A Skeptical Look At The Linux Server Botnet
When The Register ran news of a "Linux botnet" out in the wild, the bloviation did fly: See? Linux really isn't that secure! But odds are this has nothing to do with Linux security per se, and everything to do with the biggest and most notorious security hole of all: bad system administration.
Last year a friend of mine sent me some then-early details about a similar-sounding Linux server exploit. The whole thing seemed fishy, especially the bit about how the problem persisted after a complete system scrape-and-reinstall. My guess was that it was not so much an extant vulnerability as a security hole being left open by the admin -- e.g., a default root password was being reused, and was someone's way to get back in even after a full nuke-and-pave. My friend concurred. The real problem, as he saw it, was compromised user credentials, which make most anything possible in its wake.
The "botnet" in this case sounds like something quite similar: an infection that, according to one researcher, looks for machines (which just happen to be running Linux) with compromised/sniffed passwords, and which then uses them to further spread its payloads. If that's true, there's nothing that requires this to be a Linux-specific exploit. It's an opportunistic infection, as it were.
The noise on both sides of this issue has been irritating. On one side, there are people bashing Linux with the "see, I told you so" hammer. Linux is insecure -- you just get a pass because it isn't attacked as broadly! Just you wait! And on the other side we have the apologists, who fume and bite their lips and insist there's nothing to see here, move along. Both parties miss the point.
I don't think Linux is immune from attack any more than I think Windows is inherently insecure. Security is a process, not an artifact: it's a product of the way you do things. If your approach to security is haphazard and inconsistent, and you don't do things like rotate passwords or use secure connections to transmit them, guess what -- you've created your own weakest links. (And yes, open source makes it easier to find problems, but that only matters if competent people are actually looking for them.)
One could argue that the way most Linux distributions are built and shipped ensures a bit more security than the competition, whether that competition is Windows, BSD, Solaris, or what have you. Fine. But that doesn't change the fact that someone has to set that stuff up and put it to use -- and that they have to know what they're doing.
In this day and age, the odds are you're your own worst security threat, no matter what you run. And neither Linux nor open source will automatically render you immune to your own incompetence.
[Postscript: I should point out that my reaction wasn't to the Register article itself, which did in fact note that the most likely culprit was bad system administration. My gripe has been with people who picked up on this as a way to indiscriminately bash Linux out of hand.]