After 8 Years of Remote-Access Trojans Attacks, Can We Still Say Linux is Secure? (linuxsecurity.com)
Remember when BlackBerry reported Advanced Persistent Threat groups have been infiltrating critical Linux servers for at least eight years? What's the lesson to be learned?
LinuxSecurity Founder Dave Wreski argues "Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration."
Writing for Linux Security, Slashdot reader b-dayyy gathered some additional responses: Some experts argue that it is the popularity of Linux that makes it a target. Joe McManus, Director of Security at Canonical, explains: "Linux and, particularly Ubuntu, are incredibly secure systems but, that being said, it is their popularity that makes them a target." Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, adds: "From an economic and mission perspective, it makes sense for a threat actor to invest in open-source skills for flexibility and the ability to target the systems where the good stuff is happening."
Despite the increasing number of threats targeting Linux systems, there is still a sound argument for the inherent security of Linux, which can be attributed to the core fundamentals of Open Source. Due to the transparency of open-source code and the constant scrutiny that this code undergoes by a vibrant global community, vulnerabilities are identified and remedied quicker than flaws that exist in the opaque source code of proprietary software and operating systems. Threat actors recognize this, and are still directing the majority of their attacks at proprietary operating systems.
These attacks do, however, serve as a much-needed wake-up call for the security community that more needs to be done to protect Linux servers. BlackBerry's report reveals that security solutions and defensive coverage available within Linux environments are "immature at best". Endpoint protection, detection and response products are inadequately utilized by too many Linux users, and endpoint solutions available for Linux systems are often insufficient in combating advanced exploits. Eric Cornelius, Chief Product Officer at BlackBerry, evaluates: "Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems, and security research about APT use of Linux malware is also relatively sparse."
sudo make me an admin (Score:4, Funny)
I'm not an expert in Linux security permissions, but I do have experience in the utterly asinine Windows permissions.
"You can't access that directory."
"I'm an admin."
"You can't access that directory."
"Uh, make me the owner of that directory."
"Ok."
Why? Just...why?
Re:sudo make me an admin (Score:4, Informative)
unless you're SYSTEM, you're not an admin.
Re:sudo make me an admin (Score:5, Informative)
Me: member of group 'Root'
Try some process: "only root can do that"
Being a member of group root is not being the user root. It only gives you permissions that have been granted to the root group, not the root user.
What's so hard to understand about that?
Just because you COULD become root (which you MAY be able to do as a member of the root group, depending on how your machine is configured) doesn't mean you always want to be acting with the root user's godlike permissions.
Not being root except when you need to be helps keep you from accidentally doing something damaging. So deliberately being merely an angel or a saint except when you must be god helps you, as an imperfect god, avoid breaking your universe.
Re: (Score:2, Informative)
"What's so hard to understand about that?"
It's unclear. "You have the privileges and powers (and responsibilities), of 'root' - but not really."
Granted there are some things only root should be allowed to do, but then don't have a root group - call it "Administrators" or something. Windows is also guilty of this. I'm in the Administrators group, but some things must be "run as Administrator". I've been in the "Domain Admins" and even "Enterprise Admins" group and some things still need to right-click and "
Re: (Score:2)
In general, any file writable by group root but not world writable is a mistake. The same applies to read. I just audited my Fedora system for such mistakes. There are a few.
To try for yourself:
find / -xdev -type f -group root -perm /g+r \! -perm /o+r -ls
find / -xdev -type f -group root -perm /g+w \! -perm /o+w -ls
You may also want to check the special file systems such as /sys. There are a few mistakes there too.
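An added example, not code from the thread: the comment's two find invocations wrapped in a function that takes the group and the permission bit as parameters, so the same check can be run as root for group root or unprivileged against a scratch directory with your own group. The octal masks are the plain chmod bits (020/002 for group/other write, 040/004 for read); everything else is as in the comment's own commands.

```shell
#!/bin/sh
# Added example, not code from the thread: audit regular files whose group is
# GROUP and which grant that group a permission bit that "other" does not get.
# With GROUP=root this is the check the comment above describes (a file that is
# group-root readable or writable but not world readable or writable usually
# means someone assumed "group root" is a privilege level). GROUP is a
# parameter so the function can be exercised unprivileged on any directory.
#
# Usage: audit_group_only DIR GROUP [read|write]
# Prints one path per line; exit status 0 if nothing was found, 1 otherwise.
audit_group_only() {
    dir=$1
    group=$2
    mode=${3:-write}
    case "$mode" in
        read)  gbit=040; obit=004 ;;     # g+r / o+r
        write) gbit=020; obit=002 ;;     # g+w / o+w
        *)     echo "audit_group_only: mode must be read or write" >&2; return 2 ;;
    esac
    # -perm -020: the group bit is set; ! -perm -002: the world bit is clear.
    # -xdev stays on one filesystem, as in the comment's own command.
    found=$(find "$dir" -xdev -type f -group "$group" \
                 -perm "-$gbit" ! -perm "-$obit" 2>/dev/null | LC_ALL=C sort)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Self-contained demonstration on a constructed directory. It uses the caller's
# primary group in place of root so it runs without privileges; on a real host
# you would run:  audit_group_only / root write ; audit_group_only / root read
demo_audit_group_only() {
    d=$(mktemp -d)
    g=$(id -gn)
    : > "$d/group-only"; chmod 0660 "$d/group-only"   # g+w, no o+w: flagged
    : > "$d/world-rw";   chmod 0666 "$d/world-rw"     # o+w as well: not flagged
    : > "$d/group-read"; chmod 0640 "$d/group-read"   # no g+w: not flagged in write mode
    chgrp "$g" "$d/group-only" "$d/world-rw" "$d/group-read"
    audit_group_only "$d" "$g" write    # prints only .../group-only
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run demo_audit_group_only to see the fixture behave; in read mode the same directory flags both group-only and group-read, since both are group-readable without being world-readable. The /sys and /proc trees the comment mentions need a separate call per mount because of -xdev.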
Re: (Score:2)
but then don't have a root group - call it "Administrators" or something
Try the wheel group. But stay out of root group.
No, it doesn't. I can do plenty of damage as a member of group 'root' - I just can't do some of the catastrophic damage that user 'root' can do.
I won't split hairs here, but fuck ups are things that render your system inoperable. Your system needs to be fixed now, but the upside is that you can no longer do any additional harm. Actual damage to a system opens something up for more attacks and more problems. You throwing up sudo every so often can lead to a fuck up, but rarely does it actually lead to damage unless you're copy/pasting and then you really shouldn't be at the helm. You always being ro
Re: (Score:2)
No, being in the root group gives you the privileges and powers of the root group. Being ROOT gives you the privileges and powers of ROOT.
There are many cases where it makes perfect sense that being a specific user may grant powers not granted to the group. That's why file access is divided into user (owner) group and public sets. SURPRISE (not), the root group works the same way.
As for alternatives, the Linux kernel certainly supports those, including systems with no root user (only the kernel is root), on
Re: sudo make me an admin (Score:2)
Re:sudo make me an admin (Score:4, Informative)
"Uh, make me the owner of that directory."
Like the summary says, it comes down to poor administration if you don't know how to look at and edit permissions of directories on Windows. What you are doing would be like using chown in place of chmod on Linux.
Re: (Score:2)
I'm pretty sure you're right, and I'm pretty sure you got bogged down in specifics and missed the blindingly obvious point I was making. This is very fitting, given the topic.
Re: (Score:2)
He was simply expressing a bit of surprise at Windows security model default configuration. Even an administrator is not administrator any more. However, he can't access a directory, which is confusing as he is admin, but then he can just change ownership and access it anyway, which seems silly.
In Linux, you can have the makings of this, but by default root is unfettered and non-root can't do anything. Now if you start playing with capabilities, you can have that. So while root user has both chown and DAC
Re: (Score:2)
I'm not an expert in Linux security permissions, but I do have experience in the utterly asinine Windows permissions.
"You can't access that directory."
"I'm an admin."
"You can't access that directory."
"Uh, make me the owner of that directory."
"Ok."
Why? Just...why?
With Linux, try reading files you don't own on an NFS mount when you're root. Doesn't work there either.
Re: (Score:2)
That is up to the nfs server. A client says they are root and the server by default remaps to nobody because by default it considers the client machine as having no business being root (though you can no_root_squash).
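An added example, not code from the thread, for the root_squash point above: a small exports(5) checker that flags entries with no_root_squash, run against a constructed sample file (not a real configuration) that shows the default beside the weak setting. The sample host names and paths are made up for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: flag exports(5) entries that turn
# root squashing off. The default, root_squash, maps a client's uid 0 to the
# anonymous user, which is the behaviour the comment above describes; an
# explicit no_root_squash lets root on the listed client act as root on the
# exported tree. The awk parser also applies the exports(5) rule that a bare
# "(options)" with no client in front of it (the classic "host (rw)" typo)
# applies to every client.
#
# Usage: check_exports FILE
# Prints "path client" for each offending entry; exit 0 if none, 1 if any.
check_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {        # split client(opt,opt)
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"        # "(opts)" alone: everyone
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash") { print path, client; bad = 1 }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample (not a real configuration) with the safe default beside the
# weak setting, including the "host (opts)" mistake on the last line.
sample_exports() {
    cat <<'EOF'
# /etc/exports -- constructed sample
/srv/www      10.0.0.0/24(rw,sync,root_squash)
/srv/backup   backup.example.internal(rw,sync,no_root_squash)
/srv/docs     10.0.0.5(ro)  10.0.0.6(rw,no_root_squash)
/srv/shared   10.0.0.7 (rw,no_root_squash)
EOF
}
```

With `sample_exports > /tmp/exports.sample; check_exports /tmp/exports.sample` the output is the backup host, 10.0.0.6 for /srv/docs, and `*` for /srv/shared: the space before the parenthesis on that last line means 10.0.0.7 gets the defaults and every other client gets rw with no root squashing, which is why the checker reports it as a wildcard.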
Re: (Score:2)
I've never had much luck explaining that to users. They just keep telling me that they "have permission" and I keep telling them that they really don't, and quit trying to run "sudo" commands in your NFS home directory.
Re: sudo make me an admin (Score:2)
Yeah, I've always loved that one!
Windows is the ultimate in Security Theater...
Re: (Score:2)
What are you talking about?
Re:sudo make me an admin (Score:5, Insightful)
Because the act of taking ownership of a directory requires user interaction in that scenario. With the default settings the screen goes dark and you get a UAC prompt front and centre asking you to confirm that you want to take ownership.
Therefore any malware running under your user account can't simply take ownership. It would have to trick you into accepting the UAC prompt as well.
This is a really good idea. Admin accounts should not be all powerful, certain actions should require confirmation even for root.
And by the way you are doing it wrong. You just need to edit the permissions on the directory, you don't need to take ownership.
Re: (Score:2)
"Some experts argue that it is the popularity of Linux that makes it a target."
Oh, the irony...
Re: (Score:2)
Why? Just...why?
To trigger a UAC prompt and prevent the user accidentally executing malware under their admin privileges that would be able to do it automatically.
The extra hoop is a specific security feature. A feature which you may not be using if you disabled UAC. Even admins trigger UAC because an Admin is not "root" they are merely a very privileged poweruser that can trigger certain actions using "system" privileges but can't actually log in with such privileges.
Years of idiots running Windows as admin users, and Lin
Re: sudo make me an admin (Score:2)
That article is nonsense: just because a security feature has a bug doesn't mean it's not a security feature. A bucket with a hole is still a bucket, it just needs to be fixed.
Re: (Score:2)
so?
Re: (Score:2)
Intentional holes exist in all privilege elevation systems, otherwise the user would need access to system credentials rather than their own. What UAC does is no different than what Linux does using sudo, it elevates admins to the root without ever exposing the root or requiring the root password to be known.
You seem to think a security feature is only a security feature as a wall without doors or checkpoints. You're wrong.
Re: (Score:2)
Some people are stupid. The presence of an intentional access through a security barrier for specific purposes does not make it less of a security barrier, that's the entire purpose of the barrier in the first place *control*, not complete lockout.
So back to the original point: Are you trying to imply that forcing a user to acknowledge a prompt which can only be acknowledged by the local user, not over the network, can by policy additionally be tied to credential requirements is not a security feature?
I gue
Re: (Score:2)
They are Windows users - clear evidence that their brains are not working correctly.
Re: (Score:2)
Like administrator access granted the "run as administrator" option.
FUD (Score:4, Insightful)
Excellent work "BlackBerry" - this is the same FUD we got all through the late 90s, remember the slapper worm, that one was "proof" that Linux was insecure, although if you actually read the details the worm is in Apache/OpenSSL. Heartbleed, same thing. I don't recall ever hearing about a kernel level worm...
Re:FUD (Score:5, Insightful)
The headline is not only wrong, the person who wrote it is ignorant to even think it.
Re:FUD (Score:4, Insightful)
> The headline is not only wrong, the person who wrote it is ignorant to even think it.
It's clickbait. The nerd lure says, "this headline can not be allowed to stand!" on the side.
Don't be manipulated. Don't incentivize their game.
Re:FUD (Score:5, Insightful)
remember the slapper worm, that one was "proof" that Linux was insecure, although if you actually read the details the worm is in Apache/OpenSSL. Heartbleed, same thing. I dont recall ever hearing about a kernel level worm...
Of course, Windows was the same way, for the past 15 years or so. Once the last of the Win95-legacy was put down.
TFS makes the excuse that the weaknesses are mostly due to poorly configured/administered servers, but usability is a core part of security. If people can't figure out how to lock the door, it's a problem with the design. If people don't bother to lock the door, because it's overly inconvenient, it's a problem with the design. Humans with all our flaws must be included in any security planning. This is why "default to secure" is good. This is why "elevate to the least needed access" is good.
People will screw up, and people will be lazy. Designing for that is required for good security. Stop designing things where it takes an expert to make it secure. Design things so that it takes an expert to weaken security, where the admin thinks that's the right trade-off.
Re:FUD (Score:4, Insightful)
Vulnerabilities in apache/openssl/etc are cross platform and can affect any system where this software has been installed...
TFS makes the excuse that the weaknesses are mostly due to poorly configured/administered servers, but usability is a core part of security. If people can't figure out how to lock the door, it's a problem with the design
Usually a Linux server is quite secure by default, it will have at most an ssh service exposed remotely, modern distros will force some level of password strength and won't allow you to log in remotely as root. Contrast with windows which even in a non-server configuration runs SMB and a whole bunch of RPC services under a high privileged user by default.
Generally when a linux server is insecure, it's because the user has explicitly unlocked the door, not left it unlocked. These days linux servers are typically being compromised via insecure webapps and weak passwords. This is not a case of totally clueless people putting default installs out there, this is people who think they're more competent than they really are, or who know what they're doing but aren't given the time/budget to do things properly.
And exploiting linux servers hasn't just happened for 8 years, people have been attacking them for a lot longer than that. Back in the 90s, linux distributions would typically come with all kinds of unnecessary services by default and exploits of the default configuration were very common
Re: (Score:3)
Contrast with windows which even in a non-server configuration runs SMB and a whole bunch of RPC services under a high privileged user by default.
Consumer windows has a lot of consumer convenience stuff running, but then Ubuntu isn't exactly stripped down either. Don't compare a Linux server distro to consumer Windows. Windows Server is very bare bones by default. (And of course it doesn't run SMB, which is a reverse-engineering of CIFS.)
Generally when a linux server is insecure, it's because the user has explicitly unlocked the door, not left it unlocked. These days linux servers are typically being compromised via insecure webapps and weak passwords. This is not a case of totally clueless people putting default installs out there, this is people who think they're more competent than they really are, or who know what they're doing but aren't given the time/budget to do things properly.
Sure, but Windows is no different. There a reason that, even in the consumer space, threats have largely changed to browser attacks and trojans. OK, really, threats have mostly moved to the phone, but even then
Re:FUD (Score:4, Insightful)
Windows server has the "server core" option now, but very few people seem to use it...
The full install is anything but bare bones, and basically has all of the consumer junk too.
And yes windows does still have SMB by default, even on server core. Even if a linux system does have smb installed, it's a userland program and not tightly integrated into the system so the risks are lower.
Re: (Score:2)
"but very few people seem to use it"
That's because you have to install the "desktop experience" and its whole attack vector if you want to use and manage WSUS.
Everything else can be run on server core and managed remotely.
Re: (Score:3)
(And of course it doesn't run SMB, which is a reverse-engineering of CIFS.)
No, SMB was the original protocol developed by IBM/Microsoft (not 100% sure which of the two actually created it, but they both used it). It was later renamed to CIFS (Common Internet File System) and Microsoft submitted at least some of the specs to the IETF as drafts.
Samba is the server that came from reverse-engineering the SMB protocol used by LAN Server.
Re: (Score:2)
Of course, Windows was the same way, for the past 15 years or so. Once the last of the Win95-legacy was put down.
That’s a trifle simplistic. Neither Blaster nor Slammer had anything to do with legacy Windows 95 compatibility.
Re: (Score:3)
From my own experience one of the primary headaches when it comes to security issues are packages like PHP. There's always something that's written for an older version of PHP that can't be easily upgraded and which prevents upgrading that damned thing. So when someone decides to break backwards compatibility for an application that is used for public exposure they are themselves creating a security issue for a huge number of sites. It's not a simple task to upgrade to new versions of all the applications w
Is secure? (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3)
OpenVMS disagrees.
Re: (Score:2)
So does OS400 (IBM i)
Re: (Score:2)
Re: (Score:2)
BSD is most secure.
Isn't that because it's dead?
True - and certain security definitions are proven (Score:2)
That's true.
Also if you care to be pedantic, to say something "is secure", in the sense that it can be mathematically proven, one must first rigorously define what "secure" means. There are several definitions, different types of security that can be mathematically proven and disproven similar to a geometric proof.
Any kernel with a lot of proven security guarantees must be tiny at this point, and therefore not useful on a general PC. Windows and CentOS are much too large and too complex to be an to do pro
ls -R has a CVE (Score:2)
> But as good as never anything is exploitable remotely.
You might be surprised just how silly some of the CVEs are.
One, for example, boils down to "the local user can run ls -R
If they run many instances of ls -R they'll make the system pretty busy". The person reporting it chose an indirect way of running ls -R, but in the end that's all it is.
You're right to watch for remotely exploitable ones, and also privilege escalation. An RCE flaw combined with privilege escalation is how bad stuff happe
Re: (Score:2)
Anything not airgapped is insecure... And then you rely on physical security.
Re: (Score:2)
Re: (Score:2)
in a vault somewhere no one but you can get at it
Is the same as saying "using a password only I know".
"Out of the box" linux is pretty secure (Score:2)
It's when you start adding services and applications and libraries that things can get hinky.
Especially when you're grabbing all kinds of app libraries to support what you're trying to do, from who knows where, and you're not constantly checking the code, or what is actually running on a system.
The other things I've seen is not putting systems behind firewalls, or loading up servers (physical or virtual) with many different applications (web, db, file transfer services, mail...) all on the same instance.
If
Re: (Score:3)
The other things I've seen is not putting systems behind firewalls,
Or assuming that simply having "a firewall" is a magic bullet...
What is a firewall? in most cases it's an embedded linux system these days anyway, so by adding a firewall you now have an additional system that could be attacked, that you have to manage and patch in case it gets exploited.
Then consider the machines you'd put behind the firewall... Let's say I have a webserver, it has ports 80 and 443 open so I'd need to allow those ports through the firewall... Maybe I need to manage it remotely so it also has
Re: "Out of the box" linux is pretty secure (Score:2)
If you allow ssh from the same sources you allow http and https, you're either running an internal-only web-based app for your sysadmins (e.g. monitoring web front-end), or you're "holding it wrong".
Re: "Out of the box" linux is pretty secure (Score:2, Insightful)
It's not irrelevant. What's irrelevant is WordPress security holes for the 99.9% of Linux not running WordPress.
Re: "Out of the box" linux is pretty secure (Score:2)
Oh really? As far as I know, both Nginx and Apache are completely non-functional out of the box. You have to configure them to start as a service, you have to open up ports, you have to setup virtual hosts or whatever, etc.
MariaDB is similar. Doesn't allow anything but a local root Unix socket connection out of the box.
I think it's far more likely that you just don't know what the fuck you're doing. Setting these apps up securely isn't even all that hard. You just have to know like the first thing about sec
If a trojan is the only way to break in.... (Score:4, Interesting)
Misconfiguration (Score:2)
Re: (Score:2)
Re: (Score:2)
Linux allows you to configure it in ways that some will not find useful because it is meant to do everything.
Any OS (or kernel) of which that is not true is limiting you somehow.
Linux provides several mechanisms to limit configuration so that you don't shoot yourself in the foot. If you don't use them, that's your problem.
Re: (Score:2)
The problem being that in this context, any platform will be abused. Linux is particularly popular in this age of very fluid spin up of containers and VMs because the licensing is permissive. Windows licensing for such a dynamic circumstance is obnoxious, even if you were willing to pay.
To the extent a platform offers security, it gets overlooked because generally enhanced security means harder/more tedious to use/develop for. You have to be more explicit about what your program is expected to do (to some
We can say it's more secure than others (Score:5, Insightful)
It's more secure than Windows or OSX. It's not impervious, but what is? And when a hole is found, it's patched faster, too.
Sure, there are more secure operating systems, but none of them are realistic for desktop or handheld use, and few are reasonable choices even for limited-purpose servers.
Re:We can say it's more secure than others (Score:4, Interesting)
What makes, say, Ubuntu more secure than modern Windows? Or a Linux server distro more secure than Windows server? Both are most vulnerable when a user decides to install something outside of the recommended install process. Admittedly, it's more culturally accepted on Windows to just download and install software from some non-curated place, and maybe you can blame Windows itself for that. Anyone know if you can install Firefox through the Windows store?
But in terms of the actual OS design, both have secure kernels where actual kernel vulnerabilities are quite rare. Both have explicit user elevation to admin/root required to do dangerous things. The one advantage I see for the Linux side is that it's a lot easier for a third party to hook their update mechanism to the OS's built-in update mechanism, instead of everyone rolling their own.
The days when Windows ran everything as admin by default are a distant memory now. Hopefully no one keeps an XP box around that's still on the internet.
Re: (Score:2)
What makes, say, Ubuntu more secure than modern Windows?
From an end user perspective, the issue you point out - that users install from random places instead of through a repository. Linux distros have used a repository model for many years, and if you look at slashdot comments from the late 90s and early 2000s you will see this often claimed to be a weakness of linux because users "want to install random software they've downloaded or bought", until ios/android came along and demonstrated on a mass scale that the repository model works extremely well for non te
Re: (Score:3)
windows users are far more likely to be installing dubious drivers supplied with a cheap peripheral they bought from china, or kernel drivers installed as part of a game etc.
Custom drivers, user installed, are largely a thing of the past, being beyond the technical competence of the average user. Games almost always come from walled gardens, such as Steam.
In theory the Windows store can fix the remaining issues, but I don't know if there's been much adoption of it. It certainly remains a weakness until most of the common free downloads can be installed from there.
Then you have things like SMB and RPC
They do have a history of exploits, but that's mostly history. Perhaps there's more cruft running on consumer Wind
Re: (Score:3)
User installed custom drivers are extremely common, take this story from just a few days ago talking about a kernel driver installed as part of a game:
https://www.extremetech.com/ga... [extremetech.com]
SMB security holes are certainly not history, a new vulnerability was discovered just last month:
https://nakedsecurity.sophos.c... [sophos.com]
No linux distro has something so complex, opaque and deeply entwined into the system running by default.
And yes the complexity... All the millions of undocumented registry keys, all the years of cru
Re: (Score:2)
User installed custom drivers are extremely common
No they're not.
SMB security holes are certainly not history, a new vulnerability was discovered just last month:
No linux distro has something so complex, opaque and deeply entwined into the system running by default.
Is this any different than NFS which has over its history had a functionally equally abysmal security record?
And yes the complexity... All the millions of undocumented registry keys, all the years of cruft and multiple versions of libraries, the various ways to do things... The internals of windows are massively more complex than linux, which gives plenty of scope for further vulnerabilities to be found.
How many display servers, window managers and desktop systems are there for Linux? Today it's basically impossible to compile non-trivial software and have it run on any other Linux system without stipulating specific versions and distributions. It's why all of the software is prepackaged (and often severely outdated) or you have to compile it yourself... otherwise it won't run at all.
Re: (Score:2)
User installed custom drivers are extremely common
No they're not.
SMB security holes are certainly not history, a new vulnerability was discovered just last month:
No linux distro has something so complex, opaque and deeply entwined into the system running by default.
Is this any different than NFS which has over its history had a functionally equally abysmal security record?
Well, yes. What is wrong with you? "Installed by default, unremovable and OS won't boot without it" is very very different from "Installed by user only when they want it, easily removed and OS doesn't notice if it is there or not".
Alternate way of looking at it: All windows installations have SMB, a tiny fraction of Linux installations have NFS.
Re: (Score:2)
Well, yes. What is wrong with you? "Installed by default, unremovable and OS won't boot without it" is very very different from "Installed by user only when they want it, easily removed and OS doesn't notice if it is there or not".
I don't agree with the characterization. Linux distros universally have the RPC server installed and running whether you ever decide to use NFS or not.
In Windows Network filesystem access defaults depends entirely on the network type you select. It's all inaccessible behind a stealth mode firewall BY DEFAULT when you select public network.
Alternate way of looking at it: All windows installations have SMB, a tiny fraction of Linux installations of NFS.
My experience is most Linux systems will have some form of file system access installed. NFS, SMB, SCP. It's a little disingenuous to say well there are a whole bunch
Re: (Score:2)
Fresh install of debian performed 10 mins ago:
# ps aux | grep rpc
root 2339 0.0 0.0 6076 896 pts/0 S+ 12:45 0:00 grep rpc
no rpcbind running...
The only listening network service is SSH:
And i had to explicitly choose to install that during the installation, it wasn't enabled by default.
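An added example, not code from the thread, for the "what is actually listening" check above: a listener enumerator that reads /proc/net/tcp and /proc/net/tcp6 directly with awk, useful on exactly the kind of stripped-down install the comment describes, where ss and netstat may not be present. The /proc format (hex addresses, state column, 0A for LISTEN) is the kernel's documented layout; the sample rows in the usage note are constructed, not captured from the commenter's box.

```shell
#!/bin/sh
# Added example, not code from the thread: enumerate listening TCP sockets
# straight from /proc/net/tcp and /proc/net/tcp6 with awk only, for a minimal
# install where ss(8) and netstat(8) are absent. Column 4 is the socket state;
# 0A is TCP_LISTEN. Addresses are hex: an IPv4 address is one little-endian
# 32-bit word, an IPv6 address is four of them; the port is big-endian hex.
#
# Usage: listening_ports [FILE...]   (default: /proc/net/tcp /proc/net/tcp6)
# Prints one "address:port" line per listener, sorted and de-duplicated.
listening_ports() {
    [ $# -eq 0 ] && set -- /proc/net/tcp /proc/net/tcp6
    awk '
        function hex(s,   i, v) {                     # hex string -> number
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
            return v
        }
        function bytes_rev(w) {                       # "AABBCCDD" -> "DDCCBBAA"
            return substr(w, 7, 2) substr(w, 5, 2) substr(w, 3, 2) substr(w, 1, 2)
        }
        FNR == 1 { next }                             # per-file header line
        $4 == "0A" {
            split($2, a, ":")
            addr = a[1]; port = hex(a[2])
            if (length(addr) == 8) {                  # IPv4: one LE word
                ip = hex(substr(addr, 7, 2)) "." hex(substr(addr, 5, 2))
                ip = ip "." hex(substr(addr, 3, 2)) "." hex(substr(addr, 1, 2))
            } else {                                  # IPv6: four LE words
                ip = "["
                for (w = 0; w < 4; w++) {
                    r = bytes_rev(substr(addr, w * 8 + 1, 8))
                    ip = ip (w ? ":" : "") substr(r, 1, 4) ":" substr(r, 5, 4)
                }
                ip = ip "]"
            }
            print ip ":" port
        }
    ' "$@" | LC_ALL=C sort -u
}
```

On a fresh install with only sshd enabled the output is the two lines 0.0.0.0:22 and [0000:0000:0000:0000:0000:0000:0000:0000]:22 (the IPv6 form is printed uncompressed). Anything else in the list is a service that was added after the base install, which is the point the comment is making.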
Re: (Score:2)
talking about a kernel driver installed as part of a game:
That's not a user installing a driver, that's a user installing a game. Games for almost everyone come from walled gardens, such as Steam. "Custom kernel driver" sounds like "obnoxious anti-cheat rootkit", which consumers are generally aware of, so if your argument is "Windows is unsecure because people knowingly install root kits to play games", then, um, OK?
SMB security holes are certainly not history, a new vulnerability was discovered just last month:
And there was one in 2017. This concerns you? Whatever OS you run, it will need patching monthly. No getting around that.
And yes the complexity... All the millions of undocumented registry keys, all the years of cruft and multiple versions of libraries, the various ways to do things...
All the init systems and
Re: (Score:2)
By default, Windows users have more permissions,
Oh, like what? Are you sure you're not thinking of WinXP?
the escalation for Administrator is much more frequent and more intrusive, so more people just make themselves Admin.
Make themselves admin? Being part of the admin group doesn't avoid the escalation pop-ups. How is it more intrusive? Are you talking about the system admin experience here, or the typical home user experience?
It's nearly so hard to find Windows users running a web browser as Administrator.
I mean, it's technically possible to do that, I guess, but it certainly takes more expertise than your typical home user has, you never normally get auth pop-ups while web browsing, but if you configure a program to run as admin in the normal
Re: (Score:2)
For the most part, you either get security or ease of use, hard to have both. Most users of Windows opt for ease of use, forgoing higher security. Nobody wants to have to type in 5 passwords and hit 4 prompts for 2 factor on systems they use for YouTube and email...
Re: (Score:2)
Note I'm only going to talk about the GUI interactive experience, because I'm not entirely sure about headless UAC behavior in Windows.
By default, sure, you are an 'admin', but it's basically like Ubuntu's use of sudo. To gain privilege you must accept a UAC prompt of some form or another. I could understand the fact that it doesn't require password (by default) seems insecure, but UAC is integrated with the graphics stack so that you can't make a UAC-elevation control without either the dialog or the shiel
Incorrect title (Score:5, Insightful)
Title: After 8 Years of Remote-Access Trojans Attacks, Can We Still Say Linux is Secure?
Summary: "Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration."
Proper title: After 8 years of Remote-Access Trojans Attacks, Linux Administrators have still not mastered their craft
Anyone who said that 8 years ago was a fool (Score:3)
Linux can be secure-ish, but it takes work, monitoring and maintenance. Or as one professor put it some 31 years ago:
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
-- Gene Spafford, 1989.
Anyone looking for a computer that they can set up and then forget can be breached.
Re: (Score:2)
Any system requires work, competent initial setup, competent ongoing maintenance and competent monitoring.
In this regard linux is better than windows in a variety of ways...
Initial setup - the system being more modular and flexible allows you to strip away everything you don't need, giving a smaller attack surface and a lower ongoing support burden.
Maintenance - with a smaller system, less maintenance is required, with the repository model its easier to apply necessary updates and verify that files have not
Re: (Score:2)
Linux can be secure-ish, but it takes work, monitoring and maintenance.
I tend to think it takes work to make Linux insecure. Out of the box sane clean installs have nothing, or next to nothing installed that would make them insecure. It's the effort (or lack thereof) of the administrator installing and misconfiguring services that changes that state.
Of course the same can be said for many operating systems. It all comes down to the user.
Comment removed (Score:5, Interesting)
Re: (Score:2)
deploy the code? make the CI user sudo.
They even laughed that I was shocked by it!
Re: (Score:2)
You forgot:
-sudo won't work in automation, add NOPASSWD to sudo, then take comfort that you are secure because "at least you aren't running as root"
-npm/pip/gem install random libraries from random sources whenever the developer provides an update
-npm/pip/gem lock a dependency to something ancient because no one wants to test updates and live with any vulnerabilities
Is there any actual hard data? (Score:2)
People like to make the "opensource is inherently more secure" argument, but I don't think I've ever seen it proven with numbers. It seems to be a belief rather than a fact, "it must be more secure because of the way it is".
If you look at the actual number of exploits, and admittedly this doesn't take severity into account, it just isn't true. Linux distros or the Linux kernel almost always have more vulnerabilities than Windows: https://www.cvedetails.com/top... [cvedetails.com]
Re: (Score:2)
What facts would you accept? Scientific analysis of the nature of vulnerabilities, which are rarely reported publicly for closed source tools? Audits of the number of vulnerabilities reported?
It was an absurd thing to say to begin with (Score:4, Insightful)
The premise was flawed to begin with, born from the hubris of Windoze sucks. Security is very much like TQM, it isn't something that you achieve and walk away from. Security is a process that continually evolves and improves and by definition is never solved. Microsoft had their egg on their face. They moved on years ago, but a lot of other people never did.
Only a fool gets religious about an OS. No OS is fundamentally secure. Pwn2Own and other competitions pretty consistently take down all contenders in short order. By their nature they have to be used and opened to production use cases. In the real world CIS server hardening standards exist for a fair range of modern server class operating systems.
You can make pretty much any server class OS fairly secure with CIS server standards as your baseline, but it takes a lot more than that to keep it secure. Any organization worth their salt will use a lot more than the OS itself to secure their servers.
I am reminded of when I worked at a very large university that has thousands of Apple Mac computers. They composed about 30% of the user base and at least 75% of security related tickets. Why - because the people who had them could not be bothered to maintain them or practice safe hex since "Mac OS doesn't get viruses or hacked". Your security practices and users make more of a difference than the OS itself.
Re: (Score:2)
It wasn't absurd when it first was said, back in the 90s when home computers were running OSes without any *real* multi-user support and as such every person was really admin (MacOS classic and DOS/Windows 3.x/9x).
Even as Windows XP marked the switchover to a credibly multi-user design, it still deserved some criticism as it failed to cope with an ecosystem that made every consumer basically have to be admin still.
From Vista onward, Windows largely had the fundamental security architecture down. Of course t
Re: (Score:2)
You are right that Windows security was horrible back then, I clearly remember just how bad things were - Code Red and Nimda in particular come to mind. The 9.x series was completely hopeless. I remember Larry Ellison hiring every bug exterminator in Seattle to drive around the Microsoft campus when W2K was released due to how buggy it was. Sloppy programming practices for bugs impacted security just as badly as system stability. Amusingly Oracle never got their own memo and still has buggy software and the
A fool with a tool is still a fool (Score:2)
Re: (Score:2)
You should differentiate between Windows in a domestic situation, and Windows in a business/enterprise. Windows Home *does* put up a feeble warning about "software from the internet could damage your computer", but it's better than nothing, AKA the bad ol' days.
For business/enterprise, it's a trivial exercise to roll out a group policy to stop users installing whatever they want.
Blackberry the patent troll says? (Score:3)
“Compromising Linux web servers allows for the exfiltration of massive amounts of data that can be obscured within the high volume of daily web traffic”
How are the Linux web servers compromised in the first place?
“Linux’s command-line interface also makes it less widely accessible
What is this anti Open Source Microsoft FUD doing on slashdot?
“The combination of poor security solution coverage for Linux and highly tailored, complex malware has resulted in a suite of adversary tools that has largely - if not entirely - gone undetected for years.”
“PWNLNX1 was designed to work with a Local Kernel Module (LKM), which enabled it to perform a number of rootkit functions”
How does this PWNLNX1 backdoor get onto the computer in the first place?
“Akamai observed that the botnet grew in size after using brute force attacks to obtain the password for the target Linux server”
What is this decades old, anti Open Source FUD doing on slashdot?
BlackBerry Moves to Make Money From Its Patents [fool.com]: “Another pillar of BlackBerry's turnaround is its effort to monetize its portfolio of over 44,000 patents through royalties and licensing fees”
Re: (Score:2)
It's here because lessons have to be relearned or retested as software changes. Windows, for example, has gotten better. Not necessarily good enough, but the browsers and mail clients have stabilized.
Translaughing: CEO-Speak to Real-Thought (Score:2)
Endpoint protection, detection and response products are inadequately utilized by too many Linux users, and endpoint solutions available for Linux systems are often insufficient in combating advanced exploits.
I will not invest in training for my employees, to use the tools available, correctly - there are enough open tuts out there and there is stack/buffer-overflow.
Eric Cornelius, Chief Product Officer at BlackBerry, evaluates: "Security products and services that support Linux, offerings that might detect and give us insight into a threat like this,
Our software is so shitty and we invest no resources into implementing testing and logging. So we need to rely on behind-last-line-of-defense-systems (remember LoTR: the brawl inside the stronghold)
are relatively lacking compared to other operating systems, and security research about APT use of Linux malware is also relatively sparse."
We would like others to invest in securing, investigation, and researching our shit - not us ofc - we'd like to put out apps not security.
Linux strength goals and architecture (Score:2)
Interesting, I always considered the architecture and goals of Linux and open source developers to be sup
The point is gravely missed (Score:2)
VMware and sk_buff is my backdoor... OpenVPN too (Score:2)
sk_buff is a pretty little beast. It's such a shitty piece of code that it's impossible for people to understand how to use it properly. The documentation is almost always out of date and because people keep trying to "fix it" they genera
Nobody sane ever claimed that (Score:3)
The claim is that Linux can be secured much better and much more easily by a competent admin than the alternatives. An incompetent admin can do arbitrary damage, because Linux assumes that competent admin.
Re: (Score:3)
If I expose my SSH port on the 'net with only key-based authentication (no passwords) allowed, is that a sufficient amount of security to thwart intruders?
Set up a different external SSH port (not port 22) on your router forwarded to port 22 on your box.
That should get rid of most of the script kiddies looking for port 22 access right away. I did this a while ago and the attempts went from hundreds a day to almost nothing.
Then run something like fail2ban to automate banning of IP addresses that make failed connection attempts more than whatever thresholds you set up.
If you wanna go nuts, there are lists of ip ranges for places like China and Russia...
Re: (Score:2)
Make your SSH service only available over IPv6 too, bound to a separate address than other services...
Sweeping large address ranges looking for services is not practical over IPv6, so it doesn't happen. Attacks against IPv6 only occur against services that are published publicly, e.g. web servers that can be found via search engines.
Re: (Score:3)
Same with Windows RDP, throw it on a weird port and attacks go down some. But security through obscurity only really stops the random script kiddies who don't know what they are doing for the most part.
Re: (Score:2)
Same with Windows RDP, throw it on a weird port and attacks go down some. But security through obscurity only really stops the random script kiddies who don't know what they are doing for the most part.
That's good enough for me - it means that if anything shows up in the logs I need to take it seriously. Security through obscure ports prevents attackers from spamming your logfile in the hope that you will miss the one that got through.
Re: (Score:2)
I really hate fail2ban. I just use AllowUsers to block everything except the few users that are allowed in. Never seen any script kiddy even getting near guessing a valid user name let alone the matching password...
Re: (Score:2)
All are steps towards security. They don't stop a fool outside your network with a vulnerable laptop and who has keys that allow them _into_ your network.
Re: (Score:2)
If I expose my SSH port on the 'net with only key-based authentication (no passwords) allowed, is that a sufficient amount of security to thwart intruders?
Set up a different external SSH port (not port 22) on your router forwarded to the port 22 on your box.
On my VPS I set ssh to listen on $RANDOM_HIGH_NUMBER instead of 22. Same effect - went from literally hundreds of attempts per day to no attempt in the last year.
Yes-ish. Layers, value, non-standard port (Score:3)
A box is pretty secure with only ssh exposed, set to keys only.
Of course it's a good idea to have it updated too. There have been some imperfections in the last 20 years, so it's a good idea to update regularly.
It's ALSO a good idea to have layers of security, so that even IF there was a vulnerability in ssh authentication, you'd have something else to let you know there's a problem. For example, Tripwire will alert you to any system files changed on the machine.
"a sufficient amount of security" also very m
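The advice in the last several posts (keys only, a non-default port, fail2ban-style thresholds, AllowUsers) pulled together as one added shell example, which is not code from anyone in the thread: an sshd_config audit plus a failed-login counter over auth.log lines. The keywords are real sshd_config directives; the config fragments, log lines, threshold and addresses are constructed.

```shell
# Added example, not code from anyone in the thread. Two defender-side checks
# for the advice above: (1) audit an sshd_config for key-only auth, no root
# login and an AllowUsers whitelist; (2) count failed logins per source IP
# from auth.log lines, which is the decision fail2ban automates.
# The config fragments, log lines and threshold below are constructed.

# Value of an sshd_config keyword, ignoring comments; first match wins, as in sshd.
sshd_value() { grep -iE "^[[:space:]]*$2([[:space:]]|=)" "$1" | head -n1 | awk '{print $2}'; }

# Prints one "weak:" line per missing hardening setting; returns 0 only if none.
audit_sshd_config() {
  cfg="$1"; rc=0
  [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] \
    || { echo "weak: PasswordAuthentication is not 'no' (keys only)"; rc=1; }
  [ "$(sshd_value "$cfg" PubkeyAuthentication)" != "no" ] \
    || { echo "weak: PubkeyAuthentication disabled"; rc=1; }
  [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] \
    || { echo "weak: PermitRootLogin is not 'no'"; rc=1; }
  [ -n "$(sshd_value "$cfg" AllowUsers)" ] \
    || { echo "weak: no AllowUsers whitelist"; rc=1; }
  # A non-default port only cuts scanner noise in the logs; it is not a control.
  case "$(sshd_value "$cfg" Port)" in ""|22) echo "note: port 22, expect scanner noise";; esac
  return $rc
}

# Prints "IP count", sorted, for every source with at least $2 failed passwords in log $1.
failed_logins_over_threshold() {
  awk -v t="$2" '/sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort
}

# Constructed samples; addresses are from the RFC 5737 documentation ranges.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$SAMPLE_LOG"' EXIT
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' 'PermitRootLogin yes' > "$WEAK_CFG"
printf '%s\n' '# hardened as the thread suggests' 'Port 48222' 'PasswordAuthentication no' \
  'PubkeyAuthentication yes' 'PermitRootLogin no' 'AllowUsers alice bob' > "$HARD_CFG"
printf '%s\n' \
  'Oct 12 03:14:07 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2' \
  'Oct 12 03:14:09 vps sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2' \
  'Oct 12 03:14:12 vps sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2' \
  'Oct 12 03:15:01 vps sshd[2110]: Failed password for alice from 198.51.100.9 port 40022 ssh2' \
  'Oct 12 03:15:20 vps sshd[2112]: Accepted publickey for alice from 198.51.100.9 port 40023 ssh2' > "$SAMPLE_LOG"

audit_sshd_config "$WEAK_CFG" || echo "-> weak config fails the audit"
audit_sshd_config "$HARD_CFG" && echo "-> hardened config passes the audit"
failed_logins_over_threshold "$SAMPLE_LOG" 3   # prints: 203.0.113.7 3
```

The single legitimate failure from 198.51.100.9 stays below the threshold, which is the point of a threshold rather than banning on the first bad password.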
Re: (Score:2)
The real problem lies in Linux being a very popular platform for crappy devs to deploy their crappy webapp onto.
These devs will run things as root that do not need to run as root.
They will have open ports that accept communication without any authentication, because that's the easy way to do it.
The crappy web dev then gets a fanbase and their stack deployed across thousands of users who will get more mad at security mechanisms they have to disable to get the thing to work than at the application for requiri