Don't Forget That Worms Happen Everywhere
friday2k writes "Securityfocus has a nice column on Worms and their origin in 1988. It explains what everybody should never forget. We have dealt with *NIX worms (Sadmind, li0n, ...) and they will come back again. Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."
I know what would get worms back into the media for a long time - a Warhol Worm. You want to read something scary about worms, go read that. Be sure to read the section "A Worst Case Warhol Worm". It gives me the shivers to think about it.
From the article: "A worst case Warhol Worm is truly frightening, capable of doing many billions of dollars in real damage and disruption. Since it can achieve complete spread in well under an hour, and could begin doing damage immediately on infecting a machine, human mediated responses offer almost no hope of stopping it. "
Complete spread in under an hour! Total destruction of infected servers!
Whee!
Watch for one of these coming out with the next major IIS exploit.
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
I highly recommend showing people how insecure telnet is -- in a dorm, for example, pop up ethereal on one machine and log in over telnet from a machine in a different room. Follow TCP stream, and point to your real password displayed on the screen. This is more effective than lecturing people about TCP/IP and ethernet, and I've only had one guy start asking dismaying questions about how to sniff other people's passwords.
Change your password after, of course. Now if only there were an equivalent way to get people to use PGP...
A *nix sysadmin is less likely to let a machine go unpatched, in the best of all possible worlds.
An NT/2000 sysadmin is a secretary who reboots when the internet thingy stops hoogjamajigging, in the best of all possible worlds.
Seriously, in tracking down a couple of thousand hosts on campus who had Code Red, I have never run into such righteous indignation over a simple lecture on systems maintenance as patching. Of course, many of these users/sysadmins were dumbasses who installed Win2K server because they could, not because they had to. 3 machines in one room were being used as everyday workstations and not offering services for any particular use by the office. Mind you, the services were still offered. Hit the average Code Red machine with your web browser and you will see the default webpage.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
I think that the real reason that MS systems were hit so hard by Code Red and its descendants is that there is a real difference in the culture of the respective developer communities.
There is no reason why all those home systems and corporate desktops should have IIS running in the first place. There is also no reason (generally) for a home linux system to be running, say, BIND or wu-ftpd.
So why does Microsoft encourage the installation of unnecessary software on its systems, and why doesn't it make it easier to not install those services in the first place?
It comes down to culture. Unix-like operating systems are minimalist and modular, because the development communities appreciate elegant code (not necessarily elegant interfaces).
Whereas Microsoft prizes a DWIM (Do What I Mean) approach, which encourages adding functionality 'just-in-case', as Microsoft seems to think that actually asking a user to install a component is a failure on their part.
In the long run, elegant, minimalistic code is easier to understand, and therefore easier to secure (examples are Sendmail vs. qmail, or BIND vs. djbdns).
The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
Take a look at the SANS Institute's "Ten Most Critical Internet Security Threats" here.
Notice that the level of representation of MS products is quite low. Consider that the Open Source Community's conventional wisdom is that closed source leads to insecurity. I am risking the almighty flame when I say so, but here it is: Monoclonal OS prevalence is the issue, not open source versus closed source.
What I am saying is that the OS with the greatest market share attracts the hackers the most because they get the most "bang for the buck."
But two conclusions can be drawn about this observation, one good, one bad:
The good: the move towards an "OS ecosystem" of various flavors of OS is the healthiest for the Internet. Because if something like Code Red were to reappear, only a minority portion of the pie chart of OS prevalence would succumb, as opposed to the majority slice. I use the biological allegories "monoclonal" and "ecosystem" because you can say the same thing about crop resistance to insect/ bacterial/ fungal/ viral pests: the more the genetic similarity of crops, the greater the risk of one solitary biological pest taking out all of the Midwest as opposed to one cornfield.
The bad: Microsoft, having the greatest exposure to exploits now, is getting the most experience with dealing with exploits. Dealing with them at a business, PR, and technical level. The more you fight a war, the better you get at it, and Microsoft will only get better and better at it, the general public will only grow more and more confident with their fight, and fewer and fewer exploits will be discovered. Other OSs haven't borne the brunt of the kind of hacker attention yet that fosters this kind of improvement, unfortunately for us all, who live in the ecosystem of the Internet.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If as many people tried to compromise UNIX systems as often as they do Microsoft systems, you can bet that we'd be seeing some pretty serious UNIX viruses.
Your basic premise is correct that there are more people trying to break MS systems than Unix/Linux systems, but U/L will never be as vulnerable for a number of reasons:
1.) There are several flavors of Unix and dozens/hundreds of distributions of Linux, not to mention all the different version numbers of each of those. This would dramatically impede the spread of any worm. Almost every MS-based site has IIS 5.0 and it is this homogeneousness that allows things like Code Red to spread so quickly and effectively.
2.) Unix/Linux systems in general are easier and safer to patch. Almost every MS patch requires a system restart and it is not at all unusual for the patch to break something else. I have never had a security update break anything on my Debian systems, nor have I ever had to restart the whole system. The service updated (such as the recent Horde/IMP updates) is restarted and the user doesn't even know, even if he/she is using the system at that moment (I know this because I did it as a test case here at work. Someone was reading their email on our IMP system while I upgraded the system. Yeah, a bit dangerous, but we're a small company and no one would have gotten in trouble. Regardless, she didn't even know anything had happened).
3.) Security holes are much more frequent on MS systems. We all have heard about the fact that the last known remote root exploit for Apache was over 3 1/2 years ago. There have been a few security patches since then, but nothing nearly so troublesome as Code Red. I read somewhere that there have been over 40 serious holes in IIS this year alone, although I don't remember where I read it and it may be apocryphal.
Bottom line is that while it may be true that if as many people who are attacking MS systems started attacking Unix/Linux systems, we might see more issues on U/L, it is also true that Unix & Linux are better engineered from the start, easier to upgrade and more varied, all of which make them much more secure inherently than MS solutions.
Cheers...........
I'm waiting for the time when a worm comes out that exploits a vulnerability that has yet to be 'discovered' yet.
All that has to happen is for a worm writer to be the first person to find a vulnerability. Then (assuming that this person is malicious) their worm would have a tremendous advantage. They would be guaranteed that every single server running that particular OS would be open to attack. If they took the time to write a really nasty worm (say it's set to replicate itself 10 times and then try and erase everything it can reach on the networks it has access to, except itself) this would quite assuredly bring a large proportion of the internet to a grinding halt.
And you know it's got to happen some day...
A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
Do I have any numbers for this? Nope... I'll leave that for somebody else to dig up. I'm a BugTraq reader, and I'm amazed at the sheer number of serious IIS exploits that have recently been coming out. I haven't seen anything new in the past few weeks, which is good, but take a look at the sheer number of buffer overflows alone that have been found in IIS lately. I bet it's more, or really close, to the total number of buffer overflows found in things like sendmail, bind, apache, and even telnetd in the same time span.
As a programmer I'm appalled here by IIS. Buffer overflows are old, but they keep coming back up. IIS is a new product, most likely written entirely in C++, which should be making the string handling much simpler than the C counterparts. These IIS holes are coming about due to either laziness, incompetence, or indifference on the MS coders' parts. These aren't obscure either. You request a long URL and you overflow a buffer? C'mon here. The URL is coming from untrusted users -always-. Access point #1 into the system isn't even being looked at for possible holes... over and over.
One would think (read: hope) that MS has got a slew of people over-looking all areas of IIS for possible buffer overflows right now. Maybe they'll actually fix some before they're found? Doubtful... given their track record of re-active security.
Justin Buist
I'll say it yet again, since this is just another way of drudging up the Code Red issue. The problem isn't the platform, it is the administration of the platform. If Unix can be counted on to be mismanaged then an exploit will surely surface. In short, if the Unix world ever finds itself in the state of the Windows NT world, where boxes aren't administered and patched, we too will be nailed. Is anyone surprised? No. Okay, let's let this tired topic die already.
-- Solaris Central - http://w
No matter if it is a DOS attack or a worm or any other kind of attack. No matter what OS you are supporting and using, if you as an Admin don't have the proper service packs and updates installed then your OS will be a victim sooner or later. Having competent people running the shop is where it is all at. If you look at the latest worms, Red Hat's and MS's, they could BOTH be avoided by updating software.
Sorry about the spelling, I really need to get a spell checker plugin for /. posts!
"If ignorance is bliss, why aren't there more happy people in the world?"
And don't forget that the GPL is evil, and any program you write with it is like a virus. Hey, wait a minute.. :P
Imagine Code Red in which almost all servers are NT/IIS and there is no web, no central authority, no "experts"...
It caused the Inet as it was to cease to function. People had to pull their boxes off-line to keep from getting repeatedly infected.
The confusion and panic that followed led to the creation of CNet and was the start of most of the big, early Inet security organizations that exist today.
<old codger>
You young whippersnappers don't know from worms. We used to create worms on punch cards and you had to mail them around to get infected! Those were the days!
</old codger>
I suddenly feel old and have to go lie down....
=tkk
Bill Gates - Creationist?!?
That should make the point of the superiority of Linux worms over Windows worms and end all the FUD.
I love you, Stéphanie
When IBM sprayed SF sidewalks with Linux graffiti (some is still there)
sulli
RTFJ.
You all say that Unix admins know more, or that open source programs have patches out faster, but what about all those people who know little about linux and install it. They can just as easily leave their computers unpatched, running 24/7 using some cable provider. More and more people are trying out linux, it doesn't mean all of them are smart. So of course the same thing can happen.
Talked about his experience as a worm. In the interview here. It has some advice for newer worms and viruses.
Don't most UNIX admins need to know something about the OS other than the size of the install base, therefore actually patching their security holes in a reasonable amount of time? Let's not forget the issue is NOT Microsoft's security hole. All OSes have that; it's that the userbase is not up to date on installing the security fixes. We just hope everyone who bashes MS will patch their own holes come unix worm time.
I think there are 2 real points to the fact that *NIX systems are more secure. First of all, UNIX is more mature than MS software, therefore they have already been through the more trivial problems with holes. The second point is that because of Open Source customers get to choose what part of the software gets the most development. Security gets attention when those affected by bad security get to decide.
I'm not here now... I'm out KILLING pepperoni
To a Lisp hacker, XML is S-expressions in drag.
Right now there aren't any non-proof-of-concept Linux viruses.
I can just see it:
Hi! How are you?
I send you this perl script that must be run as root in order to have your advice
See you later. Thanks
*** Where are we going? And what's with this handbasket?
And Windows had its viruses 10 years ago. Those holes have been patched, and now people know better.
err...
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
Yes, worms can happen everywhere. That's because practically all network software is written in C (or its perverse descendant, C++).
If we were coding our network software in a secure ("safe") language (one without buffer-overflow "capabilities") such as Java, O'Caml, (or even scripting languages like Python, to an extent) we would greatly reduce our security risk. Given that these languages also typically increase productivity, it seems like a clear win to me...
Microsoft realizes the contribution C and C++ make against stability and security; they've recently hired up a lot of famous programming language folks to work on new language technologies. Microsoft knows that large projects written in languages without sophisticated modularity constructs (i.e. C, C++) tend to get out of hand quickly. They're working to fix this! They're even working on technologies to improve the stability of device drivers through language technologies (see the Vault project, for instance).
However, C has always been the UNIX platform's language. Will UNIX stay in the 60s as even Microsoft moves on? If so, I say it will be the "wormy" operating system family of the 21st century...
I have read a lot of posts in this discussion (and similar discussions in the past) talk about how *nix is better than NT. Then, some of the more level-headed among us pipe up and remind us that no OS is truly secure, and that the difference lies not with the system itself but with the system administrators. Thus, it follows that *nix admins are better than NT admins.
I most heartily disagree. Sure, there are *some* *nix admins that mop the floor with NT admins... but the opposite is also true.
I think we are all forgetting exactly what an "admin" is. An admin is *not* any JoeBlow@aol.com that stands up a web server! A system administrator is an IT professional who researches his work and prides himself on keeping his machines running smoothly.
If you think about it a little, I believe that you'll agree that the major cause of the whole Code Red problem is not the NT admins out there, but rather the JoeBlow@aol.com's who really don't know what they're doing. Ignorance, people... ignorance is our enemy! Not Bill Gates, not MS, not closed source! It's ignorance and apathy.
It's always a long day... 86400 doesn't fit into a short.
I'm not a very close observer to any of these things, but it seems like the recently noticed telnetd exploit has really screwed over more sites than Code Red has, which seems more of a bandwidth hog. I mean, a years-old simple string buffer overflow giving root access on so many linux boxes is inexcusable for people trying to "sell" Linux on its general security and reliability...
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Windows (NT/2000) has some good security features in the kernel, the problem is that they are not properly used by the operating system as distributed by Microsoft. Locking things down would break too much stuff.
UNIX/Linux has an archaic security model that hasn't changed in decades.
Both operating systems suffer from being implemented in C, an unsafe language. It is possible to write secure code in C, but most people have neither the expertise nor time to do it correctly.
My hovercraft is full of eels
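Several posters above make the same point from different angles: the IIS poster's "you request a long URL and you overflow a buffer?", the "safe language" post, and the note that secure C is possible but rarely written. The block below is an added illustration, not code from any poster, from IIS or from Apache. It puts the classic unbounded copy of a request path into a fixed stack buffer next to a bounded version that refuses input before a byte is written. `PATH_MAX_LEN`, the function names and the constructed request lines are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration for this thread (not code from IIS, Apache or any
 * poster). PATH_MAX_LEN and every function name below are assumptions. */

#define PATH_MAX_LEN 64   /* assumed size of the server's path buffer */

/* The defect the thread complains about: attacker-controlled bytes from
 * the request line copied into a fixed-size buffer with no length check.
 * Any path of PATH_MAX_LEN bytes or more writes past the end of `path`.
 * Kept only for comparison; nothing below ever calls it. */
void copy_path_unsafe(const char *url, char path[PATH_MAX_LEN])
{
    strcpy(path, url);
}

/* Hardened copy: the caller states how much room it has, and an input that
 * does not fit (including its terminator) is refused before a byte is
 * written. Returns 0 on success, -1 when refused. */
int copy_path_bounded(const char *src, size_t src_len, char *dst, size_t dst_len)
{
    if (src == NULL || dst == NULL || dst_len == 0)
        return -1;
    if (src_len >= dst_len) {   /* no room for src plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Parse a request line "METHOD <path> HTTP/1.x" and accept the path into a
 * PATH_MAX_LEN stack buffer. Returns 1 when accepted, 0 when refused; a
 * real server would answer 414 (URI Too Long) in the refused case instead
 * of letting the copy proceed. */
int accept_request_path(const char *request_line)
{
    const char *sp = strchr(request_line, ' ');
    if (sp == NULL)
        return 0;                        /* no path at all */
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);

    char path[PATH_MAX_LEN];
    return copy_path_bounded(start, len, path, sizeof path) == 0;
}

/* Test helper: build a constructed request line whose path is n bytes of
 * 'a' and report whether accept_request_path() takes it. Returns -1 if n
 * is too large for the helper's own (bounded) buffer. */
int request_with_path_len_accepted(size_t n)
{
    char line[600];
    if (n + sizeof "GET " + sizeof " HTTP/1.0" > sizeof line)
        return -1;
    memcpy(line, "GET ", 4);
    memset(line + 4, 'a', n);
    memcpy(line + 4 + n, " HTTP/1.0", sizeof " HTTP/1.0"); /* copies the NUL too */
    return accept_request_path(line);
}

int main(void)
{
    printf("GET /index.html : %s\n",
           accept_request_path("GET /index.html HTTP/1.0") ? "accepted" : "refused");
    printf("63-byte path    : %s\n",
           request_with_path_len_accepted(63) ? "accepted" : "refused");
    printf("64-byte path    : %s\n",
           request_with_path_len_accepted(64) ? "accepted" : "refused");
    printf("300-byte path   : %s\n",
           request_with_path_len_accepted(300) ? "accepted" : "refused");
    return 0;
}
```

The design point is that the length decision is made once, at the boundary where untrusted bytes enter, and the copy routine carries the destination size with it; a 64-byte path is refused even though it is only one byte too long, because that one byte is the terminator the unsafe version would have written past the buffer.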
"Sooner or later" is effectively a LIE because whether it's sooner or it's later makes a huge difference in securityville. You're also ignoring the ``quality'' of the intrusion (such as carte blanche versus mere DoS).
Me for later, much later. While I could do even better, I use Mandrake 8.0 for production work. It's a bit bleeding edge in some ways - and I pay for that - but it comes with two massive advantages over many Linux distros: it installs reasonably securely unless you tell it not to (warns you when you install world-visible services and if you choose a "high security" install even disables those), and it can automagically update itself. Debian users in particular have long had these comforts.
All Linuces have at least five huge additional advantages over Windows:
Yes, administration makes a big difference, but all OSes are a loooooong way from interchangeable when it comes to vulnerability.
Got time? Spend some of it coding or testing