I believe I've said this before - Grin with cat attached — LiveJournal
I believe I've said this before Aug. 23rd, 2004 12:52 pm
but "Ow".

http://isc.sans.org/survivalhistory.php

From: valkyriekaren
Date: August 23rd, 2004 - 11:56 am
That's getting worryingly close to a survival time of 0.
From: wechsler
Date: August 23rd, 2004 - 12:48 pm
Is there any data on the proportion of connection attempts/TCP/IP traffic that's malignant?
From: wechsler
Date: August 23rd, 2004 - 01:36 pm
It means that if you put a new, unpatched PC online without a firewall it will probably be infected before you have a chance to download the firewall, patches or A-V software.
From: djm4
Date: August 23rd, 2004 - 01:42 pm
This did, indeed, happen to Liz recently when she upgraded to XP.
From: steer
Date: August 23rd, 2004 - 01:49 pm
To be fair, it actually only means the time between probe packets. I've seen an unpatched PC which has lasted 8 years without issues (though the campus firewall helped somewhat).
From: wechsler
Date: August 23rd, 2004 - 01:55 pm
Hence the bit where I said "without a firewall".
From: steer
Date: August 23rd, 2004 - 01:58 pm
Indeed... but I'm still sure that time before seeing probe packet and time before actual infection is still a few orders of magnitude apart.
From: bondagewoodelf
Date: August 23rd, 2004 - 02:09 pm
Not really. I've seen other stats (also from SANS) that currently it takes about 25 minutes for an unpatched, unfirewalled, XP in default configuration to be infected by some worm.
From: wechsler
Date: August 23rd, 2004 - 02:16 pm
AFAIK a "probe packet" generally *is* the attack (there's no separate recon phase on most worms). As such, to have a "two order of magnitude" difference you'd be expecting a box to survive dozens of attacks against which it has no defence.
From: steer
Date: August 23rd, 2004 - 02:19 pm
*shrug* Again it is experience from coming round and seeing PCs belonging to computer non-aware people that have been unprotected, unfirewalled and unpatched and surviving.
From: wechsler
Date: August 23rd, 2004 - 02:23 pm
What sort of connections, out of interest? Broadband? Always-on?

It's unfortunate that that site doesn't have more history of the survival times - I'd be interested to know how recently it's got this bad.
From: steer
Date: August 23rd, 2004 - 02:40 pm
See below -- thinking about it, I'm guessing that having w98 rather than XP helps -- simply because it is listening on not so many ports by default.
From: valkyriekaren
Date: August 23rd, 2004 - 02:28 pm
Surviving, yes, but like most parasites, the worms don't kill the host machine - they just sit around generating spam, trying to harvest bank/card details, that sort of thing. Might slow the machine down, but is unlikely to make it actually fall over.
From: steer
Date: August 23rd, 2004 - 02:39 pm
Sure -- I should have been clear about that. I'm thinking in specific about my parents' machine (no viruses and no malware -- but a dialup connection rarely used -- I reckon they probably only connect for an hour a week but that was over the course of several years) and a friend's machine on broadband, used about an hour a day I estimate unpatched and without firewall or virus checker -- riddled with malware (all installed by him) and one virus (contracted through email) -- no worm infection that I could detect.
From: bondagewoodelf
Date: August 23rd, 2004 - 01:50 pm
And that's why you should enable the Internet firewall in XP -before- you plug in any network cable or phoneline.

From: fluffymark
Date: August 23rd, 2004 - 02:13 pm
A big problem, that.. I managed to build a new machine yesterday and put Windows on it, and then realised as soon as I configured it to connect to the house network so I could transfer software across, it'd be connected to the internet and totally unprotected. I got paranoid, and my solution was to use another safe machine to download and copy a free firewall onto a USB key. So I could transfer and install the firewall on the new machine before it ever touched the internet. Yay.

(and the main reason I'm putting Windows on there is to install software to burn CDs with the CD-writer in order to create some Linux install CDs to install Linux with.....)
From: wechsler
Date: August 23rd, 2004 - 02:18 pm
Is your house network entirely routable-IP then?
From: fluffymark
Date: August 23rd, 2004 - 02:23 pm
Yes, shockingly. It's a security nightmare at times, but I like all my IP addresses and run various servers so it's easier that way. I don't NAT even once, let alone twice. :)
From: wechsler
Date: August 23rd, 2004 - 02:28 pm
This is why I have the DMZ/backroom combination. Which works now.