Slashdot Mirror


Linux Is Not As Safe As You Think (betanews.com)

BrianFagioli writes via BetaNews: Would you be surprised if I told you that threat methods for Linux increased an astonishing 300 percent in 2016, while Microsoft's operating systems saw a decrease? Well, according to a new report, that is true. Does this mean Linux is unsafe? No way, Jose! There are some important takeaways here. Microsoft's Windows operating systems are still the most targeted platforms despite the year over year decline -- far beyond Linux. Also, just because there is an increase in malware attack methods doesn't necessarily mean that more systems will be infected. Let us not forget that it is easier to find a vulnerability with open source too; Microsoft largely uses closed source code. "At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down. In October, the Mirai code appeared freely available on the Internet. Since then, the AV-TEST systems have been investigating an increasing number of samples with spikes at the end of October, November and beginning of December," says AV Test of the Mirai malware. "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices. The detection systems of AV-TEST first detected the Tsunami malicious code in the year 2003. Although, at that time, practically no IoT devices existed, the Linux backdoor already offered attack functions which even today would be suitable for virtually unprotected attacks on routers: In this manner, Tsunami can download additional malicious code onto infected devices and thus make devices remote controllable for criminals. But the old malware can also be used for DDoS attacks. The Darlloz worm, known since 2013, as well as many other Linux and Unix malware programs, have similar attack patterns which AV-TEST has been detecting and analyzing for years."

34 of 237 comments

  1. Ponderosa Puff by Spy Handler · · Score: 5, Funny

    didn't take no guff
    water ought to be clean and free
    so he fought the fight and he set things right
    with his openBSD

    1. Re:Ponderosa Puff by Negatif · · Score: 2
    2. Re: Ponderosa Puff by dougdonovan · · Score: 3, Informative

      linux is only as safe as you make it. besides, it beats the hell out of windows.

  2. Percentage change by DavidJSimpson · · Score: 5, Insightful

    Baby Timmy grew 300% but Uncle Bob shrunk 5%. Who is bigger?

    1. Re:Percentage change by hagnat · · Score: 2

      This is why I hate statistics comparisons. When you say "this country grew 50% while this other only grew 1%", it can mean a lot of difference. If the first country is Sealand, that means a baby was born, while if it was China, that would mean 14 million.

      --
      "life is a joke, and someone is laughing at me"
  3. Fuchs ache! by Epsillon · · Score: 5, Insightful

    This isn't a "Linux problem," it's a "proprietary vendors using Linux and not passing on patches in a timely manner because money problem."
    Linux is exactly as safe as I think it is, though. That's why I'm careful to lock it down just as I would any other system.

    --
    Resistance is futile. Reactance buggers it up.
    1. Re:Fuchs ache! by MightyMartian · · Score: 4, Informative

      It's why I roll my own routers with a long term support version of the distro I'm using, and why I run updates on a strict schedule. If you're buying some low-end shitty D-Link router, well, you got what you paid for: a Linux box that's virtually never updated, that probably is running old versions of the kernel and other userland tools right out of the box. It's literally like booting a three year old version of unupdated Ubuntu and decrying the vulnerabilities of Linux.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  4. Re:Tsunami backdoor by Anonymous Coward · · Score: 2, Funny

    Well yeah, of course it's that open sores stolen software's fault. If you bought it on a CD like any God-fearing capitalist, you'd have been safe, but no, you went and downloaded it without paying for it like some sort of Satan-loving communist.

  5. Not a level comparison by Anonymous Coward · · Score: 5, Insightful

    The DSL router issue was /that/ distro, not linux as a whole. That's like lumping Adobe Flash issues in with WinXP issues.

    1. Re:Not a level comparison by MightyMartian · · Score: 3, Insightful

      How are a distro's update problems Linux's problem? Linux is an operating system. If you bought a router or downloaded a router distro that can't do updates, well, that's your fault. I learned my lesson a long time ago. I spend a few extra bucks, buy a small-form box with a cheap 32 bit or 64 bit CPU, a relatively small drive, usually an SSD, throw a mainline distro like Debian on it, and not only do I have a router, but I have a router that can do some pretty complex things since I have full control of iptables, not to mention being able to run anything else on it I please. I've got it to the point that I can get a router on a box in about an hour or so, from the point that I run the netinstall version of Debian.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  6. Re:FINALLY!! by Anonymous Coward · · Score: 4, Insightful

    At least I can see the holes in swiss cheese. Unlike the MSFT "processed" cheese-like product.

  7. Thank you IoT by grilled-cheese · · Score: 4, Insightful

    Thank you IoT vendors who don't maintain their devices for creating a breeding ground of consumer-grade security holes. Let us all pray that these widgets aren't internet facing in some way and that the consumer grade routers are sufficient at keeping external attack vectors to a minimum. There isn't much we can do for consumers who like to click on internet candy to infect themselves.

  8. this is like saying by cas2000 · · Score: 5, Insightful

    that a particular brand of car can be stolen easily if you leave them parked on the street with the door open and the keys in the ignition.

    because that's what router and IoT etc. manufacturers did with default passwords and backdoors and generally undermining security for the sake of convenience (mostly their own convenience, not their customers').

  9. (insert OS) is not as safe as you think by WillAffleckUW · · Score: 2

    Nobody will ever hack CP/M
    Nobody will ever hack MS-DOS
    Nobody will ever hack Windows
    Nobody will ever hack Macintosh OS (iOS)
    Nobody will ever hack.

    Security is not the same as obscurity.

    --
    -- Tigger warning: This post may contain tiggers! --
  10. Potential by chill · · Score: 4, Interesting

    Linux, unlike Windows and Apple's iOS, *can* be made much more secure with a little bit of effort.

    How? By not using monolithic kernels that support every device in creation, and stripping the kernel down to what is installed on the system -- especially with things like IOT devices. If it isn't installed, it doesn't need patching, it can't break, and it can't be exploited.

    Ditto for added software and apps. Take a look at many of the Linux-based router firmwares out there, both sold by commercial vendors and FOSS projects, and you'll see attempts to compete with high-end Cisco feature sets for home or small business use.

    Having that available is great! However, turning all of that on by default, and users thinking they should get something not because it suits their needs but because it supports 10,000 features, gets you a complex, insecure mess.

    With Microsoft and Apple you can't remove many of those features. The company controls it and, Enterprise customer with a decade experience or not, you will damn well have Telemetry and like it! And dozens of other "features" that you'll never use, don't want, and just are waiting to get exploited.

    Linux gives you the ability to shape much of your own system, including making it much more secure than a run-of-the-mill device. Whether or not you take the time and effort to do that is up to you.

    I've seen way too many Linux-based routers and gadgets that are exposed to a network and still have default admin passwords to blame "Linux" for security headaches.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Potential by unixisc · · Score: 4, Insightful

      > How? By not using monolithic kernels that support every device in creation, and stripping the kernel down to what is installed on the system -- especially with things like IOT devices. If it isn't installed, it doesn't need patched, it can't break, and it can't be exploited.

      Huh? Linux is a monolithic kernel, and Linus is emphatically opposed to it being anything else. If any IoT vendor wants to use a microkernel based OS, they should look at Minix instead.

      Router makers should use well known router distros of Linux or BSD, such as DD-WRT, OpenWRT or pfSense, instead of spinning their own. And let those organizations remote-manage them in exchange for a deal.

  11. Linux is a kernel ... by Murdoch5 · · Score: 4, Interesting

    Almost all the major infections, back-doors and security problems are the result of the userland, improper implementation of the kernel, bad firmwares, lack of security knowledge, improper development, sloppy implementation and etc... etc... etc..

    To say Linux is more insecure than Windows means that the kernel, as released by Linus, and nothing else, is insecure. While some security issues are discovered residing in the kernel, almost all other attacks and vectors have nothing to do with the base release kernel.

    1. Re:Linux is a kernel ... by cowwoc2001 · · Score: 2

      That is nonsense.

      No user runs a kernel on its own. This sounds like a double-standard. Linux should be held up to the same standards as all other operating systems.

  12. Routers and IOT? by markdavis · · Score: 5, Insightful

    Please compare apples to apples...

    >"At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were "

    How many routers run MS-Windows?

    > "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices."

    How many IOT devices run MS-Windows?

    Routers and IOT devices are notorious for having crappy firmware with Linuxes that are hacked up and rarely (or sometimes never) updated. Comparing those to desktops and servers is much less a function of the security of Linux and more about the lack of maintenance and updates with the unusual role of the devices.

    Sure, *ALL* operating systems have security risks and vulnerabilities. Anyone that thinks Linux (or any OS) is impervious to malware and safe needs to have their head examined. But the sensationalistic article title isn't really comparing machines of the same class, so it doesn't do the topic much justice.

  13. Flawed study, is flawed. by geekmux · · Score: 4, Insightful

    "...unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down."

    Linux. You keep using that word. I do not think it means what you think it means.

    It's an absolute joke to lump in devices that most people who actually use Linux would define as one fucking step above the Internet of Shitty Things from a security perspective.

  14. And how much of that is due to... by IWantMoreSpamPlease · · Score: 4, Funny

    SystemD?

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
    1. Re:And how much of that is due to... by Anonymous Coward · · Score: 5, Funny

      0.0%, notabug, wontfix.

  15. three times by MSG · · Score: 4, Informative

    This is a silly write up. There are three times more malware programs targeting Linux systems. That tells us nothing about the number of Linux vulnerabilities, or the number of vulnerable systems, or the general security of the system.

  16. Re:Why Not Look at the Data? by arth1 · · Score: 2

    > Linux[Redhat[1,537]/Debian[1,120]...2,657 total]

    You can't just add them up. Many, if not most, will be the same vulnerabilities.

    Red Hat gets a few more because of their long life cycles: 10 years, plus a few years more if paying for extended life cycle support, compared to Debian LTS being five years plus however many months to match the next LTS release.
    That means more risk of old software bugs being discovered and patched in Red Hat. Which is not a bad thing.

  17. The term is "secure", not "safe" by gweihir · · Score: 2

    So, first indicator for incompetence already present: Author does not even know basic terminology. Second thing is that Linux is not inherently more secure than, say, Windows, but the mind-set of application developers is better and it is far easier to secure. It is also easy to make completely insecure, but a competent person will find it far easier to have a secure Linux installation than with the competition, because Linux gives you access and allows you to do things, while with, say Windows or OSX you are pretty much at the mercy of the OS vendor.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Re:FINALLY!! by MightyMartian · · Score: 5, Insightful

    A router running an OS that probably hasn't been patched in years, thus containing multiple vulnerabilities long ago patched, is hardly the same thing as an OS full of holes. That's like condemning Windows because of unpatched vulnerabilities in Windows XP and Vista.

    Here's a tip. Don't buy shitty routers running years-old firmware, and expect that somehow the magic update faerie is going to make the vulnerabilities go away.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  19. Re:FINALLY!! by skids · · Score: 2

    Not to mention many of the holes are in vendor add-on software, not in Linux itself.

    There's something to be said about years-old firmware, however. For a device like a router, turning off all unnecessary services, closing everything off and then opening things as needed, and only patching security vulnerabilities... never upgrading anything unless you have to, to get the security fix... is actually a good strategy. On commercial routers what you do is stay current on an old release chain.

    This is because a very large proportion of bugs are introduced with new features, and you'll never be exposed to them if you never install that feature... meanwhile security updates on average do increase your security, believe it or not. So the most secure systems end up being the older codebases with up to date security backport patches.

    Lately Linux has been dinged a lot for privilege escalation bugs. These are mostly secondary vectors that rely on another vulnerability in a service or client to get on the system in the first place. As transit devices, routers have very low surface area in these categories, if you take care to turn off the crap.

  20. You mean modular by Anonymous Coward · · Score: 2, Informative

    The term "monolithic kernel" doesn't mean modules are statically linked. It means that the kernel contains the full interface to hardware in kernel space. In a microkernel architecture, kernel space is used for less; device drivers, file systems, etc. operate in user space.

    The Linux kernel is modular and monolithic. The modular nature makes it possible to remove parts that aren't needed, but those parts still run in kernel space.

  21. Re:FINALLY!! by MrLint · · Score: 2

    You mean like this?
    ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
    https://www.itwire.com/open-sa...

  22. Re:Ah, the PRICE of fame (always the same)... apk by Bert64 · · Score: 5, Interesting

    Linux has been attacked for years, there have been rootkits and exploits out there since the early days of slackware... Linux has had a significant presence on servers almost since its inception, and is now starting to make inroads in many other markets.

    On the other hand, what people think of as "linux" in this context is a multitude of different versions of the linux kernel with various modifications and all manner of different userlands running on top. Literally anyone can build a linux-based system and pile whatever garbage software they like on top of an ancient version of the kernel.
    Windows on the other hand comes from one place, in a small set of versions, and all of the vulnerabilities attributed to windows are present in this version and usually in a default configuration.

    Microsoft fully control the versions of windows being released, and if a third party produces a device that bundles a windows install but has some additional vulnerable software running on top of it or a stupid default configuration (eg default passwords) that vulnerability is blamed on the device vendor and not on windows.

    There are no shortage of such devices, and they routinely get compromised not only due to their own poor configuration but also because of vulnerabilities in windows itself (eg eternalblue).

    When it comes to embedded devices, Linux is massively more widespread than windows, most people are likely to have more linux devices than windows and usually don't even realise it, only a subset of these devices are getting compromised because the manufacturers of those devices make stupid mistakes when building them and then fail to either provide updates, or provide a user-friendly way to apply them.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  23. Re:FINALLY!! by The123king · · Score: 2

    So you'd like a potentially exploitable version of the router software burned into an unpatchable ROM.

    I'd agree with you if you wanted to go for user replaceable ROM. Still doesn't stop RAM resident malware. Sure, a restart would work, but that's usually only done when the wifi drops out.

    --
    If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
  24. two kinds of company by Reverend Green · · Score: 2

    There are two kinds of company: those who know their servers have been compromised, and those who don't know.

    (We used to say this in the security group at a big company in New York that almost certainly has better security than your company.)

  25. Re:FINALLY!! by Anonymous Coward · · Score: 2, Interesting

    It's not that XP is a good product, it's that it was followed by Vista, and having learned from that fiasco, people avoided Windows 7 until it was proven that it wasn't simply another Vista.

    Unfortunately, just as people were starting to plan the switch to Windows 7, Microsoft started promising that Windows 9 would be much better, and people decided to wait.

    Then when people saw that Windows 10 was another fiasco, and started considering Windows 7 once more, Microsoft started forcing Windows 10 upon Windows 7 users, and decided that XP was the safer choice.

    Is Windows XP really less secure than any of its successors, if you consider all the people who came home to find Windows 10 installed without their consent as malware attacks, along with all the spyware in Windows 10?

  26. Uh puhleeze by mdhoover · · Score: 2

    Anyone can easily reduce the attack surface of the linux instances you choose to deploy by simply
    a) only compiling in the drivers/kernel features required
    b) only installing just enough in userspace to do the job, and
    c) running shit with least privilege

    Not so easy with windows...

    The fact so much cheap crap out there was pushed out by manufacturers that give zero fucks towards basically securing their provided OS is not a reflection on the kernel/OS as a whole.
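
A concrete form of the "close everything off, then open things as needed" strategy from comment 19 and the attack-surface list in comment 26 (point b and c), as an added example written for this page rather than anything posted in the thread. It audits a router's listening sockets against an allowlist of the services it is meant to expose, and prints the default-deny iptables ruleset (in iptables-restore format, the kind of thing MightyMartian's Debian router would load) that enforces the same allowlist. The `ss` snapshot and the allowlist are constructed sample data; on a real box you would feed in `ss -Hlntu` output instead.

```shell
#!/bin/sh
# Added example: audit a Linux router's exposed services against an allowlist
# and emit a default-deny firewall policy for that allowlist.
# Assumptions: `ss -Hlntu` column layout (Netid State Recv-Q Send-Q Local:Port Peer:Port),
# and that the allowlist is the complete set of services the device should offer.

# Constructed snapshot of what `ss -Hlntu` might print on a typical consumer router:
# sshd and dnsmasq are wanted; the web UI, telnet and UPnP/SSDP are not.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1900      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*'

# Constructed allowlist: one "proto/port" per line, the only services this device should expose.
ALLOWED='tcp/22
udp/53'

# Normalise an ss snapshot (on stdin) to unique "proto/port" pairs.
# The port is the last ":"-separated field, so "[::]:22" and "0.0.0.0:22" both collapse to tcp/22.
listening_ports() {
    awk '{ n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u
}

# Print every listening proto/port that is not in the allowlist.
# Usage: unexpected_listeners "$snapshot" "$allowlist"
# The allowlist is streamed first, then a marker, then the snapshot, so plain POSIX awk
# can hold the allowlist in an array without a temp file or bash-only process substitution.
unexpected_listeners() {
    { printf '%s\n' "$2"; printf '%s\n' '---'; printf '%s\n' "$1" | listening_ports; } |
    awk '$0 == "---" { seen = 1; next }
         !seen       { ok[$0] = 1; next }
         !($0 in ok)'
}

# Exit 0 when the device exposes only allowlisted services, 1 otherwise (cron/monitoring friendly).
audit_listeners() {
    unexpected=$(unexpected_listeners "$1" "$2")
    [ -z "$unexpected" ] && return 0
    printf 'unexpected listening services:\n%s\n' "$unexpected" >&2
    return 1
}

# Print an iptables-restore ruleset: drop all inbound and forwarded traffic by default,
# allow loopback and replies to established connections, then open only the allowlisted ports.
# Usage: default_deny_rules "$allowlist" > /etc/iptables/rules.v4
default_deny_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$1" | awk -F/ 'NF == 2 { printf "-A INPUT -p %s --dport %s -j ACCEPT\n", $1, $2 }'
    printf 'COMMIT\n'
}

# Stand-alone run: report on the constructed snapshot, then show the policy that would enforce it.
audit_listeners "$SAMPLE_SS" "$ALLOWED" || printf 'audit failed; policy to apply:\n'
default_deny_rules "$ALLOWED"
```

The FORWARD chain is also set to DROP because on a router that chain is where LAN-to-WAN and WAN-to-LAN traffic is decided; a real deployment adds explicit FORWARD rules for the traffic it routes, exactly the "open things as needed" step. Turning the services off (removing the packages or disabling the units) is still the real fix; the firewall rule is the backstop for the ones you forgot.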