Information Security News mailing list archives

Study claims Linux most hacked but ignores malware


From: InfoSec News <isn () c4i org>
Date: Mon, 1 Mar 2004 05:05:15 -0600 (CST)

http://www.smh.com.au/articles/2004/03/01/1077989482304.html

[Funny thing is I used to get the mi2g news alerts all the time, but
it abruptly stopped because they either got sick of me replying back
asking where the hell they got their numbers from and mailing again a
few days later wondering where my answer was, or they figured that I
wasn't part of the media sheep that took their press releases on its
face value and printed it as news.

More background on mi2g at:
http://www.attrition.org/errata/charlatan.html#mi2g     - WK]


By Sam Varghese 
March 1, 2004 

In what appears to be an econometric approach to the analysis of 
server compromises and website defacement, a London-based group is 
claiming that Linux is the most breached online server and the BSDs 
and Mac OSX the safest. 

mi2g, which describes itself as a digital risk specialist, claimed 
that the number of successful attacks against Windows servers had also 
fallen - but said it had not taken into account the numerous malware 
attacks against this operating system. Additionally, mass website 
defacements were counted as multiple attacks - as many as the websites 
involved. 

As to the reason for leaving out malware as a source of server or 
website compromise, the group's Intelligence Unit said: "The recent 
global malware epidemics have targeted the Windows OS and have not 
caused any significant economic damage to systems running Open Source 
including Linux, BSD and Mac OS X. Therefore, the mi2g Intelligence 
Unit study has been limited to overt digital attacks perpetrated by 
hackers, who target all flavours of Operating Systems." 

The group said it had analysed 17,074 successful digital attacks
against online servers and networks in January 2004: Linux accounted
for 13,654 breaches, Windows for 2,005, and BSD and Mac OS X for 555
breaches worldwide.

Asked about the reasoning behind its decision to treat mass website 
defacements as multiple attacks, a spokesperson said: "Mass website 
attacks are counted as multiple attacks because although there is a 
single action on the part of the attacker, economic damage is always 
done to multiple victims. Where the attack succeeds in reaching 
connected middle-layer and back end servers then in each attacked 
website's case, those back end systems are also unique." 

The company estimated the overall worldwide economic damage from
hacker-perpetrated overt, covert and DDoS digital attacks as being
between $US2.34 billion and $US2.86 billion.

In the past, estimates made by mi2g have been questioned. For
example, the figure of $US38.5 billion it advanced for the damage
wrought by the MyDoom worm was termed "absurd" by Rob Rosenberger,
the editor of Vmyths, a site dedicated to the eradication of computer
virus hysteria.

The questions asked of mi2g and the company's answers are given below 
in full: 



A total of 17,000-odd "successful digital attacks" are mentioned. From 
where were the details of these attacks obtained - from Zone-H.org? 


"mi2g is principally reliant on data for SIPS and EVEDA from a number 
of sources: 

"1. Personal relationships at CEO, CFO, CIO, CISO level within the 
banking, insurance and reinsurance industry in Europe, North America 
and Asia. We have been involved in pioneering cyber liability 
insurance cover for Lloyd's of London syndicates which has given us 
access to case histories since the mid 1990s. 

"2. Monitoring hacker bulletin boards and hacker activity. We have 
several white hat hackers who we use for penetration testing and 
developing our Bespoke Security Architecture that feed digital risk 
information through to us on a continuous basis including 
vulnerabilities, exploits and the latest serious attacks they are 
aware of. 

"3. We maintain anonymous communication channels with a large number 
of black hat hacker groups. 

"Cases of systems attacked are systematically screened by Intelligence 
Unit personnel to ascertain hacker motivation and country of origin. 
Domain specific knowledge such as hacker contact details and the 
relationships between hacker groups are extracted automatically. 

"EVEDA collects its information from a variety of open sources and 
calculates the economic damage associated with a particular digital 
attack based on a unique set of algorithms developed by the mi2g SIPS 
team in conjunction with risk analysts and economists." 



If a mass defacement of a server occurs - and by this I mean if a 
single server hosting 100 websites is penetrated due to a 
vulnerability in a Perl or PHP script for example - how many digital 
attacks does that comprise according to your intelligence unit? 


"Mass website attacks are counted as multiple attacks because although 
there is a single action on the part of the attacker, economic damage 
is always done to multiple victims. Where the attack succeeds in 
reaching connected middle-layer and back end servers then in each 
attacked web site's case, those back end systems are also unique. 

"When insurance cover for cyber liability was pioneered it was 
originally conceived around single IP addresses. Later on, technology 
allowed multiple domain hosting to be achieved with the same IP 
address, to the point that "1000's" of sites can all now be located on 
the same IP. 

"An insurance company has to pay those "1000" companies when a denial 
of service, business interruption, customer or supplier liability 
insurance claim is invoked as a direct result of vandalism or other 
criminal activities. 

"These days insurance policies are structured around profit centres 
and domains rather than just on IP addresses. Each attack incident, if 
verified, is classed as a unique attack regardless of whether it 
occurred repeatedly, ie, once every two days or once every month and 
regardless of whether it was part of a mass attack or not. 

"The liabilities for each of the "1000" attacks will tend to spread 
across the customers and suppliers of each profit centre entity. So, 
it is inconceivable that it can be treated as one single attack from 
an insurance customer perspective." 
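The counting dispute above (every defaced site as a separate attack versus one incident per compromised server), worked through as an added example that is not mi2g's or the article's code. The records are constructed, and the (date, IP) key is an assumed proxy for "same server, same action"; it shows how the convention alone shifts the Linux share.

```python
from collections import Counter

# Constructed sample records (not real data): one entry per defaced site, the
# way a per-site defacement feed would list them. The six entries on
# 192.0.2.10 model one shared-hosting server defaced in a single action.
RECORDS = [
    {"date": "2004-01-05", "ip": "192.0.2.10", "site": f"site{n}.example", "os": "Linux"}
    for n in range(1, 7)
] + [
    {"date": "2004-01-12", "ip": "192.0.2.11", "site": "shop.example", "os": "Linux"},
    {"date": "2004-01-07", "ip": "192.0.2.20", "site": "corp.example", "os": "Windows"},
    {"date": "2004-01-09", "ip": "192.0.2.21", "site": "news.example", "os": "Windows"},
    {"date": "2004-01-15", "ip": "192.0.2.30", "site": "mail.example", "os": "BSD"},
]


def per_site_counts(records):
    """mi2g's convention: every defaced site is a separate attack."""
    return Counter(r["os"] for r in records)


def per_incident_counts(records):
    """Alternative convention: collapse sites sharing (date, ip) into one
    incident. The key is an assumed proxy for 'same server, same action';
    a fuller analysis would also consider attacker handle and timestamp."""
    incidents = {}
    for r in records:
        incidents.setdefault((r["date"], r["ip"]), r["os"])
    return Counter(incidents.values())


def share(counts):
    """Fraction of the total attributed to each OS, rounded to 3 places."""
    total = sum(counts.values())
    return {os_name: round(n / total, 3) for os_name, n in counts.items()}


if __name__ == "__main__":
    # Same ten records: Linux is 70% of "attacks" per site but 40% per incident.
    for label, counts in (("per site", per_site_counts(RECORDS)),
                          ("per incident", per_incident_counts(RECORDS))):
        print(f"{label:13s} {dict(counts)} shares={share(counts)}")
```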



How can a study on operating system safety exclude malware attacks 
when they are a major source of security breaches and practically all 
occur due to a high level of integration between applications and the 
core operating system? 


"With most of these malware attacks the main points of vulnerability 
that are exploited are social engineering based, ie, targeting the 
gullible users who may open executable attachments. That coupled with 
the dominance of a particular operating system can lead to very 
damaging malware epidemics. 

"The security of an operating system itself however, is best measured 
in terms of the use of remote exploits to control that operating 
system, which are rarely used by most of the email borne malware that 
has caused most of the damage in January and August, the months that 
were referenced in the specific study you mention."

