Re: Short List of Security Questions



karl levinson, mvp wrote:
"BC" wrote:

Right. Linux gets hacked when people start enabling features, like trying
to use it as a web server. IIS 6 on Windows Server 2003 is hacked far less
frequently than Apache on Linux. A significant problem in Linux and Windows
security is the user not knowing how to safely configure and use their OS.

No: http://www.dgl.com/itinfo/2001/it010723.html

That article is from 2001, before the release of IIS6 which I was
discussing. "Near weekly security patches" doesn't happen, and there are
automated methods to ease pushing patches, including to critical servers.

Instead of opinion, you need to check out the statistics at www.zone-h.org
in their defacements archive section. Oh, and the top story on the home
page is about the debian.org development server getting hacked, again.

I found this more interesting:
http://www.zone-h.org/component/option,com_attacks/Itemid,44


Look, absolutely Windows has security problems, and I'm critical of them.
It just irks me when people criticize Windows security for the wrong
reasons, or try to suggest that Linux, its file system, etc. is perfect and
superior in every way, ignoring limitations like lack of granularity in role
based ACLs on files.

Nobody is saying that Linux is perfect -- the main concern
is with how inexcusably imperfect Microsoft's stuff is. How
do you feel about one-way firewalls, blank Administrator
passwords, ActiveX controls, to name but a few?


The defaults in Windows XP SP2 and 2003 are pretty secure.

No: http://www.security.duke.edu/securepc-xp.html
http://tech.msn.com/guides/itdecision/article.aspx?cp-documentid=103175&HTTP_HOST=tech.msn.com&url=/guides/955450.armx

What does that link have to do with "defaults"?


Again, those articles predate XP SP2 and they don't address 2003, so you
haven't contradicted what I said. How is that short list of
recommendations any different from any other OS? Windows isn't going to
automatically pick a good password for you, that's your job. Even OpenBSD
has a recommended installation checklist, and there are a variety of them
for Linux as well.

There is no excuse for letting someone take home a PC
from the store, set it up, and then not have Windows force
some sort of basic security to be configured, either
automatically through the activation process or guided.


Windows XP was
released in 2001 and programmed in the years before that, so for a true
apples to apples comparison, you would have to compare its default settings
to a *nix distro from five years ago. A lot of the threats we're seeing
today weren't really around back then.

You should go by what you can get *today* rather than 5
years ago.

Which is what I did by mentioning XP SP2. You're the one going back five
years ago for your articles.

I was doing some quick Googles for applicable articles and
didn't note the date on that Apache/IIS article -- not "articles"
plural. Some were actually from within the past week.


The most secure thing you can do
in Windows is immediately download and install Firefox
and/or Opera and avoid the blue "e" as much as possible,
as well as other programs that use it, like Outlook and
Outlook Express.

People are rarely hacked via web browsers.

No:
http://www.pcadvisor.co.uk/blogs/index.cfm?entryid=237&blogid=4
http://www.ciol.com/EnterpriseConnect/content/article.asp?artId=86344&secId=1345

Once you get a number of infections, you let me know what that number is.

?? You said people are rarely hacked via web browsers.


Your second article mentions the same download.ject Trojan I mentioned.
Trend Micro counted about 750 people infected worldwide by download.ject
ever, despite the fact there was no Microsoft patch for about a month. Wow,
750 whole people infected. That is a huge number.


Again, you said people are rarely hacked via web browsers.
And why are you picking on a particular bug?

www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FJECT%2EA&VSect=S
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FPSYME%2EB&VSect=S
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FSCOB%2EA&VSect=S


It doesn't matter -- the XP Home Administrator account
is blank as the default; and I have had good luck fixing
problem XP PC's with a password-resetting Linux boot
floppy and stuff like Bart PE. Either it prevents you
from accessing stuff or it doesn't. Some of those old
Win3.11/95/98 did a far better job of locking out access
from alternative boot devices.

If you have physical access to any computer running any OS and any partition
format, you can access the hard drive. Linux, Windows, it doesn't matter.

No. Some of those old security programs modified the file
structure so that you wouldn't even see a formatted
hard drive if you booted off a floppy.


Within just the past couple of days, I had to use
Bart PE to fix a system that wouldn't boot up thanks
to some bad spots on the hard drive. And twice
recently before that I had to use a 3rd party NTFS
data recovery app to recover hard drive files. You
compare that to something like Novell's old server
file system which could almost take a bullet. But
compare NTFS to even poor old FAT32:
http://cquirke.blogspot.com/2006/01/bad-file-system-or-incompetent-os.html

FAT [and various flavors of Linux and Solaris] had/have a much bigger
problem where being shut down in the middle of a write operation could make
the entire partition difficult to rescue. Both FAT and NTFS can become
unbootable if a physically bad sector makes a critical system file
inconsistent. But that is far easier to fix than an entirely bad partition.
This makes FAT a vulnerable and entirely inappropriate file system for
mission critical servers, and pretty much no one uses FAT for servers
nowadays when NTFS is an option.

No. There is no discernable difference in reliability
between FAT and NTFS for general file access,
server or otherwise, and NTFS is more problematic
to recover from, in part to its proprietary, poorly
documented nature. Its main advantage over Fat32
is large file and huge hard drive handling.


File systems, including NTFS and ext2, can protect you when there's a write
operation to a file. I really don't know how you could expect a file system
to keep a system bootable when a system file, just sitting there, without
any write operations, suddenly experiences a physical bad sector. The only
way you could avoid that is to use some form of RAID, which NTFS can do.

Ya think?
http://www.backupbook.com/03Freezes_and_Crashes/02Journaling.html


"DropMyRights" is no more than another privilege control:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

"DropMyRights is a very simple application to help users
who must run as an administrator run applications in a
much-safer context-that of a non-administrator. It does
this by taking the current user's token, removing various
privileges and SIDs from the token, and then using that
token to start another process, such as Internet Explorer
or Outlook. This tool works just as well with Mozilla's
Firefox, Eudora, or Lotus Notes e-mail."

As I said, it's just another privilege control for the user.


It's better than nothing, but doesn't at all compare with
the fine grain control that Linux offers

Such as?

http://docs.linux.com/article.pl?sid=04/04/15/1913248&tid=2
http://docs.linux.com/article.pl?sid=04/04/15/1918219&tid=2
http://docs.linux.com/article.pl?sid=04/04/15/1923224&tid=2


And if that wasn't enough, Novell has a nice little freebie app:
http://www.novell.com/linux/security/apparmor

If you go by what system allows for easy security without
a lot of hard work and gotchas, Windows loses every time.

So you can mention free add-ons like using Novell / SUSE's apparmor, but
you're not allowing consideration of free add-ons for Windows?

The Novell thing was only mentioned in the normally self-
explanatory context of "And if that wasn't enough."

By that same
token, you probably consider third-party plugins for Firefox part of
Firefox, but Microsoft's add-ons for IE like the one that enables tabbed
browsing aren't part of IE.

You're mixing two things: inherent security & features;
and add-ons.


People who can't take basic measures to secure their Windows systems would
also have problems securing their Linux systems.

Ya think?
http://www.techworld.com/security/news/index.cfm?NewsID=5535


That's an excellent point. No matter how you secure your OS, and whatever
OS you choose, it's still generally reliant on and vulnerable to the
shortcomings of the aging TCP/IP suite, such as threats like DNS spoofing,
ARP spoofing, man in the middle session hijacking, SSL, SSH, etc.

True, but Linux has a huge amount of TCP/IP security
built in, which is why Linux boxes make such dandy
firewalls (just ask Microsoft:
http://www.newsfactor.com/perl/story/22171.html)

Microsoft using Akamai's services is hardly Microsoft using Linux for a
firewall. I don't believe Microsoft uses firewalls in front of their public
web servers. Why do those Akamai Linux web servers need firewalls? Are
they that insecure?

That's an "interesting" way to word matters. I prefer this though:
http://news.zdnet.co.uk/software/linuxunix/0,39020390,39115920,00.htm


If Microsoft was truly serious about security, they would
have long ago rewritten IE to be a standard, standalone
application with no artificially elevated privileges

What artificially elevated privileges does IE have?

!!!!

Unless you use
DropMyRights, IE by default runs in the context of the logged in user, only
with a variety of restrictions, so that IE can't do a lot of things the user
can do.

See: http://www.eweek.com/article2/0,1895,1826269,00.asp

That article doesn't prove your point over mine. You haven't proven that IE
has any greater privileges than the user that's running it. Furthermore,
depending on the security zone the page is coming from, IE is unable to do
certain things the user can do. A prime example is Outlook and Outlook
Express, which use the exact same "IE" code for HTML rendering, but use the
Restricted Sites zone for doing so. This has prevented a lot of IE vulns
from also being Outlook vulns. Also, it's not true that users cannot run IE
with reduced privileges, as your article states. Users can use DropMyRights
if they wish, for example. I never do, though, and I've never been infected
via IE.

http://redmondmag.com/columns/article.asp?editorialsid=1215

"The majority of IE's notorious security flaws stem from
its pervasive integration with Windows. That is a feature
no other Web browser offers -- and an ability that Vista's
Protected Mode intends to mitigate. IE 7 obviously won't
remove all of that tight integration."


If you meant to say that IE has way more privileges than it should have, I
agree totally with that. Those privileges are not exactly "escalated,"
though, because IE under normal conditions has fewer privileges than the
locally logged in user, and under exploit / security bypass conditions has
the same privileges as the locally logged in user. If you were going to say
that Windows and software programmed for Windows could make it easier for
users to run Windows and surf with non-administrator privileges, I might
agree there too.

It needs to be uncoupled from the OS and be an
application that talks to the OS just the same as
any non-MS app.


Microsoft wholly artificial bundling of IE to Windows essentially
gives IE the guys to the system -- exploit IE and you exploit
Windows.

No, when you exploit IE via an unpatched vuln, you get the privileges of the
locally logged in user, not access to the entire system. If a user is
browsing the Internet while logged in as administrator or root, that's only
partially the fault of the OS, and partly user error.

See my previous link. And "guys" was a typo -- that
should have been "keys".


Vulns in Winzip, MS Office, etc. are just
as dangerous as IE vulns, because those apps can do just about anything IE
can do, without being integrated into Windows.

No. Microsoft apps have always been in a special category
when it comes to risk since they too have excessive
privileges, often via their use of IE.
http://secunia.com/product/23
http://secunia.com/product/2276

Actually, the Trend Micro statistics for download.ject, which was huge news
in the media, show that the risk of IE vulns is highly overrated compared
to actual risk.

Look, absolutely Windows has security problems, and I'm critical of them.
It just irks me when people criticize Windows security for the wrong
reasons, or try to suggest that Linux, its file system, etc. is perfect and
superior in every way, ignoring limitations like lack of granularity in role
based ACLs on files.

As I stated earlier, nobody is saying that Linux is perfect --
the main concern is with how inexcusably imperfect Microsoft's
stuff is. Especially when it comes to security.

-BC
