Slashdot Mirror
Linux Most Attacked Server?
Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
Funding provided by Microsoft....
Where ever you go, there you are.
We're number one! We're number one! Woo! Party!
Er... wait, what? Is this a good thing?
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Good god sir, do you know where you are posting this? ;]
On the surface, this statistic serves both as a testament to linux's growing popularity as a server OS and ammo for those windows admins who have long taken abuses about the insecure nature of their OS. These ideas, particularly the latter, however, may prove misguided; breaches against servers are rooted not only in the security of their running OS, but also in the effectiveness of the security implementation of the system admin him/herself.
Okay... do the editors read the links anymore?
This clearly came from Canada's Globe and Mail newsmapaper, which is clearly has nothing in common with the British Broadcasting Company
Does this count the number of Windows machines that were 'compromised' by BLASTER and its children? If someone gets a binary on my server and controls what my server does ( in this case, replicating the worm ), then I'd call that hacked. Just because a worm did it vs. a human doesn't mean anything. More direct hacks on Linux machines might just mean that there was much more human effort expended.
I want to delete my account but Slashdot doesn't allow it.
It's ironic that Microsoft provides that service for free, whereas Linux requires paying money. But it's good because at least here there's a clear way to make money off Free Software and keep programmers like me from going hungry.
John.
So, I wonder....the interesting statistic to me would be what percentage of attacks against each platform are successful? This statistic is not explicitly stated. Also did they include OS X as part of the study?
Visit Jonesblog and say hello.
These figures correspond almost directly to netcraft. Seems to me, more linux/apache boxes out on the net means more targets. IIS holds about 24% and apache is about 64%. DUH. Its not hard to see that there will be more attacks if there are more machines. I bet they didnt factor how many OS/2 boxes got attacked.
Statistics are dumb.
The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion.
So while these "attacks" on servers totalling about the same damage amounts as usual there was quite a new record high obtained by the RPC vunerability...
So they are attacking an OS that is known to be running on more servers around the world and the "damage" from these attacks is holding steady, yet we don't mention in the article title that because Windows is MAJORLY vunerable, there was nearly 30 BILLION dollars in damage done!
Interesting spin.
Exactly.... the report would have been better if they had broken it down like this:
OS
% of Total Hacks
% of Servers running OS Hacked
But think of how many more linux servers are out there than windows servers.......
The ratio of Windows workstations to Linux workstations has never stopped us from divining that the reason there are more viruses for Windows because of its ubiquity, not necessarily its security record.
Why should this be any different?
NO CARRIER
"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
The only way they've reduced the _proportion_ of attacks on their servers is by losing market share. The total number of attacks against Windows servers is still increasing, so it's a little premature to give them any compliments.
If voting changed anything, they'd make it illegal -- Jello Biafra
They claim a database of 280,000 attacks since 1995. They claim there were at least 18,000 attacks in August alone, or 6.5% of the total of 1% of their sample. Also, these numbers are meaningless without knowing the total population of each type of server. Oy!
I think it's time to break the statistics down application by application at that point. Show me some Apache vs. IIS numbers or MySQL vs. SQL Server numbers or exclude third party applications altogether please. For the record, I run both Windows and Linux for clients and servers and am pretty neutral in the whole OS wars thing. Each has their merits and uses, both need regular security maintenance and I am pretty much happy with both for very different reasons. I'm not a Linux zealot, but I know bad numbers when I smell them. And then...
So MS is shoring up third party applications then? They even go on to cite Sobig and MSBlast as the reasons for the high MS numbers. This is shifting over to a very FUD-like smell now.US Democracy:The best person for the job (among These pre-selected choices...)
Anonymous guy who can't remember his login
That would be WilliamGates.
So we can rail against MS for having an insecure operating system and flaunt Linux's proliferation in the market, and then dismiss that its because of Linux's dominance that more Linux systems are getting hacked. We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed. If there was a larger percentage of windows boxes out there would anyone say 'But think of how many more windows servers are out there than linux servers.......
Brought to us by our friends at mi2g. I'd take this with a grain of salt.
Number (or percentage) of successful attacks against servers maintained by professionals, sorted by operating system.
Of course there are a lot of non-secure Linux systems on the net. Lots of amateurs use Linux. After all, it's free! Notice how much the statistics in the article changed when they leveled the playing field and looked only at servers in one industry: government? Keeping to one industry caused them to look at systems maintained by sysadmins with much more equal skill levels.
From the article: Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
Also, what percentage of the boxes that were hacked did the admin even detect? There are a lot of hacked Windows machines out there sending out viruses that the owners don't even realize are hacked. Where are the admin tools like /var/log/secure, last, tripwire?
ZoneAlarm? Please.
65% of successful attacks came against SCO, which MUST be running Linux since they developed it.
Folks who have traditionally been Microsoft users, who have recently installed Linux on an old machine at home or maybe as dual-boot, who have little to no real experience or training with Unix-like systems or with particular open source servers, are going into to the business IT environment and installing Linux-based systems on the hype.
Sure they can get Apache webserver serving pages, they can get Tomcat doing "something", and they can certainly run XMMS quite well on their workstation, but they really have no clue how to properly use these technologies in a production environment.
They see switching to Linux-based systems as being a simple fix.
They aren't willing to extensively review their configuration or product documentation. They aren't willing to put in the significant amount of time that is in fact required to become experts with the technologies.
Yes, they certainly do get a kick out of telling their friends that they have "Linux boxes running their shop", but security suffers due to their naive incompetence.
These techs should be fired.
Open source development may be a "we'll get that feature done when we feel like it" affair, but deploying Linux-based systems in a production environment must not be.
If anything, effectively and securely deploying Linux-based solutions requires more training and knowledge than does deploying Microsoft.
Let's stop pretending otherwise.
.sig Realistic fines for copyright in
I'd like to see them show exactly what the vast majority of these attacks consisted of. Because without that data, you can't derive whether it is the system or the person implementing it that is the cause of security failure.
I know many admins who are not worth two cents and I know others who are so swamped with tasks that they don't have time to patch much less check logs on a regular basis.
This is my sig. There are many like it but this one is mine.
If over 12000 Servers were linux and were being sucessfully cracked compared to 4000 of windows boxes. Now representing this as 67% is to skew the results. What we dont actually know is how many were in the data set ?
Did they sample 20000 Servers ? 20,000 servers or 200,000 servers ?
Linux 67 Breached Linux Servers 12892 73.59%
Windows 23 Breached Windows Servers 4626 26.41%
90Total Cracked ? 17518
Well the percentile is only 90% of the figures. Which servers were in the missing 10%.
Did the survey compare windows to linux boxes alike e.g.
1 Linux Server examined to 1 windows box. for 20,000 boxes ?
I dont see any figures here for accuracy or qualification of the figures.
What I do see is a suggestion that Linux is very popular. If this is the case and we suggest that 80% of the net is unix to 20% microsoft. then 67% of 80% of the network being interupted seems very unusuall and rather high as a figure.
So I keep coming back to wondering where the figures have actually originated and been compiled.
Im fairly sure Microsoft can be secure, but unlike Unix it tends towards insecurity. Ive often compared running Microsoft boxes to herding sheep. You spend all your time keeping them alive and free of viruses. Unix on the other hand is the sheep dog, consistent , loyal and dependent.
They can bandy these figures all they like but unless they can flatten the survey and show a clear scope of investigation and comparison then I dont think we should be worrying about the quote.
And thats why Firecrackers and kittens don't mix.
"We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed."
You are right. I've read a lot of anti-MS babble here that has me a little spooked. Evidently, when Linux is more secure than Microsoft, the impression is generated that you can install a Linux based webserver and you're instantly secured. That's what I did. Being a Linux newb, I set up a Redhat/Apache server and within 2 weeks it was rooted. We had to have our sysadmin build us a new one. (It was a project for me to grow...)
It only takes one exploit to destroy your server. Vigilance is absolutely necessary on either platform. Maybe it's time to end the anti-MS pissing contest and focus on good practices in general for whatever OS you're using.
"Derp de derp."
Well, you could probably conclude that, because vulnerabilities in Linux and Linux software are usually detected and fixed sooner, and Windows vulnerabilities depend on Microsoft deploying the fix (which might take a while, as we know), we have different cases of who is to blame.
First, In the Windows case, shit might happen because it takes longer for a proper fix to appear (though, on the last DCOM-related vulnerabilities, we should give credit to MS for the quick response to the problem). If a patch does not exist, the admin can not do as much (unless he has a proper firewall).
In the Linux case, patches are generally avilable quicker, and upgrade functionality like Debian's apt-get makes it fairly easy to update the systems. I would guess that most holes that lead to the attacks mentioned in the article have long been patched, and it was merely the admin's fault for not watching his system.
So, I would say (though it's a subjective opinion) that Linux systems can be much more secure, even if attack _attempts_ on Linux systems were to occur more often than on Windows systems. But it all depends on the administrators. Windows systems, on the other hand, might let you get in a situation where you depend solely on Microsoft to respond to the security problem -- not a very nice situation.
Oh, and yes, there are more viruses for Windows, but that includes the 'dumb end-user' type such as SoBig, which are purely unrelated to server attacks. And those, I'm more than sure, will _not_ appear an Linux systems since I do not know of an email client that makes it so easy for a user to execute incoming garbage straight away.
I really wonder whether there are more known attacks to Windows _server_ systems than to Linux systems if you exclude all those Desktop-user viruses. Anybody know?
"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.
I must confess that the first linux server that I set up was hacked for the very reason mentioned: my ambition exceeded my knowledge.
Imagine my chagrin when I got email from a couple of companies stating that an attack had been launched on their servers from my system! Let me tell you, I fixed that right quick!
I find it interesting to note the low number of Unix boxes that the article mentions as attack victims. Based on the experience of my own personal ignorance, I figure Unix operators are probobly more savvy, ergo tighter security and fewer successful attacks. Personally, I haven't been able to figure out how to configure a Unix server in a usable manner (having tried FreeBSD and failed miserably). I find Linux easier to work with, which, perhaps, invites disaster when someone with limited savvy (such as I, once upon a time) decides to roll out a server and expose it to the wild west Internet.
[For those who wonder, the incident involved someone setting up an IRC server app on my system, which then attempted to install itself, apparantly, on other systems that were better-secured than my own. Thereafter, I put everything behind a linux firewall that was locked down tighter than a nun's dainty underthings. I hope this humble and frank admission of ignorance will learn y'all to lock those ports down TIGHT!]
Mmmmmm... Bold, yet refreshing!
Vmyths appears to summarise the anti-mi2g camps position. Searches for mi2g on NTK and The Register, (when its search engine is working) for mi2g are as enlightening as they are amusing.
This statement clearly states that less than 2 percent of the BSD servers on the net were attacked. Yet that is not what the numbers show. The numbers state that less than 2 percent of the attacks were against BSD servers. That is a very different thing indeed.
As such, there are a number of pieces of information that are needed to make this article useful:
The net will not be what we demand, but what we make it. Build it well.
I call bullshit. Most Windows problems are patched long before they're exploited. See Code Red, Nimda, Blaster, etc. All of these were fixed long before they were exploited, and yet long after the worms first appeared people were still being hit. While I will agree that there is a possibility of patches taking a while to appear from closed-source software (and that it has happened, usually regarding Internet Explorer), that has been the case only in a very minority of important patches. As well, though you call out Debian's apt-get for making it fairly easy to update systems, Microsoft has Windows Update (and they freely-available provide software to run your own Windows Update site, so that you can verify patches before pushing them out to your site). Therefore, your argument is a red herring.
Bingo! 99.999% of all of the problems with both Linux and Windows being insecure have stemmed not from late patches, but from administrators not keeping on top of security for their machines.
It's false to say that Linux will not ever be affected by such viruses, because it's quite possible. Even with proper separation of user rights and administrator rights, a user can still royally screw himself and his data. More, all it takes is one unpatched local root exploit ("I'm not too worried about local exploits, because they're local" is an attitude that will get you in trouble if you have users ...), a malicious binary that exploits it, and a dumb user. As well, with more users wanting to use Linux, the need will come for user-friendly desktop apps (what do users want to do? easily open e-mail attachments. Better code that properly, our you're going to be as bad as Outlook Express ...). Users will also want to be able to easily install software (see Lindows, and how at least initially it suggested you not only run as root, but without a password!). There's work to do on Linux before it will be acceptable to Joe Sixpack or Bettie Secretary, and unless developers keep their wits about them they can (and will!) fall into the same problems seen in Windows.
Needless to say, the regular server administrator for that site is in an uncomfortable spot now.
and to this day none of them have gotten owned.
:), but am fully aware that it is not if but when it will happen again. With that mindset I now have a plan to recover from a attack and am vigilant about looking for updates and possible attacks.
Not that you know of anyway.
When I was a linux noob I had two boxes rooted(one was set up to email bomb mirablis, who blocked my IP and ended up reversing the bomb on my box because of returned mail which is how I noticed the problem...pretty damn funny when you think about it). I traced it back to security hole in wu-ftp. I have sinced learned
From MI2g website:
So if a single ISP box gets hacked, they may count that as 100 linux sites hacked because of virtual hosting.
But even more important than their actual counting methods are where they get their data. Again, according to the same paper:
mi2g is principally reliant on data for SIPS and EVEDA from a number of sources:
reinsurance industry in Europe, North America and Asia. We have been involved in
pioneering cyber liability insurance cover for Lloyd's of London syndicates which has
given us access to case history since the late 1990s.
hackers who we use for penetration testing and developing our bespoke security
architecture that feed digital risk information through to us on a continuous basis
including vulnerabilities, exploits and the latest serious attacks they are aware of.
hacker groups.
So their highly informed executive manager friends seem to know when their linux systems get hacked versus their windows systems, they browse the web, looking at defacement sites and they converse with script kiddies via email. Umm, does anyone else see an issue with their data collection methods besides me?
If you don't yet, then let me give you a simple example. Let's say that I wanted to bias the results. Mmm
You can show me analyst reports by people like this all day long. In the end, this report bears no relation to what I see day to day in the real world.
Not that I am arguing with linx > windows, but just because its Apache doesnt mean its linux.
members are seeing something, your seeing an ad
Obligatory MallRats quote:
Needless to say, the regular server administrator for that site is in an uncomfortable spot now
"You mean like the backseat of a Volkswagen?"
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
Well, I'm sure the end result will be the same. :-)
Heh, the best was when I was helping to run the web server at my high school (this happened back in 98 or so). I was logged in from home checking email or something when I got a "write" from root that said, "I think you have some security holes..." I ended up in a ytalk with him and it was some dude from kentucky who had broken his leg and had nothing better to do or something.
I honestly can't remember if we ever reported him to anyone or not, but we reinstalled right quick (I think he'd used an nfs exploit and then backdoored one of our other services, can't remember which). In any case it was obvious what had happened - the logs we so full of "help! someone's trying to hack me!" type messages that it was even funny at the time. Especially since nobody ever went to our webpage and we just used the machine as a local quake server anyway...
Per the initial write-up: "...all successful and verifiable digital attacks against on-line servers targeted Linux..." (my emphasis)
The key word here is 'verifiable'. It is much easier to detect and validate that someone has hacked a Linux box, than a Windows box. We don't know the following that would lead more credence to any claims:
1. What is the ratio of M$ to Linux boxes that were attacked that we don't know about? (undetected and still infected - I would argue this number is much larger on the M$ side)
2. How were the percentages arrived at? If there are more Linux servers on the network than Windows servers, then we can not quantify 'percentage of total servers' and have it mean anything useful in terms of total numbers of attacks because, statistically, Linux attacks will outnumber Windows attacks given a standard distribution; since most script kiddie tools run on, and target Winblows machines, a 21% of total attacks on a few windows machines is more significant than a 67% of total attacks on a much larger group of Linux machines.
Social science numbers have no intrinsic value, except to the uninformed.
"Figures never lie, but liers tend to figure." - Longfellow
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
The Globe and Mail is the older and generally more respected newspaper. The National Post is a recent upstart. It is generally considered much more right-wing and a bit downscale.
Free Software: Like love, it grows best when given away.
Come on, where do they get these figures? In August alone:
From NetworkWoldFusion
The Blaster worm - also known as MSBlast or LoveSAN - has spread rapidly since it was first noticed on Monday. It has infected an estimated 188,000 systems running Microsoft operating systems, including Windows XP, Windows 2000, Windows 2003 and NT, that are unpatched for the so-called RPC vulnerability discovered last month, according to a security firm tracking the worm.
They didn't count them. Why? Most of them aren't servers, right? Well how did they differentiate Linux servers then? I bet they didn't -- did they check and only record RH Advanced Server and disregard all the RH Workstation. I doubt it. This is pure FUD by a place that has trouble with math.
- Security is a relative measure, there is no absolute security.
OK, fine, we're past that. Now, from an architectural point of view, MS has no hope of being as secure as a BSD, or even a Linux. The reason is the tight coupling between components within not only their OS architecture, but also the server-side software as well.
The problem is that creates an environment where undue damage can occur due to the compromise of what should be an extraneous service. An example was a flaw in IE which allows a "root" type exploit. Another is Biztalk requires a number of software packages which should not be needed (i.e. Visual Studio) on the machine. This is both a security and stability issue.
Linux and Tomcat or Apache require exactly that, the kernel, network libs, and Tomcat / Apache. The issue IMHO as to why so many Linux boxes are getting hammered is beacuse of vendors like Red Hat which include a number of unneeded services and have them active by default. They've gotten BETTER, but they still have garbage on there that is ABSOLUTELY not needed. Example, we've drunk the RH "kool-aid" at my company. Fine, I like Linux, but in hardening our servers we have to pull out TONS of sh!t from what was a CUSTOM install!!! (now using kickstart) I hate to admit, this is a sore spot with me
In essence they're created a Windows-like system in that regard. The only difference is that you can remove it post-install. Regardless, my point stands.
The de-coupled nature of Linux and BSD create an environment where one can create a "more" secure environment then what Windows can provide. Stupid vendors can undo this, but for the most part...
The other point is that this "survey" did nothing to point out what kinds of attacks these were? Were these hitting the OS, or a service that ran on top of it (i.e. Apache or IIS)? This article seems like flamebait to me... I agree with your points on desktop users. I disagree on one minor point - Blaster. My Dad keeps his machines patched and has anti-virus (McAffee - I know, I know...) and he was still hit. My company pushes updates as well and so were we.
Computer Science is Applied Philosophy
I'm curious, was Slashdot afraid to put "Linux Most Breached Server?" in the headline? The stats were about most breached. The point wasn't who was most attacked. I guess that one word needed to be changed to soften the blow...
"Sufferin' succotash."