Is anything sacred?

[watcharacters]

I thought Linux was equal to or better than Apple for security.

maybe I was wrong.

http://allthingsd.com/20131130/a-new-worm-proves-that-the-internet-of-things-is-vulnerable-to-attack/?reflink=ATD_yahoo_ticker

[dmsnsa]

I wouldn't call this a new worm, or a new style of attack vector. Picking out system defaults & trying to leverage them doesn't take a great deal of skill. As the article states, "The worm is designed to take advantage of an 18-month-old vulnerability in the OS that presents a Web interface to users for setting it up.", not very innovative. I've been a Sysadmin where Linux and other Open Source operating systems & associated applicaiton software has been the mainstay for almost 20 years & you bet Linux has vulerabilities. You have to update it & configure it properly or it's just as vulerable as any thing else out there. The nice thing about the Open Source community, it's a vibrant community that responds quickly to software bugs & issues fixes quickly. Again anything, improperly configured sitting on the Interent whether it be Linux, MAC, *BSD, or some sort of Microsoft Windows are likely to suffer a cruel fate, though usually it's the hosted applicaiton software that are hacked firsted. Update firmware, run the latest Anti-Virus updates, build tiered operating environments, and zones, implement restrictive group policies, monitor internal network traffic just as much as you do the external traffic & constanly review security advisements from trusted sources, that is my advise.

[dave_boo]

I wouldn't be surprised if that page/article was sponsored by Microsoft.

It is not a vulnerability to present a webpage for setup; it is a stupid decision to not have the machine refuse to initalise its WAN port or allow the user to access any outside traffic until they are forced to change to a non-standard password.

It would be no different if it was a pfsense or a monowall (both based on FreeBSD) or an IOS XR (based on QNX) or a ... presented a webconfigurator and didn't enforce proper security procedures. After all, POSIX compliant OS aren't that hard to write a generic script to own them in totality as certain toolchains are expected; certain paths are followed, etc.

[Richard-BKK]

Not one operating system is secure if the operator / user doesn't take basic security measures. I think that every with a bit knowledge about computer knows its not smart to keep the default password for a ADSL/router connected to the Internet.

With default passwords unchanged, it doesn't matter what operating system the device runs or what security measures you take if a hacker knows your password you've a problem.

I always had the idea that unwanted traffic on a Thai providers IP address was very low, but since a I installed a little server at my home and opened port 80 to be redirected to this server and serve a little website (on which I can track web and visitors traffic) I found out that a lot of visitors come on a daily base and they not come from the Dynamic DNS provider I use to connect my server to the Internet. Which means that people are actually testing IP addresses in Thailand to see if they can hack into something... After I found that I had lots of unwanted visitors I also activated the activity log in my router to see what happens, and I found that about twice a week somebody does a port scan of my IP address (apparently to see if I have any open ports).

At the moment only port 80 is open on the router and that is redirected to my home server... so I not worry to much... but how much people in Thailand still connect to the Internet with a simple ADSL modem or didn't enabled the firewall in the router... or even worse did not changed the default password.