[ISN] Mi2g, Safe Servers and Secret Data

From: InfoSec News (isn@c4i.org)
Date: Fri Mar 19 2004 - 05:41:16 CST


http://www1.commsworld.com.au/NASApp/cs/ContentServer?pagename=commsworld/home&var_el=art&art_id=1067861810188&var_sect=COMMENT&from=home

Richard Chirgwin
01 March 2004

Since I've never encountered Mi2g in any capacity, it's not easy to
assess the company's standing as a security consultant.

Of course, every security company in the world is a market leader of
some kind - the security market seems like a 1,000-way dead heat for
first - but Mi2g is at least punching above its weight in terms of
media strategy.

It's got a press release or a statement or a piece of proprietary
research to cover just about any eventuality.

Still, given the long campaign by Linux advocates to promote open
source software as intrinsically more secure than proprietary
software, and the long campaign by Microsoft to recover its security
credibility, a story which says "Linux is insecure" is a dead-cert to
get at least a few headlines.

Unfortunately, if I tried to do anything more than rehash the same
sketchy details as have already found their way around the IT press, I
would be up against it.

The Facts

The facts that Mi2g has gone to press with are sketchy, to say the
least. It says that more than 17,000 servers on the Internet were
attacked during January; that the most-attacked server operating
system was Linux; and that Mac and BSD are the most secure server
operating systems, based on the number of successful breaches.

For those who like numbers, Mi2g is saying that January saw just over
17,000 successful attacks; and that more than 13,600 of those involved
Linux servers versus just over 2,000 for Windows servers.

Well, that's pretty conclusive, isn't it?

No.

Methodology

It's very hard to discuss the raw data, or to analyse the methodology,
because I can't read the source report.

Why not? Because Mi2g requests payment for press releases. In the case
of the January report, it's asking nearly $100.

A sufficiently cynical character - me, for example - might be led to
wonder. Perhaps the media which rate "most favoured status" get to see
a sliver of real data - maybe the executive summary of the report, for
example, or maybe they get the media release for nothing. But Mi2g is
not exposing itself to the wholesale scrutiny of the press.

And I would be surprised if any of the favoured media read the
incredibly onerous license terms Mi2g applies to everything it commits
to a document. If you've received an Mi2g media release, it is (as far
as I can tell from the legalese on the Website) released under
conditions such as the data remaining the property of Mi2g rather than
the media.

The very first clause of the license agreement - from which media
releases are not excluded - says that Mi2g retains "control over the
form and content of the Services" (with services already defined as
everything the company says and/or does).

CommsWorld isn't in Mi2g's "in" crowd, so I can only comment on the
data that's appeared in the public domain. If, for example, one of the
Mac publications, or ZDNet, or anyone else has made an error, it could
render my analysis of the Mi2g data inaccurate.

What's Missing

All of the reports of Mi2g's study - because we can't discuss the
methodology directly - say that Linux was the operating system most
frequently breached in January, but none of them explain Mi2g's
definition of what constitutes a "breach".

If, for example, there is a fundamental vulnerability in Linux which
allows attackers to discover a "backdoor" into a server, bypassing
normal security measures such as access control - then this would be a
serious matter which would put any deployment of Linux in serious
doubt.

But a breach can just as easily (whether the server is Windows, Linux,
or Commodore 64 for that matter) come with no technical prowess
required - if the system administrator is careless or rushed, and has
left a system's default passwords enabled.

An attack of this kind reflects not on the underlying operating
system, but on a lack of administrative and deployment processes among
the user base.

Alternatively, the attack might compromise, or be enabled by, an
application running on top of that operating system. Successfully
breaching an Apache Web server - or some other Web server for that
matter - does not reflect on the security intrinsic to the underlying
operating system.

A third problem is common to both Windows and Linux: how does the
researcher draw the line between a compromised server, and the many
Web presences that server may host? If an attacker walks in through a
default password, in a Web farm hosting 100 Web sites, does that count
as 100 incidents against the operating system, or as one?

Unless the methodology is open to scrutiny, it's impossible to tell.

Finally, there's the matter of correctly identifying the operating
system hosting a particular service. Anyone with curiosity can see,
by using Netcraft to wander around different sites, that there are
often lacunae in OS identification.

This is particularly true when a firewall and a Web server are running
different operating systems; many's the time that I have been told a
Web server was running Microsoft Internet Explorer on the open source
operating system which was actually hosting the firewall.
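The two problems above, counting a breached Web farm as one incident or
as a hundred, and reading an operating system off a banner that may
belong to the firewall in front of the server, can both be shown on
sample data. The script below is an added illustration for this
article; it is not Mi2g's method (which the article notes is not
published) and not code from the article. The hostnames, addresses and
Server banners are constructed, and the banner classifier is a
deliberately simple assumption about how an automated survey bot might
work.

```python
"""Two sources of slack in a 'most-breached OS' league table.

Added example, not code from the article and not Mi2g's (unpublished)
methodology. It shows (1) how a Web farm hosting many sites on one server
inflates per-OS counts when incidents are tallied per site rather than per
host, and (2) how little an HTTP Server banner actually says about the OS.
All records below are constructed sample data on reserved example names and
TEST-NET addresses; none refers to a real incident.
"""
from collections import Counter

FARM_IP = "192.0.2.10"  # constructed: one shared-hosting box serving 100 sites

# (hostname, server IP, HTTP Server header as a crawler would see it)
SAMPLE_REPORTS = [
    (f"site{n:03d}.example", FARM_IP, "Apache/1.3.29 (Unix) PHP/4.3.4")
    for n in range(100)
] + [
    ("www.example.org", "192.0.2.20", "Apache/2.0.48 (Fedora)"),
    ("shop.example.net", "192.0.2.30", "Microsoft-IIS/5.0"),
    ("mail.example.com", "192.0.2.40", "Apache/1.3.29 (FreeBSD)"),
    ("www.example.com", "192.0.2.50", "Apache/1.3.29 (Darwin)"),
]

# Assumed marker strings; a real survey would need a much longer list.
LINUX_MARKERS = ("linux", "red-hat", "fedora", "debian", "ubuntu", "suse")
BSD_MARKERS = ("freebsd", "openbsd", "netbsd")


def guess_os(server_header):
    """Infer an OS family from a Server banner the way an automated survey
    bot would. A bare '(Unix)' is reported as unspecified rather than
    guessed, and anything the banner does not say is 'unknown'. Note that
    this classifies whatever answered the HTTP request: a proxy or
    firewall in front of the real server gets attributed instead of it."""
    h = server_header.lower()
    if "microsoft-iis" in h or "win32" in h or "win64" in h:
        return "Windows"
    if any(m in h for m in BSD_MARKERS):
        return "BSD"
    if any(m in h for m in LINUX_MARKERS):
        return "Linux"
    if "darwin" in h or "mac os x" in h:
        return "Mac OS X"
    if "(unix)" in h:
        return "Unix (unspecified)"
    return "unknown"


def count_by_os(reports, per_host=False):
    """Tally reports by inferred OS.

    per_host=False: every hostname is an incident (100 sites on one box = 100).
    per_host=True:  every server IP is one incident (the same box = 1).
    """
    seen = set()
    tally = Counter()
    for hostname, ip, banner in reports:
        key = ip if per_host else hostname
        if key in seen:
            continue
        seen.add(key)
        tally[guess_os(banner)] += 1
    return dict(tally)


def unattributable(reports):
    """Hostnames whose banner does not name a specific OS at all."""
    return [h for h, _, banner in reports
            if guess_os(banner) in ("unknown", "Unix (unspecified)")]


if __name__ == "__main__":
    print("per site:", count_by_os(SAMPLE_REPORTS))
    print("per host:", count_by_os(SAMPLE_REPORTS, per_host=True))
    print("cannot attribute:", len(unattributable(SAMPLE_REPORTS)),
          "of", len(SAMPLE_REPORTS))
```

On this constructed data the same raw reports give 104 incidents when
counted per site and 5 when counted per host, and 100 of the 104 carry
a banner that names no operating system at all. Which of those figures
a report publishes is exactly the methodological choice the article
says it cannot see.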

Sanity Check

What's missing from the reporting is the simple sanity check that a
look at the raw data would afford.

However, there are certain assumptions which seem, from the outside, to
be reasonable. Chief among these: that much of the data-gathering is
completely automated, the business of automatic software bots querying
Web sites in much the same way as Netcraft does.

The reason I make this assumption is simple: even if a company had the
resources to conduct 17,000 detailed telephone calls per month - a
task which would take hundreds of staff and hundreds of thousands of
dollars - it's not going to find the phone numbers of 17,000 Web sites
that easily.

However, once again in the business of assessing the information -
deciding whether it's valuable enough to print as "news" - there's no
way to know. The information is obscure, its source is obscure, and to
seek the data at its source would tie my hands and constrain the
reports.

Which leaves me with a conclusion that my peers should have made: the
slender amount of data Mi2g releases is entirely inadequate for
serious news. It's a promotion piece only, supplemented by little
leaks to friends.

Is Linux more insecure than Windows? I don't know - and nor do any of
the IT press, anywhere in the world.

-
ISN is currently hosted by Attrition.org