Linux Most Attacked Server?
Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
But think of how many more Linux servers are out there than Windows servers...
On the surface, this statistic serves both as a testament to Linux's growing popularity as a server OS and ammo for those Windows admins who have long taken abuses about the insecure nature of their OS. These ideas, particularly the latter, however, may prove misguided; breaches against servers are rooted not only in the security of their running OS, but also in the effectiveness of the security implementation of the system admin him/herself.
It's ironic that Microsoft provides that service for free, whereas Linux requires paying money. But it's good because at least here there's a clear way to make money off Free Software and keep programmers like me from going hungry.
John.
The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion.
So while these "attacks" on servers totalling about the same damage amounts as usual there was quite a new record high obtained by the RPC vulnerability...
So they are attacking an OS that is known to be running on more servers around the world and the "damage" from these attacks is holding steady, yet we don't mention in the article title that because Windows is MAJORLY vulnerable, there was nearly 30 BILLION dollars in damage done!
Interesting spin.
Also, it has gained something of a reputation as a secure system, at least compared to IIS, and this may be undeserved in installations where best security practices are not followed (most of them). This is perhaps a wakeup call that it's important to patch, only set up services that are necessary, and use a firewall and intrusion detection system, but most people know that already.
I never vote for anyone. I always vote against.
-- W.C. Fields
"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
The only way they've reduced the _proportion_ of attacks on their servers is by losing market share. The total number of attacks against Windows servers is still increasing, so it's a little premature to give them any compliments.
If voting changed anything, they'd make it illegal -- Jello Biafra
They claim a database of 280,000 attacks since 1995. They claim there were at least 18,000 attacks in August alone, or 6.5% of the total of 1% of their sample. Also, these numbers are meaningless without knowing the total population of each type of server. Oy!
I think it's time to break the statistics down application by application at that point. Show me some Apache vs. IIS numbers or MySQL vs. SQL Server numbers or exclude third party applications altogether please. For the record, I run both Windows and Linux for clients and servers and am pretty neutral in the whole OS wars thing. Each has their merits and uses, both need regular security maintenance and I am pretty much happy with both for very different reasons. I'm not a Linux zealot, but I know bad numbers when I smell them. And then...
So MS is shoring up third party applications then? They even go on to cite Sobig and MSBlast as the reasons for the high MS numbers. This is shifting over to a very FUD-like smell now.
US Democracy: The best person for the job (among These pre-selected choices...)
I seem to recall some 500,000 servers being compromised by a worm last month. Do they only count attacks by people?
I think a much more meaningful statistic would be how many fully patched Windows and Linux servers are successfully hacked. With Windows, you are always vulnerable, because the rate at which vulnerabilities are discovered far surpasses the rate at which patches are issued. With OSS, OTOH, a patch is usually issued a few hours or days after the vulnerability is discovered. Hence, the amount of time a successful Linux exploit is usable is usually much lower than an exploit for Windows.
I would guess that most Linux machines that get hacked are due to unpatched/deliberately insecure configurations - like using a dictionary word for a root password.
The society for a thought-free internet welcomes you.
Number (or percentage) of successful attacks against servers maintained by professionals, sorted by operating system.
Of course there are a lot of non-secure Linux systems on the net. Lots of amateurs use Linux. After all, it's free! Notice how much the statistics in the article changed when they leveled the playing field and looked only at servers in one industry: government? Keeping to one industry caused them to look at systems maintained by sysadmins with much more equal skill levels.
From the article: Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
Folks who have traditionally been Microsoft users, who have recently installed Linux on an old machine at home or maybe as dual-boot, who have little to no real experience or training with Unix-like systems or with particular open source servers, are going into the business IT environment and installing Linux-based systems on the hype.
Sure they can get Apache webserver serving pages, they can get Tomcat doing "something", and they can certainly run XMMS quite well on their workstation, but they really have no clue how to properly use these technologies in a production environment.
They see switching to Linux-based systems as being a simple fix.
They aren't willing to extensively review their configuration or product documentation. They aren't willing to put in the significant amount of time that is in fact required to become experts with the technologies.
Yes, they certainly do get a kick out of telling their friends that they have "Linux boxes running their shop", but security suffers due to their naive incompetence.
These techs should be fired.
Open source development may be a "we'll get that feature done when we feel like it" affair, but deploying Linux-based systems in a production environment must not be.
If anything, effectively and securely deploying Linux-based solutions requires more training and knowledge than does deploying Microsoft.
Let's stop pretending otherwise.
.sig Realistic fines for copyright in
That's not the point.
The point is that this report handily debunks the myth that a Linux server is inherently more secure than a Windows server.
The more rational among us here have tried to get the message out that no server is secure if there's an idiot at the helm.
Good admins make secure servers, not an operating system, despite what the zealots would have us believe.
"Ask not what your country can do for you." --John F. Kennedy
If over 12000 servers were Linux and were being successfully cracked compared to 4000 of Windows boxes. Now representing this as 67% is to skew the results. What we don't actually know is how many were in the data set?
Did they sample 20000 servers? 20,000 servers or 200,000 servers?
Linux    67   Breached Linux Servers     12892   73.59%
Windows  23   Breached Windows Servers    4626   26.41%
         90   Total Cracked ?            17518
Well the percentile is only 90% of the figures. Which servers were in the missing 10%?
Did the survey compare Windows to Linux boxes alike e.g.
1 Linux server examined to 1 Windows box, for 20,000 boxes?
I don't see any figures here for accuracy or qualification of the figures.
What I do see is a suggestion that Linux is very popular. If this is the case and we suggest that 80% of the net is Unix to 20% Microsoft, then 67% of 80% of the network being interrupted seems very unusual and rather high as a figure.
So I keep coming back to wondering where the figures have actually originated and been compiled.
I'm fairly sure Microsoft can be secure, but unlike Unix it tends towards insecurity. I've often compared running Microsoft boxes to herding sheep. You spend all your time keeping them alive and free of viruses. Unix on the other hand is the sheep dog, consistent, loyal and dependent.
They can bandy these figures all they like but unless they can flatten the survey and show a clear scope of investigation and comparison then I don't think we should be worrying about the quote.
And that's why Firecrackers and kittens don't mix.
I would say there is an important difference between server hacks and viri in that respect. Most people making a virus specifically target Windows, while most people hacking a server don't target an OS, but an organization, therefore it is relevant that there are more Linux servers, while the number of MS boxes is not relevant in cases involving virus. The attack focus is different.
This statement clearly states that less than 2 percent of the BSD servers on the net were attacked. Yet that is not what the numbers show. The numbers state that less than 2 percent of the attacks were against BSD servers. That is a very different thing indeed.
As such, there are a number of pieces of information that are needed to make this article useful:
The net will not be what we demand, but what we make it. Build it well.
What folks really want to know is how does OS choice affect security for their organization. This study doesn't give them that information.
1) You need to get a sense of reporting bias.
2) You need to make sure you are comparing servers in similar situations (i.e. Linux servers at major, unpopular corporations vs. Windows servers at major, unpopular corporations)--and make sure they are equally interesting targets. I can believe that ISPs that service certain neighborhoods are especially vulnerable to attack--and that ISPs don't use Windows.
3) I would compare how setting affects this. I could believe for example that Linux/BSD are much more secure in the hands of a professional and Linux is less secure in the hands of a novice.
I have heard of VERY few people running Apache on Windows. What's the point?
It would be stupid and reckless to tell a bunch of MCSE's to scrap a Windows server and replace it with Linux. If your organization doesn't have any Linux experience, the next best thing to moving away from Windows is using Apache instead of IIS.
Come on, where do they get these figures? In August alone:
From NetworkWorldFusion
The Blaster worm - also known as MSBlast or LoveSAN - has spread rapidly since it was first noticed on Monday. It has infected an estimated 188,000 systems running Microsoft operating systems, including Windows XP, Windows 2000, Windows 2003 and NT, that are unpatched for the so-called RPC vulnerability discovered last month, according to a security firm tracking the worm.
They didn't count them. Why? Most of them aren't servers, right? Well how did they differentiate Linux servers then? I bet they didn't -- did they check and only record RH Advanced Server and disregard all the RH Workstation. I doubt it. This is pure FUD by a place that has trouble with math.
Another thing that's not clear here is what is classified as a successful breach? Does that mean defacing a web page? Does that mean getting full access to the box? I've had a web page on my server get defaced because I forgot to upgrade PHP, but I didn't really care that much. On the other hand getting my box rooted by somebody is a serious problem.
This sig has been temporarily disconnected or is no longer in service
I'll probably get modded down for this, but oh well.
I post often about how Linux is no less insecure than Windows or any other OS. And constantly, I get bashed, downmodded, told that there are more Linux servers but are less hacked, etc.
And yet here is a study that shows otherwise. Now look at all those people try to dismiss it. Try to dance around it, making excuses, and so on. If this study had shown that Windows was the most breached, people would take it at face value and we'd have the requisite hundreds of "I told you so" posts, hearsay, anecdotes from idiots who don't patch their servers, and so on.
I'm sorry, but I just wanted to say, I told you so. All operating systems are as secure as their admins. Microsoft has millions of dollars and some of the top programmers in the world. They're damn secure. So is Linux. So are all the others, reasonably speaking. Linux is not the end-all of secure systems, and this just makes people who act that way look like idiots (especially when they're making ridiculous excuses to try to defuse the study).
"Sufferin' succotash."
I'm curious, was Slashdot afraid to put "Linux Most Breached Server?" in the headline? The stats were about most breached. The point wasn't who was most attacked. I guess that one word needed to be changed to soften the blow...
"Sufferin' succotash."