Linux servers 'attacked more often'

Summary: Online servers running Linux were attacked more often in January than those running Windows, according to a security firm

Linux advocates often take pride in the operating system being more secure than Windows, but this claim may have attracted unwanted attention from the hacking community.

An analysis of hacker attacks on online servers in January by UK-based security consultancy mi2g found that Linux servers were the most frequently hit, accounting for 13,654 successful attacks, or 80 percent of the survey total. Windows came in a distant second with 2,005 attacks.

A detailed analysis of government servers also found Linux to be more susceptible, accounting for 57 percent of all security breaches.

In a similar study last year, Microsoft Windows proved to be more vulnerable, accounting for 51 percent of successful attacks on government servers.

However, the sharp rise in Linux breaches probably reflects a lack of training and deployment expertise rather than inherent security problems within Linux, mi2g officials suggested.

"The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers," mi2g chairman DK Matai said in a statement.

According to the study, the most secure operating systems turned out to be BSD (Berkeley Software Distribution) and Mac OS X.

mi2g said its study focused on "overt digital attacks" and did not include other methods of intrusion such as viruses and worms.


Talkback

14 comments
  • Welcome to the real world Linux! I hope you decided to stay awhile and not float off again into another theory-driven pipe-dream haze of utopian bliss.

    I have admired the ambition, but some Linux guys, you have been making wild claims for years which we in business have found hard to believe, but we have given the benefit of the doubt.

    Confidence is a shallow thing in business. So here is the tip to the Linux community ... Be totally realistic about your security claims and when other operating systems are having a tough time in media hell, stay quiet; it can also so soon backfire and then there is egg just everywhere. Then we all lose, as IT itself, as a whole, just looks plain stupid.
    anonymous
  • Not surprising if you consider Linux is used by the overwhelming vast majority of personal and hobby websites, which due to the amateur nature of such sites are never going to be as secure as commercial websites often hosted by commercial web hosting companies with professional administrators and support teams (which, according to Netcraft at least) is the main situation where Microsoft's IIS server is used.

    If anything, considering the amount of such amateur Linux websites, I'm surprised the successful attacks on Linux aren't higher.
    anonymous
  • mi2g is a dodgy company with dodgy staff in need of cash and publicity....
    Check this link:
    http://www.attrition.org/errata/charlatan/mi2g-history.html
    I wouldn't put too much faith in the report.
    anonymous
  • The MI2G study of servers "did not include other methods of intrusion such as viruses and worms"

    The same firm mi2g also wrote the following
    http://www.mi2g.com/cgi/mi2g/press/190204.php
    QUOTE
    London, UK - 19 February 2004, 13:30 GMT - mi2g Intelligence Unit data shows that partially as a result of the growth of the MyDoom family of malware, lingering effects of Mimail, Dumaru, Sobig, Swen, Klez, Sober, Yaha, BugBear and Fizzer, and also as a result of new strains of Bagle, February 2004 has already become the worst month for malware proliferation on record with 10 days to go. As of today, the total economic damage from all malware epidemics in February is estimated to lie between $43.8bn and $53.6bn worldwide, two thirds more than the record breaking previous month of January.
    UNQUOTE

    Symantec also predicted this in its September 2003 Internet Threat Report.

    http://downloads.securityfocus.com/library/InternetThreatReportSept2003.pdf
    QUOTE
    Blended Threats
    BLENDED THREATS INCREASING IN SPEED AND FREQUENCY
    Blended threats, which use combinations of malicious code to begin, transmit, and spread attacks, are increasing and are among the most important trends to watch and guard against this year. By using multiple techniques, blended threats can spread to large numbers of hosts, causing rapid and widespread damage. During the first half of 2003, blended threats increased nearly 20% over the last half of 2002. One blended threat alone, Slammer, disrupted systems worldwide in less than a few hours. Slammer's speed of propagation, combined with poor configuration management on many corporate sites, enabled it to spread rapidly across the Internet and cause outages for many corporations. Companies hit by Slammer were not harmed as badly as they might have been, because it was designed to propagate quickly, degrade networks, and to compromise vulnerable systems rather than cause destruction or steal confidential data. Corporations that had updated firewalls, updated patches, and virus protection throughout the enterprise were prepared for this attack.

    Blended-Threat Targets
    MICROSOFT IIS VULNERABILITIES
    Microsoft IIS is one of the most widely deployed Web servers throughout the world. Symantec has documented several high-severity vulnerabilities affecting it. Their characteristics render these vulnerabilities attractive targets for future blended threats. Given Microsoft IIS's susceptibility to past blended threats such as Code Red and Nimda, Symantec believes that it may again be hit by highly destructive malicious-code attacks.

    MICROSOFT INTERNET EXPLORER VULNERABILITIES
    Several vulnerabilities allow attackers to compromise client systems through Web pages containing embedded malicious code. Others can enable the easy and almost undetectable installation of spyware, which allows attackers to extract confidential data.

    THEFT OF CONFIDENTIAL DATA
    The release of Bugbear and its variant Bugbear.B (discovered in early June 2003) were good examples of theft of confidential data. Once systems were infected, confidential data was extracted such as file names, processes, usernames, keystrokes, and other critical system information, and delivered to a third party, potentially compromising passwords and decryption keys. Furthermore, it appears that the creator of Bugbear specifically targeted banks. During the first half of 2003, Symantec saw a 50% increase in confidential data attacks using backdoors. By granting access to compromised systems, backdoors allow data to be exported to unauthorized individuals. For example, entire sessions can be logged, and passwords for systems and applications can be taken. Companies need to implement controls that make it difficult for malicious code to steal confidential data, such as updated firewalls, patch management policies, intrusion detection, virus protection, and so on.

    ATTACKERS EXECUTING COMMANDS FROM THOUSANDS OF INFECTED SYSTEMS
    Once a system is compromised, an a
    anonymous
  • Continued...

    ATTACKERS EXECUTING COMMANDS FROM THOUSANDS OF INFECTED SYSTEMS
    Once a system is compromised, an attacker can install malicious code known as a bot that allows the attacker to use the system for future scanning or as a launching point for future attacks (such as planned, distributed denial-of-service attacks). Once a system has become infected, the attacker can maintain a running list of the entire botnet (network of infected systems) by simply issuing commands through Internet Relay Channel (IRC is a common communication channel used by bots). Afterwards, all listening bots (sometimes numbering in the thousands) will execute any command issued by the attacker. Symantec examined an automated tool like this, which accounted for supposable Nimda (blended threat) traffic, after it was captured in a Honeypot network3.

    CONCLUSION
    The evidence in this report clearly shows that the risk of blended threats and attacks is rising. Understanding how to budget for security and what products and services are needed will involve some of the most important decisions that every corporation faces in the 21st century. The trends that we discuss in this report help executives understand some of the threats faced by their systems administrators every day. Symantec carefully monitors other potential threats such as the rise in peer-to-peer attacks (including instant messaging), mass mailers (like SoBig), the general trend toward theft of confidential information, and the rapid increase in the number of Windows 32 (Win32) threats.
    UNQUOTE

    Concerning the rest of the mi2g study...
    How was this data taken? What was the sampling method? What was considered an attack?

    In other words, how far into the OS did the attacks go. For Linux, a relevant question is "did the attack just breach a user's account, or did it penetrate to the root?". Did the attacker just replace the webpage?

    Lastly, were the vulnerabilities exploited an inherent part of the OS and Web server or an add-on such as PHP-Nuke?

    Read "A Grain of Salt: dealing with Operating Systems security debate"
    http://www.thinkmagazine2.org/versione_layer/security.html
    anonymous
  • a) All the windows servers are already compromised, therefore no need to attack (Seriously)
    b) 13654 servers successfully attacked, where would they get a number like that: extrapolation or heuristics? You can't log that many cases.
    c) Author states it does not include worms. Duh.

    This article appears to be a cross between anecdotal and tongue-in-cheek.
    anonymous
  • Most likely open mail relays were considered "compromised systems". That's the only way you could actually count the numbers.

    I think the study is bogus.
    anonymous
  • Yes... From my experience, GNU/Linux systems are more likely to be attacked. It's less secure than Windows when unpatched and more secure when patched. Plus, it's a far more attractive target due to the power of the tools, once inside. Not so much is available in Windows servers.

    So many people experiment with GNU/Linux, turning on every service and leaving them unsecured and unpatched. With Windows servers, they are so expensive that they are more likely to be deployed by professionals...not experimenters.

    The solution, in my opinion, would be Role-based configuration utilities such as the one I am working on, "Server Roller". By configuring a server according to its basic roles, as opposed to raw services, the system can make safe presumptions for automatic firewalling and/or setting mandatory access controls. Mandatory access controls alone would halt ~99% of all attackers. And yet, it allows experimenters to even more easily try out services.

    I've only been working on this project about a week and just applied for a sourceforge account. But I have a few people already offering to collaborate on the project. Perhaps in a few months or half a year, we'll be able to drop those numbers down to a tiny fraction of what they are now.

    As for fully patched GNU/Linux servers running minimal services, I think you'll find they are far less likely to be breached.....or attacked than Windows. BSD is safer mainly because it doesn't get new features nearly as often.....and experimenters largely prefer GNU/Linux.
    anonymous
  • I had to laugh at this comment: "With Windows servers, they are so expensive that they are more likely to be deployed by professionals...not experimenters"

    LOL, give me a break, every computer you buy comes with a copy of ms windows. One must spend a bit more effort to obtain a linux powered system - so ms windows is indeed the platform of choice for joe average, while serious linux users tend to be among the intelligentsia.

    The problem here is the methodology of the study - a rather goofy methodology, once you look at it, and one guaranteed to yield bizarre results. We all know, for instance, that the main security issue of the past year has been the proliferation of microsoft worms and virii, one after another. So this so-called study begins by discarding all the serious microsoft security issues, then focuses on what's left, which would by design, look mainly at non-microsoft systems.

    I'd love to see their methodology for determining the number of "successful" linux attacks, if only to satisfy my morbid curiosity - I'm sure it will be quite amusing, given the firm's history and reputation. Go look them up on google for a heads-up!
    anonymous
  • Mi2g is a very dodgy company. I'm not sure you want to be putting up their stuff :-/


    http://www.attrition.org/errata/charlatan/mi2g-history.html

    http://www.theregister.co.uk/content/55/28233.html
    anonymous
  • Did they control for the number of servers? And how did they distinguish servers from other computers? I'd guess that they measured fewer Windows "servers", and have conveniently defined all those compromised Windows desktops as "non-servers".

    This sort of result is simply blatantly false on its face. Look around you: how many Windows boxes do you see, and how many of their owners live in fear of the next worm? In my environment (I'm a university sysadmin), I see many hundreds of Windows boxes, *most* of which have been compromised in the past year. I also see somewhat fewer (still hundreds) of Linux boxes, of which perhaps one a year is compromised, mainly because someone has forgotten it.
    anonymous
  • This is just the beginning of the mess.

    For years other operating systems have borne the brunt of millions of users immediately grabbing up any new technology. The average Linux Joe, on the other hand, had to be someone smart enough to set up his swap partition and figure out how to create a new user after he figured out how to use deb packages. Other systems like Windows, on the other hand, had everyone's mom and some people's pets using the OS, along with Turing award winners as well as Nobel laureates.

    The scope of the mess was much greater.
    Now that Linux has claimed its way to the marketplace and laughed at others, often attacking the person instead of the reasoning, welcome. Let's see what happens when the shit hits the fan.

    The last we heard was the Debian server breach due to kernel flaws, and now stuff like this:
    http://news.com.com/2100-1002_3-5162055.html?tag=nefd_top
    (Did I miss a lot in between ?)

    You are yet to add your 200 cool new usability features and a usable clipboard and an integrated scripting environment and a component model in your OS. Let's see these things become pervasive standards in the OS instead of being locked to one small subset of applications, and then let's see how you fare.

    While you are here, welcome.
    Don't run away, and you are welcome to attack me instead of the reasoning, and you are welcome to pull out your obscure examples.

    - Spark
    anonymous
  • That doesn't mean that Linux servers are bad. The fact is that there are more Unix servers than Windows servers, and the information hackers would like to have is on Unix servers, not on Windows servers. They tried to attack Linux servers. They didn't even try to attack Windows servers, so there could be more attacks on Linux servers. The other thing is, how did the company count attacks? How can you count attacks if you don't even know whether there was an attack or not? If people counted attacks, they could make up something unreal. If software counted attacks, it could be a bit sillily programmed. One of my friends works in one software company, and he says they found out that Windows servers are easier to successfully break into. And that Linux servers are harder to break into if their properties and config files are set correctly. If there are some penniless people who buy Linux servers because of no fee and they can't configure config files, that's their problem. This data on this site is something bla bla bla... :P
    anonymous
  • Well. I agree that they counted more Linux servers! They didn't count my Linux server, which is quite important; it was attacked several times but they didn't manage it :> I agree with the man who wrote that if you are a good config-file writer no one can break in :) Not even you yourself :P Could anyone tell me how to count hacker attacks? No one can count hacker attacks =) There is no way of doing it :P
    anonymous