Linux: security through obscurity?
Talk about "security through obscurity"! The only thing keeping these scourges off of Linux and the Mac OS is that it's not worth the work to get such business. The exact same thing is true of spyware and adware. Of course you could write such things for the Mac and Linux and they would work.
So, it seems, the only reason that Linux does not suffer a constant series of worms, and that Linux users are not continually trying to fight off spyware and related nastiness, is that we are such a backwater that nobody even feels a wish to attack us. We're not actually more secure; we're just too boring to bother messing with.
We don't buy it. The "not popular enough" argument may help make victims feel better and make them feel that they need not worry about perhaps changing operating systems, but it does not stand up to scrutiny.
Attackers have numerous reasons for doing the things they do. One of them is simply attracting attention and becoming in some way famous, even if that fame, such as it is, only attaches to a pseudonym somewhere. If you are trying to show your 31337 credentials by compromising Windows systems, you'll find that the barriers to entry are fairly high: there are, shall we say, a lot of people playing in that space. Certainly, one would think, at least one malware author would be attracted by the relatively green, uncrowded pastures of the Linux world? If nothing else, it would make a nice break while somebody else's worm is ravishing corporate networks worldwide.
Along these lines, it's worth noting that the white-hat security researchers certainly do not find free software to be too obscure to merit their attention. One need not read Bugtraq for long to see that there is a steady stream of issues with free software being reported there.
Another reason to attack systems is monetary gain. Access to zombie networks can now be bought and sold, as can information stolen by spyware or advertisements delivered by adware. There are millions of Linux systems attached to the net; many of them are in prominent locations with access to high-bandwidth network connections. They would make delightful spam relays or denial-of-service attackers. If an attacker could compromise 1000 of those millions of systems, he or she would have a nice little corral full of zombies which, one thinks, would be worth the trouble.
Spammers seem to think that getting around SpamAssassin's tests is worth the extra effort. Certainly, one might think, being able to dump ads into Linux browsers, or direct them to unwanted pages, would merit a few minutes of somebody's time. The ultimate payoff might be smaller, but an attacker could have the entire field to himself.
There are, in other words, incentives to compromise Linux systems on a wide scale. Compromises do happen, but the sort of widespread trouble experienced by others has, so far, been absent from the Linux world. The idea that nobody with the requisite skills has even tried to create such an incident is hard to believe. One can only assume that such attempts have been made, but that they have not succeeded.
Linux systems are not immune from the ills of modern computing. There will almost certainly be some unpleasant episodes in the future. Recent reports have made it clear that Linux-based browsers are not free of exploitable bugs. As the free mail clients become increasingly complex and powerful, somebody will certainly find a way to compromise them. Last week's Red Hat security update phishing attempt was clumsy in the extreme - social engineering attacks that assume a victim simultaneously smart enough to untar and build an attack program and dumb enough to actually do it are unlikely to go far. As long as our mail clients do not allow programs in incoming mail to be run, these attacks will be relatively hard - but somebody, somewhere will probably figure out how to do it.
Third-party applications could turn out to be an area worthy of special concern in the future. More home users could lead to more people who will, without question, install that "cool music download utility" found, without source, on some obscure web site. Eventually those users will learn the error of their ways - through hard experience. In the meantime, this risk can be mitigated by insisting on free applications, and by having the bulk of interesting applications be available directly from the network of distribution mirrors. There have been several attempts to put trojan horses into programs downloaded by free software users, but these attempts have always been detected quickly, and they have affected very few people.
Our security is insufficient, and, eventually, somebody is going to demonstrate that to the world. There will, beyond doubt, be lots of snide columns posted when that happens. We must continue to work to prevent this occurrence, and to minimize the damage when it happens. In the meantime, however, we need not accept claims that only obscurity keeps attackers away from Linux.
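The article's line of defence against mail-borne attacks is that "our mail clients do not allow programs in incoming mail to be run." On a Unix system that guarantee is only as good as the mailcap table (RFC 1524) the client consults to pick a handler for each attachment type. The following audit script is an added example, not code from LWN or from any mail client it mentions: it parses a mailcap file and flags entries whose view command would execute the attachment rather than display it. The sample file is constructed for the example; the list of interpreter names is an assumption you may want to extend for your own systems.

```python
"""Mailcap handler audit (added example, constructed sample data)."""
import os
import re

# Constructed ~/.mailcap; the application/x-sh and application/octet-stream
# entries are the ones a reviewer should object to.
SAMPLE_MAILCAP = """\
# constructed ~/.mailcap for the example
text/html; w3m -T text/html %s; needsterminal
image/*; display %s; test=test -n "$DISPLAY"
application/pdf; xpdf %s
application/x-sh; sh %s; needsterminal
application/octet-stream; %s
audio/*; mpg123 %s; \\
    description="play it"
"""

# Programs that run their argument as code instead of rendering it (assumed list).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "perl", "python",
                "python3", "ruby", "source", ".", "eval", "exec"}


def parse_mailcap(text):
    """Return [(mime_type, view_command, [extra fields])] for each entry.

    Handles '#' comment lines, backslash line continuation and the '\\;'
    escape inside commands, which is all the structure RFC 1524 defines.
    """
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):          # continued on the next line
            buf += raw.rstrip()[:-1]
            continue
        logical_lines.append(buf + raw)
        buf = ""
    if buf:
        logical_lines.append(buf)

    entries = []
    for line in logical_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in re.split(r"(?<!\\);", line)]
        if len(parts) < 2:
            continue                              # a type with no command: ignore
        entries.append((parts[0].lower(), parts[1], parts[2:]))
    return entries


def risky_reasons(command):
    """Explain why a view command executes the attachment; [] if it does not."""
    reasons = []
    tokens = command.split()
    if not tokens:
        return reasons
    if tokens[0] == "%s":                         # the attachment *is* the command
        reasons.append("attachment is executed directly")
    if tokens[0] in INTERPRETERS and "%s" in command:
        reasons.append("attachment is fed to an interpreter (%s)" % tokens[0])
    return reasons


def audit_mailcap(text):
    """Return [(mime_type, command, reasons)] for entries that run attachments."""
    findings = []
    for mime_type, command, _fields in parse_mailcap(text):
        reasons = risky_reasons(command)
        if reasons:
            findings.append((mime_type, command, reasons))
    return findings


if __name__ == "__main__":
    # Audit the real tables when they exist; otherwise show the sample.
    paths = [p for p in (os.path.expanduser("~/.mailcap"), "/etc/mailcap") if os.path.exists(p)]
    if paths:
        for path in paths:
            with open(path) as fh:
                for mime_type, command, reasons in audit_mailcap(fh.read()):
                    print("%s: %s -> %r: %s" % (path, mime_type, command, ", ".join(reasons)))
    else:
        for mime_type, command, reasons in audit_mailcap(SAMPLE_MAILCAP):
            print("%s -> %r: %s" % (mime_type, command, ", ".join(reasons)))
```

The point of separating `parse_mailcap` from `risky_reasons` is that the parser is the reusable part: the same entries can be checked against any other policy (for instance, requiring a `test=` field on wildcard types) without touching the tokenizer.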
Posted Nov 4, 2004 3:54 UTC (Thu)
by mab (guest, #314)
[Link] (1 responses)
"not popular enough" but according to this article Linux is the most breached 24/7 online system out there. I don't know if this report was paid for by Apple but it makes an interesting read.

Posted Nov 4, 2004 10:27 UTC (Thu)
by hppnq (guest, #14462)
[Link]
mi2g explicitly claim they have no business relationship with Apple. They have added an "Important note" which says, basically, that criticism regarding mi2g's studies might have been "clandestinely funded". Googling for mi2g will show you why they saw the need for such a remark.
Oh, and check out their research methods: what a joke.

Posted Nov 4, 2004 8:16 UTC (Thu)
by grahammm (guest, #773)
[Link]
It is also interesting, on the server front, that there seem to be more attacks on Windows IIS than there are on Apache even though Apache is the more popular product.

Posted Nov 4, 2004 10:13 UTC (Thu)
by james (subscriber, #1325)
[Link] (1 responses)
> Our security is insufficient, and, eventually, somebody is going to demonstrate that to the world.
I don't know about you, but I think it unlikely that we're going to see a "big bang", a sudden appearance of a brand-new threat. It hasn't happened that way in the past: the scum have tried a new approach, if they're lucky it's sort-of worked, then they refine it.
But we get to see the new approaches, and craft our responses at the same time. At the moment, the community seems to be moving fast enough to keep up with the scum, and often to cut off complete approaches for attack.
As the author hinted, the big potential problem is users with root (which home users do need) but without a clue. I suspect that a lot of the security engineering is going to have to be usability engineering: making the easy way the safe way, and the safe way the easy way.
James

Posted Nov 11, 2004 16:55 UTC (Thu)
by rgmoore (✭ supporter ✭, #75)
[Link]
> I suspect that a lot of the security engineering is going to have to be usability engineering: making the easy way the safe way, and the safe way the easy way.
And I think that the author has the correct general approach to that problem, too; ensure that there are enough Free Software alternatives included with the distribution. Comprehensive distributions like Debian and Gentoo have enormous libraries of software available, and it's probably easier to install that software through apt or emerge than it is to download and install a package from a third party site. It's always possible that the distro will make a mistake and include a malicious package, but it does provide a much higher barrier to trojan-type malware than if users are installing random programs off the net.

It's about diversity
Posted Nov 4, 2004 16:24 UTC (Thu)
by pflugstad (subscriber, #224)
[Link]
I think this article also misses another HUGE reason why Linux hasn't been attacked - it's way too diverse.
Where one attack on one version of Windows may hit the vast majority of installed Windows systems, the same cannot be said of Linux. While an attack may work on say Red Hat 7.3 or some specific version, it usually doesn't work on Red Hat 8 or 9, much less any version of Mandrake or Debian or any other distro.
The reasons for this are many and varied: different libc versions, different installed applications, different defaults, etc. And each one of these differences makes it all that much harder for an attacker to write a single attack on Linux systems.
This diversity drastically limits the amount of damage any single attack can do to the "Linux" community.

Posted Nov 5, 2004 10:06 UTC (Fri)
by dps (guest, #5725)
[Link] (2 responses)
Linux does win *some* security through obscurity. However most of the lack of worms I think is something else, with the most prominent being:
1. There is no easy way of executing an attachment within any MUA I am aware of those. At least 99% of the people that can bypass this problem are smart enough not to do it.
2. My normal user identity, which is all an email worm is likely to get, does not have write permission to the system binaries, boot scripts and other things commonly targeted by windows virii and worms.
Similar remarks apply to web browsers, which simply lack privilege and the misdesign of IE, for malware to apply. Multiuser systems in general are not plagued by worms for similar reasons, although NT is getting some attention because enough people routinely use administrator (the windows NT superuser).

Posted Nov 5, 2004 15:32 UTC (Fri)
by jaclu (guest, #7280)
[Link] (1 responses)
> 2. My normal user identity, which is all an email worm is likely to get, does not have write permission to the system binaries, boot scripts and other things commonly targeted by windows virii and worms.
Simply not true.
If I could get Joe User to run a malware, it could install itself to be run from .bashrc or similar each time the user logs in, and by binding to a high port a listening daemon could be started without root privs.
Since he probably will login when he starts his system, the evil-daemon will be started, then it runs until the machine is shut down regardless of whether the user is still logged in.
So if you can get your malware to be run with or without user intervention, a daemon can and will be installed.

Posted Nov 5, 2004 16:59 UTC (Fri)
by oak (guest, #2786)
[Link]
yes, and then the user daemon can output somewhere in the net system information and fetch back a root exploit specific to that version of kernel etc. Or listen to requests from network to test latest root exploits until one is found that gains the root rights...

Posted Nov 5, 2004 17:05 UTC (Fri)
by oak (guest, #2786)
[Link]
Having source code is no guarantee against trojans. While it might be possible for normal people to manually check C-code against trojans, I don't think anybody does that to 100KB configure and other GNU Autotools generated scripts coming nowadays with most of the source code. Configure scripts are obscure, use a lot of scripting facilities (shell, awk, perl etc) and with scripting it would be pretty easy to add some trojan somewhere in users' login stuff (.bashrc, .xsession, gnome/kde config stuff). In C-code being compiled from source that's much harder.

Posted Nov 8, 2004 18:53 UTC (Mon)
by rickmoen (subscriber, #6943)
[Link]
Jon wrote:
> Along these lines, it's worth noting that the white-hat security researchers certainly do not find free software to be too obscure to merit their attention. One need not read Bugtraq for long to see that there is a steady stream of issues with free software being reported there.
Just for context and perspective:
1. Those include DoS attacks (certainly not a good thing, but should not be confused with system compromise), and a huge number of speculative, possible, theoretical vulnerabilities for which no exploit is available and maybe never will be.
2. And many of those would be exploitable only in improbable system configurations, or involve software rarely installed or seldom enabled.
3. And almost all of those turn out to be vulnerabilities at an access level lacking system privilege.
4. And, the way Linux/BSD systems have tended to be maintained over the last few years (apt-get, urpmi, cvsup for BSD ports skeleton update, up2date, etc.), the time-windows of vulnerability have tended to either be incredibly narrow or (more typically) nonexistent.
And you know what? The next time someone unleashes an unexpected, impossible-to-plan-for global attack on a popular Linux/BSD system daemon (and, mind you, even the Morris worm involved a known hole in sendmail configuration) — or on a Web browser, or on a mail client — it'll be a two-day wonder: After OS-reloading where necessary (obviously not required unless there's been root compromise), people would just switch to one of the alternatives to that daemon or userland app not sharing the same failure mode, while waiting for a patched version of the affected one — because, unlike some communities, we seldom either get trapped by non-modular, inflexible systems or make ourselves dependent on Hobson's Choice take-it-or-leave-it system-wide "security packs".
And yes, stupid behaviour like installing untrustworthy apps from dubious sources with root authority (or ditto "security fixes" like the "Red Hat security update phishing attempt") will always subvert and defeat the measures we've implemented to make it difficult for the hapless to hurt themselves.
About that "phishing attempt": I've listed almost all of the innumerable reasons why only someone both mindbogglingly gullible and also extremely adept with building and installing software with root authority could have fallen for it.
Meanwhile, if you want to be constructively paranoid about something, keep looking over those mailcap entries — and install/configure a proper IDS.
Best Regards,
Rick Moen
rick@linuxmafia.com

Posted Nov 12, 2004 23:40 UTC (Fri)
by drtr1 (guest, #26002)
[Link]
I believe that the eWeek article is making a relevant point, which the author here may have missed.
From an epidemiological point of view, if a certain fraction of the individuals (computers) within a population (the Internet) are susceptible to infection (a Linux virus), then the success of that infection will depend critically on what that fraction is, in addition to how infectious the virus is.
For example, many viruses use email and address books - if only 1 in 100 contacts are other Linux machines, then the virus will spread much more slowly (and be much less successful) than a similar Windows virus.
Of course, this doesn't quite apply if Linux users group together in cliques; then they form monoculture populations which are more susceptible to infection. Although, as has been pointed out, diversity in the gene pool (i.e. different distributions) provides infection resistance to the whole population.
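The jaclu/oak exchange above describes malware that needs no root at all: it restarts itself from a login script and listens on an unprivileged port. The check a defender wants for that threat model is correspondingly unprivileged. The script below is an added example, not code from the page or any of its commenters: it scans a user's shell startup files for lines that background or detach a process (or run something hidden under the home directory or from a world-writable temp directory), and reads the kernel's `/proc/net/tcp` table for LISTEN sockets owned by a non-root uid on a port above 1023. The startup file and the `/proc/net/tcp` excerpt are constructed for the example, and the little-endian decoding of addresses is an assumption that holds on x86 hosts.

```python
"""Audit of user-level persistence and unprivileged listeners (added example)."""
import os
import re

# Constructed ~/.bashrc: line 4 is the kind of entry jaclu describes.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
[ -x ~/.cache/.sysupd ] && nohup ~/.cache/.sysupd >/dev/null 2>&1 &
eval "$(dircolors -b)"
"""

# Constructed /proc/net/tcp excerpt: a root listener on 22, an unprivileged
# (uid 1000) listener on 9090, a root listener on 631 and one established
# connection.  Addresses and ports are hex; uid is the eighth column.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:2382 0100007F:B4E2 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 20 4 30 10 -1
"""

STARTUP_FILES = [".bashrc", ".bash_profile", ".profile", ".zshrc", ".xsession", ".xinitrc"]
BACKGROUND = re.compile(r"(?<!&)&\s*$")                  # trailing '&', but not '&&'
DETACH = re.compile(r"\b(nohup|setsid|disown)\b")
HOME_OR_TMP_PATH = re.compile(r"(?:~|\$HOME|/tmp|/var/tmp|/dev/shm)/\S+")
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def suspicious_startup_lines(text):
    """Return [{'line': n, 'text': ..., 'reasons': [...]}] for lines that start
    something in the background or reference hidden/temporary paths.  The
    heuristics are deliberately coarse: a reviewer reads the hits, not the tool."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = []
        if BACKGROUND.search(line):
            reasons.append("backgrounds a process")
        if DETACH.search(line):
            reasons.append("detaches from the login session")
        for tok in HOME_OR_TMP_PATH.findall(line):
            if tok.startswith(TMP_DIRS) and "runs from a world-writable directory" not in reasons:
                reasons.append("runs from a world-writable directory")
            last = tok.rstrip(";&|").split("/")[-1]
            if last.startswith(".") and "hidden file under home or temp dir" not in reasons:
                reasons.append("hidden file under home or temp dir")
        if reasons:
            findings.append({"line": n, "text": line, "reasons": reasons})
    return findings


def ipv4_from_proc(hexaddr):
    """/proc/net/tcp prints IPv4 addresses as 8 hex digits in host byte order;
    on a little-endian host (assumed here) the bytes come out reversed."""
    v = int(hexaddr, 16)
    return ".".join(str((v >> (8 * i)) & 0xFF) for i in range(4))


def unprivileged_listeners(proc_net_tcp_text, min_port=1024):
    """Return [(address, port, uid)] for LISTEN sockets (state 0A) owned by a
    non-root uid on a port that can be bound without root."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:     # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        local, state, uid = fields[1], fields[3], int(fields[7])
        if state != "0A":
            continue
        addr_hex, port_hex = local.split(":")
        port = int(port_hex, 16)
        if uid != 0 and port >= min_port:
            found.append((ipv4_from_proc(addr_hex), port, uid))
    return found


if __name__ == "__main__":
    home = os.path.expanduser("~")
    files = [os.path.join(home, f) for f in STARTUP_FILES if os.path.exists(os.path.join(home, f))]
    sources = [(p, open(p).read()) for p in files] or [("<sample .bashrc>", SAMPLE_BASHRC)]
    for path, text in sources:
        for hit in suspicious_startup_lines(text):
            print("%s:%d: %s  [%s]" % (path, hit["line"], hit["text"].strip(), ", ".join(hit["reasons"])))
    tcp = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE_PROC_NET_TCP
    for addr, port, uid in unprivileged_listeners(tcp):
        print("listener %s:%d owned by uid %d" % (addr, port, uid))
```

Run as the user being audited it needs no privilege, which is the point: the persistence jaclu describes lives entirely in files and sockets that user already owns. A periodic diff of `suspicious_startup_lines` output against a known-good baseline is a cheap host-level detection; the listener check complements it for daemons started some other way.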
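drtr1's epidemiological argument, and pflugstad's point that distribution diversity shrinks the population any single exploit can reach, can both be carried through in a small model. The code below is an added example, not part of the page or its comments: a deterministic mean-field SIR run in which one infected host is released once into a well-mixed Internet where only a fraction of contacts run the vulnerable platform (drtr1's "1 in 100"), and once into a clique where that platform only talks to itself. All parameter values (contact rate, infection probability, infectious period, population size) are constructed for illustration.

```python
"""Mean-field SIR worm model (added example, constructed parameters)."""


def basic_reproduction_number(contacts, p_infect, infectious_steps, frac_susceptible):
    """Expected secondary infections per infected host at the outbreak's start:
    contacts per step, times the chance a contact runs something this worm
    can infect, times the chance the infection takes, times the number of
    steps the host stays infectious before it is cleaned up."""
    return contacts * frac_susceptible * p_infect * infectious_steps


def simulate(n_hosts, frac_susceptible, contacts, p_infect, infectious_steps,
             steps=200, clique=False):
    """Deterministic SIR-style run seeded with one infected host.

    clique=False: contacts are drawn from all n_hosts, so (1 - frac_susceptible)
                  of them are wasted on platforms the worm cannot touch.
    clique=True:  the susceptible platform forms its own population and every
                  contact is a potential victim (drtr1's monoculture clique).
    Returns the fraction of the susceptible platform ever infected.
    """
    pool = n_hosts * frac_susceptible            # hosts this worm can infect
    population = pool if clique else n_hosts     # hosts contacts are drawn from
    s, i, ever = pool - 1.0, 1.0, 1.0            # susceptible, infectious, cumulative
    removal = 1.0 / infectious_steps             # fraction cleaned up per step
    for _ in range(steps):
        new = min(s, i * contacts * p_infect * (s / population))
        s -= new
        i += new - removal * i
        ever += new
        if i < 1e-9:                             # outbreak has burned out
            break
    return ever / pool


def compare(frac_susceptible=0.01, n_hosts=100_000, contacts=20, p_infect=0.5,
            infectious_steps=2):
    """Same worm, two contact structures.  Returns
    (R0 well-mixed, R0 clique, fraction infected well-mixed, fraction infected clique)."""
    args = (n_hosts, frac_susceptible, contacts, p_infect, infectious_steps)
    return (basic_reproduction_number(contacts, p_infect, infectious_steps, frac_susceptible),
            basic_reproduction_number(contacts, p_infect, infectious_steps, 1.0),
            simulate(*args, clique=False),
            simulate(*args, clique=True))


if __name__ == "__main__":
    r0_mixed, r0_clique, hit_mixed, hit_clique = compare()
    print("well-mixed, 1%% vulnerable: R0 = %.2f, %.3f%% of the platform infected"
          % (r0_mixed, 100 * hit_mixed))
    print("monoculture clique:         R0 = %.2f, %.1f%% of the platform infected"
          % (r0_clique, 100 * hit_clique))
    # pflugstad's diversity argument is the same lever: splitting the platform
    # into incompatible distributions lowers frac_susceptible for any one exploit.
    for frac in (0.25, 0.05, 0.01):
        print("fraction vulnerable %.2f -> R0 %.2f" % (frac, basic_reproduction_number(20, 0.5, 2, frac)))
```

With these numbers the worm has R0 = 20 inside the clique and saturates the platform in a handful of steps, while the identical worm released into the well-mixed population has R0 = 0.2 and dies out after infecting a couple of hosts. Nothing about the worm changed; only the fraction of reachable hosts it could use did, which is exactly the quantity that distribution diversity and not clustering into monocultures keep small.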