Linux Servers: Hacked Most?

[InfiniteL00p]

Grabbed a look at this article over at the Inquirer the other day.Mi2G claiming Linux-based servers are the most hacked, in a review conducted in January of over 17,000 "successful" hacks.

We've all seen figures like these before, most notabily regarding economic damage done by piracy and fast-spreading worms, and most rational people have to call these numbers into question.

Does anyone have experience or currently generate any statistics like these? I'd like to get some insight as to how these numbers are generated - possibly even disect the process a bit.

(if you don't want to discuss it on the board, drop me an email ...

l00p

Article follows:

Linux servers "hacked the most", claims specialist

By INQUIRER staff: Tuesday 02 March 2004, 07:17

DIGIRISK SPECIALIST Mi2g is likely to get right up the noses of open source advocates everywhere by claiming that Linux servers are the most breached online servers available.
The London based outfit said that Linux is the worst, Windows servers had got better and BSDs and Mac OSX were the safest.

Mi2g claimed it had analysed 17,074 successful digital attacks against online servers and networks in January 2004, with Linux accounting for 13,654 breaches, and Windows for 2005 followed by BSD and Mac OS X with 555 breaches worldwide.

But, the company is quick to point out that its figures don't take into account the numerous malware attacks against Windows and mass website defacements were counted as multiple attacks.

A spinner for the company said that since the recent global malware epidemics have not caused any economic damage to systems running Open Source including Linux, BSD and Mac OS X, it ignored them.

The company said that mass website attacks were counted as multiple attacks because although there is a single action on the part of the attacker, economic damage is always done to multiple victims.

The firm estimated the overall economic damage from hacker activity worldwide was between $US2.34 billion and $2.86 billion.

But, according to Australian Age, Mi2g's figures have been questioned in the past. It claimed the MyDoom worm cost the world more than $US38.5 billion a figure labelled "absurd" by Rob Rosenberger, the editor of the Vmyths website.

[MrLinus]

There are a couple of things that might be worthwhile to ask:

- is it linux as in the kernel or all the distros? Each distro brings its own views and attitude towards security into their release. Some are better at it than others. The more common distros, SUSE and RedHat, have become commonplace with regular users and the problems that faced Windows now faces Linux: users install but don't RTFM

- are we just more aware of issues? Very similar to other "crimes", sometimes we're just "seeing" more because it's reported more or because the media picks up on it.

- how many of the vulnerabilities led to actual break-ins? These figures they put forward don't indicate from where they got this information, if it was the same machines being attacked and what the scenario of the attack was. Was it a defacement due to poor permissions? bad passwords? not fixing previously well known vulnerabilities? The numbers for Windows seems low given the recent spat of viruses and worms that enabled backdoors and such.

This particular report, IIRC, got slammed because this company has suspect reporting mechanisms and a lack of verifiable statistics.

[owensleftfoot]

Attrition.org dont seem to have much time for them any way.

[CXGJarrod]

You also might want to take into account that according to Netcraft Apache (with a good portion of those Apache servers running on Linux I am guessing) runs 67.38 percent of the total websites in the world.

http://news.netcraft.com/archives/20...er_survey.html

[nihil]

Yep,

"Mig21" do have something of a reputation for sensationalism.

They would also fail a relatively simple statistics exam?

As I have mentioned before, if 99% of automobiles were yellow, then 99% of automobile accidents will involve yellow vehicles? C'mon, it's not that difficult a concept is it. It does not follow that yellow vehicles are less safe!

As for 17000 "linux" servers, I wonder if there are that many in the whole world? "*nix" yes, it is a very popular OS for servers, but actual "linux" Just like Windows, they are targetted because they are plentiful.

Also, I have really noticed "a tendency for corporates to boast about having their systems hacked"...............so the statistical "population" is grossly flawed. To do it properly, you need a representative sample of all servers that reflects their actual population/distribution. You then need to monitor compromises on those systems and analyse the results?

Something like this:

100 OSa......................10 Compromises =10%
1000 OSb.....................30 Compromises = 3%

I guess that I will still buy a yellow car

Just my thoughts

[R0n1n]

mi2g have continously produced rather dubiosu statistics, so far we have lost half the worlds GDP to viruses, if you go by their stats....

One of the factors that could account for the high number is that lots of people are switching to Linux (or at least trying to run it) who realy don`t know how to adminsiter it so leave it an unsecured way making attack much easier.

It would be interesting to see how they are defining a "successful attack"

[InfiniteL00p]

True indeed - I've read that this group may have questionable statistics, so here's what I've done:
1) Emailed them.

I got a quick response, with a pointer to their FAQ. It talks about how they generate their numbers - in terms of economic dammages they take a few cases in across some domains and business types and extrapolate much larger numbers based on those (which is reasonable, considering you can't survey everyone). Unfortuantely, the FAQ is rather vague, and I don't believe they'd answer mre detailed questions unless I purchased one of their reports..

2) I'm asking again anyway.

I'll let you know if I hear anything.

l00p

[HTRegz]

Hey Hey,

On top of the fact that we've seen ridiculous numbers from them in the past, they mentioned counting multiple defacements on the same server as multiple attacks. So in reality how many servers have they included? It's not uncommon to see a hosting company with 500+ websites, 1000+ websites... sometimes even more. Say you go low and say that each server hosted 100 websites, that brings the number down to 1700 already. I know the same can be said about Windows machines, but linux is more common as CXGJarrod pointed out, and most of the time Windows is used more in an enterprise environment hosting only one or two machines. There are hosting companies that provide the option of using a 2k or a 2k3 machine, but if you check them out.. I bet 95% of their business is hosted on *nix boxes. That to me seems like the biggest mistake they made. Each server should have been counted, not the number of sites on it that were defaced.


Peace
HT

[MrLinus]

It talks about how they generate their numbers - in terms of economic dammages they take a few cases in across some domains and business types and extrapolate much larger numbers based on those (which is reasonable, considering you can't survey everyone).

Which is actually unreasonable. It's based then on inaccurate facts. What if the ones they've picked are the worst offenders of the bunch or an industry that has limited need/exposure to the use of security or poor at implementing a specific OS? It would have been better to state explicitly what you have and suggest the possible extrapolation than outright "lie" and state misinformation.

If Attrition.org's statements are correct, I can see why he didn't get his PhD. That's just unethical, IMHO.

[slarty]

The amount something is cracked has nothing to do with its security:

- Perhaps there are more Linux boxes to break into? Did they scale it by hosts? (I think probably not, Windows has about twice as many internet-accessible servers as Linux perhaps?)
- Perhaps Linux boxes are more attractive to attackers, who pass up chances to crack Windows boxes because they make boring targets?
- Perhaps Linux sysadmins are more honest, and hence more likely to report intrusions than Windows sysadmins?
- Perhaps Linux sysadmins are more dilligent and are more likely to detect intrusions, this figure presumably doesn't count boxes which have been penetrated but not discovered to be (How many owned "zombie" windows boxes are there out there?)
- Perhaps the survey was done in countries or companies which skewed it by some factor? Maybe in less Linux-savvy companies, Linux boxes get penetrated more because the staff aren't as well trained?
- Perhaps there are more "skript-kiddie" style exploits which exist for Linux vulnerabilies, hence the "kiddies" who crack most boxes find it easier to get into a badly maintained Linux box than Windows

None of these things has any reflection on the actual security of the system.

Personally I think that the difference between a weak Linux box and a strong Linux box is much more than a weak Linux box and a weak Windows box, which are about the same (i.e. easy to get in in most of the default configurations)

Slarty