Is Linux as Secure as We'd Like to Think?
man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILOVEYOU" would be lower for Linux than Windows?
Ha - Ha! (Nelson voice) (Score:5, Informative)
view-source:http://www.zone-h.org/
DB connection failed ().
Lots of room to grow; OpenBSD is 1 good example (Score:1, Informative)
If you really want to stick with Linux, distros such as OWL (www.openwall.com) and Trusteddebian (which uses GRSEC and PaX) are OK too.
Popular distros have only very recently turned their attentions to security - just like M$; and as such they have a long way to go. Projects like OpenBSD really serve as a model of what can be accomplished over a longer period of time with such a focus, yielding a thoroughly audited code base, many default security settings, and they're still usable from the get go (e.g. not all services are turned off, making it a completely useless piece, though perhaps still more constrained than some are used to).
Outside of OpenBSD, some security-conscious Linux distros and OSS security-minded projects - I think that the open source community as a whole has a lot of room to grow with respect to security, and really isn't all that different from everyone else, be they MS or Oracle.
Re:Just give it time... (Score:1, Informative)
Re:I think its the apps (Score:5, Informative)
I don't expect everyone to know how to clean up security for a PHP site, but if they decide to use what they don't understand bad things will happen. If you know a novice that wants a site, start them out with some static HTML rather than let them use whatever code strikes their whim as "neat", "shiny" or "cool". Explain to them that they are learning how to eventually do the "shiny" stuff, but they need to learn how to use it safely first.
Re:Psychology plays a role (Score:5, Informative)
Yes, I've run into hobbyists running IIS for fun--by which I mean I discovered his CodeRed infected box on my network--but the cost of a Windows Server license is prohibitive for amateur use, even if plenty of people just pirate it. So in the end, the inexperienced users with no time to spend securing their boxes turn to RedHat with Apache and Sendmail. Which isn't necessarily a bad thing. If I had to choose between Linux or Windows for which to leave alone without regular maintenance, the choice is pretty clear.
Re:Psychology plays a role (Score:5, Informative)
Re:I think its the apps (Score:3, Informative)
Since UNATTEND.TXT is the config file for an unattended installation of Windows, this is not really an uninstallation procedure so much as a way to keep a user from invoking Internet Explorer in a NEW Windows install. If you have a Windows XP machine that you bought pre-loaded with XP, the only way to take advantage of this is to re-install Windows. (And what do you want to bet MS has some language in their OEM deals that says any OEM actually using this switch will be sacrificed to satan.)
Not a very helpful feature for those of us who would like to be rid of it without starting from scratch.
Further, since the code is "Fully functional" you can assume any exploits in the IE code will also be "fully functional" whether you set this switch at setup or not.
Is Linux as Secure as We'd Like to Think? (Score:1, Informative)
Not if Bill has his way. Legions of MS evil code monkeys are studying the source code of LINUX to write anything to discredit the perception of security.
</sarcasm>
Seriously though, patching is the key to every OS. I was shut down by my ISP because they had received complaints that I was hacking other users. I had fallen behind on my firewall distro patches and the LINUX box was the culprit, not my Windows box. So, I wiped the trusty P200 clean, installed a new firewall package, and cleared things up with my ISP, and life goes on.
Simple probability (Score:5, Informative)
There are some stats [netcraft.com] (look for the pretty pie charts) which can help explain the percentage, along with a few key thoughts and speculations:
No. (Score:3, Informative)
Let's examine the reasons why Blaster and not Sobig. Blaster exploits a buffer overflow and requires no user interaction. Find an overflow in Apache, you'll have a worm. Not a whole lot that admins can do to prepare for this except application level filtering. It will happen. Those of us who are "in the know" will be patched long before.
SoBig: This is a user-spread virus. It does not exploit any vulnerability. It merely requires the user to click on the attachment and hit open. It relies on badly designed software that allows a user to execute code legally, easily. Windows lets you click Open.
Contrast that to most Unix mailers: You have to deliberately save the file to disk, chmod +x it, and then run it with
About the web site defacements. Linux is more complicated to administer, I don't think anybody can argue that. Lately, people have been given this sense of "if I replace Windows with RedHat I will be more secure". That is not true. Security is up to the ADMIN and the ADMIN alone. I would venture to say that a Linux box is MORE dangerous in the wrong hands than a Windows box. Hence your 60%.
Nothing about this changes anything at all. Those "in the know", generally Unix admins, will not be exploited, whether on Windows or Unix.
This doesn't mean Unix doesn't raise the bar of your security... you just need an admin that knows how to use it for it to be even close to its potential. With Windows you are always stuck at whatever MS deems "secure enough".... bar writing your own IIS filter or something.
What we need are more smart admins using Unix, not sucky admins that give us all a bad face.
My two cents.
Re:did you fix it for yourself, or for everyone? (Score:5, Informative)
It all came about because I am building a module for Nuke. I started looking at the code and decided to do some house cleaning. Most of the fixes I implemented are already in the public (look around at Nuke Forums [nukeforums.com] or search for "php nuke exploit"), so I'm betting that Francisco Burzi (the creator of Nuke) is working on implementing them for the next version if they aren't already in. He's been good about including fixes as problems are found.
Most of the exploits are simple SQL injection exploits, which affect all PHP/SQL code and not just Nuke. Let's say you want to query user data from a MySQL table named USERS with the USERID as the criteria:
This will work great for one user, but to make the code portable, you'll need to use a variable for the USERID, so it becomes: When the variable is passed by an online form it will look like this: Because PHP doesn't keep strict variable types, $USERID could contain the number 5 just as easily as it can contain the string "foo". Since the variable is at the end of the SQL query, we can append SQL to the end of our URL like: As a result, PHP will hand MySQL a query that says "select * from users where USERID=5 or 1=1" (remember that %20 is a URL encoded space). Since 1 will always equal 1, MySQL will dump every record in the table instead of just the one with a USERID of 5.
The way to fix this is simple. Before your line of PHP with the query, just do a simple Since our exploit relies on $USERVAR being interpreted as a string, it will fail as PHP intval() will discard everything in the variable from the first encountered non-integer onward. Thus the malicious value of "5 or 1=1" becomes the number 5 again.
There are a lot of places where this needs to be fixed and I haven't found them all yet. I'm working on a list that I plan to give to Francisco rather than have him try to keep track of me telling him about many individual ones and lose something along the way. Many Nuke users have already fixed these themselves as well. There are other checks that need to be done for string variables, but I've already veered way too far off topic. I would be quite the selfish bastard to only fix the security holes for my use and no one else's. I'm glad you asked though. It never hurts to remind OSS users of their responsibilities should they touch the code. ;)
The woes of small business consulting (Score:4, Informative)
If you've ever installed systems (of any kind) for small businesses (~50 people), you'd know why this was such a temptation and often a functional necessity.
Many of them have no full-time technical staff. The typical scenario is an "operations manager" who spends most of their time dealing with production issues; a "back office" person (who's usually the consumer of the system, often the head financial person); and then whoever ends up being the technical liaison, which in my experience is whatever office flunky can get WebShots installed the best or who has the copier repair phone number.
It's sad, but I've done a ton of installs where basically everyone who uses the system is root/wheel/administrator and there are no permissions. If I'm lucky and can figure out there's no one to even reliably change tapes before the equipment is set up, I have it do alternate full backups on different physical disks; I figure it's better than a burned up tape.
It keeps you in business, but it kind of sucks, since it's apparent that nobody really gives a shit...
Re:Psychology plays a role (Score:2, Informative)
IIS comes with win2000 and XP, I think it was even installed by default on 2000.
The Problem with most Windows users... (Score:2, Informative)
If you have to do e-mail - a very good and secure e-mail client is Pegasus Mail [pmail.com] which does NOT blindly open up email attachments and run code like Outlook does.
Get a decent firewall like Sygate PRO or if you must even ZoneAlarm PRO and make sure it's configured properly. Again some windows users would have problems even with something so simple as this sadly.
Want to avoid the nasty crap in Internet Explorer or other browsers? Get a proxy like Proxomitron [proxomitron.org] and JD5000 Filters for Proxomitron [jd5000.net] which then allows you to lock down all that nasty MS crap like VB/ActiveX/Flash/Forced Download scripts/ADS and more that cause problems.
But as everyone else has mentioned here - all it takes is a moron to run a Windows box - Linux box or hell even a MAC OS X box and not keep up to date with patches. If he/she doesn't know what they are doing any of the three will be insecure.
Also with Microsoft a lot of users I believe are afraid to get the patches - because you keep seeing more and more supposed "horror stories" of how a patch broke Windows or a "feature". The same crap could also apply to the same user running a Linux box.
Fact is... Some apps need to run on IIS or other (Score:1, Informative)
1. PDF web server w/ Photoshop Engine.. The PDF server uses PDFLib w/ proprietary windows license fonts.. There is no way it will run the fonts on linux w/out licensing problems. PDFlib w/ php won't cut it.
We have the IIS also use Photoshop because there is a COM object for Visual C or Visual B.. You can script Photoshop with a IIS webserver. The com object allows us to run scripts, manipulate channels, layers,etc.
We tried ImageMagick, GIMP but they don't support our 1-2 gigabyte files regardless of how fast or fully loaded the servers were.. Photoshop has a nice virtual filesystem management that actually allows us to handle 4 gigabyte files. Moreover, files are from Macintosh clients which require resource forks. On NTFS, you can manipulate resource and data forks in streams.. We have a server object that reads resource info from Quark or InDesign files and processes them as blob data to SQL Server.
You can't do this with Linux/GNU equivalents. (no real tools for resources and netatalk has issues)
If you think you can handle a 1 gig CMYK layered Photoshop file with open source, post your contact info and I'll get back to you.
Trust me, a 600 meg file will make a P4 Xeon linux machine w/ 2 gigs of ram process the file for over 40 minutes running imagemagick while a 1 gig P3 using W2K and Photoshop/IIS will do it in 10 minutes.
2. We also have SGI servers to handle ripping of proprietary pre-press files which have no OSS equivalent.. E.G. pantone color matching, quark, etc.
They work with certain workflows.
People need to get off their OSS frenzy.
Point is.. each platform will have its specific tools unavailable to other environments.
Re:Psychology plays a role (Score:2, Informative)
Worm potential (Score:4, Informative)
I think the biggest reason that something like Sobig is unlikely is that there are so few Linux machines on the Internet as compared to Windows machines, and since a majority of Linux installations are on servers an awful lot of them are behind firewalls. Worms like this spread by seeking out more systems to infect. If 95% of the systems are running Windows, a worm can spread a lot faster than if it is looking for a fraction of that other 5%. A similar worm on Linux would take a _lot_ longer to spread and would give us more time to react and put a stop to it.
Linux is Open Source (Score:1, Informative)
Just to say the obvious!
Re:Psychology plays a role (Score:5, Informative)
From an old fart, I gotta take exception to that.
The design is from Multics, which is arguably secure, down to something that is doable on a departmental minicomputer. The design doesn't preclude some degree of security but all the emphasis is on getting something useful done. That said, Unix probably does manage to get the most usable security out of the fewest bits theoretically possible. I suspect that Unix is as simple as it can be and have any pretense to security.
NT does have security "features". It has lots of them, and they take lots of bits. They are stuck in strange places. If I have a lot of files to manage, I will not be using those features. I do a DIR. I see date and time and file size. No security information whatever. Must not be important.
Unix, if I do just an ls, just gives back the file names. If I do an ls -l to see dates and file sizes, back comes a mess of x's and hyphens. Must be important. Further, these are in my face every time I'm looking at files.
Multics was designed to be secure.
Unix wasn't.
Windows was designed to be able to claim the most "features"
Copy a directory from one place to another, where you don't have permission to read some of the files or write some of the targets.
Windows will give a pop-up and die when it runs into trouble.
Unix will copy what it can and give you the error messages with its dying breath.
Windows security. Even a little bit can be too much.
Unix security. I haven't seen it get in the way, and I haven't really got into groups yet. (Big gripe. I can't have NT users and groups with the same name. Stupid.)
Re:post your IP and let me run nmap, nessus and ot (Score:1, Informative)
Re:did you fix it for yourself, or for everyone? (Score:3, Informative)
>exploits, which affect all PHP/SQL code and not
>just Nuke
Actually, that affects just about any web language where developers trust inputted code.
I personally think that is one of the biggest challenges with the web. You have people who have had no formal training in programming, design, etc. being able to build these complex applications. Oftentimes the test cases don't take into account anything other than the user doing what she is supposed to.
For example, we recently had to have quite a lengthy discussion at work about why Javascript should *not* be relied on to format user input code, nor can just Javascript and HTTP_REFERER. On the web, there is no such thing as client side validation, except as a nicety. If you aren't doing proper server-side validation, you're dead in the water.
One further note: if you are checking user authentication by the SELECT * FROM users WHERE username = $username and password = $password be sure to check that the password returned from the query matches that which was submitted. That foils quite a few injection attacks very simply.
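Both the PHP-Nuke post above (the "5 or 1=1" integer case and its intval() fix) and the login-check advice in this reply, worked through as an added example that is not code from the thread or from PHP-Nuke. It runs against a constructed in-memory SQLite table through PDO; the table, rows and function names are all assumptions made for the demo.

```php
<?php
// Added example, not from the thread: constructed users table in memory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (USERID INTEGER, username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES (5, 'alice', 'hunter2'), (6, 'bob', 'secret')");

// 1. Vulnerable: the untyped $USERID is interpolated straight into the SQL string.
function byIdVulnerable(PDO $db, $USERID): array {
    return $db->query("SELECT * FROM users WHERE USERID=$USERID")->fetchAll(PDO::FETCH_ASSOC);
}
// 2. The post's fix: intval() keeps only the leading integer, so "5 or 1=1" becomes 5.
function byIdIntval(PDO $db, $USERID): array {
    $USERID = intval($USERID);
    return $db->query("SELECT * FROM users WHERE USERID=$USERID")->fetchAll(PDO::FETCH_ASSOC);
}
// 3. Bound parameter: the value never reaches the SQL parser as SQL at all.
function byIdPrepared(PDO $db, $USERID): array {
    $st = $db->prepare('SELECT * FROM users WHERE USERID = ?');
    $st->execute([$USERID]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$payload = '5 or 1=1';                 // what "USERID=5%20or%201=1" decodes to
echo count(byIdVulnerable($db, $payload)), " rows (vulnerable: whole table)\n";
echo count(byIdIntval($db, $payload)), " row (intval)\n";
echo count(byIdPrepared($db, $payload)), " rows (prepared: no row matches the string)\n";

// The login case from the reply: a string such as ' OR 1=1 -- makes the WHERE clause
// true for every row, so the query returns a user although the submitted password is
// wrong. Comparing the returned password with the submitted one catches that; binding
// the username keeps the injection out of the query in the first place. A real system
// stores a password hash and checks it with password_verify() instead of comparing text.
function loginCompareReturned(PDO $db, string $u, string $p): bool {
    $row = $db->query("SELECT * FROM users WHERE username='$u' AND password='$p'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['password'], $p);
}
function loginPrepared(PDO $db, string $u, string $p): bool {
    $st = $db->prepare('SELECT password FROM users WHERE username = ?');
    $st->execute([$u]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['password'], $p);
}

$inj = "' OR 1=1 --";
var_dump(loginCompareReturned($db, $inj, 'x'));   // false: a row came back, password differs
var_dump(loginPrepared($db, $inj, 'x'));          // false: no such username
var_dump(loginPrepared($db, 'alice', 'hunter2')); // true
```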
Re:Worm potential (Score:2, Informative)
95% of the Linux systems out there don't share 99% of their configuration. 99% of the Windows out there share 99% of their DNA. They are clones. There is a build... and there is precious little ability to deviate from that build.
For 10 given linux systems you'll find 22 different configs (that's right, twenty-two, including backups, failsafes and testsets, if you're a good admin...)
people use the M$ concept with linux (Score:2, Informative)
The key concept of UNIX is its building blocks: you build it from the ground up, not the other way around. A good server install should use the linuxfromscratch OS, with as little installed as absolutely needed. Then you hardify, using your KNOWLEDGE of the system. That's what most users think comes with Linux by default. Wrong.
With M$, you get to do what M$ thinks you will do. With linux, you get to do what you want to. The downside is you must know what you want and how to get there.
-i
Re:Another thought about server OS (Score:2, Informative)
If you consider that the windows version of apache is rather insignificant, I would assume that the total linux web server installations are in line with this number.
Actually:
1. There are a significant number of people who run apache on windows.
2. There are also a significant number of people who run apache on solaris, mac osx, bsd systems, or other posix compatible operating systems.
I would expect no more than half of those apache installations to be running linux.
Today on Zone-H (Score:3, Informative)
17 mass defacements
Win 2000 (98.2)
Linux (1.8)
Re:Psychology plays a role (Score:3, Informative)
OK, wise guy... (Score:1, Informative)
Seriously, though, the point is that bugs can be fixed once they're discovered. NT does not have any such bugs that cannot be fixed once they're known. The problem with Unix is that SUID is not a bug that can be fixed -- it's a "feature".
In the NT security model, there is no method for gaining access to another account's privileges without their authority. Even an administrative account can't run a program as a regular user without the user's password/token/ticket. In the Unix model, SUID is required in order to run necessary parts of the system, such as login and su (even mkdir, once).
aQazaQa