[LINK] server security
Richard.Chirgwin at informa.com.au
Mon Mar 1 08:39:04 EST 2004
I think I've remarked on Mi2g in the past, but...
While there are some nice warm feelings to be had out of the story (it was
also covered in Australia - ZDNet?), much of the methodology is out of reach
of scrutiny. If you're not in Mi2g's "circle", even the media release has to
be paid for (went and checked the site; 30 pounds to click on the media
It's easy to get into a religious argument, and I don't want to do that! But
from the very thin data that's actually released to the media, some
questions occur to me:
What was Mi2g's definition of "breached"?

This is important because a cracker successfully (say) defacing a Website
does not *necessarily* constitute breaking the underlying operating system.
It can just as easily mean that X number of system administrators left the
default passwords running.

What was breached?

Saying that "this site" was breached could mean that the attackers
compromised the Web server software (eg Apache) but not the "operating
system". Without data, you can't safely draw a conclusion.

Correlating to what?

Without any correlation between "number of servers attacked" and "total
proportion of systems exposed to the Internet" there is no relative measure
of security. Mind you, BSD would I guess be sufficiently common to attract a
higher proportion of attacks.

Another important point regarding correlation: did Mi2g "de-dupe" its
figures for an attack at a server farm which in one breach compromised many

Finally, there's the question of how to confirm the two legs of the data:
"This site was successfully attacked, and was running this operating
system." Assume for a moment that Mi2g did not make 17,000+ telephone calls
in January to putative "successfully attacked" sites to confirm the
information. In other words, it got its server OS identity from automated
sources. Without a reality check, the data itself has to be considered, at
best, a rough guideline rather than a firm conclusion.

It's the sort of media release which makes a nice, low-effort filler, but as
information, it's got too many weaknesses for my taste; its sole purpose was
to generate Mi2g stories.

> -----Original Message-----
> From: Stephen Loosley [mailto:stephen at melbpc.org.au]
> Sent: Monday, March 01, 2004 1:13 AM
> To: link at www.anu.edu.au
> Subject: [LINK] server security
>
> Study shows Mac OS X Server among most secure in world
> By Brad Cook
>
> British cyber security firm mi2g <http://www.mi2g.net/> recently announced
> the results of a study that names Mac OS X one of the most secure online
> server operating systems in the world, alongside the Berkeley Software
> Distribution (BSD) family of Open Source systems.
>
> The study also showed that Linux is currently the most-breached online
> server OS.
>
> The study was conducted by mi2g's Intelligence Unit, which looked at the
> overall number of attacks against government and private sector online
> servers, as well as the percentage of successful attacks, for the month of
> January. Linux bore the brunt of 80 percent of the overall attacks,
> followed by Microsoft Windows at 12 percent and BSD and Mac OS X at 3
> percent, together.
>
> The total number of successful attacks, according to mi2g, was 17,074, of
> which Linux accounted for 13,654, Windows 2,005, and BSD and Mac OS X 555.
>
> Looking strictly at successful attacks against government servers, Linux
> comprised 57 percent of those, followed by Windows at 35 percent and BSD
> and Mac OS X at 0 percent, which the company notes is a first for that
> category. <snip> mi2g noted that the numbers exclude attacks caused by
> viruses, worms and Trojan Horses.