Enough With the Security FUD

One of my biggest complaints with the security industry in general is that they seem to thrive on FUD. I find it to be particularly frustrating, because there actually is a lot of really important information there. Unfortunately, to find it you usually have to dig through layers of junk.

It pisses me off that someone like me, who is generally knowledgeable about such things although by no means an expert, can frequently find articles that are either completely wrong or very misleading. While this is merely annoying for me, the reality is that most people just lack the knowledge about computers and security to understand that oftentimes the information they are getting is just crap.

I was particularly annoyed by a recent article in ZDNet. Basically, a Windows XP machine was set up on an unsecured wireless network and a security expert demonstrated a hack that downloaded some information from the compromised computer's My Documents folder. It took about 11 minutes.

Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy’s unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

Frightening, yes. Surprising, no. The important part of the article is the fact that the compromised computer was running with SP1 and no protection whatsoever:

[They] connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software…

This article isn’t really news at all. It simply demonstrates that if you put a default Windows XP SP1 install on a network, it is likely to get hacked (and fast). In fact, the “unsecured wireless network” part of this article is completely irrelevant. Granted, it may make hacking easier, but the fact remains: a default install of Windows XP SP1 will get hacked.

So, yes everybody, if you do not have SP2 on your Windows XP install, get it now. If you don’t have it because you pirated Windows, buy a fraking copy, or at least start using some free Linux OS (like Ubuntu).

I suppose there is no harm in reiterating the point that everybody, regardless of operating system, should be upgrading their service packs. I do, however, take issue with the sensationalist tone of the article. Using FUD to increase page views or sell software doesn’t help anyone. This article could have just as easily been written about hacks for XP SP2 or Vista with patches installed. The hack probably would have taken a lot longer and needed a lot of things to line up perfectly, but that’s not to say it can’t be done. At least that type of article might have been newsworthy or even helpful. Even John Dvorak knows this article is crap.
