[Dshield] 0wnlng Windows machines

Tomas L. Byrnes tomb at byrneit.net
Mon Feb 26 03:06:58 GMT 2007


I think it's more basic than whether people are clueless, careless, paid
or not: It's that it's too much of a hassle to actually keep Windows
systems secure and operational.

It's like playing whack-a-mole.

Even the full-time crews have to do task prioritization based on risk
assessments, which always allow for a certain amount of risk.


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of John B. Holmblad
> Sent: Sunday, February 25, 2007 4:52 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] 0wnlng Windows machines
> 
> Adam,
> 
> the issue is not so much that consumers are clueless, as it 
> is the fact that, unlike the sysadmins who are PAID to 
> maintain the security of their systems, the average end user, 
> clueless or not, does not get paid to do so.  Consequently it 
> does not happen, as much as it should, and especially in 
> those cases where, as you suggest, a friend/relative, will 
> come in to clean up the situation and not charge them for the 
> cost of so doing.
> 
> In the fine tradition of using the U.S. tax code to achieve 
> greater social "good", how about if we incent better computer 
> hygiene by providing a tax credit for users who keep their 
> computers malware free for the prior year?
> 
> 
> Best Regards,
> 
>  
> 
> John Holmblad
> 
>  
> 
> Televerage International
> 
> GSEC Gold, GCWN Gold, GGSC-0100, NSA-IAM, NSA-IEM
> 
> Information security, telecommunications, and information 
> technology consulting
> 
>  
> 
> (M) 703 407 2278
> 
> (F)  703 620 5388
> 
> primary email address:  jholmblad at aol.com
> 
> backup email address:  jholmblad at verizon.net
> 
>  
> 
> 
> 
> Stasiniewicz, Adam wrote:
> > Hi Tonni,
> >
> > The major reason you see Windows computers is simply because they are
> > the most abused. While most Novell, Linux, Unix, etc. systems are
> > maintained by IT staff who ensure they are properly functioning, most
> > Windows computers are used by clueless consumers. What often happens is
> > these clueless consumers will buy their computer from Best-Buy or
> > wherever and it will have the latest patches on it. They might even
> > have a friend/relative/etc. look at the computer once or twice a year
> > to "clean it up". During those times, the folks will usually install
> > the latest patches and AV. But in the space between, the clueless
> > consumer will not patch their computer or update their AV (since again,
> > they are clueless). They will open virus infected emails and install
> > the latest crap on their machine. For this reason, about 80% of all
> > spam comes from computers infected with spam viruses. The remaining 20%
> > comes from hijacked netblocks and foreign countries with weak cyber
> > laws.
> >
> > As for 2003, the main reason you are seeing it lower is because of the
> > limitations of your tool. Your tool can't tell the difference between
> > the client versions of Windows and the server versions. So, if you
> > could, you would most likely see that 2000 server also has a very low
> > rejection rate. But because 2003 has no direct client version, you are
> > only seeing stats for a server OS. And going back to my first point
> > about Novell, Unix, and Linux, 2003 servers tend to be professionally
> > managed by IT folks, who are much better at keeping junk off those
> > machines.
> >
> > Does that answer your question?
> >
> > Regards,
> > Adam Stasiniewicz
> >
> > ________________________________
> >
> > From: list-bounces at lists.dshield.org on behalf of Tony Earnshaw
> > Sent: Sat 2/24/2007 4:10 AM
> > To: list at lists.dshield.org
> > Subject: [Dshield] 0wnlng Windows machines
> >
> > Hi list,
> >
> > I'm the mailadmin of a low-volume high school site in Amsterdam NL; we
> > run a Postfix 2.3 MTA with lots of knobs to twiddle.
> >
> > One of the things I do is twiddle the knobs; as I've written before,
> > we block a lot of stuff before we accept it. We don't block it at the
> > perimeter, we let the MTA block it, mostly using cidr subnet blocks,
> > but also using rules detailed in rfc[2]821 and greylisting, as well as,
> > as a last resort, 4 DNSRBL sites. Postfix also makes it possible to see
> > each refused connection, together with the smtp conversation that
> > takes place and why we refuse clients. I make full use of that
> > possibility.
> >
> > We also run a utility called p0f with which I analyze the operating
> > system of each client connecting to port 25 on our MTA. For instance,
> > it tells me that iceman12-int.giac.net is running Linux 2.4-2.6 and
> > was up for 3413 hours on Feb 24 at 01:47:28 CET.
> >
> > I produce pretty bar graphs with it, and these will be available for a
> > couple of days at https://mail.barlaeus.nl/p0f. Normally they're
> > excluded from unrestricted Internet access.
> >
> > One of the things I've found out over the past few months is that
> > around 98% of all the clients we block are Windows machines; which
> > variants you can see from the graphs. It's patently obvious that most
> > 0wn3d machines are w2k with patch 4/XP with patch 1 and very few are
> > W2003. Now assuming the w2k and XP users have been savvy enough to
> > patch their W2k/XP machines, can anyone tell me the most obvious
> > reasons that they're getting 0wn3d? Presumably the users intelligent
> > enough to patch are also savvy enough not to click on things they're
> > told not to, to enable stupid p2p, to visit nasty web sites and so on.
> > Or are they? And why are there (proportionally) so few w2003 machines
> > refused?
> >
> > One of the reasons I ask, apart from curiosity, is noting how new
> > spammer software patterns develop, how much spammers keep to the same
> > old stupid configuration and similar.
> >
> > Thanks,
> >
> > --Tonni
> >
> > PS: All of our site's 100 or so Windows XP workstations (which I don't
> > configure, thank goodness) get their Internet stuff over a Smoothwall
> > blocking proxy, all are forced to SASL authenticate to our MTA alone
> > for sending, their mail (when it comes in) has gone through 3 AV
> > scanners and a hyper-good spam filter, and they run Sophos SAV
> > regularly on their ghost-imaged HDs. Their profiles and other Windows
> > stuff is kept on a Linux Samba 2.0.22 NT PDC (which I do configure) on
> > which Sophos Sweep runs regularly, so they're kept from sinning; if
> > they were to, reformatting and imaging their local HDs is relatively
> > easy to do, with loss of no personal data.
> >
> > --
> > Tony Earnshaw
> > Email: tonni at hetnet dot nl
> > _________________________________________
> >
> > SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses taught
> > by our top rated instructors plus a huge vendor tools expo.
> > Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
> >
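Tony's post describes joining Postfix's per-connection refusal log with p0f's OS guess for the same client to get a per-OS breakdown of blocked machines. As an added example (my own code, not anything from the thread, Postfix or p0f), here is a small Python script that does that join on constructed sample lines; the p0f line shape is assumed from memory of p0f v2 output, and the Postfix lines are constructed to match the smtpd "NOQUEUE: reject" format:

```python
import re
from collections import Counter

# Constructed sample p0f lines in the shape p0f v2 prints them (approximated from memory).
P0F_LOG = """\
192.0.2.10:3456 - Windows XP SP1, 2000 SP4 (up: 12 hrs) -> 198.51.100.5:25 (distance 14, link: ethernet/modem)
192.0.2.20:1089 - Windows 2000 SP4 (up: 3 hrs) -> 198.51.100.5:25 (distance 9, link: pppoe (DSL))
192.0.2.30:49211 - Linux 2.4-2.6 (up: 3413 hrs) -> 198.51.100.5:25 (distance 10, link: ethernet/modem)
192.0.2.40:2233 - Windows 2003 (up: 200 hrs) -> 198.51.100.5:25 (distance 12, link: ethernet/modem)
192.0.2.50:4001 - UNKNOWN [S4:110:1:48:M1460,N,N,S:.:?:?] -> 198.51.100.5:25 (link: ethernet/modem)
"""

# Constructed Postfix 2.x smtpd lines: RBL, cidr/access, greylist and hostname rejects (one repeat).
POSTFIX_LOG = """\
Feb 24 01:47:28 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<x@example.com> to=<y@example.org> proto=SMTP helo=<x>
Feb 24 01:47:29 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<x@example.com> to=<z@example.org> proto=SMTP helo=<x>
Feb 24 01:49:02 mail postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 554 5.7.1 <unknown[192.0.2.20]>: Client host rejected: Access denied; from=<a@example.com> to=<y@example.org> proto=SMTP helo=<a>
Feb 24 01:52:11 mail postfix/smtpd[2244]: NOQUEUE: reject: RCPT from unknown[192.0.2.40]: 450 4.7.1 <y@example.org>: Recipient address rejected: Greylisted; from=<b@example.com> to=<y@example.org> proto=ESMTP helo=<b>
Feb 24 01:55:41 mail postfix/smtpd[2250]: NOQUEUE: reject: RCPT from host30.example.net[192.0.2.30]: 554 5.7.1 Service unavailable; Client host [192.0.2.30] blocked using bl.example.invalid; from=<c@example.com> to=<y@example.org> proto=ESMTP helo=<c>
Feb 24 01:58:07 mail postfix/smtpd[2255]: NOQUEUE: reject: RCPT from unknown[192.0.2.50]: 554 5.7.1 <unknown[192.0.2.50]>: Client host rejected: cannot find your hostname, [192.0.2.50]; from=<d@example.com> to=<y@example.org> proto=SMTP helo=<d>
"""

# p0f: "<ip>:<port> - <OS guess> (up: ...) -> ..."; Postfix: "reject: RCPT from host[ip]: <code> ..."
P0F_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ - (?P<os>[^(]+?)\s*(?:\(up:|->)")
REJECT_RE = re.compile(r"NOQUEUE: reject: \w+ from \S+\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) ")

def os_family(os_text):
    """Collapse a p0f guess to its first word: 'Windows', 'Linux', 'Unknown', ..."""
    return os_text.split(None, 1)[0].capitalize()

def refused_by_os(p0f_text, postfix_text, key=os_family):
    """Count refused *clients* (one per IP, not per attempt) grouped by key(p0f OS guess)."""
    fingerprints = {}
    for line in p0f_text.splitlines():
        m = P0F_RE.match(line)
        if m:
            fingerprints[m["ip"]] = m["os"].strip()
    refused = {}  # ip -> first SMTP reply code seen (554 permanent, 450 greylist)
    for line in postfix_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            refused.setdefault(m["ip"], m["code"])
    # Clients p0f never fingerprinted (or could not) are reported as Unknown, not dropped.
    return dict(Counter(key(fingerprints.get(ip, "UNKNOWN")) for ip in refused))

def windows_share(counts):
    """Percentage of refused clients whose p0f family is Windows (the 98% figure in the post)."""
    total = sum(counts.values())
    return round(100.0 * counts.get("Windows", 0) / total, 1) if total else 0.0
```

Calling `refused_by_os(P0F_LOG, POSTFIX_LOG, key=str)` keeps the full p0f label, which is what separates "w2k SP4" from "XP SP1" in a per-variant bar graph.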


