[ISN] Study claims Linux most hacked but ignores malware

From: InfoSec News (isn@private)
Date: Mon Mar 01 2004 - 03:05:15 PST


    http://www.smh.com.au/articles/2004/03/01/1077989482304.html
    
    [Funny thing is I used to get the mi2g news alerts all the time, but
    it abruptly stopped because they either got sick of me replying back
    asking where the hell they got their numbers from and mailing again a
    few days later wondering where my answer was, or they figured that I
    wasn't part of the media sheep that took their press releases on its
    face value and printed it as news.
    
    More background on mi2g at: 
    http://www.attrition.org/errata/charlatan.html#mi2g     - WK]
    
    
    By Sam Varghese 
    March 1, 2004 
    
    In what appears to be an econometric approach to the analysis of 
    server compromises and website defacement, a London-based group is 
    claiming that Linux is the most breached online server and the BSDs 
    and Mac OS X the safest. 
    
    mi2g, which describes itself as a digital risk specialist, claimed 
    that the number of successful attacks against Windows servers had also 
    fallen - but said it had not taken into account the numerous malware 
    attacks against this operating system. Additionally, mass website 
    defacements were counted as multiple attacks - as many as the websites 
    involved. 
    
    As to the reason for leaving out malware as a source of server or 
    website compromise, the group's Intelligence Unit said: "The recent 
    global malware epidemics have targeted the Windows OS and have not 
    caused any significant economic damage to systems running Open Source 
    including Linux, BSD and Mac OS X. Therefore, the mi2g Intelligence 
    Unit study has been limited to overt digital attacks perpetrated by 
    hackers, who target all flavours of Operating Systems." 
    
    The group said it had analysed 17,074 successful digital attacks 
    against online servers and networks in January 2004, with Linux 
    accounting for 13,654 breaches, and Windows for 2005 followed by BSD 
    and Mac OS X with 555 breaches worldwide. 
    
    Asked about the reasoning behind its decision to treat mass website 
    defacements as multiple attacks, a spokesperson said: "Mass website 
    attacks are counted as multiple attacks because although there is a 
    single action on the part of the attacker, economic damage is always 
    done to multiple victims. Where the attack succeeds in reaching 
    connected middle-layer and back end servers then in each attacked 
    website's case, those back end systems are also unique." 
    
    The company estimated the overall economic damage worldwide from hacker 
    perpetrated overt, covert and DDoS digital attacks as being 
    between $US2.34 billion and $2.86 billion. 
    
    In the past, estimates made by mi2g have been questioned - for 
    example, the figure of $US38.5 billion it advanced as a figure for the 
    damage wrought by the MyDoom worm, was termed "absurd" by Rob 
    Rosenberger, the editor of Vmyths, a site dedicated to the eradication 
    of computer virus hysteria. 
    
    The questions asked of mi2g and the company's answers are given below 
    in full: 
    
    
    
    A total of 17,000-odd "successful digital attacks" are mentioned. From 
    where were the details of these attacks obtained - from Zone-H.org? 
    
    
    "mi2g is principally reliant on data for SIPS and EVEDA from a number 
    of sources: 
    
    "1. Personal relationships at CEO, CFO, CIO, CISO level within the 
    banking, insurance and reinsurance industry in Europe, North America 
    and Asia. We have been involved in pioneering cyber liability 
    insurance cover for Lloyd's of London syndicates which has given us 
    access to case histories since the mid 1990s. 
    
    "2. Monitoring hacker bulletin boards and hacker activity. We have 
    several white hat hackers who we use for penetration testing and 
    developing our Bespoke Security Architecture that feed digital risk 
    information through to us on a continuous basis including 
    vulnerabilities, exploits and the latest serious attacks they are 
    aware of. 
    
    "3. We maintain anonymous communication channels with a large number 
    of black hat hacker groups. 
    
    "Cases of systems attacked are systematically screened by Intelligence 
    Unit personnel to ascertain hacker motivation and country of origin. 
    Domain specific knowledge such as hacker contact details and the 
    relationships between hacker groups are extracted automatically. 
    
    "EVEDA collects its information from a variety of open sources and 
    calculates the economic damage associated with a particular digital 
    attack based on a unique set of algorithms developed by the mi2g SIPS 
    team in conjunction with risk analysts and economists." 
    
    
    
    If a mass defacement of a server occurs - and by this I mean if a 
    single server hosting 100 websites is penetrated due to a 
    vulnerability in a Perl or PHP script for example - how many digital 
    attacks does that comprise according to your intelligence unit? 
    
    
    "Mass website attacks are counted as multiple attacks because although 
    there is a single action on the part of the attacker, economic damage 
    is always done to multiple victims. Where the attack succeeds in 
    reaching connected middle-layer and back end servers then in each 
    attacked web site's case, those back end systems are also unique. 
    
    "When insurance cover for cyber liability was pioneered it was 
    originally conceived around single IP addresses. Later on, technology 
    allowed multiple domain hosting to be achieved with the same IP 
    address, to the point that "1000's" of sites can all now be located on 
    the same IP. 
    
    "An insurance company has to pay those "1000" companies when a denial 
    of service, business interruption, customer or supplier liability 
    insurance claim is invoked as a direct result of vandalism or other 
    criminal activities. 
    
    "These days insurance policies are structured around profit centres 
    and domains rather than just on IP addresses. Each attack incident, if 
    verified, is classed as a unique attack regardless of whether it 
    occurred repeatedly, ie, once every two days or once every month and 
    regardless of whether it was part of a mass attack or not. 
    
    "The liabilities for each of the "1000" attacks will tend to spread 
    across the customers and suppliers of each profit centre entity. So, 
    it is inconceivable that it can be treated as one single attack from 
    an insurance customer perspective." 
    
    
    
    How can a study on operating system safety exclude malware attacks 
    when they are a major source of security breaches and practically all 
    occur due to a high level of integration between applications and the 
    core operating system? 
    
    
    "With most of these malware attacks the main points of vulnerability 
    that are exploited are social engineering based, ie, targeting the 
    gullible users who may open executable attachments. That coupled with 
    the dominance of a particular operating system can lead to very 
    damaging malware epidemics. 
    
    "The security of an operating system itself however, is best measured 
    in terms of the use of remote exploits to control that operating 
    system, which are rarely used by most of the email borne malware that 
    has caused most of the damage in January and August, the months that 
    were referenced in the specific study you mention."
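
    The dispute over mass defacements above comes down to a counting 
    rule: mi2g counts one record per victim site, while the article's 
    question counts one record per attacker action against a server. The 
    script below is an added illustration, not code from the article, 
    from mi2g or from Zone-H, and the feed it processes is constructed 
    for the example (the IPs, domains and group names are placeholders). 
    It counts a Zone-H style list of defacement records both ways and 
    shows how the per-OS share moves when a shared-hosting Linux box with 
    many virtual hosts is involved. Records from the same attacker against 
    the same IP within a one-hour window (an assumed grouping rule) are 
    treated as one incident; a return visit days later counts again.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data): one record per defaced site,
# roughly in the shape of a defacement mirror entry.
# Fields: timestamp, attacker handle, server IP, defaced domain, reported OS.
SAMPLE_FEED = [
    # One shared-hosting Linux box, eight virtual hosts hit in two minutes.
    ("2004-01-12 02:14", "crewX", "203.0.113.10", "alpha.example", "Linux"),
    ("2004-01-12 02:14", "crewX", "203.0.113.10", "beta.example", "Linux"),
    ("2004-01-12 02:14", "crewX", "203.0.113.10", "gamma.example", "Linux"),
    ("2004-01-12 02:15", "crewX", "203.0.113.10", "delta.example", "Linux"),
    ("2004-01-12 02:15", "crewX", "203.0.113.10", "eps.example", "Linux"),
    ("2004-01-12 02:15", "crewX", "203.0.113.10", "zeta.example", "Linux"),
    ("2004-01-12 02:16", "crewX", "203.0.113.10", "eta.example", "Linux"),
    ("2004-01-12 02:16", "crewX", "203.0.113.10", "theta.example", "Linux"),
    # Same attacker returns to the same box two days later: a new incident.
    ("2004-01-14 23:40", "crewX", "203.0.113.10", "gamma.example", "Linux"),
    # A dedicated Linux server, one site.
    ("2004-01-20 11:02", "solo", "203.0.113.44", "shop.example", "Linux"),
    # Two Windows servers, one site each.
    ("2004-01-18 09:30", "solo", "198.51.100.5", "corp.example", "Windows"),
    ("2004-01-25 17:05", "crewY", "198.51.100.7", "news.example", "Windows"),
    # One BSD server, one site.
    ("2004-01-27 04:11", "crewY", "192.0.2.9", "mail.example", "BSD"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def per_site_counts(feed):
    """mi2g's rule: every defaced site is its own attack, keyed by OS."""
    return Counter(os_name for _, _, _, _, os_name in feed)


def per_incident_counts(feed, window=timedelta(hours=1)):
    """One incident per attacker action: records from the same attacker
    against the same IP that start within `window` of the incident's first
    record are merged. Returns a Counter keyed by OS."""
    by_target = defaultdict(list)
    for ts, attacker, ip, _, os_name in feed:
        by_target[(attacker, ip, os_name)].append(_parse(ts))

    counts = Counter()
    for (attacker, ip, os_name), stamps in by_target.items():
        stamps.sort()
        incident_start = None
        for stamp in stamps:
            # Open a new incident when there is no current one or the gap
            # from the current incident's start exceeds the window.
            if incident_start is None or stamp - incident_start > window:
                incident_start = stamp
                counts[os_name] += 1
    return counts


def os_share(counts):
    """Percentage share per OS, rounded to one decimal place."""
    total = sum(counts.values())
    return {os_name: round(100.0 * n / total, 1) for os_name, n in counts.items()}


if __name__ == "__main__":
    for label, counts in (("per site", per_site_counts(SAMPLE_FEED)),
                          ("per incident", per_incident_counts(SAMPLE_FEED))):
        print(f"{label:13s} {dict(counts)}  share={os_share(counts)}")
```

    Run stand-alone it prints both tallies: counted per site the sample 
    shows Linux with roughly three quarters of the breaches, counted per 
    incident Linux has half, with the Windows and BSD numbers unchanged. 
    The only difference is the counting rule, which is the article's point 
    about where the 13,654 figure comes from.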
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Mar 01 2004 - 05:31:37 PST