When it comes to launching online attacks, criminals are getting more organised and branching out from the Windows operating system, says eBay’s security chief. eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay’s chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University. “The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,” he said.
This is what happens when people use the root account for everyday desktop usage.
This is what happens when you run SSH with weak passwords (ideally root ssh login should be disabled, keypairs used, and default deny all in hosts.deny).
People think this is for their *own* protection, but it’s not. It’s to keep us *all* safe.
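The advice in the comment above (no root SSH login, key pairs instead of passwords, default deny in hosts.deny) is easy to check mechanically. The script below is an added example written for this page, not code from any poster or from eBay; it audits a constructed sshd_config and hosts.deny and shows the weak settings beside the hardened ones. One caveat a practitioner should know: hosts.deny only affects sshd when it is built with tcp_wrappers (libwrap), and portable OpenSSH dropped that support in 6.7, so on a modern host the default-deny layer belongs in the packet filter instead.

```python
import re

# Constructed sample files for the demo; not taken from any real host.
WEAK_SSHD_CONFIG = """\
# sshd_config as shipped on many hosts of the thread's era
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

WEAK_HOSTS_DENY = ""                 # empty file: nothing is denied by default
HARDENED_HOSTS_DENY = "ALL: ALL\n"   # deny everything; hosts.allow opens holes

# Keyword -> acceptable values, following the comment's advice. Any other
# value, or an unset keyword (which leaves sshd's compiled-in default in
# force), is reported as a finding.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}


def parse_sshd_config(text):
    """Return {keyword: value} with keywords lower-cased.

    Mirrors two sshd rules: keywords are case-insensitive, and the first
    occurrence of a keyword wins over later ones. Comments are dropped, so
    a commented-out line does NOT count as a setting. Match blocks are not
    modelled here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, actual_value, expected_values) findings."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok in EXPECTED.items():
        actual = settings.get(key)
        if actual not in ok:
            findings.append((key, actual, sorted(ok)))
    return findings


def hosts_deny_is_default_deny(text):
    """True if hosts.deny has an 'ALL: ALL' rule.

    tcp_wrappers lines are daemon_list : client_list [: option ...];
    whitespace around the colons is optional.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip().upper() for f in line.split(":")]
        if len(fields) >= 2 and fields[0] == "ALL" and fields[1] == "ALL":
            return True
    return False


if __name__ == "__main__":
    for name, cfg, deny in (("weak", WEAK_SSHD_CONFIG, WEAK_HOSTS_DENY),
                            ("hardened", HARDENED_SSHD_CONFIG, HARDENED_HOSTS_DENY)):
        print(f"{name}: sshd findings={audit_sshd_config(cfg)} "
              f"default-deny={hosts_deny_is_default_deny(deny)}")
```

The first-occurrence-wins rule matters in practice: a `PermitRootLogin no` appended at the end of a file that already says `PermitRootLogin yes` near the top changes nothing, which is why the parser uses `setdefault` rather than overwriting.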
I see what you did there. You assumed that a clueless speaker, at a Microsoft conference, would speak the truth about Linux.
If Thom had taken a moment to look around and read, say, the comments that followed the same story in The Register days ago, perhaps he'd have benefited from other people already debunking this ridiculous report and saved OSNews the embarrassment:
http://www.theregister.co.uk/2007/10/03/ebay_paypal_online_banking/
While there, he noticed an unusual trend when taking down phishing sites. “The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,” he said.
This is either utter stupidity, or FUD. Home computers are not used for phishing. Phishing is run from cheap webhosting, which may be running on Linux, but definitely not on “rootkitted boxes”. If there’s a rootkit on your home computer there’s no need for phishing anymore, is there? It can use a keylogger and just wait for your login. Or scrape your browser cache or files for data.
Not to mention that eBay is refusing to show any proof and I personally have yet to hear of any worm or form of rootkit affecting any significant number of Linux home desktop users. And if there’s no security hole to take over machines there can be no botnets built on Linux.
The whole article is a mix of innuendo and plain bullshit. It’s so obvious a cheap shot at Linux that it’s not even funny. It’s just boring. Slow newsday, eh, Thom?
Edited 2007-10-08 01:09
The article does give the impression to me that he’s either confused or talking about multiple issues.
Botnets could definitely be possible from regular desktop machines, in fact it'd probably be preferred to not only increase the load and spectrum of attack points but also deflect the real "source", that is the group organising it.
It would be possible however to conceive the notion that if eBay was slow people would notice immediately and be suspicious. A botnet could be used to try and mask any slowness in response times. Envisage a botnet which is running a small web server on each node, and when people connect to what they believe is eBay the request is directed to their fastest neighboring botnet node to serve that request, whilst in the background these same nodes transfer the collected data elsewhere.
This is possible and quite conceivable.
Unless eBay were to release more specifics on what they discovered then we’re really just guessing, but to say that they suspect every desktop as almost a matter of default, are very strong words indeed.
I also wouldn’t look at this as a cheap shot on Linux. Sure Microsoft were a sponsor of the event, but there’s no compelling reason for eBay to put themselves in the middle of any anti-whatever propaganda. It doesn’t make any sense to me.
Is it not possible that it was merely a statement of the facts as they discovered and documented them?
Also, a lot of people myself included have taken shots at OSNews for the quality of their articles. The phrase, “slow news day” seems rather typical. It doesn’t really help. I can see you’ve only submitted one article and that was back in 2006. Perhaps you could submit or author some to improve the quality of this site?
Cheers.
Unless Ebay were paid well for doing so, of course.
I’m contributing comments to put things right, am I not? It’s not my job to find meaningful stories to run on OSNews, it’s Thom’s and his fellow editors. And there’s an undeniable trend of sensationalistic trolling on OSNews for some time now. I guess they look at the comments and are happy when they go over 100 for a story and that’s that.
Come on, it can't be that hard. Simply scanning my RSS feeds gives me far better reading, there's got to be useful subjects you can pick.
Undeniable?
Little has changed on OSNews since Eugenia took it over, and now. Eugenia and I rarely, if ever, disagree over what stories to publish, and I myself haven’t changed my criteria all that much either.
This story in particular is interesting because it's a major company (eBay) claiming something interesting about Linux. The fact that the security event is "sponsored" by MS is clearly stated by me in the teaser; if I were sensationalist, as you claim to be fact, I would have left that out, now, wouldn't I?
It’s always easy to claim nonsense like you do from your armchair, but the fact that you say it doesn’t actually mean it’s true. What if this eBay guy had gone to a Red Hat/IBM sponsored event (they exist too!) and had said that “The vast majority of the threats we saw were rootkitted Windows boxes”, would you still have complained?
I have presented this story for what it is: company A claiming something about product B, during an event sponsored by company C. That’s it.
Novell must have a golden plate in front their forehead.
Relax, Thom. It is far easier for some people to bash than to actually do something constructive, like say write an article or post a link with a short intro. I did find the article interesting and plausible.
Many Linux users have adopted the same complacency that they accuse Mac users of having. “What, me worry”, I run Linux so I am safe. Well, having been around in the computer world for over 30 years I can tell you, folks, it ain’t so. Harder than with Windows, yes. Impossible, no.
And let me close by saying that while I find some of the articles not worth my time, I would have to say overall I find a lot of interesting leads here. I have enjoyed this site for quite some time and hope to continue to do so. Thanks to the staff.
The article doesn’t talk about Linux users, but about Linux servers being used to control Phishing botnets. That you would assume that this was about people failing to secure their home Linux PCs is a perfect example of how misleading the eBay guy’s statement was. Thanks for proving my point.
I have one more submission than you on this site, FWIW. But I don’t see how my submissions or yours have anything to do with Thom’s. Unless you blame poor stories on lack of choice. “If only there were more stories to choose from, we wouldn’t have to read this.” Hilarious.
Turn the other cheek, Thom.
Bugger me, I could’ve sworn not so long ago OSNews stories were better. Either my sense of time is deteriorating in my old age, or my taste is improving. Either way, I’m not pleased. But since you don’t feel that anything is amiss you won’t change anything so that’s that, I guess. At some point I’ll give it up. I’m not saying it’s gonna be a big loss for the site, I’m just saying.
I would’ve said something along the lines of “duh!” and complain about why it would be considered news. Because it’s such an obvious fact that it begs no questions anymore.
That’s not what I’m complaining about. It’s the fact you chose to run it in the first place. It is poor quality, full of contradicting terms, and offers no proof. That’s what we call FUD, and it comes, what a surprise, from a FUD-master-sponsored-event. I don’t know about others but I call that sensationalistic or trolling.
I'm not saying OSNews has completely gone down the drain and there's nothing good to read here anymore. It's just that there seem to be a disturbing number of articles of this kind. More than I remember there used to be. And I believe I'm not alone in that.
‘k we still love you but eBay makes more from sugaring its partner relations (OpenBSD only…I could wish) and actionable advice than from quality advice; and you might pepper in some Intrusion Detection Kit and Appropriate Use of VMs advice from the quarters of the Service News Chef or Saucier’s worktable.
Normally of course OSNews editorial standards call for 6 or more ‘I am feeling sick’ screens from various built-in OS utilities. They’re not gonna fit in the icon, after all.
This is either utter stupidity, or FUD.
I vote for FUD.
Slow newsday, eh, Thom?
It’s becoming a daily routine: have a peek at OSNews, discover some silly/FUDdy/flamy article, skip directly to something else (usually Gnome Files). Which is what I’m going to as soon as I’ve posted this comment. Sad.
Rehdon
I love it when I see Linux users becoming what they accuse Mac users of, complacent.
Three questions for you:
1) Why do you love it? Security issues such as Phishing affect everyone. I don’t use Windows at home, and I’m not a big MS fan, but I’m not happy when I see Windows boxen being turned into phishing or spamming bots. That attitude seems very immature to me.
2) Who is being complacent, here? Who are these Linux users you’re talking about so knowingly? If you’re going to make such blanket allegations, shouldn’t you learn more about the issue? Specifically, there’s *no* indication from the article that Linux workstations are being used in botnets. To point fingers at Linux users (a term that pertains almost exclusively to Linux enthusiasts who have installed it at home, or those that use it on their workstations) seems erroneous, to say the least.
3) When have Linux users ever accused Mac users of complacence?
Edited 2007-10-08 15:44
Fair enough. Your response is polite and well thought out so you deserve a reply.
1. Why do you love it? – The use of the term, while maybe not completely clear, was more a slap at the irony of the situation. There is just too much smugness in all the OS camps about security.
2. Who is being complacent, here? Who are these Linux users you're talking about so knowingly? – A generalized statement is called for here. Since this is not the only site I read I only speak from my experiences overall. Time and again I have read posts about how security is not a major concern because the person posting runs Linux. And if you are honest about it I am sure you have seen many such posts.
3) When have Linux users ever accused Mac users of complacence? – I have read posts by both Linux and Windows users about this subject. In fact it is one area where I think the label might be a bit justified. I have both a Mac and a PC here and I take security very seriously on both.
While maybe not the response you are looking for it will have to do. And I will stand by my assertion that security is not taken seriously enough by many users in the Linux camp.
Well, these were probably Linux users, i.e. using Workstations. And, in fact, security is not as major a concern for Linux workstation users, because most Workstation issues are malware-based, and there is virtually no malware for Linux. So indeed, for the office/home user who does not run servers, security is a minor concern for Linux (and Mac) users, and rightly so.
For servers, the situation is completely different, and I think the problem with your posts is that you don't differentiate between servers and workstations. Most server admins *will* be security-conscious, as they should. Apparently there are lots of cheap web-hosting servers that are not well-protected. That is not an issue with Linux or Linux users (as you seem to claim), but rather *bad* server administrators.
I find that hard to believe…that Windows users would accuse Mac users of complacence, yes, but Linux users? You could say Linux and Mac users are equally complacent, because neither of them has to deal with the constant threat of malware – and as long as they don't run servers, they can indeed allow themselves to worry a little less.
The answer was all right, but you really need to address Servers and Workstations separately, because many of your comments seem to target “Linux users”, which suggest workstation users (servers having admins instead).
I disagree with you on your assertion: I think most Linux people are security-conscious. I know I am, perhaps that clouds my judgement, but then again I run servers so I *have* to know. A Linux (or Mac) workstation is quite safe (though a router/firewall is always a good idea).
I don’t run linux, but I frequent slashdot, which is full of linux users and linux advocates, and while a handful of slashdotters dismissed this info because the ebay guy was speaking at a Microsoft-sponsored event, by and large, most slashdotters agreed with the info:
http://it.slashdot.org/article.pl?sid=07/10/05/1234217
And I never saw any of them “debunk” it at all.
I only read OSNews very occasionally since he became staff. It’s mostly just rubbish now, except when Eugenia posts.
I was thinking that it was not exactly so, but not with so much ad hominem. Phishing is still likely under a rooted box because it can phish out email/hosting attacking other people's credentials (not so much machines.)
Linux VMs under Vista distros (cough), for example. OS X distros somehow seemed like a blind alley.
It would be a nice punchline to say it was just 2 beowulf clusters of 320-core cards IBM was testing they’ve locked down now.
Certainly if they want to release any information which would help an punter (or admin) run an IDK or ICE or antivirus, it would help to drop a partial tell; correspondingly:
-http server ident?
-linux Apache server tells?
-they misheard LAMP as LIMP and expanded it to _LIMP is no phisher_ after best practices….?
-English (Fr/Sp/Ch/Ko/Vi/Pr/Ge) grammar!!!LOLZ
-Does this count the banks sending us blank checks and pre-credentialed credit applications in the mail?
Actually, the most common attack vector for these so-called 'rootkits' is just code injection/php-injection attacks on badly-written web-software. The sort of thing that PAX and SELinux can defend against, but the SSH/Root usage stuff is not a common vulnerability.
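The comment above names the vector without showing it. The following is an added example for this page (not code from any poster, and not PHP: it is a Python stand-in for the classic `system("convert " . $_GET['f'] . " ...")` pattern) that shows the injectable handler beside a hardened one. `echo` stands in for `convert` so the demo runs without ImageMagick; the payload string is constructed. Input validation is the fix; mandatory access control such as SELinux or AppArmor, and PaX, limit what the injected command can do afterwards but do not stop it running.

```python
import re
import subprocess

# Stand-in for the image tool the web handler shells out to.
TOOL = "echo"

# Constructed attacker input: a plausible file name followed by a second
# command. Everything after ';' runs with the web server's privileges.
PAYLOAD = "report.pdf; echo INJECTED"

# Allowlist for the hardened handler: one path component, starts with an
# alphanumeric (no dotfiles, no '..'), no '/' so uploads/ cannot be escaped,
# no shell metacharacters at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def vulnerable_command(filename):
    """Build the command line exactly as the badly written handler would:
    the request parameter is pasted straight into a shell string."""
    return f"{TOOL} uploads/{filename} thumbs/{filename}.png"


def vulnerable_run(filename):
    """Hand the string to /bin/sh, which is what system() and exec() do.
    Returns whatever the shell printed."""
    result = subprocess.run(["sh", "-c", vulnerable_command(filename)],
                            capture_output=True, text=True, check=False)
    return result.stdout


def is_accepted(filename):
    """Allowlist check used by the hardened handler."""
    return SAFE_NAME.fullmatch(filename) is not None


def hardened_argv(filename):
    """Validate, then build an argv list. No shell is involved, so ';',
    '|', '`' and '$(' are ordinary bytes inside a single argument."""
    if not is_accepted(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return [TOOL, f"uploads/{filename}", f"thumbs/{filename}.png"]


def hardened_run(filename):
    result = subprocess.run(hardened_argv(filename),
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_run(PAYLOAD)))
    try:
        hardened_run(PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened ok:", repr(hardened_run("report.pdf")))
```

The vulnerable path prints three lines for one request because the shell saw three commands; the hardened path either rejects the name outright or passes it as one argument with no shell in between. Both properties hold for any payload, not just the one constructed here.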
With the number of new users streaming into Linux thanks to easy-to-use distros like Ubuntu, there are many users who do not have the requisite knowledge to adequately secure their computers–maybe even believing, albeit falsely, that Linux is inherently safe out of the box.
As more Linux systems are brought on line it is not surprising to see the number of compromised Linux boxes increase.
This does not point to a weakness of Linux per se; it points out the problem that many users are not doing enough to secure their computers.
Linux’ track record still stands as a monument to the security and power of open source.
Edited 2007-10-07 23:24
pbkac, or there about?
“pbkac, or there about?”
More like ‘pbkaa’ (problem between keyboard and Africa).
*no offense meant to any Africans of course.
IMHO the “pbkac” theory never holds water when applied to security.
Anything designed for the “average” user (and not limited to people that are trained and/or knowledgeable and/or experienced) needs to have security systems designed for the average user.
You can complain that an OS designed for trained users is marketed towards average users. You can complain that an OS designed for average users doesn't have enough security for its intended market. You can't blame average users when they use an OS marketed towards average users if the security isn't designed for average users, which is what you're doing by claiming it's a "pbkac".
The real question would be, if distributions like Ubuntu aren’t secure out of the box, then why aren’t they?
The problem is that for an average user, a compromised computer is bad even if it's not fully rooted, as it has most likely already spilled anything the user had stored in its personal account.
Question is, how to separate network activity from personal activity without having to annoy the user with context switching or access barriers.
Remember, this is people that want to upload just about anything onto places like facebook or myspace. And download random stuff for their desktop, like pretty screensavers and pointers.
This kind of use just flies in the face of any sense of security whatsoever.
There are problems, but it’s a matter of perspective – are they problems with “bad users” that should be ignored, or problems that OS designers and researchers should be trying to fix (or even problems that should’ve been fixed already)?
As more and more of the world starts using computers & the internet, the number of trained/experienced users is decreasing. You can’t *assume* the user isn’t an idiot.
One method may be to detect anything that might compromise security (e.g. downloading any executable from the internet onto your desktop and trying to run it) and then switching to “tutorial mode”, where the user isn’t allowed to continue until they’ve correctly answered some test questions (and read any of the provided educational material necessary for them to answer the test questions correctly). Once they have answered correctly (and demonstrated an understanding of the security issues involved) the specific tutorial would be disabled so it only annoys people once.
I’m also thinking that the time has come for root/administrator to be locked out of most applications – games, email, web browsers, peer-to-peer file sharing software, etc. Give them just enough access to do administration tasks and read help files and nothing else, and make normal users hate logging in as root/administrator.
Of course these are just ideas from the top of my head – I haven’t thought about them much, but surely there are better ways of either securing systems or educating users than are currently in use.
The point is that ignoring the problems or dismissing them as "pbkac" won't make the problems go away.
Dismissing the problem isn't what I'm attempting to do. Rather, it's showing that even with all the advances that have been done, the weakest link is still the user.
Also, one does not need to be root to run a spam bot. It can just as well run as a user process.
That's the big problem, that one really doesn't need root to do some damage. These days, a lot of juicy data is stored in the user's home area.
In the end, the question is, can you protect the user from himself?
That, considering the minuscule installed base of users that don’t understand security running Linux desktops, probably isn’t the case. More likely, this problem is stemming from compromised web servers running Linux, which weren’t secured properly.
Actually, no. The problem that created botnets is the lax security and the monoculture of Windows. It is Windows machines after all that are the bots.
Even if it is true that Linux machines are being used for botnet command and control (debatable), that is almost irrelevant. There would be no bots to command or control without Windows.
Okay, I’m not normally one to jump on the Microsoft-against-free-software conspiracy bandwagon, but this one line stood out to me:
“…speaking at a Microsoft-sponsored security symposium…”
I hate to say it, but this makes me question the impartiality of the speaker’s opinion regarding this subject.
I’m not saying that a Linux box can’t be compromised by a rootkit; after all, there are volumes of information available online to harden your system against it. It’s just that, unless you open up a glaring hole yourself, by installing untested or compromised software with superuser privileges, you aren’t likely to be running a Linux-based bot.
Given that there isn’t really a big market at all for hacked/cracked software on Linux compared to Windows, combined with the less than 1% desktop market share of Linux, the numbers just don’t seem to add up.
I get this impression as well. It’s by no means impossible to root a remote Linux box if it isn’t properly patched. But it is prohibitively difficult to root thousands of remote Linux boxes using a sufficiently automated attack vector. There’s simply not enough monoculture within the Linux community.
I’m not sure whether the eBay guy (intentionally or otherwise) misled the journalist or if the journalist was trying to sensationalize the story. I’m guessing the former, since the Symantec guy told a much more believable story: that the vast majority of botnet command and control boxes run Linux, but an even more pronounced majority of bots run Windows.
Once again, I won’t deny that the Linux community isn’t where it needs to be in terms of security. SELinux and AppArmor, once smoothly integrated with Linux distributions, will be a big leap forward. However, for the time being, Linux is much more attractive as a platform for hackers than as a target.
Before anyone accuses these Linux-using hackers of attacking Windows as a form of OS zealotry, it’s important to understand that the world is chock-full of mercenaries whose only loyalty is to whoever signs their checks. Whether they use Linux or AK-47s is irrelevant–it’s international warfare for hire, the world’s most lucrative industry until being overtaken by fractional reserve banking. Together they represent the ultimate threat to peace and prosperity.
Yeah, LOL, saying that this was said on a “Microsoft-sponsored security symposium”, this takes all credibility from the statement, so, this is false, do not believe this piece of FUD. Also important to notice, “the company is not releasing the results of this analysis” why? because it is false. So long, and thanks for the good laugh of a non-true article. OMG, I thought today was April fools.
I can completely agree to your statement. Seems very obvious and typical. I just wonder why eBay got into there.
“OMG, I thought today was April fools.”
Erm… no, it’s my 1st anniversary today (joined one year ago). Yippee. Great present, MICROS~1, really great, gotta download an update of MSTRUTH.EXE soon! 🙂
Statement of the day: Phisher’s Phritze phisht phrishe phishe. =^_^=
Edited 2007-10-08 03:01
“…really great, gotta download an update of MSTRUTH.EXE soon!”
Just make sure you get the latest version as it changes regularly…
“Just make sure you get the latest version as it changes regularly…”
There were rumours that claimed the MSTRUTH.EXE would come with a built-in self-updating update using the 1984’s “room 101 algorithm” for three, four and / or five fingers. 🙂
I think the issue is made worse given that there is no evidence used; the other question; if the 'study' (quotations deliberate) found Windows to be the single vector for phishing, would it have been mentioned?
Until the raw data, how the data was collected and conclusions drawn are released, it's nothing more than an exercise of said company using information in such a way as to suit an agenda.
It's like when a government claims that 'crime has reduced' but never mentions which metric is actually used.
And that’s amongst zealots and their arrogance in believing “It’s my favorite OS and therefore invulnerable, because it’s superior to the other one(s)!”
Either Windows NT-based OS’s or Linux-based OS’s (or many others, for that matter) can be made quite secure, if you know what you’re doing and administrate according to that knowledge.
And, before you jump in, Lemur2, shut up, will ya? All you do is fight to put down others, proving how much of the zealot you are, and you gain nothing for your cause, unless it’s to annoy everyone else.
WTF? Is it my fault if you don’t like to hear the truth?
Name one (1) instance where I have “put down others” without there first being an attack from them on what I said, and without the facts supporting my point.
As far as rootkits on Linux goes … yes indeed, there are rootkits for Linux. That is why there exist utilities such as chkrootkit and rkhunter.
http://en.wikipedia.org/wiki/Rootkit#Detecting
http://en.wikipedia.org/wiki/Rkhunter
http://en.wikipedia.org/wiki/Chkrootkit
http://www.rootkit.nl/projects/rootkit_hunter.html
Over.
Correction. Most default Linux distros nowadays (not to mention other Unixes, such as BSDs or OS X) are very secure. They are secure, no need to be made so by installing a firewall, antispyware, antivirus, then pray while Windows installs the latest security patches, then keep your fingers crossed for the moment a worm still manages to break in remotely, in spite of all these.
How do Linux or BSD or OS X manage it? Very simple: they don’t come with anything listening for network connections out of the box. Basic idea that eliminates the need for all the defences. Why should anything listen to remote connections? If I need to enable daemons, most of them will work fine listening on the loopback interface. If I do need to enable something, they’re usually solid pieces of software and, more importantly, patched very fast as soon as a vulnerability appears.
How do Linux or BSD or OS X manage it? Very simple: they don’t come with anything listening for network connections out of the box.
You must be extremely knowledgeable about Linux and BSD distros to speak on behalf of all of them and all their versions… Most distros have just as many ports open as Windows, if not more.
Obviously however, some distros are more secure than others.
I seriously doubt it. If for no other reason that the fact it defies all logic. Why would they? They’d gain nothing by shipping default installs with open ports. There’s nothing that can’t be enabled easily if there’s a need for it (sharing printing and files, most likely). Shipping an OS with open ports for no serious reason is stupid.
Do you have a source for that? It seems that most popular distros (i.e. the ones newcomers are likely to use) come with very few ports open. Ubuntu, for example, ships with no open ports on public interfaces.
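The exchange above argues about whether distros ship with listening services; the only way to settle it for a given box is to look. This is an added example for this page (not from any poster) that classifies `ss -tlnp` output into loopback-only listeners and services reachable from the network. The output it parses is constructed for a hypothetical desktop install, not captured from a real machine; `netstat -tlnp`, the tool of the thread's era, shows the same information in a slightly different column layout.

```python
import re

# Constructed `ss -tlnp` output (hypothetical desktop install, run as root
# so the Process column is populated). Not a capture from a real host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=812,fd=6))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=701,fd=3))
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=933,fd=33))
LISTEN  0       128     [::1]:25            [::]:*             users:(("master",pid=990,fd=13))
LISTEN  0       128     *:80                *:*                users:(("apache2",pid=1011,fd=4))
"""

# Addresses that only the local host can reach.
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
# ss prints the owning process as users:(("name",pid=N,fd=M)).
PROCESS_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(text):
    """Return [(process, local_address, port)] for every LISTEN row.

    The Process column is missing for sockets owned by other users when ss
    is not run as root; those rows get process "?" rather than being lost.
    """
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition handles IPv6 literals such as [::1]:25 and the '*' wildcard.
        addr, _, port = fields[3].rpartition(":")
        match = PROCESS_RE.search(line)
        listeners.append((match.group(1) if match else "?", addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr in LOOPBACK or addr.startswith("127.")


def exposed_services(text):
    """Listeners bound to a wildcard or a non-loopback address: the ones
    the comment thread is arguing about."""
    return [(proc, addr, port) for proc, addr, port in parse_listeners(text)
            if not is_loopback(addr)]


def loopback_only_services(text):
    return [(proc, addr, port) for proc, addr, port in parse_listeners(text)
            if is_loopback(addr)]


if __name__ == "__main__":
    print("reachable from the network:", exposed_services(SS_OUTPUT))
    print("loopback only:", loopback_only_services(SS_OUTPUT))
```

In the constructed sample, cupsd and the Postfix master process are bound to loopback and are not a remote attack surface; sshd, smbd and apache2 are. A host firewall in front of them is the second layer the thread mentions, but the first question is still why they are listening at all on a desktop.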
The trouble is that some software is inherently vulnerable by design (i.e. PHP). Unless SELinux or AppArmor is installed and very carefully configured, any bug in PHP software running on the server can be exploited to run code (Not a 'rootkit' but the guy's allowed to get it slightly wrong).
This happened to us, and the only way it was detected was by running a scheduled anti-virus (actually anti-malware) scan on the box.
Programming languages like PHP are not “vulnerable by design”. They are tools that enable programmers to do stuff, including to provide points of entry for hackers. It’s like blaming the knife for the murder because “it’s sharp”.
Face the reality: you are giving a person the possibility of designing an interface visible to the world and with access to the guts of your machine. My first thought in such circumstances would be “it had better be a damn rock solid interface, with no possibility of cracking”.
Bad programmers are a security risk, but instead of getting better programmers who design secure from the ground up, people prefer to blame the language or use symptomatic treatment. Scanning for viruses or malware is simply wrong from a security point of view. You’ll never keep up with all the malware and you have to do it again and again with no guarantee for success.
Media is partially to blame for this. We’ve become complacent. We consider malware and break-ins the norm, just because Windows has accustomed us to it and because the antivirus companies are parasites who live off the malware and security issues with Windows. And the media blames hackers and worms and botnets, but never the bad engineers who designed software that is so easy to crack that mindless bots can do it.
And I don’t see why the guy’s “allowed to get it slightly wrong” when he’s making such allegations. If it was a unified entity he was targeting, such as a company, he’d be asked to retract by now or face a lawsuit for baseless defamation. The article was a bunch of nonsense glued together in a haste.
Modded down for personal attack. Tsk.
In all fairness, the numbers here don't quite add up.
How can the majority of threats be from an OS that supposedly has a very small market share, does not have nearly as much malware and isn’t usually a botnet’s bots?
When you then weigh in the fact that he was talking at a *Microsoft* sponsored security symposium and that we are told nothing about how this data was acquired and measured it does not paint a pretty picture.
The Symantec guy's comment seems more anchored in reality:
“We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots. Botnets are almost uniformly Windows-based.”
I have no problem believing that but that Linux is the dominant botnet bot? No.
Also, eBay and security? That’s gotta be a joke, right?
It's about time that people realize that passwords don't provide good security, at least not when used alone. For example, a combination of public-key infrastructure, trusted devices (*) and passwords entered only at these trusted devices can provide much better security. I'll explain this in detail if needed but it doesn't need a lot of imagination.
(*) trusted by the *user*, as in, modifications to the device can at most compromise the security of the user who uses a modified device. That’s bad enough (imagine “phishers” sending out hacked devices to customers), but it’s still a lot better than what we are at now.
You’re assuming that people are commonly breaking into boxes by guessing passwords.
> You’re assuming that people are commonly breaking into boxes by
> guessing passwords.
Why do you think so? After all, I’m blaming password-based security in general to be vulnerable to phishing attacks, and proposing alternatives where phishing is both harder (the advice to enter one’s password *only* into the trusted physical boxes is much easier to follow than the advice about where to enter one’s ebay password, especially in the light of fake ebay homepages) and less useful (the password is worthless without access to the physical key, e.g. an USB stick or magnetic card).
If guessing passwords was that easy, phishing wouldn’t be necessary.
This is not surprising if you consider that there may be way too many people out there that think just because they are using a non-Windows OS they can simply disregard ALL security. Think this doesn’t happen? Sadly many of us have seen this way too many times. People that think there is no need for a firewall because they “Can’t” get a virus…not realizing there is no connection between the two.
Today, which OS one uses is 110% meaningless if the user choses to disregard security. Almost any computer connected is vulnerable, and people need in some fashion.
The point of this should not be another mindless Windows vs. Linux flamewar, the point is that in the end it comes down to the user and how they operate their computers.
Oh, I forgot that “phishers now hack linux boxes” is much more important here…
Actual information about how eBay determined that Linux servers were behind various attacks and how the attacks were performed would be useful to the community as a whole. There is no reason why eBay cannot expose some details of the attacks without “giving away the farm”.
This is no different than how DoD deals with certain exploits, and while it classifies the information to protect “sources and methods” it also does very little to strengthen the community against further attacks.
If the data eBay collected is in fact correct and Linux servers are being exploited, then it shows that sloppy administration and poor configurations can significantly affect Linux as easily as it does a Windows machine, or another possibility is that a 0 day sploit has been written to take advantage of an inherent weakness of one or more Linux distros. Again more information released to the community would be nice.
The eBay representative said that when taking down phishing sites, “the vast majority of the threats were rootkitted Linux boxes”; he said nothing of the general Windows/Linux rootkit infection ratio.
Later in the article, a Symantec representative said, “we see a lot of Linux machines used in phishing”, “we see them as part of the command and control networks for botnets, but we rarely see them be the actual bots. Botnets are almost uniformly Windows-based.”
Indicating to me that Linux boxes are a minority of infected machines but are more frequently used to control the large botnets which consist mainly of infected Windows machines.
So basically Linux is a great OS to use when administering a large group of Windows boxes; there’s some good Linux advertising in here somewhere.
Without any meaningful data, everybody is speculating about the announcement. And while you can manage Windows machines with Linux, I can do the same thing with Solaris 10 (I do this everyday from my Sun Ray using Solaris 10), so I wouldn’t say that Linux has a unique advantage here.
Actually, there’s an excellent reason. They don’t exist.
I don’t really bother to read the article, I’m just wondering are those Linux zombie boxes server machines or are they typical home user machines? I haven’t used any other distro than Gentoo in ages but I’d assume a distro aimed for regular users wouldn’t ship with all sorts of remote exploitable services enabled, and even less with poor default security policies. Like f.ex. should SSH server be even running on a regular user’s box? No, it shouldn’t. It can be hacked given enough time. If it is running there should at least be a daemon like denyhosts running and disable access to the SSH server if you’ve typed the password wrong three times.
Then again, if it is a corporate server the admin should be kicked and hard! It’s not that difficult to secure a Linux box, you just need a little bit of time for that. A good practice is NOT to run more than one service on a single server, or at least run them all in completely separate VMs. But if you’ve got f.ex. POP3, SSH and WWW running on the same machine you’re just plain asking for trouble. Besides, as someone already said, you should NEVER use password authentication with SSH. Use keypairs instead! Preferably also disable access to the servers from anything else but a few specific IP addresses. Oh darn... the list could go on forever...
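The sshd advice in the post above (no root login, no password authentication, restrict who may connect from where, limit guesses), as an added checker that is not from the thread or any project: it reads an sshd_config and reports each weak setting. Both config files are constructed samples; the script assumes a single global section and does not handle Match blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the weak
# settings discussed above. The two config files are constructed samples.
# Assumption: single global section only; Match blocks are not handled.

# Effective value of a keyword: sshd uses the first uncommented occurrence,
# and keywords are case-insensitive. Prints nothing if the keyword is unset.
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# Print one line per weak setting found in the given sshd_config.
audit_sshd_config() {
    cfg="$1"
    v=$(sshd_get "$cfg" PermitRootLogin)
    # unset falls back to sshd's compiled-in default, which is not "no"
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}' (want: no)"
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}' (want: no, keypairs only)"
    # AllowUsers accepts user@host patterns, which limits source addresses
    if [ -z "$(sshd_get "$cfg" AllowUsers)" ] && [ -z "$(sshd_get "$cfg" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups entry (any account may be tried from any host)"
    fi
    v=$(sshd_get "$cfg" MaxAuthTries)
    # per-connection guess limit; sshd's default is 6
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "MaxAuthTries is '${v:-unset}' (want: 3 or fewer)"
    fi
}

WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed sample 1: a permissive configuration of the kind criticised above.
cat > "$WEAK_CFG" <<'EOF'
# constructed sample sshd_config (permissive)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
EOF

# Constructed sample 2: the same host after applying the advice above.
cat > "$HARD_CFG" <<'EOF'
# constructed sample sshd_config (hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin@192.0.2.10 admin@192.0.2.11
EOF

echo "== permissive config =="
audit_sshd_config "$WEAK_CFG"      # prints 4 findings
echo "== hardened config =="
audit_sshd_config "$HARD_CFG"      # prints nothing
```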
It’s a bit confusing actually. At one point the article implies that it is regular users who don’t even know their boxes are compromised. Later on, it describes the phishers as setting up Linux servers to run botnets. Given that pretty much any Linux box can be configured as a server, I went with the assumption that it is home users who are compromised. After all, any enterprise Linux administrator worth his salt will have already hardened his company’s machines against rootkits and such.
I’m sort of responding to myself, and sort of just making a general comment to this story:
The Linux boxes in question are most likely running a WWW server through which they have been compromised. Perhaps due to poor PHP coding skills or some such. Anyway, those compromised boxes are most likely not part of any botnet but rather used to control such ones. And also, those boxes could well serve as phishing sites. But the things to note here are that almost all Linux WWW servers are running Apache and Apache could just as well be run under Windows. Someone running buggy PHP code on Apache doesn’t mean either platform is any less secure by itself, it just means that buggy software on ANY platform makes the whole system vulnerable.
As for home user Linux boxes... Well, I much doubt there are many, if at all, compromised home user boxes. The fact is that most distros aimed for the average user DO NOT ship with services like SSH or WWW enabled, or maybe even installed at all. An average box wouldn’t even have any ports open so it would be practically impossible to attack one without having physical access to it. Also, I at least have never seen/heard of any Linux malware spreading via email or such whereas I frequently get mail from f.ex. “Windows Update” telling me to update my software by installing the attachment.
So, this eBay guy saying compromised Linux boxes are their biggest threat… Well, he must have gotten something completely screwed up. I’d figure the thousands of compromised Windows boxes working as part of a botnet are the single biggest threat whatsoever on the Internet. Even just thinking about the numbers... how many Windows boxes are there? Compared to the far fewer number of Linux boxes?
PS. I’m not saying Linux is invulnerable, I’m not saying this is some sort of MS PR (I don’t believe this has anything to do with MS actually) or such, I’m just saying it’s very improbable that any botnet would have even 30% of it comprised of compromised Linux boxes..
Hello,
From what I’ve seen on Internet-facing traffic, a good portion of the exploits used are for cross-site scripting, SQL Injection, and improper command processing that is directly aimed at the Linux/mySQL/PHP and Perl (yes, I’ve seen Perl-based exploits that use SQL Injection and improper command parsing)-based Content Management Systems, such as Xoops, phpBB, WordPress, Blogsmith, cPanel, and vBulletin.
The reason why these boxes get hit are:
1. They’re easy to hit. One Google search for a bunch of blogs that use a vulnerable URL (and yes, some of these use Google to search), and you’ve got a lot of targets.
2. They have more upstream bandwidth. These boxes usually sit at large hosting providers, not someone’s basement. They have at least a T1’s worth, if not significantly more, of bandwidth. Compare that with Comcast, who caps at a lot less, and you’re less effective on bandwidth when you are aiming for Windows boxes.
3. ISP staffs usually don’t notice. Again, since people are willing to pay a very low amount of money to host their blog somewhere, they will go to the lowest bidder. This explains why a lot of the computer-buying public who reads Craigslist will buy their software from the guy who sells warezed copies, instead of from a reputable store.
Using this rule, many people will go to the $5 a month provider to host their WordPress blog and site. Many of these people don’t know any better, and the tech support staff can’t/won’t/doesn’t know how to automate scripting the WordPress and/or CPanel updates to a few thousand sites like your average ISP does.
The same ISP staff probably won’t notice the outbound and inbound traffic spikes, or that their blog server front-end is making egress SSH and HTTP connections to machines in Russia, or machines which are part of one of the blacklists. Your average competent ISP/WebHost will. Your cut-rate web hosts won’t. It’ll take them a few days, and even then, probably by many frantic calls from other ISPs and/or eBay themselves, before they notice.
4. It’s less complicated. Maintaining a fast-flux web site, even though SecurityFocus makes it seem like it is simple, is significantly harder than what it’s made out to be in practice, and costs more to maintain. Why not go for the lowest-cost solution, which is to own a bunch of blog and message board servers, and use them?
5. Linux is ubiquitous. Linux/Apache is used for at least 2/3rds of the web sites in existence, if not more. This means that more people are going to be running Apache, mySQL, PHP, Perl, and badly written CMS systems that run on a combination of the four above, than there are for .NET. Unfortunately, badly written CMS systems are the norm, and not the exception. You just have to write one bot, and just have different delivery systems for it based on the type of CMS vulnerability you wish to exploit.
Many people (and I mean an average user, NOT the average user of this site) also don’t have a clue how to update and patch them, or that installing them is more than a few clicks on a site control panel to patch or upgrade, or even running yum, apt-get, or rpm to get the latest RPMs and/or patches for their software updated. However, they want to have their blog.
This has been happening for at least a year, if not longer. Finally, eBay says what everyone else didn’t want to say. Just because it’s Linux doesn’t mean it’s more secure. Combine Linux, or any other OS, with badly written code, and yes, it will be much less secure. The effect of using Linux as the front-end for scams and phishing is a lot more, because Linux is used more on the server-side, and used on machines that have significantly more upstream bandwidth than your average Windows machine.
That’s a very nice (and long) rant. Only one problem with it: complete lack of evidence. Show me the proof. I want to see a serious threat that’s exploiting all these many hosts and CMS’s you argue are out there, waiting for mayhem.
There is none. Oh, there are small outbreaks occasionally. At some point there were scanners using Google to pick up phpBB forums and try to exploit one vulnerability automatically. It went away with the next round of updates. Nowadays all I see in my 404 logs is stuff like /_vti_bin/owssvr.dll or /MSOffice/cltreq.asp. Funny, that.
There’s not likely to be any major outbreak in the conditions you outlined. Two reasons, both coming from natural evolution laws. (1) The Linux/BSD Internet medium is too varied and you can find almost nothing widespread enough to be worth attacking. This is a basic rule of agriculture: vary the crops and should one or two fall ill, the rest will survive. (2) The few pieces of software that are widely used got this way because they underwent a lot of toughening up. It’s the law of evolution. They are used in a lot of places because they’re tough and secure. Unlike the world of clueless home users, the business world is pragmatic; it won’t use insecure software for long, if they want to stay in business.
It happens all the time. Constantly. I just looked at zone-h’s attack archive and just today I see hundreds of defaced sites running on Linux.
While this is more likely due to bad PHP or other dynamic website programming errors it’s still a site running on Linux.
So what does that tell us? Nothing. No useful information. The same goes for worm writers. A “crew” who defaces sites approaches each one on a case by case basis and there’s humans doing the breaking in. Bots have to be automated and need an omnipresent, identical vulnerability in order to spread. But there isn’t any. With Linux, you don’t get world epidemics, just minor colds or a flu, at worst.
Good points overall that applies to *any* hosting service, whether they use Linux, Windows or whatever.
This does not make a difference for botnet bots though. The advantage of botnets is power by numbers and each bot does not need a lot of bandwidth. In fact, the less bandwidth it uses the better since that will make it less likely that you’re discovered.
This is a big secret? Just look at any defacement archive and you’ll see a LOT of defaced and otherwise compromised Linux hosts.
Note that defacement is very different from being able to use a host for attacks though. A properly configured hosting service does not become “owned” just because an individual site is compromised. Then again, there are a lot of bottom-of-the-barrel hosting companies these days.
Here are my responses:
1. If you want to use machines for DDOS attacks, Web Host machines make the best ones.
2. On most Internet web sites, these types of vulns (crap CMS systems) are glossed over.
There ARE a lot of bottom of the barrel, as you say, hosting companies these days. Many of them actually are nothing more than a few co-lo’ed servers in another web hosting company’s data center, and are not run by the sharpest tacks.
Well hopefully this news will be a wake up call.
Just using Linux doesn’t make your box secure. You can have a Linux box as insecure as Windows 95 without updates.
The user has to make it secure and the distro has to provide the tools to the user.
Everyone who runs a *nix server should do the following:
1) Download chkrootkit and rkhunter and scan their system with both.
2) Do a port scan on the server and close all unnecessary ports and the services bound to them.
Gnome Network Tools is a nice GUI utility for this.
3) Enable SELinux/AppArmor and put it into enforcing mode.
4) Check security log files for unauthorized access attempts, file and permission changes.
5) Check password and group files for unusual entries (/etc/passwd, /etc/group).
6) Make sure your software and hardware/router firewall are enabled.
7) Another useful but unnecessary thing is to clean junk files off your system. On Gnome I use FSLint and gconf-cleaner; on KDE… Kleansweep.
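Steps 4 and 5 of the list above (check the logs for unauthorized access attempts, check the password file for unusual entries), as an added example that is not from the thread: three small checks over a passwd file and an sshd auth log. Both inputs are constructed samples written to temporary files; the function names and the threshold of three are my choices, and on a real host the functions would be pointed at /etc/passwd and the sshd log.

```shell
#!/bin/sh
# Added example (not from the thread): steps 4 and 5 of the list above as
# checks over a passwd file and an sshd auth log. Both inputs are constructed
# samples; on a real host point the functions at /etc/passwd and at
# /var/log/auth.log or /var/log/secure.

# Step 5: every account with UID 0 is root-equivalent; anything besides "root"
# deserves an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Step 4: print "IP count" for every source with at least THRESHOLD failed
# sshd password logins (the same signal denyhosts-style tools block on).
failed_ssh_by_ip() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    ' "$1" | sort
}

# Sources that reached THRESHOLD failures and were then Accepted: the
# signature of a password-guessing run that succeeded.
brute_force_successes() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            if ($0 ~ /: Failed /) { fails[ip]++; next }
            if (fails[ip] >= thr && !(ip in seen)) { seen[ip] = 1; print ip }
        }
    ' "$1"
}

PASSWD=$(mktemp)
AUTH_LOG=$(mktemp)
trap 'rm -f "$PASSWD" "$AUTH_LOG"' EXIT

# Constructed passwd sample: "svc" is a planted second UID-0 account.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:x:0:0:constructed extra uid-0 account:/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Constructed auth log sample in OpenSSH's syslog line format; the addresses
# are from the documentation ranges.
cat > "$AUTH_LOG" <<'EOF'
Oct  8 02:31:01 web1 sshd[2201]: Failed password for root from 192.0.2.55 port 40122 ssh2
Oct  8 02:31:04 web1 sshd[2201]: Failed password for root from 192.0.2.55 port 40122 ssh2
Oct  8 02:31:08 web1 sshd[2203]: Failed password for invalid user admin from 192.0.2.55 port 40130 ssh2
Oct  8 02:31:15 web1 sshd[2205]: Accepted password for root from 192.0.2.55 port 40141 ssh2
Oct  8 02:40:10 web1 sshd[2290]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct  8 02:40:20 web1 sshd[2292]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
Oct  8 02:41:00 web1 sshd[2300]: Failed password for invalid user test from 203.0.113.9 port 3000 ssh2
Oct  8 02:41:02 web1 sshd[2300]: Failed password for invalid user test from 203.0.113.9 port 3000 ssh2
Oct  8 02:41:05 web1 sshd[2300]: Failed password for invalid user test from 203.0.113.9 port 3000 ssh2
EOF

echo "== UID 0 accounts =="
uid0_accounts "$PASSWD"                    # root, svc
echo "== sources with 3+ failed logins =="
failed_ssh_by_ip "$AUTH_LOG" 3             # 192.0.2.55 3 and 203.0.113.9 3
echo "== failures followed by an accepted login =="
brute_force_successes "$AUTH_LOG" 3        # 192.0.2.55
```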
Everything you’ve described has to do with treating the symptoms and is NOT good security. It’s a diseased mindset that stems from using Windows for too long. Please read this to understand your many errors:
http://www.ranum.com/security/computer_security/editorials/dumb/
Linux (or BSD, or OS X) are more secure because they do not offer outside listening daemons with a default install. This way, even if the system is out of date, nothing can enter. That’s all.
Thanks, just printing the article you mentioned. 🙂
“Linux (or BSD, or OS X) are more secure because they do not offer outside listening daemons with a default install. This way, even if the system is out of date, nothing can enter. That’s all.”
I think this depends on the Linux distribution or the BSD variant (PC-BSD / DesktopBSD). In order to make the user feel more comfortable, some services are enabled, usually services to interoperate with “Windows” services. The “more basal” services such as WWW, SSH or FTP are not enabled by default, fortunately, because users who want to use these services are smart enough to enable and configure them by themselves, I assume.
Compared to that, installing antivirus, antispyware and a firewall in Windows seems like a small task.
What I mention is mainly for Linux servers (though I do it on my desktop because I have potentially unsafe network services enabled). Securing certain network services like OpenSSH also helps.
SELinux and Exec-Shield provide coverage for network daemons by default in Fedora and there are plenty of resources for those interested in securing critical apps by making their own security policies.
On Windows there is a very similar set of tasks that should be completed. There are anti-rootkit apps for Windows, NTFS ACL permissions to check, UAC to enable, spyware and adware to scan, event logs to check, so on.
What is not surprising is how the Linux community is handling this issue, not very well I think.
I’ve been telling users for years that if we continue to tell people that Linux is more secure and that you don’t have to worry about rootkits, spyware, viruses, etc, then one day it will blow up in our faces.
Regardless of whether it’s true or not doesn’t matter, what matters is how it’s handled.
A good wake up call this is.
What “issue” are you talking about, exactly? Because what I’ve seen so far is a glaring lack of evidence and some (I believe intentional) confusion over how Linux is involved.
What the eBay guy seemed to imply was that rooted Linux boxes represented the “majority of threats”, but in reality it seems that the actual bots are still virtually all Microsoft boxes, and that the botmasters use Linux servers (not clear if they are actually rooted) for managing the botnets.
I agree with others, the way this was presented seems like a deliberate attempt to mislead the public with regards to the vulnerability of Linux. In this context, trying to then put the spotlight on “the Linux community” for not responding well to this *alleged* issue seems downright dishonest.
I find it amusing that you simply cannot believe that linux boxes can be owned. Aren’t Linux boxes run by naive admins just like Windows boxes? Why is it inconceivable to you that people misconfigure their apache installs and have their boxes taken over?
Anecdotally, I saw a linux box of a close friend get taken over by an Australian hacker who was using a vulnerable (perhaps misconfigured) apache module to access my university’s online research facilities. It happens all the time.
Frankly, if I were running a large organization that is heavily attacked, I’d prefer to run Windows these days while following the usual practices of isolating pieces of the network and keeping things as locked down as possible while allowing my users to get their work done. Consider that Microsoft itself runs Windows and uses it to guard their source code and other assets. It has undoubtedly one of the most remotely attacked networks in the world, yet we haven’t heard of any breaches in their security for a long time. It’s also used in the DoD and in many banks. If it were so easily hacked as people claim with comments about “swiss cheese security”, we’d have serious economic problems right now and everyone would currently have access to the Windows Source.
For the end-user, I often recommend Macs because there are fewer social engineering attacks for them than there are for Windows.
Edited 2007-10-08 02:34 UTC
Way to misrepresent what I said. Linux servers can be hacked, of course. The issue is that what the eBay guy said is misleading: bots are still by far almost exclusively Windows PCs. That hackers use Linux as their OS of choice to control the botnets doesn’t say anything about Linux security in itself (if anything, it shows how easy it is to “administer” multiple remote machines with Linux).
Even if the “command and control” servers are in fact compromised boxes – and the article isn’t clear on that – there is not *anything* in this that could suggest that home Linux users are seeing their PCs being compromised.
Yes, well that would no doubt be due to your oft-demonstrated anti-Linux bias (despite your misleading nickname).
So is Linux. What’s your point?
Forgot to include: I’d use Windows on the desktop in a heavily-attacked organization.
Windows desktop software is used in those organizations far more than Linux. Who knows what EoP vulnerabilities lie in X and all of its paraphernalia?
Oh, and my nickname was chosen a couple years ago. At that time I was on Linux and was looking into how to write a basic OS. I got around to it much later, but by then Linux had lost its charm for me. I wouldn’t say I’m anti-Linux. But I am against Linux triumphalism and the arrogant claims of superiority in some parts of the Linux community (especially a number of Kernel devs). Linux is an incredibly fast and flexible kernel (more so than NT, Solaris, or Mach), but it is not the best one out there for all purposes. It’s a great resource for learning, but I don’t consider it innovative, or even well-engineered.
VMS/NT was the last generation of Operating System innovation, and Singularity is likely to be the next. The open-source community is living in the past and the present, but does not seem to be investing in the future.
Edited 2007-10-08 05:55 UTC
As long as those desktops are not exposed to the wider Internet, this would be OK I suppose.
Expensive, hard to maintain, requires a large IT support staff, makes the organisation subject to BSA audit and requires extra staff to keep track of license compliance & IT inventory, prone to require expensive forced updates for hardware and software every few years, high risk of “orphaning” older documents due to extensive use of proprietary formats which are deliberately and rapidly made obsolete, probable need for user retraining because of “new improved GUIs”, severe lack of interoperability with other platforms, non-compliance with ISO standards, and make the organisation locked in to a critical sole-source supplier … but otherwise OK.
Edited 2007-10-08 06:21
I’d use SELinux, though that is irrelevant. You want to protect your outer periphery, i.e. servers facing the Internet. What you use on desktop software is not really relevant.
Source, please.
Yeah, and Iraq had WMDs, right? That’s textbook FUD: you don’t know that there are vulnerabilities in X, but you insinuate that there are, without any proof whatsoever.
And that warrants your bias against Linux? What about just telling the truth, even if some kernel devs are hotheads? If an arrogant, obnoxious person screams “2+2=4”, does the fact that they are dislikable mean that 2+2 no longer equal 4?
It’s not “triumphalism” to defend Linux when it is *constantly* attacked by Microsoft. You want a less shrill environment? Put pressure on MS to stop the OS cold war, and to truly embrace coexistence and interoperability. Then you’ll be true to your nickname.
You’re burying your head in the sand and denying that vulnerabilities exist when you have no idea how things are tested. You seem to have no idea what kind of scrutiny XOrg receives, but you’re willing to compare finding bugs there to finding WMD in Iraq. The difference of course, is that WMD are created intentionally while bugs crop up on their own by accident. Take these two in the X Font Server, for instance: http://labs.idefense.com/intelligence/vulnerabilities/display.php?i….
The first bug mentioned is an honest mistake. Integer overflows are hard to spot and the only real way to eliminate them is rigorous use of a checked integer library like SafeInt for buffer sizing with static code analysis to make sure you didn’t miss any places.
The second bug may be a real design mistake. Letting people remotely swap an arbitrary number of bytes on the heap is not a good idea.
I was making that insinuation about X EoP attacks with this recent bug in mind. I also suspect that X doesn’t get nearly as much scrutiny from *nix security researchers as Apache or Samba. And XOrg is in a serious state of flux right now, so new vulnerabilities can arise as the code is refactored and extended.
My point is that your arrogance about Linux security is unjustified. Sure, bugs get fixed quickly after they are reported, but how long do those fixes take to get to the corporate desktop? Also, how long can a zero-day attack last in the Linux world? Microsoft has nothing to celebrate here because their track record was piss-poor before 2003. Things changed there at that time and now they’re pretty paranoid about security. How paranoid is the linux crowd? They’re certainly not like Theo’s gang at OpenBSD.
First, I can’t be arrogant, since I haven’t actually made claims about Linux security. So that would make you ignorant, I guess.
Second, you try to argue that Linux can be attacked because of an unexploited vulnerability in XFS… how is *that* related to the current discussion? Are you talking about home PCs or servers? Why focus on Linux? Solaris, the BSDs and other Unix systems might also use XFS. Are these systems insecure as well, from your point of view? OpenBSD *also* uses XFS as part of X, does that make it insecure by your definition?
Again, you show dishonesty by claiming that I somehow think that Linux has no security problems ever (when I believe nothing of the sort). Linux, like all OSes, has security issues, and software that runs on Linux also sometimes has issues. That has *nothing* to do with the current discussion, which is whether or not Phishing botnets are made mostly of Linux boxes, as the eBay guy insinuated, or if this is yet another PR job to convey the false notion that Windows is more secure than Linux.
Geez, you’re scrambling.
I brought up X and the XFS issue because that’s where I feel the most chance of finding linux vulns is. I’m just trying to defend my claims that Windows has a chance of being a better OS for a secure corporate desktop. I’m not talking about servers or about botnets. It’s undisputed and obvious that most botnets are made of Windows boxes. There simply are more Windows boxes under the care of unsophisticated users who are susceptible to social engineering attacks. I’d be a lot more worried if these bots were boxes from corporations with an IT staff.
I’m guessing that most phishing servers are linux boxes because Linux gives you more control over the webserver and makes it easier to spoof someone else’s site.
OpenBSD is focused on the server and they do not seem to do special reviews of the X code AFAIK. I just cite them as people who seem to do the right things about security with results they can be proud of. And even they have had a few vulnerabilities.
When you talk about “unexploited vulnerabilities,” that really bothers me. The only things that make a vulnerability unexploited are a lack of discovery or unfavorable economics for exploiting it. If I’m running a firm that’s susceptible to network intrusion attempts, I’d be just as worried about unexploited vulnerabilities as by exploited ones. A sufficiently motivated attacker wouldn’t refrain from writing the exploit.
So, by your own admission, this has little to do with the topic at hand – and I’m the one who’s scrambling?
As for the off-topic question of secure corporate desktops, there’s no reason to believe Windows is more or less secure than Linux – because security should be handled by the side of the company that’s exposed to the Internet, i.e. firewalls and servers.
Nevertheless, OpenBSD distributions include X, just like Linux. Why discriminate between the two with regards to this very issue?
Again, this is *completely* irrelevant to the topic at hand – unless corporate networks somehow have the XFS outbound port open to the Internet on an unpatched machine, which would be a rather stupid thing to do.
Now, how about actually sticking to the topic?
You’re willing to go off-topic whenever it suits you… don’t start trying to shift back onto topic when you feel like your case is threatened. You called my statements about X ‘unfounded insinuations,’ so of course I wanted to discuss them. It’s perfectly rational. Trying to manipulate the terms of debate is also a rational tactic, but you really should have more respect for your opponents than doing it so transparently.
The topic at hand is which machines are bots. Those are mostly Windows desktop machines in people’s homes. I have strong doubts (though no data) that you’ll find many Windows servers in the bot corps. I have personal friends who have had Linux server boxes taken over for nefarious purposes. It’s part of the ‘monoculture’ effect… lots of people run CMS systems like Drupal or PHPNuke which have had serious remote vulnerabilities, so you’d expect to see these machines taken over. Same effect as in Windows of the past: easy to set up insecurely… insufficient awareness of good practices.
But instead of acknowledging that the Linux software community should be more careful about secure defaults and sensible messages about Linux security (i.e. that it is not a silver bullet), you are jumping on anyone who claims that Linux can be taken. You use words like “alleged” and act incredulous that crackers could possibly be compromising linux servers.
Really? Where did I go off-topic in this discussion? On the contrary, I keep trying to bring it back on-topic.
Actually, my case *isn’t* threatened. On the contrary, it is *your* case that is threatened (mostly because you keep trying to shift the debate to Workstation security…).
They were also off-topic in the first place – and that’s what I should have answered the first time. They were off-topic then, and off-topic now (in addition to the fact that the vulnerability you pointed to has been patched, and that it affects XFS, a subset of X which more often than not is not running – for example, it is not installed by default on Ubuntu boxes).
You’re the one posting off-topic stuff, such as XFS vulnerabilities, and I’m the one trying to manipulate the terms of the debate? Give me a break.
I am not. I am simply casting doubts on Cullinane’s Windows-biased declaration, and correcting those who are gung-ho about propagating the notion he seems to suggest, i.e. that a “majority of threats” comes from Linux boxes. That’s all I’m doing. I’m not saying that Linux is the silver bullet – it isn’t (neither is Windows, by the way). But you and others have been repeating the straw man argument all over in this thread, despite being called on it.
I think it’s only natural to be suspicious (not incredulous) when the Symantec guy basically contradicted what Cullinane seemed to imply with his “majority of threat” declaration – for someone who’s not biased towards Microsoft, of course.
I actually like it when people start using logical fallacies in arguments against my posts. It is a sure sign the opponent is getting desperate to mount any decent counter-argument.
Three logical fallacies in the one discussion is probably a record in topics I have ever followed. The desperation level in your opponent must be exceptionally high.
“Consider that Microsoft itself runs Windows and uses it to guard their source code and other assets.”
Really? How do you know that? Do you work for Microsoft?
What else do you think they use?
You don’t have to work there to know that they use Windows for everything they can.
Except Windows Update, which funny enough has run on Linux servers for a long time now.
Interesting… that might well be Akamai or some other edge-networking company.
In the past, Microsoft definitely used Digital PDP and VAX machines for “server” roles. They also used their own Xenix version of UNIX (reportedly it was one of the better ones of the day). HoTMaiL was run on FreeBSD when it was purchased (and used as a testbed for deploying an at-the-time unready Windows Server system).
Whoooooooooo boy, that’s a biggie. I don’t think so.
http://www.google.com/search?hl=en&q=%22homeland+security%2…
4 million hits.
… let alone the admission from Microsoft itself a few weeks ago that Windows Update has a backdoor into Windows …
Edited 2007-10-08 05:40
“I agree with others, the way this was presented seems like a deliberate attempt to mislead the public with regards to the vulnerability of Linux. In this context, trying to then put the spotlight on “the Linux community” for not responding well to this *alleged* issue seems downright dishonest.”
What implications can be seen in this attempt?
1. “Linux boxes are a threat, because they’re rootkitted and running bots.”
If proven to be wrong (see opinions above), there’s more:
2. “Linux boxes are a threat, because they’re used by criminals to gain control over poor ‘Windows’ boxes that are running bots.”
Does this imply Linux users to be criminals because they’re using an OS that’s used to control criminal actions? Using the same “logic”, cellphone users, car drivers or other users of common means can be looked at as criminals…
So, following this logic some more, “Windows” users are just victims – the Linux users are the evildoers?
So, are you saying that Microsoft is funding/training crackers to use Linux to attack other boxes, to give Linux a bad name as a crackers operating system? And if so, they could argue [to the US government or whoever], that Linux encourages unlawful activity, and on that basis alone it should be forcibly outlawed?
I really hope that’s not what you’re saying…I’m a conspirationalist at the best of times, but not even I’d go that far lol…
Dave
“So, are you saying that Microsoft is funding/training crackers to use Linux to attack other boxes, to give Linux a bad name as a crackers operating system? And if so, they could argue [to the US government or whoever], that Linux encourages unlawful activity, and on that basis alone it should be forcibly outlawed?”
You’ve got a strange mind, Sir… 🙂
“I really hope that’s not what you’re saying…I’m a conspirationalist at the best of times, but not even I’d go that far lol…”
Don’t mind, I didn’t want to say this. Your ideas are interesting. Have you thought of getting employed by the MICROS~1 interoperability and security team lately? 🙂
To be serious again: It seems that MICROS~1 is using third party statements (i. e. eBay) to bring Linux into discredit, claiming it’s used by (unspecified) evildoers in an (unspecified) criminal way. I had a great laugh reading the article. As a sidenote, it mentions Linux security issues (rootkits etc.), but, as it has been said before, “Windows” boxes (or, their lack of security, and / or the lack of proper administration) are the real threat to the Internet. Of course, you can make a Linux box insecure, too. But this seems to be much more complicated, and it does not pay because Linux has not enough oh joy oh market share.
I don’t think MICROS~1 encourages anyone to use Linux as a means for a criminal action, because it tries to convince everyone to keep hands off Linux in any way. Thus said, it would not give training to persons in order to take over “Windows” boxes, this seems to be easy enough. But a cool imagination, though… another anniversary present for me, thank you. 🙂
As I understand it, a botnet relies upon there being a large group of vulnerable computers all connected to the Internet, all similarly configured and all vulnerable to remote exploits. A botnet relies on the existence of a “monoculture” of computing platforms. The machines targeted to become bots must all have the same binary-compatible software base installed, and they must all be the same computer architecture.
http://en.wikipedia.org/wiki/Botnet
This means that the machines that are the actual “bots” are necessarily ALL Windows machines. (Note: this fact does not mean that the small number of botnet command and control machines are, or are not, Linux boxes).
In the phrase from your post where you say
you don’t need to have included the word “virtually”.
The argument that the botnet command and control computers are Linux machines is somewhat strengthened by the observation made in the quoted Wikipedia article to the effect that:
Edited 2007-10-08 02:56
Thanks for the clarification. So now we know that bots are *all* Windows PCs, and yet the spin we’re seeing is that Linux is somehow equally (or even moreso) to blame.
God, Microsoft’s PR machine makes me sick…
“Thanks for the clarification. So now we know that bots are *all* Windows PCs, and yet the spin we’re seeing is that Linux is somehow equally (or even moreso) to blame.
God, Microsoft’s PR machine makes me sick…”
You’re either easily sickened, or want an excuse to claim that you’re sickened.
If you read the article, you’ll see that there are three people saying different (possibly contradictory) things from their own points of view, that’s all. There’s no “Microsoft PR machine” at work here.
The article has a link to the “Microsoft sponsored symposium’s” site:
http://www.scu.edu/sts/trustonline/
Read the list of speakers and contributors. Are you (and the rest of the folks dismissing this on the basis that the symposium was sponsored by Microsoft) making the charge that they were all paid off by Microsoft to spout Microsoft PR? The list of speakers includes very serious minded security people; I’d be very surprised if any of them were paid to spout Microsoft PR. Are you saying that they are serving as paid Microsoft shills?
Edited 2007-10-08 08:18
No, I am certainly not saying this at all, and I resent you insinuating this, though I’m not surprised, considering how low you’re usually willing to go to defend Microsoft. I was referring to the eBay guy’s comment, and to how this is being recuperated by some to somehow insinuate that Linux has big security problems.
Oh, and “slashdotters are agreeing with this?” This is at least the third time that you use this particular logical fallacy here. Once upon a time the majority of Europeans believed the world was flat – that didn’t make it so. Look up “argument by popularity” one of these days.
Again, my exception is with the insinuation that somehow large numbers of Linux boxes have been hacked as part of botnets. I still haven’t seen anything to corroborate this, and your usual PR-worthy talk hasn’t changed this a bit.
“No, I am certainly not saying this at all, and I resent you insinuating this, though I’m not surprised, considering how low you’re usually willing to go to defend Microsoft. I was referring to the eBay guy’s comment, and to how this is being recuperated by some to somehow insinuate that Linux has big security problems.”
Oh, you “resent it”, eh? You have some gall being resentful of anything *I* have to say, considering how often you’ve insulted me personally on this site. Which you continue to do with even the above comment, I might add.
Now, you say that you “are not saying at all” that the ebay guy or any of the speakers/contributors of the Microsoft sponsored symposium at Santa Clara University were paid to or directed to say whatever they had to say. You’re only upset about the spin on what the guy said, that such spin is due to the “Microsoft PR machine” that “makes you sick” right? Where in God’s name do you see any Microsoft PR machine at work here? The article in question wasn’t written by Microsoft. The two places where I’ve seen stories on the article (slashdot and OSNews) are not controlled by Microsoft (and indeed, the former hates Microsoft unabashedly). The article in question quotes another person from Symantec saying that he sees things differently from the ebay guy. The article also quotes someone else as saying root-kitted linux boxes are highly-prized by the hacker community because linux is easier to control/administer remotely, but he says that as a *positive*. How can you say that the ebay guy’s comments are being spun by a “Microsoft PR” machine that “makes you sick” when the story they appear in wasn’t written by Microsoft, provides alternative points of view from that of the ebay-guy, and Microsoft doesn’t control the web sites that have made topics regarding the article?
You’re finding the bogey man where he ain’t.
“Oh, and “slashdotters are agreeing with this?” This is at least the third time that you use this particular logical fallacy here.”
At least the third time? I’d have guessed that I’ve used that argument well more than that. LOL
I cite slashdot comments because:
A. I frequent the site.
B. Slashdotters know way more about linux than I.
C. Slashdotters are Linux and open source advocates.
D. Most slashdotters despise Microsoft.
What this means is that I can readily cite slashdotters opinions as “expert” opinions on a particular subject (i.e. Linux usage) and know that such opinions might have some credibility among linux advocates and Microsoft haters that overwhelm OSNews, since they generally have the same outlook (loving linux, hating Microsoft). Normally slashdotters agree with the linux-advocates and/or Microsoft haters on OSNews, but when they go against their own “conventional wisdom”, I find it interesting to post on that.
But here’s the much more important thing regarding my citing slashdot comments:
There’s no “logical fallacy” at work here, as I didn’t say that the fact that slashdotters said something was in itself proof of anything. Rather than just saying, “well slashdotters said …”, I provided the actual link to the slashdot thread on this story so that readers here could actually read the comments, and see that the statements made by the ebay guy are backed up by technical arguments and personal experience presented by many linux users, and indeed, many linux *advocates*.
Since you didn’t refute any of the evidence presented in the slashdot thread, and instead searched for a reason to dismiss that evidence (just as, much to your relief, you found a reason to dismiss anything anyone said at this symposium), I’m going to make the assumption that you didn’t bother to read the slashdot comments (probably too scared, preferring blissful ignorance).
Linux and/or the services that people run on it, ain’t “perfect”. Know that. You ain’t doing Linux any favors by living in denial about that.
BTW, I’m curious about something. You’ve yet again referred to my posts as “PR-worthy”. I have a couple of questions about that. First, is that meant to be a compliment or an insult (or both)? Second, what are your criteria for posts to be “PR-worthy”? Just out of curiosity.
Edited 2007-10-08 17:07
(Just wanted to say that MollyC’s post here was very good.)
I haven’t insulted you. I’ve asked you if you were working for a PR company that has MS as one of its clients, and when you didn’t answer I took that as an admission of guilt. Now you’re being oversensitive, though I suspect it’s just an act to avoid actually having a reasonable debate – you don’t really feel insulted, but you claim to be in order to give you some advantage in this particular debate.
That still doesn’t change the fact that you ascribed me a position I did not have in this particular debate.
Where did I insult you? I simply stated that you *always* defend MS – and indeed, you always do. Since when is telling the truth insulting?
No, I don’t believe the eBay guy was paid to do this. That doesn’t mean that there isn’t a strategic incentive for him to help Microsoft. Even then, the PR work is not necessarily what he said – he could be simply mistaken – but rather the fact that people are trying to spin this into a negative report card for Linux (when there is no real indication that hacked Linux boxes form an important proportion of botnets). *That’s* the spin that sickens me – and it doesn’t matter if someone is paid by MS or not, they are doing its PR work when they spread this misinformation.
You should stop, because that’s not a valid argument, but rather a variation of Argumentum ad populum:
http://en.wikipedia.org/wiki/Argumentum_ad_populum
B, C and D are nowhere near as true today as they used to be. Many Slashdot readers are MS users and pro-MS posters. I know, because I frequent the site as well.
“Overwhelm” OSNews? Hardly. I, for example, do not hate Microsoft – I just don’t feel the need to defend them all the time.
Anyway, you’ve just summed up why you shouldn’t make these kinds of arguments – because they’re not arguments at all. Rather, it’s your *own* appraisal of what *some* people on Slashdot think. Combine that with the fact that popularity of an opinion does not make it more or less valid, and you’ve got a very weak position to stand on. So rather than claim that “Slashdotters agree” (which would require some hard numbers anyway, which you have failed to provide), instead address the actual declaration by Cullinane and its misrepresentation by anti-Linux advocates.
Then why mention it at all? If you saw a good, *on-topic* argument on the slashdot thread, then why not reprint it here, rather than sending us to the comment section of another web site (which is a bit rude to the OSNews editors)?
I’m sorry, but I’m not going to read a whole thread just to humor you. You want to bring an argument, bring one.
Scared? Why would I be scared? Contrary to what you claim (in your usual dishonest way) I do not think that Linux is invulnerable. I simply stated that what Cullinane said was dubious and led to easy misinterpretation.
I didn’t bother to read the Slashdot thread, because a thread isn’t an argument. If you want to present arguments, go ahead, but don’t expect me to sift through an entire thread on another site – I don’t have that kind of time to waste.
Again, you dishonestly misrepresent my position. Strawman argument, Argumentum ad Populum, Appeal to Authority – you really like logical fallacies, don’t you?
I know Linux isn’t perfect. I know insecure server installs exist. I believe I know a *lot* more about Linux (and Windows) security than you do. That is *not* the point. The point is the ambivalence in Cullinane’s declaration, and how it is recuperated by anti-Linux advocates doing MS’ PR work for it, free of charge.
When I say that you’ve continued to insult me personally, I don’t refer to your nonsense about asking me if I was that other mollyc. I refer to comments you made about me for months, that yes, include insinuations that I’m a paid shill (long before that mollyc malarkey), suggesting that I’m lying, or unscrupulous, blah blah, which you continue to do even in this thread.
“Where did I insult you? I simply stated that you *always* defend MS – and indeed, you always do. Since when is telling the truth insulting?”
Bull. Read what you wrote again.
You said, and I quote “No, I am certainly not saying this at all, and I resent you insinuating this, though I’m not surprised, considering how low you’re usually willing to go to defend Microsoft.”
Do you get it now? Telling someone that they are “going low” is an insult. And you insult me all the time here.
You insulted me yet again in the very post I’m replying to now, with your “in your usual dishonest way” attack. Tell me, do you actually get along with anyone in real life? Or is it only on the net that you insult anyone that dares to disagree with you? Do you even have the ability to debate with someone that disagrees with you without insulting them?
Back to the topic, it appears that you admit that what you label as “MS PR Machine” is nothing of the sort, as you admit that you can’t demonstrate MS involvement in any of the “spin” you talk of. Random people reading the article in question and “spinning” it as a negative for Linux do not constitute an “MS PR Machine”.
BTW, your talk of “logical fallacies” is nothing more than a cheap way to dismiss what I have to say. Just as your frequent accusations that people are doing “MS PR work” (free of charge or not), is used to dismiss arguments you don’t like. And even you can’t deny that you use that tactic all the time here.
Edited 2007-10-10 03:31
Oh, cry me a freakin river. I already accepted your statement that you weren’t that other mollyc, thus that you are not a paid shill. As to suggesting that you’re lying or unscrupulous, that’s simply a reflection of some of your statements, which I find misleading and incredibly one-sided.
No, it’s not. If you believe it is you really need to grow a thicker skin, pal.
In my opinion you are dishonest in the way you tried to misrepresent my position with regards to this issue, and you have done that repeatedly before, therefore my comment is justified.
Ah, we’re going for the psychological angle now. Cute. Someone stands up to your crap and your response is to question their emotional state and/or social skills. The first time someone tried that trick on me was back in the days of the BBSes, before the WWW existed. You’re going to have to do better than that: I get along great with people in real life, I have many good friends, and I’m generally a happy person.
Again you misrepresent me. This is *exactly* what I’m talking about when I say you are dishonest: implying that I am incapable of civil discourse online. Thanks for proving my point. I do *not* insult those I disagree with (and in fact, since you stated that you weren’t a PR person, I have not called you a shill, the only real name I called you). However I will call BS when I see it, and that includes misrepresenting what I say. Try to put words into my mouth and I’ll react swiftly, to be sure. Best to just stop making up strawman arguments about what I supposedly think or stand for.
No, it’s not. It’s simply pointing out the logical fallacies in your argument. If you don’t like it, make logically sound arguments, period.
If someone is constantly defending Microsoft and pushing their talking points AND they don’t actually work for MS, then they in fact *are* doing MS’s PR work for them. There’s nothing wrong with pointing this out.
As for whether MS is involved in spinning the Cullinane statement (or if indeed Cullinane made the statement with the express purpose of spinning), we can’t obviously know for sure, but we can certainly suspect it. As it is, considering that we have yet to see *any* proof that the majority of phishing threats come from compromised Linux boxes, there’s good reason to be suspicious.
The issue is how we handle a problem like this; that means the way we respond, our comments, who we blame, who’s really at fault, IS my issue.
Deny it all, the usual ‘it must be MS trying to destroy us again’ bs really is getting old. It seems that we may never get away from being the ‘anti MS OS’ and stand on our own two feet. That means being able to sort out these type of problems with some intelligence, honesty and move forward.
One glimmer of hope is that some (including posts here) are taking the right approach and using this opportunity to teach others how to secure their systems, posting links to resources, etc, and admitting that Linux is NOT invulnerable to attacks.
And it’s not dishonest to ‘put the spotlight on the Linux community for not responding well’, this shows us that we need to improve how we respond and who we need to get rid of. Like all the Linux trolls!
You didn’t understand my question. What is, exactly, the actual *security* issue with Linux that we can conclude from the article? Shouldn’t we make sure there’s an actual issue before we point fingers, as you seem so eager to do?
So I’m asking you: after reading the article, can you conclude that there is a rampant problem with Linux boxes being hacked into bots? Yes or no, that’s all I’m asking.
It’s not about getting old or not, it’s about how accurate it is. People have been saying that the sky is blue since time immemorial, it’s not any less true today.
In this case, it seems obvious that the statement from the eBay guy was made to detract from the fact that the actual bots in botnets are still exclusively Windows machines. *That* is the real problem which should be tackled.
We would get away from this stance if MS actually stopped trying to undermine Linux by continually spreading falsehoods about it, in addition to trying to divide the FOSS community with stunts such as OOXML and the MS/PL.
The day MS actually accepts to coexist with Linux and FOSS, then we’ll stop being defensive towards the software giant, and not a moment before.
There are two logical fallacies in this sentence. The first is that it implies that its one or the other, i.e. that you somehow cannot give people tips on how to secure their Linux boxes AND be skeptical about the eBay guy’s claims. In fact, you *can* very well do both, so insinuating that you can’t (as you do) is simply wrong.
Second, I and others who have expressed skepticism with the eBay guy’s claim do NOT think that Linux is invulnerable to attacks. That’s a textbook “Strawman Argument” fallacy. Linux *is* vulnerable to hacking – the question is whether this is relevant to the issues regarding Phishing and botnets. *That’s* my issue with the statement – it’s not clear at all that *hacked* Linux boxes are an issue, but it rather seems that phishers are using Linux to control Windows bots (something they could do without needing to hack a system).
I’m sorry, but if you’re going to continue to use logical fallacies to support your arguments, we’re gonna get nowhere fast.
It is when we have yet to establish that there is an issue with Linux boxes being hacked to be used as part of Phishing botnets. It is when the distinction isn’t made between LAMP web servers and people’s home Linux PCs – it’s irrelevant to point out that distro X may or may not be secure, if you’re into the web server business it’s your job to make sure your servers are secure.
Again, there’s no indication that we have the same situation as Windows-based bots, i.e. the millions of home Windows PCs that have been hacked into bots. *That’s* the real issue.
Oh, you want to “get rid of” those who disagree with you, now? How open, how democratic.
Listen, kiddo, I’ve been around this Internet thingy (and this particular web site) for a looong time now. I’ve used – and still use – Windows, Macs, Unix and Linux PCs and servers. Just because I find that what some eBay guy has said to be questionable doesn’t automatically make me a “Linux troll”. So work on making arguments that are logically sound, and try to understand what it is that I’m actually saying, and then we’ll talk.
Being a ‘linux troll’ has to do with attitude, and quite frankly, trying to shout me down with all this bs just reinforces my view.
Shout you down? I didn’t write a single word in all caps. Sorry if you feel that my arguments are tantamount to badgering, but I am not trying to intimidate you or anything. If you have valid counter-arguments I’d be happy to hear them – though calling me a Linux troll is rather insulting, considering how long I’ve been posting here…
I’m a Linux advocate. That doesn’t mean I don’t recognize its flaws, but that also doesn’t mean I’m not going to argue with someone when they say something I don’t agree with…
Think about it, there’s more than 90% Windows machines out there waiting to be had, and the hackers are gonna spend their time hacking Linux machines that are less than 1%? Now you can call me a Linux zealot if you want, but hackers do what they do for money; they are not interested in such a small portion of the PC market.
This sounds like Microsoft sponsored BS, if you ask me.
Ironically they are hacking the Linux machines for exactly what makes them popular. They are cheap, unattended and have great uptime. That “just works” goodness translates into poor administration and ignoring patches and such because they’re rarely necessary for the product to function. As long as the crackers are careful not to break the running system they can go on undetected. Using Linux for the controller makes sense because it could be a long time before somebody finds your bot-net head and cuts it off; getting bots is easy, a stable point of control (that you don’t own) is not.
Wirespot,
Unfortunately, my customers don’t let me take their gigabytes’ worth of log files home with me. If I did that, I’d be in jail, or worse, Gitmo.
However, I’ve seen this same scenario multiple times, with the same variants of these worms hitting even iis servers sometimes hundreds of times a day from multiple web hosting farms.
I’ve had to document this.
If I am lying, then why do eeye retina and ibm iss siteprotector have signatures for these vulns?
You, sir, do not see the big picture.
Wirespot,
One other question: how many servers do you maintain? One server is not a representative sample. Over 100 publicly accessible sites and servers is.
When you get some “popular” sites, you see a lot of this. My biggest customer happens to be that popular.
The reason why ebay isn’t saying more is because certain us gov agencies (fbi, secret service) have prob. told them to shut up.
I recently had the privilege of tracking down a rootkit on a web server that a customer of mine acquired when he bought a small web hosting company. It was a plesk server that a customer was running PHPBB on. Evidently it was an older build, but the attackers basically exploited an admin file, replacing the phpbb library root with php code from another site. This gave the attackers a web console and ability to run code on the web server. It wasn’t a real rootkit though, the processes ran as apache, but the entire web server slowed down and the network resources were pretty much taken all to the apps the script kiddies were running. Essentially they were irc bots, connecting to sni-labs…myspace obsessed morons…
Anyway, it’s not a linux security issue, but a really crappy PHP application that allowed this server to essentially become part of a botnet. Before people call the security of an operating system poor, maybe they should consider something simpler, nonexistent security and QA for applications. PHPBB isn’t the only one and it most certainly isn’t a case of open source apps being more or less secure. There’s plenty of crappy applications out there.
Addendum: If anyone wants to know more about this, send me an osnews message. I’m not a security researcher, I just happened to luck out and was checking processes when I noticed something that allowed me to really track down this process. A shared hosting server with 100+ customers is really difficult to debug when you can only go on “it’s connecting to irc for some reason…”. It was a clever script and it worked fairly well.
Edited 2007-10-08 04:22 UTC
Part of the problem is the influx of ‘easy to use’ Linux distributions that aren’t necessarily secure by design (Linspire anyone?). Ubuntu isn’t going to escape my scathing eyes either, sudo has a long and sordid history of security issues.
To add to the woes, several factors are causing this issue:
1. People want to host their own websites. That usually means Apache and ssh, usually not secured properly. Add to that, many people still use ftp, instead of sftp.
2. Many Linux distributions do not ship with an active firewall, scary, especially given the huge uptake in broadband connections.
3. This is the main issue – we have dumb users coming from Windows, who are too tight to pay for Windows, so they go for the freebies like Linux. The problem isn’t that they’re not paying, far from it. The problem is that these people can barely run Windows, and usually their computer skills are sub par. Linux is an inherently more complex operating system to administer, and administer properly. They usually don’t know they’re doing something wrong, or not securing something correctly. And the sad thing, the really sad thing, is that they usually don’t give a f–k either.
4. Despite SELinux being ‘mainstream’ for several years now, very few distributions ship with it – sad. It makes a potentially safer operating system even safer. I’m not saying you can ignore locking down the system etc as appropriate, far from it. Every bit of security helps.
5. The Linux community itself for many years saying ‘Linux is unhackable’. This is a load of crock. Serious, experienced users know this, idiotic newbies just spread this wrong propaganda.
6. Simply far too many options for desktop environments, applications, and so forth. The more packages on your system, the higher the odds that one can be cracked. All it takes is one cracked package…
7. People are now compiling from src more than they used to, and this is where problems can develop, with embedded rootkits etc. Stick to your distributions signed packages, check the md5sums to ensure that they’re legit. If you want to use src, make sure you can read the language in question and understand it. I know I sound hard, but it will cut off potential issues with embedded rootkits if you take this advice.
8. Increased numbers of users – aka the Windows effect. The more users, the more the blackhats will look at the operating system as having potential numbers for ‘milking’. There’s nothing you can do about this.
This isn’t going to get any better btw.
Dave
Edited 2007-10-08 04:37
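An added example, not code from the thread or from any distribution: two of the checks the list above calls for, scripted the way an auditor would run them. The first reads an sshd_config and flags the settings that make SSH brute-forceable (root login permitted, password authentication left on, SSHv1 enabled); the second verifies downloaded files against a checksum manifest in md5sum/sha256sum format. The config text, file contents, manifest and function names are all constructed for illustration. One caveat worth stating alongside point 7: a checksum only proves that a file matches the manifest, so the manifest itself has to arrive over a trusted channel or carry a signature, and where the distribution publishes SHA-256 digests prefer them to MD5.

```python
"""Audit an sshd_config and verify files against a checksum manifest.
Constructed example; inputs below are made up for illustration."""
import hashlib
import re


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value} for the global section.

    sshd uses the first value it sees for a keyword, and everything after the
    first "Match" line is conditional, so the global audit stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return a list of findings for settings that leave SSH open to brute force."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly; set 'no' and use an unprivileged account plus sudo")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication not set to no (sshd default is yes): passwords are brute-forceable; use key pairs")
    if "1" in s.get("protocol", "2").split(","):
        findings.append("Protocol 1 enabled: SSHv1 has known cryptographic weaknesses")
    return findings


def verify_manifest(manifest_text, files):
    """Check files ({name: bytes}) against '<hexdigest>  <name>' manifest lines.

    The digest length selects the algorithm (32 hex = MD5, 40 = SHA-1,
    64 = SHA-256). Returns {name: 'ok' | 'MISMATCH' | 'MISSING' | 'UNKNOWN-ALGO'}.
    """
    algos = {32: "md5", 40: "sha1", 64: "sha256"}
    results = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")                     # GNU coreutils binary-mode marker
        algo = algos.get(len(digest))
        if algo is None:
            results[name] = "UNKNOWN-ALGO"
        elif name not in files:
            results[name] = "MISSING"
        elif hashlib.new(algo, files[name]).hexdigest() == digest.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


# Constructed sample data (not from any real host or distribution).
SAMPLE_SSHD_CONFIG = """\
# sshd_config on a cheap colo box
Protocol 2,1
PermitRootLogin yes
# PasswordAuthentication no      <- commented out, so the default (yes) applies
Match User backup
    PasswordAuthentication no
"""

SAMPLE_FILES = {
    "good.tar.gz": b"hello\n",
    "legacy.tar.gz": b"hello\n",
    "tampered.tar.gz": b"hello!\n",                 # one byte changed in transit
}
SAMPLE_MANIFEST = """\
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  good.tar.gz
b1946ac92492d2347c6235b4d2611184  legacy.tar.gz
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 *tampered.tar.gz
0000000000000000000000000000000000000000000000000000000000000000  absent.tar.gz
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd:", finding)
    for name, status in verify_manifest(SAMPLE_MANIFEST, SAMPLE_FILES).items():
        print(f"{status:12} {name}")
```

Run it against a real host with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` and a downloaded `SHA256SUMS` file; the point of stopping at the first `Match` line is that per-user overrides do not weaken or fix the global default, so they are audited separately.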
Linux boxes sitting on public ip addresses running default installs of any distribution are probably at risk. If they are a LAMP box all the more so. These are well known targets and surely have holes.
Linux desktop distributions would hopefully be more protected and not on public address space for most users. Although the .gov .edu people are often. So what more precisely might have been said is that Linux servers are often compromised as are windows desktops.
These targets are then used together to make money attacking the rest of us.
In fact I am sure there were rootkits for Linux before there were rootkits for Windows. Remember Linux/Unix boxes are almost always on the net and have always been so. That is the point. Whereas Windows and its like have only been on the scene for 10-15 years.
For a long time the only exploits were for Unix boxes. While things are fixed, the nature of online apps and C code in general seems to lead to holes.
I got a clearly suspicious email, some time ago. I tried to forward it to Ebay Italy so that they could take action, but it came back to me, saying that the service had been discontinued. So much for service to your customers!
Should be better for this, as it is more secure. And it is open and free to use.
eBay’s chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University. “The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,” he said.
The bit in bold tells you all you need to know.
If anything, it just shows how much in denial Microsoft still is about security. A security symposium is not supposed to be something where you all get together and start reassuring yourself that the competition is worse. You look at your own problems.
I’m just tired of this bullshit from Microsoft. It’s so transparent now it isn’t worthy of comment.
I just ran chkrootkit on my gentoo linux PC. Guess what? No problems found! Of course that could be because the home router has a built-in (and enabled!) firewall, despite having Two PCs running WindowsXP (one under the control of my clueless Son), along with the gentoo PC. My biggest problem with the home network is getting consistent AC Power out of the wall sockets.
I join the crowd of those who call “spin doctoring”.
I hope the article badly mangled Cullinane’s speech; unfortunately there are no copies of Cullinane’s speech available, so I can’t check.
It begins with the article’s headline suggesting that statements of Cullinane regarding his time at Washington Mutual refer to the current situation at eBay.
This claim is not substantiated during the article. The following passage refers to Cullinane’s time at Washington Mutual:
Bold by me. However, Cullinane has been with eBay for the last two years, so we are looking at alleged data that already is at least two years old. Now claiming it’s a trend suggests that the situation aggravated till then, but the article says nothing about that.
The quote also suggests a 1:1 relation between threats and compromised boxes by saying a threat is a rootkitted Linux-box. I believe this is an inaccurate representation of Cullinane, but it would raise the question what a threat is in this context.
If each compromised box is a threat, then we have to ask the question, how can an operating system that has a market penetration of about 3% be used for the majority, i. e. at least 51%, of threats against Washington Mutual, when the “Botnets are almost uniformly Windows-based” (FTA)? MS Windows is, like it or not, the majority platform with over 90% market penetration and to become a bot, the machine has to be compromised (i.e. becomes a threat).
Since all explanations I can come up with for the original scenario have to make other (often insulting) assumptions or exclusions, I just wonder if “a threat is a compromised box” is really what was said. It just makes little sense.
I think we all agree that, of course, there are compromised GNU/Linux boxes out there, probably thousands of the cheap VServers and rooties are insecure, and I guess that a compromised vanilla GNU/Linux machine can pose a more serious threat than a vanilla MS Windows XP machine, but are we talking numbers or severity here?
The article suggests we are talking numbers and refuses to give us the benchmarks. What to think of this?
According to the headline:“The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,”
But at the same time somewhere at the bottom of the article they say:“We see a lot of Linux machines used in phishing,” said Alfred Huger, vice president for Symantec Security Response. “We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots.
Then where is the rootkit installed? On their own boxen?
craptastic article.
1. ISPs are starting to block inbound traffic on their own. Case in point: Verizon FiOS. They do it extensively. I have heard of other ISPs at least partially implementing this, such as Comcast (they do it for SMTP). It’s against the AUP of almost every major consumer ISP out there to run servers. Verizon’s been enforcing it. Therefore, Linux boxes at web hosts make sense.
2. Many companies outright block entire Class B’s or Class C’s for certain traffic. Many of these cheap web hosting companies are on the same Class B or Class C as Akamai, Hotmail, or some other major site that companies cannot block without causing loss of business. Therefore, the boxes at web hosting farms make perfect targets as proxies, phishing sites, or DDOS zombies. This is a known way around many corporate firewall blocks.
And yes, these scripts are standardized, and setting /tmp to noexec can be bypassed (I’ve seen this on Google and Slashdot ). Many of these scripts do the following:
1. Use CMS Vuln to inject shell script or bad SQL.
2. Shell script or bad SQL does the following:
2a. cd /tmp
2b. Run wget to get the rest of the code and put it in /tmp
2c. Run code from /tmp that sets up a remote shell or reverse shell you can control, with a built-in default password.
2d. Run phishing site, ddos zombie, bounce proxy, or other bad program of your choice.
3. Profit!
There’s also one other reason to target Linux boxes at an ISP. These are the types of machines which aren’t as monitored or well-maintained as a corporate web server. You’re not going to usually have an admin that knows what /var/log, a remote syslog server, Tripwire/AIDE, or httpd.log is. If they do, they’re probably not paid enough to care. ISPs run on razor-thin profit margins (I know, my friend runs a large one), and usually pay a lot less than corporate sysadmin jobs.
You’re also going to have an admin that will probably set logs to overwrite themselves, and won’t know what an egress filter on a firewall is or how to get one set up.
Your average Windows box, on the other hand, is used by someone who has a 200GB HD and uses about 20 of it. Windows and NTFS also have the very undesirable characteristic of writing many things to disk that they shouldn’t, and not overwriting those sectors. Pop an NTFS-formatted drive into Encase or Autopsy and you’ll see lots of things in the slack space that you didn’t know were there, and you thought were gone for years.
In other words, Linux boxes also make sense because the bottom-of-the-barrel admins won’t implement the security controls required, and because the Linux file systems don’t store as much cool info as NTFS and Windows do. Esp. when you have a box with 100 shared web sites, and /var/log/http/httpd.log set to overwrite when /var/log gets close to full. In other words, when the FBI, Secret Service, and local PD come knocking at the ISP’s door (assuming said ISP is in a country that cooperates with US law enforcement), they won’t find as much as they would on a Windows box.
Face it. It’s not a Linux problem. It’s a human problem due to improper implementations of software that happens to sit on Linux. Due to many correlating environmental factors (ISP bandwidth, some ISP’s blocking HTTP and SMTP), these machines happen to be the biggest target out there, and provide the most bang for the buck.
These people don’t get rich by being dumb. Some of them are probably ex-intel folks from the former Soviet Union and its satellite republics.
True even though I think its amazingly dumb. It’s also usually not done for any security reasons but as a service differentiator. If you want to run services you need a “business” account which is usually a lot more expensive. There’s a horrible flaw in the logic that if you can pay more you know what you’re doing.
Blocking inbound connections also breaks a lot of applications and services, like inbound VOIP calls and P2P, but maybe that’s just another reason for them to do it.
And if the malware is delivered by other means, such as browser exploits or trojans, blocking inbound connections is pointless.
I disagree. In my experience corporate admins are just as clueless as, or more than, ISP admins, and corporate servers are just as ill-maintained. I’ve seen so many corporate admins whose main network understanding seems to have come from playing Counter-Strike on a LAN. Obviously that’s not sufficient.
My experience with ISP people while still bad has not been nearly as disastrous.
So a terrible design flaw is a good thing?
Uhm, I’d say it’s a good thing they (and by extension the “bad” guys) can’t find things I don’t want them to find. It’s called “security”.
And not just on Linux. Rampant incompetence is the curse of the entire industry. It’s no coincidence that “enterprisey” is a derogatory term.
Heya,
Verizon does have the motive to block incoming traffic and break VOIP and other services. After all, they compete with FIOS, and they are Ma Bell with a different name.
The corporate admins I have worked with fall into two categories: clueless and clueful. The latter usually gets assigned to work on the revenue-generating side of the house. The clueless ones usually get put on the internal apps that the outside world doesn’t see or interact with (think business intelligence, reporting, and the like). Clueless usually happens to know a lot about games, I agree. Clueful at least understands LDAP, UNIX, and lots of other acronyms. Clueful also understands interoperability and security.
ISP admins usually have a significantly higher server/admin ratio.
And I agree, rampant incompetence is omnipresent in IT. I’ve seen way too much of it myself, esp. in large enterprise projects.
How the hell could eBay know, by a Linux computer coming to their website, that it is infected with a rootkit? They would have to compromise the Linux box that is infected in order to find out if it has a rootkit, and rootkits are supposedly very, very hard to detect. Without details this is FUD.
When the people who say this is MS-sponsored anti-Linux FUD from eBay, and that eBay can’t provide the evidence because they don’t have any, have proven themselves so incapable of reading an article that they can’t even grasp the fact that the guy was talking about his time at Washington Mutual, they have no high ground to stand on when it comes to credibility vs. FUD.
In fact they are creating FUD-FUD, if that word can exist. 🙂
I believe this is a somewhat relevant post. This link points to a very interesting article that I would suggest people read.
http://blog.gnist.org/article.php?story=HollidayCracking
Interesting link, thank you!
1.) “speaking at a Microsoft-sponsored security symposium”
2.) “and while the company is not releasing the results of this analysis”
While this FUD… errr, “news” may be plausible, it is to be taken with the two above sentences in mind.
Quote
Last week eBay said data on 1,200 eBay members had probably been stolen via a phishing scam. The members’ data was posted to the company’s Trust & Safety discussion forum.
And
“The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,” he said.
The two don’t really go well together. I could have my account hacked because I fell for a phishing scam on any platform. And if my Linux or Vista boxes had a rootkit installed they may just want to log my keystrokes or scan my email boxes in the hope to find something private instead.
Can anyone confirm whether…
1. The Linux users fell for the scam in ignorance.
Or
2. The Linux boxes are Rootkitted and ran a website that users fell for.
Or
3. This all does not make sense because it’s FUD.
Or
4. I need educating to what’s happening.
Does anyone know of a case study or any kind of aggregate report regarding methods of rootkit infection? By now, I am sure most of us here know all of the potential vulnerabilities (weak passwords, SQL injection, whatever).
But does anyone have any kind of case study of what the most common vulnerabilities on Linux boxes are? I am dramatically less interested in how this story bodes for Linux’s reputation and way, way, more interested in what they know about how these machines were infected – which rootkits, etc?
Alternately I would be interested to know something like, “top 10 specific ways Linux boxes have been rooted.” I’d like to know if there are trends, and what they are (phpBB comes up a lot – I wonder if that is one).
I have made the point in the past that hackers, by and large, don’t impress me much for this reason: I assume that anything so large and complex (and even byzantine) as an operating system, is full of potential vulnerabilities, the same way a large office building or mall is full of potential ingress (intrusion) points simply by virtue of its size or complexity. I have never gloated about security because I believe everything to be a calculated risk once you expose it to the net. Yeah, I run Linux and love it, but not because I have ever believed it was bulletproof (though I’ve had no security problems yet).
Further, anyone with the drive and time could probably figure these out. I don’t have either. Those who do are, I am hoping, either getting paid for it as security professionals, or alternately they’re kids with a lot of free time on their hands. That certain OSes are less vulnerable relative to others is certainly a fair (maybe the most important) way of assessing them. To me, hacking a box is like climbing Mount Everest – if that’s your thing, fine, but it’s been done so many times already, I don’t see much glory in it. This makes security no less important, of course, but aside for the profit-driven, I’m not sure where the romance is in it anymore.
I am curious what these specific exploits are, and have been in the past, so we can have a lockdown checklist that goes beyond the theoretical (use keys for ssh if possible rather than passwords, etc.) weaknesses. I am also curious what, historically, the most vulnerable apps have been (bind comes up a lot in this discussion but I don’t know how it fares relative to others).
Speaking of which, is anyone here on a cable or other “semi-static IP” connection who has limited SSH logins to one IP or another, and been locked out of their system due to an IP reassignment? This is what makes me a little paranoid as I have a few boxes out in remote datacenters, who will charge me for a reboot or any kind of intervention on that server.
I don’t really know what would be the best way to do this as I don’t limit SSH logins to a certain IP on my machines. But if you know the range of IP addresses your machine could obtain from DHCP then you could just allow that IP address range to make an SSH connection? Or set the server to periodically look for “myexamplemachine.ath.cx” on dyndns.com servers and, if the IP address there doesn’t correspond with the one enabled, use the new IP address and restart the SSH service? That way the theoretical attacker would still have to guess what name the server is looking for, would have to obtain your username and password for dyndns, and only then could he have a shot at trying to break into your server. Those are just two proposals off the top of my head. Anyway, if you don’t have password logins disabled then I’d suggest installing denyhosts (or similar) so that it blocks the IP address of the person trying to log in after 3 (I use this number, yours may vary) failed login attempts. I just calculated yesterday that if someone wanted to bruteforce my password he would need around 3400 billion different IP addresses.. (and given my upload bandwidth it would take about 7000 years)
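A small detection routine in the spirit of the denyhosts suggestion above, written here as an added example (it is neither the commenter's code nor denyhosts itself): it counts sshd "Failed password" events per source address over constructed auth.log lines, flags addresses that reach the threshold while honouring an allowlist so you do not lock out your own management address, renders the matching hosts.deny entries, and generalises the commenter's "how many IPs would a brute-forcer need" arithmetic. The log lines, addresses and threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd auth.log lines (not real log data).
SAMPLE_AUTH_LOG = """\
Oct  9 12:01:02 host sshd[2110]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  9 12:01:05 host sshd[2110]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct  9 12:01:09 host sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct  9 12:02:00 host sshd[2120]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Oct  9 12:03:14 host sshd[2131]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Oct  9 12:03:20 host sshd[2131]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_ip(log_text):
    """Count 'Failed password' events per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def ips_to_block(log_text, threshold=3, allowlist=()):
    """Addresses with at least `threshold` failures, never including allowlisted ones
    (put your own management address in the allowlist to avoid locking yourself out)."""
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)


def hosts_deny_lines(ips):
    """Render TCP-wrapper entries for /etc/hosts.deny (sshd must be built with libwrap)."""
    return ["sshd: %s" % ip for ip in ips]


def addresses_needed(keyspace, attempts_per_ip):
    """Distinct source addresses an attacker needs to try every password in `keyspace`
    when each address is blocked after `attempts_per_ip` failures (rounded up)."""
    return -(-keyspace // attempts_per_ip)


if __name__ == "__main__":
    blocked = ips_to_block(SAMPLE_AUTH_LOG, threshold=3, allowlist={"198.51.100.4"})
    print("\n".join(hosts_deny_lines(blocked)))
    print("IPs needed for an 8-char alphanumeric keyspace:", addresses_needed(62 ** 8, 3))
```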
This article on ArsTechnica reports that a server “forgotten” by eBay was successfully attacked by a known malicious user:
http://arstechnica.com/news.ars/post/20071009-hacker-exploits-forgo…
The first question that comes to mind is “How do you forget about a server?”, especially an administrative server? I know things happen, but where is their Configuration and Asset Management at?
Maybe eBay’s security woes are not so much them being hacked as much as them doing apparently stupid things and being taken advantage of.