I’ve spent so many years hearing Linux fans claim it is totally secure that I just had to post this one. Duqu, the most sophisticated and mysterious Trojan since Stuxnet (and perhaps related to it), compromised Linux servers to create its command and control infrastructure. “Many of the servers that had been hacked to become part of Duqu’s infrastructure were running Linux, namely CentOS 5.2, 5.4 or 5.5, a community version very similar to Red Hat Enterprise Linux.” Now obviously Windows was compromised by Duqu as well, so I’m not trying to claim Windows is more secure than Linux. I’m just reiterating a message that ALL operating systems are vulnerable and to claim otherwise is irresponsible (and one of the all-time great security myths). Other recent examples include the targeting of Mac OS by fake anti-malware attacks, the massive growth in malware targeting Android, and even a researcher demonstrating that you can download malware into printers! The difference is that after years of attacks everyone in the Windows ecosystem recognizes the threat and most are actively working to confront it, while the Linux, Apple, Android, etc. ecosystems still largely have their heads buried in the sand.
In the Duqu story, the exploit is based on a vulnerability in OpenSSH prior to version 5.1 (which was released in July 2008). If sysadmins use out-of-the-box outdated software (version 4.3 was released in February 2006) and neglect security updates, shame on them.
Funny to see your conclusion though, as if security were an option that Linux, and to an extent open source projects, had ignored so far. Amazing.
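The check a practitioner would actually want after reading the comment above is a quick way to find SSH servers that still advertise an OpenSSH release older than the one the comment names. The script below is an added example, not code from the blog or from the commenter: it parses standard `SSH-2.0-OpenSSH_X.Y` banners, compares the major.minor version against a minimum (5.1, taken from the comment; change it to suit), and reports each host. The sample banners are constructed for the example and do not come from any real host.

```shell
#!/bin/sh
# Added example: flag SSH servers whose banner advertises an OpenSSH release
# older than a chosen minimum. Assumptions (not from the original post):
#  - banners follow the usual "SSH-2.0-OpenSSH_X.Y[pN] ..." form
#  - MIN_OPENSSH is the cutoff the reader cares about (5.1 here, from the comment)

MIN_OPENSSH="5.1"

# openssh_version BANNER -> prints "major.minor", or nothing if not OpenSSH
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_lt A B -> succeeds (exit 0) when A < B, comparing major then minor numerically
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
    return 1
}

# check_banner BANNER -> prints a verdict; exit 0 = OK, 1 = OUTDATED, 2 = UNKNOWN
check_banner() {
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN  $1 (not an OpenSSH banner)"
        return 2
    fi
    if version_lt "$v" "$MIN_OPENSSH"; then
        echo "OUTDATED $1 (OpenSSH $v < $MIN_OPENSSH)"
        return 1
    fi
    echo "OK       $1 (OpenSSH $v)"
    return 0
}

# Constructed sample banners (not captured from any real host).
# To read a real server's banner instead: printf '' | nc -w 3 HOST 22 | head -n 1
SAMPLE_BANNERS="SSH-2.0-OpenSSH_4.3
SSH-2.0-OpenSSH_5.3
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
SSH-2.0-dropbear_2019.78"

printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r banner; do
    check_banner "$banner" || true
done
```

One caveat before acting on the output: Red Hat and CentOS backport security fixes without bumping the upstream version, so a CentOS 5 host reporting OpenSSH 4.3 may already carry the relevant patches. Treat the banner as a lead, then confirm on the box with the package version and changelog (`rpm -q --changelog openssh-server`) rather than the banner alone.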
The same is almost always true of Windows as well. Nearly all of the attacks are on Windows XP, which was released in 2001! And very frequently you see attacks succeed because people haven’t patched their software (e.g., particularly a problem with Java and other non-Microsoft software these days) even though patches for the issue have been available for years.
Actually I’m not saying that Linux has ignored security, I think it is quite the opposite. I’m saying that the ecosystem built around it, including customers, sometimes thinks it is invulnerable and thus doesn’t take proper precautions. Windows customers have to go out of their way to not have patches automatically applied. Linux customers may think they don’t have to patch, or that patching is still way too fragile (which is what others report) to be practical. The use of anti-malware software on Windows is relatively high. How many Linux machines run anti-malware software? And how good is it (e.g., my experiences with ClamAV not being so positive)? There are just too many people in the Linux (and Mac and Android) community who see an attack on Windows and say “See, you shouldn’t be using Windows; that could never happen to my Linux system” for me to believe they understand how vulnerable they are.
Linux has really had only three things going for it over the years. First, it inherited from an inherently multi-user system (Unix), and thus users generally did not need to use root or other administrator-privileged accounts for normal usage. While this was technically true for Windows NT and later, from a practical (compatibility with the pre-NT single-user kernel) standpoint all users on client machines ran as administrators until Windows Vista. And even on servers people were sloppy about requiring or granting accounts minimal privileges until relatively recently. Second, because Linux was so customizable it was possible to eliminate components you didn’t actually need, and this allowed for a reduced attack surface. This is something Windows Server has been focused on as well, particularly from Windows Server 2008 forward. At this point I don’t believe there are any inherent security advantages of Linux over Windows. So now it comes down to how easy it is to manage configuration and update processes, availability and use of mitigation techniques (e.g., anti-malware), and perhaps most importantly how paranoid the system administrators and other users are.
Forgot the third thing: it just hasn’t been the subject of as much interest from the bad guys as Windows. That’s mostly a client thing obviously, since even poorly managed server environments are generally better managed than any client environment. And Linux just doesn’t have a big enough client footprint for the bad guys to care.
Reblogged this on João Rui Alveirinho Correia and commented:
I’m not the only one thinking…