Linux Most Attacked Server?

Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."

Staying uptodate costs money...

[JohnGrahamCumming]

No doubt the Linux faithful are going to bay and scream about this report, but there's something interesting buried in the article. The following quote:

The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.

"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

Although I don't like Microsoft's software and it's a real pain having to get all the latest patches, they do at least tell us when they've got a patch. This is an inadequacy with Free Software that in general needs to be addressed, and it will make a nice revenue stream. At my company we subscribe to RedHat's "uptodate" service that makes sure that we are always patched. Even though the software is Free we are still willing to pay someone to tell us what we need to patch.

It's ironic that Microsoft provides that service for free, whereas Linux requires paying money. But it's good because at least here there's a clear way to make money off Free Software and keep programmers like me from going hungry.

John.

Re:Staying uptodate costs money...

[HiThere]

It's a plausible claim. But I don't know how one would go about substantiating it.

Above it says that it costs 30 pounds to read the report and discover their methodology. Not worth it to me. But before I took it seriously I'd need to know their target populations and their sampling rates. It makes a big difference, for instance, if they only sample people who know and admit that they have been hacked, or whether they have some independant way of checking. And it also makes a big difference if they are counting servers in Fortune 5000 glass houses, or whatever is connected to the web, or (...what are the alternatives?).

I've seen too many bogus news stories to start taking one seriously just because it says that there are a lot of Linux machines out there.

(P.S.: staying up to date doesn't cost MUCH money. I normally run Debian, and once a day I usually run apt-get update/apt-get upgrade. This does sort of depend on a broadband connection, as some days the amount of upgrades would choke a dial up connection. OTOH, most days nothing significant to me has changed.)

Re:Yeah...

[Chester+K]

But think of how many more linux servers are out there than windows servers.......

The ratio of Windows workstations to Linux workstations has never stopped us from divining that the reason there are more viruses for Windows because of its ubiquity, not necessarily its security record.

Why should this be any different?

Help me with the math here

[Lawrence_Bird]

They claim a database of 280,000 attacks since 1995. They claim there were at least 18,000 attacks in August alone, or 6.5% of the total of 1% of their sample. Also, these numbers are meaningless without knowing the total population of each type of server. Oy!

These aren't good statistics

[BrynM]

"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.

So let me get this right. Since third party applications under Linux get hacked, it is attributed to Linux being more vulnerable while MS Windows running third party software is more secure??? So a PHP/SQL injection exploit is attributed to the OS PHP is installed on? Does the exploit count twice then? - Once for each operating system?

I think it's time to break the statistics down application by application at that point. Show me some Apache vs. IIS numbers or MySQL vs. SQL Server numbers or exclude third party applications altogether please. For the record, I run both Windows and Linux for clients and servers and am pretty neutral in the whole OS wars thing. Each has their merits and uses, both need regular security maintenance and I am pretty much happy with both for very different reasons. I'm not a Linux zealot, but I know bad numbers when I smell them. And then...

"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

So MS is shoring up third party applications then? They even go on to cite Sobig and MSBlast as the reasons for the high MS numbers. This is shifting over to a very FUD-like smell now.

Re:Yeah...

[retinaburn]

So we can rail against MS for having an insecure operating system and flaunt Linux's proliferation in the market, and then dismiss that its because of Linux's dominance that more Linux systems are getting hacked. We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed. If there was a larger percentage of windows boxes out there would anyone say 'But think of how many more windows servers are out there than linux servers.......

Linux-based systems not as simple as the buzz

[The+Revolutionary]

Folks who have traditionally been Microsoft users, who have recently installed Linux on an old machine at home or maybe as dual-boot, who have little to no real experience or training with Unix-like systems or with particular open source servers, are going into to the business IT environment and installing Linux-based systems on the hype.

Sure they can get Apache webserver serving pages, they can get Tomcat doing "something", and they can certainly run XMMS quite well on their workstation, but they really have no clue how to properly use these technologies in a production environment.

They see switching to Linux-based systems as being a simple fix.

They aren't willing to extensively review their configuration or product documentation. They aren't willing to put in the significant amount of time that is in fact required to become experts with the technologies.

Yes, they certainly do get a kick out of telling their friends that they have "Linux boxes running their shop", but security suffers due to their naive incompetence.

These techs should be fired.

Open source development may be a "we'll get that feature done when we feel like it" affair, but deploying Linux-based systems in a production environment must not be.

If anything, effectively and securely deploying Linux-based solutions requires more training and knowledge than does deploying Microsoft.

Let's stop pretending otherwise.

Re:Yeah...

[NanoGator]

"We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed."

You are right. I've read a lot of anti-MS babble here that has me a little spooked. Evidently, when Linux is more secure than Microsoft, the impression is generated that you can install a Linux based webserver and you're instantly secured. That's what I did. Being a Linux newb, I set up a Redhat/Apache server and within 2 weeks it was rooted. We had to have our sysadmin build us a new one. (It was a project for me to grow...)

It only takes one exploit to destroy your server. Vigilance is absolutely necessary on either platform. Maybe it's time to end the anti-MS pissing contest and focus on good practices in general for whatever OS you're using.

Re:Interpretations...

[dom1234]

Those are four facts leading to interesting quesitons :

• How much possible in average is it possible that someone makes an insecure Windows system ?
• How much possible in average is it possible that someone makes an insecure Linux system ?

Those probabilities should be pondered by the frequency of default installations, frequency of having an expert rather than a novice as the administrator, etc.

Thus, could someone not knowing which one to choose, and not knowing whether he is hiring an expert or not, rely on those statistics ?

Re:Yeah...

[nicodaemos]

They are not counting server boxes that have been hacked, but websites.

From MI2g website:

Do multiple website attacks resulting from a single system breach count
as one attack or many?

Mass website attacks are counted as multiple attacks because although there is a single
action on the part of the attacker, economic damage is always done to multiple victims.

So if a single ISP box gets hacked, they may count that as 100 linux sites hacked because of virtual hosting.

But even more important than their actual counting methods are where they get their data. Again, according to the same paper:
mi2g is principally reliant on data for SIPS and EVEDA from a number of sources:

1. 
   
2. Personal relationships at CEO, CIO, CISO level within the banking, insurance and
   reinsurance industry in Europe, North America and Asia. We have been involved in
   pioneering cyber liability insurance cover for Lloyd's of London syndicates which has
   given us access to case history since the late 1990s.
3. Monitoring hacker bulletin boards and hacker activity. We have several white hat
   hackers who we use for penetration testing and developing our bespoke security
   architecture that feed digital risk information through to us on a continuous basis
   including vulnerabilities, exploits and the latest serious attacks they are aware of.
4. We maintain anonymous communication channels with a large number of black hat
   hacker groups.

So their highly informed executive manager friends seem to know when their linux systems get hacked versus their windows systems, they browse the web, looking at defacement sites and they converse with script kiddies via email. Umm, does anyone else see an issue with their data collection methods besides me?

If you don't yet, then let me give you a simple example. Let's say that I wanted to bias the results. Mmm ... it appears that all I have to do is deploy one linux box that is virtual hosting say 2,000 sites that noone visits. I leave some things in a very insecure mode and let some script kiddies know about it. Once its been "hacked", the script kiddie posts on a board or sends email to mi2g.com and their numbers move by 2,000 sites.

You can show me analyst reports by people like this all day long. In the end, this report bears no relation to what I see day to day in the real world.

This is some FUD

[purdue_thor]

Come on, where do they get these figures? In August alone:
From NetworkWoldFusion

The Blaster worm - also known as MSBlast or LoveSAN - has spread rapidly since it was first noticed on Monday. It has infected an estimated 188,000 systems running Microsoft operating systems, including Windows XP, Windows 2000, Windows 2003 and NT, that are unpatched for the so-called RPC vulnerability discovered last month, according to a security firm tracking the worm.

They didn't count them. Why? Most of them aren't servers, right? Well how did they differentiate Linux servers then? I bet they didn't -- did they check and only record RH Advanced Server and disregard all the RH Workstation. I doubt it. This is pure FUD by a place that has trouble with math.

Article headline

[Overly+Critical+Guy]

I'm curious, was Slashdot afraid to put "Linux Most Breached Server?" in the headline? The stats were about most breached. The point wasn't who was most attacked. I guess that one word needed to be changed to soften the blow...