You may retrieve this story by entering QuickLink# 52057

> Return to story


Study: Linux server attacks declining
An unpatched Linux system lasts about three months before it's compromised


News Story by Matthew Broersma






JANUARY 20, 2005 (TECHWORLD.COM) - Attackers are no longer bothering to attack average Linux systems, apparently because there's so much more money to be made from invading Windows, according to security researchers.

The Honeynet Project, which sets up Linux networks in order to observe attack activity, found that the life expectancy of such systems has dramatically increased from two years ago. Its 2004 findings, published recently, found that an unpatched Linux system lasts, on average, three months before it is compromised. That's compared with about 72 hours for 2001-02.

Some of the project's systems were exposed to the Internet for nine months without a successful attack.

The project's "honeynets" -- networks of two or more "honeypots" -- are designed to detect random attacks on the Internet. Such attacks are carried out on targets that are detected through random searching, scanning and hacking systems such as worms and autorooters, rather than particular attacks focused on specific targets. A honeypot is a system set up for the purpose of attracting random attack activity.

Since overall Internet attacks don't seem to be going down, the project's researchers theorized that the focus of hacking activity has shifted to Windows systems, simply because the platform is so widespread that it presents an irresistible target.

"It's now easier to hack the end user than hacking the bank," said Lance Spitzner, president of the Honeynet Project. "Banks are well protected; end users are not. Hack enough end users, and you can make as much, if not more, than hacking the bank."

While the project didn't carry out comparative research using Windows, Spitzner pointed out that research from security organizations such as Symantec Corp. and the Internet Storm Center (ISC) has found no shortage of attacks on Windows honeypots. For example, an ISC project involving Windows systems measures survival time in minutes rather than hours.

The average survival time for the systems the ISC tests has declined from about 55 minutes in the autumn of 2003 to just under 20 minutes at the end of 2004, although those figures are an improvement from a low of 15 minutes in the spring of 2004. Microsoft says survival rates for Windows should decline as Windows XP Service Pack 2 becomes more widely used, because the update is designed to make Windows' default configuration more secure.

The project deliberately focused on average systems that didn't present any particular attraction to attackers -- in the real world, the equivalent would be home networks or small and medium-size businesses. The project deployed 12 honeynets in eight countries -- the U.S., India, the U.K., Pakistan, Greece, Portugal, Brazil and Germany -- consisting of a total of 24 unpatched Unix and Unix-like honeypots. Nineteen of the systems were Linux, mostly Red Hat, including one Red Hat 7.2 system, five Red Hat 7.3 systems, one using Red Hat 8.0, eight using Red Hat 9.0 and two Fedora Core 1 systems. Other deployments included one SUSE 7.2 system, one SUSE 6.3 system, two Solaris Sparc 8 systems, two Solaris Sparc 9 systems and one using Free-BSD 4.4.

Services such as SSH, HTTPS, FTP and SMB were enabled, with inbound connections to these services allowed. Some of the systems also used insecure or easily guessed passwords. The systems weren't registered in the Domain Name System or search engines, so they could be found only by automated means.

The situation for high-value Linux systems, such as company Web servers, CVS (Concurrent Versions System) repositories or research networks, is potentially very different, Spitzner said. "I'm sure these high-value Linux systems are prime targets and are attacked every day, if not every hour. If vulnerable, they would be hacked very soon," he said.

Older Linux systems were more likely to be successfully attacked than newer deployments, probably because more vulnerabilities have been uncovered and attackers have had time to learn which exploits work, the project found. This also reflects the fact that default Linux installations are becoming more secure, the project said.

Once they compromised systems, attackers used them mainly for Internet Relay Chat bouncing, bots and the hosting of phishing scams, the project found. On at least one of the systems, attackers attempted to set up a fake bank in order to harvest bank and credit card information.

The Honeynet Project is a nonprofit research organization supported by a number of security companies, including Foundstone Inc., Counterpane Internet Security Inc., SecurityFocus.com and Sourcefire Inc.


 http://www.computerworld.com/securitytopics/security/story/0,10801,99080,00.html