Linux Getting Harder To Crack 553

AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study, default installations are now more secure with fewer services enabled by default; added to this, newer versions of software such as OpenSSH are more secure. Interestingly, Solaris 8 and 9 did not fare so well."
  • by CajunArson ( 465943 ) on Monday January 17, 2005 @09:56PM (#11391629) Journal
    Yes this story has already been posted. But don't worry! Since there is no link to Netcraft it will be duped again when there is official confirmation!
  • cracked (Score:4, Funny)

    by bryan986 ( 833912 ) on Monday January 17, 2005 @09:57PM (#11391631) Homepage Journal
    I cracked a linux box in 30 seconds... ...with a hammer
  • Owned? (Score:5, Funny)

    by Klar ( 522420 ) * <curchin.gmail@com> on Monday January 17, 2005 @09:57PM (#11391635) Homepage Journal
    it takes about 3 months before an unpatched Linux machine will be owned
    Maybe I'm wrong, but shouldn't it be pwnd or 0wned or 0wn3d or 0\/\/|/|3|) or some variation on that instead of owned
    • Re:Owned? (Score:5, Funny)

      by eclectro ( 227083 ) on Monday January 17, 2005 @11:35PM (#11392189)
      Maybe I'm wrong, but shouldn't it be pwnd or 0wned or 0wn3d or 0\/\/|/|3|) or some variation on that instead of owned

      Yes, you are correct. The problem is Slashdot doesn't have spell-check yet.
    • You are absolutely correct. I have no idea why you are (currently) modded "funny". It's common to adopt the l33t spelling in the security community as a way of poking fun at the script kiddies.
    • Re:Owned? (Score:4, Funny)

      by Master of Transhuman ( 597628 ) on Tuesday January 18, 2005 @12:07AM (#11392355) Homepage

      How about "pawned"?

      Since none of the /. nerd-boys can afford to actually BUY a computer since they're spending too much time on /. instead of working for a living...

      (I can't wait for the "What's YOUR excuse?" responses...)

    • Re:Owned? (Score:3, Funny)

      by Technician ( 215283 )
      it takes about 3 months before an unpatched Linux machine will be owned

      Nope, that's about right. As a newbie I put Slackware on a machine and it took about that long to get X to work with my AGP video card. Until I got a GUI, I didn't feel like I was in control. ;-)
  • interesting (Score:5, Funny)

    by tuxter ( 809927 ) on Monday January 17, 2005 @09:58PM (#11391642) Journal
    "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past."

    "A study conducted by the Honeynet Project has found that it takes about 3 minutes before an unpatched Windows SP2 machine will be owned, compared with about 72 seconds in the past."
  • As a Linux User... (Score:3, Interesting)

    by agraupe ( 769778 ) on Monday January 17, 2005 @09:59PM (#11391646) Journal
    I am happy to hear this, as I run a linux box. These reports are mostly moot, however, because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer. My unfirewalled SP1 Windows XP box has fared similarly to my linux box, with just a bit of spyware.
    • wow linux user with a linux box!!1
    • by eln ( 21727 ) on Monday January 17, 2005 @10:08PM (#11391711)
      because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.

      To create a zombie for a DDoS attack, to host child pornography or warez, to use as a spam relay. All of these and more are reasons home computers are attacked. All they want are more systems in their arsenal, to make them more resilient and more effective. It doesn't make much difference if it's a home PC or a workstation in some office somewhere.
      • by gid13 ( 620803 ) on Monday January 17, 2005 @10:30PM (#11391852)
        His point was that nobody's going to bother going through a router to do that when there are innumerable completely unprotected boxes out there.
        • by khasim ( 1285 )
          His point was that nobody's going to bother going through a router to do that when there are innumerable completely unprotected boxes out there.
          Every home machine that's been cracked has been cracked through a router.

          Did he mean "firewall" instead of "router"?

          I don't think he did, because he referred to his "unfirewalled SP1 Windows XP box".

          Unless he refers to a NAT'ing device as a "router".
          • "Every home machine that's been cracked has been cracked through a router"

            No it hasn't. Beyond the false assumption that every machine ever cracked was directly behind a router (aka cheapo Linksys), many/most zombies come from people plugged directly into the Net with no buffer. How do you think all of those worms spread so fast when all they do is simple port scans to find hosts to propagate with? Scans that a router running NAT would block. The real threat comes from users plugged directly into their
            • by Rosonowski ( 250492 ) <.moc.liamg. .ta. .ikswonosor.> on Monday January 17, 2005 @11:10PM (#11392074)
              You're thinking of router in the "linksys little blue box" sense of the word.

              How do you think your traffic gets from point A to point B on the net, though? Routers.
            • by mad flyer ( 589291 ) on Monday January 17, 2005 @11:17PM (#11392113)
              Technically it's more PAT (port address translation) rather than NAT (network address translation).

              On cisco it's also the "nat overload".

              NAT leaves you somewhat vulnerable; it's an address-for-address mapping (many to many). Don't feel secure with NAT without firewalling.

              PAT is much more closed (many to one).

              It's also true that everyone says NAT when they do PAT.
              • [pedant_mode]
                Hmmh. I see the point that "network address translation" kind of implies a one to one relation between external and internal addresses.

                However, to me "port address translation" sounds worse because the *network address* is still the key thing that gets changed in a many-to-one situation. The fact that the router assigns a new client port for outbound connections is just a side effect. The server and client still use the same ports, regardless of what the router does in between.

                "PAT" sounds more logical
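The NAT-versus-PAT distinction argued over above is easier to see in code than in prose. The following is an added example, not code from the thread: a toy gateway model with constructed addresses (RFC 5737 documentation ranges) showing why an unsolicited inbound connection reaches an internal host through an address-for-address (1:1) NAT mapping, but is dropped by a PAT device unless a reply mapping exists or the owner added an explicit port forward. Real devices also track TCP state and expire mappings; that is left out.

```python
"""Toy model of 1:1 NAT versus PAT ("NAT overload") at a home gateway.

Added example, not code from the thread: the gateway classes, addresses
and probes are all constructed here.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneToOneNat:
    """Static address-for-address NAT: one public IP per internal host."""

    def __init__(self, public_to_private):
        self.pub_to_priv = dict(public_to_private)
        self.priv_to_pub = {v: k for k, v in public_to_private.items()}

    def outbound(self, pkt):
        return replace(pkt, src_ip=self.priv_to_pub[pkt.src_ip])

    def inbound(self, pkt):
        priv = self.pub_to_priv.get(pkt.dst_ip)
        if priv is None:
            return None
        # Every port on the public address is passed through, solicited or
        # not, so the inside host is exposed as if it sat on the Internet.
        return replace(pkt, dst_ip=priv)


class Pat:
    """Port address translation: many internal hosts behind one public IP."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})  # public port -> (private ip, port)
        self.table = {}  # (remote ip, remote port, public port) -> (private ip, port)
        self.next_port = 40000

    def outbound(self, pkt):
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst_ip, pkt.dst_port, pub_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt):
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if entry is not None:  # reply to a connection an inside host opened
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:  # the owner deliberately exposed this port
            return replace(pkt, dst_ip=fwd[0], dst_port=fwd[1])
        return None  # unsolicited and unmapped: dropped


def probe(gateway, public_ip, port, scanner_ip="198.51.100.7"):
    """Where does an unsolicited SYN to public_ip:port land? None if dropped."""
    delivered = gateway.inbound(Packet(scanner_ip, 55555, public_ip, port))
    return None if delivered is None else (delivered.dst_ip, delivered.dst_port)


def compare_gateways():
    """Run the same probes against both gateway types (constructed hosts)."""
    nat = OneToOneNat({"203.0.113.10": "192.168.1.10"})
    pat = Pat("203.0.113.20", forwards={8080: ("192.168.1.20", 80)})
    results = {
        "nat_ssh_probe": probe(nat, "203.0.113.10", 22),
        "pat_ssh_probe": probe(pat, "203.0.113.20", 22),
        "pat_forwarded_probe": probe(pat, "203.0.113.20", 8080),
    }
    # An inside host opens a connection; the reply matches the translation
    # table and is delivered, which is how ordinary browsing gets through.
    out = pat.outbound(Packet("192.168.1.30", 51000, "198.51.100.7", 80))
    reply = pat.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    results["pat_reply"] = (reply.dst_ip, reply.dst_port)
    return results


if __name__ == "__main__":
    for name, value in compare_gateways().items():
        print(f"{name}: {'dropped' if value is None else value}")
```

The model makes the thread's point concrete: the PAT box drops the scan on port 22 only because no state and no forward exist for it, so a forwarded port (8080 here) or a 1:1 mapping puts the inside host straight back on the scanner's radar, which is why the advice is still to firewall rather than trust the translation alone.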
            • by mabinogi ( 74033 ) on Tuesday January 18, 2005 @12:04AM (#11392340) Homepage
              Before you post another word on this topic, please demonstrate that you have the slightest idea what you're talking about by defining the following words for us:

              1. Hub
              2. Switch
              3. Router
              4. Firewall
              5. NAT
              6. Proxy
              7. Modem

              Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.
              • by Dimensio ( 311070 ) <[moc.uolgi] [ta] [ratskrad]> on Tuesday January 18, 2005 @12:40AM (#11392540)
                Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

                http://www.ietf.org/rfc/rfc1149.txt?number=1149
              • by ultranova ( 717540 ) on Tuesday January 18, 2005 @07:22AM (#11393864)

                Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

                Simple.

                Computer A is set to capture its outgoing packets and print them onto a piece of paper. This paper is then given to a ninja, who leaps to the other side of the world, types the packet into machine B, and sends it through the loopback device. 0wn3d!

                Moral: firewalls are no defense against ninjas! In fact, don't have a firewall, because if you do, a ninja will come and 0wn your computer, then flip out right there! You wouldn't want a ninja to flip out in your house while you're asleep, now would you?

      • by Ubi_NL ( 313657 )
        If the software is installed via social engineering, the zombie can just 'phone home' and the router will happily pass the traffic.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday January 17, 2005 @10:17PM (#11391765)
      These reports are mostly moot, however, because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.
      What do you mean by "router"? There are probably several routers between your computer and any other computer on the Internet.

      And most of the spam I see is from home machines that have been cracked (zombies).

      Not to mention the DDoS zombies out there.

      They'd be happy to get your credit card info off of your home machine, but they attack to turn you into a zombie with bandwidth.
      • by agraupe ( 769778 ) on Monday January 17, 2005 @11:05PM (#11392052) Journal
        I do mean NAT/hardware firewall/router thingy. And, yeah, my point was that there are enough unprotected boxes out there that it doesn't make sense to hack through said NAT/firewall device, unless there was sure to be something tempting on the other side, in much the same way that having a deadbolt will protect you from most home breakins.
        • The "little blue box" is usually both a router AND a hub, and uses NAT (not much good to Joe HomeUser otherwise, since he probably bought it to link up his computers in a home network and connect them all to the net through a single i.p. address). This is enough to deter the script kiddies, unless you've gone and left all your services running without restriction or simply port-forwarded everything under the sun to a computer on your home network without thinking about it.

          Combine the little blue box with
    • by Le Marteau ( 206396 ) on Monday January 17, 2005 @10:21PM (#11391789) Journal
      My unfirewalled SP1 Windows XP box has fared similarly to my linux box, with just a bit of spyware.

      As far as you know. Gone are the days of random vandalism, where if your box was cracked you knew about it the next day. Today's box is owned not to trash it, but to use it. If your Windows box is owned, you won't always know about it, until it is sold called into use to serve its new master.
      • " Today's box is owned not to trash it, but to use it. If your Windows box is owned, you won't always know about it, until it is sold called into use to serve its new master."

        That's true of any OS, not just Windows.
    • by thrillseeker ( 518224 ) on Tuesday January 18, 2005 @01:48AM (#11392784)
      My unfirewalled SP1 Windows XP box has fared similarly to my linux box, with just a bit of spyware.

      Being infected with "just a bit of spyware" is like being just a little bit pregnant.

  • SCO (Score:3, Funny)

    by Anonymous Coward on Monday January 17, 2005 @10:00PM (#11391655)
    SCO is the easiest to crack judging from all of the smoking going on there....
  • by PornMaster ( 749461 ) on Monday January 17, 2005 @10:00PM (#11391658) Homepage
    My day job's in a big hosting facility, and it was a surprise when setting up RHEL 3.0 that it had by default quite the restrictive iptables ruleset which let very little besides SSH through, and pam_tally was set up in the install, so 5 login failures locked out the account.

    Quite refreshing to see, since I was doing the install for a customer who'd decided to go for a reimaging because their machine had been compromised.
    • Re-image because of a little thing like the box being owned? I worked for one place that let some SunOS (not Solaris) machines go after being compromised because our sites were working, and the sysadmin didn't know what they did. (At least these machines didn't process credit cards.)

      This was before I worked there, and when the current sysadmin started he bought some linux (or BSD, I'm not sure) servers and moved over to something more secure. Hasn't had a problem yet.

    • A few years ago I got a DSL line for my lab (back when that was still new and cool :-) and some of the boxes we were using were doorstop Pentium-60 and Pentium-133 machines that had become surplus when their users got newer machines. The P133 was running Win98 or maybe Win95, with all the MSOffice apps that a secretary had used (initially set up by our IT department), plus some Netscape and a shareware web server and such that I'd added. The P60 was running RedHat 6, installed right out of the box with m
  • by Anonymous Coward
    Comparing new and revised Linux installs to old and decrepit Solaris 8 & 9 installs. Distros release new versions at least once a year while Solaris 9 was released... when? A couple years ago? A default install with patches from the last 6 months versus a default install that is 2 years or so stale. Which one wins?

    DUH!
    • Solaris 9 (while we wait for the 'open-source' 10) is in current use in 'enterprise' situations.

      So presumably any compromise of a Solaris production system may mean big trouble for its operating companies.

      This, I would suggest, is the reason for the comparison.
  • by spac3manspiff ( 839454 ) <spac3manspiff@gmail.com> on Monday January 17, 2005 @10:02PM (#11391676) Journal
    Here's a summary:
    (Ranked from most crackable to least crackable)
    Linux>Solaris>Glass>Windows
  • by Anonymous Coward on Monday January 17, 2005 @10:03PM (#11391680)
    De John Wisniewski - a memorial [openvms.org]

    The game began at 10 a.m. on Friday. The VMS machine on the Green team was configured with Apache web server. As we are aware, VMS is an extremely secure operating system. While many of the other boxes in the room, mostly Unix, linux, and forms of windows, and even a Macintosh, were compromised and subsequently attended to by their masters, the VMS system remained intact. Here is where a real security issue comes into play.

    We were very confident of the VMS box, and a lot of interest was generated by it. In the spirit of spreading the good word and educating the people about VMS, we ended up answering a lot of questions about VMS, and showing how the machine automagically added user accounts, and demonstrated the various terminal games and web pages which had been created. We were also aware that, in this crowd of 5000+ hackers, someone might be able to weasel their way into the machine if any security measures were taken lightly.

    As events would have it, we had an issue, which we did not understand, with the operation of the serial port used as the operators' console. At 2:00 a.m. Saturday morning the system manager decided to telnet to the box in order to do some routine checks. Using Telnet in an environment with 5000 hackers on your network is an insecure method of administering a computer system. A lot of people were fascinated by the VMS system, and had asked many questions about it, shoulder-surfing the console operator, who of course answered their questions in this friendly game of an environment.

    One of the hackers who had been showing a lot of interest in the VMS box happened to be sniffing packets from the system manager's PC. He discovered the password to the account, a simple procedure any 13 year old kid can pull off with ease after a little social engineering. The hacker logged in, and placed a couple text files (his mark for points) in the manager's user directory, and then notified the system manager in order to claim the points. There were no points for hacking the machine because the files were placed in a user directory instead of the `root' VMS directory. He was awarded 10 points for social engineering.

    Was this an instance of VMS being hacked? No, it was just a circumstance where a privileged login session was passed in plaintext over a network with 5000 mechanics, social engineers, and hackers on it. By using a telnet session on an open network, the system managers' login information was freely made available to any who cared to record it. Giving away your login info in this way to a hacker who subsequently uses it does not constitute being hacked, it constitutes an error in security procedure. The thought of improved security, such as some level of encryption for telnet on VMS, immediately comes to mind. Be very afraid.

    The Alpha was disconnected from the haxor network, the serial port issue (our fault alone) was fixed, and the network was reconnected. The incident did not repeat, nor did any hack whatsoever of the VMS system take place during the event. The hackers bombarded the box with telnets and ftp attempts to every bizarre port number imaginable, obscure ports in the 40,000 range and more. The word of the early-morning incident had spread, and those seeking glory and a reputation besieged the box.

    Another kind of social engineering, involving a clever lie intended to trap those who would think it cool to hack the NOC, was presented in this way: People came by, with an IP address, saying, "here is the IP address for the NOC, have fun". It was really an outside IP address, and this was a ruse to make those who listened lose points for attacking sites outside the defcon network. Hacking outside the CTF network was forbidden.

    As the game progressed, the goons announced that there were not enough hackers (huh? The tables were *full* of people). To make it more enticing, the point award for placing your mark in the root directory of a server
    • Hard to hack a box that has no root.
    • Interesting. (Score:5, Interesting)

      by jd ( 1658 ) <imipak AT yahoo DOT com> on Tuesday January 18, 2005 @12:05AM (#11392344) Homepage Journal
      Personally, I'd have set the scoring up on a sliding scale, so that easier-to-hack boxes scored fewer and fewer points, the more they were broken into. If a system isn't getting any harder, then it damn well shouldn't be worth anything. Likewise, if a box was surviving all-out assaults, it should be gaining in value.


      (The idea being to discourage people from playing at skript-kiddie, but concentrating on the real challenges. Using the above logic, if a box was "practically uncrackable", the incentive should be so great that it becomes almost the sole focus.)


      As for Linux, a correctly-configured hardened box should come close to VMS in security. The sorts of things that you could configure to do this are as follows:


      • Configure iptables to block ports that should not be visible from the outside. Either that, or get it to return spurious data, to confuse scanners.
      • Use one (or preferably two) of SE-Linux, GRSecurity and RSBAC, to make it hard to actually use any exploits that are found.
      • Disable insecure protocols where possible. If you have to use them, run them over IPSec.
      • If a server isn't time-sensitive, then use a bounds-checker such as ElectricFence to reduce the risks.
      • Use a pro-active NIDS to block suspicious traffic (usually an indicator of a scan).
      • Verify file permissions with a utility such as TARA, although that one might be a little old these days.
      • Scan for weaknesses with the latest Nessus and -at least- one other independent security scanner.


      The reason for so many steps is that Linux is flexible. Flexibility, if used well, can make for an extremely tough system. If used badly, it can make for a highly vulnerable system. Mistakes are not always easy to catch, so it's better to have enough independent redundancy that a failure isn't catastrophic.


      VMS had flaws, too, and could be easily mis-configured. (Being able to put DCL scripts in mail subject lines was plain stupid.) But, again, if set up well, was virtually bullet-proof.
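One item on the hardening list above, verifying file permissions the way TARA does, is simple enough to show end to end. The following is an added example, not code from the thread or from TARA: it walks a directory tree and reports world-writable files, world-writable directories that lack the sticky bit, and setuid/setgid files. The sample tree is constructed in a temporary directory so the script runs stand-alone; on a real host you would point `audit_permissions()` at `/` or at the system directories you care about, and the list of modes it flags is an assumption chosen for this example.

```python
"""TARA-style permission check: find risky mode bits under a directory tree.

Added example, not code from the thread or from TARA. The sample tree is
constructed in a temp directory so the script runs stand-alone.
"""
import os
import shutil
import stat
import tempfile


def audit_permissions(root):
    """Return a sorted list of (relative path, finding) for risky modes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are meaningless
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(mode):
                # /tmp-style 1777 is normal; 0777 lets anyone delete others' files
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((rel, "world-writable directory without sticky bit"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            if mode & stat.S_ISUID:
                findings.append((rel, "setuid file"))
            if mode & stat.S_ISGID:
                findings.append((rel, "setgid file"))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree with a clean and a risky example of each kind."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    os.mkdir(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)     # sticky bit set: acceptable
    os.mkdir(os.path.join(root, "upload"))
    os.chmod(os.path.join(root, "upload"), 0o777)   # no sticky bit: finding
    for name, mode in [("ok.conf", 0o644), ("loose.conf", 0o666),
                       ("suidbin", 0o4755), ("sgidbin", 0o2755)]:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def run_sample_audit():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_permissions(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, finding in run_sample_audit():
        print(f"{finding}: {rel}")
```

Running it periodically and diffing the output against a known-good baseline is the cheap version of the "independent redundancy" argued for above: a new setuid binary or a directory that suddenly went world-writable shows up even when whatever put it there was not caught.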

  • by Bucket Truck ( 788240 ) on Monday January 17, 2005 @10:07PM (#11391701) Homepage
    I just read an article at the Register (linking to an old article on http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm [usatoday.com]) about un-patched XP SP1 machines only surviving for 4 minutes when connected to a broadband connection. Within 10 hours the hackers had an IRC channel running on the machines.
  • FreeBSD? (Score:4, Interesting)

    by SubTexel ( 715118 ) on Monday January 17, 2005 @10:11PM (#11391732)
    Well, they list it in the list but give no data on it whatsoever. So one is to assume FreeBSD was never hacked from the data presented (or lack thereof). Way to go BSD!
  • by jonastullus ( 530101 ) on Monday January 17, 2005 @10:16PM (#11391763) Homepage
    i have said it before and i will say it again: only because more and more people stand up to state how superior and ultra-safe linux is, won't necessarily make it so!

    if it is indeed true what this study claims then i am the first to applaud the kernel guys and the distribution makers.

    but there are facts that won't change:

    - software monoculture is BAD (no matter what the monoculture consists of)
    - linux is NOT the safest alternative out there (compare *BSD, VMS, ...)
    - there have been an alarming number of exploits as well for the kernel itself (local root exploits, anybody) as also many exploits for user land applications (mplayer, mpeg123, mozilla, ...). therefore it is as questionable a time to glorify linux as it will ever be.

    SECURITY IS A PROCESS NOT A STATE!

    please, dear media (and also dear slashdot), make an effort to educate people in security matters instead of putting some solution on the "security pedestal". don't make claims about the absolute security of any alternative.

    the complete solution is what makes and breaks security, not the components, and without adequate, highly trained and proficient personnel it will always be near impossible to achieve truly secure (whatever THAT means) solutions.

    well, at least the uprising unices make it easier for the proficient and maybe even raise the security bar for the amateurs, but alas this is not an end to itself!

    jethr0

    • well, at least the uprising unices make it easier for the proficient and maybe even raise the security bar for the amateurs, but alas this is not an end to itself!
      I would argue that by raising the bar of those qualified to attack your systems you are actually decreasing the security of your systems.

      And yes, I've been here a long time...
      davidu

    • by egarland ( 120202 ) on Tuesday January 18, 2005 @12:05AM (#11392345)
      SECURITY IS A PROCESS NOT A STATE!

      Wrong. Security is a state. Securing is a process. Look them up, they're in the dictionary.

      I usually hear that quote from people who want to make a living out of implementing security. The fact is, with the current state of systems, a lot of time needs to go in to creating a secure system and keeping it secure. This is not inevitable however. As time goes on, computer systems and networks will simply be more secure by default, especially thanks to all the hackers out there that find the holes and let us know about them (often times via the always funny "I infected you with a virus" method).

      software monoculture is BAD

      There are huge powerful upsides to a monoculture. Sure there are downsides too but I think in the end we will have one and it will be a huge benefit, even to security.

      ... without adequate, highly trained and proficient personnel it will always be near impossible to achieve truly secure (whatever THAT means) solutions.

      And 640K should be enough for anyone.

      If you really think that it is impossible for security to happen automatically, ask your self exactly what is it that a security professional can do that it is theoretically impossible to automate.

      • No. You make too many assumptions in your post. What you are saying is somewhat akin to claiming humanity will someday reach a point where violence is non-existent.

        If the security gets better (just like it has over the past 40 years) it's because the good guys are usually behind by a few steps; if they weren't behind they wouldn't know what to secure, or why. Even given the assumption that security somehow catches up with what the people attacking the systems are doing, you're also assuming that the people do
  • 133t... (Score:5, Funny)

    by bender647 ( 705126 ) on Monday January 17, 2005 @10:18PM (#11391772)
    But there was bad news for Solaris users, with three out of the four honeypots running Solaris 8 or 9 hacked within three weeks. However, a fourth has been online for six months without being compromised.

    Stop nagging, I'll get to it.

    • Re:133t... (Score:5, Funny)

      by StikyPad ( 445176 ) on Monday January 17, 2005 @11:40PM (#11392217) Homepage
      But there was bad news for Solaris users, with three out of the four honeypots running Solaris 8 or 9 hacked within three weeks. However, a fourth has been online for six months without being compromised.

      Stop nagging, I'll get to it.


      It's not that all 4 weren't compromised, it's just that they didn't notice me. I guess you're the one they caught on the first 3? It's okay, keep practicing. ;)
  • by MerryGoByeBye ( 447358 ) on Monday January 17, 2005 @10:24PM (#11391813) Journal
    Parding is such suite sorrough...
  • by Anonymous Coward
    This is just another example of how hardening keeps your servers from getting compromised. Red Hat and SuSE Linux systems now ship with every remote service in xinetd deactivated and most have a default firewall active at installation. This partly reflects the lessons we've learned with Bastille Linux [bastille-linux.org], a hardening program for SuSE, Debian, Fedora, RHEL, HP-UX, and OS X. What's interesting is that while new releases of HP-UX are shipping with Bastille pre-loaded and runnable at installation, giving the u
  • Unpatched? (Score:5, Insightful)

    by Brandybuck ( 704397 ) on Monday January 17, 2005 @10:31PM (#11391863) Homepage Journal
    Why even bother testing unpatched Solaris when Sun specifically tells you to patch your boxes? It's like never changing your car's oil and then complaining that it breaks down too often. It's almost, but not quite, as stupid as complaining your burrito is frozen because you didn't read the microwave directions.
  • It's been discovered that it takes about 3 months before an owned Windows machine will be patched.
  • of course solaris 8 and 9 didn't fare as well as Linux: you have to wait for Solaris 10 [com.com] to get the magic open source effect on security;-)
  • Half Truth (Score:5, Insightful)

    by aoptik ( 792350 ) on Monday January 17, 2005 @10:55PM (#11391990) Homepage

    Gene Spafford was interviewed by linuxplanet [linuxplanet.com] a couple of years ago. He says why linux isn't completely secure; even though it is an outdated interview, I would like to say most of his ideas do make sense even today.

    Even if those honeypots are harder to penetrate, that does not mean drivers, or individual applications that many people use, are designed with security in mind first. Hackers are always going to be around; all this means is that script kiddies are going to be able to do less and less to break into a linux box, but more sophisticated hackers are going to want to try harder and within time. You will have the same problems; just like in real life an ADT system can make your home safer, it does not mean you still will not get broken into. Plus, within this article you should be asking who are the security experts?

    All in all I would hope people read this article in hopes that linux is their solution to security out of the box. In other words, if you believe in security do not rely on the distro. to be 80% secure; even if you locked the system up tight like you're supposed to, you still have a good chance of getting hacked. This article is just showing business people in the IT world that they can set up linux and not need an administrator with good expertise to be hired; instead of that person they can pay half as much with little experience to manage the network because linux is so secure. See where I am going with this article?

  • by jjb ( 250135 ) <jay@nOsPaM.bastille-linux.org> on Monday January 17, 2005 @10:57PM (#11392002) Homepage
    The question is entirely one of pre-install system hardening. Solaris 9 barely improved anything hardening-wise over Solaris 8. It still ships with over 60 TCP ports open, a large number of UDP ports open, and some default-listening network services that have been deprecated for over five years, like tnamed. tnamed is the Trivial name daemon and pre-dates DNS!

    Red Hat, on the other hand, has moved to both turning no remotely-accessible inetd/xinetd services on by default and offers an easy install-time firewall that works transparently on workstations and very simple servers. The difference in exposure of vulnerabilities to attackers is tremendous. The vulnerabilities may still be there, but the attacker often can't get to them or can't get the same level of privilege out of them. For instance, running OpenSSH in privilege-separated mode the way most Linux distros do now means that some exploits don't work, while others only grant the attacker non-root access.

    Linux vendors/creators have led the commercial Unix world in pre-install hardening - I like to think this is due in part to the success of Bastille Linux [slashdot.org], a hardening program for SuSE, Red Hat/Fedora, Debian, and Mandrake Linux, as well as HP-UX and Mac OS X. Bastille ships on recent HP-UX O/S's, is available from both Debian and SuSE as a vendor-supplied package.
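The exposure argument in the post above (60-odd open TCP ports on a default Solaris install versus no remotely reachable xinetd services on Red Hat) comes down to two checks an administrator can script. The following is an added example, not code from the thread or from Bastille: it parses `ss -ltn` output to find listeners bound to non-loopback addresses and compares them with an allowlist, and parses `/etc/xinetd.d`-style entries to list services that are not disabled. The `ss` output, the xinetd entries and the allowlist are all constructed for this sample host; on a real machine you would feed it the live command output and the real files.

```python
"""Exposure audit: which network services can a remote attacker reach?

Added example, not code from the thread or from Bastille. The `ss` output,
the xinetd entries and the allowlist below are constructed for the sample.
"""
import re

# What this sample host is meant to expose to the network (assumption).
ALLOWED_TCP_PORTS = {22}

# Constructed `ss -ltn` output: sshd on all interfaces, a local-only MTA,
# and two legacy listeners (portmapper on 111, time on 37) nobody asked for.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       5       0.0.0.0:111          0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      0.0.0.0:37           0.0.0.0:*
"""

# Constructed /etc/xinetd.d entries. xinetd treats a service as enabled
# unless it carries "disable = yes" (or is named under "disabled =" in the
# defaults section, which this parser does not model).
XINETD_FILES = {
    "telnet": "service telnet\n{\n    disable = no\n    socket_type = stream\n"
              "    server = /usr/sbin/in.telnetd\n}\n",
    "time": "service time\n{\n    disable = yes\n    type = INTERNAL\n"
            "    socket_type = stream\n}\n",
    "echo": "service echo\n{\n    type = INTERNAL\n    socket_type = stream\n}\n",
}

LOOPBACK = {"127.0.0.1", "::1"}


def exposed_ports(ss_text):
    """Ports of LISTEN sockets bound to a non-loopback address, sorted."""
    ports = set()
    for line in ss_text.splitlines()[1:]:  # skip the header line
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)
        if addr.strip("[]") in LOOPBACK:
            continue  # reachable only from the host itself
        ports.add(int(port))
    return sorted(ports)


def unexpected_ports(ss_text, allowed=ALLOWED_TCP_PORTS):
    """Exposed ports not on the allowlist: the attack surface to remove."""
    return [p for p in exposed_ports(ss_text) if p not in allowed]


def enabled_xinetd_services(files):
    """Names of xinetd services whose config does not say 'disable = yes'."""
    enabled = []
    for name, text in files.items():
        m = re.search(r"^\s*disable\s*=\s*(yes|no)\s*$", text,
                      re.MULTILINE | re.IGNORECASE)
        if m is None or m.group(1).lower() == "no":
            enabled.append(name)
    return sorted(enabled)


if __name__ == "__main__":
    print("exposed TCP ports:", exposed_ports(SS_OUTPUT))
    print("not on allowlist:", unexpected_ports(SS_OUTPUT))
    print("enabled xinetd services:", enabled_xinetd_services(XINETD_FILES))
```

The two lists are the difference the post is describing: a vulnerability in a daemon that is bound to loopback, disabled in xinetd, or blocked by the install-time firewall is still a bug, but it is not reachable, and a hardened default install is the one where both lists come back empty before the first patch is ever applied.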

  • by Peter Cooper ( 660482 ) on Monday January 17, 2005 @11:09PM (#11392069) Homepage Journal
    When we rolled in Linux to automate our internal business systems, security was at the top of the flag pole for us. Our old systems (AIX) had suffered from numerous repetitive flaws particularly in areas of allowing certain connections and not allowing others, which posed a significant problem when it came to securing the entire network from outside abuse.

    We analyzed the various systems available to us at the time we were making the rearchitecture decision, some six months ago or so, and quite rapidly we reached a decision based on the data. That is.. Linux would be more secure in our company because we already have the technical people using Linux outside of work who would be able to already understand the system and be able to fix specific and non-specific security issues themselves rather than having us rely on an outside contractor or vendor. This meant we could buy vanilla beige boxes and install Linux, set up all of our business processes, all without having to go to one of those vendors such as RedHat, Sun, or one of the other many vendors in the Linux field.

    So, security is a strong concept of safeness for us, and we're glad we're running Linux.
  • by slashname3 ( 739398 ) on Monday January 17, 2005 @11:20PM (#11392123)
    Interesting study, not all that surprising.

    How about a study like this against the various NAT/routers being used out there? How easy is it to own systems sitting behind those? This appears to be the standard anymore for the millions of cable/dsl connections.
  • Client Side Attacks (Score:5, Interesting)

    by neonfreon ( 850801 ) on Monday January 17, 2005 @11:40PM (#11392212)
    What about client side attacks, such as attacks against web browsers and email clients? These kind of security problems comprise a large portion of attacks against Windows based machines, and with the rising popularity of cheap routers that provide good protection to home users via firewall and NAT rules that will prevent direct attacks against daemons, client side attacks will be rising in popularity over the next few years, and cheaply available firewalls won't do anything to help.

    Of course, this kind of analysis would require a more involved approach to testing O/S security, rather than just installing an O/S, throwing it on the internet and sitting back and waiting for whatever randomly happens to it to happen, which doesn't really seem to be the way honeynet likes to operate.

    Keep in mind that Honeypots were originally intended to track the behavior of so called blackhats, not to analyze the security of operating systems, and they probably aren't the best choice for the job.
  • by one_n_only_wildcat ( 847689 ) on Tuesday January 18, 2005 @12:14AM (#11392388)
    There is a way to a 100% secure system..

    http://www.worleybuggerflyco.com/flytyingtools/arr ow_diagram.jpg [worleybuggerflyco.com]

  • by hallucination ( 99572 ) on Tuesday January 18, 2005 @01:21AM (#11392665) Homepage
    Anyone who has even done basic high school statistics can tell you that the numbers in these reports are absolutely statistically insignificant. They don't mean a thing.
  • SELinux (Score:3, Interesting)

    by Sunspire ( 784352 ) on Tuesday January 18, 2005 @02:30AM (#11392911)
    I'm personally wondering how a relatively new system like SELinux combined with Exec-Shield is keeping machines from being rooted. Let's say a cracker compromises your Apache server through a bug in the server itself or a flaw you've introduced yourself through either a CGI or PHP script. He is simply not breaking out of the kernel security context set by the SELinux policy, so what's a hacker to do these days? Would a local root exploit allow you to bypass SELinux? What if there's no root on the system anymore, which is entirely possible? Doesn't that completely mess up the hacker's plans?

    Do people still get rooted running something like Fedora Core 3 with SELinux? I can imagine they do, you just don't really hear about it anymore. Perhaps the system is still too new to tell either way. If every daemon is locked down with a targeted SELinux policy in the future, and I see no reason why you wouldn't want this once someone has done the work of writing the policy, perhaps we'll see a dramatic reduction in compromised systems.
