[Mac_crypto] Apple OS X Server is most secure system | Hard Copy Version

R. A. Hettinga mac_crypto@vmeng.com
Wed, 10 Mar 2004 09:30:25 -0500


Apple OS X Server is most secure system

 Apple Press Release on ITWeb

 Posted: 9 March 2004

 An independent study by British cyber security firm, mi2g, has found
Apple's OS X Server and the Berkeley Software Distribution (BSD) open source
systems on which it is based, to be the most secure online server operating
systems in the world, according to a recent report published at

In what may come as a surprise to many, the study also found that open
source operating system, Linux, is now the "most-breached" server operating
system and that Microsoft's server solution had improved substantially.

The study, which was conducted by mi2g's Intelligence Unit, was based on
the number of successful attacks against UK government and private server
systems in January this year. Together, OS X Server and BSD represented
only 3%, Windows 12%, while Linux was most prone to attack at 80%.

Looking at government security breaches in isolation, it was found that no
Apple OS X or BSD-based systems were compromised, 35% of breaches were
attributed to Windows and 57% to Linux. Only six months ago, mi2g found
that Windows suffered from 51% of security breaches, while Linux was far
less at 14%.

This year's study contrasts with a similar report released by the same
security firm in October 2002. The 2002 report, which included
vulnerabilities associated with worms and viruses, also identified Apple's
OS X operating system as being among the most secure in the world. This
older study identified the number of software vulnerabilities discovered
during the first 10 months of 2002. Of the 1 162 vulnerabilities which were
identified, Microsoft stood out with over 500 while Linux was seen as more
secure with 200. Fewer than 25 were attributed to Apple.

In the most recent report, MacCentral quotes mi2g's DK Matai as saying that
"the swift adoption of Linux last year within the online government and
non-government server community, coupled with inadequate training and
knowledge of how to keep that environment secure when running vulnerable
third-party applications, has contributed to a consistently higher
proportion of compromised Linux servers".

Continuing, Matai said: "Migration to open source can be fool's gold
without adequate training and understanding of the impact that third-party
applications can have on overall safety and security. Windows
administrators deserve some credit for having consistently reduced the
proportion of successful hacker attacks, but the real credit has to go to
the developers and administrators of BSD and Mac OS X for maintaining such
an excellent track record."

"While it's great to see that Apple's OS X is in the spotlight for its
inherent stability and security once again, the report is not clear in
establishing exactly how their statistics have been presented," says the
Core Group's Greg Hill.

"Reading the MacCentral report, one assumes, but it is not stipulated, that
the results of the study are proportional to the number of servers which
are running the various operating systems. That said, it's not the first
time that independent security professionals have identified OS X Server,
which is shipped as standard on all our 64-bit Xserve units, as the most
secure and stable system available," he says. "Interest from system
administrators is steadily increasing in our server products, but it's not
just stability and security which is driving acquisition," he says.

"Matai's comments hint at the importance of ease-of-use and default
security settings. Out the box, an Xserve unit already has advanced
security settings as a default. Perhaps more importantly, it's easy to
increase security levels on a single Xserve unit or a whole cluster - you
don't necessarily need to be a Unix fundi to run a more secure
environment," says Hill.

"In theory, Linux should also gain solid and secure benefits offered by
Unix. However, Matai's comments indicate that either the default security
settings offered by various compilations of Linux are inadequate or that
additional security measures are not easily configurable. It could be a
combination of both," he says.

"It's just too easy to blame the user - and in this case the user is a
system administrator. With all their time taken up by 'soft' support, it's
small wonder that most system administrators lack sufficient training in
securing complicated systems. They simply don't have the many hours needed
to fiddle around researching and configuring mission critical systems,"
says Hill. "Furthermore, guess whose job is on the line if they make a
mistake while trying to run some complicated patch or altering an advanced
security setting and bring down the whole company network?"

"With Xserve, single click security and version updates are offered as
standard - so system administrators can get on with what they really need
to do, not spend sleepless nights wondering whether their servers and jobs
are secure," Hill concludes.

 Copyright 1996-2003 ITWeb Limited

R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'