Showing posts with label Linux. Show all posts

Friday, March 21, 2014

Security & Hacking: Ars article "Ancient Linux Servers"

Ars article "Ancient Linux Servers" http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/, worth reading.

They reference Cisco blog post http://blogs.cisco.com/security/mass-compromise-of-the-obsolete/

In addition to the articles, I found many of the comments on the Ars article worth reading. Though I suggest reading all of them, I have quoted a few of the best ones, IMVHO.

Note: I use brackets [] to indicate comments or links I have inserted in the original quote:

"Not updating systems is bad practice that too many admins still go by. When I came onboard with my current employer it took a great culture shift to get everybody to understand why security updates are so important. One year later and our update cycle is nearly perfected.

There is no excuse for this anymore. Virtualize your servers, snapshot VMs before making changes, update and revert if a problem occurs. Clone a VM and build a test environment to check before doing it in production. For every excuse there are established best practices and mitigation techniques to deal with them.
"
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483315#comment-26483315

"I'm a Linux fan. Glad it's around.

But, Linux made lots of headway as a cheap secure alternative to Microsoft. If I had a penny for every time someone said, "We'll be fine, it's a Linux box we're deploying on the internet and not a Microsoft server" ....

The thing is, like the Mac, Linux has been viewed as bulletproof. In 2007, I was working through the SANS 560 course and we utilized a publicly available kernel exploit for 2.6 to gain root. It was beautiful, just compile, run and BOOM, you were root. Linux was never bulletproof.

This is simply more (unnecessary) evidence that when we decide a platform is secure, we become complacent and end up in this situation. Anything with software should be treated as vulnerable as long as it has power and network connectivity.
"
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483323#comment-26483323

SunnyD posted:
"Here's the problem when it comes to updating infrastructure systems like these for system administrators:

It's not a matter of security, it's a matter of "If it ain't broke, don't you even dare try to fix it."

If history as sysadmins has taught us nothing it's that the constant cycle of updates, especially on mission-critical machines, puts our job security on the lines. Especially when a lot of these machines are running custom code with dependencies that end up being the very security liabilities that get patched.
"
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483235#comment-26483235

Responding directly to SunnyD's comment:

"There is a concept for this, it's called "technical debt" [Cliff: Wikipedia Technical Debt]. I'm not saying it's any one person's fault, but it is a flawed system. Keeping pushing off the problem until you're painted into a corner."
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483329#comment-26483329

There are also many comments from people that cover some of the real world limitations with implementing the best practices.

Though I am a long way from being an expert on computer & internet security, at best I'd consider myself an apprentice.

I think these exploits & the comments quoted above clearly illustrate that Linux has vulnerabilities like any OS, something I have been certain was true for some time.

But I still felt troubled when I would see the oft-repeated "Linux is more secure".

That always felt like simple security through obscurity, which we know is no security at all.

There are certainly different tradeoffs between operating systems, not sure more can be objectively claimed.

Except perhaps, that certain OS tend to be better fit for certain types of applications, but IMO that is just a restatement of the differing tradeoffs.

It should also be realized that smart hackers can certainly look at Best Practices as a starting point for attacks, so defenders certainly should as well.

Some Best Practices resources:

Tuesday, March 18, 2014

Security & Hacking: Windigo compromises 25+ thousand Unix & Linux servers

Detailed report for experts: http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

More general audience article http://arstechnica.com/security/2014/03/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits/

As anyone who is seriously into Computer Security or Hacking knows, it really doesn't matter what OS you're running, they are all vulnerable to attacks.

Though staying patched & updated is critical regardless of OS, a funny (scary) tidbit from the PDF was a few people browsing the net with Windows 98, and at least one on Windows 95!

EEK!

Not that old is bad, but generally old means not maintained.


Tuesday, November 6, 2012

Nerd News: Steam for Linux Limited Beta is out

http://steamcommunity.com/linux

They have around 24 games available so far, according to the post.

Have to see how widespread this really becomes, I might switch to Linux primarily for gaming, if enough of the games I am interested in are available after the Beta ends.

Monday, October 29, 2012

Nerd News: Valve Linux Beta

http://blogs.valvesoftware.com/linux/

Valve is beta testing Linux.

I know a lot of Nerds are excited about this, I am interested, though I am just getting into Linux myself.

Motivation for me is to get my old XP machines back into use, and also for security using Live CD, thinking I will probably study pen testing a bit as well.

Don't think I will get very serious about doing pen testing myself, but it will help a lot for understanding computer security.

Wednesday, September 26, 2012

Desert Stormfront RTS game for Android, Windows, Linux, & Mac



A serious RTS game for Android, also available for Windows, Linux, or Mac, but not iOS.

From reviews I have read, this game sounds great for serious RTS gamers, but has a steep learning curve, and is probably not a good choice for total RTS Noobs.

More info available at his forum http://www.multiplayerhub.com/board/

The game requires Android OS 2.0 or higher and a minimum screen resolution of 800x480px.

LITE version available for free, links below.

Earlier version of this game, set in Island maps, called Tropical Stormfront is also available.

The Dev's site http://www.noblemaster.com/ 

The Game's site http://www.operationstormfront.com/

Though I always suggest getting apps from Google's store or Amazon for security (nothing against his or any Dev's storefront, I am just very careful about downloads, YMMV), downloads for Android, Windows, Linux, & Mac are available direct at http://www.operationstormfront.com/purchase.html


Google's Play Store:
Desert Stormfront LITE very LONG LINK
Desert Stormfront https://play.google.com/store/apps/details?id=com.desertstormfront.android.full 

Tropical Stormfront LITE very LONG LINK
Tropical Stormfront https://play.google.com/store/apps/details?id=com.tropicalstormfront.android.full

Amazon, full disclosure, I am Amazon Associate, so if you buy with Amazon link I get a little money, doesn't affect your price:

Desert Stormfront Lite
Desert Stormfront
 
Tropical Stormfront LITE
Tropical Stormfront

Tuesday, July 17, 2012

Nerd News: "Ubuntu port of Steam, Source engine, and Left 4 Dead 2"

Story at Ars http://feeds.arstechnica.com/~r/arstechnica/index/~3/5n3_nAq1AkM/

They linked to Valve/Steam press release http://blogs.valvesoftware.com/linux/steamd-penguins/

This news should make a lot of Nerds happy!!!  ^_^

Sounds like they plan to port more games to Ubuntu, hopefully in the near future!