Gostev's forum digest

[Gostev]

Btw, is there any "official" feedback channel if there is something really important regarding the digest? Or is this thread the right place?

Normally, readers just create the new topic to discuss the particular news. While this topics is for digest love/hate type of feedback

[ottl05]

In the last weeks, i‘m not receiving the mail with the digest anymore
I checked my preferences and all checked, but no mail for my monday morning coffee

[Nick-SAC]

FWIW I received mine last night: Sent Sun 1/5/2020 7:38 PM EST

Spam filter maybe?

[Gostev]

@ottl05 it would appear the email was erroneously rejected by your email server (despite that it contains valid signature and the server is present in SPF). I will DM your the log. Thanks!

[lasseoe]

Yet more Linux b.s. from Gostev in today's forum digest.

"Microsoft has released Sysmon for Linux last week and this is a big deal. Many security experts agree that Linux is a security visibility blackhole, which is something smart hackers know and leverage in their attacks. It's too easy to hack some unpatched and/or poorly secured 3rd party virtual or physical appliance and use that box as the "forward base" to study the entire environment while remaining undetected for as long as needed. Compare that with Windows, where detection capabilities are very strong and every worthwhile admin knows how to use Sysinternals tools to ensure their systems are clean from malicious inhabitants."

Who are these alleged security experts?

"It's too easy to hack some unpatched and/or poorly secured 3rd party virtual or physical appliance"
Doesn't matter which operating system it is - if the vendor is a muppet then you may have an issue. Also, just because it's an appliance doesn't mean it's poorly patched, unsecured or unable to be patched easily. From previous forum threads it's obvious Veeam struggles to build Linux appliances, but it's really not that complicated.

Using eBPF to monitor your Linux system in terms of security is nothing new, there are lots of products and companies using eBPF for this purpose. Hopefully Microsofts Sysinternals for Linux will have less security holes than their Azure OMI agents.
That being said, if people would use SELinux instead of disabling it, you have a VERY secure system, it doesn't help that Veeam themselves literally tell their customers that it's ok to disable SELinux https://www.veeam.com/kb2986 .

It may be that detection capability in Windows are strong, but it hardly matters because the average Windows admin has no clue so it goes unsused and unnoticed. And yes I agree that "worthwhile admin knows how to use Sysinternals tools", it's just a shame there are so few of them.

[marksf]

Hearing that the most popular cheap NAS has issues with data loss, would this be Synology by any chance? Don't want to not know when we have some of those units out there holding backups!

[DonZoomik]

Probably Gostev is referring to this tweet: https://twitter.com/GossiTheDog/status/ ... 79489?s=20
I think you missed the point a bit. Or to add a bit to your last paragraph:
Windows has pretty user/admin friendly detection tools. eBPF is a cool but hard to approach without some kind of intermediate tool to simplify the interface. Tools exist but aren't that well known and IMHO much less used than similar interfaces on Windows. Often Linux is blindly assumed to be safe by default, regardless of how it's configured - Windows is known target for threat actors so it's often better defended.

[soncscy]

> Windows is known target for threat actors so it's often better defended.

I'd argue this I guess. Constantly with clients, we inherit Windows environments that don't even have rudimentary security practices or monitoring in place, and even after implementing them in a hardening series, my team comes back a month or two later to find all the changes reverted because "it was too difficult to use Windows like this."

Windows' permissions handling is a mess and not even Microsoft themselves seems to fully understand their model well. Combine this with opaque GPOs, and it's no wonder people just turn a lot of this stuff off. For workstations, it's mostly enough to lock it down since the users aren't running infrastructure anyways and don't need wide permissions, but for servers, System Admins themselves often cannot figure out a balance of usability and security. I think this is further stressed by licensing and too many multipurpose servers, with IT teams trying to squeeze as much out of every Windows license they can to keep costs down. When this happens, you end ups with far too many competing security levels from the different roles for a server, it becomes a nightmare to manage, and eventually people just give up trying to make it work.

With Linux at least, you can more easily isolate systems since there isn't an inherent license cost in just spinning up another linux box (in most cases). That proper linux security and linux admins are pretty rare is another story entirely.

But I would not say that Windows is better defended; quite the opposite. I think in general it ends up pretty open just because security in Windows makes it inoperable for a lot of people.

[DonZoomik]

Yeah... can't argue with that. But I guess our prespectives are different. Most small shops do squeeze everything into one box, no so much in larger enterprises (Datacenter licensing etc). IMHO enterprise Windows systems are far more often closely monitored and guarded than Linux ones. In my experience there's a minimum company size threshold when you start caring about security at all and when you do, focus is mostly on Windows. Smaller shops may also use Linux but these systems are IMHO basically neglected.
In context of original argument: I know quite a few places that run Sysmon on clients and/or servers, however I know no place that would run anything similar on Linux (even much larger places than those running Sysmon).

[alesovodvojce]

Gostev said

"So if this does not convince you to finally stop deploying low-end NAS for your backup storage, then I don't know what else will. Honestly, I don't even know why they are still on the table after so many years of us recommending against using them... especially when our users admit that the cost difference of going with a general-purpose server is negligible but the benefits go well beyond just having a storage you can trust"

But mentioned the data losses seems unrelated to backup role. Or are they? And if not, is low-end NAS evil for any data storage, because it corrupts stored data?

[Gostev]

Of course. However, on most of the file formats low-end NAS typically store, these silent data corruptions are completely unnoticeable.

[alesovodvojce]

This is disturbing as such info really changes the general way how to look on lowend NASes. I used to look on their RAID with trust. Thanks