Somehow I don't think I'm going to see this story on slashdot any time soon :)

Michael Howard sent the following news article to one of our internal DLs this morning.  For some reason, I don't think it's going to hit the front page of Slashdot any time soon:

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

                                                :

"When we went in and did a further investigation, we found that there was an IRC bot installed on the system," Marshall said.

So Antioch's Solaris systems were (a) compromised through an old vulnerability for which a patch already existed and (b) being used as botnet clients.  Both are things the Slashdot crowd claims happen only on "Windoze" machines.

At what point do people pull their heads out of the sand and realize that computer security and patching discipline are industry-wide issues, not single-platform ones?  Even after last month's Pwn2Own contest was won by a researcher who exploited a Flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow "Windows only".  Ubuntu even published a blog post claiming that they "won" (IMHO they didn't: Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows).  The reality is that nobody "wins" these contests (except maybe the security researcher who gets a shiny new computer at the end).  It's just a matter of time before the machine gets 0wned.

Ignoring stories like this makes people believe that security issues are somehow isolated to a single platform, and that belief in turn leaves them vulnerable to hackers.  It's far better to acknowledge that the IT industry as a whole has a security problem and ask how to move forward.
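
The check a practitioner would want after reading the article is the one Antioch's investigators evidently did by hand: look at what the server is listening on (the unpatched FTP daemon) and what it is talking to (the bot's IRC command channel). The script below is an added example, not code from this post, the news article or the university. It parses `netstat -an` style output in both the Solaris (`addr.port`) and Linux (`addr:port`) layouts, reports the listening ports whose patch level needs checking, and flags established outbound connections to the ports IRC servers conventionally use. The sample output is constructed, the addresses are documentation ranges, and the IRC port list is a heuristic (a bot can be told to use any port), so a hit is a lead to investigate, not proof of compromise.

```python
"""Triage helper: flag outbound IRC-port connections in netstat output.

Constructed example for this post, not code from the article or the
university.  The sample below is made up; the IRC port list is a
heuristic (bots can be told to use any port), so a hit is a lead to
investigate, not proof of compromise.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Ports IRC servers conventionally listen on; 2008-era bots usually
# joined a channel on one of these to receive commands.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Matches "addr.port" (Solaris) and "addr:port" (Linux/BSD) endpoints,
# including the "*.21" / "0.0.0.0:*" wildcard forms.
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}|\*)[.:](\d+|\*)")


@dataclass(frozen=True)
class Conn:
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str


def _port(token: str) -> Optional[int]:
    return None if token == "*" else int(token)


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -an` style lines; both Solaris and Linux layouts put
    the local endpoint first, the remote endpoint second and the state last."""
    conns = []
    for line in text.splitlines():
        endpoints = ENDPOINT.findall(line)
        if len(endpoints) < 2:
            continue  # banner, column header or separator line
        (la, lp), (ra, rp) = endpoints[0], endpoints[1]
        conns.append(Conn(la, _port(lp), ra, _port(rp), line.split()[-1].upper()))
    return conns


def listening_ports(conns: List[Conn]) -> Set[int]:
    """Local ports in LISTEN state: the exposed surface whose patch level
    has to be verified (here FTP on 21, the service that bit Antioch)."""
    return {c.local_port for c in conns
            if c.state == "LISTEN" and c.local_port is not None}


def suspicious_irc(conns: List[Conn], irc_ports: Set[int] = IRC_PORTS) -> List[Conn]:
    """Established connections from this host to an IRC port: an ERP
    server has no legitimate reason to hold one."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.remote_port in irc_ports]


# Constructed Solaris-style sample; not captured from any real system.
SAMPLE = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.21                 *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.1521               *.*                0      0 49152      0 LISTEN
192.0.2.10.22        198.51.100.7.51234   49640      0 49640      0 ESTABLISHED
192.0.2.10.40111     203.0.113.42.6667    49640      0 49640      0 ESTABLISHED
192.0.2.10.40112     203.0.113.42.80      49640      0 49640      0 TIME_WAIT
"""


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    print("listening:", sorted(listening_ports(conns)))
    for c in suspicious_irc(conns):
        print(f"SUSPECT: {c.local_addr}:{c.local_port} -> {c.remote_addr}:{c.remote_port}")
```

Run against the sample it reports FTP, SSH and the database port listening and one established connection from an ephemeral local port to 203.0.113.42:6667, which is exactly the shape of a bot reporting in. The obvious next steps are the ones the article implies: find the process owning that socket, and compare the FTP daemon's version against the vendor's patch list.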

 

Edit: Ubunto->Ubuntu (oops :))

Comments

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    Totally agree, and about time somebody said it.

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    But it's not just /. -- it's also the non-/.-reading public, the mainstream media, and such. I often point out to people that the reason we hear about people taking advantage of Windows vulnerabilities is that the vast majority of people use Windows -- so it's the most sensible target.  If 90% of the world used Linux or Mac systems, most of the attacks would be aimed at Linux, or at Mac systems, and it's guaranteed that they'd find things to exploit there too. But when I point that out, everyone seems to glaze over around the word "vulnerabilities".

  • Anonymous
    April 08, 2008
    You might want to at least spell "Ubuntu" correctly so there's one fewer thing to pick on.

  • Anonymous
    April 08, 2008
    Correction: it's Ubuntu, not Ubunto...

  • Anonymous
    April 08, 2008
    Perhaps if you all stopped worrying about what people on Slashdot think and did some actual security work, maybe people wouldn't have the perceptions they do. My co-workers who run Windows hate Tuesdays, because it means they most likely have to reboot their system due to security flaws.  As long as that still happens, you still have a problem.  It doesn't matter if "everyone else is doing it too".  You guys have the billions of dollars to throw around, we expect more from you.

  • Anonymous
    April 08, 2008
    @vince: If there is anything you should know about programming, it is that there will never be a 100% unexploitable, completely secure piece of software. It just isn't possible. Frankly, I've been quite happy with the slightly fewer reboots required for patching Vista.

    Now, unfortunately, you know everyone is going to turn a blind eye to this... nobody cares about exploits on other systems other than Windows. It just isn't "cool". Even at my work I feel like I'm the only one supporting Microsoft anymore, even though 80% of our network is running Windows and authenticates against Active Directory.

  • Anonymous
    April 08, 2008
    Well said. Secure programming is a difficult task.  The Slashdot crowd seems predisposed to believe programmers are exempted from these difficulties when developing on a Unix/Linux kernel, which is absurd.  It's the mental task that's difficult, not the platform. If they wish to argue whether the general user's familiarity with Windows outweighs the security risks due to hackers' preference to target the dominant platform, or whether the fact that Linux/Unix is less frequently attacked by hackers outweighs the platforms' obscurity, fine, that's a valid discussion. Unfortunately the Slashdot crowd often falls back on ideological claims about the impenetrable security of Linux/Unix as if the open source development community is exempt from the challenges of secure programming and the choice is between total security and insecurity.  I don't buy their argument that proprietary development is the cause of security bugs.  The mental difficulties of programming are the cause, not whether the development is open or not.  And the relative popularity of the software/platform is the determining factor in the number of hacker attacks, and therefore, the number of security issues found.

  • Anonymous
    April 08, 2008
    Barry, I wish I disagreed with you.  And I've got to say that Apple's ad campaigns haven't helped.   At least their engineers seem to have figured it out - the most recent security fixes to QuickTime opt into a bunch of the security mitigations we have in Windows - DEP, ASLR and /GS.  It's a sign that they're starting to understand that they're also not immune to security issues.  Now if their marketing people would just figure it out :).

  • Anonymous
    April 08, 2008
    I agree that there aren't that many Unix viruses. More common in Unix are hackers that do targeted attacks against particular systems.

  • Anonymous
    April 08, 2008
    "a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach" So this particular breach wasn't even due to a former flaw in a proprietary system, it was due to administrators neglecting to install an existing patch. Open source developers might get patches out 100 times faster than proprietary vendors, but their users can get hacked just as fast when administrators are equally negligent in installing patches. By the way around 5 years ago I read about some company getting infected by Slammer because administrators in that company had neglected to install existing patches.  So it doesn't matter whether the source code is open to the world, closed to the world, or available only to that company's self, if the company's system administrators neglect to install their own patches.

  • Anonymous
    April 08, 2008
    It's not Linux vs. Windows. Even for most of the /. readers. It has always been closed vs. open source products. You misinterpret the results from the Pwn2Own contest and Shane's words. Even if the guy had "attacked" Ubuntu, the attack vector was again a buggy and not-patched-on-time closed source application. Cheers

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    That's why a "root kit" isn't called a "BUILTINADMINISTRATOR kit" :)

  • Anonymous
    April 08, 2008
    "My co-workers who run Windows hate Tuesdays" Funny... On my Ubuntu system at home, it downloads new patches every second day (on average). Once a month is a blessing!

  • Anonymous
    April 08, 2008
    Isn't it also about scale? If there's a problem in Windows it affects gazillions of people and businesses. If there's a Linux/OSX/Solaris/whatever problem it doesn't affect as many people or businesses. Thus Linux/OSX/Solaris/whatever currently have Immunity from Bad Press. As their popularity increases any exploits etc. will have a bigger effect, thus damaging their perceived "goodness". Therefore... what? Microsoft had better get their security in order, because if they don't, they will lose market share, possibly even if they're perceived to be "equally secure". Oh hang on, that's exactly what they're doing. Someone made a smart decision a few years ago. [I am not a fan of "Your computer was rebooted because of an important update." If it reopened the 26 applications I had running I'd be a little happier].

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    Is it only me who turns his Windows machine on when he's going to use it, and back off when he's done with it? I don't mind rebooting for a patch or fix. Maybe people should be using client OS machine (ie XP, Vista) for server work? Rebooting a client Windows machine shouldn't be too much of a problem for anyone.

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    Erik: While programmers are NOT exempted from these difficulties when developing on a Unix/Linux kernel, the "safety net" on *nix systems when something wrong happened used to be better than on Win9X versions. Unless something serious happened at kernel level, you're not able to bring down the whole system with a single badly written user mode program. This has been greatly improved in WinXP and improved more in Vista, but I'm afraid that those ******* are unable to see now and future, just like those ******* who still claim you have to compile the packages one by one yourself in order to run a Linux system... better just ignore them.

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    April 08, 2008
    After an update, when I get the "Your system needs to be rebooted" message, I open the Services administrator tool and stop the "Automatic Update" service. The messages go away.  Next time I restart my computer the Automatic Update service starts up again and everything's back to how it was without the reboot your computer message popping up every 5 minutes.

  • Anonymous
    April 08, 2008
    This is a great argument for IBM's AIX, which (IIRC) can apply updates and even install an entirely new kernel without any downtime.

  • Anonymous
    April 08, 2008
    Slashdot crowd = People who speak loudly but know little.

  • Anonymous
    April 09, 2008
    The comment has been removed

  • Anonymous
    April 09, 2008
    The comment has been removed

  • Anonymous
    April 09, 2008
    @Norman: The only problem I see with showing the user about programs that need to be restarted: what if it's a core part of the OS? It's not like you can just stop and start the kernel... though I'd hate to see the logic that tries to identify who's running what. @SteveG & Larry: The problem with the restart manager is that the program needs to register for it and support it in the first place, and people programming for that seem to be quite few. I have yet to actually see a program support it. @Drak: I don't shutdown and startup every day, but I do put my machine into hibernation and turn everything else off while I'm off of work. I try to do what little I can to save energy.

  • Anonymous
    April 09, 2008
    The comment has been removed

  • Anonymous
    April 09, 2008
    The comment has been removed

  • Anonymous
    April 09, 2008
    "Vista is better than previous Microsoft OSs.  Maybe in a few decades you'll catch up with *NIX circa 1995." To be honest, in the area of permissions, for example, NT is already better than Unix.

  • Anonymous
    April 09, 2008
    Yuhong: We could work around that problem actually - the OS loader opens files with FILE_SHARE_DELETE, so they could be deleted and a new version installed. Vince: The last Windows kernel patch security vulnerability was something like a year ago.   Fine, the kernel doesn't get patched that much.  What about the apps that run on top of the kernel?  Why don't they need to be patched? FrankAu: I honestly don't know.  I only know what was in the news article.  It might have been CAN-2004-0148 though.

  • Anonymous
    April 09, 2008
    Or you can rename the old copy and put the new copy in its place. Of course, the new copy is not executed until the old one is released.

  • Anonymous
    April 09, 2008
    The comment has been removed

  • Anonymous
    April 09, 2008
    Not sure what happens in kernel space, but I was under the impression that user space programs/libraries are also memory-mapped with Unix (file loading being essentially the same as virtual memory). I recall the AIX documentation covering this. When a program is deleted, the OS keeps the physical bytes around until all memory-mapped instances are gone.
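
The last few comments describe the Unix mechanism in words: write the new file beside the old one, rename it over the top, and rely on the kernel keeping the old inode alive until the last process that mapped it goes away. The script below is an added example, not code posted by any commenter, that demonstrates exactly that on a POSIX system. It stands in for a "running program" by opening and mmap-ing the file the way a loader does, installs a replacement with an fsync + rename(2) sequence, and then shows that the existing mapping still reads the old image while a fresh open reads the new one. The file names and contents are made up; nothing is actually executed, and the Windows FILE_SHARE_DELETE path mentioned above is a different mechanism that this does not cover.

```python
"""Replace a file that a running process still has mapped (POSIX).

Added example for this comment thread, not code from any commenter.
rename(2) swaps the directory entry atomically and the old inode
survives until the last mapping is released, so the "running program"
keeps its old image while new opens see the patched file.
"""
import mmap
import os
import tempfile


def install_replacement(path: str, new_bytes: bytes) -> None:
    """Write the new image beside the target and rename it over the old one.

    Writing the temp file in the same directory keeps the rename on one
    filesystem (a real rename, not copy+delete), and fsync before rename
    means a crash cannot leave a truncated binary under the real name.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".patch-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_bytes)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o755)
        os.replace(tmp, path)  # rename(2): atomic; old inode kept while mapped
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # only reached if the rename never happened
        raise


def patch_while_running(path: str, old_bytes: bytes, new_bytes: bytes) -> dict:
    """Simulate a loaded program (open + mmap), patch the file, and report
    what the old mapping and a fresh open each see afterwards."""
    with open(path, "wb") as f:
        f.write(old_bytes)
    running = open(path, "rb")  # the "process" that has the binary loaded
    image = mmap.mmap(running.fileno(), 0, access=mmap.ACCESS_READ)
    old_inode = os.fstat(running.fileno()).st_ino
    try:
        install_replacement(path, new_bytes)
        with open(path, "rb") as f:
            fresh = f.read()  # anything started after the patch gets this
        result = {
            "running_sees": bytes(image),  # the mapping still holds the old image
            "fresh_open_sees": fresh,
            "inode_changed": os.stat(path).st_ino != old_inode,
        }
    finally:
        image.close()
        running.close()  # last reference: the kernel can now free the old inode
    return result


def run_demo() -> dict:
    """Run the scenario in a throwaway directory; file names are made up."""
    with tempfile.TemporaryDirectory() as d:
        return patch_while_running(os.path.join(d, "service"),
                                   b"OLD-IMAGE-v1", b"NEW-IMAGE-v2")


if __name__ == "__main__":
    print(run_demo())
```

The point for patch deployment is the one the AIX comment makes: the file on disk can be updated safely at any time, but the process keeps executing the old code until it is restarted, so "no reboot needed" really means "restart the affected services", and a patch tool that skips that step leaves the vulnerable code running.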

  • Anonymous
    April 09, 2008
    I think I must be the only one who likes patch tuesday - the reboot gives me an excuse to go and make coffee!

  • Anonymous
    April 09, 2008
    Joshua:  "though I'd hate to see the logic that tries to identify who's running what." EnumProcesses and EnumProcessModulesEx. Jon:  'My generation of computer experts (I'm in my mid-20's) formed its opinions of Microsoft based on Windows 95 and 98.' Some previous generations of computer experts (I wish I were in my mid-20's) formed our opinions of Microsoft based partly on Windows 95 and 98 and NT4 SP4 (SP3 was the good one but SP4 made up for it) and XP prior to SP2, etc., AND based partly on other OSes that existed before Microsoft bought QDOS.  Actually these aren't the biggest parts of it, but I'll try to avoid wandering further off-topic this time.

  • Anonymous
    April 09, 2008
    Jon:  "My generation of computer experts (I'm in my mid-20's) formed its opinions of Microsoft based on Windows 95 and 98." NT was not very popular back in the 1990s. Only around the beginning of 2000 did Windows 2000 release, and that was when NT really began to take off, replacing 9x, which is one of the reasons Windows Me did not get popular. XP finally ended the 9x series. One of the issues caused by this is that many third party apps and even some MS apps, such as Office 95 (search for "Office 95 and Windows NT" to see what I mean), had issues running as non-admin, even though it had existed since NT 3.1!

  • Anonymous
    April 09, 2008
    This is a link about the transition and how NT is not based on 9x http://blogs.msdn.com/because_we_can/archive/2007/04/13/vista-is-not-based-on-a-single-user-pc-operating-system.aspx

  • Anonymous
    April 09, 2008
    One of the reasons why NT 4 never got popular is that it did not have some of the new hardware-related features in the original Windows 95, such as Plug and Play and Device Manager, let alone OSR2 and Win98. Instead it still had Control Panels like Ports and Devices that were in NT 3.x. Win2000 finally caught NT up to all of the hardware support advances in the 9x series.

  • Anonymous
    April 10, 2008
    "Users hate rebooting, so reboots are bad." Yes, they are bad.  Theoretically, you could patch a system without requiring a reboot.  Just figure out the memory and disk map before and after the patch is applied, temporarily stop all other running processes, and move everything around to obtain the desired after-patch layout! It's surely not practical, though, given the nearly-infinite combinations of running software that a user can have.

  • Anonymous
    April 10, 2008
    The comment has been removed

  • Anonymous
    April 10, 2008
    "Blaming MS for security vulnerabilities is just the price for success." OK, could be.  Now for a completely separate fact: Blaming MS for many years of refusing to fix known security vulnerabilities is just the price for arrogance. Fortunately things have changed most of the time, but as several people have observed here, it will take longer to lose the reputation ... especially when the arrogance is still waiting to be lost.

  • Anonymous
    April 11, 2008
    Very interesting, and although there are many people who champion Linux endlessly despite the fact that all OSes have their faults, I would like to point out that Linux != Solaris. I find it odd that Larry highlights a Solaris machine and then goes on to bash Ubuntu, which is Linux... there is a difference.

  • Anonymous
    April 11, 2008
    The comment has been removed

  • Anonymous
    April 11, 2008
    "the first incarnations of the registry (introduced with Office 4.3, if memory serves well)" I think that was introduced with either Windows 3.1 or OLE 1.0. "Any closed-source OS makes security analysis and debugging harder, just by being closed-source." NT beats any other closed-source software in making at least symbols public, most closed-source developers don't generate symbols with release builds at all, and even if they do they don't make it public, but still... Anyway, even shared source is much better here.

  • Anonymous
    April 11, 2008
    The comment has been removed

  • Anonymous
    April 11, 2008
    The comment has been removed

  • Anonymous
    April 11, 2008
    The comment has been removed

  • Anonymous
    April 11, 2008
    Igor: According to Shane (the finder), he believes that the same vulnerability will work on Linux and will get the same privilege level (according to several people who were there, you didn't need root to run Pwn2Own, all you had to do was demonstrate RCE).

  • Anonymous
    April 12, 2008
    The comment has been removed

  • Anonymous
    April 13, 2008
    Igor, the only way that a Windows Vista user will be running as root is if they turn off UAC.  And that rarely happens (we know, David Cross just gave a presentation where he mentioned the percentages of users that turn off UAC). And in Pwn2Own, you just had to demonstrate RCE, not an EoP to root.

  • Anonymous
    April 13, 2008
    "But except for the folks at FreeBSD and Firefox folks [...] nobody in the FOSS community seems to be considering security to be a significant problem." What about Debian? (recent http://lists.debian.org/debian-devel-announce/2008/01/msg00006.html)

  • Anonymous
    April 16, 2008
    ygrek: that's actually great! - debian is finally adding NX protection, ASLR and banning unsafe APIs.  But those are ALL bandaids around the design problem.   In order to "consider security to be a significant problem", I'd want to see things like mandatory training for contributors to FOSS products, threat analyses being performed on FOSS products, code reviews for security issues, etc.   You don't have to do threat models like we do (although I think they're a really good idea); but you DO need to do some level of analysis.  And in an FOSS world, I would expect that those analyses be made public - that's why I know they're not being done. In my honest opinion, bandaids are great, but there's no substitute for process.  The SDL is Microsoft's version of that process, other companies have adopted their own versions (I believe Oracle has said that they've invested in a security assurance process, for example).

  • Anonymous
    April 16, 2008
    The comment has been removed

  • Anonymous
    April 18, 2008
    "Igor, the only way that a Windows Vista user will be running as root is if they turn off UAC." And here I thought that turning UAC annoyance off is the first thing everyone and their grandmother does after installing Vista.

  • Anonymous
    April 18, 2008
    Igor, according to the articles I've read, 88% of all Vista customers have UAC enabled, and 66% of all Vista "sessions" never encounter a UAC prompt.

  • Anonymous
    April 19, 2008
    BTW, on the matter of UAC, it is similar enough to sudo that it is basically a clone of sudo.

  • Anonymous
    April 19, 2008
    >ygrek: that's actually great! - debian is finally adding NX protection, ASLR That all actually existed for years and some other distros had that even before Debian. BTW, on the matter of NX in Linux, from http://blogs.msdn.com/oldnewthing/archive/2008/04/10/8374144.aspx#8398520: "BTW, not all Linux distros provide a PAE kernel, and some provides it only on server kernels, such as Ubuntu. In Linux, with a non-PAE kernel, you could not even use NX!"

  • Anonymous
    April 19, 2008
    "And here I thought that turning UAC annoyance off is the first thing everyone and their grandmother does after installing Vista." That is a little far, in fact I don't turn UAC off on my Vista machine.

  • Anonymous
    April 26, 2008
    >"And here I thought that turning UAC annoyance off is the first thing everyone and their grandmother does after installing Vista." >That is a little far, in fact I don't turn UAC off on my Vista machine. BTW, the class of mistake Igor is making here is called overgeneralization. Just because geeks do something does not mean that everyone does something.

  • Anonymous
    April 27, 2008
    So Antioch's Solaris systems were (a) compromised by an old vulnerability, and (b) were being used as botnet clients. You don't have any idea what IRC is or what an IRC bot usually does, do you? Botnet client? What? Hint: logging, auto-oping known users, providing small tools like "!weather new york"

  • Anonymous
    April 27, 2008
    nikanj: I know exactly what IRC is and the difference between an IRC bot and a botnet client. Sure, an IRC bot does logging, etc., but a botnet client does a smidge more - it does things like launching DDoS attacks and sending spam emails. And this wasn't an IRC bot that was on those machines.  My point was simply that the idea that somehow botnet clients are a uniquely Windows phenomenon is simply untrue.