A large number of opinions about security

[1clue]

Prelude: This thread was split off of another discussion by a moderator, and without any sort of explanation. I'm responding to a query about anti-malware software for Linux. So this didn't just pop up out of the blue like it seems to.


ALL anti-malware software for Linux I've used has false positives. You need to investigate them and mark them as such.

I've heard of LMD but never used it.

Before anyone gives you a false sense of security, if Linux or Ubuntu were "secure enough" with a basic installation and no extra anti-malware or security software on it, I'm betting the forum would never have been hacked. I've been preaching active anti-malware security for years, and yes I'm capitalizing on Ubuntu Forum's unfortunate incident to illustrate my point.

I'm NOT an expert at this, but I do it to the best of my ability.

I've been owned a few times, including when I thought I was bullet proof. Had I not been running software to detect malware AND watched the logs obsessively, AND periodically looked things over myself, I would never have known I had been owned. Most of the serious malware is designed to be available to the black hat hacker for a long time without ever being detected. Trashing your box dramatically does nothing for them. Having your computer as a tool does much for them.

Start here: https://wiki.ubuntu.com/BasicSecurity

I get seriously bent when people claim that Linux is not susceptible. Yes, linux as Ubuntu sets it up is probably better than most desktops you get, but that in no way means you need not worry about it.

How much effort you put into this is up to you. You can't possibly KNOW you haven't been owned. You CAN, however, KNOW that you HAVE been. The problem is the vast number of possibilities in the middle where you have been owned and don't know about it.

[SeijiSensei]

Before anyone gives you a false sense of security, if Linux or Ubuntu were "secure enough" with a basic installation and no extra anti-malware or security software on it, I'm betting the forum would never have been hacked.

You'd lose your bet. Have you read the descriptions of how the forum was hacked? It had nothing to do with the security of Linux.

[1clue]

Yes, I read it.

Which just illustrates my point.

If you listen to a whole lot of forum posters, if you're running Linux you have absolutely nothing to worry about.

Security is ONLY about the weakest link. In this case, that was either a weak password (It's a forum, so probably almost all of the passwords are the user's last name or maybe the name of their cat) and the forum COULD have made a more stringent password policy -- or a shared password or a password stored in plain text somewhere. But that doesn't really matter. My point is, it's always either something that was overlooked or something that was deliberately compromised in order to facilitate ease of use.

What's the password policy like on Ubuntu? Does that password policy extend to forum software? Does it extend to EVERY piece of software in the repository that might need security?

Now, the forum was vulnerable to a cross-site scripting attack, because that's what it was. So again, a vulnerability on Linux.

Before you claim that forum software is not Linux, I'm going to remind you that technically the only thing that IS Linux is the Linux Kernel. The system loggers, the window managers, the boot scripts, the network configuration -- all that is just some open source software that runs on Linux and probably a few other operating systems. So where do you draw the line?

You might draw it at the point where the install CD stops. So a bare installation. But who stops there? By asserting that Linux is secure, you're implying that anything in the software provided by Canonical in the Ubuntu Repository is secure. It's almost certainly not, even if there are no known vulnerabilities.

You can waffle about it all you want. By any reasonable standard, Linux can be vulnerable, and it has ALWAYS been vulnerable. Any security expert you ask will say exactly that.

You CAN make Linux secure enough to handle credit cards and auction sites and bank transfers Edit: for a commercial site, not just for handling your personal banking, but it does not come that way, and there are LOTS of things a user can do to breach that security. If you ever have to set up a server for compliance to a standard fit for credit card transfers, and have to be audited for that, you're going to have your eyes opened. Especially if you hire an expert to test for vulnerabilities.

How many times have you heard "As long as you update regularly and pay attention to vulnerability announcements you don't have to worry about it." or something similar? I'll bet you that the Ubuntu Forums staff was doing more than that. There are so many pieces of software on any real-world system that it's extremely difficult to keep up with it, and to test from every angle you can imagine.

[SeijiSensei]

Before you claim that forum software is not Linux, I'm going to remind you that technically the only thing that IS Linux is the Linux Kernel. The system loggers, the window managers, the boot scripts, the network configuration -- all that is just some open source software that runs on Linux and probably a few other operating systems. So where do you draw the line?

You can run vBulletin on Windows servers, too. To say that a vulnerability in a web application written in PHP is somehow equivalent to a buffer-overflow exploit in a server daemon or, worse, a security problem in the kernel itself runs into the usual "apples-and-oranges" problem. These are all different issues and have different consequences. Except in the last case they also are not intrinsic to Linux itself in either the narrow kernel definition, or the broader "GNU/Linux" definition that includes the usual array of system tools.

If you read what informed people say about vulnerabilities here, you'll see most commentators are quite circumspect about Linux security. Most of us recognize that any operating system will have vulnerabilities, Linux included. If I can get you to run a script as an ordinary user that installs a keylogger, you're in trouble. Is that the fault of Linux or the fault of the person sitting in the chair?

[1clue]

You can run vBulletin on Windows servers, too. To say that a vulnerability in a web application written in PHP is somehow equivalent to a buffer-overflow exploit in a server daemon or, worse, a security problem in the kernel itself runs into the usual "apples-and-oranges" problem. These are all different issues and have different consequences. Except in the last case they also are not intrinsic to Linux itself in either the narrow kernel definition, or the broader "GNU/Linux" definition that includes the usual array of system tools.

If you read what informed people say about vulnerabilities here, you'll see most commentators are quite circumspect about Linux security. Most of us recognize that any operating system will have vulnerabilities, Linux included. If I can get you to run a script as an ordinary user that installs a keylogger, you're in trouble. Is that the fault of Linux or the fault of the person sitting in the chair?

You are exactly correct. The short answer to all of my ranting is that you have to be careful, you have to be educated and you have to be vigilant.

My angst is aimed at the people who insist that once you install Linux, nothing more need be done for security.

A Windows users who doesn't really know what an operating system is, or that there's any difference between that and a web browser, typically comes in and asks a question similar to the OP here.

For the record, THIS thread's OP is more informed than that.

Anyway back to the point. It happens over and over, there's always several somebodies on the forum who cannot be convinced that any sort of malware would ever land on their system. They might acknowledge that there's a theoretical possibility, but insist it's so unlikely as to not worry about it.

Back in the 90's when I got started on Linux, I heard the same guys and believed them. Then I got owned, and then I learned something, and got owned again. Then learned some more. The cycle continues.

For years I sat back and quietly disagreed with the misinformed and loudly ignorant. I know the difference between bad PHP and a buffer overflow exploit. The problem is, the new guy who's asking legitimate questions rarely knows about this. I've decided to dummy up my language a bit to try and drive the point home. I figure more people on this site might relate to the business aspects of it than the programming aspects. I can talk to that too. I can pretend the other guy is my sister, and speak to the concept of the entire machine as a single piece. Whatever gets the job done.

On any level, the "system" is vulnerable if any piece of it is vulnerable, and therefore you have to be careful. If you buy a million dollar safe that can't be cracked, it doesn't keep your money safe if you left the door open.

The absolute truth about Linux security and any other security for that matter is education and vigilance. There is no shortcut. Start reading, start learning and start practicing.

Sorry about the rant. This isn't so much about you guys as my angst at the @$$#0735 who told me I was secure years ago, and the perpetual tsunami of ignorance it started. People (me) rant about how secure it is, then we get owned, and then we rant at the new guys who insist how secure it is.

[cariboo]

The Forum hack really had nothing to do with Linux, one of the Loco mods that had more privileges than he should have, which is a forum operator problem, had his account compromised by social engineering, which is a user problem. Once the bad guy gained access to the Forum backend he exploited some php hooks in the vBulletin php scripts, created by former Forum operators, to gain access to mysql. He did't have enough access privileges to change anything in the database, but we admins did have the ability to do a database dump.

Notice I haven't mentioned the underlying operating system, as vBulletin runs on Windows as well as on a Linux distribution. As we well know apache, php and mysql are all cross platform applications, and the exploit could have just as well happend no matter what operating system we were running, be it Linux, BSD, OSX or Windows.

[1clue]

The Forum hack really had nothing to do with Linux, one of the Loco mods that had more privileges than he should have, which is a forum operator problem, had his account compromised by social engineering, which is a user problem. Once the bad guy gained access to the Forum backend he exploited some php hooks in the vBulletin php scripts, created by former Forum operators, to gain access to mysql. He did't have enough access privileges to change anything in the database, but we admins did have the ability to do a database dump.

Notice I haven't mentioned the underlying operating system, as vBulletin runs on Windows as well as on a Linux distribution. As we well know apache, php and mysql are all cross platform applications, and the exploit could have just as well happend no matter what operating system we were running, be it Linux, BSD, OSX or Windows.

Yes. That's been repeatedly stated, and I understood that when I originally got my account back when the forum came back up.

Rewind, Joe User is a freshly converted Windows guy who didn't really understand Windows either. He wants to know if somebody can hack into his system. Can they, or can't they? To Joe, it's black and white. He doesn't care if it's Linux itself, he wants to know if his pictures are still going to be there, if his music collection is going to be there. He doesn't want his credit card information stolen.

A Linux system can be cracked by cracking anything on the system that can give you something you want. Did the forum get hacked? Yes. Did somebody get data they shouldn't have had access to? Yes.

I don't remember the figures anymore, but most security breaches are to some extent an inside job. Some of them are social engineering based on somebody who knows somebody and guesses correctly.

As well, if you're going to insist that anything that can be run on Windows can't count as a Linux hack, glibc compiles and works on Windows too. So that's not a valid line. How much of what most people call Linux would be compromised if somebody injected malicious code into glibc?

[samiux]

About a year ago, I replied one of the threads here about anti-malware/virus for Linux/Ubuntu. Later, I began a debate with other users (including admins of Ubuntu Forums) as I suggested to use anti-malware like software to protect Linux/Ubuntu. In addition, I also pointed out that Linux is not secure at all. We then debated about the definition of malware/virus as well as worm. I also provided the PoC (Proof-of-Concept) video to proof my words. Admins of the Ubuntu Forums got angry as they disagreed with me as well as other users. Finally, Admins closed the thread.

Today, when I am browsing Security Discussion sub-forum, I seldom answer the thread. When I want to answer, I will say "yes, Linux/Ubuntu is very secure and she do not need any protection as security is by born". "Don't worry, it is a false positive." and so on. Then, you will have less change to be attacked by other users and admins. If yes, there are only one or two who suggest/agree to use anti-malware/virus. That is, he is on my side.

So, why I answer this thread? It is because I agree with 1clue. I want to support him.

Almost all users and admins in this sub-forum are minded blocked. They will not accept truth and new things that do not match their mind or desire. In my opinion, Windows is as secure as Linux; Linux is as vulnerable as Windows.

Most of them say that the vulnerable is to the application software but not Linux, so, Linux is not counted as vulnerable. But I want to say, Linux distributions are consisting of a lot of application software, including desktop and server version. If not the kernel vulnerability, it is not counted as Linux vulnerability? If yes, RPC vulnerability of Windows XP is not kernel vulnerability. So, Windows is not vulnerability to this attack. So as web application. Right?

Most of them say Social Engineering exploit is not counted as vulnerabilities. It is users fault only. However, BlackHats count these kind of exploit as vulnerabilities. So, there is a different mindset between you all and the BlackHats.

Some professionals or experts here say that they never been attacked or infected. For real? I think most of them do not know that they are intruded or infected as there are no sign of the intrusion or infection at all. For most malware/virus, they are not detected by any anti-malware/virus.

Some professionals or experts here also say that the malware/virus need root rights to run and they also cannot run themselves automatically. Really? You all think about it in more deeply. You will know that it is not impossible to do so.

Some professionals or experts here may say that there are no open port for Ubuntu Desktop version. Or, you behind NAT/router. So, you are safe. For real? Any BlackHat can pivot any system very easily.

Okay, I should not talk anymore or this thread may be closed.

Samiux

Edit : The latest news. In 2011, developer of vsftpd find that vsftpd legit source code is injected backdoor. Almost all Linux distributions (including Ubuntu 11.04) collect it as repos. So, rkhunter or chkrootkit will not detected that as it is official repos and you will whitelist it after update. Any idea?

[cariboo]

@samiux , all you have been doing, is to try to spread FUD, show us some case studies, prove what you are saying.

I'm by no means a security exert, and I know one of my accounts was exploited, wouldn't it be better to help us recognize things like this when they happen, instead of just posting veiled warnings?

[samiux]

@samiux , all you have been doing, is to try to spread FUD, show us some case studies, prove what you are saying.

I'm by no means a security exert, and I know one of my accounts was exploited, wouldn't it be better to help us recognize things like this when they happen, instead of just posting veiled warnings?

So, you agreed that I had provided the proof that it is not impossible and it is also FUD (Fully Un-Detected). So, why the thread was closed.

Samiux