WannaCrypt Makes an Easy Case for Linux

[Megalith]

This guy admits that it’s a tired argument but is using the recent/current ransomware fiasco to raise awareness for Linux and its security benefits again. Yes, you’ve heard most of it before: businesses should all switch from Windows, as it is a huge target for exploits, but he does try to make a novel point by noting that more and more companies are switching to Software as a Service (SaaS) or the cloud (meaning that work is increasingly done through a web browser), making Linux deployment more practical and sensible now. Er, wouldn’t Linux just become as vulnerable as Windows if its usage were to rise to the same level…

Don't get me wrong, I'm not saying Linux is perfect. Any system connected to a network can fall victim to something. But the truth of the matter is, by design, Linux is far less susceptible to the likes of WannaCrypt than is Windows. How do I know this? I've been using Linux as my only operating system (on servers and desktops) since 1997 and have only encountered one instance of malicious code (a rootkit on a poorly administered mail server). Those are some pretty good odds there. Imagine, if you will, you have deployed Linux as a desktop OS for your company and those machines work like champs from the day you set them up to the day the hardware finally fails. Doesn't that sound like a win your company could use?

 

[Zarathustra[H]]

Er, wouldn’t Linux just become as vulnerable as Windows if its usage were to rise to the same level…

Certainly, obscurity is a part of the advantage Linux holds over windows, but it is far from the only advantage.

Even if Linux had a user base similar in size to Windows, it's fundamental design elements and fast easy updates of not just the OS itself, but all installed applications mean that it would still hold a significant advantage over Windows even if it lost its advantage by relative obscurity.

 

[lcpiper]

Certainly, obscurity is a part of the advantage Linux holds over windows, but it is far from the only advantage.

Even if Linux had a user base similar in size to Windows, it's fundamental design elements and fast easy updates of not just the OS itself, but all installed applications mean that it would still hold a significant advantage over Windows even if it lost its advantage by relative obscurity.

i can't fucking resist.

I'm sorry


So now, Linux is better because so few people use it....

It'll be fucking great when no one uses it

 

[Daeron]

Guess I gotta put on my boots to read this one...

 

[otherweeb]

pfft!

Currently reading this on my un-hackable abucus.

 

[dgingeri]

I've worked with both. Linux has its place, but file server is NOT one of them. Linux file shares and file systems simply do NOT have the flexibility businesses need, mostly in assigning rights to folders and files. Linux is great for web servers, web proxies, and databases, but NOT for file services.

 

[Vader1975]

Linux has always been a somewhat fragmented community but there are definitely some business friendly distributions with full business support available. There have been basic business software applications for linux for many years and I have seen more companies running thinbooks and ultrabooks with Linux connecting to cloud services. I have also seen some chromebooks and an increasing number of macbooks. As OSX is an offshoot of BSD (long story), it also has plenty of software for business available as well. If a company truly would like to leave Microsoft behind... they absolutely could do so. They can also get high-quality professional support and virtual server and services support and mail server support etc. Now while I am definitely seeing more use of non-microsoft OS's, I am also seeing a lot of windows 10 penetration and am hearing the typical banter about Microsoft updates breaking software. Then they start trying to block updates to keep business working smoothly due to Microsofts rather horrible update testing. I have seen 4 different updates from Microsoft in the last year disrupt millions of dollars in business. So I fully understand why businesses start blocking Microsofts half-baked updates. Then I see a new virus or ransomware come out and everyone screams about people not taking Microsofts updates. I then laugh because Microsoft causes this. They don't test them enough and cause too much disruption. I do not hear about these types of issues from the Linux and OSX users from their software side on a regular basis, but I have heard some grumblings from Mac users about some hardware having issues after a OSX update. I assume a major Linux kernel update could also cause such a thing, but the ram down your throat before its ready mentality of Microsoft doesn't seem to be the norm in professional linux distros. I could see linux coming under more serious attack if it gained significant marketshare.

 

[Cyraxx]

The security is a direct reflection of the user base.

Which would you rather.... Hack a system and have access to 300 users, none of which are more likely to have money than the other... Or would you rather have 300,000?

 

[Galvin]

Windows 10 has linux built in, if anything people will just stick with windows.

 

[vegeta535]

Also Linux is hackers baby and they wouldn't do anything to make it look bad. Not too mention Linux is open source. Wouldn't it be a lot easier to find vulnerabilities or push compromised builds?

 

[lcpiper]

Also Linux is hackers baby and they wouldn't do anything to make it look bad. Not too mention Linux is open source. Wouldn't it be a lot easier to find vulnerabilities or push compromised builds?

You bring up an excellent point. When Red Hat first showed up I was confused, "why would anyone pay for a Red Hat when Linux in general was free?"

Then I got into the real working world and realized that businesses don't want free. They can't bill for free, they can't justify costs for free, how do you go to a customer and tell him you want to charge him for something that you got for free?

What's more is, businesses use their clout as paying customers to promote change. I need this so change up the next release and add support for what I need. If you are paying someone then you have leverage, but if it's free what leverage do you have? Nothing at all.

This is why businesses don't support free, and why Red Hat was able to make a go of a business model built on something that was free. Red Hat said "I'm going to charge you for our Linux OS and because you are paying, we'll be listening".

Just thought this was a good time to bring that up.

 

[webdev511]

If One Billion people used Linux on personal computers, then One Billion people would still be the target of criminals.

 

[Zarathustra[H]]

I've worked with both. Linux has its place, but file server is NOT one of them. Linux file shares and file systems simply do NOT have the flexibility businesses need, mostly in assigning rights to folders and files. Linux is great for web servers, web proxies, and databases, but NOT for file services.

I can see that. It can be a bit difficult to get the file and user permissions right, but once you figure it out it's not bad.

I run my file server at home under Linux, and wouldn't even consider a windows box for that role, but I don't have to continually add and remove users.

If you are experienced enough you can set up a Linux install to communicate with Active directory, and run scripts to setup new user permissions and remove old ones, but I've never done it, as I've never needed to.

 

[Ur_Mom]

How do I know this? I've been using Linux as my only operating system (on servers and desktops) since 1997 and have only encountered one instance of malicious code (a rootkit on a poorly administered mail server). Those are some pretty good odds there.

This bugs me. I've been using Windows since Windows 2. I've only personally encountered a couple instances of malicious code. I do know there is a shit ton out there, though. This guy may have only encountered one instance, but there have been many more. Personally, for me, the odds are great for me to continue to use Windows. I'm a safe, protected, good computer user. I'm sure if I downloaded and clicked on everything in Linux, I'd be more susceptible to infections, too. Not as high as Windows (which is the major target as you're getting grandma, execs, 90+% of computer users), but it's still a possibility.

I still like Linux, though. I just don't think his experience should dictate the odds. Just because he has only personally experienced the one instance doesn't mean others don't exist. Just make sure all the info is on the table.

If I told people to not run anti-virus, that'd be dumb. But, some people don't run it and just don't click on anything or download anything questionable and have never had an issue.

 

[jkw]

(Disclaimer: I'm a Linux fanboy)

Linux is only *seemingly* more secure because it is targeted less AND because Linux users are typically more security savvy. If you replaced every Windows install with Red Hat or Ubuntu or whatever other popular Linux OS, we'd see a dramatic increase in compromises and malware. Why? Because Linux is full of vulnerable code, and because endlusers would break it and make it less secure. The average endluser is not security savvy and will definitely fuck up something as complex and powerful and Linux (complex to them, but simple and beautiful to me). If you don't believe that Linux is more vulnerable, then go count the # of Windows vulnerabilities and compare it to Linux vulnerabilities. Check CVE, NVD, Red Hat Security, Linux Kernel and Ubuntu websites for proof.

Also, it's worthy noting that Windows can be locked down and made VERY secure. Linux can too ... if we lock it down so the endluser can't break it and make it insecure. Some Linux distros are pretty well locked down, but the 3rd party software packages they distribute are not. Mac OS has the same issues as Linux, but Apple has a head start because they have locked down OS X while still allowing power users to do their thing.

 

[Chuklr]

The best way to ensure one never finds a virus, trojan, malware, or other nasty is to never look for it.

 

[jkw]

The best way to ensure one never finds a virus, trojan, malware, or other nasty is to use ScriptSafe, ad blocker, and AV web protection when searching for midget porn.

Fixed that for you.

 

[Chuklr]

Are you spying on me!!!???

 

[jkw]

Data to support my crazy claim about Linux being less secure:
https://betanews.com/2015/02/22/os-x-ios-and-linux-have-more-vulnerabilities-than-windows/
https://www.lifehacker.com.au/2017/01/which-software-had-the-most-vulnerabilities-in-2016/

Important Caveat: Virtually every published Microsoft vulnerability gets a CVE, and a smaller percentage of Linux vulns do.

 

[Simmonz]

Not surprised, the NHS are already thinking of moving to Ubuntu.

 

[DukenukemX]

i can't fucking resist.

I'm sorry


So now, Linux is better because so few people use it....

It'll be fucking great when no one uses it

That depends on what you think people are using? For example, Android is linux. Most routers are linux. Good amount of web servers run linux. Google's entire business runs linux. I think they use Ubuntu or something.

But yea we're talking about desktop OS's here. But otherwise there's plenty of incentive to write Linux ransomware. It's just not easy to do.

I've worked with both. Linux has its place, but file server is NOT one of them. Linux file shares and file systems simply do NOT have the flexibility businesses need, mostly in assigning rights to folders and files. Linux is great for web servers, web proxies, and databases, but NOT for file services.

That's odd, since Linux is superior to Windows in performance when it comes to file services. And Linux has a plethora of file systems to choose from. Nearly all NAS's run Linux.

 

[DukenukemX]

Windows 10 has linux built in, if anything people will just stick with windows.

Bash isn't Linux, it's just a small part of it.

 

[leezard]

Certainly, obscurity is a part of the advantage Linux holds over windows, but it is far from the only advantage.

it's fundamental design elements and fast easy updates of not just the OS itself, but all installed applications mean that it would still hold a significant advantage over Windows even if it lost its advantage by relative obscurity.

Until people start disabling updates...

 

[BHenry]

Coming from the security scanning side of things, we get a ton of vulnerabilities that have to be fixed on Linux also. Also, who the hell names the vulnerabilities? Dirty Cow, Eternal Blue, logjam, so on...

 

[prime2515102]

I tried several times to run Linux but the learning curve was well beyond my attention span. I reckon I should bite the bullet and finally educate myself. My gaming days are just about over anyway (I was killed by a tree the other day in Crysis fer corn sakes!) so it's probably a good idea.

 

[lcpiper]

...
But yea we're talking about desktop OS's here. But otherwise there's plenty of incentive to write Linux ransomware. It's just not easy to do.....[/MEDIA]

It's no harder to write code to hammer a Linux box over a Windows box other than you might have to learn other ways to exploit things. The issue isn't difficulty, it's payoff. There's little incentive in it and businesses and such that use Linux have solid DR capabilities.

We have Linux servers on our network, sure you could hurt one, (if you could get on our network that is, we aren't connected to the internet or outside the building for that matter), but the systems are certainly vulnerable to something. But they are also VMs, if the VM can't be restored the datastore that holds it can be restored. Of course any business that protects itself in this way is immune to any lasting and serious attack. No the individual user doesn't have such resources available so they are much more vulnerable. But it's not because of the OS involved, it's about what kind of resources you have.

 

[heatlesssun]

Bash isn't Linux, it's just a small part of it.

The Windows Linux Subsystem is far more than Bash, it's essentially Linux running on top of Windows, essentially it's the reverse of Wine.

 

[heatlesssun]

Also, who the hell names the vulnerabilities? Dirty Cow, Eternal Blue, logjam, so on...

Porn script writers?

 

[Lakados]

This is a Cyclic argument at best, if Linux had the same user base as Windows it would be a much more lucrative target, and people trying to break it would increase dramatically. WannaCrypt is an example of why you should do your damned updates and Linux servers are just as likely if not more so to go without updates longer than a Windows PC or Server. At the end of the day it is the user on the computer and who set the hardware up that is responsible for 99% of a systems security, Microsoft tried to implement a more Linux like security with UAC and I think we all know how that turned out.

 

[andrewaggb]

meh - linux won't help. It has most of the same issues. I've seen plenty of linux boxes hacked. And almost always because they aren't kept up to date and more services and ports are open to the world than necessary.

 

[dgingeri]

That depends on what you think people are using? For example, Android is linux. Most routers are linux. Good amount of web servers run linux. Google's entire business runs linux. I think they use Ubuntu or something.

But yea we're talking about desktop OS's here. But otherwise there's plenty of incentive to write Linux ransomware. It's just not easy to do.


That's odd, since Linux is superior to Windows in performance when it comes to file services. And Linux has a plethora of file systems to choose from. Nearly all NAS's run Linux.

Linux file rights are simply read, write, and execute for the owner of the file, the members of the group owners of the file, and all others. There aren't really any directory level rights, and nothing inherits. It's just not flexible enough. Performance means little if the files can't be secured down or can't be adjusted tot he needs of the company. And, yes, Linux has a bunch of different file systems and runs a bunch of NAS devices. Whoop-dee-doo. Those devices are for when half a dozen people need access to the files, not a department of 40 or a company of 300. Those NAS devices are horrible for security and even worse for flexibility. The file systems are great for flexibility for drive configuration and redundancy, but can't do a tenth of what NTFS can do for security and sharing flexibility, and Windows has made lightyears of progress in drive configuration flexibility with Storage Spaces, more than enough to leave all of Linux behind in that area. With Storage Spaces, I can put together a group of 12 drives and make one virtual drive on it with mirroring redundancy, one with dual parity redundancy, and one with just basic striping across all the same drives, all with hot spares and hot swapping drives all handled by software. Linux has nothing to match that. Performance was pretty bad with the first version, but that has improved with the second version, and will likely improve as it becomes more developed.

What about user security on Linux? Linux can't even do that natively. Any user level security is done through Samba, NFS only has security in restricting certain IPs from accessing the share, and what use is that? It wouldn't take any half competent script monkey a minute to bypass that security. Samba and CIFS might be a little better, but it still pales in comparison to Windows user level security and control. I could (and do) have a file share that a whole department could log into while one group has access to 14 folders within it, but only a certain subgroup has access to 3 more folders on that share. I have one share for home folders where everyone has access to the root, but all the subfolders are only accessible to their owners and the domain admins. Plus, proper 'best practices' can be done with Windows in assigning rights to folders and shares only done by groups, and then add users to the group to control who gets what access. That simply can't be done in any means with Linux.

 

[WorldExclusive]

Will those Linux machines still be connected to the Internet?
These experts still think the OS/machine is the problem.

 

[heatlesssun]

This is a Cyclic argument at best, if Linux had the same user base as Windows it would be a much more lucrative target, and people trying to break it would increase dramatically. WannaCrypt is an example of why you should do your damned updates and Linux servers are just as likely if not more so to go without updates longer than a Windows PC or Server. At the end of the day it is the user on the computer and who set the hardware up that is responsible for 99% of a systems security, Microsoft tried to implement a more Linux like security with UAC and I think we all know how that turned out.

I don't think any organization that has a good update process got hit with this, we didn't. But we have an excellent update process.

 

[lcpiper]

Exactly correct

If there is an argument to be made regarding this malware, it's that organizations and individuals need to keep their shit patched regardless of what OS or update method they choose to employ. They will either be effective or they will not but the proof is in the pudding.

 

[Zarathustra[H]]

meh - linux won't help. It has most of the same issues. I've seen plenty of linux boxes hacked. And almost always because they aren't kept up to date and more services and ports are open to the world than necessary.

More often than not, when I see Linux boxes compromised, it's because the person who set it up left the default passwords in place.

Sure, there are privilege escalation exploits on *nix systems as well, but they are much rarer, and when they are discovered, they are typically patched much more quickly.

Certainly, if Linux saw the userbase that Windows currently ha, more malware would be written for it, but they still wouldn't be even remotely close to equal.

 

[heatlesssun]

Certainly, if Linux saw the userbase that Windows currently ha, more malware would be written for it, but they still wouldn't be even remotely close to equal.

Perhaps not but ultimately if one doesn't properly maintain their systems, shit will happen. We're talking about people who didn't even have decent anti-virus or IDS setup. Maybe Linux would prevent them these kinds of attacks but the quality of the IT management that people who got hit with this is a pretty clear sign that they're easily hackable folks, the OS wouldn't really help them that much if they are that bad at managing their IT infrastructure.

 

[Zarathustra[H]]

Perhaps not but ultimately if one doesn't properly maintain their systems, shit will happen. We're talking about people who didn't even have decent anti-virus or IDS setup. Maybe Linux would prevent them these kinds of attacks but the quality of the IT management that people who got hit with this is a pretty clear sign that they're easily hackable folks, the OS wouldn't really help them that much if they are that bad at managing their IT infrastructure.

That's a fair assessment

 

[Zarathustra[H]]

Windows 10 has linux built in, if anything people will just stick with windows.

What good does running Linux as a guest do you, if the host it's running on top of gets pwnt?

 

[heatlesssun]

Exactly correct

If there is an argument to be made regarding this malware, it's that organizations and individuals need to keep their shit patched regardless of what OS or update method they choose to employ. They will either be effective or they will not but the proof is in the pudding.

There's absolutely nothing new about WannaCry. Use a well documented remote execution flaw in Windows that's been patched or can be mitigate several ways and deliver a payload. The only reason why these kinds of attacks work is because some people just refuse to learn and do the most basic stuff.

 

[heatlesssun]

What good does running Linux as a guest do you, if the host it's running on top of gets pwnt?

True, fortunately Windows 10 wasn't even targeted by this worm which I thought was interesting though Shadow Brokers did mention that they had specs on attacks for Windows 10 and mentioned 10 by name, the only OS they mentioned by name. Though this SMB flaw was in 10 as well.