Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet
An anonymous reader writes: Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet. The full advisory is available for download only with registration, but the (Akamai-owned) Prolexic page to do so is quite detailed.
To remove this... (Score:5, Funny)
So, to remove this do I just have to do this?
sudo rm -r /sbin/iptables
Re: (Score:3)
Re: (Score:2)
sudo rm -r /
It has the advantage of removing all viruses.
Just the ones alphabetically before /lib*/libc+
Watch out - those crazy virus writers will start statically linking!
Re: (Score:2)
Sure, or even simpler: sudo rm -r / It has the advantage of removing all viruses.
Actually, you really should use the 'f' parameter as well, or else the viruses might ask you if you really want to delete it. As in 'rm -rf /'
Oh, and you're welcome!
Re: (Score:2)
Last time I tried that it gave me some error. Something about needing --no-preserve-root
Advisory location ... (Score:2)
Is this it? [prolexic.com]
iptables malware (Score:2)
Oh yes, I am familiar with this iptables malware. I once had a machine running using ipchains, but iptables somehow made its way on to my machine and pretty much just killed ipchains functionality. I could not get it working again no matter how hard I tried. In case it modified my kernel, I even downloaded the latest from kernel.org (2.4.x) and compiled a new one, but to no avail.
I gave up and went to Windows.
CVEs? (Score:2)
CVEs or it doesn't exist.
Any /. article that talks about security vulnerabilities or exploits and does not reference the relevant CVEs in the summary is a worthless piece of shit.
Re: (Score:2)
SOMEONE IS WRONG ON THE INTERNET, I MUST CORRRRRRRECC... Point is, this is the botnet side and the indicators of compromise.
The question I hear more often at $DAYJOB whenever one of these pops up is: "Are we affected?", which more often than not can be answered with some introspection (you know your patching practices), rather than looking at the current patch level. This applies to 90% of the companies.
Why do you care about the CVEs? Just fucking patch it. Unsure if that fixes it? Patch it again. HD leds are blinking in a funny way that makes you think you're affected? PATCH IT HARDER.
Absolutely. Because there's never an issue that can't be fixed by patching. No one ever has an insecure/incorrect configuration. Please send me your resume so I can file it with the other "never hire this moron" resumes. Thanks.
JAVA (Score:4, Informative)
"Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities"
Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java.
To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Re: (Score:3)
To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Right. Just like Nigerian 419 scams are conducted in English, so English is a vulnerability.
Re: (Score:2)
> To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Right. Just like Nigerian 419 scams are conducted in English, so English is a vulnerability.
Interesting parallel - both 419 and this vulnerability stem from people who fail to utilize the absolute minimum of self-protection mechanisms.
And the attackers in both cases deliberately exploit these low-hanging fruits of incompetence. It's a good economic strategy - why pick the high fruit when you don't have to?
Of course, our worries stem
Re: (Score:3)
The applications you mention are all Open Source, which people on here keep insisting are secure.
Re:JAVA (Score:4, Insightful)
The applications you mention are all Open Source, which people on here keep insisting are secure.
Nope. This is a varied community, so people here believe lots of things, but probably not as many believe this simplistic view as you think.
FLOSS applications have the *potential* to be more secure than proprietary/closed source. They also have the potential to become more secure over time if the community/contributors have more resources available to fix security problems than a proprietary vendor. Most importantly, FLOSS applications can be scanned by anyone for bugs and security problems, and fixed by anyone. Those activities are limited for proprietary code to those who have access to it and allowed (by privilege or managerial decree) to fix it or even publicise that there's a problem in the first place.
Depending on the situation (skillset of the development team, size of the team, interest in maintaining and fixing the code), this can either lead to a particular piece of FLOSS or proprietary code being more secure. *In general*, it seems that FLOSS code tends to be more secure because greater resources can be brought to bear, particularly over time as proprietary vendors stop supporting code for older products and move their teams on to something new (gotta keep paying the bills). In some cases that doesn't hold true and proprietary code is more secure.
Re: (Score:2)
Do you know what the vulns are? Tomcat has a list of vulnerabilities on their website but they're all DoS attacks or information disclosure. It's pretty hard to write a Java app that can actually be completely taken over via the network, although I've seen one or two spectacularly dumb web server designs that allowed it anyway (e.g. url parameter names were treated as arbitrary paths through the entire app's object hierarchy using reflection, letting anyone modify any global variable by just doing a GET - no
Re: (Score:2)
Should Linux kernel privilege escalation bugs be called a C vulnerability? No, those are bugs in code that uses a particular language. If you say that the bug was found in the embedded XML parser or any other library that is part of the Java Runtime, I would say yes, but this time no.
Re: (Score:2)
More to the point, they use particular packages written in that language.
A Linux kernel privilege escalation bug is a Linux bug. It's only a C bug if it depends on a violation of the C language standard. C misfeatures aren't bugs, but they sure make me cautious when I use it. In particular, one C misfeature is that it's impossible to check the length of an array at run time. In any lengthy piece of code I get quite paranoid about that. But if I make a mistake it's a bug in my code. In C it's only a mi
Re: (Score:3)
Nope... A vulnerability in a library is not a vulnerability in the underlying programming language. Just because the JRE *is* an execution environment, does not mean that the execution environment being run by a malicious user is a vulnerability in the JRE. That's like saying, there's a vulnerability in C, because Flash is written in C and there's a Flash vulnerability. The point is there is a **critical** vulnerability in older versions of the Struts library, which is used to escalate privileges to the JRE
Dude, no. (Score:2)
From TFA. "Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities" Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java. To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Uh, no. It would be Struts/Tomcat architectural vulnerabilities. Not that various versions of the Java Runtime haven't had vulnerabilities, but in these particular cases, the vulnerabilities were within the software systems, not in the language they were written in or the runtime that hosted them.
Re: (Score:2)
Or more likely a bug in an Apache Commons library they all use.
e.g. Struts is from Apache, Tomcat is from Apache, Elasticsearch is based on Lucene which is also from Apache.
Think of the Childr...Hollywoods (Score:2)
Re:Think of the Childr...Hollywoods (Score:4, Funny)
Are porn sites part of the "entertainment industry"? If so, this is a serious threat and it needs to be dealt with ASAP.
not compromised server, honeypot (Score:2)
If the administrator deliberately activates software known to make a system (Linux, Windows, ...) vulnerable to compromise, that is NOT a compromised server, it is a honeypot. If you make a honeypot, you must mitigate any damage it may cause outside your domain.
Sue the admins of those systems into getting a job compatible with their IT skills (probably involving a toilet brush).
Wow, who would have thought (Score:2)
Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine
Holy misleading headline, Batman! Any server that's not maintained is vulnerable, how is this news other than it's a Linux server botnet? OMG unpatched servers are vulnerable to hackers!
Perl would reduce the incidence of these problems. (Score:2)
This underlines an important point I made previously, that part of the problem here is C/C++ and its manual memory management. Ruby, Perl and Python eliminate a whole class of programming errors by doing memory management automatically, making it easier to develop secure applications. People laugh when you say the web browser should be written in Perl, as the web server should be, but its true. The result would be a safer, and even a faster system because a Perl program would lack as many memory leaks and t
Re: (Score:2)
Since the problem appears to lie in Java libraries, I don't understand your argument at all.
Consider the source (Score:2)
I find it interesting that Akamai is complaining about server vulnerabilities, when something like 30% of all the alarms on our IPS are set off by hosts they control.
Malicious? (Score:2)
Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals
Whatever happened to "the enemy of my enemy is my friend"?
Yes, there's technical solutions like the upcoming Tor-like anonymized version of tribler [tribler.org] that will try to route around the Copyright Crooks-induced Internet Censorship.
Re: (Score:3)
Re: (Score:2)
...Or they should have gentoo'd their installations.
Re:hmmm.... (Score:5, Funny)
They should have installed Gentoo!
In hopes that the 'malicious actors' would get tired of waiting for the required binaries to be built and give up?
Re: (Score:2)
Well if they just had installed Linux.... Oh, damn.
Perhaps they should apply security patches too or perhaps actually TRY to configure their servers in a secure way? No, no other OS's have issues with this.
Re: (Score:3, Insightful)
Re: Hmmm (Score:2)
The vast majority of Linux deployments are on server systems. These are easier to lock down, since there are no users downloading cool stuff and bringing in malware. Generally speaking, a remote exploit is required to bring down a server system. There are two newsworthy things in this report. First, a botnet of (presumably well-connected) Linux machines has been used in a DDOS, probably not the first time this has happened. Secondly, and this should not be newsworthy, not keeping up with patches will sink a
Re: Hmmm (Score:4, Interesting)
Mostly valid points. None of them invalidate the parent's point. If there is a significant infection of malware, then it is newsworthy. What factors led to the infection don't make it unnewsworthy.
"These [server systems] are easier to lock down, since there are no users downloading cool stuff and bringing in malware." You're comparing desktop usage to server usage. Regardless of Linux or Windows the same issues are there for each usage scenario.
-Desktop: If there is a vulnerability in a Linux or Windows desktop, the usage pattern of users is going to be a pathway onto the machine for malware. These days you could probably take any average user since most are unfamiliar with desktops, stick them with a desktop of any OS flavor, and they will in both cases go to a browser and do things that put the system at risk. These days they implement similar levels of security. Many flavors of both prompt you to escalate a process to root/admin privilege, so each is vulnerable to users unwisely escalating software of questionable sources.
-Server: If there is a vulnerability in a server, regardless of OS, "a remote exploit is required to bring down a server system". This doesn't invalidate the parent's point.
Parent's point is that it is newsworthy because many naive individuals in the Linux community like to purport that Linux is somehow invulnerable to such exploits. When I say "many naive" I don't mean to say all Linux users are naive, just that there are a fair share who don't understand that Linux and software running on Linux have the same potential to harbor undiscovered vulnerabilities as any other competing OS/software.
This means they make blanket statements about how this or that security problem affecting Windows isn't a concern for Linux. They don't know about the clarifying criteria that Linux is more secure under the circumstances that you maintain updates and properly administer WAN-facing interfaces.
The result is you have individuals running unmaintained Linux servers because they think they are more secure, but which require significantly more attention than similar Windows counterparts. So you have two factors working against the security of Linux, misinformation, and ease of maintenance.
Even in situations where you have a capable staff who understand the importance of maintaining updates: if you have updates that are fragile and require lots of testing, require a lot of babysitting to apply, or are in other ways difficult to automate in a reliable way, then you are going to occasionally create situations for admins where their manpower isn't enough to get to those updates immediately. That's not to imply that Windows updates don't sometimes break things and require testing, but I would say they are easier to automate overall and more reliable. Probably due to the fact there are far fewer flavors of Windows, so updates which do have issues are quickly hotfixed. When I've had updates on Linux fail, sometimes there is a good bit of manual work to back them out, fix whatever went wrong, and reapply them.
I am not trying to say Windows is better than Linux, as I am not trying to do a complete comparison of the two, but simply pointing out that this article highlights some of the factors that contribute to the formation of such an infection. Certainly Windows has some of these same issues as well and we've seen infections that targeted machines that weren't up to date. However, I think Windows has done a better job at least with the automatic updates to address this kind of problem. It certainly isn't always perfect, but it's pretty good.
Re:Hmmm (Score:5, Insightful)
The people that have their servers compromised in this way are amateurs and shouldn't have put their servers on the web, EVER. This is roughly equivalent to fielding IIS from 2001 on windows XP and not keeping your patch set up to date. You are going to be hacked.
Any sysadmin who is thinking about it would put a web server and all its components in a chroot jail and force it to run in user space, set up to refuse interactive logins for this user. That way any "escalations" of privilege won't get you much more than the web server. It's easy, quick and effective.
So this isn't a really fair comparison you are making. Linux is BY DEFAULT more secure than Windows, mainly by design. Microsoft has made great strides of late, but fundamentally they are starting from a weak position (remember Windows 3.1?) and you have to install components to make it more secure, where Linux starts secure and gets security downgrades when you install and configure stuff. Either way, if you don't manage your server, you will have problems.
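An added example, not code from the thread: a small POSIX shell audit for the three properties the comment above describes (the web server's account is not uid 0, its login shell refuses interactive logins, and none of the daemon's processes run as root). It runs on constructed passwd and ps samples embedded below; on a live system you would feed it `getent passwd` and `ps -eo user,pid,comm` instead. The chroot itself is not checked here.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd entries (not from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:998:998:Tomcat service:/srv/tomcat:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false'

# Constructed sample of `ps -eo user,pid,comm` output (header line included).
SAMPLE_PS='USER PID COMMAND
root 1 init
tomcat 1201 java
root 1300 httpd
www-data 1301 httpd'

# account_shell NAME PASSWD_TEXT: print the login shell of NAME (empty if absent).
account_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# account_uid NAME PASSWD_TEXT: print the numeric uid of NAME (empty if absent).
account_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3 }'
}

# login_disabled NAME PASSWD_TEXT: succeed when the shell refuses interactive logins.
login_disabled() {
    case "$(account_shell "$1" "$2")" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# is_unprivileged NAME PASSWD_TEXT: succeed when the account exists and is not uid 0.
is_unprivileged() {
    uid=$(account_uid "$1" "$2")
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# root_instances COMMAND PS_TEXT: count processes named COMMAND that run as root.
root_instances() {
    printf '%s\n' "$2" | awk -v c="$1" \
        'NR > 1 && $3 == c && $1 == "root" { n++ } END { print n + 0 }'
}

# audit_service USER COMMAND PASSWD_TEXT PS_TEXT:
# print "OK" or a space-separated list of findings (uid0, interactive-shell, runs-as-root).
audit_service() {
    findings=""
    is_unprivileged "$1" "$3" || findings="$findings uid0"
    login_disabled "$1" "$3" || findings="$findings interactive-shell"
    [ "$(root_instances "$2" "$4")" -eq 0 ] || findings="$findings runs-as-root"
    if [ -z "$findings" ]; then echo OK; else echo "${findings# }"; fi
}

audit_service tomcat java "$SAMPLE_PASSWD" "$SAMPLE_PS"      # OK
audit_service www-data httpd "$SAMPLE_PASSWD" "$SAMPLE_PS"   # interactive-shell runs-as-root
```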
Re: (Score:2, Insightful)
So this isn't a really fair comparison you are making. Linux is BY DEFAULT more secure than Windows, mainly by design. Microsoft has made great strides of late, but fundamentally they are starting from a weak position (remember Windows 3.1?) and you have to install components to make it more secure, where Linux starts secure and gets security downgrades when you install and configure stuff. Either way, if you don't manage your server, you will have problems.
The point of comparison should be between the server OSes. So, do you really think Linux on the server is more secure than Windows Server 2012R2 ?
Re: (Score:2)
Re: (Score:3)
On one hand, Linux has had a reputation for being secure. On the other hand, Windows has made great strides in improving things.
On the gripping hand, security really belongs to the person sitting at the admin console [1]. The first thing a lot of Linux users do is kill SELinux, which weakens the security model tremendously, where it takes just one weak SUID program or one running as root to have the machine. The second thing is that because Linux doesn't have signed executable functionality [2], somet
Re: (Score:3)
There is a lot of room for improvement on both sides of this argument. I would support a "trusted" executable and shared library loader as being a vast improvement in Linux security, but the fact remains... Windows/Microsoft has been playing catch-up in security where Linux has been leading over the last decade. Microsoft has been gaining ground, but they are still running in second place in security (well, maybe third if you include Apple, Fourth if you include SCO Unix and fifth if we include Solaris).
Re: (Score:2)
but the fact remains... Windows/Microsoft has been playing catch-up in security where Linux has been leading over the last decade.
So where are those facts?
Because the way I look at it there have been several embarrassing, high-profile successful attacks on Linux servers over the past few years:
Debian server compromised: http://www.zdnet.com/debian-se... [zdnet.com]
Ubuntu servers compromised: http://www.theregister.co.uk/2... [theregister.co.uk]
kernel.org compromised: http://lwn.net/Articles/457142... [lwn.net] (we're still waiting for the post mortem on that)
linuxfoundation.org and linux.com compromised: http://thehackernews.com/2011/... [thehackernews.com]
red hat and fedora servers compromised:
Re: (Score:3)
Ok your brain is broken in two ways here:
1. You keep talking about history. Nobody gives a shit which OS was more secure in 1986, we care which is more secure now. The question is, if I were standing up a server today, which OS would be the best choice?
2. You're redefining "Linux" to mean whatever happens to make it best in any given situation. Saying OpenSSL isn't part of "Linux" is both technically correct, and extremely intellectually dishonest.
To be perfectly frank: the grandparent has an extremely good
Re: (Score:3)
Ok your brain is broken in two ways here:
1. You keep talking about history. Nobody gives a shit which OS was more secure in 1986, we care which is more secure now. The question is, if I were standing up a server today, which OS would be the best choice?
Best choice or most secure choice? I cannot answer the first question for you because there are reasons to use Windows and reasons to use Linux which have nothing to do with security. Most secure choice? That too depends, but if you are talking about a situation where "all other things are equal" then a properly configured Linux box seems like a better choice to me. Of course, if you cannot manage a Linux box properly, then go with what you know that you can manage, but in that case we are not "all thing
Re: (Score:2)
I'm making no argument one way or the other. I'm saying that's completely irrelevant.
Right, but based on what? Just your humble opinion? Do you have any evidence whatsoever? Have you even used recent versions of Windows Server?
Because your extreme ignorance of it tells me you have not, and as a result your humble opinion isn't worth jack.
Re: (Score:2)
I think you are trolling now...
I have decades of experience with both Windows and Linux and just happened to finish up a Windows Server 2008 R2 install for a customer delivery yesterday. No, I've not had the opportunity to play with Windows Server 2012 yet, but it's likely in my future.
Of course, all this "My Experience is better than yours" bluster amounts to nothing more than arguments about who has the biggest...... If you don't like what my 20+ years of experience says, feel free to ignore me. When you g
Re: (Score:3)
Do you remember DOS? Windows 3.1.1? Security was woefully lacking, it wasn't even a concern. At the same time, Linux was being developed, with the security model it has today, mostly unchanged. Windows has gone through many revisions and changes in the security design from ZERO security and no such thing as having separate user accounts to where we are now. Linux started out very similar to what it is now.
Please stop repeating that, it stopped being true as of 10 years ago since Windows ME was the last OS based on DOS/Win 3.1.1 code.
XP, Vista, 7 and 8 are all based on the Windows NT family which was developed with security in mind and separate user accounts etc.
http://en.wikipedia.org/wiki/W... [wikipedia.org]
Re: (Score:2)
Please stop repeating that, it stopped being true as of 10 years ago since Windows ME was the last OS based on DOS/Win 3.1.1 code.
XP, Vista, 7 and 8 are all based on the Windows NT family which was developed with security in mind and separate user accounts etc.
Ok, I'll stop. Just one more question... Where do you think the designers of NT came up with that idea? Hmmmmm? Wouldn't have been Unix now would it?
OK, OK, I'll stop rubbing it in that Microsoft has spent the last decade working on their security... Just stop debating at my assertion that Windows starts less secure and needs to have stuff added to it for security reasons....
Re: (Score:3)
I don't run X on any "server" system I manage. Not for this reason, but for the general security concept that you don't run stuff you don't use. Good luck turning off the GUI on your windows box...
Didn't you say that you just finished off setting up a Windows Server 2008R2? And you do not know about Server Core? I sense much deceit here. (IOW: I don't believe you).
However, if you did have X running, it's only going to accept X client connections from the local machine (unless you've opened it up further). This means that any attack vector through X will have to be launched from the local box. Which means that the attacker will have to compromise the local box in some other way.
Goes to show your grasp of this security thingy. There's this security principle called isolation:
Windows has been dealing with so-called shatter attacks where rogue processes sent messages remotely controlling windows belonging to other processes. Up until Windows Vista, Windows only isolated processes belonging to different users. With Vi
Re: (Score:3)
But we are talking ONE issue now which has long been known and easily avoided.
No, we are talking an issue that is the result of an inadequate security model that is incapable of securing anything but files.
Windows NT was designed with access control in place for files, devices, mailslots, pipes (named and anonymous), jobs, processes, threads, events, keyed events, event pairs, mutexes, semaphores, shared memory sections, I/O completion ports, LPC ports, waitable timers, access tokens, volumes, window stations, desktops, network shares, services, registry keys, printers, Active Direct
Re: (Score:2)
Not exactly the same. Windows 3.x line died back with Windows ME. Windows XP and beyond are all using a different kernel with a different architecture based on the Windows NT line, but share much of the same public APIs (Win32). You don't "install components to make it more secure", and that hasn't been true for nearly 20 years (20 if you used the Windows NT line). At least no more true than it is for linux, or any other OS. Of course there are packages that attempt to identify and mitigate issues, but
Re: (Score:2)
Re: (Score:2)
I think you meant to say windows NT?
Re: (Score:2)
So when Linux gets infected, it's the user's fault but when Windows gets infected, it's Microsoft's fault[1]?
[1] http://yro.slashdot.org/commen... [slashdot.org]
Gotta love Slashdot logic.
Re: (Score:3)
So when Linux gets infected, it's the user's fault but when Windows gets infected, it's Microsoft's fault?
Personally, I haven't said that here..
Microsoft chooses to install and activate a lot of risky stuff that most Linux distributions don't, but having a box compromised is not the vendor's fault. I'd never put a freshly installed Windows box on the network without first applying all service packs and locking the system down. However, a Linux box is not a risk (at least not the distributions I run) after a clean install so I don't have an issue dropping them on the net to pull patches and configure the soft
Re: (Score:3)
"It's news because it illustrates that, as much as Linux users like to throw stones at Windows, they too are vulnerable. Anyone can pick through the source and find security holes that can be exploited - perhaps even much more subtle ones than anyone would ever find on Windows."
I find this fascinating. Some Windows fans will grab onto something like this, an exploitable bug in Linux, and use that to "prove" that Windows is better. "Look here, Linux has an exploitable bug, obviously it's no good. I told yo
Re: (Score:2)
...Linux source is readily available while Windows source is not?
To the general public that is true, but don't forget this leak [theinquirer.net] and more recently this disgruntled employee [slashdot.org]. And remember - these are only the leaks of source code that we know about. I am sure that a lot more of the source is available to those with fewer scruples than you or I.
Re: (Score:2)
In a way, I'm hoping for more eyes on Linux for security vulnerabilities. The reason is that if they appear, they can get fixed almost immediately. MS is decent at handling patches, but most bugs end up waiting until Patch Tuesday, unless it warrants an out of band fix.
Maybe I'm showing my age... part of the standard procedure of getting Linux set up and deployed was getting onto security mailing lists like Bugtraq and its successors. It is a lot of mail, but better some time spent finding and fixing a v
Re: (Score:2)
Neither OS is secure unless it's behind a firewall.
Unless you (or the distribution you use) configures it, Linux is 100% secure from network attacks when installed. Why? Because the network card driver won't be loaded and the network adapter will be unconfigured and ZERO services will be running. All three will need to be true, or nobody is getting into your system from the net.
So.. Unless you intend to protect your server from physical fires, you don't need a firewall on a bare Linux system...
However, both Windows and Linux have fine network firewall'
Re: (Score:2)
If I can get code to execute in a context of a jailed UNIX process, such as a webserver, which would allow me to send traffic in and out, a malware writer has a usable client for a botnet, for spam, DDoS, and other uses. Even if they just have control of that webserver's port 80, they can use that and modify the server to occasionally serve malformed pages in hopes of nailing a buggy browser or browser add-on.
Similar to a program that just gets access to a user context in Windows. With just user access, t
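The comment above makes the point that a jailed web server with network egress is still a usable bot. An added example, not from the thread: a shell check that flags established sockets which the web-server process itself dialed out (ephemeral local port) to a remote port outside an allowed list. It runs over a constructed `ss -tnpH` style sample; the process name, ports and addresses are made up, and the parser assumes IPv4 addresses.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -tnpH` output (not a real capture).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='ESTAB 0 0 10.0.0.5:80 203.0.113.7:51234 users:(("httpd",pid=1301,fd=12))
ESTAB 0 0 10.0.0.5:443 203.0.113.8:40221 users:(("httpd",pid=1301,fd=14))
ESTAB 0 0 10.0.0.5:44312 198.51.100.9:6667 users:(("httpd",pid=1301,fd=13))
ESTAB 0 0 10.0.0.5:44320 192.0.2.10:443 users:(("httpd",pid=1301,fd=15))
ESTAB 0 0 10.0.0.5:22 203.0.113.9:55100 users:(("sshd",pid=900,fd=3))'

# unexpected_egress PROC ALLOWED_PORTS SS_TEXT
# Prints "peer_ip:port" for every established socket owned by PROC where the
# local port is ephemeral (>= 1024, so the process initiated the connection)
# and the peer port is not in the space-separated ALLOWED_PORTS list.
# Inbound client connections to the server's own listening ports are ignored.
unexpected_egress() {
    printf '%s\n' "$3" | awk -v proc="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "ESTAB" && index($6, "\"" proc "\"") {
            split($4, l, ":"); split($5, r, ":")
            if (l[2] + 0 >= 1024 && !(r[2] in ok)) print $5
        }'
}

# egress_count PROC ALLOWED_PORTS SS_TEXT: number of flagged sockets (0 when clean).
egress_count() {
    unexpected_egress "$1" "$2" "$3" | awk 'END { print NR }'
}

unexpected_egress httpd "80 443" "$SAMPLE_SS"   # 198.51.100.9:6667
```

On a live host the same function can be fed `ss -tnpH` directly; a web server that only ever serves pages should produce an empty list apart from the backends it legitimately talks to, which belong in the allowed-port list.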
Re: (Score:2)
Re:Hmmm (Score:4, Funny)
I prefer to throw at the users. The chance to hit the culprit is so much higher.
Re: (Score:2, Informative)
Linux was not vulnerable; it was Apache and other software. Running Apache on BSD, Windows or OSX would give them the same attack vector. This is the same as Outlook launching and running an executable in an email. It's not the OS, it's an application that has the problems.
Lastly it's all software that has not been updated in a very long time and is not being maintained. That alone causes giant holes in any OS or software ever made.
FYI: there are a LOT of windows machines out there running ancient IIS...
Re: (Score:2)
"code red worm ..."
Those words gave me a twinge of nostalgia. :-)
Yes, I just got a bit sentimental about an old buffer overflow.
Sysadmin Things (tm)...
Re: (Score:2)
Everyone is vulnerable when they aren't patched (and sometimes when they are). This particular warning only affects unpatched servers. I assume because servers, though they should be patched right away, often aren't, because businesses (business managers) don't want to down the server for the patch. New technologies will allow patches even to the kernel without taking down the server. When that happens things like this will mostly disappear.
No, most reasonable people do not say that Linux is invu
Re: (Score:2)
No, unmaintained web servers getting attacked and turned into bots is not news. This problem is not even specific to Linux systems. Any server that isn't patched with the latest security fixes for the OS and applications is at risk regardless of the OS used.
The biggest difference we see between proprietary and FOSS systems is that the lack of maintenance in proprietary systems is often the fault of the vendor. In short, there's no way to keep a service or application patched, because there are no patches forthcoming.
Lack of maintenance by the sysadmin is a more common source of insecurity on Linux systems. The patches are often (not always, but often) there, but they do have to be applied by someone.
Re: (Score:2)
Re:Hahahahahahaha (Score:5, Insightful)
Not a Linux apologist (Windows pays my bills), but in defense of Linux, these were programs running on Linux that had exploits. Of course, many of the exploits in Windows are through programs running on Windows and not the OS itself.......but Linux fanboys wouldn't be as quick to point that out.
Re: (Score:3)
Are you still bitter about that because I'm pretty sure most people got over that pretty quickly.
Re: (Score:2)
Re: (Score:2)
True. But we are over them now.
I remember how unstable that software was. I remember cursing at their software daily.
Re: (Score:2)
Ahh, so you are bitter.
IE was part of the OS. M$ said so. (Score:2, Troll)
Not only was it virtually impossible to get rid of, MS in several cases argued that it was an integral part of the OS and therefore it could not be removed and replaced with any other browser.
Re: (Score:2)
Wasn't Internet Explorer so tied into early Windows versions that it was considered part of the OS itself, since mere mortals couldn't just uninstall it till a few years ago?
No.
The OS and Internet Explorer shared (and I believe still do) rendering components. Which means that some of the control panel views, especially in XP, were rendered using the Trident rendering engine - not IE. IE *also* used the Trident rendering engine.
There is also a difference between the kernel and the core OS. Components can belong to what is considered the core OS (with the GUI rendering parts) without being executed in kernel space.
But it makes great FUD.
Re: (Score:2)
If you notice, this doesn't affect desktop Linux users. Only servers.
Re: (Score:3)
insert joke about there being no linux desktops, and the eventual "year of linux on the desktop" ?
Re: (Score:2)
LOL!!!
Re: (Score:3)
What, none of all 5 of them?
Now seriously, if you want to develop malware, you'd first think of "how many potential victims would I have?".
Also... a Linux box is a Linux box. The difference between "server" and "desktop" lies in which software it runs, period. One could become the other just by installing something or enabling something.
Question for you: if I have a Linux server and install KDE on it, or X - would you name it a "Desktop"? Or is it still a server? Or both? I'm confused.
Re: (Score:2)
If you read the summary, it clearly says the vector of attack was web servers (such as Apache Tomcat). Most desktops are not running a web server - thus not vulnerable.
Re: (Score:2)
If you notice, this doesn't affect desktop Linux users. Only servers.
Great. Nothing to worry about then. And here I was concerned that somebody would build a botnet of powerful, high-bandwidth computers. Silly me.
Re: (Score:3)
It was not a virus, it was an exploit of server software that was unpatched.
Re: (Score:2)
It was not a virus, it was an exploit of server software that was unpatched.
And the privilege escalation?
Re: (Score:2)
But Netcraft confirms 47% market share http://news.netcraft.com/archi... [netcraft.com]
Re: (Score:2)
What the hell is a vertical?
It's perpendicular to horizontals.
Re: (Score:2)
Phew! At least they're not congruent.
Re: (Score:2)
Companies within the same industry. As in Telecom, Healthcare, Financial Services, etc. In this case Entertainment is the vertical so I imagine targets are record companies, production companies, studios, maybe the **AA's.
Re: (Score:2)
Re:must me false (Score:4, Interesting)
Yes, but there is a logical reason for this.
Linux and Windows approach security in totally different ways. When you load a Linux kernel, it's secure, it starts that way. When you load Windows, it's NOT secure, you have to load other stuff to make it secure.
So, if you have a Linux box that gets hacked, the admin really is a lot more responsible for this. He/she left the hole open for the attacker to get in. Sure, there are times when we don't know the hole exists, but the admin loaded the software.
Windows boxes? They come out of the install process wide open with a whole raft of dangerous services turned on. Not to mention they are starting from the security posture of Windows 3.1 and have been trying to put up defenses since. They have made a lot of progress, but it's still harder to shore up a bad design than it is to loosen up a secure design.
Re:must me false (Score:5, Insightful)
This used to be true, it's by far no longer the case.
It's the ancient battle of usability vs. security. The most secure system is by design also the least usable one. And that's where the two systems came from. Windows was once "usability trumps security, no matter what". Linux was the exact opposite. Hence the reputation of Linux that you need to have a master's in CS to boot the damn thing, and for a network connection nothing less than a doctorate will do.
Various distributions have now made it all a bit easier, while at the same time Windows tightened security quite a bit (I mean, look back at Win95 and tell me they didn't...). They are approaching each other... if they haven't met already in the middle between the two extremes.
Re: (Score:2)
Windows boxes? They come out of the install process wide open with a whole raft of dangerous services turned on.
Can you list what dangerous services are turned on by default on a Windows Server install? If you don't, it's a pretty clear sign that you have no clue what you're talking about and last used Windows about 15 years ago.
Re:must me false (Score:5, Insightful)
Yes, but there is a logical reason for this.
Linux and Windows approach security in totally different ways. When you load a Linux kernel, it's secure, it starts that way. When you load Windows, it's NOT secure, you have to load other stuff to make it secure.
Sorry, but that is BS. When you load Linux it comes up with a security model through which there has already (by design) been punched a big hole: SUID. When you load Windows it comes up with a security model which has no need for such a massive hole. Countless otherwise benign bugs have been turned into total system compromise bugs because of SUID.
Under Windows, all kernel object types are securable with security descriptors. Linux was designed with only file system permissions. Processes did not have security descriptors, and such objects need to be mapped to files, with file permissions used to (inadequately) describe access permissions.
Windows services run in a separate session - interprocess communication is severely restricted. A process in another session cannot break through to e.g. the desktop, i.e. a daemon/background service cannot interact with the desktop. There is no such isolation in Linux unless you run SELinux. In Windows it is the default.
Most Windows services run under service hardening. Even custom sites you set up will by default run under service hardening. Under service hardening an ad-hoc identity is implicitly created for the service/website and this identity has no permissions whatsoever by default. It has to be granted any access permission it needs. You'd have to run SELinux or apparmor with a significant amount of configuration to achieve the same level of isolation under Linux. Under Windows it is default and straightforward.
Windows has mandatory DEP, much stronger ASLR, stack and heap encryption/checksumming and several other mitigation technologies not found in Linux. On by default.
Windows boxes? They come out of the install process wide open with a whole raft of dangerous services turned on. Not to mention they are starting from the security posture of Windows 3.1
What century do you live in? Since Windows Server 2008 (!) only the minimal set of services are turned on, and *no* network facing services until you configure them.
Re:must me false (Score:5, Informative)
Let me see, last time I loaded Windows 8 pro, there was a raft of services turned on for me by default.
Windows 8, Windows 7 and even Windows Vista come up and ask you if you *want* to turn on services. If you answer no, it will not have any network ports listening. Get it yet? That's the *desktop user* targeted operating systems.
Windows Server comes by default with NO network services turned on by default, and NO listening ports. Get it yet?
Linux *desktop user* targeted distros do turn on network services. Get it yet?
Yes the distribution may turn on some services
Yes, indeed. Get it yet?
Linux distributions targeted at "servers" generally come w/o any services even installed by default.
Yes. Just like the Windows Server versions. Get it?
If you go to "desktop" installs, where Windows 8 Pro lives, Linux comes out of the normal distribution much more locked down and secure
Nope. Linux lacks many, many of the security features in Windows 8. In distros using apparmor it only protects some of the daemons. Windows 8 comes with Mandatory Integrity Control built-in sandboxing.
Windows 8 supports multiple (and simultaneous) network firewall profiles which are automatically selected based on where you are: On a corporate network SMB services may be available, on a public network without a trusted domain controller it selects the public (locked down) profile. Linux does not.
I still cannot believe that the DEFAULT behavior of a Windows box is to have the main user be an Administrator
Good you do not believe it, because it is false. This is one of the hardest things for Linux fanatics to understand: Windows has tokens and with UAC even if you do log in with an account with administrative rights, the token will not have administrative rights. This means that the processes started by the shell will not have administrative rights. Get it yet?
Linux is not like this, and most desktop distributions today don't allow you to login as root.
No, but they do allow you to elevate to root as effective user - using sudo or other SUID utilities, which is a blatant violation of one of the most fundamental security principles: least privilege.
In Linux you elevate to the highest, unrestricted and all-powerful user just to change your own password??? Have you any idea how f* up that is?
Get it yet?
Re: (Score:3)
You do understand that it takes ROOT to set the SUID bit on a file right?
You do understand what the SUID bit does when the file is owned by ROOT, right? When you run such a file, you elevate to root just to change the password. That is *vastly* more power than you need, and it is a serious danger: Just a simple bug like a buffer overflow can cause total system compromise when it allows the attacker to execute as root.
This is why you will find all SUID programs set to read only and owned by an administrative user (such as root). It is why you instruct your sysadmin staff to NEVER SUID anything w/o good reason and permission, and it is also why you scan systems for SUID binaries and scripts regularly so you can find and remove such nonsense as SUID security holes.
Yes, it is because of the inherent danger in SUID root utilities. Now imagine a security model that does not need anything like SUID.
And if you find any unexplained SUID stuff on your box, you pull the plug on everything and start looking for where the break in happened because you've been compromised and your whole network is suspect.
Yes, but how do you audit the "exp
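The regular SUID scan the exchange above recommends, as an added example that is not code from the thread: list the setuid/setgid files under a tree, keep that list as a baseline, and flag anything that later shows up setuid without being in it. The script builds a constructed temporary tree (not a real system) to demonstrate, and assumes paths contain no whitespace.

```shell
#!/bin/sh
# Added example: audit a tree for SUID/SGID files against a known-good baseline.
set -eu

# list_setuid DIR: print "mode uid path" for every regular file under DIR with
# the SUID (4000) or SGID (2000) bit set, one per line, sorted by path.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ln {} + 2>/dev/null |
        awk '{print $1, $3, $NF}' | sort -k3
}

# audit_setuid DIR BASELINE: print every setuid/setgid path under DIR that is
# not recorded in BASELINE (a file written earlier by list_setuid).
# Anything printed is a candidate for the "pull the plug and investigate" step.
audit_setuid() {
    known=$(mktemp); now=$(mktemp)
    awk '{print $3}' "$2" | sort > "$known"
    list_setuid "$1" | awk '{print $3}' | sort > "$now"
    comm -13 "$known" "$now"
    rm -f "$known" "$now"
}

# demo_audit: constructed scenario. One legitimate setuid file is recorded in
# the baseline; a second file later gains the setuid bit and must be flagged.
demo_audit() {
    dir=$(mktemp -d); base=$(mktemp)
    touch "$dir/passwd" "$dir/ls" "$dir/dropped_tool"
    chmod 4755 "$dir/passwd"          # expected setuid helper, goes into the baseline
    chmod 755 "$dir/ls"               # ordinary binary, never listed
    list_setuid "$dir" > "$base"      # take the known-good snapshot
    chmod 4755 "$dir/dropped_tool"    # unexplained setuid file appears afterwards
    audit_setuid "$dir" "$base"       # prints only .../dropped_tool
    rm -rf "$dir" "$base"
}

demo_audit
```

Running `list_setuid /` once on a freshly installed box and checking it into configuration management gives the baseline; a cron job running `audit_setuid / baseline` is the regular scan.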
Re:must me false (Score:4, Informative)
Windows 8 isn't a server. You're comparing apples to oranges, and being intellectually dishonest, and you know it.
The truth is: you haven't used Windows Server 2008, you haven't used Windows Server 2012, and you (obviously from your grandparent post) have absolutely NO idea what you are talking about when it comes to Windows Server security.
And instead of just admitting as much and bowing-out gracefully, you pull the "hahaha you are wrong but it's a waste of time to argue with you!" card. Disgusting.
Re: (Score:2)
I just finished loading a Windows 2008 server running IIS yesterday, but I guess that means I don't have any experience with Windows... Hate to bust your assumptions here.
If I had to rate my Windows vs. Linux experience, I am much more comfortable with Unix variants than Windows, but I have decades of install, configuration and management experience on both. I may not be a Linux guru but I can manage Linux systems on par with most. I am not as comfortable with Windows but I've literally installed and confi
Re: (Score:2)
Before you selected the web server role, how many ports did it have open?
Just as a reminder, you yourself said:
If that's true, and if you have recent experience of it, you should have no trouble at all telling me what part of your initial Window
Re: (Score:2)
Look. I don't believe you. Nobody who works with Windows Server would say the OS is descended from Windows 3.1. It's not possible for that combination of expertise and ignorance to co-exist. You're lying to me about setting up a Windows Server. I'm not buying what you're selling, buddy.
So now we have the "Windows" isn't "Windows" argument? Look, Microsoft has kept the basic features of "Windows", including how the user interface operates, all the way through from 3.1.1. They have brought along a lot of baggage in the process. People, users, administrators expect that the next version will work much like the current one. I remember the jump to NT, what a mess. But Microsoft had no choice but to break a lot of expected behavior through the years, many times for security reasons, but they bring
Re: (Score:2)
And yes, if you don't know what you are doing bad things happen.
Reminds me of my wedding night...
Re: (Score:2)
Re:what? (Score:4, Insightful)
> may use infected Linux systems to launch DDoS attacks against the entertainment industry...
WHERE IS THE DOWNLOAD LINK?
It's behind a registration form so that the fine folks at Prolexic can get your PII for marketing purposes. One of the *many* benefits is that once you register, nice folks from Prolexic will send you emails and maybe even call you on the phone to let you know about all the wonderful products and services you can buy from them.
So many vendors just report this kind of stuff to CERT [us-cert.gov] so it gets assigned a stupid CVE number and all the details are then available without the consumer of information giving up any PII that can be used to sell them stuff. Stupid vendors!
Prolexic is using a real vulnerability to enhance their contacts DB and increase the surface area of their sales efforts. Disgusting.
Re: (Score:2)
Prolexic is using a real vulnerability to enhance their contacts DB and increase the surface area of their sales efforts. Disgusting.
This is why the Internet invented things like 10 Minute Mail [10minutemail.com]
Thanks for sharing the link. It's much appreciated. But that doesn't change the fact that the fine folks at Prolexic are acting like douchebags. Which was my point.