2004 started off on shaky ground with a flaw found in mremap(), a piece of kernel code that controls virtual memory. It affected versions 2.2, 2.4, and 2.6. It was later discovered that the same vulnerability had been used to exploit several high-profile Linux development sites in November 2003. Patches were released in early January by each of the major distributions, and the flaw was fixed in subsequent kernel releases. In February, a second mremap vulnerability was discovered by the Polish security consulting firm ISec. The second mremap flaw was unrelated to the first, but just as serious: in theory, it could result in a denial of service or privilege escalation to root. Vendors responded much more quickly in this second instance; fixes for 2.4 and 2.6 were released in a matter of hours. In March, Paul Starzetz of ISec released proof-of-concept exploit code for the second mremap flaw, the one disclosed in February. Several news sites failed to read the March report accurately and reported that a third kernel flaw had been found. This was wrong, but it sparked a lot of interest in the rumor. Many were relieved to find out that the "third vulnerability" was in fact a misinterpretation.

It was beginning to look like the "year of the kernel flaw," but luckily things quieted down in the second quarter. The remaining portion of the year was scattered with other kernel vulnerabilities, but none received as much press as mremap. Another notable one was discovered in 2.6 last October. It was claimed that the vulnerability could be used to shut down 2.6-based systems remotely. It only affected systems using iptables-based firewalls, because the flaw had to do with the way 2.6 handled firewall logging. Patches were released and the problem was resolved.
The volume of press generated by kernel vulnerabilities is ever increasing. With the growing number of major enterprises adopting Linux as an operational component, trade magazines are dedicating a greater percentage of their editorial scope to it. From a journalist's perspective, flaws in the kernel make great news items. They invoke fear, causing people to pay attention. While news of the mremap vulnerability may not sway the opinion of you or me, it has great potential to make a CIO reluctant to adopt that long-term Linux project all of his techs have been begging for. This year though, the Linux community has stepped up, fixed its problems, and walked away with a lot of class. Instead of headlines reading, "Is Linux Ready for the Enterprise?," journalists were writing pieces about the efficiency of open source leading to a quick resolution. Rather than being criticized because of its flaws, Linux was praised because of its ability to work through issues. Finally, people were starting to realize that large proprietary software companies often deny that vulnerabilities exist and sneak in security patches during upgrades. Linux is about openness and full disclosure, a great benefit to all of its users.
The flip side is that full disclosure can be very overwhelming. For example, 35 Linux vendor security advisories were released last week alone. One can easily see this by taking a few minutes to walk through our Linux security advisory archive. Roughly 35 advisories a week for an entire year is 1,820. When other proprietary operating system vendors release a much smaller number of advisories per year, people draw quick and inaccurate conclusions. For example, suppose Microsoft released 50 advisories and Linux vendors released 2000 in a given time period. 50 is less than 2000; therefore Windows must be more secure. Of course this is flawed logic, but in previous years people believed such numbers. Often, people failed to realize that Linux advisories are released for each individual package, for each distribution, and in many cases for very minor theoretical problems. In previous years, the full picture was not taken into account. Now, the public as well as many journalists are starting to realize that the severity of a vulnerability is also an important factor. Rather than the discovery of a vulnerability being considered another failure for Linux, it is now seen as a success by many because it is one less unknown flaw. This year particularly, I have seen a shift in the IT community's way of thinking. Rather than ignoring vulnerabilities until they're a much bigger problem, much more emphasis is being placed on proactive resolution. In my opinion this is a major step in the right direction.
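As an added illustration of the counting fallacy described above (example code written for this edit, not from the original article), the script below takes a constructed set of advisories and reports, per vendor group, the raw advisory count, the number of distinct underlying issues, and a severity-weighted score. The vendor names, issue ids, and severity weights are made up for the demonstration.

```python
from collections import defaultdict

# Constructed sample data, not real advisories. Each record is
# (vendor, package, underlying issue id, severity). The same underlying
# issue reappears once per distribution and once per affected package,
# which is exactly what inflates a raw advisory count.
SAMPLE_ADVISORIES = [
    ("DistroA", "kernel", "ISSUE-0001", "critical"),
    ("DistroB", "kernel", "ISSUE-0001", "critical"),
    ("DistroC", "kernel", "ISSUE-0001", "critical"),
    ("DistroA", "libfoo", "ISSUE-0002", "low"),
    ("DistroB", "libfoo", "ISSUE-0002", "low"),
    ("DistroA", "foo-utils", "ISSUE-0002", "low"),
    ("DistroC", "bar", "ISSUE-0003", "moderate"),
    ("VendorX", "os", "ISSUE-0004", "critical"),
    ("VendorX", "os", "ISSUE-0005", "critical"),
]

# Hypothetical weights; any monotonic scale makes the same point.
SEVERITY_WEIGHT = {"low": 1, "moderate": 3, "important": 7, "critical": 10}

# Map each advisory publisher to the group being compared.
GROUPS = {"DistroA": "Linux", "DistroB": "Linux", "DistroC": "Linux",
          "VendorX": "Windows"}


def summarize(advisories, group_of):
    """Return {group: {raw_advisories, distinct_issues, weighted_score}}."""
    raw = defaultdict(int)
    issues = defaultdict(dict)  # group -> {issue_id: worst severity seen}
    for vendor, _package, issue_id, severity in advisories:
        group = group_of.get(vendor, vendor)
        raw[group] += 1
        prev = issues[group].get(issue_id)
        if prev is None or SEVERITY_WEIGHT[severity] > SEVERITY_WEIGHT[prev]:
            issues[group][issue_id] = severity
    return {
        group: {
            "raw_advisories": raw[group],
            "distinct_issues": len(issues[group]),
            "weighted_score": sum(SEVERITY_WEIGHT[s] for s in issues[group].values()),
        }
        for group in raw
    }


if __name__ == "__main__":
    for group, metrics in summarize(SAMPLE_ADVISORIES, GROUPS).items():
        print(group, metrics)
```

On the sample data the "Linux" group publishes 7 advisories for 3 underlying issues, while "Windows" publishes 2 advisories for 2 issues whose combined severity is higher, so the ranking flips depending on which number is compared.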
While the question of Linux security vs. Windows security has always been around, 2004 has been plagued with groups of analysts and independent researchers trying to authoritatively answer that question. British-based mi2g called Linux the "most breached" OS, while Linux security experts considered the findings false because the virus/worm threat was not factored into the analysis. Windows advocates claim that Windows systems are breached more because they are a much more attractive target; Linux administrators claim that Windows systems are compromised more because they're impossible to secure. It has been a year of dueling reports. One month "Linux is less secure," the next, "Windows is less secure." In the midst of all the swirling FUD, some truth did come out: security depends on the administrator. Although I strongly believe that Linux has the potential to be more secure, I won't claim that it always is. The security of any system depends greatly on its administrator. Lazy operating practices lead to stupid mistakes that can be exploited. Although high-profile vulnerabilities exist, many are only theoretical, or exploit code is not widespread. A significant number of compromises are still caused by poor configuration practices or badly outdated software. A proactive administrator greatly reduces the likelihood of major compromise regardless of the operating system. However, an open source operating system such as Linux provides an unmatched level of flexibility that allows a willing administrator to secure a system to any level he or she desires.
One of the more interesting announcements in 2004 was the Mozilla Foundation offering a $500 bounty to those who discover bugs in its software. As I wrote previously, proactive measures are becoming common practice, not just a vague concept in an information security professional's dreamland. Other projects, such as Ethereal and several other open source projects, announced updates for vulnerabilities found during code audits. I see this as great progress.
Like clockwork, SANS/FBI released its Top-20 vulnerability list. Some of the most significant Unix vulnerabilities outlined include BIND, web servers, authentication, version control systems, SNMP, SSL, misconfigured services, databases, and the kernel. (SANS/FBI Top-20)
The projects that we've been working on at Guardian Digital are close to my heart. 2004 has been a record year in many ways. We've announced the release of two new monthly newsletters, released new versions of EnGarde Secure Professional, the Intrusion Detection and Defense System, and Secure Mail Suite, proactively protected customers from Linux kernel flaws, created and announced a worldwide partner division, continued to increase our customer base, and created a program to help companies address Sarbanes-Oxley compliance. In the past month, Guardian Digital's major announcement has been the launch of the new LinuxSecurity.com. We updated the site to include all the old features many have grown to depend on while adding new ones to better serve our readership. From a purely operational perspective this includes implementing an open source content management system, upgrading servers, and increasing bandwidth capacity. It has been an amazing year for us at Guardian Digital. Without your support, none of this would be possible.
2004 has been a year of increased statistics. As predicted, security attacks are on the rise, the volume of spam has increased, viruses and worms continue to increase in severity, and security continues to grow as a concern. In the corporate world, this is mostly due to Sarbanes-Oxley. Because there are now strict penalties for negligence, executive management in most corporations is starting to get the picture and call for drastic improvements in security.
From a home user's perspective, security is also playing a larger role. Windows users are adopting 'personal firewalls' at an increased rate, and others are getting disgusted by a continuously hijacked browser and an increasing number of spyware applications. This constant nuisance has led many to look for alternatives, which has fueled greater interest in Linux and Firefox. Although 2004 has been an active year in security, it has not been revolutionary. From a technological perspective the year has been semi-quiet. This past year, many have focused on improving the process of security rather than looking for a magic bullet. Again, I think this is a sign of InfoSec's growing maturity. However, in my opinion it is mostly due to the fact that most have been working on a tightly constrained budget. While there have been reports suggesting several terrorist organizations have been taking a much closer look at information security, viruses continue to run rampant in the Windows world, and DDoS attacks continue to be a major problem, I have not lost all confidence in the IT industry's ability to improve overall security.
In my opinion, the single most significant factor holding back progress is user education. While companies can implement security awareness and training programs, the average home user does not stand a chance. New hacks and scams are invented each day. Unless a user is proactively aware, sooner or later they will be fooled. Although phishing attacks have existed for quite some time, they became mainstream in 2004. I'm not sure a day goes by when I don't receive at least one email asking me to 'verify my PayPal information' or 'reactivate my eBay account.' Although I have not fallen for any of these scams, countless others have. It is just another form of social engineering that is difficult (if not impossible) to solve purely with technology. User knowledge is as important as ever.
In the Linux community, security continues to be a major concern and priority. Security is now viewed as a differentiator rather than a nuisance. While distributions like EnGarde Secure Linux, Trustix, and others have taken security seriously from the beginning, others such as Red Hat and Gentoo are looking to make SELinux an integral part of their distributions. The implementation of security may differ between distributions, but everyone's goal is the same. Some users prefer greater security, others prefer ease of use. It is up to you to find the distribution which best fits your needs and goals. Also, it is important to stay informed and make implementation changes whenever necessary. Security is a road to be traveled, not a destination.