What is the worst a browser exploit could do in Ubuntu?

[Hungry Man]

Sure, you can dump accounts etc. I know more about that on Windows than Linux like /repair/SAM and /regback/SAM etc. But on Linux I'm assuming that using something like Apparmor would solve that easily whereas there is no solution (other than SELinux -x, which is way less than ideal) for X keylogging.

Same goes for the browser having more access than it needs - that's a permissions issue with tools already available to solve it.

And, again, following the Linux security model (users/groups) you can run your Firefox as a separate user and mitigate a lot of those attacks. But X-Keylogging remains, breaking the user/group model.

Lots of the information being entered into the browser is sensitive, but I don't see how that makes it *less* dangerous that an attacker can view the rest of your input such as into a terminal, gksudo, or sensitive files.

[OpSecShellshock]

It's less about danger than risk to the user's data and passwords. For home users having an attacker gain full control of their computer is certainly annoying and inconvenient, but the most it's going to cost them is the time they spend recovering. Which is good, because there always comes a point at which there's nothing you can do to stop it (even if a lot of other things have to go wrong before you get there).

Cleaning up after having accounts with other providers/sites/services/whatever compromised is more of a pain. But resetting passwords is easy and disputing fraudulent charges (in the US) is getting easier and easier because it happens so often now. About the most destructive thing an attacker could do from a life-ruining standpoint is use someone's system for storage of Very Bad Files.

All of which is just a complicated way of saying users should prepare for recovery as their primary strategy. Even though the likelihood of an attacker gaining control of a system is low, assume it's going to happen and just always be ready to recover from it. This has the extra benefit of also preparing users for catastrophic hardware failure.

Back around to the topic, there are things people can do to stop exploits from triggering in the first place, such as blocking scripts, advertisements, and embedded objects. If that fails, then there's going to be an attempt at file access or code execution, which can be constrained with AppArmor or whatever MAC solution you prefer. If that fails then you're into an area where there's nothing you can do to stop an attack, so there's no sense in worrying too much. You can protect sensitive data to an extent by having it inside an encrypted volume separate from the day to day stuff, but that's only a solution if it isn't mounted or in use at the time of attack. But once things have gone wrong to the point you can't stop say a shell or a keystroke logger, you're going to rebuild your system anyway, so just concentrate on recovery.

[Ms. Daisy]

+1

Backups are not sexy but they're extremely effective for a quick recovery.

[Hungry Man]

Backups necessitate the ability to determine when we're compromised. Really useful and effective, but oftentimes the damage is already done if we're talking about attacks involving keyloggers. Unlike ransomware/ trojans a keylogger isn't necessarily going to announce itself.

To be honest, I'm not gonna rely on a bank to say "Oh, I understand" when it comes to these things and I've worked for banks.

I agree that prevention is key but we can't rely on it. It would be nice to see UI isolation considering how trivial this makes something as serious as keylogging.

I'm not trying to sound like I'm spreading fear or anything, an attack on a Linux desktop is incredibly unlikely; even though keylogging is trivial you could hit 100% of the userbase and still not get as many users as a windows attack that hit a small percentage. But I think this vulnerability should be taken seriously.

[Ms. Daisy]

I understand wanting to prevent vs. recover. If you want real defense you have to have a plan for both, though. Hence backups are fantastic advice for recovery. Full stop.

There are people (not just Hungry Man) who seem to be overly-concerned with keyloggers. So I decided to dig for some stats on what percentage of malware includes keyloggers. (if you find some better stats please share!)

http://blogs.mcafee.com/mcafee-labs/...alware-samples

So a year ago roughly 10% of the day's malware were keyloggers. (The study didn't include the popularity of each malware, so that could skew the results I suppose.) Therefore keyloggers are nothing to ignore, but they're certainly not the vast majority of threats out there either. I think that's why OpSecShellshock was saying he couldn't see anyone putting the work into creating a better mandatory access control solution for keyloggers.

[Hungry Man]

I thought it was closer to 4%. Based on a study I trust to be accurate, though outdated. It could be 10% now. For Linux home users it's quite likely <1% (of the scope of malware out there).

If we were concerned with what malware actually resides in the real world this forum would be nothing but posts about locking down servers. I'm assuming that if we're talking about a browser we're talking about a user and if we're talking about a user the conversation can go in two ways:

1) We inform that that Linux users don't have to worry about malware because malware for Linux is virtually nonexistent.

2) We indulge the concept that security has to do with possibilities and every vulnerability isn't exploited until the day that it is.

I think going into both makes the most sense. I also think people like to tout Linux as secure but you bring up security holes and they go "Well no one attacks Linux anyways". This is probably the biggest issue with Linux security because it's so ingrained into upstream, I think Linus was at one point 'awarded' one of those yearly "biggest security screwups" for his constant missing-the-point statements about security ("a bug is a bug").

For the most part that's what X-Keylogging is met with - immediate downplaying of the issue when it's pretty damn gaping. And this is true of a lot of things, there are a number of mislabeled bugs as DOS or vague 'overrun' when they're clearly exploitable.

In terms of what the browser can do when compromised I would say keylogging is likely the most dangerous outside of local exploitation; in fact I would say it's more dangerous than local exploitation because there exist methods to prevent that and there exists no method to prevent keylogging on Linux.

OT: I don't consider recovery security. I remember in my Security class we learned about recovery, it was interesting because whereas everything else we'd learned about was about prevention and detection recovery was given its own section and it revolved entirely around things like cost analysis etc. and had very little to do with security.

I've probably gone very OT at this point haha but I do like to indulge.

[OpSecShellshock]

Yeah and detection is really just not there on Linux desktops, to the point where I suggest folks don't bother trying. Management of risk is a big driver of security improvements, and the risk isn't enough to justify development of solid heuristic detection. Even if someone did develop such a thing, it may not be worth the expenditure of system resources for such a low risk. But I guess that brings it back around to costs. Now, if someone decided to port Android malware over to other distributions things might get interesting.

I do think management of risk is a discussion worth having in these threads, because otherwise I'd have to choose between telling people not to worry or telling them to be constantly anxious about what could happen even if it probably won't. I can't really do either.

And I don't mean to downplay the issue of code execution and input interception across graphical applications, because it is an issue and there's a lot of real risk there if anyone wants to take advantage of it. I also don't think it's likely the developers are going to fix it, so I tend to base my advice around things people can do themselves, immediately.

[Hungry Man]

Heuristic detection for Linux would have to be really different since you don't have malware to create signatures. You'd either have to guess or come up with a new way to detect.

If the DalvikVM gets ported to Ubuntu we may see Android malware on it - that would be interesting, yeah.

Anyways, I agree with you - it's just a matter of discussion but being realistic is important and we both agree the developers aren't going to fix it. This issue isn't new by any means.

[jrog]

I haven't seen anybody mention Qubes in this thread. Are any of you aware of it? I believe it is supposed to (among other things) prevent the sort of keylogging between X applications being discussed here. Here's a link to the Qubes website: http://qubes-os.org/Home.html. Here's a link to a blog post where one of the Qubes developers discusses keylogging between X applications specifically: http://theinvisiblethings.blogspot.c...isolation.html.

[Stonecold1995]

I haven't seen anybody mention Qubes in this thread. Are any of you aware of it? I believe it is supposed to (among other things) prevent the sort of keylogging between X applications being discussed here. Here's a link to the Qubes website: http://qubes-os.org/Home.html. Here's a link to a blog post where one of the Qubes developers discusses keylogging between X applications specifically: http://theinvisiblethings.blogspot.c...isolation.html.

I think if you wanted a really secure operating system Hardened Gentoo would be a better idea. Or maybe FreeBSD but that's not Linux.