You'll be lucky... But full marks for at least trying.
Hackers have brewed up a new variant of the IoT/Linux botnet "Tsunami" that exploits a year-old but as yet unresolved vulnerability. The Amnesia botnet targets an unpatched remote code execution vulnerability publicly disclosed more than a year ago in DVR (digital video recorder) devices made by TVT Digital and branded by over …
Linux *can* be made very secure, and most mainline desktop distros do a decent job of that.
Now, when you talk about stripped-down versions made to fit in dirt-cheap hardware, that leave out various things to save money (space) and add various debug hooks to save programmer time... we have a different situation.
If you think of Linux as just the kernel... well, the kernel, assuming (wrongly) that they're using a newer one, is fairly decent. If you're talking about the entire environment (which some would call GNU/Linux), it's a matter of implementation and setup. These manufacturers are trying to make it easy for themselves, and sometimes the user, by skipping all that bothersome real security.
For whatever reason, the various debug hooks are often left in the product, whether it be that they are just forgotten, laziness, or the idea that the manufacturer could support the product better (yes, I'm laughing too), and most of the things we see as issues are due to those. Maybe the developer found them hard to configure in the first place and left them in for later... again, to save time/money in the short term (which is all most of them consider - because that's all they are paid for).
Any operating system that allows developers to write applications can be brought to its knees this way, if the app or configuration can say "let someone in to do things". Good security is hard, and the average developer hasn't a clue how to balance that with ease of use - or even have it at all.
Windows (or other OSes) is unlikely to be used, as being closed source and full fat, it's hard to make anything small work with them at all, not to mention the other costs. So if you can find a Windows IoT thing, it's probably safe!
It's simple really: if you take any OS and put in hard-coded passwords, or have badly configured web servers running with administrator rights, you have a cluster-fsk coming.
As for Winnows vs. Linux on the desktop it is, as usual, a complex question. If one is configured and used by a competent person and the other by a total muppet, you can guess what the outcome is without knowing which OS is which.
If compared on equal terms the two kernels have roughly the same number of serious flaws at any point in time, but Windows "enjoys" a much richer ecosystem of malware to exploit it and sadly many of the past MS decisions to make it easier to use (e.g. hiding file extensions, making execution rights part of the file name, etc) only serve to make matters worse for the average user.
It looks like an advert for Unit 42. If you go to their "report", there's no actionable info there. They claim 70 vendors' DVRs have this vulnerability, but they don't name them nor the models affected. So basically, it's just saying "There's a bogey man someplace, but we don't know or won't tell you where."
"If you go to their report, there's no actionable info there"...
You mean other than:
a list of IoCs,
a link to the blog that lists all the affected vendors,
links to the related Shodan and Censys searches,
a detailed breakdown of the C2 communications...
Biting the hand that feeds IT © 1998–2019