Reminder: Social engineering still works on Linux

[conphara]

I just searched for some of the latest Ubuntu clips on Youtube and this one caught my eye.

http://www.youtube.com/watch?v=9HxFGQ8OpYw

This guy shows a demo of successfully getting hold of a user's personal data from Firefox (by saving an attached file from a mail in Evolution to the desktop and clicking on it) and later getting root access to delete everything on the partition all done in a Virtualbox session.

The title for this video is: The Linux desktop is not much more secure than Windows

The morale of the story is easy. Producing malware for Linux is apparently possible. Avoiding it comes down to the user himself. Don't download and run anything that you shouldn't. But how can you know?

[Eisenwinter]

Yeah, I can only see an Ubuntu user getting infected like that, haha.

(given the fact that the user himself has to save the strange attachment, then run it, in this particular case)

[dasunst3r]

There are people out there who will do ANYTHING and make up ANYTHING in their attempt to discredit something they don't like (e.g. conspiracy theorists, people who think President Obama is Muslim, etc.). I'd start asking questions: What Firefox version is this person using? Is this person fully patched? Can this be reproduced in a similarly-configured version of Windows (same Firefox version, fully patched)? Ultimately, the user is the weakest link as that worm required user intervention to trigger. Still, I've seen worms in Windows that did not require user intervention. What does that say about security in Windows compared to Linux? QED

[samjh]

The morale of the story is easy. Producing malware for Linux is apparently possible. Avoiding it comes down to the user himself. Don't download and run anything that you shouldn't. But how can you know?

"The price of freedom is eternal vigilance." - Thomas Jefferson

Linux users would do well to remember it. Don't get complacent. Linux is not magically more secure than Windows. It has weaknesses like any operating system, and the biggest weakness is a complacent user.

[SomeGuyDude]

Guys, deal with it. Ubuntu isn't invincible, nor Linux at large. If it's a computer, it can be broken. Linux may be harder, but let's not kid ourselves: we're benefiting from Linux's relative lack of popularity and "computer geek" image right now. The people who make worms that are built to steal personal info know that if they want it to work it'll be better to write one for 85% of the user base than the <5% that are likely very computer savvy.

[Barrucadu]

Isn't it common sense to not just run any file you get via email?

[Skripka]

Isn't it common sense to not just run any file you get via email?

If common sense is so uncommon that we are always asking where it went, why do we call it "common sense"?

[samjh]

Isn't it common sense to not just run any file you get via email?

Only for security-savvy users, which 99% of computer users are NOT.

Common sense is not common.

[TheLions]

There are people out there who will do ANYTHING and make up ANYTHING in their attempt to discredit something they don't like (e.g. conspiracy theorists, people who think President Obama is Muslim, etc.). I'd start asking questions: What Firefox version is this person using? Is this person fully patched? Can this be reproduced in a similarly-configured version of Windows (same Firefox version, fully patched)? Ultimately, the user is the weakest link as that worm required user intervention to trigger. Still, I've seen worms in Windows that did not require user intervention. What does that say about security in Windows compared to Linux? QED

Someone should fix this...

Don't fix security holes as MS! (if there is a hole, don't fix it just sell some AV software)

[bekind2thenoob]

How does this get around AppArmour?