
    Your annual computer security hysteria alert

    by Alan Zisman (c) 2008. First published in Business in Vancouver, August 19-25, 2008; issue 982

    High Tech Office column


    Regular readers of this column know I’m a bit of a computer security nag. “It’s
    dangerous out there; don’t go online without your updates!” But sometimes, I
    have to question the latest pronouncements from self-proclaimed security gurus.
    Recently, my eyes rolled seeing a headline (in IT weekly Computerworld)
    “Unpatched Windows PCs fall to hackers in under 5 minutes.”

    Similar statistics have been around for a while and are gleefully quoted by Mac and
    Linux zealots. This time, the source was Lorna Hutcheson of the SANS Institute’s
    Internet Storm Center (ISC).

    Referring to Windows systems that have not been updated with Microsoft security
    patches and are directly connected to the Internet, Hutcheson estimated an
    average time of about four minutes before a hacker scanning for open ports and
    unprotected Internet addresses will probe the computer. She implied that a new
    Windows system could be successfully attacked in much less time than it would
    take a user to download the updates needed to protect it.

    The German-based Honeypot Project, which places simulated unprotected systems
    online to watch the results, disagreed about the time frame but not the ultimate
    end. Honeypot co-founder Thorsten Holz estimated an average of about 1,000
    minutes before an unprotected system is compromised. At least in their version,
    there’s enough time to safely update a system.

    But Hutcheson replied: “While the survival time varies,… placing an unpatched
    Windows computer directly onto the Internet in the hope that it downloads the
    patches faster than it gets exploited are odds that you wouldn’t bet on in Vegas.”
    Sounds scary. And far be it from me to encourage users to go online unprotected,
    but there are a number of things unclear in this discussion.

    What does either group mean by “an unpatched Windows computer?” Since 2004’s
    release of Windows XP Service Pack 2, Windows users have had a firewall that’s
    enabled by default. New systems sold since that date, whether coming with
    Windows XP or Vista, have been protected from the sorts of attacks the ISC is
    describing from the moment they’re turned on. (Yes, there are more capable
    firewalls, but the built-in Windows version provides adequate protection.)
    Would a new XP SP2 or SP3 installation count as “unpatched?”

    And any system connecting to an office, small business or even home network has
    an additional level of protection from their router’s Network Address Translation.
    These systems are not what Hutcheson would describe as “directly on the
    Internet.”

    And even if a user installed a pre-2004 copy of Windows and connected the
    system directly to the Internet, I’m not convinced that the connected
    computer, just sitting there, would be quickly compromised.

    Yes, it would be probed, as described by the ISC. Firewall logs always show a
    barrage of probes from the outside. But being probed is not the same as being
    “taken over” – what hackers refer to as being “pwned.”

    It’s unlikely to find such an unpatched, unprotected Windows system directly
    connected to the Net. And few systems are compromised “just sitting there.”
    Instead, users compromise their computers by engaging in risky online behaviour.
    No matter how much I nag, users open virus-bearing e-mail attachments, visit
    sketchy websites, download programs that install spyware, respond to spam ads
    and type their bank account information in forms on phishing sites. And even if
    they have reputable anti-virus and anti-spyware software installed, they too often
    fail to keep it, or Windows and their many installed applications, properly up to
    date.

    So don’t get me wrong: it’s important to be careful online. And minimizing risks
    means running needed security software and keeping it and the rest of your
    system updated, as well as avoiding the sleazier neighbourhoods online.
    But will just turning on your new computer put it at risk? Despite what the
    headlines appear to say, I don’t think so. •

Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan