Linked by Igor Ljubuncic on Mon 21st Jun 2010 09:35 UTC
Privacy, Security, Encryption I've bored the readers of my personal website to death with two rather prosaic articles debating the Linux security model, in direct relation to Windows and associated claims of wondrous infections and lacks thereof. However, I haven't yet discussed even a single program that you can use on your Linux machine to gauge your security. For my inaugural article for OSNews, I'll leave the conceptual stuff behind, and focus on specific vectors of security, within the world of reason and moderation that I've created and show you how you can bolster a healthy strategy with some tactical polish, namely software.
Thread beginning with comment 430919
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Don't need anti-virus?
by wirespot on Mon 21st Jun 2010 15:43 UTC in reply to "Don't need anti-virus?"
wirespot
Member since:
2006-06-21

Viruses aren't really interested in gaining root access. They can do nearly anything as the user anyway - key-logging, sending spam, DDoS, and so on.


Note: don't call them viruses, call them worms. Viruses are a different beast (they don't use networking as a vector).

Second, it's not that easy. As an unpriviledged user you can NOT snoop on other users or open ports under 1024 (which is where most legitimate servers like to reside). But yes, you have network access so spam and DoS are valid points.

Besides once you have access to a user's account it is trivial to gain root - just change their path to point to a fake 'sudo' program which logs their password.


It's NOT trivial to gain root, if it was trivial the whole UNIX security would be worthless. The particular method you described is not really practical.

I think you mean social engineering -- tricking the user with a sudo window. Which can work (if the user doesn't bother to think why there's a sudo window all of a sudden).

But the point is moot. If there's malicious stuff running on your machine you're pretty much screwed. This is the 1st major vector of computer security: remote break-ins without user intervention. This is a very important important thing and THIS is why Linux is more secure than Windows: on Linux, everybody makes every effort so that the break-in doesn't happen. On Windows they let it happen and deal with it afterwards.

I'd bet most linux users install stuff from outside the repositories, and besides we've already seen examples of mirrors, and even source code being maliciously modified.


Granted, the dependence of the repositories is a weak link. But the repositories are distributed and closely watched by many people. I'd say they do a much better job than, say, Apple does with the AppStore. Not to mention they have the source code too.

As for installing stuff from other sources... this is the 2nd big vector: users bringing malware in themselves. And there's not much anybody can do about it. Unless the user understands not to install stuff from unofficial sources, all bets are off.

BTW, a Linux distro can easily close 99% of this vector by only allowing certain repositories and disallowing direct installation of package files (deb, rpm etc.) But it's not practical.

Most viruses work either by buffer overflow type exploits, or by tricking the user into running a program. File permissions aren't going to help in either case. By the way, you can easily execute non-'executable' binaries like this:

/lib/ld-linux-x86-64.so.2 ./a_file


For that to happen you need to already be able to run code. If you managed that you don't need that trick. On the rest, you're right.

But let me point out that when you're trying to trick someone into running malware, it's one thing if all it takes is to double-click (a universal action used for everything) or if you need to go into file properties and change some stuff. You have to admit that executable status in metadata is better than executable status as part of the file name.

Although I'd wager Ubuntu is becoming popular enough to count as a single target.

The real reason you don't need anti-virus on linux is because there are a very very small number of linux viruses. And that is almost certainly due to the fact that it has a 1% market share (and probably the diversity and skill factors to some extent).


That point of view is wrong.

Some people like to say that once a platform is more popular there's more (or more motivated) people attacking it so chances for break-in increase. That's bull. Remember that most of the servers of the world run some form of UNIX or Linux and that has NOT made them more vulnerable. There's no direct link between popularity and security.

There is an indirect one. Some of the installations are old and not updated. If you have lots and lots of installations, statistically the chances increase for running into an old one. It's a numbers' game. No relation to actual security.

The reason there is so much Windows malware is because it's easy for it to exist: lots of vulnerabilities, bad underlying security models (fixed with Windows 7, hopefully), unpatched machines, many propagation vectors. There's next to none for Linux because vulnerabilities get patched fast, almost all installations update by default and propagation vectors are few.

Well evidently not, otherwise there wouldn't be any need for security updates.


Not sure how you mean that. Since there are security updates, obviously somebody DID see the vulnerability (and fixed it). Ok, they didn't see it the first time, but second time is better than never. Between a platform with 1000 vulnerabilities which has updates for all 1000 and a platform with 2 vulnerabilities which leaves 1 open, I'll take the first.

Linux users are more skillfull.

True, I suppose.


Don't count on it. Educating users will not work in the long run. Most users are not skilled enough, and security is a highly skilled game.

The most you can teach them is not to install software from anywhere else but the official distros. The rest of the security job needs to be done by the OS and software with no user intervention.

Which will always leave social engineering as a backdoor. But that's valid anywhere.

Edited 2010-06-21 15:53 UTC

Reply Parent Score: 7

RE[2]: Don't need anti-virus?
by fewt on Mon 21st Jun 2010 15:50 in reply to "RE: Don't need anti-virus?"
fewt Member since:
2010-06-09

[q]It's NOT trivial to gain root, if it was trivial the whole UNIX security would be worthless. The particular method you described is not really practical.

I think you mean social engineering -- tricking the user with a sudo window. Which can work (if the user doesn't bother to think why there's a sudo window all of a sudden).


echo alias sudo='sudo do bad stuff >/dev/null 2>&1;sudo' >>~/.bashrc

I agree with pretty much everything else you said though. Malicious people that want in don't necessarily need in "right now", they wait patiently for it.

Edited 2010-06-21 15:54 UTC

Reply Parent Score: 1

RE[3]: Don't need anti-virus?
by WereCatf on Tue 22nd Jun 2010 02:55 in reply to "RE[2]: Don't need anti-virus?"
WereCatf Member since:
2006-02-15

echo alias sudo='sudo do bad stuff >/dev/null 2>&1;sudo' >>~/.bashrc

I agree with pretty much everything else you said though. Malicious people that want in don't necessarily need in "right now", they wait patiently for it.


In order for that to work the malware app in question would either have to be root in order to put the fake sudo in a location mentioned in $PATH, or it would have to place it somewhere in the user's own home directory and modify $PATH.

The problem? Well, atleast some distros use the Tomoyo/SELinux framework to disable running applications from the user's own home directory if they have the same name as a common system application, and sudo often belongs in that list.

Some shell providers even completely disable the ability for one to run executable code from the home directories or /tmp and it might actually be a good idea for home-user oriented distros too; a common home user does not have the need to execute stuff from their home directory, they'll most likely just install what they need system-wide using the package manager. Executing stuff from your own home dir is more likely a power-user feature, including programmers et al, not Joe Sixpack.

Reply Parent Score: 2

RE[3]: Don't need anti-virus?
by wirespot on Tue 22nd Jun 2010 09:11 in reply to "RE[2]: Don't need anti-virus?"
wirespot Member since:
2006-06-21

echo alias sudo='sudo do bad stuff >/dev/null 2>&1;sudo' >>~/.bashrc


That works. It can be countered with some extra safety measures in the shell.

But it's awkward; it may give false positives and impact legitimate uses; it can still be circumvented; it uses a blacklist, which is usually a bad idea in security; and most importantly, it misses the main point: once malware executes on your machine, you're screwed.

There's a [url=http://ubuntuforums.org/showthread.php?t=504740]lengthy discussion[/url] on this exact topic on the Ubuntu forums, if you care to read it.

Personally, I'd rather have most effort put into plugging app vulnerabilities than in mitigating the aftermath of a break-in. I find the casual attitude about break-ins on Windows terrible. If a Linux user found a single piece of malware crawling inside their machine, they'd be horrified. A Windows user just assumes it's natural to have piles of that stuff. Terrible.

Granted, good security means layers upon layers and not relying on a single barricade, lest you find yourself in trouble when that barricade is breached. sudo calls could probably use better guarding and closing some of the more "creative" ways of plugging into it.

I agree with pretty much everything else you said though. Malicious people that want in don't necessarily need in "right now", they wait patiently for it.


Let's not assume there's an actual person behind every break-in. Most break-ins into personal computers are done by bots, the worms that cruise the net and blindly try every address with every trick they know. They don't rest, they don't stop, they don't think, they don't have personal likes or dislikes or reasons to do something. They just do what they were told to do, forever. Like I said, a numbers' game. That's the main threat we're trying to protect against: dumb repetitive robots.

I'd wager that if an actual highly skilled hacker wants in your computer, they will manage that. Then again, even an unskilled person can manage that, with a hammer and your fingers. But that's another ball game entirely.

Reply Parent Score: 2