

Is Linux as Secure as We'd Like to Think?

man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

10 of 1,091 comments

  1. Ha - Ha! (Nelson voice) by Outland+Traveller · · Score: 4, Informative

    Looks like some of that "defacement" is happening close to home.

    view-source:http://www.zone-h.org/

    DB connection failed ().

  2. Re:I think its the apps by BrynM · · Score: 4, Informative
    I think website defacement and Linux security are 2 different issues altogether.
    Exactly! People tend to trust website "packages", like PHP-Nuke or site building applications a little too much. They tend to assume that someone has already fixed whatever security holes may be in it. When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine-toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing. Since these sites usually end up being run on Linux and Apache, Linux and Apache get blamed when the site is defaced, when the actual weakness that led to the defacement was in the PHP/HTML pages themselves.

    I don't expect everyone to know how to clean up security for a PHP site, but if they decide to use what they don't understand bad things will happen. If you know a novice that wants a site, start them out with some static HTML rather than let them use whatever code strikes their whim as "neat", "shiny" or "cool". Explain to them that they are learning how to eventually do the "shiny" stuff, but they need to learn how to use it safely first.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  3. Re:Psychology plays a role by KrispyKringle · · Score: 5, Informative
    You make a good point; one of the explanations I've seen for statistics similar to those the article posting cites (61% of defaced machines being Linux) is that when an amateur wants to set up a personal website on his cable modem, he doesn't usually install IIS. He installs Linux and Apache. When he wants a really basic comment board or CMS, he uses PHP-Nuke. For his e-mail server, he uses Sendmail.

    Yes, I've run into hobbyists running IIS for fun--by which I mean I discovered his CodeRed infected box on my network--but the cost of a Windows Server license is prohibitive for amateur use, even if plenty of people just pirate it. So in the end, the inexperienced users with no time to spend securing their boxes turn to RedHat with Apache and Sendmail. Which isn't necessarily a bad thing. If I had to choose between Linux or Windows for which to leave alone without regular maintenance, the choice is pretty clear.

  4. Re:Psychology plays a role by Malc · · Score: 4, Informative

    Rubbish. My employer bought a company that was deployed on RedHat 7.0. We are an MSFT-only shop. Let me tell you, those RedHat servers were in worse condition than our Win2K boxes. The servers have been exploited as spam relays (very old formmail) amongst other things. It's pretty bad when a software engineer (me) has to come in and get a server running properly due to the incompetence of the IT staff. They had all kinds of stuff installed that should never have been there. They never cleaned things up. Based on that, I would say there are probably other Linux boxes out there administered by idiots.

  5. Simple probability by noda132 · · Score: 4, Informative

    There are some stats (look for the pretty pie charts) which can help explain the percentage, along with a few key thoughts and speculations:

    • Most web sites run Linux.
    • Linux boxes cause so little fuss it's easy to forget they're there (for better or for worse, most distributions, especially older ones, are very content to leave you alone). I've never run across a Windows server that didn't ask for personal attention at least once every hundred days.
    • Website defacement is often a direct act, not a simple script which happens to take down a site. All operating systems being equal, a cracker would pick sites at random and crack them; Linux would get cracked more than any operating system, assuming the cracker is great.
    • In any operating system, the security is only as tight as the administrator makes it. Well-secured servers are VERY hard to come by.
    • A website defacement is not a remote root. It could be a simple cross-site scripting bug in some CGI/PHP/Perl code, which is not the fault of the operating system.
  6. No. by wasabii · · Score: 3, Informative

    As has been said many times, security is only as good as the admin responsible for it. Yes, there can, and will be a Linux blaster... There might some day be an email worm too... but not like sobig.

    Let's examine the reasons why blaster and not sobig. Blaster exploits a buffer overflow, requires no user interaction. Find an overflow in Apache, you'll have a worm. Not a whole lot that admins can do to prepare for this except application level filtering. It will happen. Those of us who are "in the know" will be patched long before.

    SoBig: This is a user spread virus. It does not exploit any vulnerability. It merely requires the User to click on the attachment and hit open. It relies on badly designed software, that allows a user to execute code legally, easily. Windows lets you click Open.

    Contrast that to most unix mailers: You have to deliberately save the file to disk, chmod +x it, and then run it with ./. Yeah, a bit harder eh? Nobody I know will be able to manage this.

    About the web site defacements. Linux is more complicated to administer, I don't think anybody can argue that. Lately, people have been given this sense of "if I replace Windows with RedHat I will be more secure". That is not true. Security is up to the ADMIN and the ADMIN alone. I would venture to say that a Linux box is MORE dangerous in the wrong hands than a Windows box. Hence your 60%.

    Nothing about this changes anything at all. Those "in the know", generally Unix admins, will not be exploited, whether on Windows or Unix.

    This doesn't mean Unix doesn't raise the bar of your security... you just need an admin that knows how to use it for it to be even close to its potential. With Windows you are always stuck at whatever MS deems "secure enough".... bar writing your own IIS filter or something. :D

    What we need are more smart admins using Unix, not sucky admins that give us all a bad face.

    My two cents.

  7. Re:did you fix it for yourself, or for everyone? by BrynM · · Score: 4, Informative
    I'm working on submitting the fixes I've created actually. I've only recently (in the last two months) started the site, so it's still in-process - code submissions and all.

    It all came about because I am building a module for Nuke. I started looking at the code and decided to do some house cleaning. Most of the fixes I implemented are already in the public (look around at Nuke Forums or search for "php nuke exploit"), so I'm betting that Francisco Burzi (the creator of Nuke) is working on implementing them for the next version if they aren't already in. He's been good about including fixes as problems are found.

    Most of the exploits are simple SQL injection exploits, which affect all PHP/SQL code and not just Nuke. Let's say you want to query user data from a MySQL table named USERS with the USERID as the criteria:

    <?php mysql_query("select * from USERS where USERID=5"); ?>
    This will work great for one user, but to make the code portable, you'll need to use a variable for the USERID, so it becomes:
    <?php mysql_query("select * from USERS where USERID=$USERVAR"); ?>
    When the variable is passed by an online form it will look like this:
    http://foo.yoursite.com/file.php?USERVAR=5
    Because PHP doesn't keep strict variable types, $USERID could contain the number 5 just as easily as it can contain the string "foo". Since the variable is at the end of the SQL query, we can append SQL to the end of our URL like:
    http://foo.yoursite.com/file.php?USERVAR=5%20or%201=1
    As a result, PHP will hand MySQL a query that says "select * from users where USERID=5 or 1=1" (remember that %20 is a URL-encoded space). Since 1 will always equal 1, MySQL will dump every record in the table instead of just the one with a USERID of 5. The way to fix this is simple. Before your line of PHP with the query, just do a simple
    <?php $USERVAR=intval($USERVAR); ?>
    Since our exploit relies on $USERVAR being interpreted as a string, it will fail as PHP intval() will discard everything in the variable from the first encountered non-integer onward. Thus the malicious value of "5 or 1=1" becomes the number 5 again. There are a lot of places where this needs to be fixed and I haven't found them all yet. I'm working on a list that I plan to give to Francisco rather than have him try to keep track of me telling him about many individual ones and lose something along the way. Many nuke users have already fixed these themselves as well. There are other checks that need to be done for string variables, but I've already veered way too far off-topic.

    I would be quite the selfish bastard to only fix the security holes for my use and no one else's. I'm glad you asked though. It never hurts to remind OSS users of their responsibilities should they touch the code. ;)

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
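The injection and the intval() fix walked through in the comment above, as an added example that is not part of the original post or of PHP-Nuke: it builds the USERS table in an in-memory SQLite database through PDO (assumed here as a stand-in for MySQL; the rows are constructed sample data), runs the interpolated query with the post's "5 or 1=1" value, then the intval() version, and finally a bound parameter, which also covers the string-column cases the comment says intval() cannot handle.

```php
<?php
// Added example (not from the original comment). Requires the pdo_sqlite extension;
// SQLite via PDO is assumed as a stand-in for the MySQL server in the post.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE USERS (USERID INTEGER PRIMARY KEY, NAME TEXT)");
    // Constructed sample rows.
    $pdo->exec("INSERT INTO USERS VALUES (5, 'alice'), (6, 'bob'), (7, 'carol')");
    return $pdo;
}

// Vulnerable form from the post: the raw query-string value is interpolated into SQL,
// so "5 or 1=1" turns the WHERE clause into a match on every row.
function lookupVulnerable(PDO $pdo, string $uservar): array {
    $sql = "select * from USERS where USERID=$uservar";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The post's fix: intval() keeps the leading integer and drops everything after it,
// so "5 or 1=1" becomes 5 before it reaches the query.
function lookupIntval(PDO $pdo, string $uservar): array {
    $id = intval($uservar);
    $sql = "select * from USERS where USERID=$id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised form: the value is bound, never parsed as SQL, which is the check
// that also works for string columns where intval() does not apply.
function lookupPrepared(PDO $pdo, string $uservar): array {
    $stmt = $pdo->prepare("select * from USERS where USERID = :id");
    $stmt->execute([':id' => $uservar]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();
$benign  = '5';
$hostile = urldecode('5%20or%201=1');   // the value carried by the post's URL

printf("vulnerable, benign : %d row(s)\n", count(lookupVulnerable($pdo, $benign)));
printf("vulnerable, hostile: %d row(s)\n", count(lookupVulnerable($pdo, $hostile)));
printf("intval,     hostile: %d row(s)\n", count(lookupIntval($pdo, $hostile)));
printf("prepared,   hostile: %d row(s)\n", count(lookupPrepared($pdo, $hostile)));
```

The interpolated query returns every row for the hostile value, the intval() version returns only USERID 5, and the bound parameter matches nothing because the whole string is compared as a value rather than executed as SQL.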
  8. The woes of small business consulting by swb · · Score: 3, Informative

    I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.

    If you've ever installed systems (of any kind) for small businesses (~50 people), you'd know why this was such a temptation and often a functional necessity.

    Many of them have no full-time technical staff. The typical scenario is an "operations manager" who spends most of their time dealing with production issues; a "back office" person (who's usually the consumer of the system, often the head financial person); and then whoever ends up being the technical liaison, which in my experience is whatever office flunky can get WebShots installed the best or who has the copier repair phone number.

    It's sad, but I've done a ton of installs where basically everyone who uses the system is root/wheel/administrator and there are no permissions. If I'm lucky and can figure out there's no one to even reliably change tapes before the equipment is set up, I have it do alternate full backups on different physical disks; I figure it's better than a burned up tape.

    It keeps you in business, but it kind of sucks, since it's apparent that nobody really gives a shit...

  9. Worm potential by MeanMF · · Score: 3, Informative

    Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

    I think the biggest reason that something like Sobig is unlikely is that there are so few Linux machines on the Internet as compared to Windows machines, and since a majority of Linux installations are on servers an awful lot of them are behind firewalls. Worms like this spread by seeking out more systems to infect. If 95% of the systems are running Windows, a worm can spread a lot faster than if it is looking for a fraction of that other 5%. A similar worm on Linux would take a _lot_ longer to spread and would give us more time to react and put a stop to it.

  10. Re:Psychology plays a role by Tony-A · · Score: 5, Informative

    Unix is simply designed and developed much more with security and securability in mind.

    From an old fart, I gotta take exception to that.
    The design is from Multics, which is arguably secure, down to something that is doable on a departmental minicomputer. The design doesn't preclude some degree of security but all the emphasis is on getting something useful done. That said, Unix probably does manage to get the most usable security out of the fewest bits theoretically possible. I suspect that Unix is as simple as it can be and have any pretense to security.

    NT does have security "features". It has lots of them, and they take lots of bits. They are stuck in strange places. If I have a lot of files to manage, I will not be using those features. I do a DIR. I see date and time and file size. No security information whatever. Must not be important.

    Unix, if I do just an ls, just gives back the file names. If I do an ls -l to see dates and file sizes, back comes a mess of x's and hyphens. Must be important. Further, these are in my face every time I'm looking at files.

    Multics was designed to be secure.
    Unix wasn't.
    Windows was designed to be able to claim the most "features"

    Copy a directory from one place to another, where you don't have permission to read some of the files or write some of the targets.
    Windows will give a pop-up and die when it runs into trouble.
    Unix will copy what it can and give you the error messages with its dying breath.
    Windows security. Even a little bit can be too much.
    Unix security. I haven't seen it get in the way, and I haven't really got into groups yet. (Big gripe. I can't have NT users and groups with the same name. Stupid.)