Linux Most Attacked Server?

Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
  • by Anonymous Coward on Thursday September 11, 2003 @04:08PM (#6935490)
    Linux is favourite hacker target: Study

    By JACK KAPICA
    Globe and Mail Update

    Linux, not Microsoft Windows, remains the most-attacked operating system, a British security company reports.

    During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers, according to the report.

    Just 360 -- less than 2 per cent -- of BSD Unix servers were successfully breached in August.

    The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups.

    Linux remained the most attacked operating system on-line during the past year, with 51 per cent of all successful overt digital attacks.

    Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.

    The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.).

    The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion, about as much as Cmdr Taco makes per year as a male prostitute.

    The Sobig and MSBlast malware that afflict Microsoft platforms contributed significantly to the record estimate.

    "The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi2g chairman D.K. Matai said.

    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

  • by LostCluster ( 625375 ) on Thursday September 11, 2003 @04:10PM (#6935527)
    Okay... do the editors read the links anymore?

    This clearly came from Canada's Globe and Mail newspaper, which clearly has nothing in common with the British Broadcasting Company
  • by clustersnarf ( 236 ) on Thursday September 11, 2003 @04:11PM (#6935553) Homepage
    These figures correspond almost directly to netcraft. Seems to me, more linux/apache boxes out on the net means more targets. IIS holds about 24% and apache is about 64%. DUH. It's not hard to see that there will be more attacks if there are more machines. I bet they didn't factor how many OS/2 boxes got attacked.

    Statistics are dumb.
  • by LostCluster ( 625375 ) on Thursday September 11, 2003 @04:13PM (#6935593)
    Numbers without a counting methodology are usually worthless. We've got a small article that doesn't even name what "british security company" released the data, and a summary that somehow gets the BBC involved even though they're nowhere to be found in the story.

    Uhm... slow /. day?
  • Re:Yeah... (Score:5, Informative)

    by notsewmit ( 655779 ) * <tim AT tim-weston DOT com> on Thursday September 11, 2003 @04:14PM (#6935600)
    Exactly.... the report would have been better if they had broken it down like this:

    OS
    % of Total Hacks
    % of Servers running OS Hacked
  • by Kevinv ( 21462 ) <kevin@[ ]haaren.net ['van' in gap]> on Thursday September 11, 2003 @04:18PM (#6935667) Homepage
    Both debian and gentoo (and Red Hat) have security mailing lists that list packages/ebuilds that have been updated for security reasons. I know Debian & Red Hat's are cross-posted with Bugtraq, not sure about Gentoo's.

    Finding updated packages isn't a big deal. Harder is finding what software has an announced vulnerability that hasn't been patched by its respective distribution yet. Red Hat uptodate has the same problem, if Red Hat hasn't patched the vulnerability yet you won't know about it.

    Of course in the Open Source world the updates come pretty quick after the announcement anyway, but if there were some software app that had a real old version with no maintainer as the default it could present a problem.
  • by Anonymous Coward on Thursday September 11, 2003 @04:19PM (#6935676)
    You could subscribe to Secunia's free mailing list, which mails out exploit information frequently...
  • by dark-br ( 473115 ) on Thursday September 11, 2003 @04:19PM (#6935682) Homepage
    Payload (Hex):
    4745 5420 2F73 6372 6970 7473 2F6E 7369 6973 6C6F
    672E 646C 6C0D 0A0D 0A

    Payload (ASCII):
    GET /scripts/nsiislog.dll....

  • Re:Article Text (Score:3, Informative)

    by advocate_one ( 662832 ) on Thursday September 11, 2003 @04:19PM (#6935686)
    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

    ha ha.... making good of their rapidly shrinking server market share... oh this is classic. Those figures almost exactly match the market shares for Apache and Microsoft

    news.netcraft.com [netcraft.com]

    Apache 64.52% ... Microsoft 23.54%...

    so just who is trying to kid who with the figures???

  • by Anonymous Coward on Thursday September 11, 2003 @04:20PM (#6935696)
    If you use Debian or Conectiva you can just use apt-get. Debian has used apt-get for years and you don't have to pay a cent!
  • mi2g (Score:5, Informative)

    by FrostedWheat ( 172733 ) on Thursday September 11, 2003 @04:20PM (#6935712)
    Brought to us by our friends at mi2g [theregister.co.uk]. I'd take this with a grain of salt.
  • by jimfrost ( 58153 ) * <jimf@frostbytes.com> on Thursday September 11, 2003 @04:23PM (#6935771) Homepage
    Although I don't like Microsoft's software and it's a real pain having to get all the latest patches, they do at least tell us when they've got a patch.

    I don't know about Linux vendors in general, but Red Hat has offered such a notification service for years. You don't even have to pay them for it, just sign up for their security mailing list. I've been getting such notifications for a long time; I probably get a dozen a week.

  • Re:Yeah... (Score:3, Informative)

    by Foofoobar ( 318279 ) on Thursday September 11, 2003 @04:24PM (#6935784)
    Well according to Netcraft's statistics, nearly 70% of all websites run Apache in comparison to around 23% running IIS. Now keep in mind that Apache CAN run on Windows (as I have an installation with PHP and MYSQL running on our company's servers as they won't let me use Linux) but this is rare and seldom the case.

    All in all the stats are fairly accurate. Microsoft is not very loved as a server.
  • by shibashaba ( 683026 ) <<gro.abahsabihs> <ta> <erehtih>> on Thursday September 11, 2003 @04:24PM (#6935787)
    All the security updates are free with Mandrake. Just about any general linux site like linux today will tell you about all the vulns and where to get patches if you would like to do it on your own.

    You don't hack into operating systems, you hack into the servers running on it. The article is dead right putting most of the blame on the sysadmins. Only two percent of bsd servers were breached but both linux and bsd run the same servers and software.

    I do think the distributors like Red Hat need to come up with a very comprehensive security program. Basically, sys admins should be able to go to their web site and not just find out what patches are available, but have all the info they need and tools to maintain and keep their systems secure without having a lot of experience with unix in general since so many are coming from windows.
  • by loftwyr ( 36717 ) on Thursday September 11, 2003 @04:25PM (#6935802)
    Read the article!

    The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups.
  • by thebatlab ( 468898 ) on Thursday September 11, 2003 @04:26PM (#6935804)
    Maybe you didn't see this part:

    "A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
  • by lordcorusa ( 591938 ) on Thursday September 11, 2003 @04:26PM (#6935808)
    If the only reason you pay for Red Hat Network is to get automatic updates, I strongly suggest you look at apt-get for rpm [freshrpms.net]. It provides the exact same updates as up2date, only they are free. If you don't trust them you can check the digital sigs on the packages; they come unaltered from Red Hat. Optionally, it can also provide additional packages not found on the Red Hat distribution.

    Apt-get doesn't explicitly notify you when updates come in, however it is trivial to write a script to automate the process of checking for updates. For the super-lazy, you can even continue to use the free version of Red Hat's up2date notification icon to alert you when updates come in, and then use apt-get to actually fetch them.

    Of course, there are probably other reasons you pay for RHN, such as technical support, a desire to give back to Red Hat, etc...

    Just thought I'd make sure you know about an excellent free alternative.
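
One way to script the update check mentioned in the comment above, as an added example that is not part of the original post. It assumes Debian-style `apt-get -s upgrade` output and that the security archive's origin label contains "security"; the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list pending package updates from a simulated apt-get upgrade.
# Assumes Debian-style "Inst pkg [old] (new origin)" lines from `apt-get -s`.

# Constructed sample output (package versions invented for illustration).
SAMPLE_OUTPUT='Reading package lists...
The following packages will be upgraded:
  openssh-server openssl wget
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst openssl [0.9.6c-2.woody.3] (0.9.6c-2.woody.4 Debian-Security:3.0/stable)
Inst openssh-server [3.4p1-1.woody.2] (3.4p1-1.woody.3 Debian-Security:3.0/stable)
Inst wget [1.8.1-6] (1.8.1-6.1 Debian:3.0r1/stable)
Conf openssl (0.9.6c-2.woody.4 Debian-Security:3.0/stable)'

# stdin: apt-get -s output; stdout: "package old new origin", one per line.
pending_updates() {
    awk '$1 == "Inst" {
        i = 3; old = "-"                      # "-" when nothing is installed yet
        if ($i ~ /^\[/) { old = $i; sub(/^\[/, "", old); sub(/\]$/, "", old); i++ }
        new = $i; sub(/^\(/, "", new)
        origin = $(i + 1); sub(/\)$/, "", origin)
        print $2, old, new, origin
    }'
}

# Names of pending packages whose origin label mentions "security".
# Assumption: the distribution labels its security archive that way.
security_updates() {
    pending_updates | awk 'tolower($4) ~ /security/ { print $1 }'
}

# Exit 0 if up to date, 1 if updates are pending (and print them), 2 on error.
check_host() {
    out=$(LC_ALL=C apt-get -s upgrade 2>/dev/null) || return 2
    list=$(printf '%s\n' "$out" | pending_updates)
    [ -z "$list" ] && return 0
    printf 'Pending updates on %s:\n%s\n' "$(hostname)" "$list"
    return 1
}

# Only touch the real package database when asked to.
if [ "${1:-}" = "--check" ]; then
    check_host
    exit $?
fi
```

Run from cron with `--check`, the script prints nothing when the host is current, so cron only sends mail when something is pending. Run `apt-get update` beforehand so the simulation sees current package lists.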
  • by trickycamel ( 696375 ) on Thursday September 11, 2003 @04:29PM (#6935869)

    It's ironic that Microsoft provides that service for free, whereas Linux requires paying money.
    No it doesn't. Tried Debian security advisories [debian.org]?
  • by whoever57 ( 658626 ) on Thursday September 11, 2003 @04:31PM (#6935881) Journal
    It's ironic that Microsoft provides that service for free, whereas Linux requires paying money.

    1. You are confusing "free as in beer" with "free as in speech".
    2. It's pretty easy to set up a cron job to automatically download the patches from a mirror ("wget -m ...."). As you see a new patch is downloaded, install your already downloaded update(s).
    3. Mailing lists, mailing lists. Gentoo has a mailing list for announcements that is very quiet and seems to have only security announcements. I'm sure there are others for other distros.
  • by Mikey-San ( 582838 ) on Thursday September 11, 2003 @04:31PM (#6935897) Homepage Journal
    Actually, MS doesn't want people talking about security holes they find in MS software:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/noarch.asp

    http://www.pcworld.com/news/article/0,aid,63784,00.asp

    As Steve Jobs once said, "Every security scheme that is based on secrets eventually fails."
  • by taybin ( 622573 ) <taybin@taybi n . c om> on Thursday September 11, 2003 @04:32PM (#6935916) Homepage
    Any information that comes out of mi2g is suspect. They have been heavily [vmyths.com] criticized [vmyths.com] by Rob Rosenberger of Vmyths [vmyths.com], a computer security hysteria site.
  • by Anonymous Coward on Thursday September 11, 2003 @04:40PM (#6936018)
    Which servers were in the missing 10%.

    Most likely Solaris (or a combination of multiple proprietary unices). But that is just a guess.
  • by tagishsimon ( 175038 ) on Thursday September 11, 2003 @04:45PM (#6936093) Homepage
    mi2g - authors of the report being discussed, are the single most dissed security company I know of. They're derided by such a long list of organisations, that one might wonder if there's any point giving their work houseroom. They certainly appear to be PR whores, and, bless 'em, good at this part of their job.

    Vmyths [vmyths.com] appears to summarise the anti-mi2g camp's position. Searches for mi2g on NTK [ntk.net] and The Register [theregister.co.uk] (when its search engine is working) are as enlightening as they are amusing.

  • This is from mi2g (Score:3, Informative)

    by Population ( 687281 ) on Thursday September 11, 2003 @04:47PM (#6936116)
    http://www.theregister.co.uk/content/55/28233.html

    They suck.
  • by gmhowell ( 26755 ) <gmhowell@gmail.com> on Thursday September 11, 2003 @04:48PM (#6936130) Homepage Journal
    You're wrong. For a single user for a single computer, you can get updates for free from RH.
  • by jonfromspace ( 179394 ) <jonwilkins&gmail,com> on Thursday September 11, 2003 @05:00PM (#6936248)
    Netcraft September 2003 survey [netcraft.com] says otherwise...
  • Re:Yeah... (Score:3, Informative)

    by B3ryllium ( 571199 ) on Thursday September 11, 2003 @05:04PM (#6936302) Homepage
    I believe that NT variants of Windows have full event logging and such (for instance, I think there's a GUI tool similar to last, but harder to find). The hacked windows machines that send out viruses, however, are typically desktop machines and wouldn't be counted in this 'study'.

    Never trust statistics that don't show a margin of error, and never trust possibly skewed sampling.
  • Re:Hmm... (Score:5, Informative)

    by SillySlashdotName ( 466702 ) on Thursday September 11, 2003 @05:06PM (#6936326)
    Not the BBC, from Globe News - No I hadn't ever heard of them either.

    From a press release from the people at mi2g - google for it, interesting information in the SECOND entry...

    Not funded by MS, this is a security consulting group of dubious integrity.

    Some of my favorite quotes in reference to their press releases -

    "Mathematical Masturbation" Richard Forno (InfoWarrior.org).

    "Winn Schwartau, author of Pearl Harbor Dot Com, noted that mi2g seems to be relying solely on hacks that have been publicly documented".

    "Their statistics are basically worthless." Marquis Grove, editor of the Security News Portal.

    "mi2g continue to drum up PR about an "Inter-fada," or holy cyber-war, that rages between Palestine & Israel."

    and

    "Fearmongers" Rob Rosenberger, Vmyths editor.

    Read more at Vmyths.com [vmyths.com]
  • Globe and Mail (Score:5, Informative)

    by Stephen Samuel ( 106962 ) <samuel@bcgre e n . com> on Thursday September 11, 2003 @05:32PM (#6936609) Homepage Journal
    The Globe and Mail [globeandmail.com] is one of Canada's two national newspapers. Its national competition is The National Post [nationalpost.com].

    The Globe and Mail is the older and generally more respected newspaper. The National Post is a recent upstart. It is generally considered much more right-wing and a bit downscale.

  • by C10H14N2 ( 640033 ) on Thursday September 11, 2003 @05:33PM (#6936626)
    "One wonders how much mathematical masturbation takes place when analysing and generating these numbers," -- John Leyden in an article from The Register on "Why mi2g is so unpopular."

    http://www.theregister.co.uk/content/55/28233.html
  • by Anonymous Coward on Thursday September 11, 2003 @05:38PM (#6936674)
    These results btw really are not statistically significant. The percentage of servers to proportions of attacks are essentially equal. Nothing but FUD for non stochastic minded people.
  • by Homology ( 639438 ) on Thursday September 11, 2003 @05:54PM (#6936796)
    Anybody can into Windows, but it takes a real hacker to get into Linux.

    In the book Repelling the Wily Hacker there is an amusing story about a Unix box getting rooted, and the script kiddie starts typing DOS commands.

    Just to give an example that it does not take a real hacker to get into a Linux box as such. Other factors are also quite important.

  • Re:Yeah... (Score:3, Informative)

    by tiny69 ( 34486 ) on Thursday September 11, 2003 @06:15PM (#6936994) Homepage Journal
    I believe that NT variants of Windows have full event logging and such (for instance, I think there's a GUI tool similar to last, but harder to find).
    Are you referring to Event Viewer? The logging you see isn't as verbose as what you can get through syslog. And the entries in Event Viewer will sometimes let you know when something is wrong, but trying to figure out what the exact problem is and how to fix it is not always easy. About the most useful entry is the Event ID, but doing a search for that on TechNet will 9 times out of 10 give you the same worthless description of the problem that the entry in the Event Viewer gives you. And don't get me started on the lack of logging with Active Directory. I've seen it lock up several times and the only error you get is DNS complaining about not being able to contact Active Directory. I still have no idea what went wrong since there were no errors logged anywhere.
  • Re:Yeah... (Score:2, Informative)

    by Osty ( 16825 ) on Thursday September 11, 2003 @06:40PM (#6937272)

    Here [microsoft.com] you [microsoft.com] go [microsoft.com]. (and I apologize for the poorly-worded sentence in my previous post -- I just noticed that it really sucked, though it got the point across)

  • by wasabii ( 693236 ) on Thursday September 11, 2003 @06:51PM (#6937383)
    Incorrect. This is on Professional editions of Windows, 2k included. You can have 10 simultaneous connections from external hosts at one time. This includes IIS and Windows shares and Apache. The license for Server edition does not have this clause. There is no IIS restriction.
  • by LittleDan ( 669174 ) on Thursday September 11, 2003 @06:52PM (#6937394)
    Actually, 18,000 is 6.4% of 280,000. This is probably what he was getting at, but I'm not sure what he meant by 1%. You divided 280,000 by 18,000, and found that 280,000 is 15.6 of 18,000. But you should have divided 18,000 by 280,000. If you want to question the 1%, fine. But don't forget arithmetic.
  • This is nonsense (Score:3, Informative)

    by crmartin ( 98227 ) on Thursday September 11, 2003 @09:01PM (#6938346)
    ... he said gently.

    I don't know what their methodology was, but from looking at the results from ethereal, it's clear that there were more than 20 Windows boxes that were successfully attacked on my broadband provider's local NAT domain alone. I doubt the proportion of clueless Windows users in this subnet is unusually high (if anything, it's likely low) so it seems very probable that many tens of thousands of Windows boxes were attacked by SoBig alone.

    It seems therefore extremely unlikely that only 4000-odd Windows boxes were hacked total in their study. This makes me suspect that they are playing fast and loose with their counting methods.
  • Re:Globe and Mail (Score:3, Informative)

    by Tony-A ( 29931 ) on Friday September 12, 2003 @01:17AM (#6939948)
    One of the problems with a lot of these metrics is the lack of a fair, formal and neutral third party methodology for analysis ...
    That is a big problem under the best of circumstances. With any marketing games going on, the numbers can be expected to be, if not wrong, highly misleading. The statistics tend to be like "A bank was robbed. 1300 pieces of paper were taken." The unanswered key question is what was attacked. Why would also be worthwhile knowing. Actually, this one seems more informative than most.

    Speaking of damage, from the article:

    "The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.).

    The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion."


    What I find interesting is that Linux attacks are up and damage due to Linux attacks are down.


    "Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August."


    Preferably before the bad guys mix something like Sobig or slammer with something that does actual damage, potentially hardware damage.
    Yep, although I would expect any such to not really live up to expectations. Linux (and moreso the BSDs) in many subtle ways encourage people to be aware of what is going on. What is required for containment is rapid response, not by the best and brightest, but by the poor saps who happen to be on the firing line at the time. Prediction: (he who lives by the crystal ball shall learn to enjoy ground glass) The reaction will resemble the Keystone Kops, but the damage will be less than one should expect.

  • by Gleef ( 86 ) * on Friday September 12, 2003 @07:51AM (#6941109) Homepage
    golgotha007 wrote:
    if you have physical access to a system, the game is freaken over.

    you could just take the drives out and mount them on a diff system...


    Yes.

    The one exception to that is if you have encrypted filesystems that require a security token (password, smart card, whatever) be supplied at mount time. You also must make sure there is insufficient information without that token to decrypt the data.

    The downside of this setup is that this feature means that the machine (or the process with secured data) would never be able to boot unattended, so most system administrators refuse to have them in their environment.
