Unpatched Linux Lives 3 Months on Internet

Allnighterking writes "The Honeypot project Honeynet.org has released their study on the expected lifetime of an unpatched default Linux install. If some of you remember AvanteGarde recently did a study of its own with several versions of Windows products and found that the average lifetime was about four minutes. Internet Week has an article on the study and the PDF with the full details of the study is available on Honeynet.org. Needless to say, from my viewpoint this is a good reason to limit Windows installations in IT that any PHB and/or Smiling Man can understand. Have them put into a spreadsheet and see what this kind of security means to their bottom line."

It depends

[PrivateDonut]

That value would depend on the distro and its age.

Distro choice

[KiloByte]

Note that the distros they used were basically just Red Hat variants (RH7.2, 5*RH7.3, RH8.0, 8*RH9, 2*FC1) and Suse (6.3 and 7.2). Suse is very similar to Red Hat, and Red Hat is what my friends call "Microsoft Linux" as it doesn't exactly excel in security.

It would be an interesting thing to see how the other dists would fare. I suspect Debian and Gentoo should survive quite a bit longer than those 3 months. After all, a default minimal Debian Woody installation is 34MB, compared to 0.5GB of Red Hat, and this means you simply don't have that many unnecessary services that can fail.

Re:Distro choice

[dasunt]

It would be an interesting thing to see how the other dists would fare. I suspect Debian and Gentoo should survive quite a bit longer than those 3 months. After all, a default minimal Debian Woody installation is 34MB, compared to 0.5GB of Red Hat, and this means you simply don't have that many unnecessary services that can fail.

Due to age, I am guessing that a Debian woody installation would fall rather quickly -- its just too old. Sure, the minimal install is tiny, with almost nothing to hijack, but a typical default server install has far too many things listening on every interface.

I'm curious how long an older (3.4 or 3.3) version of OpenBSD would have faired with a typical (not default) setup.

(My server right now is running Debian Woody, and has been since Potato was stable.)

Re:Distro choice

[BladeMelbourne]

Red Hat may not be the underdog in the Linux world - and ppl love the underdog and hate the top dog. But I wouldn't call it insecure because some people call it "Microsoft Linux".

Why? I have never ever had any security problems. With or without iptables on. I have never used SELinux, I hear the security is beefed up.

I have never encountered a "failed service" on RH or FC. OK VMware sometimes comes close ;-) But security being affected doesn't enter the equation.

I would think an FC3 box with iptables, SELinux and unused services turned off would last much longer than all Debian boxes, except maybe unstable. But I dont have broadband at home, and the firewall at work is too beefy. So it's just a guess. Plus I dont want to be paying the electricity bill.

I will agree with you that RH/FC come with too many services turnes on after an install. And the minimal install size is far too big. But even on my 56 kbps modem, it's not unmanageable to keep up2date.

I really dont know why anyone would use RH9 or earlier. They are outdated. Says me who dualboots FC3 and Win98. lol. To each his own...

Merry Christmas :-)

Re:Distro choice

[Profane+MuthaFucka]

I'd expect Woody to survive a very long time, as it's just too old.

You see, the packages in Woody are kept up-to-date in the security department. The age of the packages is irrelevant to the security of the packages. All security fixes are backported to the Debian stable distribution.

Re:Distro choice

[dasunt]

You see, the packages in Woody are kept up-to-date in the security department. The age of the packages is irrelevant to the security of the packages. All security fixes are backported to the Debian stable distribution.

I was referring to the test -- which did not involve any security updates.

In such a situation, an unpatched debian woody distro may fall rather quickly.

Re:Distro choice

Fedora FC2 or Fedora FC3 are even more secure because
SELinux and Exec Shield, and
iptables are now standard on Fedora.

SELinux is awesome, truly awesome in its power to secure.

Re:Distro choice

[mr_tenor]

I think you would be correct in the case where one installed Debian Woody using some dusty old CDs. However, the normal way of installing Debiean is to install over the internet from the Debian servers, which are by definition up to date with security patches.

4 Minutes, or never

[MadMirko]

From TFA:

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.

Also:

The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. "The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added

And finally and most importantly:

"No machine is immune," he counseled. "No human is safe from every virus, and it's the same for machines. That's why people have to have some personal responsibility about security. You have to be a good citizen on the network, so you're not only protecting yourself, but others who might be attacked from exploits originating on your machine."

Re:4 Minutes, or never

[pipingguy]

The assholes that release viruses, worms and other malware on the computing world are also well aware that the average Linux user is much more difficult to hoodwink than the average Windows user (your grandma, for example).

The past ~10 years of the popular web has exposed the best (altruism, open source efforts, education, anti-bullshit) and the worst (scammers, spammers, hate groups, SCO) of global society.

Have a great 2005 everyone.

Re:4 Minutes, or never

[Daedala]

The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. "The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added

Prove it. (I'm talking more to the guy in the article than you, btw.)

That is just the kind of nonsense people say when they're trying to look "balanced" regarding Windows' security failures. I find it infuriating. The Mac and Linux boxen were "attacked" that often because they were on the same network and everything on that network was being attacked. Why? Because Windows machines were attacking them.

The argument that Windows has the most marketshare & therefore is attacked more isn't true in the web server and database markets. Yet while apache and Oracle have problems, they're not anywhere near as bad as IIS and SQL Server. (If anyone has hard data to the contrary, I'd be very glad to see it.)

The argument that Mac and Linux boxes are lone islands in a sea of Windows and therefore worms can't gain critical mass for major infections is equally bogus: the Witty worm attacked only boxes that were running certain versions of ISS BlackIce, yet managed to compromise most of its potential threat profile before it ran out of victims. There are easy, easy ways to find concentrations of Mac and Linux users if you need 'em. Try spamming certain domains with a virus, for example. That argument simply doesn't hold water.

I'm not saying that *NIX computers can't be hacked. I'm not saying that they will never fall victim to automated exploits. I am saying that they are much, much less vulnerable, even if the code were tailor-written to those systems. Privilege escalation vulnerabilities are much rarer and more difficult to exploit -- and no, getting privileges by the asking the user to sudo for you isn't a privilege escalation vulnerability. Social engineering is a cross platform flaw.

Spam, phishing, Witty, and fractions-of-a-penny theft schemes all prove the profitability of niche compromises. I have faith in the entrepreneurial spirit of the new commercial crackers. It will happen. The reason it hasn't happened yet is that OS X and Linux are not as vulnerable and it's hard.

In short, what Windows has is the most market share on bugs.

A firewall would help

[Mad+Merlin]

I'd wager that any distro that enables an iptables firewall (that doesn't leave any inbound ports open) stays alive longer than the hardware lasts.

Re:A firewall would help

[funked]

That'll be a pretty sweet server. Imagine the bandwidth you'll save...

It's a good idea to limit Windows?

[Digital+Dharma]

Because Administrators can't patch their own shit? What makes you think they would patch Linux if they were to switch?

Re:It's a good idea to limit Windows?

[Mr.Ned]

For example, if you're running Debian stable, most security updates require two commands: 'apt-get update && apt-get dist-upgrade'. Because it's 'stable', Debian guarantees that the security fixes will not change the functionality of the program.

I don't know if Microsoft guarantees that its fixes won't screw things up (or even work), but there track history would make me hesitant before deploying 'fixes'.

Re:It's a good idea to limit Windows?

[Digital+Dharma]

Well, my whole point is that in order to have an unsecured system attached to the 'Net, you need an Admin who either doesn't know or doesn't care. In which case, no system would be a good idea. The article attempts to place blame on Microsoft for people's laziness and ineptness, which is just more of the anti-Microsoft zealot-ism drivel I've come to hate from Slashdot as of late.

Best security

[syynnapse]

I assure you that i can run a box with any OS without any sort of internet attacks longer than you can.*

*it will not be connected to any outside network at all. your box will be. (Microsoft pulled this to give a high security rating to NT, i believe)

Re:Best security

[Isao]

it will not be connected to any outside network at all. your box will be. (Microsoft pulled this to give a high security rating to NT, i believe)

Not exactly. I don't want to be an MS apologist, but the TCSEC rating that MS got for Windows NT was indeed while it was not connected to a network. We all agree that is rather useless these days. The problem was the TCSEC (Orange Book) certification; it specifically does not cover networked systems. Networks are covered by the Red Book. This problem is one of the reasons the Common Criteria was created, which can certify systems including networks.

tired argument

[Zork+the+Almighty]

This is one time when the argument about Windows being a bigger target really applies. The rate of infection is proportional to the number of vulnerable hosts.

What about newer distros ?

[e_AltF4]

SuSE 6.2 (release date: August 1999)

Question about Red Hat

[identity0]

I know this isn't a help forum, but I have a question...

I have an old Red Hat box sitting around, version 9 (last one before Fedora), I think. I'm using it as a file server using Samba & NFS on my home LAN, which is behind a NAT on a cable modem. Should I be worried about my RH box becoming compromised? Do I have to upgrade?

Re:Question about Red Hat

[TheGratefulNet]

you have NAT. that's goodness #1.

if your cable modem has a firewall, turn that on also.

the less public you make your home box, the less up-to-date it has to be, in terms of security patches.

I still prefer to keep my internal boxes up to date. and it all boils down to how much you trust your vendor and the patch/pkg process (and the reviewers of all the code and patches).

after spending about 5 yrs in the linux world of things, chasing this and that distro, fixing pkgs mostly by hand, tracking things mostly myself - it got old, real fast. then I saw the wonder of the bsd's (freebsd, since I'm still all x86 based). ONE disto. ONE pkg system. ALL eyes are spent on bsd code (ie, all the ones who care about freebsd, review THE freebsd.) that kind of singularity seemed like the best model - especially if you are worried about security.

compare to the linux world where pkg owners update things on their own and vendors are a level between them and you (the user). in bsd, that middle layer (the vendor) is kind of a pass-thru. and when a check-in breaks, its quickly noticed and cvs'd out or fixed in very short order. again, the 'one set of eyes' principle here.

you can fix and secure almost any o/s. but for my money, I daily do a cvsup on my bsd systems, rebuild kernel and world and then updates /usr/ports and portupgrade-a and I'm done. no worries, and I know its the best set of code for that day, as agreed upon by 'the community' of bsd.

quite a diff model than linux. worth looking into.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Actually no,

[SimianOverlord]

Linux versus windows in the workplace will not be decided by showing them a spreadsheet of fiddled figures. This test is hardly a good way to test security, its an interesting sideshow, no more.

The message isn't Linux > Windows, it's that not keeping up to date with your patches is dangerous, and Linux is less of a target than Windows at the moment. By the submitters criterion, you would be recommending Apple to your PHB, not Linux, as an unpatched box wasn't even hit with any OS specific exploits!

Another desperately bad spin on an otherwise mildly interesting article.

Re:Actually no,

[node+3]

What the hell are you talking about? This article is like *any* article in that it applies only in the areas it applies.

The relevant data here is that if you are going to set up an internet server, a computer that will connect directly to the internet, or a computer in an untrusted environment in general, that Linux and Mac OS X are statistically least vulnerable to remote exploits (with some caveats related to the configuations tested).

It's just another (and a very important, but not necessarily the *most* important) metric to use when choosing a server OS.

Duh. So actually, yes, this *IS* a potential reason to choose Linux over Windows (or Mac OS X over Linux and Windows, if you don't mind the single-vendor limitation).

To quote the story:

Needless to say, from my viewpoint this is a good reason to limit Windows installations in IT that any PHB and/or Smiling Man can understand. Have them put into a spreadsheet and see what this kind of security means to their bottom line.

Looks right on the mark. "this is a good reason to limit Windows" that "any PHB ... can understand".

I think you've mistaken the story for one which says Linux is perfect for all situations, or something.

So what?

[jgartin]

It takes me about 1 1/2 hours to setup a Windows ME install like the one I've been using for 4 years. It's been problem free for that long. Boots in about 23 seconds. Responsive GUI. And you can run programs--you're not just limited to poorly written open source stuff.

Re:So what?

[inu_maru]

Yep, WinMe Boots almost as fast as it crashes.

Re:So what?

why not image it with norton ghost once its in a state where you want it.

Re:So what?

[jgartin]

Maybe I missed something. Why should I image it? I've never had to reinstall in 4 years.

Re:So what?

[TheGratefulNet]

not just boot time, either.

TTCFF (time to crash first file) is much faster on win98 and winme than any other o/s.

we're talking blue-ribbon, here.

Network services are what matters...

[jbms]

Although exploits of facilities implemented in standard linux kernels, such as arp requests or ICMP echo requests, are possible, they are far rarer than exploits of higher-level network services, such as HTTP or SSH. Consequently, a basic install of a distribution such as Gentoo, in which only those basic network services implemented in the kernel are active, would likely remain unexploited for years. Of course, this only shows that in the case of Linux, the `base install' does not provide for a very good test. (In practice, people are far more likely to use Microsoft Windows, or Linux distributions with a more expansive `base install' than Gentoo or Debian, in their base configurations.)

Re:Network services are what matters...

[Macphisto]

...and anyway, ARP isn't routable, which means you can rule out attacks that aren't from hosts on the same segment.

This is senseless

[obeythefist]

I'll get modded flamebait for this, but...

The Linux box wasn't compromised because it was being attacked as if it were a Windows box.

Therefore, in this case, the article is suggesting that Linux is secure because it is *obscure*. Linux can't be hacked because nobody would want to/nobody knows how to because it's so rare in comparison to Windows = Security through Obscurity.

Microsoft also uses this practice by threatening to sue anyone who exposes a vulnerability in their OS, and by hiding their source code. Hiding source code and vulnerabilities = Security through Obscurity.

I find it morally offensive that Linux hacks are trying to pass of Linux as secure on exactly the same grounds that Microsoft uses to try and keep their own leaky OS as private and secure as they can. Thankfully the author is sensible enough to write a few disclaimers, but as usual, the Slashdot submitter decided to omit that for the sake of sensationalism (and for a quick boot into Microsoft because we all like that).

I bet I could put an unpatched Windows 3.11 box on the internet, too. I bet no-one would hack that. I'd suggest more people are out trying to exploit even Linux or Mac than old Win3.11/DOS. Or how about an OS/2 box? I bet that would last even longer than Linux. Perhaps we should all switch to OS/2?

Re:This is senseless

[Curtman]

Meanwhile my poor Linux/Apache has had 293 requests of:

• "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ xb1\x02"... etc

in the last 72 hours.. Where are all these IIS servers that are being targeted? Apache outnumbers them 2 to 1. Wouldn't it make more sense to target Apache?

Re:This is senseless

[the+eric+conspiracy]

Therefore, in this case, the article is suggesting that Linux is secure because it is *obscure*.

From a pragmatic point of view, why should I care what the reason is?

Re:This is senseless

Perhaps we should all switch to OS/2?


Perhaps you should have done it back in '94 and you people might not constantly bemoan the Microsoft monopoly today.

Feelin' cranky today...

Re:This is senseless

[g4sy]

UH

I RTFA, and I agree that it wasn't the greatest piece comparison in the world.

I read you post, and I'm sick from the faux pas that you're using. EW, GROSS. Seriously, you're comparing a USELESS OS (windows 3.11) with the most useful OS (linux, I know that some things such as video editing are lacking, but all around, it is the most practical). And you're expecting me to draw a security comparison? Please. I would consider comparing OSX (quite a useful piece of OS) and maybe windows XP or 2003 (modern things that are deployed for REAL WORK in the MODERN WORLD) with linux. Then I'll start listening to you.

So.... you made an excellent point, maybe they're not comparing equally deployed products (duh we all know there are more Windows boxen than linux boxen). But when you screem "faux pas" and point, there are three more fingers pointing back at you.

Re:This is senseless

[Klingensor]

Among others, I run an OS/2 machine, protected by the built-in but undocumented AIX firewall. Nothing out there could even hope to compromise it. That doesn't mean it's impossible, of course, but I trust it more than Linux, from which I'm writing now. That machine, on eCS 1.1, (Warp 4+) handles my entire network. She has never crashed, and her best up-time, eight-plus months, was curtailed only for a hardware upgrade. If you want something reliable and rock-solid, go with OS/2. If you want to play games, buy a Nintendo or whatever those things are called these days. If you want to be among the sheeple, there's always Microsoft. Sure, I use Linux, and exol its virtues. But, when it all comes down to dust, I'd take OS/2 with me to a desert island. Well, that would be far down on the priority list....

Re:This is senseless

[PCM2]

Where are all these IIS servers that are being targeted? Apache outnumbers them 2 to 1. Wouldn't it make more sense to target Apache?

Because publicizing a fault in an open source software product like Apache -- by publishing an exploit in the form of a pushbutton script kiddie tool, for example -- results in the fault getting fixed. Meanwhile, even if Microsoft does patch a known fault in IIS, a lot of home users/amateur server admins either won't know about the patch, or do know about it but don't bother to apply it. Open source users are much more attuned to the benefits of point-release upgrades, because they tend to be 1.) timely, and 2.) effective. Plus, if a patch applied to open source software causes more problems than it fixes (something admins frequently complain of Microsoft patches), it's usually trivial to roll back to the previous version, and you can be confident that another version will come out on a timely basis that will correct the new issues discovered -- so there's less hesitance to apply patches when they arrive.

Re:This is senseless

[obeythefist]

Because that path leads to the dark side. Once you start down that path, forever will it control your destiny.

But seriously, that's like not filling out your TPS reports. Pragmatically it doesn't seem like fun but you need to take quality assurance and correct procedures and practices into account, or it will bite you hard down the track.

Namely, don't *hide* your vulnerabilities, *fix* your vulnerabilities. That's why I started this whole rant. Linux shouldn't be secure because people don't know anything about it/don't bother hacking it, Linux should be secure because it's secure.

Re:This is senseless

[obeythefist]

This may be a surprise, but I was not actually serious about Windows 3.11 or using OS/2. I'm sorry you didn't pick up on my little joke there.

What disturbed me about the article is that the same points he was applying to Linux regarding security also applied to Win3.11 and OS/2. It's obscure, therefore it's secure. This is foolish and dangerous thinking. It's exactly the same kind of justifications Microsoft uses for selling their OS.

Linux is more secure simply because the open source nature of the software enables any security holes to be fixed quicker.

A more useful test would be to observe how quickly the box would be compromised if the assailants were specifically targetting the box and knew exactly which OS it was running, what patch level, and had the correct tools available to use it.

Suggesting that Linux is secure because Windows hacking tools don't work on it is madness. We can make better arguments than this, surely?

Re:This is senseless

[g4sy]

Ahh now you make much more sense, and i see your gripe with the article (i will add it to my long list of gripes with the article).

A more useful test would be to observe how quickly the box would be compromised if the assailants were specifically targetting the box and knew exactly which OS it was running, what patch level, and had the correct tools available to use it.

Interestingly, what you suggest has already been tried and dismissed by the infallible moderators of slashdot. Case dismissed. NEXT! :)

Actually, while I was reading some of that stuff... made me so angry I thought "Let those ignorant Windows users keep on thinking that their beloved OS is uncompromisable. I don't need them enlightened anytime soon." Now I know why others do advocacy and NOT me :)

short on details

[TheGratefulNet]

but it seems that no other free unix was used in the test? I would have loved to see how freebsd (or any bsd) would compare.

I left linux for bsd since I consider it more secure. linux is great, but it is a popular attack for kiddies. so far [knock disk] bsd has been spared such, uhm, 'popularity'.

I would bet a similarly configured bsd box would last longer than any of them.

Why unpatched?

Why do they use unpatched boxes in these types of tests? It just doesn't make a good security test, IMO. Why don't they setup a Linux box and a Windows box, and patch them both. Set up automatic updates in Windows, and a cron job on Linux to download updates nightly. Maybe install a few server processes just for fun (mail, web, ftp, and file shares / samba services for instance). Open the ports for those services, and block everything else with the vendor's firewall. I bet both boxes would stay un-hacked for years.

Re:Why unpatched?

[SoulMaster]

I completly agree. This article is effecivly saying the same thing as "A 1992 Ford Explorer without the recalls fixed will explode faster than a 1992 Chevy Blazer, without it's recalls fixed.

This just isn't logical and it pains me to see that people get paid to waste thier time on somehting this moronic, or, that I am not one of the people getting paid to waste my time. It's one of those, I'm sure.

-S

Ninnle lasts at least two YEARS!

Unpatched, no virus protection, no firewall, and it just keeps going. Ninnle Linux, the Energizer Bunny of the Internet!

Unpatched Linux Lives 3 Months on Internet

[SpaceLifeForm]

Imagine the nutritional value of Internet2 !

I've seen this

[anthony_dipierro]

Last time I moved I set up my laptop running Win2K on my new DSL connection without a firewall. It was just for 5-10 minutes or so, to set up the connection. Within those few minutes, I managed to pick up a worm. This was even with most of the latest patches already installed.

Firewalls/NAT greatly cuts down on your risk. Running firefox pretty much gets rid of the rest. But if you put Windows on the internet without a firewall and you're not a security expert who has done a thorough audit of your machine, you're asking for trouble.

Tell me...

[SI285]

Why doesn't someone put a fully patched windows box on the internet. Because it would last as long as a Linux box, that's why.

Re:Tell me...

[SpaceLifeForm]

Objection: calls for speculation.

If you have any evidence of a 'fully patched windows box' on the internet, please post an ip address.

Re:Tell me...

[SI285]

No...if you read the PDF you would have read

"However, we did have two Win32 honeypots in Brazil online for several months before being compromised by worms."

and it you read the techweb article you would have read

"Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks."

Why would I post an IP address? So I can have my network disrupted with a flood of attempts? Nice try but I don't think so.

Re:Tell me...

[DemENtoR]

Slashdot has been going down the tubes, ever since these windows users have been alowed to have accounts.... Or more like the past 3 years.

Re:Tell me...

[SI285]

At least I know how to spell allowed! Something which seems to have eluded you!

Re:Tell me...

H3r3 15 7h3 ip 0f my 1337 windows box:127.0.0.1

this is nice, but...

[mattwarden]

This is nice, but the implication that this is evidence that a default install of linux fares better than a default install of Windows is silly. While I'm sure that is the case, this isn't supporting evidence. I hate to continue the broken record of the if-linux-were-as-popular-as-windows-there-would-be -more-$attack-out-there mantra we're all sick of hearing, but in this case it directly applies.

Re:this is nice, but...

Yeah, there's some truth in what you say. I suppose something like "SkyOS" or "Atheos" isn't on anyone's radar. On the other hand, just today, four new Windows vulnerabilities were announced. But who makes the rules anyway? OK, so Windows is more popular leading to more crack attacks. That's life.

While some less popular operating system might not be much more secure in some absolute way, the fact that they are subject to fewer attacks is worth something in a real, practical way. An ersatz form of security, but it's a form of security nonetheless. Therefore, a tangible benefit of using a less popular operating system is that security is increased by being a lower profile target.