The BBC's Honeypot PC

Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.
  • better question... (Score:3, Interesting)

    by 192939495969798999 ( 58312 ) <info AT devinmoore DOT com> on Monday October 09, 2006 @12:54PM (#16365835) Homepage Journal
    why is there such a thing as an "unprotected windows box"? Isn't this a serious fault of Microsoft that there's even a way to have an "unprotected" system on the internet? Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.
  • Re:Not just Windows (Score:4, Interesting)

    by julesh ( 229690 ) on Monday October 09, 2006 @01:21PM (#16366283)
    Do you have a linux box on the public net with SSH open?

    Yes.

    I guarantee you are getting more than 1000 attempted logins per day.

    Uh, no. On the occasional day I get a sustained attempt to guess a username/password combo, and such an attempt may well get up to 1,000 attempts, but in the last 4 days' log (all I keep), I don't see any such attempt. There were a couple of attempts on my FTP server, but it looks like the attacker closed the connection as soon as they saw the welcome banner; scanning for a particular server/version in the connection report, I guess.
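    As an added example (not from the thread), a small Python script that does the kind of log check julesh describes: it counts failed SSH password attempts per day from sshd syslog lines and flags any source that sustains a guessing run on a single day. The log lines are constructed samples using documentation-range addresses, and the burst threshold is an assumed parameter.

```python
import re
from collections import Counter

# Constructed sample sshd syslog lines (not from the page or any real host).
SAMPLE_AUTH_LOG = """\
Oct  6 03:12:01 host sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 51324 ssh2
Oct  6 03:12:03 host sshd[4712]: Failed password for root from 203.0.113.7 port 51326 ssh2
Oct  6 03:12:05 host sshd[4713]: Failed password for invalid user test from 203.0.113.7 port 51330 ssh2
Oct  7 11:40:22 host sshd[5120]: Accepted publickey for jules from 198.51.100.20 port 40022 ssh2
Oct  8 22:01:09 host sshd[6001]: Failed password for invalid user oracle from 192.0.2.44 port 33021 ssh2
"""

# Matches the classic OpenSSH "Failed password" line; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(text):
    """Yield (day, user, source_ip) for every failed-password line in the log."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            day = f"{m['month']} {int(m['day']):02d}"  # zero-pad so keys sort
            yield day, m["user"], m["ip"]


def failed_logins_per_day(text):
    """Daily totals of failed password attempts (the number the thread argues about)."""
    return Counter(day for day, _, _ in parse_failed_logins(text))


def sustained_guessers(text, threshold):
    """Source IPs whose failed attempts on one day reach the (assumed) threshold."""
    per_day_ip = Counter((day, ip) for day, _, ip in parse_failed_logins(text))
    return sorted({ip for (day, ip), n in per_day_ip.items() if n >= threshold})


if __name__ == "__main__":
    print(failed_logins_per_day(SAMPLE_AUTH_LOG))
    print(sustained_guessers(SAMPLE_AUTH_LOG, threshold=3))
```

Pointing it at /var/log/auth.log (or the journal output for sshd) instead of the sample gives the per-day count the thread disputes, rather than a guess.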
  • 15 Min. Average? (Score:1, Interesting)

    by Anonymous Coward on Monday October 09, 2006 @01:29PM (#16366399)
    How do you have a 15 minute average, a 15 minute maximum, and a 15 second minimum?
  • Re:Well Duh! (Score:2, Interesting)

    by r00b ( 923145 ) on Monday October 09, 2006 @01:31PM (#16366441)
    One of the first things I do when setting up my home box is remove windows completely.
  • Re:Duh (Score:3, Interesting)

    by Macka ( 9388 ) on Monday October 09, 2006 @01:36PM (#16366533)

    But the attacks would fail for a number of reasons. First and foremost because the attacks are targeted at Windows, not Linux or OS X. Secondly, OS X has a very capable built-in firewall that's always on. I can't speak for Linux because that will be up to the person who built it. Though my default Ubuntu 6.06 installation had no firewall enabled at install time, nor any option to configure or enable one before you get onto the internet and download the bits with synaptic.

  • Re:It IS hard (Score:4, Interesting)

    by bill_kress ( 99356 ) on Monday October 09, 2006 @02:04PM (#16367035)
    He said a coordinated effort. Of course no one person can get anywhere, but if we just decide not to accept this, we start blocking IP ranges, force the ISPs to deal with their spammers and botnets--it wouldn't take long at all to shut down the entire problem (and 60% of the web). Then you just bring up clean PCs one at a time--forward their DNS to a page that can lead you through the process of cleaning out your PC and contains a list of services that will help.

    Subsidize the creation of some decent anti-virus and service companies that can clean your computer remotely (Just don't build one nuke, that should take care of funding it for a few years)

    Of course we can't take these steps proactively, humans are too short-sighted, but we WILL do something like this reactively. It's going to happen--just a matter of time.
  • Re:Indeed, AC (Score:3, Interesting)

    by Mister Whirly ( 964219 ) on Monday October 09, 2006 @02:16PM (#16367213) Homepage
    "When you buy a car, most people expect to insert the key in the ignition and put their foot on the accelerator. They don't expect to be handed the components and a 900 page manual and be expected to assemble it themselves."

    Yet when the same people are handed computer components and manuals that they don't understand, they somehow think that they CAN assemble it themselves. That is where the problem lies...

    "Why can't the average user go into a shop, buy a computer, bring it home and expect it to work - out of the box."

    Most of the time they can, given it is a shop of reliable reputation. Most new Windows boxes sold today come with SP2 installed - with included firewall set on by default. If you bought a car, would you assume there is engine coolant, air pressure in tires, working brakes, airbags, fuel, etc. or would you ask the person selling it if these things are at proper levels, or even check for yourself before driving it?? Assumptions can sometimes be costly...
  • by penix1 ( 722987 ) on Monday October 09, 2006 @02:27PM (#16367395) Homepage
    Strictly, they said the attack was aimed at IIS, not that the attack was successful.


    Strictly, they said one (1) attack was for IIS.

    In fact, it's not clear from the article that ANY of the attacks were successful. If that's true, it doesn't really matter how many attacks there were, and it doesn't make Windows any less safe than Linux or VMS, for that matter. Only the successful attacks matter. (You've got to shut down the Messenger, to be sure, but I'm pretty sure that comes turned off now, and it was a stupid feature in the first place.)


    This wasn't to see whether it was successful or not but to identify the types of attacks and where they are coming from. They state in TFA that next week they let it go full bore to show what happens. Call it a teaser or next week's /. feature again. Besides, you are totally missing the point. I'll outline it here for you...

    Aunt Bessy goes to OfficeMax and picks out that fancy new HP gadget that everyone is talking about. Of course, she gets the one on clearance sale to save money since it looks just like the one on the shelf. She takes it home, follows the pretty picture diagram that was in the box showing her how to plug things in and hooks it right up to her new cable modem. Since this machine was older, it isn't updated to SP2 yet and to make it worse, her "restore disks" that she has to make are that very same pre-SP2 version. Aunt Bessy doesn't know a thing about firewalls, routers, antivirus, etc. that we all know about. So now here she is hooked up in the raw to the Internet getting attacked every 15 minutes running HP's XP Home which defaults to no password, admin user, yadda, yadda, yadda. Ten seconds into her first experience she gets infected and things go downhill from there. Even if she was to try to run Windows Update, she is still going to get infected before she accomplishes the update.

    This problem rests squarely in the lap of Microsoft. They sacrificed security for the all important "ease of use" marketing. Adding in WGA for updates only makes the problem that much worse since it makes people (especially the false positives) not want to update. In short, Microsoft is a menace to networking as if we didn't already know that.

    B.
  • Re:Well Duh! (Score:3, Interesting)

    by ben there... ( 946946 ) on Monday October 09, 2006 @04:42PM (#16369599) Journal
    Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful.

    Microsoft should really ship with all IP addresses except update.microsoft.com redirected to localhost, until you complete all critical updates.

    It will never happen, but it should.
  • by demo9orgon ( 156675 ) on Monday October 09, 2006 @04:47PM (#16369683) Homepage
    Hey, it's not a high-horse...it's a soapbox. :-)

    Agreed, all old OSes are weak somewhere. But what happens to grandma when her doting son hands her his old boxen with XP with expired "Anti-" ware on it? Grandma entertains keyloggers with insights into the wicked subterfuge of bridge groups, quilting, what happened at the store checkout queue, or just how awful the last family gathering was; and all the while her machine is merrily testing basic-auth at a pornsite somewhere while she wonders why everything seems so slow on the Internet.

    The article illustrated that Windows machines are constantly under attack. Everything else is give and take, but the fact that there's so many vectors of attack should be what people understand; most of them are squarely aimed at Windows operating systems.

    I think the Microsoft userbase is exploited by legit and illegitimate businesses. Buying a new machine with a new Microsoft OS doesn't solve the problem. How is someone supposed to feel when they've bought a product, then they have to register the software online or over the phone, and repeat that process if they've added, removed or changed the hardware config, and then they suffer the indignity of having terms and conditions changed arbitrarily by the software developer (SP2, WGA anyone?) in order to receive further updates and then they still get exploited by some IRC bot-masters?

    I know how I'd feel which is why I don't bother playing that game.

    What is the true cost advantage of an operating system which requires 3rd party bolt-on security solutions, many of them with secret blocking lists and other interesting features the user can't modify or maintain without a subscription?

    I can't really say, because I stopped using Microsoft a long time ago.
    I wish more people would wake up and stop being exploited.