Page 1 of 5 123 ... LastLast
Results 1 to 10 of 47

Thread: Why an Ubuntu desktop is just as insecure as a Windows desktop

  1. #1
    Join Date
    Jul 2008
    Location
    Alabama, USA
    Beans
    906
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Why an Ubuntu desktop is just as insecure as a Windows desktop

    Since my previous thread was jailed quite some time ago, and I have yet to know its status, I'm starting this one, and leaving out the part that caused the last one to get jailed.

    I'll start this post with a simple assertion that I will argue: In its current state, if Ubuntu (or Linux in general) were as popular as Windows and had a similar user base, more Ubuntu machines would have malware than Windows machines.

    Allow me to explain.

    Some time ago, while my internet connection was spotty and I had nothing better to do, I spent about 3 hours (2 of which was actually testing) writing, as a proof of concept, a small bash script. I won't reproduce it here, because that's what got my last thread jailed. I hosted the script on a website and crafted a few small seemingly innocent commands that would download and run the script, which would alias the sudo command. When run as sudo, the script runs itself as root, executes the command the user expects to run, creates the file "/etc/undecimwashere" (as proof of root access) and cleans up (i.e. fix the sudo alias and deleted itself)

    That was just one man and a few hours of time. And most of that was just making sure it was impossible for the script to leave the sudo command broken.

    The point I want to make with such a script is that desktop Linux distributions are NOT secure from malware. Right now malware isn't a problem only because:

    1) most Linux users are smart enough to figure out what a command does before running it

    2) Desktop Linux isn't very popular on the desktop yet.

    However, we want reason #2 to change. And when that begins to change, so will reason #1. Hence, if we're lucky, Linux desktop security will soon become a problem.

    The point that Linux separates the user from root means nothing.

    First of all, most malware will not require root privileges on a Linux system. There is no need to gain privileges to open a port (above 1024), to use slowloris, or to attack an SSH server.

    Second, even if a piece of malware did require root privileges (e.g. to be a more efficient node in a botnet), it is easy to acquire it when you are a user that has the ability to run commands as root, especially if the actual user has already been ignorant enough to download a trojan.

    Moreover, since software on nearly every Linux distribution is open source, it is currently trivial to perfectly mimic something such as the upgrade dialogue. Personally (and I guarantee this will apply to most users, especially as Ubuntu gains popularity), I don't know any person who would think twice about entering their password to upgrade their Ubuntu system when prompted. Even if you use the CLI to upgrade, It would only take about 5 minutes to add an alias for apt-get to a trojan, or to prepend the PATH variable with with a directory full of malicious binaries.

    Many of you at this point will note that most of this requires some degree of social engineering, and dismiss the problems as unsolvable because the human element will always be a security hole. However, it is because of this fact that individuals and groups who write malware for profit rely on social engineering. It's not a fool-proof method to attack a single target, but it does yield a high number of infections by targeting the most ignorant of an operating system's user base.

    If Ubuntu will equal Windows in market share, it is necessary to protect these users from their own actions in order to both reduce the number of machines that will become infected in the future, and consequently make Linux malware creation less lucrative.

    Windows (and available third-party applications) already implements many countermeasures to trojans, such as informing the user (e.g., the warning box that appears when you download a .exe file), blocking the most prevalent trojans with on-download virus scans, and forcing any useful malware to acquire system privileges (which is currently trivial on most Windows OSs and easy to do on any OS where the user is ignorant enough to have run a trojan in the first place)

    Ubuntu does none of those things. As a Linux system, it has the potential to be secure, but as a Desktop distribution, it's ignoring the most prevalent security hole: user error.

    How soon before this becomes a problem?

  2. #2
    Join Date
    Dec 2005
    Beans
    697

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by undecim View Post
    When run as sudo...
    Well, your argument falls apart right there. The user has to enter a password to run your script. There are tons of Windows malware that install just because you navigated to a webpage.

  3. #3
    Join Date
    May 2007
    Location
    albuquerque
    Beans
    565
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by undecim View Post
    How soon before this becomes a problem?
    It isn't a problem right now, so I'm not worried.

  4. #4
    Join Date
    Oct 2005
    Location
    WI, USA
    Beans
    30
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    The process you used in testing your proof of concept is flawed. You've bypassed at least two steps.

    Example:

    Step #1: Get malware onto computer
    Step #2: Get system/user to run malware
    Step #3: Trick user into compromising system

    You started at step #3.

    As far as your later point... Ubuntu has countermeasures against attacks, like UFW/AppArmor, etc, but I've always been of the opinion that every Operating System should include all protections (Including AntiVirus/AntiMalware software) by default.

  5. #5
    Join Date
    Aug 2009
    Location
    Under the stairs.
    Beans
    1,408
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by hhh View Post
    Well, your argument falls apart right there. The user has to enter a password to run your script. There are tons of Windows malware that install just because you navigated to a webpage.
    I agree. Everything else following this is moot. You're argument is based on mis-information and not understanding exactly the difference between User and Root. Fail.
    Dell Inspiron 1764 Laptop, Intel CoreTM i5 520M), 4GB Shared Dual Channel DDR3 at 1066MHz, 512MB ATI Mobility RadeonTM HD4330 Integrated Intel HD.

  6. #6
    Join Date
    Feb 2009
    Location
    USA
    Beans
    3,187

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    A piece of software requires your password, if you then give the password then there is nothing the system can do. The only way to prevent you from doing damage with a sudo password is to restrict you on what you can and cannot do.

    This is not "system malware" it is "social malware". There will always be people unsavvy enough to fall for the "social malware" and if Ubuntu were more popular then there would be more such crap floating around. The only defense to "social malware" is education and computer literacy.

    The difference between Linux and Windows comes on the resistance to "system malware". That is if you do nothing wrong and still get infected. Without AV program, on Windows, you can get malware even without typing a password, just opening a .pdf for example, or just visiting a web-page. It is true that both systems have flaws, but the Unix architecture is build bottom up with top level of security in mind. It is generally much harder to crack as things are far more restrictive.

    The BIGGEST difference between Linux and Windows is how security flaws are addressed. In an open community, as soon as a problem is found, it is fixed by a patch. Keep your Linux updated and you are safe. On the other hand, when it comes to fixing security issues, MS is useless. That is why people have to rely on third party AV software to patch the issues with Windows (issues that MS just wouldn't address).

  7. #7
    Join Date
    Feb 2009
    Location
    USA
    Beans
    3,187

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by Munk3y View Post
    As far as your later point... Ubuntu has countermeasures against attacks, like UFW/AppArmor, etc, but I've always been of the opinion that every Operating System should include all protections (Including AntiVirus/AntiMalware software) by default.
    Linux does not and will not ever need AV software. There is no AV software to catch "Ubuntu viruses" and there will never be such software. Only windows and windows viruses need AV software. See earlier post.

    You already mentioned AppArmor in included as "Anti-Malware".

    Here is something to read:

    https://help.ubuntu.com/community/Antivirus

  8. #8
    Join Date
    Dec 2005
    Location
    The Netherlands
    Beans
    682
    Distro
    Ubuntu Development Release

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    When run as sudo, the script runs itself as root
    Here you shall fail...

    Thing is... you need to convince me and any other person to start your script with sudo. You may find 1, 2 of 3 people willing to do that. BUT you -will- run into a person that will scan you script, see what is wrong and post about it on these forums here education those people that did execute the script.

    In the end you hacked into a couple of systems en need to start again with another script and another attempt to convince people to start you script.

    We all learn using Linux by making mistakes (like running you script). If in the end people are educated about what your script does I say you are doing a GOOD job with that script.


    With windows you do not even need to convince people. All you need is for them to visit your website and they are toast. Plus there is no-one telling them what they did wrong and how to avoid it next time. Since the only answer you get is: ah just re-install your windows system. Windows users are kept dumb because MS wants you to spent money. You having a perfect OS comes 2nd.


    Malware is effective when it can be executed on large amounts of systems without interaction by the targets. This will never happen in a Linux system.
    Even with the less secure 'root' method Fedora/SUSE uses.
    Last edited by Rinzwind; April 11th, 2011 at 06:14 PM.
    Hello, all my posts come without warranty

  9. #9
    Join Date
    Jan 2008
    Beans
    4,324

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Create a non-admin user for day to day work. That works like a charm. You can always trick a user to break their system, however if a user knows to only trust the repository they will not install any random software.

    Edit: + some clever Apparmor wizardry could make this even less of a problem.

  10. #10
    Join Date
    Dec 2005
    Location
    The Netherlands
    Beans
    682
    Distro
    Ubuntu Development Release

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by Munk3y View Post
    The process you used in testing your proof of concept is flawed. You've bypassed at least two steps.

    Example:

    Step #1: Get malware onto computer
    Step #2: Get system/user to run malware
    Step #3: Trick user into compromising system

    You started at step #3.
    Good explanation!
    As far as your later point... Ubuntu has countermeasures against attacks, like UFW/AppArmor, etc, but I've always been of the opinion that every Operating System should include all protections (Including AntiVirus/AntiMalware software) by default.
    But here you are wrong.
    We need 2 things!
    1. a router so you can keep people outside your system;
    2. common sense.

    There is only 1 need for AV software in Linux: if you need to scan incomming/outgoing data that is passed onto Windows(!) systems.
    Hello, all my posts come without warranty

Page 1 of 5 123 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •