Are we Linux users arrogant about security?


Hello,

I don't necessarily know if you do need to run anti-malware software on your Linux desktop yet.  Even 11 months later, I'm still not seeing a major uptick in Linux-based malware targeting the desktop.  Overall, I think Linux desktop users tend to be more technical than their Windows counterparts, but there are also quite a bit fewer of them.  I suspect that a good deal of desktop Linux' lack of threats is more attributable to the fact it isn't economically viable for criminals to invest in developing malware for it--they have to go where they'll get the highest return on investment, and right now that's Windows.

If someone makes a Linux distro that truly takes off in the desktop space, we may see the kinds of threats now happening with Linux-derived Android.  Which just goes to show you how something that started out being thought of as secure can be shown as being less secure when enough eyeballs are exposed to it.

Right now, the biggest problem area emerging seems to be with embedded systems.  There are a lot of residential broadband gateway router and modem manufacturers out there who don't do a good job of shipping or providing updates.  And having the device through which all network traffic, both Internet and LAN, flows being compromised is not a good thing.

Regards,

Aryeh Goretsky


This makes a lot of sense. A problem related to embedded systems, often complained about here and elsewhere, is with updates to Android. My Samsung Galaxy S3 has not been updated to see off recent threats, and I don't know if they ever will update it. It's as if they are using the threats to encourage people to upgrade their phones or something.

From your security perspective, do you think hosts files are a good defense against malware? I'm thinking about http://winhelp2002.mvps.org/hosts.htm and I don't know to be sure what all the things blocked there are, but lots of them look like dodgy porn sites.

Maybe another reason I don't have problems with Linux is that I keep it updated (and don't use distros without regular security updates). I think I read Microsoft are moving to install security fixes as soon as they are available, which would make a big difference, I think, instead of waiting for Patch Tuesday.

Also, I think the ground-up networking design of Linux must have some security benefits. I know Windows has hardened up considerably in this regard over the years. Do the NSA-designed SELinux additions have benefits here?


I suspect that a good deal of desktop Linux' lack of threats is more attributable to the fact it isn't economically viable for criminals to invest in developing malware for it--they have to go where they'll get the highest return on investment, and right now that's Windows.

I agree that it isn't economically viable. However, it's not based purely on the fact there are fewer GNU/Linux desktops than Windows. It's extremely hard to target a broad range of Linux distros/configurations to make it worthwhile. There are still millions of desktop Linux systems out there. A homogeneous environment like Windows is easy to attack; heterogeneous ones like Linux aren't. Of course, that's not the only reason. A built-in repository and package manager that updates the entire system at once also eliminates a great deal of vectors.

If someone makes a Linux distro that truly takes off in the desktop space, we may see the kinds of threats now happening with Linux-derived Android.  Which just goes to show you how something that started out being thought of as secure can be shown as being less secure when enough eyeballs are exposed to it.

While Android may have more malware targeting it (still nowhere near the amount targeting Windows) than, say, iOS or Windows Phone, the encounter rates on devices with a curated store like Play, Amazon, etc., are tiny. Compare that to the encounter rates on desktop Windows (20-50% depending on locale and Windows version). So no, the threats facing a system aren't necessarily proportional to its market share, as some would argue.

Right now, the biggest problem area emerging seems to be with embedded systems.  There are a lot of residential broadband gateway router and modem manufacturers out there who don't do a good job of shipping or providing updates.  And having the device through which all network traffic, both Internet and LAN, flows being compromised is not a good thing.

That's a fair assessment. Yet another reason why whole-system updates are essential to security. Windows suffers from this problem. Oftentimes, third-party software is out of date and vulnerable to attack.

As for routers, they should really automatically update themselves. It's laziness on the part of manufacturers/suppliers that's to blame.


Given that Linux is an important part of large botnets and even Windows has more "enabled by default" exploit mitigation techniques, I find it amazing that Linux forums generally think of Linux as a "more secure" operating system. It's not 1999 anymore, friends.


Given that Linux is an important part of large botnets and even Windows has more "enabled by default" exploit mitigation techniques, I find it amazing that Linux forums generally think of Linux as a "more secure" operating system. It's not 1999 anymore, friends.

I would be willing to say that 99% of system security, at least on desktop systems, comes from the behavior of the user.  I could write a script for Linux right now, no longer than 2 lines, that no anti-virus would detect, that would wreck a user's home folder and possibly several other folders higher than that.  All you gotta do is give it a snazzy name, tell them it does something else, and a lot of people, especially Windows users, will never ask to see the source code; they'll never open a plain text script file and see what it does; they just double-click it, click Continue if UAC pops up, and hope for the best.  There's not a whole lot software designers can do to fix the stupidity of the average user.


Hello,

The smartphone (and somewhat by extension, the tablet) space is an interesting one.  While there is seemingly a large amount of competition due to the profusion of devices and carriers, in reality consumers' choices are actually quite reduced due to there not being a large number of carriers, each of whom has limitations about which devices will work on their network.  Profit from individual device sales is low and the lack of market competition and consumer choice means that device manufacturers and carriers don't have to do much in terms of providing updates.  It's not like most people are going to quit using cell phones altogether because they got some privacy-invasive app that was spewing ads on it.  There's really little downside/consequence, aside from a very mild and utterly forgettable PR hit, to not providing updates, which, after all, do cost time and money to build, test and deploy.

I think using hosts files blocking (and similar site blacklisting techniques) is a good defense.  But, like anti-malware software, it is only a part of the solution.  User education and having good backups are just as important, if not more so, than anti-malware software.

A year ago, at the Virus Bulletin 2014 conference (https://www.virusbtn.com/conference/vb2014/programme/index) there was a panel discussion at the end discussing the most widespread, severe threats over the past year or so.  There were mentions of Heartbleed on Linux, Flash, Java, PDF files, etc.  What none of the panelists mentioned, and no one seemed to comment on, was that Microsoft wasn't mentioned at all.  I don't think this was simply a matter of threat alert fatigue, but rather the result of Microsoft having done enough security work that there were no highly pervasive threats like those facing these other platforms.  While Microsoft may have (arguably) just been lucky that year, I think this is more like the result of a decade of pervasive security engineering finally beginning to pay off.  Whether the new Microsoft with its Windows 10 rapid release cadence will be able to continue this remains to be seen, though.

SELinux does offer benefits, but there are also drawbacks to its adoption.  The learning curve is one issue, as are concerns about its provenance.

Regards,

Aryeh Goretsky



SSH brute force attacks against poorly secured routers really? That's the best you can come up with?

The malware behind the botnet is known as XOR DDoS and was first identified in September last year. Attackers install it on Linux systems, including embedded devices such as WiFi routers and network-attached storage devices, by guessing SSH (Secure Shell) login credentials using brute-force attacks.

XOR DDoS is one of several malware programs that target Linux systems, and reflects a wider trend of hijacking poorly configured Linux-based systems for use in DDoS attacks. Old and unmaintained routers are especially vulnerable to such attacks, as several incidents have shown over the past two years.

Any system running a poorly passworded SSH-like service can be attacked in this way. It has nothing to do with Linux, and everything to do with securing a box running internet facing services. It should also be noted that the brute force attackers themselves install the malware, not the users.

I ask the question again, name a single large botnet running on GNU/Linux desktop machines, not routers. That's the difference. Windows botnets are running on ordinary desktop machines because it's easy to infect them with malware. Linux on the other hand is far harder.



SSH brute force attacks against poorly secured routers really? That's the best you can come up with?

Any system running a poorly passworded SSH-like service can be attacked in this way. It has nothing to do with Linux, and everything to do with securing a box running internet facing services. It should also be noted that the brute force attackers themselves install the malware, not the users.

I ask the question again, name a single large botnet running on GNU/Linux desktop machines, not routers. That's the difference. Windows botnets are running on ordinary desktop machines because it's easy to infect them with malware. Linux on the other hand is far harder.


You said name a single botnet, and I named a single botnet ... Is that not good enough, or did I prove my point too easily for you?


You said name a single botnet, and I named a single botnet ... Is that not good enough, or did I prove my point too easily for you?


Sigh...

Okay, name a single large botnet running on ordinary GNU/Linux desktop systems

Notice that part where I said desktop systems? A router isn't a desktop computer; it's often a very specific implementation like BusyBox which rarely gets updated and in a lot of cases has poorly secured internet-facing services such as SSH running. That's how the hackers get access to them to install the DDoS software.

Compare that to ordinary Windows desktop machines which form the basis of gigantic botnets. Are you starting to see the difference yet?


Hello,

What about large botnets running on Linux (and some BSD and Mac OS X) servers?

There are a lot more embedded systems and servers running Linux than desktop installs, which is why those are more heavily targeted by attackers with financially-motivated malware schemes.

Windigo affected over 25,000 *NIX servers (each of which was running dozens to thousands of web sites), sent at least 35M spams/day, had its own C&C network and also served up at least 500K malvertisements/day.  Keep in mind that mapping of the criminal activity was only partially done due to the distributed nature of this family of Linux/BSD/OSX malware, so the spams and malvertisements could potentially be a lot higher.  Even just knowing the known numbers, though, points to a sizable amount of infrastructure.

Regards,

Aryeh Goretsky


Well, if it comes to newbies, it's not ignorance, it's bliss, Linux does make it harder for them to botch it up. If it comes to seasoned users, Linux is a partner that puts great emphasis on verified trust. Without looking at other OSs, I'd say it's a pretty sweet deal, some arrogance is understandable.



First of all we need to make a distinction between desktop users, and other categories such as servers and embedded devices like routers. They are completely different classes, with the latter being susceptible to internet facing attacks such as brute forcing (guessing passwords, stolen credentials), SQL injections, and so forth. While it's possible to run internet facing services on desktop machines too, it's not as common. Not only that, but unlike devices like routers, GNU/Linux distros have built-in whole-system automatic updates.

As for numbers, there are still millions of desktop GNU/Linux users. However, because of the diversity involved, as well as limited internet-facing services and automatic updates, it's very difficult to exploit them en masse. I don't even run SSH on my main desktop machine because of the security implications, and even if I did, provided you take the right precautions (such as enforcing non-root SSH permissions), it's still reasonably safe.

It's important to keep in mind that none of the botnets or malware mentioned were installed by users themselves, but by remote brute-force attacks aimed at internet-facing services like SSH and Apache. Funny enough, Windigo-hacked machines were actually spreading Windows malware. That's a common objective because of the ease with which Windows desktop machines are infected.
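The thread keeps coming back to the same entry point for Linux botnets: password brute forcing against an exposed SSH service, and the "non-root SSH" precaution mentioned above. As an added Python example (not code from the thread or from any project it names), the block below does the defender's two checks: it counts failed logins per source address in auth.log-style lines, flags a source that eventually succeeds, and audits an sshd_config for the weak directives (root login, password authentication) that the post calls out. The log lines and both config texts are constructed samples.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not real traffic); one source hammers root,
# one legitimate user logs in with a key.
SAMPLE_AUTH_LOG = """\
Oct  3 10:01:02 nas sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  3 10:01:03 nas sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  3 10:01:04 nas sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct  3 10:01:05 nas sshd[1205]: Failed password for root from 203.0.113.7 port 40131 ssh2
Oct  3 10:01:06 nas sshd[1207]: Failed password for root from 203.0.113.7 port 40135 ssh2
Oct  3 10:01:09 nas sshd[1209]: Accepted password for root from 203.0.113.7 port 40140 ssh2
Oct  3 10:05:00 nas sshd[1300]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Oct  3 10:05:30 nas sshd[1302]: Accepted publickey for alice from 198.51.100.20 port 51002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def find_brute_force_sources(log_text, threshold=5):
    """Return {ip: failed_count} for sources with at least `threshold` failed password logins."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def find_successes_after_failures(log_text, threshold=5):
    """Return (user, ip, auth_method) for accepted logins from brute-forcing sources.

    A success from such a source is the signal worth an alert: the guessing worked.
    """
    suspects = find_brute_force_sources(log_text, threshold)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(3) in suspects:
            hits.append((m.group(2), m.group(3), m.group(1)))
    return hits


# Directive -> (acceptable values, value assumed when the directive is absent, advice).
# Defaults follow current OpenSSH: root login defaults to prohibit-password,
# password authentication defaults to yes, empty passwords default to no.
SSHD_CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password", "without-password"}, "prohibit-password",
                        "root can log in over SSH; set PermitRootLogin no"),
    "passwordauthentication": ({"no"}, "yes",
                               "password guessing is possible; use keys and set PasswordAuthentication no"),
    "permitemptypasswords": ({"no"}, "no", "empty passwords accepted; set PermitEmptyPasswords no"),
}


def audit_sshd_config(config_text):
    """Return [(directive, effective_value, advice)] for settings that leave brute forcing viable."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    for key, (acceptable, default, advice) in SSHD_CHECKS.items():
        value = seen.get(key, default)
        if value not in acceptable:
            findings.append((key, value, advice))
    return findings


# Constructed configs: a typical weak embedded-device setup beside a hardened one.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = "Port 22\nPermitRootLogin no\nPasswordAuthentication no\nPermitEmptyPasswords no\n"
```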


Is it possible to quantify the likelihood of infection/penetration if someone practices sensible precautions on a Windows system? Has this been studied? I feel that when you enlighten people about common threats and explain tactics used by scammers etc., those people have drastically fewer problems. Even explaining how to choose the "custom install" option and uncheck the third-party crap which is often bundled with the "express install" option drastically improves the average user's system.

Advanced users might scoff at some of this stuff, but for the average users, who are in the overwhelming majority, it is the difference between a lean machine working well and a system bloated with garbage.


Hello,

From a quick search engine check, I believe there are about 1.2 billion Windows users (which I'm guessing combines desktop and server OS licenses, not just desktops).  Unless you count Android OS as Linux on the desktop, having millions of desktop Linux users (which I interpret to be a single-digit or even double-digit million installed base) is a sub-1% market share--essentially a rounding error.  I don't think it is economically viable for organized criminals to go after that small a userbase, especially when you consider the fragmentation effect magnified by all those different distros and alternative package managers.  Now, espionage and surveillance are a different matter.  Let's say for a moment, that there's a hypothetical government that wants to spy on Tibetan activists and Falun Gong members.  That hypothetical government is going to build attack tools targeting those groups' computers, regardless of whether they're running Mac OS X, Windows or Linux on the desktop.  But your run-of-the-mill criminal is interested in making money, not (hypothetically) repressing Tibetan activists and Falun Gong practitioners.

On the embedded and server sides, a lot of brute-forcing does go on, but so does exploitation of old, insecure services (daemons).  There are a lot of old embedded devices out there which are no longer maintained by the vendor or which the customer dropped maintenance for and will never get patched.  Likewise, there are a lot of web hosting firms out there that run outdated distros and software on top of those distros (not just ssh and apache, but things like php, cPanel, WordPress, etc.) and cannot upgrade because they glued together a billing or CRM system on top of it that gets broken by the updates and they don't have the skills to fix things (or the one person that knew how it all worked left).  That's more common than you may think, and a continually recurring source of those Windigo infestations I mentioned earlier.

The Windigo-compromised machines were actually spreading copies of its components to other Linux, BSD and Mac OS X servers, but most of the targeting was to the dominant, most successful (in a Darwinian sense) desktop platform, Microsoft Windows.  If desktop Linux standardizes and gets a few hundred million users, we'll likely see some interesting--and quite possibly, novel--attacks on it as well.  For now, though, its fragmentation and the relative paucity of users "doom" Linux on the desktop to a much smaller, and more secure, fraction of desktop users.

Regards,

Aryeh Goretsky




Sigh...

Notice that part where I said desktop systems? A router isn't a desktop computer; it's often a very specific implementation like BusyBox which rarely gets updated and in a lot of cases has poorly secured internet-facing services such as SSH running. That's how the hackers get access to them to install the DDoS software.

Compare that to ordinary Windows desktop machines which form the basis of gigantic botnets. Are you starting to see the difference yet?

Ordinary Windows desktop machines DON'T form the basis of gigantic botnets (at least not anymore), which is WHY I sent you that link in the first place.


Hello,

Actually, they still pretty much do.  It's just that there are a few more options available besides them, such as routers and cable/DSL modems, to choose from (from the attacker's perspective, that is).

Regards,

Aryeh Goretsky



Hello,

It depends a lot on the work being done, I reckon.  Unix-like operating systems are heavily adopted in the TOP500 list, but there are still probably many smaller businesses not running 60,000+ CPU cores using Linux as well.

Regards,

Aryeh Goretsky

Linux has its place in the workplace, but at the end of the day it's a Windows world.

Want to make money doing business computing? Learn to use Microsoft products.

Ordinary Windows desktop machines DON'T form the basis of gigantic botnets (at least not anymore), which is WHY I sent you that link in the first place.

What planet do you live on? All Windows botnets rely on the mass infection of ordinary desktop systems. That was my point all along. Linux users (desktop users) aren't at risk the same way as Windows users because 1) there's little to no self-installable malware out there for GNU/Linux and 2) it's virtually impossible to infect enough machines to make it worthwhile due to the variety of setups.

ZeroAccess, also known as Max++ and/or Sirefef, is Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet mostly involved in bitcoin mining and click fraud, while remaining hidden on a system using rootkit techniques.

The ZeroAccess botnet was discovered at least around May 2011.[3] The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems.[4] Estimates of the size of the botnet vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.

https://en.wikipedia.org/wiki/ZeroAccess

Yes, you read that right: 9 million Windows PCs were infected. And that's just one of many. No other OS even approaches this level of risk.

All of the malware listed in this thread targeting Linux is installed by the hackers themselves after brute forcing their way into a system (often via SSH/Apache/etc). That's not the kind of malware that's infecting ordinary desktop users, I'm sorry to say. It's targeting embedded systems like routers and servers. I've yet to see evidence of GNU/Linux desktop users being infected with malware at all, let alone on a scale that affects Windows (millions of PCs). To suggest there's even a comparison is delusional at best, and outright mendacity at worst. The statistics don't lie.


If I was a criminal, I would not go for desktop systems. I'd happily infect servers instead, allowing me to distribute phishing and spyware in combination with a giant internet connection, eventually gaining the same results but much more and faster.

With Linux having ~70 percent of all currently running servers, this sums up rather nicely. No wonder that there are quite a few quite active Linux botnets around.


If I was a criminal, I would not go for desktop systems. I'd happily infect servers instead, allowing me to distribute phishing and spyware in combination with a giant internet connection, eventually gaining the same results but much more and faster.

While compromised servers can play a role in distributing malware, the end target is almost always the Windows desktop PC. Even in the Windigo botnet, a major goal was to spread malware to Win32 systems.

Servers are hacked; they aren't infected by drive-by downloads or by users installing malware. The whole topic of discussion in this thread is about GNU/Linux user (desktop) security, not servers or routers. The threats facing them are completely different.
