Slashdot Mirror
Linux Most Attacked Server?
Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
In all fairness, if the Windows icon is broken, shoudn't tux be bruised or crying or something?
What are the other 9.8 percent running......and why!?
Does this count the number of Windows machines that were 'compromised' by BLASTER and its children? If someone gets a binary on my server and controls what my server does ( in this case, replicating the worm ), then I'd call that hacked. Just because a worm did it vs. a human doesn't mean anything. More direct hacks on Linux machines might just mean that there was much more human effort expended.
I want to delete my account but Slashdot doesn't allow it.
How do these numbers relate to the number of servers which are 'attackable' by hackers? ...even assuming (as they do) that home desktop machines on DSL/cable modems which are compromised (by worms or hackers) are not considered 'server attacks'.
Well, they don't say that, but if you include the number of infected Windows desktops this year, I have a pretty good feeling it would be a LOT more than 12,000, even if you only include infections designed to give control to an outside party (as opposed to simply spreading).
So, I wonder....the interesting statistic to me would be what percentage of attacks against each platform are successful? This statistic is not explicitly stated. Also did they include OS X as part of the study?
Visit Jonesblog and say hello.
They count hacker attacks, although without knowing the relative numbers of servers we don't know which O/S is better.
But what about vender attacks, like patches that crash the server, or the DoS attacks that happen when a server is taken off-line for patching? And surely a precautionary disconnect when there is a MS virus storm has to count as a successful DoS attack.
-- Pot is safer than Beer
mi2g disclaims all warranties as to the accuracy, completeness or adequacy of the information. mi2g shall have no liability for errors, omissions or inadequacies in the information intelligence offered or for interpretations thereof. mi2g disclaims itself of any sales lost or damages incurred to other parties as a result of this information.
Doesn't seem like this company is too confident in any of the claims made in these reports..
Their monthly intelligence has a quote that makes their "reseach methods" look shady:
The Monthly Intelligence analyses and collects data from over 7,000 hacker groups worldwide and provides detailed monthly and year-to-date information on:
Seems a little far fetched to me, I doubt many "hacker groups" are open to research companies doing data collection.
It's a little bit vague, are they talking about "number of domains defaced" or "number of physical machines compromised"? Browse a little at Zone H to get an idea about how this could be misleading.
And now it's the other way around?
-------
Warning: Slashdot may contain traces of nuts.
Gotta consider the source of this study: mi2g. They haven't been totally reliable in the past, and mi2g seems to be more interested in generating press rather than doing anything.
Of course, nobody in The Media will consider the source: the sound bite is just too good.
Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
...who can't remember his login" my ass! More like "anonymous guy who was afraid of the lynching he'd get for posting this to /. under his real username".
do not read this line twice.
Well, you could probably conclude that, because vulnerabilities in Linux and Linux software are usually detected and fixed sooner, and Windows vulnerabilities depend on Microsoft deploying the fix (which might take a while, as we know), we have different cases of who is to blame.
First, In the Windows case, shit might happen because it takes longer for a proper fix to appear (though, on the last DCOM-related vulnerabilities, we should give credit to MS for the quick response to the problem). If a patch does not exist, the admin can not do as much (unless he has a proper firewall).
In the Linux case, patches are generally avilable quicker, and upgrade functionality like Debian's apt-get makes it fairly easy to update the systems. I would guess that most holes that lead to the attacks mentioned in the article have long been patched, and it was merely the admin's fault for not watching his system.
So, I would say (though it's a subjective opinion) that Linux systems can be much more secure, even if attack _attempts_ on Linux systems were to occur more often than on Windows systems. But it all depends on the administrators. Windows systems, on the other hand, might let you get in a situation where you depend solely on Microsoft to respond to the security problem -- not a very nice situation.
Oh, and yes, there are more viruses for Windows, but that includes the 'dumb end-user' type such as SoBig, which are purely unrelated to server attacks. And those, I'm more than sure, will _not_ appear an Linux systems since I do not know of an email client that makes it so easy for a user to execute incoming garbage straight away.
I really wonder whether there are more known attacks to Windows _server_ systems than to Linux systems if you exclude all those Desktop-user viruses. Anybody know?
The power and the loss of the Linux as a platform. It is very flexible and configurable. Nothing mandates you for something. That's why for instance Debian set of cds include perhaps over 200 different text editors.
..) available but they are not mandated on. For instance Grsecurity. If it was forced to all the distributions to be by default on, there would be a noticeable drop in the amount of break-ins.
... ? ... and there would be virtually no break-ins anymore. Really. It's not THAT hard. Microsoft is doing it and seems that the "Linux community" is unable because the idea of forcing the boxes to be secure is against the main philosophies behind Linux.
It is quite ridiculous since there are a lot of security improvements (patches, applications, workarounds, alternative programs,
Microsoft and Windows? Well, the security features are crap but even more and more of that crap is turned default ON. That's what is making the difference. Only Redhat seems to turn at least some (though not many enough) things default on and include some features.
Furthermore, Linux has been earlier sprouted "as the secure platform". The converts from the Windows world have taken it granted and dangerously let most of the settings to stand as default. The amount of education and easy to use admin tools and howtos have not been up to par.
To make the Linux a lot more secure platform there should be a base that all the distributions would conform to. All of them. To all the features. They might not be actually forced to be used but they should be there with just one click. Not perfectly, yes, but still.
What would be needed instantly, my first thoughts:
- Better logging facilities and better default configs
- Most of the features from Grsecurity (that don't break X which uses a perverted non-standard stack smashing methods for internal use)
- Only SSH2 with tight settings allowed
- Automatic updates on by default (there are a LOT non-patched apache 1.3.26's out there. I noticed even VA Linux running some, lol)
- Automatic system on updating the kernel (stables only, with grsecurity pathces naturally)
- Normal user should be almost forced to used with sudo to administer the boxes, not logging in as a root
- An automatic reaction and notification of important events to the administrator
- Telnet and other legacy things killed
- Iptables on by default, with a large set of preconfigured rules and easy tools for clicking services on and off
-
"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.
I must confess that the first linux server that I set up was hacked for the very reason mentioned: my ambition exceeded my knowledge.
Imagine my chagrin when I got email from a couple of companies stating that an attack had been launched on their servers from my system! Let me tell you, I fixed that right quick!
I find it interesting to note the low number of Unix boxes that the article mentions as attack victims. Based on the experience of my own personal ignorance, I figure Unix operators are probobly more savvy, ergo tighter security and fewer successful attacks. Personally, I haven't been able to figure out how to configure a Unix server in a usable manner (having tried FreeBSD and failed miserably). I find Linux easier to work with, which, perhaps, invites disaster when someone with limited savvy (such as I, once upon a time) decides to roll out a server and expose it to the wild west Internet.
[For those who wonder, the incident involved someone setting up an IRC server app on my system, which then attempted to install itself, apparantly, on other systems that were better-secured than my own. Thereafter, I put everything behind a linux firewall that was locked down tighter than a nun's dainty underthings. I hope this humble and frank admission of ignorance will learn y'all to lock those ports down TIGHT!]
Mmmmmm... Bold, yet refreshing!
12,892 Linux
4,626 Microsoft
360 BSD
------
15,878 Total attacks
43,144,374 sites (netcraft)
~64% run Apache - assume all are Linux
~23% run Microsoft
64% * 43,144,374 = 27,612,399 sites running linux
23% * 43,144,374 = 9,923,206 sites running MS
0.0466% Linux sites hacked
0.0466% MS sites hacked
So, they were each hacked equally. Now the real measure would be weather the OS was hacked or software running on the OS was hacked. In particular, compare Windows vs Linux hacks, and then Apache vs IIS hacks, and then compare all remaning. Those would be interesting.
"Time is long and life is short, so begin to live while you still can." -EV
No, what he meant was we would like to see how many *attempts* there were, not just the % of successes. Without that information it is not possible to make an intelligent conclusion.
The article seems to want us to draw the conclusion that Linux is not as secure as MS. And while I won't dismiss the idea entirely, it's not reasonable to accept this without knowing more.
Did Linux repel only 25% of the attacks on it? 50%? 90%? How well did MS fare? We don't know. It doesn't say.
To be blunt, this article is a waste of time.
I call bullshit. Most Windows problems are patched long before they're exploited. See Code Red, Nimda, Blaster, etc. All of these were fixed long before they were exploited, and yet long after the worms first appeared people were still being hit. While I will agree that there is a possibility of patches taking a while to appear from closed-source software (and that it has happened, usually regarding Internet Explorer), that has been the case only in a very minority of important patches. As well, though you call out Debian's apt-get for making it fairly easy to update systems, Microsoft has Windows Update (and they freely-available provide software to run your own Windows Update site, so that you can verify patches before pushing them out to your site). Therefore, your argument is a red herring.
Bingo! 99.999% of all of the problems with both Linux and Windows being insecure have stemmed not from late patches, but from administrators not keeping on top of security for their machines.
It's false to say that Linux will not ever be affected by such viruses, because it's quite possible. Even with proper separation of user rights and administrator rights, a user can still royally screw himself and his data. More, all it takes is one unpatched local root exploit ("I'm not too worried about local exploits, because they're local" is an attitude that will get you in trouble if you have users ...), a malicious binary that exploits it, and a dumb user. As well, with more users wanting to use Linux, the need will come for user-friendly desktop apps (what do users want to do? easily open e-mail attachments. Better code that properly, our you're going to be as bad as Outlook Express ...). Users will also want to be able to easily install software (see Lindows, and how at least initially it suggested you not only run as root, but without a password!). There's work to do on Linux before it will be acceptable to Joe Sixpack or Bettie Secretary, and unless developers keep their wits about them they can (and will!) fall into the same problems seen in Windows.
That's probably one of the worst articles I've read from Slashdot lately. The "report" in question appears to be from British security company "mi29". First of all, that name is wrong their name is mi2g. Oh wait, THAT mi2g?
Sorry people, but I don't think they're reliable or trustworthy. They're nothing but fearmongering vultures from what I've seen of them. And as for the report? Well, it's not free, it costs 30 pounds.
So we're presented with declarations from a report of which we cannot check the methodology, by a firm who likes to regularly make pronouncements of doom that never happen. Should we believe it? Certainly not. We should simply suspend judgment for the simple reason that we lack critical information to judge its value.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Needless to say, the regular server administrator for that site is in an uncomfortable spot now.
and to this day none of them have gotten owned.
:), but am fully aware that it is not if but when it will happen again. With that mindset I now have a plan to recover from a attack and am vigilant about looking for updates and possible attacks.
Not that you know of anyway.
When I was a linux noob I had two boxes rooted(one was set up to email bomb mirablis, who blocked my IP and ended up reversing the bomb on my box because of returned mail which is how I noticed the problem...pretty damn funny when you think about it). I traced it back to security hole in wu-ftp. I have sinced learned
Not that I am arguing with linx > windows, but just because its Apache doesnt mean its linux.
members are seeing something, your seeing an ad
This is actually a great proof out there. This means that even though there are more stupid linux sysadmins (or wannabe sysadmins), linux itself is more secure.
The number of linux servers affected by virus or worms, or what have you, is significantly lower than the Microsoft counter part - even though more linux sysadmins are dumb.
That means that a linux server is secure (or at least less susceptible to worms) - even if the sysadmin can't pick a good password.
Paul Seamons
Per the initial write-up: "...all successful and verifiable digital attacks against on-line servers targeted Linux..." (my emphasis)
The key word here is 'verifiable'. It is much easier to detect and validate that someone has hacked a Linux box, than a Windows box. We don't know the following that would lead more credence to any claims:
1. What is the ratio of M$ to Linux boxes that were attacked that we don't know about? (undetected and still infected - I would argue this number is much larger on the M$ side)
2. How were the percentages arrived at? If there are more Linux servers on the network than Windows servers, then we can not quantify 'percentage of total servers' and have it mean anything useful in terms of total numbers of attacks because, statistically, Linux attacks will outnumber Windows attacks given a standard distribution; since most script kiddie tools run on, and target Winblows machines, a 21% of total attacks on a few windows machines is more significant than a 67% of total attacks on a much larger group of Linux machines.
Social science numbers have no intrinsic value, except to the uninformed.
"Figures never lie, but liers tend to figure." - Longfellow
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Here's some help with the math: according to my estimates, based
on the network traffic that the (as yet unexploited, though I don't
take this for granted) Linux-based CGI server at work logs, the
_average_ Windows server is exploited by script kiddies, worms, or
viruses several times per year. Now, some of that is the same
servers being hit over and over again because the admins simply
refuse to learn about patches, so a well-maintained Windows server
will not be exploited that often. Still...
If there are more attacks on Linux servers, it's because there are
more Linux servers, or because attacks on Linux servers get noticed,
or something -- not because Linux is more likely to be targeted.
Either that, or we're only counting attacks that were conducted
against an individual server by an individual attacker with more
skills than just the ability to run prefab breakin tools.
Cut that out, or I will ship you to Norilsk in a box.
They claim a database of 280,000 attacks since 1995. They claim there were at least 18,000 attacks in August alone, or 6.5% of the total of 1% of their sample
*scratches head*
I don't get it. I mean really, WTF is "6.5% of the total of 1% of their sample"
1% of their sample = 2,800
The total of 1% of their sample = ??? what value are you totalling?
6.5% of 1% of their sample = 182
I don't really see how your math works...
For those who you know actually care about math and stuff, 18,000 is 15.6% of 280,000... which is certainly quite a large figure for a single month out of the 80+ months in which this sample data was collected...
I am disrespectful to dirt! Can you see that I am serious?!
Red Hat, especially older versions, is insecure out of the box. It's an inherent consequence of the lack of a convenient auto-update mechanism. I recommend Debian stable for quickstart web services: the key step is the one where after you have it all set up you say "apt-get update; apt-get dist-upgrade" and all of the sudden your box is protected against essentially all known exploits. Red Hat should provide Magic Carpet or apt or something as a free default service: otherwise, there's no way the distro is going to *stay* secure across time. And unlike MS, it is quite uncommon to apply a security patch and have it break existing unrelated stuff.
I know we don't consider the primary purpose of the blaster worms as being to take down networks. Regardless, there were many networks disabled, taken down purposely to stem the flow, or just slowed to a crawl. Seems to me that Windows vulnerabilities are far more powerful and prolific than those of linux.
Let's also not forget that Windows NT marked the advent of the ignorant sysadmin. MS made it so that any yahoo willing to purchase a pc and their server software could put up their own server in very little time with very little knowledge. They literally blazed the trail for security education to those that really didn't care. Linux distros have learned from that and tightened their base security a great deal from the very early Slackware distibutions that required the enthusiast to configure everything. (where I broke my teeth)
I'd say linux has come a long way. It's broken into a new area- the ignorant sysadmin (that wants to lower the bottom line). Truth is: you can't enter this arena without doing some work and without being conscientious of your environment.
Welcome to the mainstream!
There are a lot of hacked Windows machines out there sending out viruses that the owners don't even realize are hacked.
When are people with Windows machines on broadband going to do their homework and STOP CLICKING ON EVERY ATTACHMENT SENT BY STRANGERS? (Geez.. didn't their parents tell them not to talk to strangers when they were kids?)
!@#$% whole-grain cereal. When I want fiber, I eat some wicker furniture. - G. Carlin
Check your EULA. If you want more than 5 simultaneous connections to your NT/2K web server, you are NOT ALLOWED to use anything but IIS.
That way, Microsoft can say they still offer choice, but if you want to use it for anything useful, then not really....
"The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups."
So, its like, here we have an organisation that manage to track 7900 hacker gruops?
Riighht...
That should make echelon pretty jelauos. The numbers are spewed out with no explanation whyatsoever wich makes someone as paranoid as me very suspicious. I have a hard time imaging a hacker giving numbers that easily. Smart hackers tend to shut their mouth. We only see the stupid scriptkiddies who brags on irc. I hope they havent used IRC logs as a measurement even if it wouldnt surprise me at all.
"Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August."
Why arent the numbers for this accounted for? I interpret this sentence as if Windows Servers was infact more attacked at govts. Why isnt those numbers revealed? Was there like, 100 000 Windows attacks or 10? The difference is also quite amusing between the number of successfully attacked systems. It seems like the govts is better at securing their servers than comercial online shops are.
And again Riiighht...
"The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.)."
"The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion"
If im right here server attacks from hackers cost 707 million. Attacks from viruses/worms (Windows since how many has even seen a linux worm let alone experienced one?) cost about 27 billion.
In that retrospect its kind of annoying if mi29 pats Microsoft on the shoulder since they account for almost all lost productivity and loss of income. Since the Microsoft attacks costs so much more or are so much more expensive i find it very hard to come to no other conclusion than that the linux attacks are no more than supercicial breaches easy recovered from. Either that or the numbers just dont add up.
As i side note, yes i think linux need better security but to gain real security on cheap intel/amd there need to be some better memory protection and more belts and straps. If one security mesurement fails there should always be a backup system to catch what slips through the first line of defense. This is my strong belief drawn from my view that no system can be whitout faults. We should try and mimik the way airplanes are built and used.
HTTP/1.1 400
The OS is really not as important as the security habits of the sysadmin, particularly related to password strength. I've known a lot of platform bigots (you know the ones, Linux is God you Microserf, bow before me for I am root and can write perl scripts) who used really lame passwords. Compromising a machine, regardless of platform, is easier when the machine is not patched (see bugtraq) and when strong authentication is not used.
Again, I repeat myself here, but it has to be said...EVERY OS is vulnerable. If anything, this article doesn't surprise me because of the difficulty in protecting a Linux system, an inherent problem with *nix flavors. You can build them to be beautiful, screaming machines, but you have to have in-depth knowledge about what to do, how to do it and why you should set them up a certain way. If you don't know what to protect yourself against, you won't do it...
Using 3L337 as a password won't protect your system from script kiddies, sorry.
man rtfm
Since the stats for percentage hacks of linux vs. windows boxes seems to correlate very strongly with the percentage of linux servers vs windows servers (around 65% vs. 25%), it is likely that the OS being run isn't the main cause of the security problems. My theory is that the breakins are due to poor configuration and maintenance of the software. I doubt anyone would disagree that unpatched servers that aren't properly configured are vulnerable, regardless of the OS running.
Vote for Pedro
SE Linux is integrated into 2.6 and a patch to 2.4. It GREATLY improves the security of a Linux box. If someone gets root (or some other uid shell) through a buffer overflow they can no longer take over the whole system. Odds are they cannot do anything. How is this possible? By running every process in a security context carefully restricted to least priviledge through a system of mandatory access controls. If you want to see how effective this is for yourself please telnet to:
selinux.copilotconsulting.com
user: root
pass: root
I'll have to disagree with that. We're not talking Apache vs. IIS here; we're talking Windows vs. LINUX. FYI, there are many Apache sites running Solaris or one of the BSDs, in addition to other OSes!
... and the fact that Apache has more market share has nothing to do with this, since there are about the same # of Windows web servers as Linux web servers. (Shoot, stallman.org ran FreeBSD for a really long time, and just recently switched to Linux!)
The only source I could find was from netcraft, but dated to 2001 [here]. Regardless, we can assume that say, Windows and Linux are really neck and neck as WEB SERVERS. This knocks Apache's numbers down big time, when you're just talking about Apache on Linux. So, when you look at the numbers again, it's 12,892 vs 4,626
So, unless you can provide a better source that charts OS usage over time for web servers, I'll be sticking Windows Server 2003 on a box instead of RedHat for my next webserver, thank you very much.
Oh, and 2000th comment!
Then I guess they just went down in quality.
A trivial demonstration of the problem is to take the number of reported virus infections with Sobig and friends. Compare with the mi2g figures about proven break ins. Note weird difference in size of windows numbers.
As to web sites they *appear* to count each web site affected. So a single linux breakin on a big hosting site scores 10,000 while nobody hosts 10,000 sites on a windows box.
One of the problems with a lot of these metrics is the lack of a fair, formal and neutral third party methodology for analysis of such data that can handle the way proprietary vendors forget to reveal most bugs but just roll them quietly into updates, the difference between vendors in quantity of material and remove overlaps.
Unfortnately that isn't likely to change. There is a marketing game being played by many vendors and security is simply another buzzword and another set of statistics to "optimise". Customers are expendable.
I guess the final thing we all should notice. The number isnt zero. That only emphasizes the need to get more stuff like SELinux out and equivalent other OS products. Preferably before the bad guys mix something like Sobig or slammer with something that does actual damage, potentially hardware damage.
On my servers, I also un-setuid as many programs as I can, leaving only those that will be used regularly.
Useful resources:
tinydnsA VERY secure DNS server to replace BIND.
The Ultimate Guide to FreeBSD This book includes information about how to set up Jails in FreeBSD.
The firm's "news alert" -- available to reporters willing to pay 50 for it -- says hackers brought down "nine servers belonging to NASA's Jet Propulsion Laboratory" just seven hours after the shuttle exploded...
and
"For example, Forno draws our attention to a 'spooky November 11' briefing by mi2g which talks about the need for 'counter-attack-forces' to deal with the threats of 'digital terrorism' in the '5th dimension defence shield' against 'digital mass attacks' and notes that it's 'not a question of if, but when' such attacks will occur.
Read this crap and mi2g's report will make you more confident about running Linux.
Our biggest problem in this country (US) right now:
1) We are raising and building infrastructure with
admins that do not understand the technology
they are using.
2) We are educating people to be administrators
that can only push OK or CANCEL. If they can't
they complain "Oh if I can't do that then
platform isn't mature, so we don't use it."
I give analogous representations of most hapless Windows administrators to being equivalent to people who choose not to learn calculas because it is "too hard" and therefore "too expensive" to use.
If I do use calculas I will loose productivity!
Fact is, Microsoft is trying to dumb down computing to the point every possible problem you could ever have is in a wizard or dialog box.
It will never happen, and the more decisions the software makes, without approval or human intervention beyond OK or CANCEL the easier Windows is going to be to crack.
No software is ever made more secure by adding more software to fix security leaks.
The only way you reduce software vulnerabilities, is by removing software.
As we all know, every release of Windows gets bigger, and of course so does Linux.
But with Linux I have a choice on what software I install. Windows, you have only two choices.
OK and CANCEL of course.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Thier data isn't normalize.
What is the ratio of Linux to Windows servers in the study? What was the ratio of breaches VS. Attempts?
by attempting to Normalizing the numbers we can see the following.
67% + 23.2% = 90.2 % total listed.
12892 + 4626 = 17518 combined successful attacks. = 90.2% so
100% of attacks would be 19421 breaches total.
So linux out of 13012 attacks 12892 breaches
Windows 4505 attack with 4626 Breaches
Giving linux 99.07% breach rate VS.
Microsoft at 102.67% Breach rate , Per successful attack.
If they computed there numbers correcly I should have seen 100% since there are percent and actual numbers of successful attempts.
Then again maybe there are 2% that breach MS security without a successful attack?
Anyhow its stuff like this that keeps me using FreeBSD.
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
How? Easy!
67% of the attacks were against Linux servers and 12,892 sites were successfully breached.
23.2% of the attacks were against Windows servers and 4,626 sites were successfully breached.
Let's say there were 100,000 attacks, this means that the successrate for Linux is 12,892/67,000 = 19,24%, while the successrate for Windows is 4,626/23,200 = 19,94%
Linux is better than Windows. But we knew that already, didn't we...