Slashdot Mirror
Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet
An anonymous reader writes Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet. The full advisory is available for download only with registration, but the (Akamai-owned) Prolexic page to do so is quite detailed.
A link to get a white paper needing a registration is even worse than linking to a paywall
Well if they just had installed Linux.... Oh, damn.
everyone knows only windows can get infected
Who says that I mind if my computer gets used to attack the RIAA?
After all these years of neckbeard fanbois telling me they don't get viruses, here's proof that linux too is vulnerable! Finally I can link to this article whenever I hear this bogus claim hahahaha. Because we all know in reality linux doesn't have many viruses because only less than 1% market share!
How is Ballmer responsible for this?
So, to remove this do I just have to do this? /sbin/iptables
sudo rm -r
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
How do these exist?
Is this it?
It little behooves the best of us to comment on the rest of us.
It's news because it illustrates that, as much as Linux users like to throw stones at Windows, they too are vulnerable. Anyone can pick through the source and find security holes what can be exploited - perhaps even much more subtle ones than anyone would ever find on Windows.
> may use infected Linux systems to launch DDoS attacks against the entertainment industry...
WHERE IS THE DOWNLOAD LINK?
Oh yes, I am familiar with this iptables malware. I once had a machine running using ipchains, but iptables somehow made its way on to my machine and pretty much just killed ipchains functionality. I could not get it working again no matter how hard I tried. In case it modified my kernel, I even downloaded the latest from kernel.org (2.4.x) and compiled a new one, but to no avail.
I gave up and went to Windows.
Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet.
What the hell is a vertical?
The vast majority of Linux deployments are on server systems. These are easier to lock down, since there are no users downloading cool stuff and bringing in malware. Generally speaking, a remote exploit is required to bring down a server system. There are two newsworthy things in this report. First, a botnet of (presumably well-connected) Linux machines has been used in a DDOS, probably not the first time this has happened. Secondly, and this should not be newsworthy, not keeping up with patches will sink a system of any kind. Server, client, Linux, Mac, Windows, all need to keep up with rapidly evolving security threats.
The people that have their servers compromised in this way are amateurs and shouldn't have put their servers on the web, EVER. This is roughly equivalent to fielding IIS from 2001 on windows XP and not keeping your patch set up to date. You are going to be hacked.
Any sysadmin who is thinking about it, would put a web server and all it's components in a chroot jail and force it to run in user space and set up to refuse interactive logins for this user.. That way any "escalations" of privilege won't get you much more than the web server. It's easy, quick and effective.
So this isn't a really fair comparison you are making. Linux is BY DEFAULT more secure than Windows, mainly by design. Microsoft has made great strides of late, but fundamentally they are starting from a weak position (remember Windows 3.1?) and you have to install components to make it more secure, where Linux starts secure and gets security downgrades when you install and configure stuff. Either way, if you don't manage your server, you will have problems.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
CVEs or it doesn't exist.
Any /. article that talks about security vulnerabilities or exploits and does not reference the relevant CVEs in the summary is a worthless piece of shit.
the growth in cynicism and rebellion has not been without cause
they throw stones at the OS mainly
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
This infection seems to come through apache tomcat (java servlet/JSP) and/or apache Struts/Elasticsearch (java MVC framework/ java search lib).
It has a proper name according to This guy.
This threat is known as the infection of .IptabLex and .IptabLes ELF #DDoS backdoor trojan (malware).
From TFA.
"Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities"
Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java.
To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Death has been proven to be 99% fatal in lab rats.
Once again, every component compromised was a piece of Java software. When will people learn that running a JVM is the most insecure thing you can do on any system?
That is the summary and contains the link to the full advisory.
Spoiler Alert:
Bash commands
Two bash commands from PLXsert are designed to clean a system infected with the ELF IptabLes binary. After running these commands, system administrators are advised to reboot the system and run a thorough system inspection.
sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'
ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9
"... may use infected Linux systems to launch DDoS attacks against the entertainment industry... " Seriously? That's our worry? or whom you are trying to scare?
Not only was it virtually impossible to get rid of, MS in several cases argued that it was an integral part of the OS and therefore it could not be removed and replaced with any other browser.
Every server needs a dead operator's switch.
I prefer to throw at the users. The chance to hit the culprit is so much higher.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If the administrator deliberately activates software known to make a system (Linux, Windows, ...) vulnerable to compromise, that is NOT a compromised server, it is a honeypot. If you make a honeypot, you must mitigate any damage it may cause outside your domain.
Sue the admins of those systems into getting a job compatible with their IT skills (probably involving a toilet brush).
So this isn't a really fair comparison you are making. Linux is BY DEFAULT more secure than Windows, mainly by design. Microsoft has made great strides of late, but fundamentally they are starting from a weak position (remember Windows 3.1?) and you have to install components to make it more secure, where Linux starts secure and gets security downgrades when you install and configure stuff. Either way, if you don't manage your server, you will have problems.
The point of comparison should be between the server OSes. So, do you really think Linux on the server is more secure than Windows Server 2012R2 ?
No, unmaintained web servers getting attacked and turned into bots is not news. This problem is not even specific to Linux systems. Any server that isn't patched with latest security fixes for the OS and applications is at risk regardless of the OS used.
This comparison is pointless and simply minded or just a troll. Security is about layers, so who really cares, one layer or another always needs attention, sanity, and in particluar maintenance. The parent had good points, but still, again, who really cares about out of the box? No one who should have a job setting up servers. Out of the box my bricked Nintendo is very secure. Or should we say OpenBSD for all cases? No of course not.
Yes, but that doesn't mean you don't need to apply security updates when they show up. GNU/Linux is easier to maintain the security of. Users on the desktop only have to worry about one screen popping up, not dozens. It's allot harder to get tricked into installing a malicious piece of software when everything you need to install comes from a well maintained central repository. The default settings are also more secure (macros as example aren't on by default, unnecessary services don't start automatically for desktop distributions, etc). By default users are segregated and even hooking up a dial-up modem requires permission be granted to the user.
Linux was not vulnerable it was Apache and other software. running Apache on BSD, Windows or OSX would give them the same attack vector. This is the same as Outlook launching and running an executable in an email. It's not the OS it's an application that has the problems.
Lastly it's all software that has not been updated in a very long time and is not being maintained.. That alone causes giant holes in any OS or software ever made.
FYI: there are a LOT of windows machines out there running ancient IIS... I see code red worm attempts in my logs daily. It's not the OS, it's the idiots that own and run the machines.
Do not look at laser with remaining good eye.
It's still compiling...
"code red worm ..."
Those words gave me a twinge of nostalgia. :-)
Yes, I just got a bit sentimental about an old buffer overflow.
Sysadmin Things (tm)...
-- My Weblog.
The people that have their servers compromised in this way are amateurs and shouldn't have put their servers on the web, EVER. This is roughly equivalent to fielding IIS from 2001 on windows XP and not keeping your patch set up to date. You are going to be hacked.
Any sysadmin who is thinking about it, would put a web server and all it's components in a chroot jail and force it to run in user space and set up to refuse interactive logins for this user.. That way any "escalations" of privilege won't get you much more than the web server. It's easy, quick and effective.
So this isn't a really fair comparison you are making. Linux is BY DEFAULT more secure than Windows, mainly by design. Microsoft has made great strides of late, but fundamentally they are starting from a weak position (remember Windows 3.1?) and you have to install components to make it more secure, where Linux starts secure and gets security downgrades when you install and configure stuff. Either way, if you don't manage your server, you will have problems.
https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/
Daemons are NOT chrooted by default.
Processes inside a chroot can still execute privilege escalation attacks against the kernel.
Root can escape a chroot.
On top of all THAT, a normal user inside a chroot is PERFECTLY capable of joining a DDoS botnet anyway.
Remember Windows 3.1... and forget twenty years of Linux bugs?
I'm just going to repeat the GP..
"It's news because it illustrates that, as much as Linux users like to throw stones at Windows, they too are vulnerable. Anyone can pick through the source and find security holes what can be exploited - perhaps even much more subtle ones than anyone would ever find on Windows."
Linux security is not magic, _especially_ "by default".
What low IQ dumbfuck modded this down? it's 100% correct. Software is far more of an attack vector than the OS is. and it always has been.
Simpler to lockdown desktops since you don't leave services/daemons running as "listeners" that *may* have security issues (like webservers for example, or database engines).
These are easier to lock down, since there are no users downloading cool stuff and bringing in malware
No, just users downloading content management systems outside of package management, and thus never updating them or their accompanying modules.
The majority of spam I receive is coming from Linux systems. The majority of brute force attacks I see knocking on port 22 are coming from Linux systems.
Easier to secure, absolutely. But Windows itself is in the realm of "easy" to secure. It's all meaningless if people aren't freaking securing it.
Is SeLinux turned on & 'to the max' by default in all Linux distros? No. Why's SeLinux even THERE in the 1st place then too?? Answer = Linux is *NOT* fully security-hardened from the get-go, despite your b.s. to that effect...
* How the HELL you got a +5 for your b.s. utterly astounds...
(Especially the CRAP about Win3.x being anything *remotely* like Windows NT-based OS' from MS onwards - not even REMOTELY the same other than the interface/shell in Windows NT 3.x/3.5x & Win3.x... lol!)
APK
P.S.=> Lastly: *ANY* modern OS out there can be security-hardened, MORE - & yes - that includes Linux, hence my points on SeLinux above (as well as Windows - I know, I wrote the very FIRST online guides for doing it back in 1997 @ NTCompatible.com, which grew into these from circa 2006-2008 (got me PAID @ 1 spot online even, pretty cool) -> http://www.bing.com/search?q=%... )
... apk
Any sysadmin who is thinking about it, would put a web server and all it's components in a chroot jail and force it to run in user space and set up to refuse interactive logins for this user.. That way any "escalations" of privilege won't get you much more than the web server. It's easy, quick and effective.
If an attacker find a way to escalate privileges to "root" within the chroot jail, he can take over the whole system. So, a chroot jail does not help much except by limiting the surface of the attack to escalate privilege. For example, you can eliminate all suid programs within the jail environment. However, such manual installation can be difficult to maintain as automatic updates may not work. So, the chroot jail is not any better than properly configured AppArmour or SELinux, which also allows significantly to restrict what the web user can access.
Usually a more secure and simpler solution is to use OpenVZ (or another paravirtualization) to isolate the virtual machine that run the web server.
Linux is BY DEFAULT more secure than Windows, mainly by design.
I am not sure I can fully agree with you here. A lot depends on application installed, the system configuration, and how the system is used, and other things that have nothing to do with design. The only thing where Linux clearly wins is when you want to harden security accordingly to your needs. Linux is far more transparent, so it is easy to configure it properly, while Windows does a lot of things behind your back and some of them may unintentenly can compromise security.
The people that have their servers compromised in this way are amateurs and shouldn't have put their servers on the web, EVER. This is roughly equivalent to fielding IIS from 2001 on windows XP and not keeping your patch set up to date. You are going to be hacked.
Any sysadmin who is thinking about it, would put a web server and all it's components in a chroot jail and force it to run in user space and set up to refuse interactive logins for this user.. That way any "escalations" of privilege won't get you much more than the web server. It's easy, quick and effective.
So this isn't a really fair comparison you are making. Linux is BY DEFAULT more secure than Windows, mainly by design. Microsoft has made great strides of late, but fundamentally they are starting from a weak position (remember Windows 3.1?) and you have to install components to make it more secure, where Linux starts secure and gets security downgrades when you install and configure stuff. Either way, if you don't manage your server, you will have problems.
Neither OS is secure unless it's behind a firewall.
Not exactly the same. Windows 3.x line died back with Windows ME. Windows XP and beyond are all using a different kernel with a different architecture based on the Windows NT line, but share much of the same public APIs (Win32). You don't "install components to make it more secure", and that hasn't been true for nearly 20 years (20 if you used the Windows NT line). At least no more true than it is for linux, or any other OS. Of course there are packages that attempt to identify and mitigate issues, but so does every other OS, including linux.
From TFA. "Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities" Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java. To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Uh, no. It would be Struts/Tomcat architectural vulnerabilities. Not various versions of the Java Runtime have/had vulnerabilities, but in these particular cases, the vulnerabilities were within the software systems, not on the language they were written or the runtime that hosted them.
"It's news because it illustrates that, as much as Linux users like to throw stones at Windows, they too are vulnerable. Anyone can pick through the source and find security holes what can be exploited - perhaps even much more subtle ones than anyone would ever find on Windows."
I find this fascinating. Some Windows fans will grab onto something like this, an exploitable bug in Linux, and use that to "prove" that Windows is better. "Look here, Linux has an exploitable bug, obviously it's no good. I told you how much better Windows is, now it's proven science!" And the additional comment about finding bugs more subtle than those on Windows? Where's the evidence for that statement, other than perhaps in the fact that Linux source is readily available while Windows source is not?
Any OS has exploitable bugs. Failure to patch is, as noted by many other posters, the real issue. Don't necessarily condemn one system or the other because there are bugs. Instead, maybe we might look at the track record, in which case some conclusions should emerge.
Neither OS is secure unless it's behind a firewall.
Unless you (or the distribution you use) configures it, Linux is 100% secure from network attacks when installed. Why? Because the network card driver won't be loaded and the network adapter will be unconfigured and ZERO services will be running. All three will need to be true, or nobody is getting into your system from the net.
So.. Unless you intend to protect your server from physical fires, you don't need a firewall on a bare Linux system...
However, both Windows and Linux have fine network firewall's these days. You might want to tweak them to your needs, but they exist. Where I would recommend not putting anything directly on the internet if you can avoid it, most firewall's are pretty useless unless you actually think about what you let in and out and configure the thing properly. In any case, I'd not be totally opposed to putting a Linux box on the Internet if necessary, but I'd never do that with a windows box. Just my opinion though.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine
Holy misleading headline, Batman! Any server that's not maintained is vulnerable, how is this news other than it's a Linux server botnet? OMG unpatched servers are vulnerable to hackers!
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
If you tried to remove the browser, any program that embedded the browser control wouldn't work, and a ton of business software did just that. I know a whole lot of cadd software (in 2014) STILL embeds the browser control for fonts and text editing and a lot used it for their help systems. It was also used in a lot of places in windows because it was available. Stripping it out would require replacement with something that had the same quirks/bugs/features etc. Technically removing it was possible, practically removing it would cause major pain for businesses.
On one hand, Linux has had a reputation for being secure. On the other hand, Windows has made great strides in improving things.
On the gripping hand, security really belongs to the person sitting at the admin console [1]. The first thing a lot of Linux users do is kill SELinux, which weakens the security model tremendously, where it takes is just one weak SUID program or one running as root to have the machine. The second thing is that because Linux doesn't have signed executable functionality [2], something like AIDE or tripwire is a must.
From there, it is about basic security practices. If a server sits for months to years without updates, it doesn't matter what OS it runs, eventually there will be a hole, and eventually it will get pwned.
[1]: Be it an actual window, a serial port, a VMWare console, SCVMM window, remoted in via SSH or RDP.
[2]: It would be nice if the Linux kernel had functionality compared to trustchk in AIX. It isn't signed executables per se (since it uses a manifest list), but it does help prevent unauthorized stuff from loading, even libraries.
Software and security is nuanced and layered requiring thought and analysis. Commenting here is neither and there's certainly little thought.
I think you meant to say windows NT?
In a way, I'm hoping for more eyes on Linux for security vulnerabilities. The reason is that if they appear, they can get fixed almost immediately. MS is decent at handling patches, but most bugs end up waiting until Patch Tuesday, unless it warrants an out of band fix.
Maybe I'm showing my age... part of the standard procedure of getting Linux set up and deployed was getting onto security mailing lists like Bugtraq and its successors. It is a lot of mail, but better some time spent finding and fixing a vulnerability, than the time it takes dealing with a successful attack, or even an intrusion attempt, especially if an organization has different IT groups (network, system, SAN, etc.)
Frankly I have to ask if that is even ethical, and while I realise computer security is a tough business, I expect a whole lot better attitude and behaviour from Akamai or an Akamai owned company.
It impedes the dissemination of critical information, which is primary goal of an advisory bulletin. Anything else is marketing, to and at the expense of those affected.
I understand that Akamai / Prolexic have invested their time and expertise into discovering / creating that information, and deserve recognition and acknowledgement for that effect, but the control and restriction of an security advisory is an ethical and moral decision, not a business decision.
In fact, given that it does appear to be marketing oriented, it may well have civil liability issues in some jurisdictions for failing to make the advisory more readily available. If this DDoS attack increases costs of any Akamai customers, there may well be a conflict of interest and/or breech of trust.
I expect better from CEO / co-founder Dr. Leighton, as I respect him and Akamai whom I have always found very professional.
This underlines an important point I made previously, that part of the problem here is C/C++ and its manual memory management. Ruby, Perl and Python eliminate a whole class of programming errors by doing memory management automatically, making it easier to develop secure applications. People laugh when you say the web browser should be written in Perl, as the web server should be, but its true. The result would be a safer, and even a faster system because a Perl program would lack as many memory leaks and therefore you would end up with less memory swapping as a result. So much for how much Slashdot people know about security, or good software design, that they would then that C/C++ is a good development environment for the web browser or web server, when it obviously is a source of huge numbers of vulnerabilities. People here must be totally inept or clueless to miss that Perl has automatic memory management, reference counting and automatic allocation that you eliminate hanging pointers and out of bound access errors.
If I can get code to execute in a context of a jailed UNIX process, such as a webserver, which would allow me to send traffic in and out, a malware writer has a usable client for a botnet, for spam, DDoS, and other uses. Even if they just have control of that webserver's port 80, they can use that and modify the server to occasionally serve malformed pages in hopes of nailing a buggy browser or browser add-on.
Similar to a program that just gets access to a user context in Windows. With just user access, their files can be encrypted for random, pictures can be copied off for blackmail, and the machine can still function as a botnet client.
Layers are critical. Even with limited contexts, firewalls are still crucial (to prevent a web server from making outgoing communication, for example), as well as integrity checks.
So on the one hand we have asshats wanting to exploit your system and on the other we have asshats trying to opportunistially exploit this chance to dig for information about anyone wanting to know what's going on? Yeah, they obviously took the attack seriously... Screw 'em. They're both bad actors.
There is a lot of room for improvement on both sides of this argument. I would support a "trusted" executable and shared library loader as being a vast improvement in Linux security, but the fact remains... Windows/Microsoft has been playing catch-up in security where Linux has been leading over the last decade. Microsoft has been gaining ground, but they are still running in second place in security (well, maybe third if you include Apple, Fourth if you include SCO Unix and fifth if we include Solaris).
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Since the problem appears to lie in Java libraries, I don't understand your argument at all.
I think we've pushed this "anyone can grow up to be president" thing too far.
So why have all of the NT kernel based systems required anti-virus programs from multiple vendors?
I guess you call anti-virus programs "components".
...Linux source is readily available while Windows source is not?
To the general public that is true, but don't forget this leak and more recently this disgruntled employee. And remember - these are only the leaks of source code that we know about. I am sure that a lot more of the source is available to those with fewer scruples than you or I.
How come Slashdot never gets Slashdotted?
but the fact remains... Windows/Microsoft has been playing catch-up in security where Linux has been leading over the last decade.
So where are those facts?
Because they way I look at it there has been several embarrasing, high-profile successful attacks on Linux servers over the past few years:
Debian server compromised: http://www.zdnet.com/debian-se...
Ubuntu servers compromised: http://www.theregister.co.uk/2...
kernel.org compromised: http://lwn.net/Articles/457142... (we're still waiting for the post morten on that)
linuxfoundation.org and linux.com compromised: http://thehackernews.com/2011/...
red hat and fedora servers compromised: http://www.cnet.com/news/red-h...
(and we do not even mention the OpenSSL fiasco)
So where are the widespread Windows Server compromises?
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
I find it interesting that Akamai is complaining about server vulnerabilities, when something like 30% of all the alarms on our IPS are set off by hosts they control.
Sit, Ubuntu, sit. Good dog.
but the fact remains... Windows/Microsoft has been playing catch-up in security where Linux has been leading over the last decade.
So where are those facts?
Because they way I look at it there has been several embarrasing, high-profile successful attacks on Linux servers over the past few years:
Debian server compromised: http://www.zdnet.com/debian-se...
Ubuntu servers compromised: http://www.theregister.co.uk/2...
kernel.org compromised: http://lwn.net/Articles/457142... (we're still waiting for the post morten on that)
linuxfoundation.org and linux.com compromised: http://thehackernews.com/2011/...
red hat and fedora servers compromised: http://www.cnet.com/news/red-h...
(and we do not even mention the OpenSSL fiasco)
So where are the widespread Windows Server compromises?
To be frank, I don't think anyone bothers reporting on them anymore. For a journalist "Linux server compromised" sounds far more sexy than "windows server compromised." These guys, after all, have to get readers in order to put food on the table.
Well, it's for a good cause... TFS did mention DDOS against the entertainment industry. Good news is news worth reading.
$
So when Linux gets infected, it's the users fault but when Windows gets infected, it's Microsoft's fault[1]?
[1] http://yro.slashdot.org/commen...
Gotta love Slashdot logic.
Ok your brain is broken in two ways here:
1. You keep talking about history. Nobody gives a shit which OS was more secure in 1986, we care which is more secure now. The question is, if I were standing up a server today, which OS would be the best choice?
2. You're redefining "Linux" to mean whatever happens to make it best in any given situation. Saying OpenSSL isn't part of "Linux" is both technically correct, and extremely intellectually dishonest.
To be perfectly frank: the grandparent has an extremely good point that you're completely ignoring. In recent years, Linux server security has been measurably worse than Windows server security.
Comment of the year
Do you remember DOS? Windows 3.1.1? Security was woefully lacking, it wasn't even a concern. At the same time, Linux was being developed, with the security model it has today, mostly unchanged. Windows has gong though many revisions and changes in the security design from ZERO security and no such thing as having separate user accounts to where we are now. Linux started out, very similar to what it is now.
Please stop repeating that, it stopped being true as of 10 years ago since Windows ME was the last OS based on DOS/Win 3.1.1 code.
XP, Vista, 7 and 8 are all based on the Windows NT family which was developed with security in mind and separate user accounts etc.
http://en.wikipedia.org/wiki/W...
Everyone is vulnerable when they aren't patched (and sometimes when they are). This particular warning only affects unpatched servers. I assume because servers, though they should be patched right away, they often aren't, because businesses (business managers) doesn't want to down the server for the patch. New technologies will allow patches even to the kernel without taking down the server. When that happens things like this will mostly disappear.
No, most reasonable people do not say that Linux is invulnerable, however, the Linux desktops and servers are far less vulnerable than almost all other operating systems.
You can lead a man with reason but you can't make him think.
So when Linux gets infected, it's the users fault but when Windows gets infected, it's Microsoft's fault?
Personally, I haven't said that here..
Microsoft chooses to install and activate a lot of risky stuff that most Linux distributions don't, but having a box compromised is not the vendor's fault. I'd never put a Windows freshly installed box on the network without first applying all service packs and locking the system down. However, a Linux box is not a risk (at least not the distributions I run) after a clean install so I don't have an issue drooping them on the net to pull patches and configure the software.
In both cases, if you mismanage their security, you get a bad result. It's just harder, in general, to get a secured Windows box, because you have to actively do something to secure things before it is safe, while a minimal Linux box starts out fairly safe and goes down hill from there. One comes off the install media in an unsafe configuration, the other is usually locked down.
So who's fault is it? Yours, if you put an unpatched unconfigured Windows box directly on the net right after you install it. It's also yours if you open up the holes in your Linux install.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Do you remember DOS? Windows 3.1.1?
Yes, they were from over 2 decades ago and their code has long since been purged from the modern codebase (over a decade ago). Making them completely irrelevant.
At the same time, Linux was being developed, with the security model it has today, mostly unchanged.
Which is part of the problem.
So you are claiming there where no widespread Windows Server compromises? I can see you are new here, never ran NT and IIS then? Shesh... Newbies..
Why are you living in the past? The world has changed and you obviously can't keep up, time to retire grandpa.
Ok your brain is broken in two ways here:
1. You keep talking about history. Nobody gives a shit which OS was more secure in 1986, we care which is more secure now. The question is, if I were standing up a server today, which OS would be the best choice?
Best choice or most secure choice? I cannot answer the first question for you because there are reasons to use Windows and reasons to use Linux which have noting to do with security. Most secure choice? That too depends, but if you are talking about a situation where "all other things are equal" then a properly configured Linux box seems like a better choice to me. Of course, if you cannot manage a Linux box properly, then go with what you know that you can manage, but in that case we are not "all things being equal" anymore.
2. You're redefining "Linux" to mean whatever happens to make it best in any given situation. Saying OpenSSL isn't part of "Linux" is both technically correct, and extremely intellectually dishonest.
To be perfectly frank: the grandparent has an extremely good point that you're completely ignoring. In recent years, Linux server security has been measurably worse than Windows server security.
I think you are wrong on that. There has been an explosion of Linux based servers on the Web in the last decade. Many of these are not appropriately managed and suffer as a result, plus you also see a lot LESS Windows/IIS installs out there for a number of reasons (mostly due to cost and the past issues with IIS exploits) so the attack surface is much larger. Given the number of these servers which are not appropriately managed, there are a lot more systems compromised. If you don't keep your system up to date and watch the security posture of your system, it's going to eventually get hacked, I don't care what OS you run.
You see, I'm not claiming Linux is perfect, obviously it has had issues. I'm claiming that Windows has been playing catch up on security issues. Obviously they have made great strides. You want to claim windows is better... Ok, if that's what you can manage correctly, it's better for you. IMHO Linux is better, both historically (which even you cannot argue with apparently) and currently remains better. Your mileage may vary, past performance is no guarantee of future performance, and all such fine print you are accustom to reading..
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Mostly valid points. None of them invalidate the parent's point. If there is a significant infection of malware, then it is newsworthy. What factors led to the infection don't make it unnewsworthy.
"These[server systems] are easier to lock down, since there are no users downloading cool stuff and bringing in malware." Your comparing desktop usage to server usage. Regardless of Linux or Windows the same issues are there for each usage scenario.
-Desktop: If there is a vulnerability in a Linux or Windows desktop, the usage pattern of users is going to be a pathway onto the machine for malware. These days you could probably take any average user since most are unfamiliar with desktops, stick them with a desktop of any OS flavor, and they will in both cases go to a browser and do things that put the system at risk. These days they implement similar levels of security. Many flavors of both prompt you to escalate an process to root/admin privilage, so each are vulnerable to users unwisely escalating software of questionable sources.
-Server: If there is a vulnerability in a server, regardless of OS, "a remote exploit is required to bring down a server system". This doesn't invalidate the parent's point.
Parent's point is that it is newsworthy because many naive individuals in the Linux community likes to purport that Linux is somehow invulnerable to such exploits. When I say "many naive" I don't mean to say all Linux users are naive, just that there are a fair share who don't understand that Linux and software running on Linux has the same potential to harbor undiscovered vulnerabilities as any other competing OS/software.
This means they make blanket statements about how this or that security problem effecting Windows isn't a concern for Linux. They don't know about clarifying criteria that Linux is more secure under the circumstances that you maintain updates and properly administer WAN facing interfaces.
The result is you have individuals running unmaintained Linux servers because they think they are more secure, but which require significantly more attention than similar Windows counterparts. So you have two factors working against the security of Linux, misinformation, and ease of maintenance.
Even in situation where you have a capable staff who understand the importance of maintaining updates. If you have updates that are fragile and require lots of testing, require alot of babysitting to apply, or are in other ways difficult to automate in a reliable way, then you are going to occasionally create situations for admins where their manpower isn't enough to get to those updates immediately. That's not to imply that Windows updates don't sometimes break things and require testing, but I would say they are easier to automate overall and more reliable. Probably due to the fact there are far fewer flavors of Windows, so updates which do have issues are quickly hotfixed. When I've had updates on Linux fail, sometimes there is a good bit of manual work to back them out, fix whatever went wrong, and re apply them.
I am not trying to say Windows is better than Linux, as I am not trying to do a compelte comparison of the two, but simply pointing out that this article highlights some of the factors that contribute to the formation of such an infection. Certainly Windows has some of these same issues as well and we've seen infections that targeted machines that weren't up to date. However, I think Windows has done a better job at least with the automatic updates to address this kind of problem. It certainly isn't always perfect, but its pretty good.
Unless you (or the distribution you use) configures it, Linux is 100% secure from network attacks when installed. Why? Because the network card driver won't be loaded and the network adapter will be unconfigured and ZERO services will be running.
Yes and this rock that I have here is equally functional and equally secure.
They haven't required it, but if you're going to be downloading and installing things from dubious sources and browsing the web then yes it is advisable no matter what platform you are on. Just like there is avast!, bitdefender, AVG, Kaspersky, Trend Micro, Norton, McAfee, etc... for Android, which is Linux.
I'm making no argument one way or the other. I'm saying that's completely irrelevant.
Right, but based on what? Just your humble opinion? Do you have any evidence whatsoever? Have you even used recent versions of Windows Server?
Because your extreme ignorance of it tells me you have not, and as a result your humble opinion isn't worth jack.
Comment of the year
No, unmaintained web servers getting attacked and turned into bots is not news. This problem is not even specific to Linux systems. Any server that isn't patched with latest security fixes for the OS and applications is at risk regardless of the OS used.
The biggest difference we see between proprietary and FOSS systems is that the lack of maintenance in proprietary systems is often the fault of the vendor. In short, there's no way to keep a service or application patched, because there are no patches forthcoming.
Lack of maintenance by the sysadmin is a more common source of insecurity on Linux systems. The patches are often (not always, but often) there, but they do have to be applied by someone.
Crumb's Corollary: Never bring a knife to a bun fight.
I think you are trollin now..
I have decades experience with both windows and Linux and just happened to finish up an Windows Server 2008 R2 install for a customer delivery yesterday. No, I've not had the opportunity to play with Windows Server 2012 yet, but it's likely in my future.
Of course, all this "My Experience is better than yours" bluster amounts to nothing more than arguments about who has the biggest...... If you don't like what my 20+ years of experience says, feel free to ignore me. When you get into trouble, let me know, I'll help you when you are willing to listen. So get of my lawn, until you can talk nice to the old guy... ;)
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Please stop repeating that, it stopped being true as of 10 years ago since Windows ME was the last OS based on DOS/Win 3.1.1 code.
XP, Vista, 7 and 8 are all based on the Windows NT family which was developed with security in mind and separate user accounts etc.
Ok, I'll stop. Just one more question... Where do you think the designers of NT came up with that idea? Hmmmmm? Wouldn't have been Unix now would it?
OK, OK, I'll stop rubbing it in that Microsoft has spent the last decade working on their security... Just stop debating at my assertion that Windows starts less secure and needs to have stuff added to it for security reasons....
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Any operating system has security holes... unix/linux has less... and you take a security risk when you outsource or just hire newbies out of school. You need to hire people who have been at it a while, pay them what they are worth.. and hire newbies for the sr. system engineers to mentor. they get what they get. and java... well.. Oracle Sucks.. we all know that. You can code around it.. just code with security in mind, close all security holes. don't run external processes as a trusted user.
Ok, I'll stop. Just one more question... Where do you think the designers of NT came up with that idea? Hmmmmm? Wouldn't have been Unix now would it?
DEC VAX?
Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals
Whatever happened to "the enemy of my enemy is my friend"?
Yes, there's technical solutions like the upcoming Tor-like anonymized version of tribler that will try to route around the Copyright Crooks-induced Internet Censorship.
When the copyright term is "forever minus a day", live every day like it's the last.
A DDOS attack against the most prolific scumbags in the entertainment industry, eh? How can I get infected? I'd be DELIGHTED to participate!
Where do you think the designers of NT came up with that idea? Hmmmmm? Wouldn't have been Unix now would it?
Wrong again, it was designed by someone who quite hated Unix.
en.wikipedia.org/wiki/Dave_Cutler
http://www.theverge.com/gaming...
Windows NT's primary inspiration was VMS.
http://en.wikipedia.org/wiki/O...
Windows NT did not start less secure.
You idiot, go correct your facts.
The source has nothing to do with it, but yes, any one unpatched OS can be at risk just like any other ... if improperly configured.
I'm quite certain with a properly configured SELinux configuration even unpatched Apache would survive however.
- Michael T. Babcock (Yes, I blog)
Its just miseducation on your part to think that OpenSSL is part of Linux. It may ship with a given Linux distribution, or it may not. Its a library used by third party software, some of which may or may not be part of the problem.
Most vulnerable systems have disabled SELinux, disabled other security features and are running fast and loose with their user permissions.
- Michael T. Babcock (Yes, I blog)
The point of comparison should be between the server OSes. So, do you really think Linux on the server is more secure than Windows Server 2012R2 ?
Yes.
The cesspool just got a check and balance.
So NT came from VMS, no argument there, but where did VMS come from? Unix on the PDP-11.
Now this is before my time, but I seem to recall that Unix was developed for the PDP-11 as an effort to allow a common OS across multiple hardware platforms way back in 1969. Just so happens that Digital PDP-11 was the predecessor of the Digital VAX-11780 for which the initial VMS version was written for. VMS was initially released in 1977 (a full 7 years after Unix). Unix leads to VMS, which leads to NT.. So, when the primary developer of NT jumped ship at Digital and boarded the USS Microsoft he brought along his hate for all things VMS, but adopted many of the security concepts of VMS, which adopted them from Unix. Well Unix and the equivalent of the NSA's recommendations for things like ACL's and audit trails.
So, despite your scorn, I am right on the idea that multi-user came to Windows from Unix.
Windows NT can off the distribution media much less secure, not necessarily because the kernel was ill-conceived or implemented, but because it had to be "Windows" and had to work with existing network infrastructure which was already fielded. Infrastructure which was full of huge holes and required services that exposed the boxes to exploits we would consider atrocities today. But that's what Microsoft had to do to keep it's customer base buying their software. Once security became an issue they started to shore up things, but they've been hampered by the "it has to work with what's out there" requirement, so we where forced to live with the stupid security of Windows for decades.
Was NT as secure as Unix? Maybe the kernel was, but NT certainly was not more secure in the normally fielded form. We've come a long way since 1981, but because of it's legacy install base, Windows has lagged in being secure.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Ok, I'll stop. Just one more question... Where do you think the designers of NT came up with that idea? Hmmmmm? Wouldn't have been Unix now would it? DEC VAX?
The progression goes like this..
1. Unix was developed on the Digital Equipment Corp PDP-11 hardware in about 1970. Unix started as a multi-user system that supported memory segment protection between user processes and kernel space.
2. VMS followed on the next generation of DEC hardware the VAX-11780, which made it's appearance in the late 1970's. This system introduced Virtual Memory spaces for user processes. (Thus it's name Virtual Memory System) VMS was not first in being muti-user, commercially that was Unix.
3. Windows NT arrived in the late 80's, and not surprisingly ran on DEC VAX hardware as well as x86 based systems, as the chief engineer of NT came out of the VMS development team at DEC.
So NT got this idea from VMS which got it from Unix....
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I agree with the notion that C and C++ are dangerous security risks in the hands of most developers. They normally use raw arrays and raw pointers. The U.S. military (which NSA-GCHQ is part of), Chinese intelligence and the Russkie mafia really, really like this practice. They call it the "cyber war domain". Little coincidence that Bell Labs, a U.S.G. branch at that time, develop this stuff. They apparently had nightmares of millions of C64 and Amiga computers being used as soft-SIGABAs, which would have turned them blind, sigint-/comint-wise.
BUT, Perl is no ideal fix. Rather, its lack of type safety opens up lots of new exploit opportunities. It has been designed by an Ex-NSA contractor, Larry Wall.
And, you can do memory-safe languages/untimes very nicely WITHOUT Garbage Collection: Just use reference-counted memory management. You need to break pointer cycles yourself, though.
Professor Wirth of ETH Zürich had the basics of this technology done in the 80s. It was called PASCAL and ADA. Here is a slightly improved variant of this kind of language (includes some good features of C++ such as Destructors):
http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/
And yeah, quite prototypical, but it demonstrates what is possible outside the World Of C Pain. If you really want to use it, drop me an email and I will assist you into getting it running on you *nix platform or cygwin. I once even had it running on Windows. Not pretty, but effective.
Frank Gerlach
frankgerlach74@web.de
Württemberg
Germany
Because they have rolled lots of unnecessary stuff right into the Windows Kernel: GUI rendering, font parsing (enabling some very nice drive-by exploits for browsers once) and a whole bunch of other nasty "design" decisions. Or should we call it "anti-patterns" ?
Only Win 8 has brought software stores (10 years after Linux) and Sandboxing is still the exception, not the rule. Compare that to Linux, where you have at least 2 major infrastructures (AppArmor and SE Linux). Plus you can build your own sandboxing using the the LSM API. Do you finally have this in Windows ???
Your sales argument is that "every monkey can operate a computer". They might be able to turn it on, but sure as hell a monkey will configure it insecurely. You NEED a CS degree to set up a secure computer. Linux or otherwise.
And yeah, Windows still is a shithole of insecurity. You folks still cannot break it to users that they need an admin and a normal account. Instead you do this UAC crapola.
So, go back under your rock and leave the adults alone.
...they elevated Guest print jobs to Admin rights in Windows ? So that StuxNet could do its work ?
We have AppArmor on Linux - it is rather simple and straightforward. Lock all the SW crappiles into their respective sandboxes.
...take the time to create an AppArmor profile for your application. Then the maximum damage is limited to what you allowed in the AppArmor profile. User-based security actually is a quite shitty concept. What is the business of Acrobat Reader in reading my VHDL and my CATIA files ?
I once did it for firefox and it was a two-day effort. Firefox can be considered a complex program relative to AppArmor.
Linux had and has a string of security issues, including things like this.
http://theinvisiblethings.blog...
Try doing that on a Terminal Server.
What multiuser security again?
I don't run X on any "server" system I manage. Not for this reason, but for the general security concept that you don't run stuff you don't use. Good luck turning off the GUI on your windows box...
However, if you did have X running, it's only going to accept X client connections from the local machine (unless you've opened it up further). This means that any attack vector though X will have to be launched from the local box. Which means that the attacker will have to compromise the local box in some other way.
X should only be run by systems doing "desktop" duty, which if you are comparing apples to apples means you have to compare this to a Windows desktop OS. If you let somebody into your Windows desktop box, they can launch stuff that compromises your system too.
So, Nice try, not a problem that is unique to Unix/Linux when you look at similarly configured Windows systems.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
...Akamai got a big discount (for their Windows licenses) or a check from Microsoft under the condition that they badmouth the Linux OS, when the problem was actually one of some hipster library developers. The same problem would probably exist on Windows and MacOS, if you ran Struts on these platforms.
We have seen this pattern with various assortments of PHP shite like phpMyAdmin and those PHP-web-server consoles for the shell-illiterates of the "business world". Those who are not able to do their work via ssh+shell scripts.
Don't get me started on the PHP shite in general.
Yeah, nothing new in the Corrupt Western World of 2014.
Now I *KNOW* you haven't used any of the Windows Servers released in the past 5 years. Don't want the GUI? Don't install it!
Well-written modern C++ does not have manual memory management.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Yes; I was there Digital's ULTRIX was "going to run everything anywhere" and save the wurld.
Well, it's for a good cause... TFS did mention DDOS against the entertainment industry. Good news is news worth getting infected.
FTFY
What about multiuser systems that are used as remote desktops? What about privilege separation? Why should a user logged into a machine be able to read keystrokes of all the others even though they're a normal user and not root? That doesn't happen with Windows.
You are mixing modes and comparing apples to oranges here.
If you are using a Linux box as a remote desktop server, you don't run the X server on the box in question, it runs on the machine that has the user's display. The "issue" in question is about applications that share the same X server, which in this case, each user has their own. However, this is rarely done anymore. If you have a LInux desktop running X, you don't usually run your applications on another box anyway, it runs locally, so you never open up the XHOST restriction and nobody can connect.
The privilege separation issue is a valid complaint, but again, I don't manage my servers using a GUI in the first place so I don't have X running, much less loaded so I don't have to worry about this issue. If you insist on running X, don't use it to administrate the box and you don't have this issue.
So, though my security practice, I avoid this issue. But we are talking ONE issue now which has long been known and easily avoided. There has been a raft of issues with Windows which where not so easy to avoid, detect and eliminate. Ever wonder why they picked the [CTL][ALT][DEL] key sequence in Windows NT? Think about it... Windows has the same kinds of issues, you just don't want to think about it. Ever Since TSR's where introduced in DOS, you've had this problem.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
O, I only had Samba and a python app on the 1 server, no apache, tomcat or elastic.
The progression goes like this..
1. Unix was developed on the Digital Equipment Corp PDP-11 hardware in about 1970. Unix started as a multi-user system that supported memory segment protection between user processes and kernel space.
2. VMS followed on the next generation of DEC hardware the VAX-11780, which made it's appearance in the late 1970's. This system introduced Virtual Memory spaces for user processes. (Thus it's name Virtual Memory System) VMS was not first in being muti-user, commercially that was Unix.
3. Windows NT arrived in the late 80's, and not surprisingly ran on DEC VAX hardware as well as x86 based systems, as the chief engineer of NT came out of the VMS development team at DEC.
So NT got this idea from VMS which got it from Unix....
Unix was never implemented for PDP-11 by DEC. 3rd parties adapted several versions so that they could run on the PDP-11. A number of generations of "realtime" operating systems were developed by DEC for the PDP-11 and later the VAX-11 series.
Dave Cutler was on the teams for many of these OSes. Dave Cutler left for Microsoft to design Windows NT. Dave Cutler *never* implemented an OS for PDP-11 based on Unix. In fact, he *disliked* Unix.
And no, Unix did not invent access control. I sense that you need Unix to be some type of god-like hero. It is an operating system, and an aging one at that. Cool off.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
I don't run X on any "server" system I manage. Not for this reason, but for the general security concept that you don't run stuff you don't use. Good luck turning off the GUI on your windows box...
Didn't you say that you just finished off setting up a Windows Server 2008R2? And you do not know about Server Core? I sense much deceit here. (IOW: I don't believe you).
However, if you did have X running, it's only going to accept X client connections from the local machine (unless you've opened it up further). This means that any attack vector though X will have to be launched from the local box. Which means that the attacker will have to compromise the local box in some other way.
Goes to show your grasp of this security thingy. There's this security principle called isolation:
Windows has been dealing with so-called shatter attacks where rogue processes sent messages remotely controlling windows belonging to other processes. Up until Windows Vista, Windows only isolated processes belonging to different users. With Vista and MIC (Mandatory Integrity Control), processes were prohibited from sending such messages to windows of higher-integrity processes.
X based Linux distros have absolutely zero isolation. Do you have any idea how serious this is? If there is a memory corruption bug in Firefox and the process is taken over (FF does not have sandboxing), it can install a keyboard hook in X and read every single keystroke entered into any windows. That includes a terminal windows, and worse, even if you sudo to root user, the keyboard hook read every single keystroke including the sudo password.
If that's a superior security model than I have a tower in Paris you may want to invest in.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
But we are talking ONE issue now which has long been known and easily avoided.
No, we are talking an issue that is the result of an inadequate security model that is incapable of securing anything but files.
Windows NT was designed with access control in place for files, devices, mailslots, pipes (named and anonymous), jobs, processes, threads, events, keyed events, event pairs, mutexes, semaphores, shared memory sections, I/O completion ports, LPC ports, waitable timers, access tokens, volumes, window stations, desktops, network shares, services, registry keys, printers, Active Directory objects, and so on. Yes Active Directory objects are in that list, because the model was designed to be extensible
We are talking you claiming that an operating system which cannot even pass the Orange Book requirements without severe redesign by NSA is more secure out of the box than an operating system which has met those requirements from day 1.
Ever wonder why they picked the [CTL][ALT][DEL] key sequence in Windows NT? Think about it... Windows has the same kinds of issues, you just don't want to think about it
The secure attention sequence is guaranteed to be non-hookable by software on the box. The reason for that is added security (that Linux lacks), not a remediation of lacking isolation. Yes, Windows has had similar (but far from as severe) problems with shatter attacks. And there's learning for you in how it was handled:
After UAC was introduced with Windows Vista it was made illegal for lower-integrity processes to send messages (or hook keyboard etc) of higher-integrity processes - even if they were running as the same user. Combined with the fact that IE ran as low-integrity it was made exceedingly difficult for an attacker to hook the kayboard or remote control other windows, even if he compromised the IE process.
However, trojan malware that users were tricked into installing as normal-integrity processes could still hook the keyboard. With Windows 7 Microsoft added to the protection: No longer can an equal-level (integrity level) process hook another process' window or keyboard. To accomodate accessibility tools which frequently need to do that, Microsoft allowed a slightly *higher* integrity level *if* and only if a certain manifest requires it and the files has been digitally signed.
The point of this is that both enhancements were achieved through the already extensible security model. Integrity levels were simply assigned SIDs. If the low-integrity SID is in your process token you are a low-integrity process.
You can *never* extend the simplistic Linux security model like this. It is forever limited to user identities. A process under Linux does not have a token - it has an effective user. It was designed with the faulty assumption that a process in all aspects could represent the user who started it. Proper tokens recognize that processes may have fewer rights, or even more rights than the user who launched it.
You have uttered unbased claims through this entire thread. Now it's time to tell the world how - specifically - the Linux mode is inherently more secure than the Windows model.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*