Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Linux Software

Linux Most Attacked Server? 815

Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
This discussion has been archived. No new comments can be posted.

Linux Most Attacked Server?

Comments Filter:
  • Hmm... (Score:4, Funny)

    by BeninOcala ( 664162 ) on Thursday September 11, 2003 @03:08PM (#6935491) Homepage
    Funding provided by Microsoft....
    • Re:Hmm... (Score:5, Funny)

      by Anonymous Coward on Thursday September 11, 2003 @03:18PM (#6935671)
      For the attacks or the study?
      • Article headline (Score:5, Insightful)

        by Overly Critical Guy ( 663429 ) on Thursday September 11, 2003 @06:07PM (#6937508)
        I'm curious, was Slashdot afraid to put "Linux Most Breached Server?" in the headline? The stats were about most breached. The point wasn't who was most attacked. I guess that one word needed to be changed to soften the blow...
    • It was SCO (Score:4, Funny)

      by Isochrome ( 16108 ) on Thursday September 11, 2003 @03:25PM (#6935798)
      65% of successful attacks came against SCO, which MUST be running Linux since they developed it.
    • Re:Hmm... (Score:5, Informative)

      by SillySlashdotName ( 466702 ) on Thursday September 11, 2003 @04:06PM (#6936326)
      Not the BBC, from Globe News - No I hadn't ever heard of them either.

      From a press release from the people at mi2g - google for it, interesting information in the SECOND entry...

      Not funded by MS, this is a security consulting group of dubious integrity.

      Some of my favorite quotes in reference to their press releases -

      "Mathmatical Masturbation" Richard Forno (InfoWarrior.org).

      "Winn Schwartau, author of Pearl Harbor Dot Com, noted that mi2g seems to be relying solely on hacks that have been publicly documented".

      "Their statistics are basically worthless." Marquis Grove, editor of the Security News Portal.

      "mi2g continue to drum up PR about an "Inter-fada," or holy cyber-war, that rages between Palestine & Israel."

      and

      "Fearmongers" Rob Rosenberger, Vmyths editor.

      Read more at Vmyths.com [vmyths.com]
      • Globe and Mail (Score:5, Informative)

        by Stephen Samuel ( 106962 ) <samuel AT bcgreen DOT com> on Thursday September 11, 2003 @04:32PM (#6936609) Homepage Journal
        The Globe and Mail [globeandmail.com] is one of Canada's two national newspapers. It's national competition is the The National Post [nationalpost.com].

        The Globe and Mail is the older and generally more respected newspaper. The National Post is a recent upstart. It is generally considered much more right-wing and a bit downscale.

        • Re:Globe and Mail (Score:5, Interesting)

          by Alan Cox ( 27532 ) on Thursday September 11, 2003 @07:19PM (#6938099) Homepage
          Then I guess they just went down in quality.

          A trivial demonstration of the problem is to take the number of reported virus infections with Sobig and friends. Compare with the mi2g figures about proven break ins. Note weird difference in size of windows numbers.

          As to web sites they *appear* to count each web site affected. So a single linux breakin on a big hosting site scores 10,000 while nobody hosts 10,000 sites on a windows box.

          One of the problems with a lot of these metrics is the lack of a fair, formal and neutral third party methodology for analysis of such data that can handle the way proprietary vendors forget to reveal most bugs but just roll them quietly into updates, the difference between vendors in quantity of material and remove overlaps.

          Unfortnately that isn't likely to change. There is a marketing game being played by many vendors and security is simply another buzzword and another set of statistics to "optimise". Customers are expendable.

          I guess the final thing we all should notice. The number isnt zero. That only emphasizes the need to get more stuff like SELinux out and equivalent other OS products. Preferably before the bad guys mix something like Sobig or slammer with something that does actual damage, potentially hardware damage.
  • Yeah... (Score:3, Insightful)

    by Viper168 ( 650370 ) on Thursday September 11, 2003 @03:08PM (#6935492)
    But think of how many more linux servers are out there than windows servers.......
    • Re:Yeah... (Score:3, Insightful)

      by Anonymous Coward
      Linux/UNIX does run on 70% of web servers out there. Therefore, these numbers might make some sense.
    • Re:Yeah... (Score:5, Informative)

      by notsewmit ( 655779 ) * <[tim] [at] [tim-weston.com]> on Thursday September 11, 2003 @03:14PM (#6935600)
      Exactly.... the report would have been better if they had broken it down like this:

      OS
      % of Total Hacks
      % of Servers running OS Hacked
      • Re:Yeah... (Score:4, Insightful)

        by dfung ( 68701 ) on Thursday September 11, 2003 @03:21PM (#6935723)
        I absolutely agree...

        OK, who's going to pay for the survey that shows the "most attacked" desktop OS? What? MS doesn't want to pay for that? :-)

      • Re:Yeah... (Score:5, Insightful)

        by Smallpond ( 221300 ) on Thursday September 11, 2003 @03:24PM (#6935786) Homepage Journal
        Also, what percentage of the boxes that were hacked did the admin even detect? There are a lot of hacked Windows machines out there sending out viruses that the owners don't even realize are hacked. Where are the admin tools like /var/log/secure, last, tripwire?

        ZoneAlarm? Please.

      • Re:Yeah... (Score:5, Insightful)

        by Foofoobar ( 318279 ) on Thursday September 11, 2003 @03:29PM (#6935868)
        I'd like to see them show exactly what the vast majority of these attacks consisted of. Because without that data, you can't derive whether it is the system or the person implementing it that is the cause of security failure.

        I know many admins who are not worth two cents and I know others who are so swamped with tasks that they don't have time to patch much less check logs on a regular basis.
      • Blatant innumeracy (Score:5, Insightful)

        by dsplat ( 73054 ) on Thursday September 11, 2003 @03:56PM (#6936213)
        Just 360 -- less than 2 per cent -- of BSD Unix servers were successfully breached in August.

        This statement clearly states that less than 2 percent of the BSD servers on the net were attacked. Yet that is not what the numbers show. The numbers state that less than 2 percent of the attacks were against BSD servers. That is a very different thing indeed.

        As such, there are a number of pieces of information that are needed to make this article useful:

        1. How many servers were there running each OS on the net?
        2. What consistutes a successful, verifiable attack? Does a DDoS that cuts you off from the net count? Then the OS of the compromised machines counts for more than the OS of the tarket.
        3. What percentage of attacks go unreported? If that is high enough, the stats are meaningless. Self-reporting will generally bias results.
        4. Is the count actually by the number of servers, or is it by domain?

    • Re:Yeah... (Score:5, Insightful)

      by Chester K ( 145560 ) on Thursday September 11, 2003 @03:14PM (#6935613) Homepage
      But think of how many more linux servers are out there than windows servers.......

      The ratio of Windows workstations to Linux workstations has never stopped us from divining that the reason there are more viruses for Windows because of its ubiquity, not necessarily its security record.

      Why should this be any different?
      • Re:Yeah... (Score:3, Funny)

        by Hayzeus ( 596826 )
        The ratio of Windows workstations to Linux workstations has never stopped us from divining

        This is /. Obviously you meant to write "denying" in place of "divining".

      • Re:Yeah... (Score:5, Interesting)

        by mindriot ( 96208 ) on Thursday September 11, 2003 @03:40PM (#6936021)
        Well, you could probably conclude that, because vulnerabilities in Linux and Linux software are usually detected and fixed sooner, and Windows vulnerabilities depend on Microsoft deploying the fix (which might take a while, as we know), we have different cases of who is to blame.

        First, In the Windows case, shit might happen because it takes longer for a proper fix to appear (though, on the last DCOM-related vulnerabilities, we should give credit to MS for the quick response to the problem). If a patch does not exist, the admin can not do as much (unless he has a proper firewall).

        In the Linux case, patches are generally avilable quicker, and upgrade functionality like Debian's apt-get makes it fairly easy to update the systems. I would guess that most holes that lead to the attacks mentioned in the article have long been patched, and it was merely the admin's fault for not watching his system.

        So, I would say (though it's a subjective opinion) that Linux systems can be much more secure, even if attack _attempts_ on Linux systems were to occur more often than on Windows systems. But it all depends on the administrators. Windows systems, on the other hand, might let you get in a situation where you depend solely on Microsoft to respond to the security problem -- not a very nice situation.

        Oh, and yes, there are more viruses for Windows, but that includes the 'dumb end-user' type such as SoBig, which are purely unrelated to server attacks. And those, I'm more than sure, will _not_ appear an Linux systems since I do not know of an email client that makes it so easy for a user to execute incoming garbage straight away.

        I really wonder whether there are more known attacks to Windows _server_ systems than to Linux systems if you exclude all those Desktop-user viruses. Anybody know?
        • Re:Yeah... (Score:5, Interesting)

          by Osty ( 16825 ) on Thursday September 11, 2003 @03:58PM (#6936230)

          First, In the Windows case, shit might happen because it takes longer for a proper fix to appear (though, on the last DCOM-related vulnerabilities, we should give credit to MS for the quick response to the problem). If a patch does not exist, the admin can not do as much (unless he has a proper firewall).

          I call bullshit. Most Windows problems are patched long before they're exploited. See Code Red, Nimda, Blaster, etc. All of these were fixed long before they were exploited, and yet long after the worms first appeared people were still being hit. While I will agree that there is a possibility of patches taking a while to appear from closed-source software (and that it has happened, usually regarding Internet Explorer), that has been the case only in a very minority of important patches. As well, though you call out Debian's apt-get for making it fairly easy to update systems, Microsoft has Windows Update (and they freely-available provide software to run your own Windows Update site, so that you can verify patches before pushing them out to your site). Therefore, your argument is a red herring.


          But it all depends on the administrators.

          Bingo! 99.999% of all of the problems with both Linux and Windows being insecure have stemmed not from late patches, but from administrators not keeping on top of security for their machines.


          Oh, and yes, there are more viruses for Windows, but that includes the 'dumb end-user' type such as SoBig, which are purely unrelated to server attacks. And those, I'm more than sure, will _not_ appear an Linux systems since I do not know of an email client that makes it so easy for a user to execute incoming garbage straight away.

          It's false to say that Linux will not ever be affected by such viruses, because it's quite possible. Even with proper separation of user rights and administrator rights, a user can still royally screw himself and his data. More, all it takes is one unpatched local root exploit ("I'm not too worried about local exploits, because they're local" is an attitude that will get you in trouble if you have users ...), a malicious binary that exploits it, and a dumb user. As well, with more users wanting to use Linux, the need will come for user-friendly desktop apps (what do users want to do? easily open e-mail attachments. Better code that properly, our you're going to be as bad as Outlook Express ...). Users will also want to be able to easily install software (see Lindows, and how at least initially it suggested you not only run as root, but without a password!). There's work to do on Linux before it will be acceptable to Joe Sixpack or Bettie Secretary, and unless developers keep their wits about them they can (and will!) fall into the same problems seen in Windows.


          • Re:Yeah... (Score:5, Insightful)

            by rutledjw ( 447990 ) on Thursday September 11, 2003 @04:58PM (#6936826) Homepage
            May I offer an opinion? First off, let's get one thing out of the way

            - Security is a relative measure, there is no absolute security.

            OK, fine, we're past that. Now, from an architectural point of view, MS has no hope of being as secure as a BSD, or even a Linux. The reason is the tight coupling between components within not only their OS architecture, but also the server-side software as well.

            The problem is that creates an environment where undue damage can occur due to the compromise of what should be an extraneous service. An example was a flaw in IE which allows a "root" type exploit. Another is Biztalk requires a number of software packages which should not be needed (i.e. Visual Studio) on the machine. This is both a security and stability issue.

            Linux and Tomcat or Apache require exactly that, the kernel, network libs, and Tomcat / Apache. The issue IMHO as to why so many Linux boxes are getting hammered is beacuse of vendors like Red Hat which include a number of unneeded services and have them active by default. They've gotten BETTER, but they still have garbage on there that is ABSOLUTELY not needed. Example, we've drunk the RH "kool-aid" at my company. Fine, I like Linux, but in hardening our servers we have to pull out TONS of sh!t from what was a CUSTOM install!!! (now using kickstart) I hate to admit, this is a sore spot with me

            In essence they're created a Windows-like system in that regard. The only difference is that you can remove it post-install. Regardless, my point stands.

            The de-coupled nature of Linux and BSD create an environment where one can create a "more" secure environment then what Windows can provide. Stupid vendors can undo this, but for the most part...

            The other point is that this "survey" did nothing to point out what kinds of attacks these were? Were these hitting the OS, or a service that ran on top of it (i.e. Apache or IIS)? This article seems like flamebait to me... I agree with your points on desktop users. I disagree on one minor point - Blaster. My Dad keeps his machines patched and has anti-virus (McAffee - I know, I know...) and he was still hit. My company pushes updates as well and so were we.

    • by Houn ( 590414 )
      Sure, we all know that Linux is on more Web Servers than MS.

      But consider this: Do people attack the server because it's running Linux, or because it's hosting the SCO website?

      I think the CONTENT drives far more hacks than the OS it's on...
    • Re:Yeah... (Score:5, Insightful)

      by retinaburn ( 218226 ) on Thursday September 11, 2003 @03:18PM (#6935668)
      So we can rail against MS for having an insecure operating system and flaunt Linux's proliferation in the market, and then dismiss that its because of Linux's dominance that more Linux systems are getting hacked. We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed. If there was a larger percentage of windows boxes out there would anyone say 'But think of how many more windows servers are out there than linux servers.......
      • Re:Yeah... (Score:5, Insightful)

        by NanoGator ( 522640 ) on Thursday September 11, 2003 @03:35PM (#6935945) Homepage Journal
        "We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed."

        You are right. I've read a lot of anti-MS babble here that has me a little spooked. Evidently, when Linux is more secure than Microsoft, the impression is generated that you can install a Linux based webserver and you're instantly secured. That's what I did. Being a Linux newb, I set up a Redhat/Apache server and within 2 weeks it was rooted. We had to have our sysadmin build us a new one. (It was a project for me to grow...)

        It only takes one exploit to destroy your server. Vigilance is absolutely necessary on either platform. Maybe it's time to end the anti-MS pissing contest and focus on good practices in general for whatever OS you're using.
      • Well, well, well (Score:4, Insightful)

        by Overly Critical Guy ( 663429 ) on Thursday September 11, 2003 @05:05PM (#6936880)
        I'll probably get modded down for this, but oh well.

        I post often about how Linux is no less insecure than Windows or any other OS. And constantly, I get bashed, downmodded, told that there are more Linux servers but are less hacked, etc.

        And yet here is a study that shows otherwise. Now look at all those people try to dismiss it. Try to dance around it, making excuses, and so on. If this study had shown that Windows was the most breached, people would take it at face value and we'd have the requisite hundreds of "I told you so" posts, heresay, anecdotes from idiots who don't patch their servers, and so on.

        I'm sorry, but I just wanted to say, I told you so. All operating systems are as secure as their admins. Microsoft has millions of dollars and some of the top programmers in the world. They're damn secure. So is Linux. So are all the others, reasonably speaking. Linux is not the end-all of secure systems, and this just makes people who act that way look like idiots (especially when they're making ridiculous excuses to try to diffuse the study).
    • Re:Yeah... (Score:5, Insightful)

      by nicodaemos ( 454358 ) on Thursday September 11, 2003 @04:06PM (#6936321) Homepage Journal
      They are not counting server boxes that have been hacked, but websites.

      From MI2g website [mi2g.com]:
      Do multiple website attacks resulting from a single system breach count
      as one attack or many?


      Mass website attacks are counted as multiple attacks because although there is a single
      action on the part of the attacker, economic damage is always done to multiple victims.

      So if a single ISP box gets hacked, they may count that as 100 linux sites hacked because of virtual hosting.

      But even more important than their actual counting methods are where they get their data. Again, according to the same paper:
      mi2g is principally reliant on data for SIPS and EVEDA from a number of sources:

      1. Personal relationships at CEO, CIO, CISO level within the banking, insurance and
        reinsurance industry in Europe, North America and Asia. We have been involved in
        pioneering cyber liability insurance cover for Lloyd's of London syndicates which has
        given us access to case history since the late 1990s.
      2. Monitoring hacker bulletin boards and hacker activity. We have several white hat
        hackers who we use for penetration testing and developing our bespoke security
        architecture that feed digital risk information through to us on a continuous basis
        including vulnerabilities, exploits and the latest serious attacks they are aware of.
      3. We maintain anonymous communication channels with a large number of black hat
        hacker groups.

      So their highly informed executive manager friends seem to know when their linux systems get hacked versus their windows systems, they browse the web, looking at defacement sites and they converse with script kiddies via email. Umm, does anyone else see an issue with their data collection methods besides me?

      If you don't yet, then let me give you a simple example. Let's say that I wanted to bias the results. Mmm ... it appears that all I have to do is deploy one linux box that is virtual hosting say 2,000 sites that noone visits. I leave some things in a very insecure mode and let some script kiddies know about it. Once its been "hacked", the script kiddie posts on a board or sends email to mi2g.com and their numbers move by 2,000 sites.

      You can show me analyst reports by people like this all day long. In the end, this report bears no relation to what I see day to day in the real world.
  • Woo! (Score:4, Funny)

    by Dirtside ( 91468 ) on Thursday September 11, 2003 @03:08PM (#6935494) Journal
    We're number one! We're number one! Woo! Party!

    Er... wait, what? Is this a good thing?
  • What? (Score:5, Funny)

    by ascalon ( 683759 ) on Thursday September 11, 2003 @03:08PM (#6935497) Homepage
    Good god sir, do you know where you are posting this? ;]
  • Interpretations... (Score:5, Insightful)

    by mgcsinc ( 681597 ) on Thursday September 11, 2003 @03:08PM (#6935498)
    On the surface, this statistic serves both as a testament to linux's growing popularity as a server OS and ammo for those windows admins who have long taken abuses about the insecure nature of their OS. These ideas, particularly the latter, however, may prove misguided; breaches against servers are rooted not only in the security of their running OS, but also in the effectiveness of the security implementation of the system admin him/herself.
    • by Zigg ( 64962 ) on Thursday September 11, 2003 @03:12PM (#6935563)

      I'm going to go out on a limb and say a lot of these probably happened inside cut-rate shared-hosting environments, where Linux is uber-popular and security is often kept lax to keep customer questions at a minimum. Let's face it, it's easier to clean up a defaced homepage than try to explain chmod to folks...

      • by Gaijin42 ( 317411 ) on Thursday September 11, 2003 @03:17PM (#6935659)
        Im going out on a pretty wide limb and saying that Windows problems were also largely in the same boat.

        ITs possible to make a secure windows system. Its possible to make a secure linux system.

        ITs possible to make an insecure windows system.
        Its possible to make an insecure linux system.

        • by dom1234 ( 695331 ) on Thursday September 11, 2003 @03:44PM (#6936080) Journal

          Those are four facts leading to interesting quesitons :

          • How much possible in average is it possible that someone makes an insecure Windows system ?
          • How much possible in average is it possible that someone makes an insecure Linux system ?

          Those probabilities should be pondered by the frequency of default installations, frequency of having an expert rather than a novice as the administrator, etc.

          Thus, could someone not knowing which one to choose, and not knowing whether he is hiring an expert or not, rely on those statistics ?

  • by LostCluster ( 625375 ) on Thursday September 11, 2003 @03:10PM (#6935527)
    Okay... do the editors read the links anymore?

    This clearly came from Canada's Globe and Mail newsmapaper, which is clearly has nothing in common with the British Broadcasting Company
  • by Gothmolly ( 148874 ) on Thursday September 11, 2003 @03:10PM (#6935529)
    Does this count the number of Windows machines that were 'compromised' by BLASTER and its children? If someone gets a binary on my server and controls what my server does ( in this case, replicating the worm ), then I'd call that hacked. Just because a worm did it vs. a human doesn't mean anything. More direct hacks on Linux machines might just mean that there was much more human effort expended.
    • by LostCluster ( 625375 ) on Thursday September 11, 2003 @03:13PM (#6935593)
      Numbers without a counting methodogy are usually worthless. We've got a small article that doesn't even name what "british security company" released the data, and a summary that somehow gets the BBC involved even though they're nowhere to be found in the story.

      Uhm... slow /. day?
      • by imipak ( 254310 ) on Thursday September 11, 2003 @04:04PM (#6936296) Journal
        British security company? This wouldn't be the notorious (as publicity whore cowboys) London-based "security consultancy" run by a character called D.K. Matai, by any chance? If so, the value of this study is exactly zero. They put out a similar press release every few months and occasionally it gets picked up by a semi-mainstream news source (like Slashdot... or more commonly, mailing lists.) Search Need To Know for the gory details.
  • How do they relate (Score:4, Interesting)

    by ceswiedler ( 165311 ) * <chris@swiedler.org> on Thursday September 11, 2003 @03:10PM (#6935530)
    How do these numbers relate to the number of servers which are 'attackable' by hackers? ...even assuming (as they do) that home desktop machines on DSL/cable modems which are compromised (by worms or hackers) are not considered 'server attacks'.

    Well, they don't say that, but if you include the number of infected Windows desktops this year, I have a pretty good feeling it would be a LOT more than 12,000, even if you only include infections designed to give control to an outside party (as opposed to simply spreading).
  • by JohnGrahamCumming ( 684871 ) * <slashdot@ j g c . o rg> on Thursday September 11, 2003 @03:10PM (#6935534) Homepage Journal
    No doubt the Linux faithful are going to bay and scream about this report, but there's something interesting buried in the article. The following quote:
    The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.

    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

    Although I don't like Microsoft's software and it's a real pain having to get all the latest patches, they do at least tell us when they've got a patch. This is an inadequacy with Free Software that in general needs to be addressed, and it will make a nice revenue stream. At my company we subscribe to RedHat's "uptodate" service that makes sure that we are always patched. Even though the software is Free we are still willing to pay someone to tell us what we need to patch.

    It's ironic that Microsoft provides that service for free, whereas Linux requires paying money. But it's good because at least here there's a clear way to make money off Free Software and keep programmers like me from going hungry.

    John.

    • by Kevinv ( 21462 ) <kevin&vanhaaren,net> on Thursday September 11, 2003 @03:18PM (#6935667) Homepage
      Both debian and gentoo (and Red Hat) have security mailing lists that list packages/ebuilds that have been updated for security reasons. I know Debian & Red Hat's are cross-posted with Bugtraq, not sure about Gentoo's.

      Finding updated packages isn't a big deal. Harder is finding what software has an announced vulnerability that hasn't been patched by it's respective distribution yet. Red Hat uptodate has the same problem, if Red Hat hasn't patched the vunerability yet you won't know about it.

      Of course in the Open Source world the updates come pretty quick after the annoucement anyway, but if there were some software app that had a real old version with no maintaniner as the default it could present a problem.
    • by HiThere ( 15173 ) * <charleshixsn.earthlink@net> on Thursday September 11, 2003 @03:22PM (#6935738)
      It's a plausible claim. But I don't know how one would go about substantiating it.

      Above it says that it costs 30 pounds to read the report and discover their methodology. Not worth it to me. But before I took it seriously I'd need to know their target populations and their sampling rates. It makes a big difference, for instance, if they only sample people who know and admit that they have been hacked, or whether they have some independant way of checking. And it also makes a big difference if they are counting servers in Fortune 5000 glass houses, or whatever is connected to the web, or (...what are the alternatives?).

      I've seen too many bogus news stories to start taking one seriously just because it says that there are a lot of Linux machines out there.

      (P.S.: staying up to date doesn't cost MUCH money. I normally run Debian, and once a day I usually run apt-get update/apt-get upgrade. This does sort of depend on a broadband connection, as some days the amount of upgrades would choke a dial up connection. OTOH, most days nothing significant to me has changed.)
    • by jimfrost ( 58153 ) * <jimf@frostbytes.com> on Thursday September 11, 2003 @03:23PM (#6935771) Homepage
      Although I don't like Microsoft's software and it's a real pain having to get all the latest patches, they do at least tell us when they've got a patch.

      I don't know about Linux vendors in general, but Red Hat has offered such a notification service for years. You don't even have to pay them for it, just sign up for their security mailing list. I've been getting such notifications for a long time; I probably get a dozen a week.

    • by lordcorusa ( 591938 ) on Thursday September 11, 2003 @03:26PM (#6935808)
      If the only reason you pay for Red Hat Network is to get automatic updates, I strongly suggest you look at apt-get for rpm [freshrpms.net]. It provides the exact same updates as up2date, only they are free. If you don't trust them you can check the digital sigs on the packages; they come unaltered from Red Hat. Optionally, it can also provide additional packages not found on the Red Hat distribution.

      Apt-get doesn't explicitly notify you when updates come in, however it is trivial to write a script to automate the process of checking for updates. For the super-lazy, you can even continue to use the free version of Red Hat's up2date notification icon to alert you when updates come in, and then use apt-get to actually fetch them.

      Of course, there are probably other reasons you pay for RHN, such as technical support, a desire to give back to Red Hat, etc...

      Just thought I'd make sure you know about an excellent free alternative.
    • by trickycamel ( 696375 ) on Thursday September 11, 2003 @03:29PM (#6935869)

      It's ironic that Microsoft provides that service for free, whereas Linux requires paying money.
      No it doesn't. Tried Debian security advisories [debian.org]?
    • It's ironic that Microsoft provides that service for free, whereas Linux requires paying money.

      1. You are confusing "free as in beer" with "free as in speech".
      2. It's pretty easy to set up a cron job to automatically download the patches from a mirror ("wget -m ...."). As you see a new patch is downloaded, install your already downloaded update(s).
      3. Mailing lists, mailing lists. Gentoo has a mailing list for announcements that is very quiet and seems to have only security announcements. I'm sure the
    • by Mikey-San ( 582838 ) on Thursday September 11, 2003 @03:31PM (#6935897) Homepage Journal
      Actually, MS doesn't want people talking about security holes they find in MS software:

      http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/columns/security/essays/noarch.as p

      http://www.pcworld.com/news/article/0,aid,63784, 00 .asp

      As Steve Jobs once said, "Every security scheme that is based on secrets eventually fails."
      • by Bas_Wijnen ( 523957 ) on Thursday September 11, 2003 @03:55PM (#6936206)

        As Steve Jobs once said, "Every security scheme that is based on secrets eventually fails."

        Well, he's got it wrong. He probably meant obscurity, not secrets. Then he would be right. Your gpg private key is a secret. Not telling how the encryption works is obscurity. There's a big difference between the two.

        Security through obscurity (as you correctly show is Microsoft's way of working) is bad for security, because it gives the people the feeling that they're safe, while they're not. That means that the end result can be worse than no security at all (in which case the user would perhaps choose not to put sensitive data on the device).

    • by Experiment 626 ( 698257 ) on Thursday September 11, 2003 @03:44PM (#6936079)
      It's ironic that Microsoft provides that service [patch notification] for free, whereas Linux requires paying money.

      That's a bit misleading. With Linux, you don't have to pay anything up front for the OS, and you can take whatever support strategy works best for your particular situation, from building updated sources yourself (free), downloading RPMs (free), using Red Hat's limited trial up2date (free), or getting one of the Red Hat Network subscription packages ($60+).

      With Windows, you pay $300 or so up front for the OS plus whatever an office suite, developer tools, a DBMS, and the other types of apps that would have come free in the Linux distro cost you. Part of this cost goes to support, so you can use Windows Update all you want... you already paid for it. Unlike up2date and its counterparts in the other distros, however, Windows Update just updates the base OS, so you have to take additional steps to update your word processor, C++ compiler and such.

      I'd say the Linux way isn't such a bad deal after all.

  • stats? (Score:5, Interesting)

    by BWJones ( 18351 ) on Thursday September 11, 2003 @03:11PM (#6935544) Homepage Journal
    So, I wonder....the interesting statistic to me would be what percentage of attacks against each platform are successful? This statistic is not explicitly stated. Also did they include OS X as part of the study?

  • by clustersnarf ( 236 ) on Thursday September 11, 2003 @03:11PM (#6935553) Homepage
    These figures correspond almost directly to netcraft. Seems to me, more linux/apache boxes out on the net means more targets. IIS holds about 24% and apache is about 64%. DUH. Its not hard to see that there will be more attacks if there are more machines. I bet they didnt factor how many OS/2 boxes got attacked.

    Statistics are dumb.
    • by goldspider ( 445116 ) on Thursday September 11, 2003 @03:32PM (#6935912) Homepage
      "Its not hard to see that there will be more attacks if there are more machines."

      That's not the point.

      The point is that this report handily debunks the myth that a Linux server is inherantly more secure than a Windows server.

      The more rational among us here have tried to get the message out that no server is secure if there's an idiot at the helm.

      Good admins make secure servers, not an operating system, despite what the zealots would have us believe.

  • by Hieronymus Howard ( 215725 ) * on Thursday September 11, 2003 @03:13PM (#6935578)
    Yes, my Linux server is certainly being attacked constantly. I know this because I keep finding entries like these in the apache log files:
    212.181.127.182 xxxxxxxx.org - [08/Sep/2003:21:36:02 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404
    12.242.55.56 xxxxxxxx.org - [09/Sep/2003:21:41:54 +0100] "get /scripts/..%c0%af..%c0%af..%c0%af.. %c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/syste m32/cmd.exe?/c%20dir" 501
    62.194.103.198 xxxxxxxx.org - [11/Sep/2003:10:31:35 +0100] "GET /scripts/nsiislog.dll" 404
    HH
  • Jesus... (Score:5, Insightful)

    by garcia ( 6573 ) * on Thursday September 11, 2003 @03:13PM (#6935595)
    The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion.

    So while these "attacks" on servers totalling about the same damage amounts as usual there was quite a new record high obtained by the RPC vunerability...

    So they are attacking an OS that is known to be running on more servers around the world and the "damage" from these attacks is holding steady, yet we don't mention in the article title that because Windows is MAJORLY vunerable, there was nearly 30 BILLION dollars in damage done!

    Interesting spin.
  • by jimsum ( 587942 ) on Thursday September 11, 2003 @03:14PM (#6935596)
    They count hacker attacks, although without knowing the relative numbers of servers we don't know which O/S is better.

    But what about vender attacks, like patches that crash the server, or the DoS attacks that happen when a server is taken off-line for patching? And surely a precautionary disconnect when there is a MS virus storm has to count as a successful DoS attack.
  • by Future Man 3000 ( 706329 ) on Thursday September 11, 2003 @03:14PM (#6935611) Homepage
    Linux has gained enough acceptance in the server field to be deployed in large numbers and at high-visibility targets. Additionally, the level of competence of the people deploying Linux is probably dropping somewhat, as it's moving from something that is just installed by those who love it and are willing to take the time to monitor all of the security flaws to something that is installed by people who just want something that works.

    Also, it has gained something of a reputation as a secure system, at least compared to IIS, and this may be undeserved in installations where best security practices are not followed (most of them). This is perhaps a wakeup call that it's important to patch, only set up services that are necessary, and use a firewall and intrustion detection system, but most people know that already.

  • by runchbox ( 578541 ) on Thursday September 11, 2003 @03:15PM (#6935620) Homepage Journal
    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

    The only way they've reduced the _proportion_ of attacks on their servers is by losing market share. The total number of attacks against Windows servers is still increasing, so it's a little premature to give them any compliments.
  • by BrynM ( 217883 ) * on Thursday September 11, 2003 @03:16PM (#6935628) Homepage Journal
    "The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.
    So let me get this right. Since third party applications under Linux get hacked, it is attributed to Linux being more vulnerable while MS Windows running third party software is more secure??? So a PHP/SQL injection exploit is attributed to the OS PHP is installed on? Does the exploit count twice then? - Once for each operating system?

    I think it's time to break the statistics down application by application at that point. Show me some Apache vs. IIS numbers or MySQL vs. SQL Server numbers or exclude third party applications altogether please. For the record, I run both Windows and Linux for clients and servers and am pretty neutral in the whole OS wars thing. Each has their merits and uses, both need regular security maintenance and I am pretty much happy with both for very different reasons. I'm not a Linux zealot, but I know bad numbers when I smell them. And then...

    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
    So MS is shoring up third party applications then? They even go on to cite Sobig and MSBlast as the reasons for the high MS numbers. This is shifting over to a very FUD-like smell now.
  • by eweu ( 213081 ) on Thursday September 11, 2003 @03:16PM (#6935632)
    Anonymous guy who can't remember his login

    That would be WilliamGates.
  • What about worms? (Score:3, Insightful)

    by GrenDel Fuego ( 2558 ) on Thursday September 11, 2003 @03:17PM (#6935655)
    I seem to recall some 500,000 servers being compromised by a worm last month. Do they only count attacks by people?
  • by jimfrost ( 58153 ) * <jimf@frostbytes.com> on Thursday September 11, 2003 @03:18PM (#6935661) Homepage
    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

    Well, that's sensible if you ignore the half million or so infections by Blaster - which clearly this article does.

    I think that any analysis of digital attacks that filters out malware is missing a huge part of reality. Certainly you'd have to be nuts to call August a good month for Microsoft servers.

  • by asv108 ( 141455 ) * <asvNO@SPAMivoss.com> on Thursday September 11, 2003 @03:18PM (#6935672) Homepage Journal
    I don't have the expertise to comment on the validity or invalidity of their report, but from a marketing point of view, this article is the perfect way to generate interest in their reports. This company has a varity of businesses, one of which is to sell reports [mi2g.com]. If you choose to buy the report, it comes with some pretty intersting terms and conditions [mi2g.com]..

    mi2g disclaims all warranties as to the accuracy, completeness or adequacy of the information. mi2g shall have no liability for errors, omissions or inadequacies in the information intelligence offered or for interpretations thereof. mi2g disclaims itself of any sales lost or damages incurred to other parties as a result of this information.

    Doesn't seem like this company is too confident in any of the claims made in these reports..

    Their monthly intelligence [mi2g.com] has a quote that makes their "reseach methods" look shady:

    The Monthly Intelligence analyses and collects data from over 7,000 hacker groups worldwide and provides detailed monthly and year-to-date information on:

    Seems a little far fetched to me, I doubt many "hacker groups" are open to research companies doing data collection.

  • by gillbates ( 106458 ) on Thursday September 11, 2003 @03:19PM (#6935677) Homepage Journal
    We've become complacent. I mean, as Linux users, we expect the systems to be secure, where as with Windows systems, we know they're insecure, so we're more vigilant, always patching them.

    I think a much more meaningful statistic would be how many fully patched Windows and Linux servers are successfully hacked. With Windows, you are always vulnerable, because the rate at which vulnerabilities are discovered far surpasses the rate at which patches are issued. With OSS, OTOH, a patch is usually issued a few hours or days after the vulnerability is discovered. Hence, the amount of time a successful Linux exploit is usuable is usually much lower than an exploit for Windows.

    I would guess that most Linux machines that get hacked are due to unpatched/deliberately insecure configurations - like using a dictionary word for a root password.

  • mi2g (Score:5, Informative)

    by FrostedWheat ( 172733 ) on Thursday September 11, 2003 @03:20PM (#6935712)
    Brought to us by our friends at mi2g [theregister.co.uk]. I'd take this with a grain of salt.
  • by PMuse ( 320639 ) on Thursday September 11, 2003 @03:21PM (#6935734)
    Here's a statistic I'd like to see.

    Number (or percentage) of successful attacks against servers maintained by professionals, sorted by operating system.

    Of course there are a lot of non-secure Linux systems on the net. Lots of amateurs use Linux. After all, it's free! Notice how much the statistics in the article changed when they leveled the playing field and looked only at servers in one industry: government? Keeping to one industry caused them to look at systems maintained by sysadmins with much more equal skill levels.

    From the article: Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.

  • Mi2g (Score:3, Interesting)

    by Jacco de Leeuw ( 4646 ) on Thursday September 11, 2003 @03:23PM (#6935766) Homepage
    A few months ago Mi2g [mi2g.com] seemed to be of the opinion that Linux and other Unices were less vulnerable than Windows. Microsoft even complained [pcworld.com] about that...

    And now it's the other way around?

  • by phsolide ( 584661 ) on Thursday September 11, 2003 @03:26PM (#6935819)

    Gotta consider the source of this study: mi2g. They haven't been totally reliable [theregister.co.uk] in the past, and mi2g seems to be more interested in generating press [vmyths.com] rather than doing anything.

    Of course, nobody in The Media will consider the source: the sound bite is just too good.

  • by The Revolutionary ( 694752 ) on Thursday September 11, 2003 @03:27PM (#6935822) Homepage Journal
    Folks who have traditionally been Microsoft users, who have recently installed Linux on an old machine at home or maybe as dual-boot, who have little to no real experience or training with Unix-like systems or with particular open source servers, are going into to the business IT environment and installing Linux-based systems on the hype.

    Sure they can get Apache webserver serving pages, they can get Tomcat doing "something", and they can certainly run XMMS quite well on their workstation, but they really have no clue how to properly use these technologies in a production environment.

    They see switching to Linux-based systems as being a simple fix.

    They aren't willing to extensively review their configuration or product documentation. They aren't willing to put in the significant amount of time that is in fact required to become experts with the technologies.

    Yes, they certainly do get a kick out of telling their friends that they have "Linux boxes running their shop", but security suffers due to their naive incompetence.

    These techs should be fired.

    Open source development may be a "we'll get that feature done when we feel like it" affair, but deploying Linux-based systems in a production environment must not be.

    If anything, effectively and securely deploying Linux-based solutions requires more training and knowledge than does deploying Microsoft.

    Let's stop pretending otherwise.
  • by mykepredko ( 40154 ) on Thursday September 11, 2003 @03:32PM (#6935914) Homepage
    Anybody can into Windows, but it takes a real hacker to get into Linux.

    Seriously, I suspect that difference comes into play when you look at where the servers are used. You'll find that Linux is used in more servers that are much more worthwhile targets (ie credit card transaction processing) than Windows. So going back to the original comment, not only is it less of a challenge to break into Windows, but I suspect that there is also less reason to want to attempt to break into Windows servers.

    myke
    • by Homology ( 639438 ) on Thursday September 11, 2003 @04:54PM (#6936796)
      Anybody can into Windows, but it takes a real hacker to get into Linux.

      In the book Repelling the Wily Hacker there is an amusing story about a Unix box getting rooted, and the script kiddie starts typing DOS commands.

      Just to give an example that it does not take a real hacker to get into a Linux box as such. Other factors are also quite important.

  • by taybin ( 622573 ) <taybin@tOOOaybin.com minus threevowels> on Thursday September 11, 2003 @03:32PM (#6935916) Homepage
    Any information that comes out of mi2g is suspect. They have been heavily [vmyths.com] criticized [vmyths.com] by Rob Rosenburger of Vmyths [vmyths.com], a computer security hysteria site.
  • by Nik Picker ( 40521 ) on Thursday September 11, 2003 @03:34PM (#6935938) Homepage
    If over 12000 Servers were linux and were being sucessfully cracked compared to 4000 of windows boxes. Now representing this as 67% is to skew the results. What we dont actually know is how many were in the data set ?

    Did they sample 20000 Servers ? 20,000 servers or 200,000 servers ?

    Linux 67 Breached Linux Servers 12892 73.59%
    Windows 23 Breached Windows Servers 4626 26.41%
    90Total Cracked ? 17518

    Well the percentile is only 90% of the figures. Which servers were in the missing 10%.

    Did the survey compare windows to linux boxes alike e.g.

    1 Linux Server examined to 1 windows box. for 20,000 boxes ?

    I dont see any figures here for accuracy or qualification of the figures.

    What I do see is a suggestion that Linux is very popular. If this is the case and we suggest that 80% of the net is unix to 20% microsoft. then 67% of 80% of the network being interupted seems very unusuall and rather high as a figure.

    So I keep coming back to wondering where the figures have actually originated and been compiled.

    Im fairly sure Microsoft can be secure, but unlike Unix it tends towards insecurity. Ive often compared running Microsoft boxes to herding sheep. You spend all your time keeping them alive and free of viruses. Unix on the other hand is the sheep dog, consistent , loyal and dependent.

    They can bandy these figures all they like but unless they can flatten the survey and show a clear scope of investigation and comparison then I dont think we should be worrying about the quote.
  • Well, Of Course (Score:3, Insightful)

    by carrier lost ( 222597 ) on Thursday September 11, 2003 @03:35PM (#6935944) Homepage


    During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by...


    All the Windows boxes that are 0wnZ3r3d are not verifiable!


    MjM


    Groovy. Gear. Mod.

  • by pjt48108 ( 321212 ) <{mr.paul.j.taylor} {at} {gmail.com}> on Thursday September 11, 2003 @03:45PM (#6936090)
    "The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.

    I must confess that the first linux server that I set up was hacked for the very reason mentioned: my ambition exceeded my knowledge.

    Imagine my chagrin when I got email from a couple of companies stating that an attack had been launched on their servers from my system! Let me tell you, I fixed that right quick!

    I find it interesting to note the low number of Unix boxes that the article mentions as attack victims. Based on the experience of my own personal ignorance, I figure Unix operators are probobly more savvy, ergo tighter security and fewer successful attacks. Personally, I haven't been able to figure out how to configure a Unix server in a usable manner (having tried FreeBSD and failed miserably). I find Linux easier to work with, which, perhaps, invites disaster when someone with limited savvy (such as I, once upon a time) decides to roll out a server and expose it to the wild west Internet.

    [For those who wonder, the incident involved someone setting up an IRC server app on my system, which then attempted to install itself, apparantly, on other systems that were better-secured than my own. Thereafter, I put everything behind a linux firewall that was locked down tighter than a nun's dainty underthings. I hope this humble and frank admission of ignorance will learn y'all to lock those ports down TIGHT!]
  • by tagishsimon ( 175038 ) on Thursday September 11, 2003 @03:45PM (#6936093) Homepage
    mi2g - authors of the report being discussed, are the single most dissed security company I know of. They're derided by such a long list of organisations, that one might wonder if there's any point giving their work houseroom. They certainly appear to be PR whores, and, bless' em, good at this part of their job.

    Vmyths [vmyths.com] appears to summarise the anti-mi2g camps position. Searches for mi2g on NTK [ntk.net] and The Register, [theregister.co.uk] (when its search engine is working) for mi2g are as enlightening as they are amusing.

  • by Lodragandraoidh ( 639696 ) on Thursday September 11, 2003 @04:23PM (#6936535) Journal
    Per the initial write-up: "...all successful and verifiable digital attacks against on-line servers targeted Linux..." (my emphasis)

    The key word here is 'verifiable'. It is much easier to detect and validate that someone has hacked a Linux box, than a Windows box. We don't know the following that would lead more credence to any claims:

    1. What is the ratio of M$ to Linux boxes that were attacked that we don't know about? (undetected and still infected - I would argue this number is much larger on the M$ side)
    2. How were the percentages arrived at? If there are more Linux servers on the network than Windows servers, then we can not quantify 'percentage of total servers' and have it mean anything useful in terms of total numbers of attacks because, statistically, Linux attacks will outnumber Windows attacks given a standard distribution; since most script kiddie tools run on, and target Winblows machines, a 21% of total attacks on a few windows machines is more significant than a 67% of total attacks on a much larger group of Linux machines.

    Social science numbers have no intrinsic value, except to the uninformed.

    "Figures never lie, but liers tend to figure." - Longfellow
  • This is some FUD (Score:5, Insightful)

    by purdue_thor ( 260386 ) on Thursday September 11, 2003 @04:50PM (#6936767)
    Come on, where do they get these figures? In August alone:
    From NetworkWoldFusion [nwfusion.com]

    The Blaster worm - also known as MSBlast or LoveSAN - has spread rapidly since it was first noticed on Monday. It has infected an estimated 188,000 systems running Microsoft operating systems, including Windows XP, Windows 2000, Windows 2003 and NT, that are unpatched for the so-called RPC vulnerability discovered last month, according to a security firm tracking the worm.

    They didn't count them. Why? Most of them aren't servers, right? Well how did they differentiate Linux servers then? I bet they didn't -- did they check and only record RH Advanced Server and disregard all the RH Workstation. I doubt it. This is pure FUD by a place that has trouble with math.
  • Ehhr, oookeeey? (Score:4, Interesting)

    by miffo.swe ( 547642 ) <daniel...hedblom@@@gmail...com> on Thursday September 11, 2003 @05:43PM (#6937306) Homepage Journal
    "The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups."

    So, its like, here we have an organisation that manage to track 7900 hacker gruops?
    Riighht...
    That should make echelon pretty jelauos. The numbers are spewed out with no explanation whyatsoever wich makes someone as paranoid as me very suspicious. I have a hard time imaging a hacker giving numbers that easily. Smart hackers tend to shut their mouth. We only see the stupid scriptkiddies who brags on irc. I hope they havent used IRC logs as a measurement even if it wouldnt surprise me at all.

    "Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August."

    Why arent the numbers for this accounted for? I interpret this sentence as if Windows Servers was infact more attacked at govts. Why isnt those numbers revealed? Was there like, 100 000 Windows attacks or 10? The difference is also quite amusing between the number of successfully attacked systems. It seems like the govts is better at securing their servers than comercial online shops are.

    And again Riiighht...

    "The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.)."

    "The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion"

    If im right here server attacks from hackers cost 707 million. Attacks from viruses/worms (Windows since how many has even seen a linux worm let alone experienced one?) cost about 27 billion.

    In that retrospect its kind of annoying if mi29 pats Microsoft on the shoulder since they account for almost all lost productivity and loss of income. Since the Microsoft attacks costs so much more or are so much more expensive i find it very hard to come to no other conclusion than that the linux attacks are no more than supercicial breaches easy recovered from. Either that or the numbers just dont add up.

    As i side note, yes i think linux need better security but to gain real security on cheap intel/amd there need to be some better memory protection and more belts and straps. If one security mesurement fails there should always be a backup system to catch what slips through the first line of defense. This is my strong belief drawn from my view that no system can be whitout faults. We should try and mimik the way airplanes are built and used.
  • by Tracy Reed ( 3563 ) <treed@ultrGAUSSa ... g minus math_god> on Thursday September 11, 2003 @07:02PM (#6937991) Homepage
    SE Linux is integrated into 2.6 and a patch to 2.4. It GREATLY improves the security of a Linux box. If someone gets root (or some other uid shell) through a buffer overflow they can no longer take over the whole system. Odds are they cannot do anything. How is this possible? By running every process in a security context carefully restricted to least priviledge through a system of mandatory access controls. If you want to see how effective this is for yourself please telnet to:

    selinux.copilotconsulting.com
    user: root
    pass: root

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...