Slashdot Mirror


Linux Getting Harder To Crack

AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study, default installations are now more secure, with fewer services enabled by default; added to this, newer versions of software such as OpenSSH are more secure. Interestingly, Solaris 8 and 9 did not fare so well."

30 of 553 comments

  1. how is that "interesting"? by Anonymous Coward · · Score: 2, Insightful

    Comparing new and revised Linux installs to old and decrepit Solaris 8 & 9 installs. Distros release new versions at least once a year while Solaris 9 was released... when? A couple years ago? A default install with patches from the last 6 months versus a default install that is 2 years or so stale. Which one wins?

    DUH!

  2. Not even remotely scientific by QuantumG · · Score: 1, Insightful

    The number of variables in this study is not even remotely controlled. There are no sensible conclusions you can draw from this, except that unpatched systems are susceptible to attack and that there are still people out there who are attacking susceptible systems. For all we know an increase in the cost of beef in Tokyo is encouraging the Russian mafia to hire more hackers to fake livestock reports and therefore there are fewer hackers available to attack the useless machines involved in these tests.

    --
    How we know is more important than what we know.
    1. Re:Not even remotely scientific by QuantumG · · Score: 2, Insightful

      It's such a bullshit comparison. Windows XP gets owned in 3 minutes after starting up. Linux takes 3 weeks. Wooo! Linux must be harder to own! No, there's just more losers out there trying to break into random Windows XP boxes than there are losers out there trying to break into random Linux boxes. If you actually went and asked a representative sample of script kiddies which OS they found easier to attack and why, you might get some valuable information, but it's more fun to "catch" hackers in your "honeypot". About the only good thing that could ever come out of The Honeypot Project is previously unknown attack methods. For example, if someone got root using some local exploit no-one had seen before, we could reverse engineer the script they used and fix the bug. But this has never happened. Why? 'Cause no-one who has zero day exploits goes around using them on random machines. They use their zero day exploits to attack specific machines for a specific purpose, because they know that every time they use the exploit they run the risk of it being discovered.

      --
      How we know is more important than what we know.
    2. Re:Not even remotely scientific by ComputerSlicer23 · · Score: 4, Insightful

      I'd venture to say that no science experiment ever conducted has ever been under "the same conditions". It's merely a matter of how close the conditions are, and why everything else doesn't matter. You figure that out by starting by making measurements and, when you can't explain something, guessing why, and forming a model. Then try and set up a situation to measure if your guess is correct. Any number of "Scientific" measurements aren't repeatable (the analysis of any number of astronomical events is unique to our lifetimes and unrepeatable in the sense you are using).

      You can only draw those conclusions about water because someone has done all the scientific measurements before you.

      We didn't figure out gravity all at once. Some guy started dropping balls and measuring time. Some guys started measuring the time it took to roll down planks. Eventually they made lots of measurements that were a "big boiling pot of useless variables", and figured out that air resistance makes a difference. That if you measure incredibly accurately, the latitude and longitude (more specifically your distance from the center of the earth) matter. Even more accurately, what time of year it is does matter (our distance from the sun changes). They sorted out the patterns in the data. What they are doing is called "basic science". It isn't sexy, and it isn't useful right away. However, to start something that is a "science", you have to start by making measurements and then explaining them. Explain to me, roughly speaking, how one makes "Scientific" measurements on the internet where you have control groups? How precisely does one set up a second world wide internet that is identical in all ways except one has an extra Linux machine on it? Maybe if they continue to make such measurements, they might figure out what the variables are.

      That's precisely what they are doing. I'd have to read the actual statement they made to see how well they are lying with statistics. My guess is the statement they made was accurate and accurately captured what it was they measured.

      Also, I'm going to guess they used the same RedHat distributions (or at least had all of the old ones, and some new ones), and they used all the same old IP's (or at least used all the old ranges, and some new ranges). So I'd further venture to guess that your "boiling water" analogy is incorrect. I've read about these guys quite often. They are fairly "scientific" about what they do, and how they do it. The biggest problem they have is manpower to set up and analyze the machines and attacks. Which is really a function of their other big problem, a serious lack of financial resources. What they are doing on a large scale would result in really useful measurements. Sure, what they are doing is on the level of "Grade School Science Projects" in terms of the scale and quality of science. However, that doesn't make it any less "scientific".

      As to this:

      get an experiment that is so wildly useless that you can't honestly call it scientific

      Useful science is called "Engineering". Useless science is all over the place. Science is about forming a hypothesis, setting up a way of measuring your hypothesis, then analyzing the data after the fact. This sure seems to fit the bill. Useless science is how all science started. Next you'll tell me Linux isn't at all like Unix, because it started out life as a useless terminal program.

      Kirby

    3. Re:Not even remotely scientific by ComputerSlicer23 · · Score: 4, Insightful

      For example, if someone got root using some local exploit no-one had seen before we could reverse engineer the script they used and fix the bug. But this has never happened

      You really should read up on the honeynet project sometime before saying silly things like this.

      For starters, they have in fact found previously unknown exploits (at least one, but possibly several). I forget the exact details off hand, but in "Honeypots" (a pretty decent book), it is covered. They cover it in the section about different types of honeypots and what they are good for. They discovered a hole in a network service that was previously unknown on Linux machines several years ago when the project first started. I can cite it tomorrow if you really don't believe me (the book is at home, I'm not). A lot of blackhats give out zero days as a way of gaining credibility. While it wasn't a zero day, a honeypot was one of the first things to figure out how one of the major worms worked (Code Red I think, but it might have been one of the others).

      Also, black hats need a platform to mount their attack from that they can easily own without worry. So they attack home networks knowing that they can completely own a box and wipe the logs. Meanwhile, they can mount attacks from those machines onto others that are important. They need the intermediate machines to be anonymous. They might want to attack "American Express", or "Amazon.com". Anyone with any brains doesn't attack those from the IP's known to be in their basement. They find other machines that will have no logging, or logging that can be completely compromised, to use as a base of attack. Then the trail to find them dies at these random machines on the internet.

      Besides that, anyone wanting to implement an "Andy Warhol Worm" needs to find a set of machines that have an exploit available. In order to find those, one has to start attacking random machines on the internet. The honeypot project could accomplish that (I don't know that they have, but it would be a very good use of it).

      Finally, I don't have any important machines, so information about random machines on the internet fits me to a "T". I am more interested in what the script kiddies are doing, and what sorts of attacks they are making. The honeynet project does provide details about what JRandom guy with an IP on the internet can expect to be hit with.

      Kirby

    4. Re:Not even remotely scientific by maxpublic · · Score: 2, Insightful

      All true, but the number of real hackers out in the wild is tiny. The overwhelming majority of 'hackers' are just script kiddies using someone else's code to attack unsecured machines. Protect yourself from them and you protect yourself from 99.9% of the people who want to seize your machine for their own use. The odds of your machine coming to the attention of a real hacker are vanishingly small, unless you've got something the hacker wants.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  3. They aren't after your data - just your connection by khasim · · Score: 4, Insightful

    These reports are mostly moot, however, because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.

    What do you mean by "router"? There are probably several routers between your computer and any other computer on the Internet.

    And most of the spam I see is from home machines that have been cracked (zombies).

    Not to mention the DDoS zombies out there.

    They'd be happy to get your credit card info off of your home machine, but they attack to turn you into a zombie with bandwidth.
  4. Re:RedHat comes with a pretty good iptables setup by Anonymous Coward · · Score: 1, Insightful

    pam_tally was set up in the install, so 5 login failures locked out the account.

    So attackers can remotely DoS your accounts so you can't log in? Wonderful.

    Wouldn't it be better to block the IPs from which the bad logins are coming for x hours and log something?

  5. Re:As a Linux User... by gid13 · · Score: 4, Insightful

    His point was that nobody's going to bother going through a router to do that when there are innumerable completely unprotected boxes out there.

  6. Unpatched? by Brandybuck · · Score: 4, Insightful

    Why even bother testing unpatched Solaris when Sun specifically tells you to patch your boxes? It's like never changing your car's oil and then complaining that it breaks down too often. It's almost, but not quite, as stupid as complaining your burrito is frozen because you didn't read the microwave directions.

    --
    Don't blame me, I didn't vote for either of them!
  7. A router routes packets. by khasim · · Score: 1, Insightful

    His point was that nobody's going to bother going through a router to do that when there are innumerable completely unprotected boxes out there.

    Every home machine that's been cracked has been cracked through a router.

    Did he mean "firewall" instead of "router"?

    I don't think he did because he referred to his "unfirewalled SP1 Windows XP box".

    Unless he refers to a NAT'ing device as a "router".
    1. Re:A router routes packets. by bogie · · Score: 2, Insightful

      "Every home machine that's been cracked has been cracked through a router"

      No it hasn't. Beyond the false assumption that every machine ever cracked was directly behind a router (aka cheapo Linksys), many/most zombies come from people plugged directly into the Net with no buffer. How do you think all of those worms spread so fast when all they do is simple port scans to find hosts to propagate with? Scans that a router running NAT would block. The real threat comes from users plugged directly into their cable modem or dumb DSL modem with PPPoE etc., which is what that person was referring to. These people have no firewall/NAT to block outside attacks and thus join the legions of zombies out there every time a new worm comes out.

      --
      If you wanna get rich, you know that payback is a bitch
    2. Re:A router routes packets. by mabinogi · · Score: 5, Insightful

      Before you post another word on this topic, please demonstrate that you have the slightest idea what you're talking about by defining the following words for us:

      1. Hub
      2. Switch
      3. Router
      4. Firewall
      5. NAT
      6. Proxy
      7. Modem

      Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

      --
      Advanced users are users too!
    3. Re:A router routes packets. by Anonymous Coward · · Score: 2, Insightful

      That's not obtuse, that's encouraging correct use of terminology.

      It's not the router that protects them, it's the firewall that comes with it - whether that just be simple NAT, or a full stateful firewall.

      Encouraging correct use of terminology is always a good thing, and even more so when the topic is technology.

    4. Re:A router routes packets. by upside · · Score: 2, Insightful

      [pedant_mode]
      Hmmh. I see the point that "network address translation" kind of implies a one to one relation between external and internal addresses.

      However, to me "port address translation" sounds worse because the *network address* is still the key thing that gets changed in a many to one situation. The fact that the router assigns a new client port for outbound connections is just a side effect. The server and client still use the same ports, regardless of what the router does in between.

      "PAT" sounds more logical when describing a port forwarding situation where the router is listening to port x but forwards it to a different port y on an internal server.
      [/pedant_mode]

      --
      I'm sorry if I haven't offended anyone
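The router/firewall/NAT/PAT argument in the replies above turns on one mechanism: the translation table a many-to-one NAT box keeps for each outbound flow. The toy below is an added illustration, not code from any commenter or any real router, and every address in it is constructed from documentation ranges. It shows two inner hosts sharing one public address (distinguished by the port the box allocates, the "side effect" upside mentions), a reply being mapped back to the right inner host, and an unsolicited probe being dropped because no table entry exists for it, which is all the "firewalling" a plain NAT device provides.

```python
"""Toy NAPT (many-to-one NAT) box: the translation table behind the
"simple NAT drops unsolicited scans" point.  Added example with constructed
addresses; not code from any comment on the page or from a real router."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptBox:
    """One public address shared by many inner hosts, told apart by port."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        # (inner_ip, inner_port, remote_ip, remote_port) -> external port in use
        self.outbound_map = {}
        # (external_port, remote_ip, remote_port) -> (inner_ip, inner_port)
        self.inbound_map = {}
        self.dropped = []

    def send(self, pkt):
        """Inner -> Internet: allocate (or reuse) an external port, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound_map.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = ext_port
            self.inbound_map[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def receive(self, pkt):
        """Internet -> inner: forward only if a matching outbound entry exists."""
        inner = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inner is None:
            self.dropped.append(pkt)  # no state for this flow: unsolicited, e.g. a port scan
            return None
        return Packet(pkt.src_ip, pkt.src_port, inner[0], inner[1])


def demo():
    box = NaptBox("203.0.113.1")     # constructed public address of the home router
    server = ("198.51.100.20", 80)   # constructed web server on the Internet
    # Two inner hosts both use local port 51000 towards the same server.
    out_a = box.send(Packet("192.168.1.10", 51000, *server))
    out_b = box.send(Packet("192.168.1.11", 51000, *server))
    # The server's reply to the first flow arrives at the port the box picked.
    reply = box.receive(Packet(server[0], server[1], box.external_ip, out_a.src_port))
    # An unsolicited probe at port 22 on the public address has no table entry.
    probe = box.receive(Packet("203.0.113.99", 4444, box.external_ip, 22))
    return {
        "ext_ports": (out_a.src_port, out_b.src_port),
        "reply_to": (reply.dst_ip, reply.dst_port),
        "probe_forwarded": probe is not None,
        "dropped": len(box.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the model does not do: a host that initiates a connection itself (the "phone home" case raised later in the thread) creates a table entry, so the box forwards the answering traffic without complaint. The table protects against unsolicited inbound packets only.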
  8. Re:interesting by NanoGator · · Score: 5, Insightful

    "The patch is installing Linux."

    Tell the millions of gamers out there about it.

    --
    "Derp de derp."
  9. Re:In other news... by Neo-Rio-101 · · Score: 3, Insightful

    L.I.N.U.X - Linux Is Not UniX

    --
    READY.
    PRINT ""+-0
  10. Half Truth by aoptik · · Score: 5, Insightful

    Gene Spafford was interviewed by LinuxPlanet a couple of years ago. He says why Linux isn't completely secure; even though it is an outdated interview, I would like to say most of his ideas do make sense even today.

    Even if those honeypots are harder to penetrate, that does not mean drivers or individual applications that many people use are designed with security in mind first. Hackers are always going to be around; all this means is that script kiddies are going to be able to do less and less to break into a Linux box, but more sophisticated hackers are going to want to try harder, and in time you will have the same problems. Just like in real life, an ADT system can make your home safer; it does not mean you still will not get broken into. Plus, within this article you should be asking: who are the security experts?

    All in all I would hope people read this article in hopes that Linux is their solution to security out of the box. In other words, if you believe in security, do not rely on the distro to be 80% secure; even if you locked the system up tight like you're supposed to, you still have a good chance of getting hacked. This article is just showing business people in the IT world that they can set up Linux and not need an administrator with good expertise to be hired; instead of that person they can pay someone half as much with little experience to manage the network because Linux is so secure. See where I am going with this article?

  11. Re:interesting by atriusofbricia · · Score: 2, Insightful

    I better tell my friend to stop playing CS:Source and BF1942 then. Granted, that is with cedega, but still.

    --
    I was raised on the command line, bitch

    "Nemo me impune lacesset"

  12. Re:RedHat comes with a pretty good iptables setup by maelstrom · · Score: 2, Insightful

    Just have to be careful with this as someone can DoS your accounts pretty easy.

    --
    The more you know, the less you understand.
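Comments 4 and 12 above raise the same point about the pam_tally setup: counting failures per account lets a remote party lock a legitimate user out, and the suggested alternative is to block the source address for a while and log it. The following is an added example written for this page, not code from any commenter, pam_tally or any real tool. It runs both policies over a handful of constructed sshd-style log lines in which one address hammers the account "alice" and alice then mistypes her own password from her usual address, so the difference between the two policies is visible in the result.

```python
"""Failed-login handling: pam_tally-style per-account lockout next to per-source
IP blocking.  Added example on constructed sshd-style log lines; not code from
any comment on the page, from pam_tally or from any real tool."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 hammers alice's account, then alice mistypes
# her own password from 198.51.100.7, then logs in successfully.
SAMPLE_LOG = [
    "Dec 21 10:00:00 gw sshd[4010]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Dec 21 10:00:02 gw sshd[4011]: Failed password for alice from 203.0.113.5 port 40002 ssh2",
    "Dec 21 10:00:04 gw sshd[4012]: Failed password for alice from 203.0.113.5 port 40003 ssh2",
    "Dec 21 10:00:06 gw sshd[4013]: Failed password for alice from 203.0.113.5 port 40004 ssh2",
    "Dec 21 10:00:08 gw sshd[4014]: Failed password for alice from 203.0.113.5 port 40005 ssh2",
    "Dec 21 10:00:10 gw sshd[4015]: Failed password for alice from 203.0.113.5 port 40006 ssh2",
    "Dec 21 10:00:12 gw sshd[4016]: Failed password for alice from 198.51.100.7 port 51022 ssh2",
    "Dec 21 10:00:20 gw sshd[4016]: Accepted password for alice from 198.51.100.7 port 51022 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failure(line, year=2005):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class AccountLockout:
    """pam_tally-like policy: N failures lock the account, whoever caused them."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def record(self, user):
        self.failures[user] += 1

    def is_locked(self, user):
        return self.failures[user] >= self.threshold


class SourceBlocker:
    """Block a source IP for `block_for` after `threshold` failures within `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), block_for=timedelta(hours=1)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
        self.blocked_until = {}           # ip -> when the block expires
        self.events = []                  # what would be logged when a block is applied

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record(self, ts, user, ip):
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire failures older than the window
            q.popleft()
        if len(q) >= self.threshold and not self.is_blocked(ip, ts):
            self.blocked_until[ip] = ts + self.block_for
            self.events.append(
                f"{ts:%b %d %H:%M:%S} blocking {ip} for {self.block_for} "
                f"after {len(q)} failures (last account tried: {user})"
            )


def evaluate(lines):
    """Run both policies over the log and report who ends up shut out."""
    lockout, blocker = AccountLockout(), SourceBlocker()
    last_ts = None
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        last_ts, user, ip = parsed
        lockout.record(user)
        blocker.record(last_ts, user, ip)
    return {
        "alice_locked_out": lockout.is_locked("alice"),  # the DoS the comments describe
        "attacker_blocked": blocker.is_blocked("203.0.113.5", last_ts),
        "alice_ip_blocked": blocker.is_blocked("198.51.100.7", last_ts),
        "events": blocker.events,
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG).items():
        print(key, value)
```

Per-source blocking moves the denial-of-service risk from the account to the address: a legitimate user behind the same shared address as the offender is still shut out for the block period, and the block expires on its own, so the logged event is what the administrator actually acts on. That is the "and log something" half of comment 4.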
  13. Re:interesting by NanoGator · · Score: 2, Insightful

    Two down. Several thousand more to go.

    --
    "Derp de derp."
  14. Re:not again (the partisanship) by egarland · · Score: 3, Insightful

    SECURITY IS A PROCESS NOT A STATE!

    Wrong. Security is a state. Securing is a process. Look them up, they're in the dictionary.

    I usually hear that quote from people who want to make a living out of implementing security. The fact is, with the current state of systems, a lot of time needs to go into creating a secure system and keeping it secure. This is not inevitable however. As time goes on, computer systems and networks will simply be more secure by default, especially thanks to all the hackers out there that find the holes and let us know about them (oftentimes via the always funny "I infected you with a virus" method).

    software monoculture is BAD

    There are huge powerful upsides to a monoculture. Sure there are downsides too but I think in the end we will have one and it will be a huge benefit, even to security.

    ... without adequate, highly trained and proficient personnel it will always be near impossible to achieve truly secure (whatever THAT means) solutions.

    And 640K should be enough for anyone.

    If you really think that it is impossible for security to happen automatically, ask yourself exactly what it is that a security professional can do that it is theoretically impossible to automate.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  15. Re:interesting by Lord+Kano · · Score: 2, Insightful

    Last time we checked, SP2 was a patch. I'd like to see this unpatched patched machine of which you speak.

    If you slipstreamed SP2 into your install and burned a new CD would any machine that you install onto be unpatched?

    After all, if you didn't run any "patches" on the machine in question, one could call that unpatched.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  16. Re:interesting by odano · · Score: 1, Insightful

    Well, let's perform a little deduction here.

    Chances are high that any PC game that is sold is bought by at least a few people.

    Chances are high that if a group of people buy a game, at least one person will run it on a regular basis.

    Most people only care about the games they personally run.

    Therefore: Chances are high that *all* games need to be ported to Linux to make most people happy.

    So I am going to revise your statement from:
    obviously we don't need every single PeeCee game to work on Linux for a successful gaming platform

    to

    the most important thing to make linux a successful gaming platform is to make sure the most popular PC games work to cover the most users

  17. Re:interesting by Technician · · Score: 2, Insightful

    Tell the millions of gamers out there about it.

    Certainly, as soon as all their Win games run with no issues.. OOPS, they haven't done that with Windows yet!

    --
    The truth shall set you free!
  18. Re:interesting by slobbargoat · · Score: 4, Insightful

    no, tell the game developers out there about it.

  19. Re:As a Linux User... by Ubi_NL · · Score: 2, Insightful

    If the software is installed via social engineering, the zombie can just 'phone home' and the router will happily pass the traffic.

    --

    If an experiment works, something has gone wrong.
  20. Re:interesting by Omniscientist · · Score: 2, Insightful

    It is impressive that they have somewhat emulated DX, however I fail to see the features Cedega provides as being outstanding. I followed all the documentation, everything was set up correctly, and only one game ran, and it lagged terribly. This game that was lagging terribly is a game that will run perfectly at 1280x1024 resolution, with 8xS anti-aliasing, 16x anisotropic filtering, and all other options set to max while running many other applications in the background in Windows.

    Linux itself really doesn't need that much added to it; it's the game developers themselves who need to change over to making more OpenGL games so the game can run fine on both platforms.

  21. Re:Owned? by Tony+Hoyle · · Score: 3, Insightful

    Move.

    So you're expecting someone with no income to emigrate to *another country* just because there's an economic downturn.

    That's about the lamest thing I've ever heard. If you're unemployed you're going to have trouble getting bus fare let alone buying a new house in a foreign country.

  22. Re:not again (the partisanship) by egarland · · Score: 2, Insightful

    But security guards aren't in charge of identity, they are in charge of who gets into a building. To fool a guard into letting you in a building, you usually just need a piece of plastic with a picture of you and a company logo. It's a hell of a lot easier to get past a security guard than it is to get past a login prompt. Riskier, yes, but definitely easier and it requires much less knowledge.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination