Michael Howard sent the following news article to one of our internal DL’s this morning. For some reason, I don’t think it’s going to hit the front page of Slashdot any time soon:
Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.
The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.
“When we went in and did a further investigation, we found that there was an IRC bot installed on the system,” Marshall said.
So Antioch’s Solaris systems were (a) compromised by an old vulnerability, and (b) were being used as botnet clients. Both of which the slashdot crowd claim only happens on “Windoze” machines.
At what point do people pull their heads out of the sand and realize that computer security and patching disciplines are an industry-wide issue and not just a single platform issue? Even after the Pwn2Own contest last month was won by a researcher who exploited a flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow “windows only”. Ubuntu even published a blog post that claimed that they “won” (IMHO they didn’t, because Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows). The reality is that nobody “wins” these contests (except maybe the security researcher who gets a shiny new computer at the end). It’s just a matter of time before the machine will get 0wned.
Ignoring stories like this make people believe that somehow security issues are isolated to a single platform, and that in turn leaves them vulnerable to hackers. It’s far better to acknowledge that the IT industry as a whole has an issue with security and ask how to move forwards.
Edit: Ubunto->Ubuntu (oops :))