Your annual computer security hysteria alert
by Alan Zisman (c) 2008
First published in Business in Vancouver August 19-25, 2008; issue 982
High Tech Office column
Regular readers of this column know I’m a bit of a computer security nag. “It’s dangerous out there; don’t go online without your updates!” But sometimes, I have to question the latest pronouncements from self-proclaimed security gurus.
Recently, my eyes rolled seeing a headline (in IT weekly Computerworld): “Unpatched Windows PCs fall to hackers in under 5 minutes.” Similar statistics have been around for a while and are gleefully quoted by Mac and Linux zealots. This time, the source was Lorna Hutcheson of the SANS Institute’s Internet Storm Center (ISC).
Referring to Windows systems that have not been updated with Microsoft security patches and are directly connected to the Internet, Hutcheson estimated an average time of about four minutes before a hacker scanning for open ports and unprotected Internet addresses will probe the computer. She implied that a new Windows system could be successfully attacked in much less time than it would take a user to download the updates needed to protect it.
The German-based Honeypot Project, which places simulated unprotected systems online to watch the results, disagreed about the time frame but not the ultimate end. Honeypot co-founder Thorsten Holz estimated an average of about 1,000 minutes before an unprotected system is compromised. At least in their version, there’s enough time to safely update a system.
But Hutcheson replied: “While the survival time varies,… placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn’t bet on in Vegas.”
Sounds scary. And far be it from me to encourage users to go online unprotected, but there are a number of things unclear in this discussion.
What does either group mean by “an unpatched Windows computer?” Since 2004’s release of Windows XP Service Pack 2, Windows users have had a firewall that’s enabled by default. New systems sold since that date, whether coming with Windows XP or Vista, have been protected from the sorts of attacks the ISC is describing from the moment they’re turned on. (Yes, there are more capable firewalls, but the built-in Windows version provides adequate protection.) Would a new XP SP2 or SP3 installation count as “unpatched?”
And any system connecting to an office, small business or even home network has an additional level of protection from its router’s Network Address Translation. These systems are not what Hutcheson would describe as “directly on the Internet.”
And even if a user installed a pre-2004 copy of Windows and connected the system directly to the Internet, I’m not convinced that the connected computer, just sitting there, would be quickly compromised.
Yes, it would be probed, as described by the ISC. Firewall logs always show a barrage of probes from the outside. But being probed is not the same as being “taken over” – what hackers refer to as being “pwned.”
It’s unlikely to find such an unpatched, unprotected Windows system directly connected to the Net. And few systems are compromised “just sitting there.”
Instead, users compromise their computers by engaging in risky online behaviour. No matter how much I nag, users open virus-bearing e-mail attachments, visit sketchy websites, download programs that install spyware, respond to spam ads and type their bank account information in forms on phishing sites. And even if they have reputable anti-virus and anti-spyware software installed, they too often fail to keep it, or Windows and their many installed applications, properly up to date.
So don’t get me wrong: it’s important to be careful online. And minimizing risks means running needed security software and keeping it and the rest of your system updated, as well as avoiding the sleazier neighbourhoods online.
But will just turning on your new computer put it at risk? Despite what the headlines appear to say, I don’t think so.