After 8 Years of Remote-Access Trojans Attacks, Can We Still Say Linux is Secure? (linuxsecurity.com) 139
Remember when BlackBerry reported Advanced Persistent Threat groups have been infiltrating critical Linux servers for at least eight years? What's the lesson to be learned?
LinuxSecurity Founder Dave Wreski argues "Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration."
Writing for Linux Security, Slashdot reader b-dayyy gathered some additional responses: Some experts argue that it is the popularity of Linux that makes it a target. Joe McManus, Director of Security at Canonical, explains: "Linux and, particularly Ubuntu, are incredibly secure systems but, that being said, it is their popularity that makes them a target." Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, adds: "From an economic and mission perspective, it makes sense for a threat actor to invest in open-source skills for flexibility and the ability to target the systems where the good stuff is happening."
Despite the increasing number of threats targeting Linux systems, there is still a sound argument for the inherent security of Linux, which can be attributed to the core fundamentals of Open Source. Due to the transparency of open-source code and the constant scrutiny that this code undergoes by a vibrant global community, vulnerabilities are identified and remedied quicker than flaws that exist in the opaque source code of proprietary software and operating systems. Threat actors recognize this, and are still directing the majority of their attacks at proprietary operating systems.
These attacks do; however, serve as a much-needed wakeup call for the security community that more needs to be done to protect Linux servers. BlackBerry's report reveals that security solutions and defensive coverage available within Linux environments is "immature at best". Endpoint protection, detection and response products are inadequately utilized by too many Linux users, and endpoint solutions available for Linux systems are often insufficient in combating advanced exploits. Eric Cornelius, Chief Product Officer at BlackBerry, evaluates: "Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems, and security research about APT use of Linux malware is also relatively sparse."
LinuxSecurity Founder Dave Wreski argues "Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration."
Writing for Linux Security, Slashdot reader b-dayyy gathered some additional responses: Some experts argue that it is the popularity of Linux that makes it a target. Joe McManus, Director of Security at Canonical, explains: "Linux and, particularly Ubuntu, are incredibly secure systems but, that being said, it is their popularity that makes them a target." Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, adds: "From an economic and mission perspective, it makes sense for a threat actor to invest in open-source skills for flexibility and the ability to target the systems where the good stuff is happening."
Despite the increasing number of threats targeting Linux systems, there is still a sound argument for the inherent security of Linux, which can be attributed to the core fundamentals of Open Source. Due to the transparency of open-source code and the constant scrutiny that this code undergoes by a vibrant global community, vulnerabilities are identified and remedied quicker than flaws that exist in the opaque source code of proprietary software and operating systems. Threat actors recognize this, and are still directing the majority of their attacks at proprietary operating systems.
These attacks do; however, serve as a much-needed wakeup call for the security community that more needs to be done to protect Linux servers. BlackBerry's report reveals that security solutions and defensive coverage available within Linux environments is "immature at best". Endpoint protection, detection and response products are inadequately utilized by too many Linux users, and endpoint solutions available for Linux systems are often insufficient in combating advanced exploits. Eric Cornelius, Chief Product Officer at BlackBerry, evaluates: "Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems, and security research about APT use of Linux malware is also relatively sparse."
sudo make me an admin (Score:4, Funny)
I'm not an expert in Linux security permissions, but I do have experience in the utterly asinine Windows permissions.
"You can't access that directory."
"I'm an admin."
"You can't access that directory."
"Uh, make me the owner of that directory."
"Ok."
Why? Just...why?
Re:sudo make me an admin (Score:4, Informative)
unless you're SYSTEM, you're not an admin.
Re:sudo make me an admin (Score:5, Informative)
Me: member of group 'Root'
Try some process: "only root can do that"
Being a member of group root is not being the user root. It only gives you permissions that have been granted to the root group, not the root user.
What's so hard to understand about that?
Just because you COULD become root (which you MAY be able to do as a member of the root group, depending on how your machine is configured) doesn't mean you always want to be acting with the root user's godlike permissions.
Not being root except when you need to be helps keep you from accidentally doing something damaging. So deliberately being merely an angel or a saint except when you must be god helps you, as an imperfect god, avoid breaking your universe.
Re:sudo make me an admin (Score:2, Informative)
"What's so hard to understand about that?"
It's unclear. "You have the privileges and powers (and responsibilities), of 'root' - but not really."
Granted there are some things only root should be allowed to do, but then don't have a root group - call it "Administrators" or something. Windows is also guilty of this. I'm in the Administrators group, but some things must be "run as Administrator". I've been in the "Domain Admins" and even "Enterprise Admins" group and some things still need to right-click and "Run as Administrator" to get them to work. Some maintenance tasks in the Windows Internal Database just don't work any other way, at least IME. It's not sudo, where you at least have to put in a password, it's just a dialogue "Are you sure?"
"Not being root except when you need to be helps keep you from accidentally doing something damaging"
No, it doesn't. I can do plenty of damage as a member of group 'root' - I just can't do some of the catastrophic damage that user 'root' can do. And 'sudo' is not sufficient protection - it just adds a couple of seconds for your brain to catch up with your misguided intentions, while you type your password.
Anyway, this is old news. There's got to be a better way to secure the most sensitive functions.
Re:sudo make me an admin (Score:2)
In general, any flle writable by group root but not world writable is a mistake. The same applies to read. I just audited my Fedora system for such mistakes. There are a few.
To try for yourself:
find / -xdev -type f -group root -perm /g+r \! -perm /o+r -ls /g+w \! -perm /o+w -ls
find / -xdev -type f -group root -perm
You may also want to check the special file systems such as /sys. There are a few mistakes there too.
Re:sudo make me an admin (Score:2)
but then don't have a root group - call it "Administrators" or something
Try the wheel group. But stay out of root group.
No, it doesn't. I can do plenty of damage as a member of group 'root' - I just can't do some of the catastrophic damage that user 'root' can do.
I won't split hairs here, but fuck ups are things that render your system inoperable. Your system needs to be fixed now, but the upside is that you can no longer do any additional harm. Actual damage to a system opens something up for more attacks and more problems. You throwing up sudo every so often can lead to a fuck up, but rarely does it actually lead to damage unless your copy/pasting and then you really shouldn't be at the helm. You always being root can absolutely lead to actual damage that will be hard to identify if it even exists.
Re:sudo make me an admin (Score:2)
No, being in the root group gives you the privileges and powers of the root group. Being ROOT gives you the privileges and powers of ROOT.
There are many cases where it makes perfect sense that being a specific user may grant powers not granted to the group. That's why file access is divided into user (owner) group and public sets. SURPRISE (not), the rout group works the same way.
As for alternatives, the Linux kernel certainly supports those, including systems with no root user (only the kernel is root), only subsets of capabilities.
Many Unix systems have a wheel group for users that are permitted to do some or all things as root.
Re: sudo make me an admin (Score:2)
Re:sudo make me an admin (Score:4, Informative)
"Uh, make me the owner of that directory."
Like the summary says, it comes down to poor administration if you don't know how to look at and edit permissions of directories on Windows. What you are doing would be like using chown in place of chmod on Linux.
Re:sudo make me an admin (Score:2)
I'm pretty sure you're right, and I'm pretty sure you got bogged down in specifics and missed the blindingly obvious point I was making. This is very fitting, given the topic.
Re:sudo make me an admin (Score:2)
We was simply expressing a bit of surprise at Windows security model default configuration. Even an administrator is not administrator any more. However, he can't access a directory, which is confusing as he is admin, but then he can just change ownership and access it anyway, which seems silly.
In Linux, you can have the makings of this, but by default root is unfettered and non-root can't do anything. Now if you start playing with capabilities, you can have that. So while root user has both chown and DAC override all the time, you could create a scenario in which some process has chown capability but not DAC override, then he could create that same experience in Linux.
Re:sudo make me an admin (Score:2)
I'm not an expert in Linux security permissions, but I do have experience in the utterly asinine Windows permissions.
"You can't access that directory."
"I'm an admin."
"You can't access that directory."
"Uh, make me the owner of that directory."
"Ok."
Why? Just...why?
With Linux, try reading files you don't own on an NFS mount when you're root. Doesn't work there either.
Re:sudo make me an admin (Score:2)
That is up to the nfs server. A client says they are root and the server by default remaps to nobody because by default it considers the client machine as having no business being root (though you can no_root_squash).
Re:sudo make me an admin (Score:2)
I've never had much luck explaining that to users. They just keep telling me that they "have permission" and I keep telling them that they really don't, and quit trying to run "sudo" commands in your NFS home directory.
Re: sudo make me an admin (Score:2)
Yeah, Iâ(TM)ve always loved that one!
Windows is the ultimate in Security Theater...
Re:sudo make me an admin (Score:2)
What are you talking about?
Re:sudo make me an admin (Score:5, Insightful)
Because the act of taking ownership of a directory requires user interaction in that scenario. With the default settings the screen goes dark and you get a UAC prompt front and centre asking you to confirm that you want to take ownership.
Therefore any malware running under your user account can't simply take ownership. It would have to trick you into accepting the UAC prompt as well.
This is a really good idea. Admin accounts should not be all powerful, certain actions should require confirmation even for root.
And by the way you are doing it wrong. You just need to edit the permissions on the directory, you don't need to take ownership.
Re:sudo make me an admin (Score:2)
"Some experts argue that it is the popularity of Linux that makes it a target."
Oh, the irony...
Re:sudo make me an admin (Score:2)
Why? Just...why?
To trigger a UAC prompt and prevent the user accidentally executing malware under their admin privileges that would be able to do it automatically.
The extra hoop is a specific security feature. A feature which you may not be using if you disabled UAC. Even admins trigger UAC because an Admin is not "root" they are merely a very privileged poweruser that can trigger certain actions using "system" privileges but can't actually log in with such privileges.
Years of idiots running Windows as admin users, and Linux as root users drove this behaviour.
Re: sudo make me an admin (Score:2)
That article is nonsense: just because a security feature has a bug doesnâ(TM)t mean itâ(TM)s not a security feature. A bucket with a hole is still a bucket, it just needs to be fixed.
Re: sudo make me an admin (Score:2)
so?
Re: sudo make me an admin (Score:2)
Intentional holes exist in all privilege elevation systems, otherwise the user would need access to system credentials rather than their own. What UAC does is no different than what Linux does using sudo, it elevates admins to the root without ever exposing the root or requiring the root password to be known.
You seem to think a security feature is only a security feature as wall without doors or checkpoints. You're wrong.
Re:sudo make me an admin (Score:2)
Some people are stupid. The presence of an intentional access through a security barrier for specific purposes does not make it less of a security barrier, that's the entire purpose of the barrier in the first place *control*, not complete lockout.
So back to the original point: Are you trying to imply that forcing a user to acknowledge a prompt which can only be acknowledged by the local user, not over the network, can by policy additionally be tied to credential requirements is not a security feature?
I guess then having users not logging in as root is also not security in Linux simply because sudo exists, a statement which is absurd on the face of it.
Re:sudo make me an admin (Score:2)
They are Windows users - clear evidence that their brains are not working correctly.
Re: sudo make me an admin (Score:2)
Like administrator access granted the "run as administrator" option.
FUD (Score:4, Insightful)
Excellent work "BlackBerry" - this is the same FUD we got all through the late 90s, remember the slapper worm, that one was "proof" that Linux was insecure, although if you actually read the details the worm is in Apache/OpenSSL. Heartbleed, same thing. I dont recall ever hearing about a kernel level worm...
Re:FUD (Score:5, Insightful)
The headline is not only wrong, the person who wrote it is ignorant to even think it.
Re:FUD (Score:4, Insightful)
> The headline is not only wrong, the person who wrote it is ignorant to even think it.
It's clickbait. The nerd lure says, "this headline can not be allowed to stand!" on the side.
Don't be manipulated. Don't incentivize their game.
Re:FUD (Score:5, Insightful)
remember the slapper worm, that one was "proof" that Linux was insecure, although if you actually read the details the worm is in Apache/OpenSSL. Heartbleed, same thing. I dont recall ever hearing about a kernel level worm...
Of course, Windows was the same way, for the past 15 years or so. Once the last of the Win95-legacy was put down.
TFS makes the excuse that the weaknesses are mostly due to poorly configured/administered servers, but usability is a core part of security. If people can't figure out how to lock the door, it's a problem with the design. If people don't bather to lock the door, because it's overly inconvenient, it's a problem with the design. Humans with all our flaws must be included in any security planning. This is why "default to secure" is good. This is why "elevate to the least needed access" is good.
People will screw up, and people will be lazy. Designing for that is required for good security. Stop designing things where it takes an expert to make it secure. Design things so that it takes an expert to weaken security, where the admin thinks that's the right trade-off.
Re:FUD (Score:4, Insightful)
Vulnerabilities in apache/openssl/etc are cross platform and can affect any system where this software has been installed...
TFS makes the excuse that the weaknesses are mostly due to poorly configured/administered servers, but usability is a core part of security. If people can't figure out how to lock the door, it's a problem with the design
Usually a Linux server is quite secure by default, it will have at most an ssh service exposed remotely, modern distros will force some level of password strength and won't allow you to login remotely as root. Contrast with windows which even in a non-server configuration runs SMB and a whole bunch of RPC services under a high privileged user by default.
Generally when a linux server is insecure, it's because the user has explicitly unlocked the door, not left it unlocked. These days linux servers are typically being compromised via insecure webapps and weak passwords. This is not a case of totally clueless people putting default installs out there, this is people who think they're more competent than they really are, or who know what they're doing but aren't given the time/budget to do things properly.
And exploiting linux servers hasnt just happened for 8 years, people have been attacking them for a lot longer than that. Back in the 90s, linux distributions would typically come with all kinds of unnecessary services by default and exploits of the default configuration were very common
Re:FUD (Score:3)
Contrast with windows which even in a non-server configuration runs SMB and a whole bunch of RPC services under a high privileged user by default.
Consumer windows has a lot of consumer convenience stuff running, but then Ubuntu isn't exactly stripped down either. Don't compare a Linux server distro to consumer Windows. Windows Server is very bare bones by default. (And of course it doesn't run SMB, which is a reverse-engineering of CIFS.)
Generally when a linux server is insecure, it's because the user has explicitly unlocked the door, not left it unlocked. These days linux servers are typically being compromised via insecure webapps and weak passwords. This is not a case of totally clueless people putting default installs out there, this is people who think they're more competent than they really are, or who know what they're doing but aren't given the time/budget to do things properly.
Sure, but Windows is no different. There a reason that, even in the consumer space, threats have largely changed to browser attacks and trojans. OK, really, threats have mostly moved to the phone, but even then there it's largely browser attacks and trojans.
Re:FUD (Score:4, Insightful)
Windows server has the "server core" option now, but very few people seem to use it...
The full install is anything but bare bones, and basically has all of the consumer junk too.
And yes windows does still have SMB by default, even on server core. Even if a linux system does have smb installed, it's a userland program and not tightly integrated into the system so the risks are lower.
Re:FUD (Score:2)
"but very few people seem to use it"
That's because you have to install the "desktop experience" and its whole attack vector if you want to use and manage WSUS.
Everything else can be run on server core and managed remotely.
Re:FUD (Score:3)
(And of course it doesn't run SMB, which is a reverse-engineering of CIFS.)
No, SMB was the original protocol developed by IBM/Microsoft (not 100% sure which of the two actually created it, but they both used it). It was later renamed to CIFS (Common Internet File System) and Microsoft submitted at least some of the specs to the IETF as drafts.
Samba is the server that came from reverse-engineering the SMB protocol used by LAN Server.
Re:FUD (Score:2)
Of course, Windows was the same way, for the past 15 years or so. Once the last of the Win95-legacy was put down.
That’s a trifle simplistic. Neither Blaster nor Slammer had anything to do with legacy Windows 95 compatibility.
Re:FUD (Score:3)
From my own experience one of the primary headaches when it comes to security issues are packages like PHP. There's always something that's written for an older version of PHP that can't be easily upgraded and which prevents upgrading that damned thing. So when someone decides to break backwards compatibility for an application that is used for public exposure they are themselves creating a security issue for a huge number of sites. It's not a simple task to upgrade to new versions of all the applications written in that language - because some of them may have been done quite a while ago and you'd need to find someone that can fix them because there's no support on it or it's abandonware.
There are of course other services as well that suffers from this.
Is secure? (Score:5, Insightful)
Re:Is secure? (Score:3)
Re:Is secure? (Score:3)
OpenVMS disagrees.
Re:Is secure? (Score:2)
So does OS400 (IBM i)
Re:Is secure? (Score:2)
Re:Is secure? (Score:2)
BSD is most secure.
Isn't that because it's dead?
True - and certain security definitions are proven (Score:2)
That's true.
Also if you care to be pedantic, to say something "is secure", in the sense that it can be mathematically proven, one must first rigorously define what "secure" means. There are several definitions, different types of security that can be mathematically proven and disproven similar to a geometric proof.
Any kernel with a lot of proven security guarantees must be tiny at this point, and therefore not useful on a general PC. Windows and CentOS are much too large and too complex to be an to do proofs on. However, of the commonly used PC operating systems, only Linux has ANY security guarantees for any part of it at all. So with a chosen definition of security, and chosen Linux mini-kernel, one can say that Linux is proven secure. (Again by choosing a selected definition for "secure"). One cannot do the same for Windows. There is no security guarantee for any part of Windows.
All that is mostly academic. It doesn't tell you much about practical use. What tells you something of practical value in ordinary use is to look at the announcements each patch Tuesday. Each month, once or twice a month, we get a long list of newly discovered significant vulnerabilities in Windows. Linux doesn't have a designated day of the month for releasing a long list of vulnerabilities - it doesn't need one.
ls -R has a CVE (Score:2)
> But as good as never anything is exploitable remotely.
You might be surprised just how silly some of the CVEs are.
One, for example, boils down to "the local user can run ls -R
If they run many instances of ls -R they'll make the system pretty busy". The person reporting it choose an indirect way of running ls -R, but in the end that's all it is.
You're right to watch for remotely exploitable ones, and also privilege escalation. An RCE flaw combined with privilege escalation is how bad stuff happens.
Re:Is secure? (Score:2)
Anything not airgapped is insecure... And then you rely on physical security.
Re:Is secure? (Score:2)
Re:Is secure? (Score:2)
in a vault somewhere no one but you can get at it
Is the same as saying "using a password only me know".
"Out of the box" linux is pretty secure (Score:2)
It's when you start adding services and applications and libraries that things can get hinky.
Especially when you're grabbing all kinds of app libraries to support what you're trying to do, from who knows where, and you're not constantly checking the code, or what is actually running on a system.
The other things I've seen is not putting systems behind firewalls, or loading up servers (physical or virtual) with many different applications (web, db, file transfer services, mail...) all on the same instance.
If you don't know how to install systems/services securely, you should probably practice for a while before becoming a SME.
That 10 day online cloud deployment course is only as good as the instructor/materials and years of painful bitter experience are still ahead of you.
Re:"Out of the box" linux is pretty secure (Score:3)
The other things I've seen is not putting systems behind firewalls,
Or assuming that simply having "a firewall" is a magic bullet...
What is a firewall? in most cases it's an embedded linux system these days anyway, so by adding a firewall you now have an additional system that could be attacked, that you have to manage and patch incase it gets exploited.
Then consider the machines you'd put behind the firewall... Lets say i have a webserver, it has ports 80 and 443 open so i'd need to allow those ports through the firewall... Maybe i need to manage it remotely so it also has ssh.
Since it doesn't have any other services, the firewall isn't actually blocking anything.
If someone finds a vulnerability in the web service, the presence of the firewall doesn't help.
If someone finds a vulnerability in the firewall itself, the presence of the firewall is detrimental.
So in this instance the firewall adds latency, reduces throughput, adds administrative overhead, adds a point of failure, decreases security and doesn't prevent the most likely attack vector.
Re: "Out of the box" linux is pretty secure (Score:2)
If you allow ssh from the same sources you allow http and https, you're either running an internal-only web-based app for your sysadmins (e.g. monitoring web front-end), our you're "holding it wrong".
Re: "Out of the box" linux is pretty secure (Score:2, Insightful)
It's not irrelevant. What's irrelevant is WordPress security holes for the 99.9% of Linux not running WordPress.
Re: "Out of the box" linux is pretty secure (Score:2)
Oh really? As far as I know, both Nginx and Apache are completely non-functional out of the box. You have to configure them to start as a service, you have to open up ports, you have to setup virtual hosts or whatever, etc.
MariaDB is similar. Doesn't allow anything but a local root Unix socket connection out of the box.
I think it's far more likely that you just don't know what the fuck you're doing. Setting these apps up securely isn't even all that hard. You just have to know like the first thing about security.
If a trojan is the only way to break in.... (Score:4, Interesting)
Misconfiguration (Score:2)
Re:Misconfiguration (Score:2)
Re:Misconfiguration (Score:2)
Linux allows you to configure it in ways that some will not find useful because it is meant to do everything.
Any OS (or kernel) of which that is not true is limiting you somehow.
Linux provides several mechanisms to limit configuration so that you don't shoot yourself in the foot. If you don't use them, that's your problem.
Re:Misconfiguration (Score:2)
The problem being that in this context, any platform will be abused. Linux is particularly popular in this age of very fluid spin up of containers and VMs because the licensing is permissive. Windows licensing for such a dynamic circumstance is obnoxious, even if you were willing to pay.
To the extent a platform offers security, it gets overlooked because generally enhanced security means harder/more tedious to use/develop for. You have to be more explicit about what your program is expected to do (to some extent, doing the thing that will need permission then separately describing elsewhere that the permission will be needed. When deploying, the user frequently may either explicitly add/approve every rule the application desires, or else just 'allow everything'.
We can say it's more secure than others (Score:5, Insightful)
It's more secure than Windows or OSX. It's not impervious, but what is? And when a hole is found, it's patched faster, too.
Sure, there are more secure operating systems, but none of them are realistic for desktop or handheld use, and few are reasonable choices even for limited-purpose servers.
Re:We can say it's more secure than others (Score:4, Interesting)
What makes, say, Ubuntu more secure than modern Windows? Or a Linux server distro more secure than Windows server? Both are most vulnerable when a user decides to install something outside of the recommended install process. Admittedly, it's more culturally accepted on Windows to just download and install software from some non-curated place, and maybe you can blame Windows itself for that. Anyone know if you can install Firefox through the Windows store?
But in terms of the actual OS design, both have secure kernels where actual kernel vulnerabilities are quite rare. Both have explicit user elevation to admin/root required to do dangerous things. The one advantage I see for the Linux side is that it's a lot easier for a third party to hook their update mechanism to the OS's built-in update mechanism, instead of everyone rolling their own.
The days when Windows ran everything as admin by default are a distant memory now. Hopefully no one keeps an XP box around that's still on the internet.
Re:We can say it's more secure than others (Score:2)
What makes, say, Ubuntu more secure than modern Windows?
From an end user perspective, the issue you point out - that users install from random places instead of through a repository. Linux distros have used a repository model for many years, and if you look at slashdot comments from the late 90s and early 2000s you will see this often claimed to be a weakness of linux because users "want to install random software they've downloaded or bought", until ios/android came along and demonstrated on a mass scale that the repository model works extremely well for non technical users.
From a kernel perspective this also includes drivers, and windows users are far more likely to be installing dubious drivers supplied with a cheap peripheral they bought from china, or kernel drivers installed as part of a game etc. There are all kinds of dubious things that install kernel drivers on windows (games, vpn software, audio cds, security software etc) and these often introduce vulnerabilities into the kernel.
Then you have things like SMB and RPC... Running by default as a highly privileged user, extremely complex protocol, history of exploits and even vulnerabilities being discovered in the most recently implemented features (see the smbv3 compression vulnerability), not to mention design flaws like hash passing.
Then you just have the inherent complexity... The more complex a system is, the more likely there are to be bugs and the less understanding the users have of how the system functions. windows is simply far more complex than linux.
Re:We can say it's more secure than others (Score:3)
windows users are far more likely to be installing dubious drivers supplied with a cheap peripheral they bought from china, or kernel drivers installed as part of a game etc.
Custom drivers, user installed, are largely a thing of the past, being beyond the technical competence of the average user. Games almost always come from walled gardens, such as Steam.
In theory the Windows store can fix the remaining issues, but I don't know if there's been much adoption of it. It certainly remains a weakness until most of the common free downloads can be installed from there.
Then you have things like SMB and RPC
The do have a history of exploits, but that's mostly history. Perhaps there's more cruft running on consumer Windows than Ubuntu these days, but Ubuntu certainly has its share of cruft.
windows is simply far more complex than linux.
Linux has gotten a lot more complicated over the past 15 years, though. I'm not sure what perspective you're seeing Windows as more complex these days. The internals? Windows as always has a simpler learning curve when you want to do simple things, and is maddeningly obscure when you want to take a step off the beaten path, but I htink that;s more an issue of familiarity than complexity. If you're talking about the system interfaces, they mostly converged in functionality a long time ago. I do think Windows permissions elevation through the system interface are overly fine-grained, to their net detriment. The added complexity there seems to hurt more than it helps, for all that you can theoretically have a narrower group of elevated permissions for a thread.
Re:We can say it's more secure than others (Score:3)
User installed custom drivers are extremely common, take this story from just a few days ago talking about a kernel driver installed as part of a game:
https://www.extremetech.com/ga... [extremetech.com]
SMB security holes are certainly not history, a new vulnerability was discovered just last month:
https://nakedsecurity.sophos.c... [sophos.com]
No linux distro has something so complex, opaque and deeply intwined inro the system running by default.
And yes the complexity... All the millions of undocumented registry keys, all the years of cruft and multiple versions of libraries, the various ways to do things... The internals of windows are massively more complex than linux, which gives plenty of scope for further vulnerabilities to be found.
Re:We can say it's more secure than others (Score:2)
User installed custom drivers are extremely common
No their not.
SMB security holes are certainly not history, a new vulnerability was discovered just last month:
No linux distro has something so complex, opaque and deeply intwined inro the system running by default.
Is this any different than NFS which has over its history had a functionally equally abysmal security record?
And yes the complexity... All the millions of undocumented registry keys, all the years of cruft and multiple versions of libraries, the various ways to do things... The internals of windows are massively more complex than linux, which gives plenty of scope for further vulnerabilities to be found.
How many display servers, window managers and desktop systems are there for Linux? Today it's basically impossible to compile non-trivial software and have it run on any other Linux system without stipulating specific versions and distributions. It's why all of the software is prepackaged (and often severely outdated) or you have to compile it yourself... otherwise it won't run at all.
Windows and Linux are both general purpose operating systems with long boundless histories of privilege escalation vulnerabilities. Whatever architectural differences between them means nothing in the end. They are both Swiss cheese and both of their security records establish this.
Re:We can say it's more secure than others (Score:2)
User installed custom drivers are extremely common
No their not.
SMB security holes are certainly not history, a new vulnerability was discovered just last month:
No linux distro has something so complex, opaque and deeply intwined inro the system running by default.
Is this any different than NFS which has over its history had a functionally equally abysmal security record?
Well, yes. What is wrong with you? "Installed by default, unremovable and OS won't boot without it" is very very different from "Installed by user only when they want it, easily removed and OS doesn't notice if it is there or not".
Alternate way of looking at it: All windows installations have SMB, a tiny fraction of Linux installations of NFS.
Re:We can say it's more secure than others (Score:2)
Well, yes. What is wrong with you? "Installed by default, unremovable and OS won't boot without it" is very very different from "Installed by user only when they want it, easily removed and OS doesn't notice if it is there or not".
I don't agree with the characterization. Linux distros universally have the RPC server installed and running whether you ever decide to use NFS or not.
In Windows Network filesystem access defaults depends entirely on the network type you select. It's all inaccessible behind a stealth mode firewall BY DEFAULT when you select public network.
Alternate way of looking at it: All windows installations have SMB, a tiny fraction of Linux installations of NFS.
My experience is most Linux systems will have some form of file system access installed. NFS, SMB, SCP. It's a little disingenuous to say well there are a whole bunch of options on Linux and one on Windows so therefore one specific one is not as prevalent as SMB usage on Windows.
Re:We can say it's more secure than others (Score:2)
Fresh install of debian performed 10 mins ago:
# ps aux | grep rpc
root 2339 0.0 0.0 6076 896 pts/0 S+ 12:45 0:00 grep rpc
no rpcbind running...
The only listening network service is SSH:
And i had to explicitly choose to install that during the installation, it wasn't enabled by default.
Re:We can say it's more secure than others (Score:2)
talking about a kernel driver installed as part of a game:
That's not a user installing a driver, that's a user installing a game. Games for almost everyone come from walled gardens, such as Steam. "Custom kernel driver" sounds like "obnoxious anti-cheat rootkit", which consumers are generally aware of, so if your argument is "Windows is unsecure because people knowingly install root kits to play games", them, um, OK?
MB security holes are certainly not history, a new vulnerability was discovered just last month:
And there was one in 2017. This concerns you? Whatever OS you run, it will need patching monthly. No getting around that.
And yes the complexity... All the millions of undocumented registry keys, all the years of cruft and multiple versions of libraries, the various ways to do things...
All the init systems and binary log files, all the different package management systems and the way each deals with conflicting dependencies ... yeah, you complaining about unfamiliarity, not a difference in complexity. Windows now has a single uniform way to deal with dll version dependency conflicts, and has for over 10 years now. Linux startup and service management used to be simpler than Windows, being a set of simple init scripts, but systemd fixed that.
Re: We can say it's more secure than others (Score:2)
By default, Windows users have more permissions,
Oh, like what? Are you sure you're not thinking of WinXP?
the escalation for Administrator is much more frequent and more intrusive, so more people just make themselves Admin.
Make themselves admin? Being part of the admin group doesn't avoid the escalation pop-ups. How is it more intrusive? Are you talking about the system admin experience here, or the typical home user experience?
It's nearly so hard to find Windows users running a web browser as Administrator.
I mean, it's technically possible to do that, I guess, but it certainly takes more expertise than your typical home user has, you never normally get auth pop-ups while web browsing, but if you configure a program to run as admin in the normal way in Windows, you get an auth pop-up every time you launch it, so no one is going to find that more convenient. Are you sure you're not thinking of WinXP?
Most of MS's advanced security is in fact a feeble response to mitigate the problems introduced by their users due to poor security design.
Asserted without evidence. Dismissed without evidence. We're not talking about WinXP here.
Re: We can say it's more secure than others (Score:2)
For the most part, you either get security or ease of use, hard to have both. Most users of windows opt for ease of use foregoing higher security. Nobody wants to have to type in 5 passwords and hit 4 prompts for 2 factor on systems they use for youtube and email...
Re: We can say it's more secure than others (Score:2)
Note I'm only going to talk about the GUI interactive experience, because I'm not entirely sure about headless UAC behavior in Windows.
By default, sure, you are an 'admin', but it's basically like Ubuntu's use of sudo. To gain privilege you must accept a UAC prompt of some form or another. I could understand the fact that it doesn't require password (by default) seems insecure, but UAC is integrated with the graphics stack so that you can't make a UAC-elevation control without either the dialog or the shield icon on the button. Since Linux graphics stacks don't really offer that sort of thing, you have to enter password (by default). The assumption being your screen would lock if you walked away, so an unlocked session means no additional authentication required.
One problem with the Linux desktop approach is that any application can open a dialog that *looks* like sudo prompt and gather the password. In Windows, a UAC prompt can be faked, but it would be "weird" for most people to see a password prompt, so the spoofing application wouldn't get anything. Same goes to lock screen, an application can reasonably guess the appearance of your lock screen and render that. In windows if you are paranoid you can clt-alt-delete and see that nothing happens to make sure it is the actually lock of login screen (secure access key).
Now I prefer Linux desktop platforms mainly because I like the system design better and Plasma is my favorite desktop environment, but Windows does have some interesting security design benefits for local use (mainly from XP growing pains where despite proper multi-user support, everyone ran as admin because the ecosystem demanded it), though their remote services that are enabled have bitten them so many times.
Of course, in practical terms, all this is about services and webapps and such, which neither platform can protect from crappily developed apps.
Incorrect title (Score:5, Insightful)
Title: After 8 Years of Remote-Access Trojans Attacks, Can We Still Say Linux is Secure?
Summary:"Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration."
Proper title: After 8 years of Remote-Access Trojans Attacks, Linux Administrators have still not mastered their craft
Anyone who said that 8 years ago was a fool (Score:3)
Linux can be secure-ish, but it takes work, monitoring and maintenance. Or as one professor put it some 31 years ago:
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
-- Gene Spafford, 1989.
Anyone looking for a computer that they can set up and then forget can be breached.
Re:Anyone who said that 8 years ago was a fool (Score:2)
Any system requires work, competent initial setup, competent ongoing maintenance and competent monitoring.
In this regard linux is better than windows in a variety of ways...
Initial setup - the system being more modular and flexible allows you to strip away everything you don't need, giving a smaller attack surface and a lower ongoing support burden.
Maintenance - with a smaller system, less maintenance is required, with the repository model its easier to apply necessary updates and verify that files have not been tampered with.
Simplicity - with a simpler system, the chance of the staff tasked to manage it fully understanding whats going on is higher.
But the key point is having the up front and ongoing resources to do things properly. If you don't have competent staff managing your systems they will be insecure.
And this also goes against windows, as microsoft for years were marketing their products as not requiring expensive (ie competent) sysadmins to keep running.
Re:Anyone who said that 8 years ago was a fool (Score:2)
Linux can be secure-ish, but it takes work, monitoring and maintenance.
I tend to think it takes work to make Linux insecure. Out of the box sane clean installs have nothing, or next to nothing installed that would make them insecure. It's the effort (or lack thereof) of the administrator installing and misconfiguring services that changes that state.
Of course the same can be said for many operating systems. It all comes down to the user.
Comment removed (Score:5, Interesting)
Re:You can lead a horse to water (Score:2)
deploy the code? make the CI user sudo.
They even laughed that I was shocked by it!
Re:You can lead a horse to water (Score:2)
You forgot:
-sudo won't work in automation, add NOAPSSWD to sudo, then take comfort that you are secure because "at least you aren't running as root'
-npm/pip/gem install random libraries from random sources whenever the developer provides an update
-npm/ip/gem lock a dependency to something ancient because no one wants to test updates and live with any vulnerabilities
Is there any actual hard data? (Score:2)
People like to make the "opensource is inherently more secure" argument, but I don't think I've ever seen it proven with numbers. It seems to be a belief rather than a fact, "it must be more secure because of the way it is".
If you look at the actual number of exploits, and admittedly this doesn't take severity into account, it just isn't true. Linux distros or the Linux kernel almost always have more vulnerabilities than Windows: https://www.cvedetails.com/top... [cvedetails.com]
Re:Is there any actual hard data? (Score:2)
What facts would you accept? Scientific analysis of the nature of vulnerabilities, which are rarely reported pulicly for closed source tools? Audits of the number of vulnerabilities reported?
It was an absurd thing to say to begin with (Score:4, Insightful)
The premise was flawed to begin, born from the hubris of Windoze sucks. Security is very much like TQM, it isn't something that you achieve and walk away from. Security is a process that continually evolves and improves and by definition is never solved. Microsoft had their egg on their face. They moved on years ago, but a lot of other people never did.
Only a fool gets religious about an OS. No OS is fundamentally secure. Pwn to own and other competitions pretty consistently take down all contenders in short order. By their nature they have to be used and opened to production use cases. In the real world CIS server hardening standards exist for a fair range of modern server class operating systems.
You can make pretty much any server class OS fairly secure with CIS server standards as your baseline, but it takes a lot more than that to keep it secure. Any organization worth their salt will use a lot more than the OS itself to secure their servers.
I am reminded of when I worked at a very large university that has thousands of Apple Mac computers. They composed about 30% of the user base and at least 75% of security related tickets. Why - because the people who had them could not be bothered to maintain them or practice safe hex since "Mac OS doesn't get viruses or hacked". Your security practices and users make more of a difference than the OS itself.
Re:It was an absurd thing to say to begin with (Score:2)
It wasn't absurd when it first was said, back in the 90s when home computers were running OSes without any *real* multi-user support and as such every person was really admin (MacOS classic and DOS/Windows 3.x/9x).
Even as Windows XP marked the switchover to a credibly multi-user design, it still deserved some criticism as it failed to cope with an ecosystem that made every consumer basically have to be admin still.
From Vista onward, Windows largely had the fundamental security architecture down. Of course to this day CIFS and RDP have presented problems more than the typical default set of Linux services on a desktop.
But you are right, the problems are overwhelmingly crappy applications and no good way for consumers of servies and software to immediately tell that the software is crappy on security.
Re:It was an absurd thing to say to begin with (Score:2)
You are right that Windows security was horrible back then, I clearly remember just how bad things were - Code Red and Nimda in particular come to mind. The 9.x series was completely hopeless. I remember Larry Ellison hiring every bug exterminator in Seattle to drive around the Microsoft campus when W2K was released due to how buggy it was. Sloppy programming practices for bugs impacted security just as badly as system stability. Amusingly Oracle never got their own memo and still has buggy software and their security never improved much at all compared to Microsoft.
As for *nix flavors, in those days they were inherently better as security was at least conceptually designed in instead of being bolted on afterwards. Hindsight gives us perfect 20/20 vision where we can now look back and say that everything from those days was broken. In retrospect I find it amazing that we did not have a lot more well known public breaches than we did.
I am not defending Microsoft any more than I am attacking *nix. I do not do religion on an OS, it is just a tool. I just wanted to make my point about security being a process. The original submitter had the wrong idea in their head and failed to comprehend very basic fundamentals of security.
A foodl with a tool is still a fool (Score:2)
Re:A foodl with a tool is still a fool (Score:2)
You should differentiate between Windows in a domestic situation, and windows in a business/enterprise. Windows Home *does* put up a feeble warning about "software from the internet could damage your computer", but it's better than nothing, AKA the bad ol' days.
For business/enterprise, it's a trivial exercise to roll out a group policy to stop users installing whatever they want.
Blackberry the patent troll says? (Score:3)
“Compromising Linux web servers allows for the exfiltration of massive amounts of data that can be obscured within the high volume of daily web traffic”
How is the Linux web servers compromised in the first place?
“Linux’s command-line interface also makes it less widely accessible
What is this anti Open Source Microsoft FUD doing on slashdot?
“The combination of poor security solution coverage for Linux and highly tailored, complex malware has resulted in a suite of adversary tools that has largely - if not entirely - gone undetected for years.”
“PWNLNX1 was designed to work with a Local Kernel Module (LKM), which enabled it to perform a number of rootkit functions”
How does this PWNLNX1 backdoor get onto the computer in the first place?
“Akamai observed that the botnet grew in size after using brute force attacks to obtain the password for the target Linux server”
What is this decades old, anti Open Source FUD doing on slashdot?
BlackBerry Moves to Make Money From Its Patents [fool.com]: “Another pillar of BlackBerry's turnaround is its effort to monetize its portfolio of over 44,000 patents through royalties and licensing fees”
Re:Blackberry the patent troll says? (Score:2)
It's here because lessons have to be relearned or retested as software changes. Windows, for example, has gotten bett4er. Not necessariliy good enough, but the browsers and mail clients have stabilized.
Translaughing: CEO-Speak to Real-Thought (Score:2)
Endpoint protection, detection and response products are inadequately utilized by too many Linux users, and endpoint solutions available for Linux systems are often insufficient in combating advanced exploits.
I will not invest in training for my employees, to use the tools available, correctly - there is enough open tuts out there and there is stack/buffer-overflow.
Eric Cornelius, Chief Product Officer at BlackBerry, evaluates: "Security products and services that support Linux, offerings that might detect and give us insight into a threat like this,
Our software is so shitty and we invest no resources into implementing testing and logging. So we need to rely on behind-last-line-of-defense-systems (remember LoTR: the brawl inside the stronghold)
are relatively lacking compared to other operating systems, and security research about APT use of Linux malware is also relatively sparse."
We would like others to invest in securing, investigation, and researching our shit - not us ofc - we'd like to put out apps not security.
Linux strength goals and architecture (Score:2)
Interesting, I always considered the architecture and goals of Linux and open source developers to be superior as the reason why it's better in the security and stability front.
Open source high profile software is made by technical people for themselves and their like. Which explains why it's (partially) not broadly adopted by the masses. On the other hand, the primary goal being the implementation of some functionality will make it serve that given enough push. Windows, on the other hand, is made by developers to make money for the company they work for. That's why Microsoft Windows is really great. Just not for the regular end user.
It explains also, why I can send an email on Easter Sunday to the email address I found in the system description of the driver that wouldn't let my new system's bus work at its maximum rated speed, and find a mail a day later with the patch. And why I have yet to receive an answer from Microsoft about any shortcoming of Windows that has irked me. They don't care, because they don't have to.
The point is gravely missed (Score:2)
VMware and sk_buff is my backdoor... OpenVPN too (Score:2)
sk_buff is a pretty little beast. It's such a shitty piece of code that it's impossible for people to understand how to use it properly. The documentation is almost always out of date and because people keep trying to "fix it" they generally compound the problems. I'd be a little surprised if anyone in the kernel development team has any idea how (or if) it works anymore. There are so many places where using it leaves memory leaks or dangling pointers etc... race conditions etc... that all you need to do to launch an effective attach is search the kernel tree for modules which use sk_buff directly and aren't really maintained. Pretty much a lot of that code is generally doing things that shouldn't be done with sk_buff.
And of course there's the endless amount of code which misuses rbtree and list. It's pretty funny how after 50 years, the C programming language still doesn't have any possible way of understanding a string, a list or a tree and is utterly unable to run any form of static code analysis on them. Forget lint and other tools... they won't help in the kernel tree. This is because writing data structures using macros makes things like lists and trees impossible to analyze. Token pasting was the worst feature ever added to the C preprocessor... it made C a bomb just waiting to explode.
Oh... as for nice, wide open front doors... I LOVE OpenVPN. It's amazing how C purists do so much damage. x509 should never ever ever be processed or parsed using non-object oriented coding. This doesn't mean you have to drop C, but it does mean that when processing buffers and strings and lists and trees and character encodings, they should be done with something at least like glib from Gnome. All the "not made here" shit in OpenVPN's certificate negotiation makes it so there's a gaping buffer overflow condition almost every 50 lines of code. I think it's one of the absolute worst examples of C coding I've encountered in decades. Every time someone adds a feature to the x509 code (which happens often), there's probably 3-4 places that just opened up for code injection attacks.
Now, before you start bitching about how I'm pro-this or pro-that and I'm an anti-Linux loser. From a security perspective, I'm pretty much anti-everything. I can tell you about nasties in Windows, Cisco IOS, Apple products and more. I don't look for them... I just stumble on them all the time. And to be honest, I really just don't care. I try to send reports, but if it looks like it'll be too much work, I just don't bother.
Cisco is the worst. I used to try and contact the about exploits I've stumbled on... like for example, a remote code injection in CDP on IOS XE (which is very very very visible on 3.7.2 when passing pnp vlans)... and I described the problem in an e-mail but I'm not a security researcher and there's no code bounty... I'd be willing to help them reproduce it, but they pretty much wanted me to spend days of work on it for free... Cisco's policy is "It's not a security vulnerability unless you're threatening to publish it". So... screwem... there's lots and lots of problems like that in Cisco products... but they make it too much work to report it and from what I can tell, most of their code has absolutely no unit or integration testing, so there's really no point in helping them fix something which will just break again tomorrow.
Nobody sane ever claimed that (Score:3)
The claim is that Linux can be secured much better and much more easily by a competent admin than the alternatives. An incompetent admin can do arbitrary damage, because Linux assumes that competent admin.
Re:OpenSSH security (Score:3)
If I expose my SSH port on the 'net with only key-based authentication (no passwords) allowed, is that a sufficient amount of security to thwart intruders?
Set up a different external SSH port (not port 22) on your router forwarded to the port 22 on your box.
That should get rid of most of the script kiddies looking for port 22 access right away. I did this a while ago and the attempts went from hundreds a day to almost nothing.
Then run something like fail2ban to automate banning of IP addresses that make failed connection attempts more than whatever thresholds you set up.
If you wanna go nuts, there are lists of ip ranges for places like China and Russia...
Re:OpenSSH security (Score:2)
Make your SSH service only available over IPv6 too, bound to a separate address than other services...
Sweeping large address ranges looking for service is not practical over IPv6, so it doesn't happen. Attacks against IPv6 only occur against services that are published publicly, eg web servers that can be found via search engines.
Re:OpenSSH security (Score:3)
Same with windows RDP, throw it on a weird port and attacks go down some. But security through obscurity only really stops the random script kiddies who don't know what they are doing for the most part.
Re:OpenSSH security (Score:2)
Same with windows RDP, throw it on a weird port and attacks go down some. But security through obscurity only really stops the random script kiddies who don't know what they are doing for the most part.
That's good enough for me - it means that if anything shows up in the logs I need to take it seriously. Security through obscure ports prevents attackers from spamming your logfile in the hope that you will miss the one that got through.
Re:OpenSSH security (Score:2)
I really hate fail2ban. I just use AllowUsers to block everything except the few users that are allowed in. Never seen any script kiddy even getting near guessing a valid user name let alone the matching password...
0r@cle
1234
12345
123456
123456789
123456zx
1234!@#$qwer
1q2w3e4r5t
1qaz@wsx123
2468
aa
abc123
abc!@#123
ac
admin
Admin
admin1
admin1234@
admin2
Administrator
ah
ai
etc...
Re:OpenSSH security (Score:2)
All are stepss towards security. They don't stop a fool outside your network with a vulnerable laptop and who has keys that allow them _into_ your network.
Re:OpenSSH security (Score:2)
If I expose my SSH port on the 'net with only key-based authentication (no passwords) allowed, is that a sufficient amount of security to thwart intruders?
Set up a different external SSH port (not port 22) on your router forwarded to the port 22 on your box.
On my VPS I set ssh to listen on $RANDOM_HIGH_NUMBER instead of 22. Same effect - went from literally hundreds of attempts per day to no attempt in the last year.
Yes-ish. Layers, value, non-standard port (Score:3)
A box is pretty secure with only ssh exposed, set to keys only.
Of course it's a good idea to have it updated too. There have been some imperfections in the last 20 years, so it's a good idea to update regularly.
It's ALSO a good idea to have layers of security, so that even IF there was a vulnerability in ssh authentication, you'd have something else to let you know there's a problem. For example, Tripwire will alert you to any system files changed on the machine.
"a sufficient amount of security" also very much depends on what is on the machine. A company I may end up working for, DTCC, processes $1.6 QUADRILLION each year. That's $152 million / second during business hours. The level of security sufficient for their root private key is very different from the level of security sufficient for your home media server.
Re:OpenSSH security (Score:2)
The real problem lies in Linux being a very popular platform for crappy devs to deploy their crappy webapp onto.
These devs will run things as root that do not need to run as root.
They will have open ports that accept communication without any authentication, because that's the easy way to do it.
The crappy web dev then gets a fanbase and their stack deployed across thousands of users who will get more mad at security mechanisms they have to disable to get the thing to work than at the application for requiring them to disable all those things. The security mechanisms are getting in the way of the value that the app is trying to provide them, and the value of the security mechanisms is only felt after you screwed yourself over..