Study claimed Linux most hacked but ignores malware
In what appears to be an econometric approach to the analysis of
server compromises and website defacement, a London-based group is
claiming that Linux is the most breached online server and the BSDs
and Mac OSX the safest.
mi2g, which describes itself as a digital risk specialist, claimed
that the number of successful attacks against Windows servers had also
fallen - but said it had not taken into account the numerous malware
attacks against this operating system. Additionally, mass website
defacements were counted as multiple attacks - as many as the websites
involved.
As to the reason for leaving out malware as a source of server or
website compromise, the group's Intelligence Unit said: "The recent
global malware epidemics have targeted the Windows OS and have not
caused any significant economic damage to systems running Open Source
including Linux, BSD and Mac OS X. Therefore, the mi2g Intelligence
Unit study has been limited to overt digital attacks perpetrated by
hackers, who target all flavours of Operating Systems."
The group said it had analysed 17,074 successful digital attacks
against online servers and networks in January 2004, with Linux
accounting for 13,654 breaches, Windows for 2,005, and BSD and Mac OS X
for 555 breaches worldwide.
Asked about the reasoning behind its decision to treat mass website
defacements as multiple attacks, a spokesperson said: "Mass website
attacks are counted as multiple attacks because although there is a
single action on the part of the attacker, economic damage is always
done to multiple victims. Where the attack succeeds in reaching
connected middle-layer and back end servers then in each attacked
website's case, those back end systems are also unique."
The company estimated the overall economic damage from
hacker-perpetrated overt, covert and DDoS digital attacks worldwide as
being between $US2.34 billion and $US2.86 billion.
In the past, estimates made by mi2g have been questioned - for
example, the $US38.5 billion figure it advanced for the damage wrought
by the MyDoom worm was termed "absurd" by Rob Rosenberger, the editor
of Vmyths, a site dedicated to the eradication of computer virus
hysteria.
The questions asked of mi2g and the company's answers are given below
in full:
A total of 17,000-odd "successful digital attacks" are mentioned. From
where were the details of these attacks obtained - from Zone-H.org?
"mi2g is principally reliant on data for SIPS and EVEDA from a number
of sources:
"1. Personal relationships at CEO, CFO, CIO, CISO level within the
banking, insurance and reinsurance industry in Europe, North America
and Asia. We have been involved in pioneering cyber liability
insurance cover for Lloyd's of London syndicates which has given us
access to case histories since the mid 1990s.
"2. Monitoring hacker bulletin boards and hacker activity. We have
several white hat hackers who we use for penetration testing and
developing our Bespoke Security Architecture that feed digital risk
information through to us on a continuous basis including
vulnerabilities, exploits and the latest serious attacks they are
aware of.
"3. We maintain anonymous communication channels with a large number
of black hat hacker groups.
"Cases of systems attacked are systematically screened by Intelligence
Unit personnel to ascertain hacker motivation and country of origin.
Domain specific knowledge such as hacker contact details and the
relationships between hacker groups are extracted automatically.
"EVEDA collects its information from a variety of open sources and
calculates the economic damage associated with a particular digital
attack based on a unique set of algorithms developed by the mi2g SIPS
team in conjunction with risk analysts and economists."
If a mass defacement of a server occurs - and by this I mean if a
single server hosting 100 websites is penetrated due to a
vulnerability in a Perl or PHP script for example - how many digital
attacks does that comprise according to your intelligence unit?
"Mass website attacks are counted as multiple attacks because although
there is a single action on the part of the attacker, economic damage
is always done to multiple victims. Where the attack succeeds in
reaching connected middle-layer and back end servers then in each
attacked web site's case, those back end systems are also unique.
"When insurance cover for cyber liability was pioneered it was
originally conceived around single IP addresses. Later on, technology
allowed multiple domain hosting to be achieved with the same IP
address, to the point that "1000's" of sites can all now be located on
the same IP.
"An insurance company has to pay those "1000" companies when a denial
of service, business interruption, customer or supplier liability
insurance claim is invoked as a direct result of vandalism or other
criminal activities.
"These days insurance policies are structured around profit centres
and domains rather than just on IP addresses. Each attack incident, if
verified, is classed as a unique attack regardless of whether it
occurred repeatedly, ie, once every two days or once every month and
regardless of whether it was part of a mass attack or not.
"The liabilities for each of the "1000" attacks will tend to spread
across the customers and suppliers of each profit centre entity. So,
it is inconceivable that it can be treated as one single attack from
an insurance customer perspective."
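To make the counting dispute concrete, here is an added illustration (not mi2g's data or method): constructed defacement records for one Linux shared host with 100 virtual-hosted sites and two single-site Windows servers, tallied both per defaced website, as mi2g does, and per attacker action against a server. The incident ids, IP addresses and OS labels are assumed sample values.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Defacement:
    """One defaced website. Records sharing an incident_id come from a single
    attacker action, e.g. one shared host compromised via one script flaw."""
    incident_id: str
    server_ip: str
    os_family: str
    domain: str


def mass_defacement(incident_id, server_ip, os_family, n_sites):
    """Constructed records for one server compromise hitting n_sites domains."""
    return [Defacement(incident_id, server_ip, os_family,
                       f"site{i}.{incident_id}.example")
            for i in range(1, n_sites + 1)]


# Constructed sample, not from the mi2g study: one Linux shared host with
# 100 virtual-hosted sites plus two separately compromised Windows servers.
SAMPLE = (
    mass_defacement("inc-1", "192.0.2.10", "Linux", 100)
    + mass_defacement("inc-2", "192.0.2.20", "Windows", 1)
    + mass_defacement("inc-3", "192.0.2.21", "Windows", 1)
)


def count_per_site(records):
    """mi2g's rule: every defaced website is a separate attack."""
    return Counter(r.os_family for r in records)


def count_per_incident(records):
    """Alternative rule: one attacker action against one server is one attack."""
    seen = {}
    for r in records:
        seen.setdefault((r.incident_id, r.server_ip), r.os_family)
    return Counter(seen.values())


def linux_share(counts):
    """Fraction of counted attacks attributed to Linux under a given rule."""
    total = sum(counts.values())
    return counts.get("Linux", 0) / total if total else 0.0


if __name__ == "__main__":
    for name, fn in (("per site", count_per_site), ("per incident", count_per_incident)):
        c = fn(SAMPLE)
        print(f"{name:13s} {dict(c)}  Linux share={linux_share(c):.0%}")
```

The same three compromises yield 98% Linux under per-site counting and 33% under per-incident counting, which is the effect the question above is probing.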
How can a study on operating system safety exclude malware attacks
when they are a major source of security breaches and practically all
occur due to a high level of integration between applications and the
core operating system?
"With most of these malware attacks the main points of vulnerability
that are exploited are social engineering based, ie, targeting the
gullible users who may open executable attachments. That coupled with
the dominance of a particular operating system can lead to very
damaging malware epidemics.
"The security of an operating system itself however, is best measured
in terms of the use of remote exploits to control that operating
system, which are rarely used by most of the email borne malware that
has caused most of the damage in January and August, the months that
were referenced in the specific study you mention."