Just a month after kernel.org - the nerve centre of Linux kernel development - fell victim to a malware attack, the Penguinista community is reeling from another bout of security breaches. "Linux Foundation infrastructure including LinuxFoundation.org, Linux.com and their subdomains are down for maintenance due to a security …
That's what happens when you use Micro$oft
That's what happens when you use the internet
You have people who want to find some kind of weakness in anything and exploit it for their own gains.
I think AC101's point was that whenever there is a security problem with a Windows based system, a certain subset of the FOSS brigade whoop and holler about MS being rubbish at security, despite the problem usually being with the configuration of the compromised system. They also tend to suggest that while MS is the worst thing ever, Linux is the best thing ever.
Clearly this problem is with configuration/implementation of the security on the Linux systems involved, probably with a little user complacency thrown in for good measure and not a fundamental problem with the quality of Linux. I hope that everyone remembers that when commenting...
@AC, re: @Captain Scarlet
"Clearly this problem is with configuration/implementation of the security on the Linux systems involved, probably with a little user complacency thrown in for good measure and not a fundamental problem with the quality of Linux."
I'm not sure that it is clear. It is clear that a privilege escalation has occurred, but I wasn't aware that anyone was saying how it had been accomplished. If it is a kernel problem, then like wow, that's a big deal. An unknown kernel bug allowing such escalation is a big worry for any OS, not just Linux. But even if it is just a config problem, what's going on there? Why are they still offline?
a wikipedia excerpt
"Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008....by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million."
"Why are they still offline?"
If you're unsure, you likely rebuild all machines.
What's your point?
This was patched years ago.
So your story is, 15 million unpatched machines were infected two years ago?
Or in 2009 there were probably as many infected Windows desktops as there are Linux PCs?
Idiots desperate to try and prove a point get 2-year-old information from Wikipedia without doing any sort of research?
the thing there is
"I think AC101's point was that whenever there is a security problem with a Windows based system, a certain subset of the FOSS brigade whoop and holler about MS being rubbish at security, despite the problem usually being with the configuration of the compromised system."
you can run s/FOSS brigade/idiot brigade/ and it works just as well.
extending the famous maxim, 90% of commentators on anything are idiots.
RE: That's what happens when you use Micro$oft
The idea that Linux is fundamentally more secure has always bothered me.
It's often seemed a case of security by obscurity to me. Since, comparatively, Windows has a far greater scope and motive for attack, making the assumption it is less secure based on the number of security vulnerabilities is simply comparing apples and oranges.
For example, if you didn't know about all the security holes in Windows, you would claim it is secure.
So, actually, Windows could well be the more secure platform because it's been heavily targeted by hackers for longer, and therefore more security holes found and plugged.
As Linux breaks into the world of non-technical home users I would expect it to be as much of a problem as Windows. Perhaps even more so due to the inherently more complex configuration and assumption of technically astute user base by the Linux community which doesn't exist in a home user environment.
@ Lost all faith..., those windie fanboys
When proofs are scarce, insults are the only means left, right ?
If you're not... that unwise and remember two years ago, Conficker (since it was a worm, not a virus) hit mostly Win servers. And there were never more Win servers than Linux servers; now the ratio is smaller than 1/2 (maybe even 1/4). Unpatched they were, hence millions of victims; in the topic case one silly admin was abusing his/her SSH keys (and maybe passwords) and a few servers were compromised as a result.
PS. We are not talking about the LOVELETTER that hit 50 million desktops, nor Stuxnet, with no way to patch against four 0-day vulnerabilities, which infected thousands of Windows servers and desktops. What about the recent incident with (a) Windows server compromised in the notorious DigiNotar case? Contrary to the discussed issue, there might have been hundreds of thousands of users to suffer from it.
There were never more Windows servers than Linux servers?
Really? You may want to think that one over...
...that Linux has been being used very widely for a long time in just about every context _except_ the home desktop, many of which are extremely prone to attack.
Broadly, though, you're correct; it's often the case that issues of configuration and bugs in the wetware are much more significant to your likelihood of being attacked than what OS you're using. Just about every case like this, where a targeted hack on a high-profile organization takes place, it's done by compromising some weak point in the authentication chain, which almost always comes down to poor configuration or social engineering, rather than any particular flaw in the OS code itself.
A case can still be made, though, that Windows is written more to the 'convenience' side of the 'convenience / security' trade-off than the 'security' side, and Linux is slightly more to the 'security' side, and this is more relevant to broad, untargeted attacks than sophisticated, targeted ones. There's no doubt Microsoft has got a lot better at this than they used to be in the days of ActiveX, though.
Ultimately, though, the only secure system is locked in a basement without a network connection and never booted up. Anything less than that and you're always making a compromise between security and usefulness somewhere.
Look at the chart, where does it contradict this statement (esp. top servers data)?
1) There may well be more Linux/Apache based web servers than there are MS/IIS based web servers, I don't doubt that this is the case, what you said however is that there are more Linux servers than Windows servers, which is obviously not the case.
2) Apache doesn't just run on Linux, it also runs on Windows, BSD, Solaris, Mac OS X, Netware and various others.
A few times a similar problem with compromised SSH key occurred to some of the Apache servers running FreeBSD, last one was in 2009, if I remember correctly.
Penguin fans never did like compromises!
Too many years in the desert, Big Guy.... too many years...
Linux users call Windows insecure per definition because well; it's Windows (granted; this comes from a time when this was simply true). BSD users call Linux insecure per definition because well; it's Linux /and/ (in all fairness:) BSD has a longer record of being secure (esp. OpenBSD). And Apple users call both stupid because well; it's not Apple ;-) (ok, ok; no offense; I'm jesting a bit here).
I think this is finally solid proof that its not so much the OS these days but mostly the people using it. Linux can be made just as secure or insecure as you want; the same applies to (modern) Windows environments and BSD.
In the case of linux.com & linuxfoundation.com I've picked up rumors about compromised SSH keys. Which at first I couldn't believe; a good way to secure stuff is using key-based access; this makes sure that only people who have a key can log on using SSH but /also/ ensures that no passwords go over the line.
...then I read the section about people storing their private SSH key on those servers and using those to make other connections.
I doubt it but I hope this will be an eyeopener for the *nix people.
The reason we consider Windows insecure by definition
Is because you run as root by default and Microsoft often doesn't notify of security bugs and breaches until they have a fix.
Configured properly Windows isn't that bad, and if M$ notified of issues immediately people could find a workaround until the fix is ready, but they're too worried about saving face.
Microsoft has been repeatedly busted doing this and earned their rep fairly.
Also Windows users are to blame, as they complained so much when M$ required a supervisor password in Vista that they went back to the old XP run-as-root default in 7.
@ShellUser: accurate vision
"A straw in the eyes of others vs. the beam in their own"
O.K., an eye opener with a few sites' intrusion (without much detail so far) vs. an eye blinker at the event of Conficker, Stuxnet and LOVELETTER? Although Windows' share on the web is less than 30% (18% IIS) and Linux's is more than 60%, we are not talking about millions ... so far. Or are we?
PS The system that BY DEFAULT uses AutoRun/AutoPlay and a file extension to treat it is insecure by definition. It is not Mac, BSD, GNU/Linux or Android. It is good-ol' Windows, ladies and gentlemen!
That is exactly what I addressed in my post. You're now describing what you experienced on a Windows /client/. But their servers (2k3 & 2k8) are a totally different story.
Firstly, my word! what a provocative tag you have.
Now, regarding "an eye-opener for *nix people"
The problem here is that even quite technical users can be short-sighted when it comes to security. I know any number of very technically able people who regard security as a barrier to work, and quite often do very dangerous things to "work around the imposition of anti-productive security measures".
All the time this mindset persists with people who should know better, we will have the potential for this type of problem.
As a widely used example, ssh is a wonderful tool in the right hands, but allow people who can't be bothered to read the manual, and who use passphrase-less keys and/or distribute a single private key across their entire estate of systems, and you have a disaster waiting to happen. And if some of these people have escalated privileges, or use the same key for their own ID as they do for root, then it is just a case of lighting the blue touchpaper and waiting for the inevitable explosion.
Also, ssh can be used to circumvent many other security systems in ways that range from the constructive to the malicious. This makes it a multi-edged sword that can make magic happen, or can rip carefully thought out security measures to shreds at precisely the same time. How do I know? Because I have used it extensively to do just that (I think constructively, but sysadmins of other systems where I am a mere ordinary user may think differently).
Ssh can be abused on many OSs, including pretty much all UNIX and UNIX-like systems (and this includes BSD for those of you who have been suggesting that as a more secure OS), and there is at least one port of SSH server for Windows systems as well.
In reality, where you have a mechanism for one system to trust another using whatever means, there is scope for an intrusion on the trusted system to spread to the trusting system. And in the modern environment, where you need to manage hundreds or even thousands of systems from a central location, these trusts are essential. I believe that this is an axiom, and applicable to all OSs.
User training, partitioning of management domains, and insisting on adherence to properly thought out security policies, especially amongst the sysadmins and power users, is the only way to limit the damage of such a compromise.
Even if it is a barrier to productivity.
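The two habits singled out above (passphrase-less keys, and one private key distributed across an estate or shared between a personal ID and root) and the earlier remark about private keys being stored on the servers themselves can both be checked mechanically. The script below is an added example written for this page, not code from the original thread or from the Linux Foundation. It relies on two documented facts: a legacy PEM private key that needs a passphrase carries a `Proc-Type: 4,ENCRYPTED` header, and a new-format OpenSSH private key begins (after base64 decoding) with the magic `openssh-key-v1\0` followed by the cipher name as a length-prefixed string, where `none` means the key is stored in the clear. The hostnames, usernames and key blobs are constructed stand-ins, not real keys, and the `from=` option is OpenSSH's own source-address restriction for authorized_keys entries.

```python
"""SSH key hygiene audit: passphrase-less private keys and keys shared across
hosts or between root and an ordinary account.  Added example; not code from
the original thread.  All key material and hostnames are constructed."""
import base64
import shlex
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
MAGIC = b"openssh-key-v1\x00"  # header of the new OpenSSH private key format


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b


def _pem_body(text: str) -> str:
    """Base64 payload between the BEGIN/END lines, minus 'Name: value' headers."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return "".join(ln for ln in lines[1:-1] if ln and ":" not in ln)


def private_key_is_encrypted(text: str) -> bool:
    """True if the private key file needs a passphrase to use.
    Legacy PEM keys announce encryption with a 'Proc-Type: 4,ENCRYPTED' header.
    New-format keys store the cipher name right after the magic; 'none' means
    the key sits on disk in the clear."""
    if "OPENSSH PRIVATE KEY" not in text.strip().splitlines()[0]:
        return "Proc-Type: 4,ENCRYPTED" in text
    blob = base64.b64decode(_pem_body(text))
    if not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSH private key")
    off = len(MAGIC)
    n = int.from_bytes(blob[off:off + 4], "big")
    return blob[off + 4:off + 4 + n] != b"none"


def parse_authorized_keys(text: str):
    """Yield (options, key_blob) per key line; options may precede the key type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                yield " ".join(tokens[:i]), tokens[i + 1]
                break


def audit_authorized_keys(estate: dict) -> dict:
    """estate = {host: {user: authorized_keys text}}.  Reports keys accepted in
    more than one place, root keys with no 'from=' source restriction, and keys
    that open both root and an ordinary account."""
    where = defaultdict(list)  # key blob -> [(host, user, options)]
    for host, users in estate.items():
        for user, text in users.items():
            for opts, blob in parse_authorized_keys(text):
                where[blob].append((host, user, opts))
    findings = {"shared": {}, "unrestricted_root": [], "root_and_user": []}
    for blob, places in where.items():
        if len(places) > 1:
            findings["shared"][blob] = sorted((h, u) for h, u, _ in places)
        roots = [(h, o) for h, u, o in places if u == "root"]
        findings["unrestricted_root"] += [(h, blob) for h, o in roots if "from=" not in o]
        if roots and any(u != "root" for _, u, _ in places):
            findings["root_and_user"].append(blob)
    return findings


# --- constructed sample data (not real keys, not real hosts) ---------------
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAAAAAAAAAAAAAAAAAAAAAAAAAAAA1"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBBBBBBBBBBBBBBBBBBBBBBBBBBBB2"
ESTATE = {
    "web1": {"root": f"ssh-ed25519 {KEY_A} admin@laptop\n",
             "deploy": f"ssh-ed25519 {KEY_A} admin@laptop\n"},
    "web2": {"root": f"ssh-ed25519 {KEY_A} admin@laptop\n"},
    "bastion": {"root": f'from="10.0.0.5",no-pty ssh-ed25519 {KEY_B} ops@hsm\n'},
}


def make_openssh_key(cipher: bytes) -> str:
    """Constructed new-format key file with the given cipher and dummy key bytes."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + (1).to_bytes(4, "big") + _ssh_string(b"\x00" * 32))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "MIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, key in [("plain", make_openssh_key(b"none")), ("pem", PEM_ENCRYPTED)]:
        print(name, "encrypted" if private_key_is_encrypted(key) else "NO PASSPHRASE")
    for kind, items in audit_authorized_keys(ESTATE).items():
        print(kind, items)
```

Run against real files, `private_key_is_encrypted` takes the contents of each `~/.ssh/id_*` found on a server (a private key sitting on a server at all is the pattern the thread describes), and `audit_authorized_keys` takes the `authorized_keys` files collected from every host and account you manage. A key that appears in `shared` on many hosts is the single-key-across-the-estate case; one in `root_and_user` is the same key used for a personal ID and root; an `unrestricted_root` entry is a root key usable from anywhere, which a `from=` restriction would at least fence to a bastion.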
A bit offtopic...
You make some very good points indeed! "The chain is as its weakest link".
As to that tag.. Yeah, you're right. Though I've been roaming El Reg for a while now I do admit that sometimes its best not to tag a post than to go for what seems obvious. Now to remember those wise ideas :-)
Thanks for your response!
Thank you for a great post! I couldn't agree more... when I did lock down a Win2k3/XP network (and got the results to prove it worked) I was constantly battling not simply the classic PHB/secretarial types but people who should have known better-- someone actually had the gall to email me that, as a network admin, he should be exempt from proxy restrictions (mostly social networking/streaming media blocks) and other measures because he and his cronies were the "heart and soul" of the organization... yeah right.
Of course, if you're going to lock down a network, you'd better be ready to run, not walk, to make sure your people do have what they need to do their jobs. And if you use bad passwords or don't restrict access to sensitive information, no OS in the world can save you or protect you.
As far as the Win/*nix debate is concerned-- yes, Windows can be locked down to a reasonably secure level, but it takes a LOT of work and you'll have to be ready to tweak some apps (usually just adjusting permissions on Program Files folders) or they won't work. *nix, on the other hand, is generally much easier to lock down, and very few applications will break, which suggests it's more secure out of the box, and much more amenable to lock down.
Still not convinced? Take two VMs, put Vista or Win7 (with UAC fully enabled) on one and Ubuntu (deliberately choosing one of the least secure *nix variants) and do similar stuff-- how often does the UAC come up vis-a-vis the sudo dialogue on Ubuntu? Yep. Windows is indeed poorly designed and requires far too much user access to sensitive areas of the system.
is it that not different?
Do you include those hit by stuxnet by any chance? Another question to ask, if the Win servers' security is comparable to that of *nix, maybe Microsoft should stop advising their servers' users to run AV, except for clients
You don't close sites for maintenance after they've been compromised. Once the cat is out of the bag you close them for repairs.
All your sites are belong to us
I wonder if just maybe someone is getting seriously worried, and is now attempting to discredit Linux on security grounds. If so, they failed. As usual, it seems to be the wetware that was at fault.
In other news...
...big industry and government adoption rates of Linux is now on a steep rise. Now Linux is demonstrating equivalent security to the commercial OSes, PHBs are flocking towards it!
Seems to me someone was lax during configuration, but two open projects getting issues like this so close together seems a little iffy.
Demon because I am a FreeBSD and OSX user.
reading between the lines...
...it reads like credentials compromised in the kernel.org hack were used for this attack.
which makes sense. I mean, you'd expect a reasonable overlap in sensitive accounts between the two. of course, it means someone screwed up their best practice somewhere, as there has to be a re-used or just plain weak password or passphrase somewhere in that chain.
Perhaps you Linux guys should buy a copy of James Turnbull's book "Hardening Linux" and READ it COVER TO COVER!
Please, point us to the "Hardening Windows" book, since it is kind'a interesting in view of the infamous DigiNotar hack being reverberated the last few days. That one might have done quite a lot of damage to a lot of users.
I've been ranting and raving to get our users at our smallish non-profit to ditch windows, avoid the cloud and adopt Linux. I hope and pray that the details of the intrusion are openly made public, so that the rest of us can learn from the mistake, in true Open Source fashion. That would make my day. I tend to believe, that in this instance, that the Problem Exists Between the Chair And the Keyboard. Ric
Hopefully they'll be as open and honest as Apache was when they had their problems; those articles were a very interesting read.
Most likely went down like this:
SA for kernel.org downloaded/created malware on their personal machine.
Malware captured their username/password for kernel.org.
Virus creator used stolen username/password to put malware on kernel.org.
Virus creator guessed correctly that some of the captured usernames/passwords from kernel.org would work for linux.com.
Virus creator used the stolen usernames/passwords to "break in" to linux.com.
It seems more like a social engineering exploit more than a "flaw in the security of Linux".
I hate Android/iPhone/Nokia/Symbian they useless...oh wait, hang on, I've got my rants crossed!
I hate Linux/Windows/BSD/OSX, they're all useless; what you need is a proper system based on Linux/Windows/BSD/OSX, installed correctly, and this wouldn't have happened!
@Shaun: Win7 not back to XP
When I played around with Ubuntu, for various configuration or update tasks the computer would tell me to type the administrative password - so I did. I had no way of knowing (and not the slightest interest in knowing) what I was permitting.
In Vista, for various configuration or update tasks the computer would tell me to type the administrative password - so I did. The only difference in Win7 is that I get the option of clicking a dialog box instead of typing a password.
The principle is exactly the same in Linux as in Windows post-XP: programs can't make system-level changes without the user accepting them. There may be implementation errors in either OS, but the security design is now exactly the same.
And the design has the same flaw in both OSs: ordinary users cannot know (and do not care) what they are approving. If Linux on the desktop ever gets 100 million users, this will matter.
Maybe there are other design features that make Linux more secure than Windows, but running as root by default is no longer one of them.
Because obviously users can't read the dialogue with a clear description of what is required to run as root.
What's worse, the Windows API for their privilege escalation prompt allows the name and description to be changed to anything.
What's in name?
'"/etc/fairies/pixydust" wants to essentially modify your systems;'
And this is after some dumb-schmuck has read "pixydust relates the untapped unity of your system with Gaia. Gaia is Earth, earths are metals, link the metals in your CPU to Gaia and release the universal potential of your CPU" and then follows the "chmod +x" steps.
Your security warnings have less import than the scammers', so unless your system is locked down and can follow a group-policy set-up like Active Directory, it will fail. And this is why Linux servers are now sub-50% and falling. All Lintards assume the users give a crap and wish to be free. The truth is far worse. All users are idiots and must be protected from themselves (just ask kernel.org).
In the corporate world nothing (and I mean *NOTHING* is more secure than a properly configured AD and correctly-configured clients; any Linux is a threat in such an environment due to the ease of users gaining root). This is why Linux fails and will continue to fail; you are now at least a decade behind the curve in computer security. Get with the program and shape-up or ship-out Linux.
Oh, wait, Linux has already been pushed out - never mind! What was it now? 1% Awww...diddums. Your experiment go "Bye-bye". The adults will deal with your mess, children.
@AC re: Horse-shit
Of course, when it comes to social engineering, UAC and a popup sudo are no different, and are both as easy as each other to subvert.
But most users, and I suspect you as well, probably have never used a Linux system where your ID is not only not root, but is also not in the administrator group. It's just not necessary for most personal systems, and not being able to run sudo or having a root password makes it very, very difficult for an *ordinary user* to become root or touch system files.
But it's all about trust, as I said in a previous comment. If your trusted system is compromised, then this can propagate throughout a whole environment, even if Active Directory is involved. And Active Directory only protects a system while the group policy is available. Although I do not know, I strongly suspect that if you can get into a Windows system configured to use group policy using an OS weakness, like all systems, it will be possible to *TURN OFF* the requirement for the policy, making it just another Windows system with all of the inherent and widely publicised problems that Windows has.
I also read that the group policy often just turns off the UI to various things. I have found out myself that it is sometimes possible to run the CLI utilities on a locked-down Windows system when the group policy prohibits the Windows utility. This makes the security no better than "security by obscurity".
I suspect by your comment of "nothing (and I mean *NOTHING* is more secure than a properly configured AD and correctly-configured clients" (sic) that you have not looked into SELinux or AIX with RBAC, both with Kerberos turned on, which both implement service and object based tokenised remote authentication which is very similar to the Active Directory support of Windows. In fact, Active Directory is really an extended LDAP directory service with Kerberos authentication (if configured) to access the directory. LDAP and Kerberos were both originally implemented on UNIX.
AIX had a kerberised command authentication system in the SP2 PSSP cluster control package called sysctl over 14 years ago, and UNIX systems that implemented them also had similar features as part of DCE and AFS, well before Microsoft implemented Active Directory.
I often comment that the Owner-Group-World access model in UNIX-like OSs is one of their weaker features. But where this simple model scores is that it is easy to understand, and a well implemented simple security model can be much more secure than a poorly implemented complex model. You probably have never had the opportunity to try to break out of a well implemented Linux system where you are an ordinary user, but I assure you that it is possible to make a system perfectly usable while being very, very difficult to break into.
Most ways that UNIX-like systems are compromised involve the wet-ware that administers the system, and I think that is exactly what has happened at linux.org, and could just as easily happen to a Windows system, even with AD configured.
...I've been being told for years, particularly by unjustifiably smug a*sehats, that Linux is so much more secure and doesn't have any of those 'millions of security problems' that other OS's do...
more to be told
And how many times have you been told to run an antivirus on Linux and not to run it on Windows (including servers)?
There's a reason....
....and that reason is simply that Windows is popular and holds a massive demographic, which means that it's more worthwhile going after the users with viruses, trojans, et al.
What are you going to steal from your typical Linux fanboi (note I didn't say user, so don't act like I did)? I'm sure accessing their vast pools of wealth are really worth the time and effort.....ahahhahahahahh...
Stop whining on as if the Lin-Win ratios on the desktop have any relationship to the server-side. I believe the ratio is close to 50:50 ATM which would make them equally tempting to attack, more tempting historically when the ratio was much more skewed away from Windows servers, yet the attacks were still almost exclusively against Windows, the - then by far - minority server system. Low-hanging-fruit.