[Dshield] 0wnlng Windows machines

John B. Holmblad jholmblad at aol.com
Mon Feb 26 00:52:17 GMT 2007


Adam,

the issue is not so much that consumers are clueless, as it is the fact 
that, unlike the sysadmins who are PAID to maintain the security of 
their systems, the average end user, clueless or not, does not get paid 
to do so.  Consequently it does not happen, as much as it should, and 
especially in those cases where, as you suggest, a friend/relative will 
come in to clean up the situation and not charge them for the cost of so 
doing.

In the fine tradition of using the U.S. tax code to achieve greater 
social "good", how about if we incent better computer hygiene by 
providing a tax credit for users who keep their computers malware free 
for the prior year?


Best Regards,

 

John Holmblad

 

Televerage International

GSEC Gold, GCWN Gold, GGSC-0100, NSA-IAM, NSA-IEM

Information security, telecommunications, and information technology 
consulting

 

(M) 703 407 2278

(F)  703 620 5388

primary email address:  jholmblad at aol.com

backup email address:  jholmblad at verizon.net

 



Stasiniewicz, Adam wrote:
> Hi Tonni,
>  
> The major reason you see Windows computers is simply because they are the most abused.  While most Novell, Linux, Unix, etc systems are maintained by IT staff who ensure they are properly functioning, most Windows computers are used by clueless consumers.  What often happens is these clueless consumers will buy their computer from Best-Buy or wherever and it will have the latest patches on it.  They might even have a friend/relative/etc look at the computer once or twice a year to "clean it up".  During those times, the folks will usually install the latest patches and AV.  But in the space between, the clueless consumer will not patch their computer or update their AV (since again, they are clueless).  They will open virus infected emails and install the latest crap on their machine.  For this reason, about 80% of all spam comes from computers infected with spam viruses.  The remaining 20% comes from hijacked netblocks and foreign countries with weak cyber laws.
>  
> As for 2003, the main reason you are seeing it lower is because of the limitations of your tool.  Your tool can't tell the difference between the client versions of Windows and the server versions.  So, if you could, you would most likely see that 2000 server also has a very low rejection rate.  But because 2003 has no direct client version, you are only seeing stats for a server OS.  And going back to my first point about Novell, Unix, and Linux, 2003 servers tend to be professionally managed by IT folks, who are much better at keeping junk off those machines.
>  
> Does that answer your question?
>  
> Regards,
> Adam Stasiniewicz
>  
>  
>  
>
> ________________________________
>
> From: list-bounces at lists.dshield.org on behalf of Tony Earnshaw
> Sent: Sat 2/24/2007 4:10 AM
> To: list at lists.dshield.org
> Subject: [Dshield] 0wnlng Windows machines
>
>
>
> Hi list,
>
> I'm the mailadmin of a low-volume high school site in Amsterdam NL; we
> run a Postfix 2.3 MTA with lots of knobs to twiddle.
>
> One of the things I do is twiddle the knobs; as I've written before, we
> block a lot of stuff before we accept it. We don't block it at the
> perimeter, we let the MTA block it, mostly using cidr subnet blocks, but
> also using rules detailed in rfc[2]821 and greylisting, as well as, as a
> last resort, 4 DNSRBL sites. Postfix also makes it possible to see each
> refused connection, together with the smtp conversation that takes place
> and why we refuse clients. I make full use of that possibility.
>
> We also run a utility called p0f with which I analyze the operating
> system of each client connecting to port 25 on our MTA. For instance, it
> tells me that iceman12-int.giac.net is running Linux 2.4-2.6 and was up
> for 3413 hours on Feb 24 at 01:47:28 CET.
>
> I produce pretty bar graphs with it, and these will be available for a
> couple of days at https://mail.barlaeus.nl/p0f. Normally they're
> excluded from unrestricted Internet access.
>
> One of the things I've found out over the past few months is that
> around 98% of all the clients we block are Windows machines; which
> variants you can see from the graphs. It's patently obvious that most
> 0wn3d machines are w2k with patch 4/XP with patch 1 and very few are
> W2003. Now assuming the w2k and XP users have been savvy enough to patch
> their W2k/XP machines, can anyone tell me the most obvious reasons that
> they're getting 0wn3d? Presumably the users intelligent enough to patch
> are also savvy enough not to click on things they're told not to, to
> enable stupid p2p, to visit nasty web sites and so on. Or are they? And
> why are there (proportionally) so few w2003 machines refused?
>
> One of the reasons I ask, apart from curiosity, is noting how new
> spammer software patterns develop, how much spammers keep to the same
> old stupid configuration and similar.
>
> Thanks,
>
> --Tonni
>
> PS: All of our site's 100 or so Windows XP workstations (which I don't
> configure, thank goodness) get their Internet stuff over a Smoothwall
> blocking proxy, all are forced to SASL authenticate to our MTA alone for
> sending, their mail (when it comes in) has gone through 3 AV scanners
> and a hyper-good spam filter, and they run Sophos SAV regularly on their
> ghost-imaged HDs. Their profiles and other Windows stuff is kept on a
> Linux Samba 2.0.22 NT PDC (which I do configure) on which Sophos Sweep
> runs regularly, so they're kept from sinning; if they were to,
> reformatting and imaging their local HDs is relatively easy to do, with
> no loss of personal data.
>
> --
> Tony Earnshaw
> Email: tonni at hetnet dot nl
> _________________________________________
>
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>
>   
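Tony's setup correlates two things: which clients Postfix's smtpd refused (and why), and what p0f fingerprinted those clients as. The script below is an added illustration of that correlation, not code from the thread or from Postfix/p0f. The Postfix lines follow the real `NOQUEUE: reject:` shape that smtpd logs; the p0f lines approximate p0f v2's one-line SYN-mode output from memory, and all addresses, hostnames and counts are constructed. It joins the two by client IP, optionally ignores 4xx greylist tempfails (a greylisted client may be a legitimate MTA that simply retries), and reports the OS breakdown of permanently refused clients, which is the number behind the "98% Windows" figure.

```python
import re
from collections import Counter

# Constructed sample lines, approximating p0f v2 SYN-mode output (assumed format, not taken from the post).
P0F_LINES = """\
192.0.2.10:3456 - Windows 2000 SP4 -> 198.51.100.5:25 (distance 12, link: ethernet/modem)
192.0.2.11:1122 - Windows XP SP1 -> 198.51.100.5:25 (distance 14, link: ethernet/modem)
192.0.2.12:40012 - Linux 2.4-2.6 (up: 3413 hrs) -> 198.51.100.5:25 (distance 9, link: ethernet/modem)
192.0.2.13:2001 - Windows XP SP1 -> 198.51.100.5:25 (distance 16, link: ethernet/modem)
192.0.2.14:5000 - Windows 2003 -> 198.51.100.5:25 (distance 8, link: ethernet/modem)
""".splitlines()

# Constructed Postfix smtpd log lines in the real "NOQUEUE: reject:" shape; one accepted client for contrast.
POSTFIX_LINES = """\
Feb 24 01:47:28 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example; from=<a@example.org> to=<b@school.example> proto=ESMTP helo=<localhost>
Feb 24 01:48:03 mail postfix/smtpd[2232]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.7.1 Recipient address rejected: Greylisted; from=<c@example.org> to=<b@school.example> proto=SMTP helo=<x>
Feb 24 01:49:10 mail postfix/smtpd[2233]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 504 5.5.2 <x>: Helo command rejected: need fully-qualified hostname; from=<d@example.org> to=<b@school.example> proto=SMTP helo=<x>
Feb 24 01:50:00 mail postfix/smtpd[2234]: NOQUEUE: reject: RCPT from relay.example[192.0.2.12]: 554 5.7.1 Sender address rejected: Domain not found; from=<e@nosuch.invalid> to=<b@school.example> proto=ESMTP helo=<relay.example>
Feb 24 01:51:22 mail postfix/smtpd[2235]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 554 5.7.1 Client host rejected: Access denied; from=<f@example.org> to=<b@school.example> proto=SMTP helo=<y>
Feb 24 01:52:05 mail postfix/smtpd[2236]: 1A2B3C4D5E: client=mx.partner.example[198.51.100.77]
""".splitlines()

P0F_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ - (?P<os>.+?) -> ')
REJECT_RE = re.compile(r'NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: (?P<code>\d{3}) ')


def parse_p0f(lines):
    """Map client IP -> OS label, dropping p0f's trailing parenthesised extras such as uptime."""
    os_by_ip = {}
    for line in lines:
        m = P0F_RE.match(line)
        if m:
            os_by_ip[m.group('ip')] = re.sub(r'\s*\(.*\)$', '', m.group('os'))
    return os_by_ip


def parse_rejects(lines):
    """Return (ip, smtp_code) for every smtpd reject line; accepted-client lines are ignored."""
    out = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            out.append((m.group('ip'), m.group('code')))
    return out


def blocked_os_breakdown(p0f_lines, postfix_lines, permanent_only=True):
    """Count p0f OS labels over distinct refused clients.

    With permanent_only, 4xx tempfails (greylisting) are excluded: those clients
    were not judged bad, only asked to retry, so counting them inflates the picture.
    Clients p0f never fingerprinted are counted as 'unknown' rather than dropped.
    """
    os_by_ip = parse_p0f(p0f_lines)
    counts = Counter()
    seen = set()
    for ip, code in parse_rejects(postfix_lines):
        if permanent_only and not code.startswith('5'):
            continue
        if ip in seen:
            continue
        seen.add(ip)
        counts[os_by_ip.get(ip, 'unknown')] += 1
    return counts


def windows_share(counts):
    """Fraction of refused clients whose p0f label starts with 'Windows'."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    win = sum(n for label, n in counts.items() if label.startswith('Windows'))
    return win / total


if __name__ == '__main__':
    breakdown = blocked_os_breakdown(P0F_LINES, POSTFIX_LINES)
    for label, n in breakdown.most_common():
        print(f'{n:4d}  {label}')
    print(f'Windows share of permanently refused clients: {windows_share(breakdown):.0%}')
```

Running it against the constructed data lists three Windows labels and one Linux label among the four permanently refused clients; pass `permanent_only=False` and the greylisted XP host joins the count. On a real mail server you would feed it `/var/log/mail.log` and the p0f log file, and it is worth keeping the reject reason (DNSBL, HELO, greylist, cidr map) as a second key so that "which OS" and "why refused" can be cross-tabulated rather than collapsed into one percentage.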

