Posted on 12/14/2003 8:24:41 AM PST by Bush2000
December 12, 2003
Linux in the Security Crosshairs
By Jim Wagner
Compared to Windows, Linux has enjoyed a reputation as a stable and secure operating systems (define), thanks in large part to an enthusiastic open source community that plugs holes before they create problems.
But Linux's growing popularity is attracting unwanted attention from virus writers, script kiddies (define) and other criminal elements. In response, Linux advocates are putting a new emphasis on security measures and working to reassure companies that the OS is ready for important business networks.
"There has been a lot of change in the attractiveness of Linux as a target," said Chad Dougherty, an Internet security analyst at the CERT Coordination Center, which tracks OS vulnerabilities. "If you look over time, there has been a consistent level of vulnerabilities."
In recent weeks, two high-profile breaches at popular Linux concerns bear this out. First, the Debian Project had to take their servers down to clean out a remote vulnerability breach. Then, machines at Gentoo were compromised.
In both cases, the perpetrator was able to "sniff" out a password on a developer's unprotected machine, log in and place a remote exploit tool in the kernel, giving them super-user access to the machines. Administrators corrected the problems before damage was done.
Other industry sources also note a rise in Linux attacks. At Zone-H.org, an Internet security site that tracks Web site defacements, the Linux OS platform accounted for 77 percent of the attacks reported, compared to 10.7 percent on Windows servers, Thursday afternoon.
With many large companies thinking of switching from pricey, proprietary software to a lower-cost alternative to Linux, advocates want to short-circuit any perception that the OS is less secure than previously thought.
For example, the Open Source Development Lab (OSDL) recently launched its Linux kernel awareness initiative, a program that explains how the open source technology is developed. The OSDL is the shepherd of the main Linux kernel developed by Linus Torvalds in 1991, who works there as the lead developer.
A critical part of the OSDL's push is the work in the security subsystem of Linux development. The Beaverton, Ore.-based organization, which is readying a new version of its kernel, has been making strides in improving the inherent security of it code.
Several security enhancements will go into this latest version of the Linux kernel: modularization, hardware random number generators and blocking a driver's ability to modify system call-tables. All three give system administrators more configurability options for their servers.
What most CTOs need to understand, said Stacey Quandt, principal analyst at the OSDL, is that most attacks happen when end-users don't protect their passwords, not from an inherent flaw in the kernel that lets attackers get in.
"At the level of the systems administrators, they need to be more careful with their passwords," Quandt said. "Security's easier to do in Linux than what you have in a Microsoft operating system, with some of the remote vulnerabilities that are possible in a Windows system, or at least the remote attacks that are successful."
Linux already has tools that allow admins take more control over the access users have on machines, called Linux Security Modules. The modules are billed as "a lightweight, general purpose framework for access control," and the authors stress the tool are only as good as the technicians administrating them.
Jay Beale, lead developer on the Bastille Linux project and a consultant at JJB Security Consulting & Training, said software will always have flaws, flaws that might one day turn into vulnerabilities.
"There's no real way to avoid the flaws -- it's inherent in human endeavor," he said.
There are steps admins can take, however, Beale said, like reducing the complexity of a system, user training and picking better passwords.
And like Windows, Linux is now suffering because system administrators are not installing security patches to known vulnerabilities or keeping better track of user access, Beale said.
You do realize that attacks against Microsoft OSes happen like this every day and no one bothers to call it a vulnerability?
Also, the article is misleading. Servers at Gentoo were not compromised, and the servers involved were not even neccessarily running Linux. An Rsync daemon was compromised on a third party mirror.
That's from the crackers going after the most popular server platform, right? /sarcasm
What most CTOs need to understand, said Stacey Quandt, principal analyst at the OSDL, is that most attacks happen when end-users don't protect their passwords, not from an inherent flaw in the kernel that lets attackers get in.
Bingo.
"At the level of the systems administrators, they need to be more careful with their passwords," Quandt said. "Security's easier to do in Linux than what you have in a Microsoft operating system, with some of the remote vulnerabilities that are possible in a Windows system, or at least the remote attacks that are successful."
And like Windows, Linux is now suffering because system administrators are not installing security patches to known vulnerabilities or keeping better track of user access...
Linux security problems are more of a human issue rather than fundamental flaws in the software. This won't surprise most Linux geeks.
Wanna be Penguified? Just holla!
Got root?
Nope. Not at all.
As a person who used to work in the computer field, who knows many who still do, Linux or Unix, is an interesting thing to mess with but, if you have to get things done, you have to go with the standard.
Professionals, not geeks who have nights, weekends and holiday with nothing else to do, have to get things done. It is most efficient to use something that works most of the time, with the least amount of downtime. It is pathetic that that for most office and network stuff, that means MS products. This is a bit like using an automobile that functions only 95% of the time. The downtimes for linux/unix are much worse however...unless of course you have some pinheads to mess with the os and applications, most of which were written by amateurs. For graphics, the platform of choice is Apple.
For those who have no life, outside of playing around with some obscure, half-a__ed os and applications, by all means, let them choose linux or some other flavor of unix.
CLUE
Easier? Ease-of-use is a Linux selling point now? Actual strength of security is endlessly debatable, but I don't think you can argue much that Windows ACLs are more powerful, more finely-grained, and easier to use and understand than the traditional Unix permissions model. I think that when ACLs are standard-issue in Linux, ease of use will be markedly improved, but we're not there yet AFAIK.
I thought Windows was the minority server platform. As for the human element in security, all of the recent worm attacks occurred after fixes were available. They would have been prevented by the most minimal firewall.
Amen to that!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.