Windows Small Business Server 2008 due in November
- Storagezilla: Could NeoScale rise from the grave?
- Ryan Naraine: On deck from Oracle: 45 critical database, server patches
- Jemima Kiss: Is TechCrunch the next tech blog up for sale?
Other Computerworld bloggers:
- Seth Weintraub: Precipitate online Google Docs search from Spotlight
- Preston Gralla: Microsoft: The power behind selling iPhones
- Angela Gunn: That's MR Geek to you, pal
- Don Tennant: Insight and denial
- SJVN: Apple retail fiasco
- Eric Lai: Fighting software piracy -- with shaky statistics
- Martin MC Brown: Moving to VirtualBox
- Mark Hall: Reduce app/OS size
- Douglas Schweitzer: Seeing the light (and using it, too)
- Shark Tank: Sure, that must be it
- Shark Bait: Weird Helpdesk calls
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.