This is True
Randy Cassingham

Randy Cassingham's Blog

Historical Details and Author's Notes from This is True® - the First For-Profit E-mail Publication (and Still Going Strong).

  Internet Security: Have you Checked Your System Lately? - Comments

You're counting access attempts on various ports, not actual attempts to log onto your server, right? Before I started using a router which is also a hardware firewall, my software firewall logged thousands of access attempts per day as well. I submitted them to a service that analyzed and totaled the records. What I found was that most were not malicious but could be considered "background noise". There were maybe 2% (at that time) which were attempts from infected machines to find other infected machines by accessing one specific port that the infected machines open. Blocking those ports from being opened is the rationale behind outbound firewalls.

While I don't have current figures, my past experience indicates that very few attempts to actually hack into another machine are being made. However, there are certainly enough that a "naked" system should never be connected to the Internet.

---

They're not necessarily login attempts, but they are probing for vulnerabilities. My admin says:

"[The access attempts] are random probes of all types, not just login attempts. Random viruses attempting to spread, other crap. The kind of thing that a firewall stops, and the kinds of stuff that Windows users do need to be aware of."

Finding an unsecured login (such as a default password) is just one way to crack a system. It is foolish to think that by (say) changing passwords, you're safe. That is just one of many, many vulnerabilities, but it only takes one unlocked door for your system to be compromised. -rc

You may be interested in this article posted by Sophos, regarding how the website of the Miami Dolphins was breached just prior to Superbowl.

The one item that needs adding to your article is that users of Windows must keep up to date with Microsoft patches -- there are holes that are patched each week as they are discovered and used by hackers to get into computers.

Security is getting to be more and more of an issue, but much could be prevented if everyone did the basic maintenance of removing spyware, keeping virus protection up to date, and keeping patches up to date.

---

I couldn't cover it all, but indeed your conclusion is great advice. -rc

I have to say, the one piece of advice you give may not be necessary: anti-virus software. I haven't used it in years. Why? Because it slowed down my PCs (yes, even my super-powerful state-of-the-art setups), caused periodic glitches, and honestly didn't do much good. It's far more important to have a trained user than to have anti-virus software.

Part of the reason is that such software is reactive: "Hey, there's a new virus that just caused all sorts of trouble. We've addressed it and now you're safe." Except, if you were one of the first hit, you're still screwed.

The reality is that viruses are extremely rare these days. Trojan horses are all over the place, but if you can just get over using Outlook/Outlook Express (I use Thunderbird) and can then control your urge to open every damn attachment, you've foiled about 99% of "virus" attacks.

My other advice: use Firefox or something other than Internet Explorer (something you've mentioned before); update Windows - whatever version - on a weekly basis, or turn on the automatic update feature; and use a hardware router on broadband connections - mine cost a measly $35 and works fine as a basic firewall.

The key is to train yourself (and others) to not be idiots. Unfortunately, the more user-friendly OSes out there aren't helping. For example, Windows by default hides file extensions. Turn that off in Explorer by going to Tools->Folder Options->View->Uncheck hide extensions for known file types. (The process is a bit harder under Windows Vista - go figure. New OS, and now it tries even harder to make sure people don't know what files really are.)

---

I agree with pretty much everything here, including that you don't need antivirus software (note: I lump trojan horse attacks under that label) if you don't have e-mail software that automatically runs attachments for you (some older ones did!), and you're religious about not running attached programs yourself, EVEN IF it apparently comes from someone you know. Because odds are, it really didn't. -rc

My servers show much less impressive statistics.

Why? Because I completely block IP addresses for a few minutes after they try and fail login. Only very few are fast enough to get a second try before the lockout occurs.

---

It's ridiculous to have to go to such measures, but it sounds pretty smart to me. -rc

I myself run a small private FTP server for friends and family to use as they need it. When I was setting the server up I had not yet turned on any security for it before I went to bed for the night, planning on finishing the next day. In the morning I found that not only had the server been accessed already but it had been "tagged", which is where the hacker makes a directory on the drive claiming the hard drive as their own. After trying to clear the directory and the files on it unsuccessfully, I ended up having to fully format the drive and start over, as it was faster than spending any more time removing everything that was added.

This slip in security set me back a day in personal time. Had this been a live server with data on it already, the hack could have been much more damaging. Now that I have the server up and running I am consistently seeing IP addresses trying to log in to it using a host of names and trying password after password. As the server admin I have the power to block IP addresses, which I do, but so far, after 3 years of the server being in service, blocking IP addresses has done nothing to slow down those trying to gain unauthorized access.

---

Indeed it won't, since there are literally hundreds of thousands of systems all over the world that have been turned into robot cracking and spamming machines. If one gets blocked, no worries -- before long they'll have another one to set against you.

The key thing to notice here, by the way, is why that is: Nathan's system was cracked in less than 24 hours after it went online. That's not amazing, it's typical! -rc
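The per-IP lockout described two comments up (block an address for a few minutes after a failed login) and the follow-up observation that blocking does little against a distributed pool of attackers, as an added example that is not part of the original post or its comments: a small Python simulation over constructed sshd-style log lines. The threshold, window and ban length are assumed parameters, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd format (not taken from the blog post).
# One address hammers the server; a second one shows the distributed case.
SAMPLE_LOG = """\
Jun 10 03:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jun 10 03:00:02 host sshd[102]: Failed password for admin from 203.0.113.7 port 4002 ssh2
Jun 10 03:00:03 host sshd[103]: Failed password for test from 203.0.113.7 port 4003 ssh2
Jun 10 03:00:04 host sshd[104]: Failed password for oracle from 203.0.113.7 port 4004 ssh2
Jun 10 03:02:30 host sshd[105]: Failed password for root from 198.51.100.9 port 5001 ssh2
Jun 10 03:11:00 host sshd[106]: Failed password for root from 203.0.113.7 port 4005 ssh2
Jun 10 03:11:01 host sshd[107]: Accepted publickey for rc from 192.0.2.10 port 6001 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                     r"(Failed password|Accepted \w+) for (?:invalid user )?(\S+) from (\S+)")

def parse(log, year=2007):
    """Yield (timestamp, failed?, user, ip) for each auth line; syslog has no year."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2).startswith("Failed"), m.group(3), m.group(4)

def lockout_decisions(log, threshold=1, window=timedelta(minutes=1),
                      ban=timedelta(minutes=5)):
    """Replay the log and return (ip, user, action) per line, where action is
    'accepted', 'failed' (counted), 'banned' (threshold hit) or 'dropped' (during ban).
    threshold=1 is the commenter's policy: one failure locks the address out."""
    recent = defaultdict(list)  # ip -> failure timestamps inside the window
    banned_until = {}           # ip -> time the temporary block expires
    decisions = []
    for ts, failed, user, ip in parse(log):
        if ip in banned_until and ts < banned_until[ip]:
            decisions.append((ip, user, "dropped"))
            continue
        if not failed:
            decisions.append((ip, user, "accepted"))
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            banned_until[ip] = ts + ban  # block expires; a returning address starts over
            recent[ip].clear()
            decisions.append((ip, user, "banned"))
        else:
            decisions.append((ip, user, "failed"))
    return decisions
```

Note that 198.51.100.9 still gets its one guess in before its own ban: a lockout caps guesses per address, not guesses per attacker with many addresses.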

I consider myself pretty net-savvy. I've been programming computers for over 35 years, and I've been on the 'net since Windows 3.1 was still "shiny". Yet my system's firewall was broken into. (I hate the term "hacked", since I consider myself a "hacker" in the original sense of the word.)

We had recently gotten broadband, and I set up one system on our network to be the router/firewall. Unfortunately, I had set it up in such a way that the Winsock proxy was available from the outside as well as from our LAN. One day, I noticed unusual outgoing SMTP connections on the router's status window. It took me a while to realize just what was happening -- someone "out there" had connected to our Winsock proxy to send spam, and it would appear to the outside world as if it were someone on our LAN sending them. Of course, by then the damage had been done. I don't know how many spams were sent from our router, but our IP did get on at least a few blacklists for it. Fortunately, SpamCop's list (which is what we use) is run by intelligent people, and after explaining what happened, they ran a quick test, saw it was fixed, and removed our IP.

Then there was the time I upgraded the router/firewall from WinMe to Win2000. (The router/firewall software was off at the time, as I was doing the upgrade in order to run the latest software, which no longer supported WinMe.) While downloading the latest service pack, I got a popup telling me I needed to download some security patches. I almost clicked on the link, which of course was really Messenger Popup spam, and would have infected my system. Had I not been downloading the updates at the time (the window of opportunity was only a few minutes, but they found it), I wouldn't have even given it a second thought, and recognized it for what it was immediately.

About 90% of my wife's consulting services lately has been cleaning up the mess people have made of their computers with all of the spyware that's installed on them.

As someone involved in computer security at work, I can assure anyone that the problem is only getting worse. At the last SANS security conference that I attended they announced that their tests showed unpatched and unprotected computers attached to the internet were compromised in less than 20 minutes. Which, unfortunately, means that you often don't have time to fully patch and protect those systems before they are infected! The solution, of course, is other protection such as a firewall.

Also of note is that, as a general trend, there seem to be a greater variety of infection attempts against home-based PCs, but more robust / complete attempts against servers. So although you may not see 3,000 attempts to infect your home PC from one IP, you very well might see that many different IP attempts! Of course, this is just a very generic/general statement - exceptions ALWAYS apply.

I'm happy to see you passing the word along, Randy!

After reading your comments on security, I visited all of the listed sites and, as I expected, not word one about Macintosh weaknesses, and how to prevent crackers, spyware, etc. from coming in. I knew that, of course, Macs are inherently secure, and have never been taken over, in spite of the challenge they represent.

The $10,000 hacker contest that located a QuickTime vulnerability has already been patched by Apple, even though it was never exploitable in the way a Microsoft victim is exploitable.

Bottom line: If you want to lose your fear of the Internet, trash your Windows box (or at least get it off the Net) and get a Mac. Then keep a copy of ClamXAV around for the day someone finally, actually does come up with a self-propagating virus, which doesn't seem very likely considering how long it's been. Hell, back in the '80s, we had MORE viruses than Microsoft, all of which died with the OSX changeover.

You need only beware of phishing posts, which are, of course, platform-agnostic.

---

I have been around computers long enough to remember when only Macs were virus targets. Should they become a large enough segment of the market, they will be targeted again. -rc

"I have been around computers long enough to remember when only Macs were virus targets. Should they become a large enough segment of the market, they will be targeted again. -rc"

Microsoft claims that it has sold 20 million copies of Windows Vista in the last 4 months and it already has at least 6 known viruses/worms/malware in the wild. Mac OS X has about 22 million installations worldwide and has been on the market for SIX years and has yet to have one virus detected in the wild. The Mac OS is inherently more secure and no increase in market share will change that. It's not impossible, but apparently it's pretty hard (the first hacker to propagate a virus on the Mac will be world famous -- don't you think they're trying all the time to be the first?). Just a thought...

---

My statement stands. -rc

I must chime in on the Mac side. There was one successful attempt on the Mac side about 2 years ago. It required users to download and install a "picture", and well, 10 minutes later and no big explosion, it died. The hacking event saw all "elite" hackers fail their intended mission, but one succeeded by a modified set of rules that required the user to accept the hack. Apple had the problem fixed permanently within 3 days.

I am a manager for one of Canada's largest independent Mac dealers, with 4 stores in different cities, and we didn't see a machine brought in with the first "malware". Heck, I haven't seen a virus problem on my machines without antivirus in 3 years. I used to be an MCSE and work for a small mom and pop Windows shop, and even 10 years ago there was at least 1 a week. The stats are staggering against Windows vulnerabilities and we could go on for days about them.

It comes down to one simple fact. People want to have a simple to use machine that they don't have to be experts on security for, and have extra software to maintain. Do you buy a car to do an engine rebuild every 6 months? A computer shouldn't need one either! This may at this point sound like a Mac ad, but no, it is a Wake Up Windows ad. Pull your socks up and get security up to date and fix all the holes!

---

I didn't say Windows security didn't suck. It does. That's why people need to pay attention. My essay didn't mention Macs at all, but as you point out it's still necessary to be vigilant. -rc
