To:"Mike Swier" <mswier@YAHOO.COM>
Date: Thu, 31 Mar 2005 15:26:24 -0500 (EST)
From:"Security Pipeline Newsletter" <secured@techwire.com>
Subject: [SPN] Security Pipeline - 03.31.2005 - Win vs. Lin III
Security Pipeline Newsletter | Windows More Secure Than Linux? Like Heck! | 03.31.2005
Security Pipeline Newsletter
www.SecurityPipeline.com
Thursday, March 31, 2005


In This Issue:
  • Editor's Note: Windows More Secure Than Linux? Like Heck!
  • Top Security News
        - Microsoft Releases Major Windows Server 2003 Update
        - CoolWebSearch, Dubbed Adware's "Ebola," Tops Spyware Threat List
        - Internet Music Theft Likely To Survive Supreme Court Decision
        - More News...
  • Editor's Picks
        - The 10 Worst Security Practices
        - Wayne Rash: VoIP 911 Problems Could Kill You
        - Rob Enderle: Let's Avoid A Spyware Witch-Hunt
        - More Picks...
  • Voting Booth: Windows Vs. The World
  • Get More Out Of Security Pipeline
  • Manage Your Newsletter Subscription



    Editor's Note: Windows More Secure Than Linux? Like Heck!

    Readers were pretty skeptical of a recent study that found Microsoft Windows to be more secure than Linux.

    They said the study was unfair because it compared Red Hat Linux — a relatively unsecured distro — to Windows. Readers cited their own experience finding far more problems with Windows than Linux. And they said the fact that Microsoft funded the study guaranteed a pro-Windows outcome.

    The original articles:

    - Report: Linux Vulnerabilities More Numerous And Severe Than Windows

    - Controversial Report Finds Windows More Secure Than Linux

    - Blog: Perfectly Good Rants Gone To Waste

    - Blog: Earthquakes, Fire, Mudslides, Riots

    In an e-mail with the subject line "poor journalism and M$ bias," reader Chris Updegrove, of Sacramento, Calif., wrote:

    "A significant flaw in the title of your March 22, 2005 article 'Report: Windows Security Beats Linux' is that Red Hat Enterprise server is not Linux, but a Linux distribution. The title of the article calls the bias of InformationWeek into question." Updegrove read the article on our sister site, InformationWeek.com. "An unbiased title would read something like 'Microsoft-Funded Report Claims Windows Security Beats Red Hat Linux.' An unbiased journalist would have asked tougher questions about the testing criteria, and would have made a point of informing the reader that more secure Linux distributions like Slackware and Gentoo were not part of the comparison.

    "Over 40 Linux distributions are available for comparison, yet only one commercial version of a Linux distribution was used for the security comparison. Marketing-communications firm AvanteGarde recently published the results of a penetration test which examined the security of Microsoft Windows, Macintosh OS X, and Linspire's distribution of Linux. The Windows boxes were compromised within four minutes, while the Linspire and Mac OS X boxes were not compromised at all. To make the conclusion 'Windows security beats Linux' without first clarifying what Linux is, without scrutinizing the testing criteria, or comparing the report to similar reports is misleading and inaccurate.

    "Many Windows security vulnerabilities are reported in security forums, newsgroups, and in IRC channels months, if not a year or more before Microsoft acknowledges the vulnerability and makes it 'public.' The average number of days of risk per vulnerability reported in your article is not accurate if that number is based on the date Microsoft acknowledges the vulnerability. You may want to attend Defcon 13 this year, where you will learn about the Windows security vulnerabilities you will write about next year (when they are made 'public')."

    Updegrove raises a point made by several readers: that Red Hat is only one Linux distro, and not the most secure one, and a more fair comparison would have pitted Windows against other distros.

    Eric Wagner (no relation to me) wrote: "I think the problem is comparing Red Hat to Windows. We run 30+ Debian boxes and two Red Hat boxes. I'll give you one guess as to the only ones we've had problems with."

    Brandon Bohannon: "There are more secure Linux distributions. I subscribe to a Linux security newsletter and every Friday they have a list of vulnerabilities by distribution, and Red Hat and Fedora almost always have the most vulnerabilities. Researchers need to run one of their studies on Windows vs. EnGarde Secure Linux, or Slackware. EnGarde hasn't had a vulnerability reported since July 2004, and Slackware hasn't had one reported since November 2004. Researchers probably pick Red Hat because it's the most commercialized."

    Dave Nelson, information security officer for the City of Virginia Beach, Virginia, said a skilled systems administrator is more important to security than which operating system is used.

    "The system being secured by the most talented admin is the one I'll take every day of the week," he said. "Operating systems come and go but knowledge is here to stay. Find yourself an admin who knows your system inside and out, then tell everyone else to take a leap."

    He added that most security problems come not from software vulnerability, but from user error.

    Joseph S. Vislocky, chief information officer for Wilmac Corporation, said: "As to whether Linux is more secure than Windows, I can only judge by real-life experience. I have Linux in use as firewall/router at all Internet interface points in my organization. During the evolution of our security scheme, we have been attacked regularly via Internet attacks, viruses and spyware. Some of the attacks have been marginally successful on both the Linux and Windows machines. I have found that successful attacks on Windows are more numerous and onerous to cleanse. Ultimately, I believe that with the proper level of expertise, Linux can be made far more punch-proof than Windows can be. There are just too many things that Microsoft doesn't document well (or at all) that can hurt you."

    Steve Ellison, technical analyst II at the University of Pitt-Bradford, said Linux is designed to be more secure than Windows. "Case in point is user creation. Linux has you create and log in with a standard (read: non-privileged) user account. When you need the extra privileges you can su to root. Windows, on the other hand, creates your primary account as an administrator. Conveniently enough, it also leaves the account wide open by not making you specify a password."

    He added: "In the end, the level of security of any system is proportionate to the skill and knowledge of its user. I think that everyone would agree with me that the average Linux user is more knowledgeable than the average Windows user. So, one can infer that Linux is more secure because it is in the right hands."

    Readers said that the study's funding from Microsoft guaranteed a pro-Microsoft outcome.

    A reader signing his name as "Tony" said: "Have you ever heard of a case where Microsoft funded a study, the study determined that Linux was more secure, and the study was published?"

    Peter Spearing with the Akron Municipal Court Data Processing Department said: "Anyone who is old enough to have quit believing in the tooth fairy knows that nobody funds a report that is going to come up with conclusions that are against their interests. If Red Hat or Novell/SuSE funded a report on the subject I'd feel exactly the same way. I also think the whole subject is essentially a religious argument. Any networkable operating system can be attacked via said network. Use good sense, stay aware of the threats, and make backups."

    Patrick Durling: "You said 'In the end, the researchers note rightly, what's important is not who funded the study, but rather how the study was conducted.' You would be more correct to say, 'what's important is not who funded the study, but rather how the results of the study were interpreted.' Since it's possible the results were interpreted subjectively, it's important to understand the motivations of those who conducted the study. It is then logical that the person who funded the study would have an effect on the way the results would be interpreted. To believe this is not so is naive."

    Readers also commented on my criticisms of New York and New Yorkers.

    Jody Cody: "Aahhh, stuff it in your keister!!" Jody was one of several readers to use the word "keister," which is a fine word that should be used more often.

    Pat Babcock: "Don't be too hard on the New Yorkers. You'd be cranky, too, if you had to live with the realization that the light at the end of the tunnel was New Jersey."

    More Noteworthy Articles

    Microsoft Releases Major Windows Server 2003 Update: The first service pack for the server software includes numerous security fixes, as well as application updates to Internet Explorer and Outlook Express -- all meant to "reduce customer pain centered on server security."

    The 10 Worst Security Practices: Sometimes one whopper of a mistake can be more instructive than a binder's worth of best practices. We interviewed more than a dozen security consultants to arrive at our list. See which ones apply to you, and then learn how to do things better.

    Wayne Rash: VoIP 911 Problems Could Kill You: Voice over IP and cell service can't be relied on for 911 calls. That means that ripping out your conventional phone service could be a dangerous -- even deadly -- proposition.

    CoolWebSearch, Dubbed Adware's "Ebola," Tops Spyware Threat List: CoolWebSearch, adware that generates more than $300 million a year for its maker, is the "Ebola" of adware, and easily the most significant spyware threat on the Internet, an anti-spyware security firm says.

    Macs Becoming More Attractive Target For Attacks: As the Mac regains popularity, more vulnerabilities will likely surface. Mac users should watch out for spyware in particular.

    For more opinions, links, and humor about security, technology, and the Internet, see Wagner's Weblog. This week: Longhorn could be a tough sell for Microsoft; a LiveJournal user describes how he did his own detective work and, with a little luck, tracked the guys who stole his credit card; battlefield robo-docs; and links to anti-spyware resources elsewhere on the Internet.

    That's it for this week. Watch your keisters.

    Mitch Wagner
    Editor, Security Pipeline
    mwagner@cmp.com
    www.SecurityPipeline.com




    Top Security News

    Microsoft Releases Major Windows Server 2003 Update
    The first service pack for the server software includes numerous security fixes, as well as application updates to Internet Explorer and Outlook Express -- all meant to "reduce customer pain centered on server security."

    CoolWebSearch, Dubbed Adware's "Ebola," Tops Spyware Threat List
    CoolWebSearch, adware that generates more than $300 million a year for its maker, is the "Ebola" of adware, and easily the most significant spyware threat on the Internet, an anti-spyware security firm says.

    Internet Music Theft Likely To Survive Supreme Court Decision
    Even if entertainment companies win their Supreme Court battle for new authority to protect movies and music on the Internet, lawyers say it won't be easy to shut down the decentralized computer links used to trade songs and films.

    IPods Attract Sticky Fingers
    IPods are walking away from their rightful owners in New York subways, college dorms, and high schools. Victims, usually teen-agers, complain that they're out the hardware and downloaded music.

    Supreme Court Kicks Off Arguments In Grokster Suit
    The mostly silver-haired Supreme Court debated the file-swapping, instant-messaging world of the justices' grandchildren, openly worrying that allowing lawsuits to protect Internet movie and music rights could stunt development of the next iPod or other cool high-tech gadget.

    New Technology Reveals Invisible Fingerprints
    The technique, involving a tight beam of X-Rays, brings out fingerprints that wouldn't otherwise be visible to the naked eye. Also, investigators won't have to treat the fingerprints with powder, which alters them and blocks later chemical analysis.

    Pixalert Provides Porn Protection
    The software blocks inappropriate images from any source, including gateways, media, USB ports, 3G cellular, and Wi-Fi hotspots.

    Macs Becoming More Attractive Target For Attacks
    As the Mac regains popularity, more vulnerabilities will likely surface. Mac users should watch out for spyware in particular.

    Symantec's AntiVirus Vulnerable To Denial-Of-Service Attacks
    Symantec's Norton AntiVirus line has a pair of vulnerabilities that hackers could exploit to crash or hang a targeted PC.

    Stolen Laptop Exposes Data of 100,000
    A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.

    PC Tools Upgrades Anti-Spyware With Improved Keylogger Protection
    Spyware Doctor 3.2 also adds partial support for real-time protection, improved protection against spyware that attempts to re-install itself after it's been uninstalled by users, and against harmful cookies.

    TSA Passenger Screening Program Not Ready For Takeoff
    GAO says transportation security agency hasn't made enough progress on key issues of data sharing with airlines and privacy.

    Security Flaw Found In Trillian IM Client
    The popular client contains a security flaw that could allow a hacker to gain control of a person's computer.

    IE 'Unsafe' 98 Percent Of 2004, Say Consultants
    Mozilla and Firefox users were unsafe only 15 percent of the time.

    Feds Rule Banks Must Tell Customers Of Security Gaffes
    Banks must warn consumers when information has been accessed without authorization if that "could result in substantial harm or inconvenience to the customer."

    First IM Phishing Attack Hits Yahoo
    Yahoo Messenger users are getting IM spam with links to a bogus Web site that looks like an official Yahoo page. The site asks them to log in with their Yahoo username and password. Users who fall for the ploy give hackers access to any information in their Messenger profile, as well as full access to their contact, or buddy, list.

    Identity Theft Scaring Off Online Consumers
    Millions of consumers are switching banks and avoiding online shopping out of fear of having their personal data stolen by crooks, a research firm says.

    GAO: SEC Data Controls Not Strong Enough
    The Securities and Exchange Commission hasn't effectively implemented IT controls to protect the integrity, confidentiality, and availability of its financial and sensitive data, congressional auditors find.

    Despite Latest Patches, Firefox Still Beats IE On Security
    The Mozilla Foundation pushes out a new version of Firefox to patch three vulnerabilities, and experts say greater adoption is spurring needed security repairs.

    Symantec Rolls Out Hosted E-Mail Security
    Managed security service will fight spam and viruses while offering ease of use and a lower price, vendor says.


    Editor's Picks

    The 10 Worst Security Practices
    Sometimes one whopper of a mistake can be more instructive than a binder's worth of best practices. We interviewed more than a dozen security consultants to arrive at our list. See which ones apply to you, and then learn how to do things better.

    Wayne Rash: VoIP 911 Problems Could Kill You
    Voice over IP and cell service can't be relied on for 911 calls. That means that ripping out your conventional phone service could be a dangerous -- even deadly -- proposition.

    Rob Enderle: Let's Avoid A Spyware Witch-Hunt
    As the fervor to eliminate spyware grows, we need to come up with definitions of what is -- and isn't -- spyware, before we start banning legitimate and useful adware and other applications.

    Blog: There's Nothing More Fun Than A Bad Example
    The difference between the successful security manager and the failure can be summed up in two words: Plan ahead.

    Prospective Harvard Students Tossed For Hacking Admissions System
    119 prospective Harvard students used a published exploit to find out their admissions status. The exploit was easy to follow, but does that make what they did acceptable?

    A User's Guide To 802.1x Access Control And Authorization
    The IEEE's 802.1x standard plays a central role in many new security and access-control products. To take advantage of it, you must understand how authentication messages traverse your network. We show you the ins and outs of this emerging standard.

    ABCs Of Remote Access
    Get the fundamentals on connecting up remote users, including information and best practices on Virtual Private Networks, IPsec, SSL VPNs, and other technologies and business issues for remote access.

    Q&A With Allstate Security Boss Kim Van Nostern
    The veteran IT manager describes doing business in a highly regulated environment, the risks of thinking buying products will solve your security problems, and how her longtime experience in the technology and business sides of the company help her provide effective security.

    How To Defend Yourself Against An "Evil Twin" Wi-Fi Attack
    In an evil twin attack, hackers trick users into logging onto a wireless access point, and use the connection to steal IDs and passwords. Learn how to protect yourself by properly configuring your wireless devices and using good security practices.

    Opinion: IM Users Need Better Education About Phishing Dangers
    Reports are starting to indicate that the phishers have discovered the instant messaging waters. Is anyone surprised? You shouldn't be if you understand the inherent vulnerability of messaging systems of all types. However, in IM's case it's the naivete of users that's really causing the problem.

    Via Desktop Pipeline: Last Minute Tax Choices: PC or CPA?
    Taxpayers continue to wonder whether they are better off using tax software or calling their local accountant.

    Via Advanced IP Pipeline: 'Net Freedoms' Face Challenges
    It's easy to write off last week's story about Clearwire potentially blocking VoIP competitors as just a small, isolated case in the grander game of telecom. But it's just as easy to see the incident as another brick in the wall being built against a free and open Internet, something that shouldn't be taken for granted anymore.

    Via Advanced IP Pipeline: Cinderella Story Is Over For VoIP
    VoIP providers are starting to face a tough regulatory and competitive environment.

    ("Caddyshack" references are always appropriate. -- mitch w.)


    Via Network Computing: Desktop Management: Wrangle Your PC Into Submission
    Instead of getting out of Dodge when it's time to wrangle PCs into submission, take our advice: All a modern-day computer cowpoke needs is a thoroughbred management strategy. Saddle up, and we'll explain.

    Via InformationWeek: Langa Letter: Little-Known Options For Syncing Files In Windows
    Do you work on files in more than one location or on more than one PC? Fred Langa offers an overview of tools built right into Windows that can help.

    (Fred recommends the Briefcase as one choice for synching multiple PCs, and explains how it works. I've been staring at that darn Briefcase icon on various Windows desktops for a quarter of my life, and only now, after reading Fred's article, do I know what the heck it is. -- mitch w.)



    Voting Booth: Windows Vs. The World

    Cast Your Vote Now!
    Which operating system is more secure?

  • Windows
  • Linux
  • Mainframes
  • Macs
  • VMS
  • BSD
  • The skill of the administrator matters more than which platform you use.

    Answer, or we'll subject you to a marathon viewing of the 1983 TV series "Manimal."

    Poll Results: Staying Informed On IT Topics
    We asked: What's your favorite way to stay informed on IT topics?

  • Using a Web browser to surf to tech sites and blogs: 40%, 91 votes
  • Reading e-mail newsletters I subscribe to: 27%, 60 votes
  • Reading a printed magazine I can hold in my hands: 15%, 34 votes
  • Using an RSS reader or service to gather Web articles: 9%, 21 votes
  • Calling the Psychic Friends Network: 7%, 16 votes
  • I'd rather not read about IT topics: 2%, 4 votes

    Like I said last week: I was surprised by the relatively low performance of e-mail newsletters (27 percent of respondents), given that the overwhelming majority of respondents to our polls come from the newsletter. It's not too surprising that print magazines should score low (15%) in a poll conducted by a Webzine.

    I was surprised by the relatively low results for RSS (9 percent); other studies of our readers have ranked RSS as being more popular. But maybe I shouldn't have been surprised. After all, this is an e-mail newsletter, and my gut feeling is that people who use RSS don't like e-mail newsletters, and vice-versa.

    Finally, the relative popularity of our two joke answers — "the Psychic Friends Network" and "I'd rather not read about IT topics" — makes me take the whole poll with a grain of salt.

    This poll ran roughly concurrently across the entire line of TechWeb Pipeline sites; we'll bring you the overall results in an upcoming newsletter.

    And, finally, if you have anything to say about Windows security vs. other platforms, staying informed on IT topics, or any other subject, give me a shout-out at: mwagner@cmp.com. We'll publish the best of your responses.


    Get More Out Of Security Pipeline

    Try Security Pipeline's RSS Feed
    Security Pipeline's content is available via RSS feed: Get RSS link. The feed is also auto-discoverable to many RSS readers from the Security Pipeline home page. Note: RSS feeds are not viewable in most Web browsers. You need an RSS reader, Web-based service, or plug-in to view RSS. Find out which RSS readers the Pipeline editors recommend.

    Check Out Our Security Product Finder
    Don't reinvent the wheel. Find the right off-the-shelf product to do the job. How do you find the right one? Two words ... Product Finder:
       - Firewalls
       - Vulnerability Assessment
       - Enterprise Anti-Spam
       - Security Appliances

    Discover All The Pipelines
    Security Pipeline is part of a large series of specialized IT sites from the TechWeb Network. Find out more about the Pipelines on the TechWeb Network Pipeline Publications page. Every Pipeline site has its own newsletter. Give them a try!

    Recommend This Newsletter To A Friend
    Do you have a friend or colleague who might enjoy this newsletter? Please forward it to him or her and point out the subscription page.



    Manage Your Newsletter Subscription

    We take your privacy very seriously. Please review our Privacy Policy.

    Security Pipeline Newsletter
    A free service of Security Pipeline and the TechWeb Network.
    Copyright (c) 2004-2005 CMP Media LLC
    600 Community Drive
    Manhasset, NY 11030