Friday 18 May 2007

Is Linux as secure as it used to be?

As a frequent train traveler I have a number of podcast sources to take along to keep me company. One of those is from IT Conversations. Along with a bizarre tendency to stray into fields like biotechnology, there are frequently fascinating podcasts. One such is an interview with Mikko Hypponen on the state of viruses and malware. It's an hour long but worth every minute.

One particularly interesting point is that the source of viruses has changed over recent years. No longer is the anti-M$ script-kiddy the primary source of malware; instead the issue is organised crime, building empires of bot-nets with which to extort money or influence. This is an important shift in motivation, because these people have no preconceptions about which target to attack. The only criterion is to create maximum effect, which means targeting the platforms with the greatest market share. In the desktop world, that means Microsoft. Interestingly, in the mobile technology arena, it isn't Pocket PC-based devices but instead devices based on the Symbian platform.

But Microsoft's dominance in the desktop world is, of course, Ubuntu's Bug #1, which it intends to fix. With Dell offering Ubuntu to the consumer market, a large step towards that fix has been taken, and the question arises: how big a market share is needed to make Linux desktops attractive to malware developers?

But of course Linux is so much more secure than the MS alternatives! Not necessarily. Certainly one prominent Linux figure contends that while the Linux kernel is pretty secure, the same cannot be said for many other FLOSS projects, including, of course, the applications that run on the Linux platform.

But then, even if malware strikes a Linux desktop, how much damage can it do? To do any real harm, malware would need elevated privileges, which the user must specifically authorise, and which of course one would only do for known applications.

But that is a process which Vista has also incorporated, and it can be attacked, in a way which is easily applied to a Linux desktop. In standard Ubuntu (as an example I tested myself), it is possible for a non-elevated process to replace a menu item in the System...Administration menu with an arbitrary launcher, with an icon to make it look like the original item. If this launcher (let's say one that looked like the "Shared Folders" launcher) were to ask for elevated privileges, few (if anyone) would smell a rat, or a rodent of any description for that matter. After doing its dirty work on the system, the malware puts back the original launcher and runs the real "Shared Folders" app. Nobody would know anything was amiss. So once any vulnerability is identified (let's say in one of the desktop games that offer a network play mode) and malware is delivered, even in user mode, the game (as it were) is up.
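
As an added, defensive illustration (not from the original post): a small check for the launcher-replacement scenario described above. It assumes the freedesktop menu layout, where a .desktop file in ~/.local/share/applications with the same file name as one in /usr/share/applications overrides it in the menu, and flags user-level overrides whose Exec command differs from the system item; the sample launchers it builds are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Assumed freedesktop menu layout (not stated in the post): a user launcher with the
# same file name as a system launcher replaces it in the menu, which the spoof relies on.
SYSTEM_DIR = Path("/usr/share/applications")
USER_DIR = Path.home() / ".local" / "share" / "applications"

def read_launcher(path):
    """Return the key=value pairs from a .desktop file's [Desktop Entry] group."""
    entry, in_group = {}, False
    for line in path.read_text(errors="replace").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def find_shadowed(system_dir, user_dir):
    """List user launchers that override a system launcher with a different Exec line."""
    findings = []
    for user_file in sorted(user_dir.glob("*.desktop")):
        system_file = system_dir / user_file.name
        if not system_file.exists():
            continue  # a genuinely new user launcher, not an override of a menu item
        user_exec = read_launcher(user_file).get("Exec", "")
        system_exec = read_launcher(system_file).get("Exec", "")
        if user_exec != system_exec:
            findings.append((user_file.name, system_exec, user_exec))
    return findings

def demo():
    """Constructed sample: a system 'Shared Folders' item and a user-level override of it."""
    with tempfile.TemporaryDirectory() as tmp:
        system_dir, user_dir = Path(tmp, "system"), Path(tmp, "user")
        system_dir.mkdir()
        user_dir.mkdir()
        (system_dir / "shares-admin.desktop").write_text(
            "[Desktop Entry]\nName=Shared Folders\nExec=gksu shares-admin\nIcon=gnome-fs-share\n")
        (user_dir / "shares-admin.desktop").write_text(  # same name and icon, different command
            "[Desktop Entry]\nName=Shared Folders\nExec=gksu /tmp/fake-shares-admin\nIcon=gnome-fs-share\n")
        (user_dir / "mygame.desktop").write_text("[Desktop Entry]\nName=My Game\nExec=mygame\n")
        return find_shadowed(system_dir, user_dir)

if __name__ == "__main__":
    for name, system_exec, user_exec in find_shadowed(SYSTEM_DIR, USER_DIR):
        print(f"{name}: system item runs '{system_exec}', user override runs '{user_exec}'")
```

Run it as the logged-in user: an empty result means no menu item has been overridden with a different command; any hit is worth inspecting before the next privilege prompt is trusted.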

In this case I'm sure the issue (if there truly is one) will be fixed, probably in Linux distros before it is in Vista, but an attack vector that works so similarly in Windows and Linux is scary.

The day when complacency becomes an issue is close. ClamAV is generally optional in distros, desktop or otherwise. Likewise, iptables is ineffective without configuration (manually or with a tool like the excellent GuardDog). As it stands, and particularly with many users believing themselves to be in a position of strength, like the song says, there may be trouble ahead. The tools are there, but they should be included (and configured) by default for folks who won't (or can't) do that for themselves.

1 comment:

Anonymous said...

Lots of good details Ubuntu-specific Here