linux security myth

Linux Security Myth

Mackenzie Morgan

Ohio LinuxFest 2010

11 September 2010

Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 1 / 35

Introduction

Outline

1 Introduction

2 Vocabulary

3 What can still hurt me?

4 What protection is there?

Introduction

Mackenzie Morgan

Computer Science student

Ubuntu Developer

Kubuntu user

http://ubuntulinuxtipstricks.blogspot.com ← find slides here

Introduction

This Talk

Linux Zealot: Try Linux! It doesn’t get viruses!

Average Person: No viruses? I’m invincible!

Vocabulary

Outline

1 Introduction

2 Vocabulary

Vocabulary

Malware

Malware (or “badware”) is an umbrella term for viruses, trojans, worms,rootkits, etc.

Vocabulary

Viruses infect individual files. They spread when people share those files.

Vocabulary

Social Engineering

Social Engineering is tricking people into doing something that is bad forsecurity.

Vocabulary

Trojan

Trojans are malware that get installed via social engineering. . . or, well,lying.“I’m a fun game and totally safe! but not really, I’m actually going to steal your

passwords. . . ”

Vocabulary

A worm infects other systems, automatically, usually over a network.

Vocabulary

Botnet

A botnet is a group of systems infected by malware which operate as acollective and are controlled by a erm. . . jagoff.

Yes, I’m from Pittsburgh. How’d you guess?

Vocabulary

Botnet

A botnet is a group of systems infected by malware which operate as acollective and are controlled by a erm. . . jagoff.Yes, I’m from Pittsburgh. How’d you guess?

Vocabulary

Rootkit

A rootkit keeps the activities of an unauthorised user hidden so that youcan’t tell your system has been owned.

Vocabulary

Keylogger

A keylogger tracks everything you type. Yes, including passwords.It could be hardware (see ThinkGeek), but usually software. There arelegitimate(-ish) uses.

Vocabulary

Browser-based Attack

A browser-based attack is any attack that takes place inside the webbrowser. They are usually not limited to a specific OS.Examples:

Cross-site Scripting (XSS) – using Javascript on one webpage to stealdata from another

Tracking cookies – harvests the information stored in your browser byother websites

Cookie jacking – stealing credentials for other websites from yourbrowser’s cookies

Click jacking – hiding clickable objects on a webpage on top of otherobjects so that you’re not clicking what you think you’re clicking

Vocabulary

Phishing

Phishing is social engineering aimed at making you believe you areinteracting with someone else whom you trust

What can still hurt me?

Outline

1 Introduction

2 Vocabulary

What’s still a problem?

All of those

But what about no viruses?

Windows ones usually won’t run, even in Wine

Several hundred for Linux

Only ∼30 in the wild ever

No known viruses exploiting current vulnerabilities

Email Trojans

“Check out this cool new game! http://example.com/foo.desktop”

Untrusted Software

.deb for “screensaver” on gnome-look.org

. . . and now you’re on a botnethttp://ubuntuforums.org/showthread.php?t=1349678

Untrusted Software

.deb for “screensaver” on gnome-look.org

. . . and now you’re on a botnethttp://ubuntuforums.org/showthread.php?t=1349678

Browser-based attacks

Unless only for Internet Explorer

Firefox? Opera? Chrome?

Phishing

There’s no patch for gullibility

Rootkits

If any of the previous work, the attacker might install one

What protection is there?

Outline

1 Introduction

2 Vocabulary

Trusted software sources

Stick to your distro’s repos

Otherwise, source directly from upstream

Avoid non-software in .deb or .rpm format

Heed warnings about failed signature checks

Arch Linux does not sign packages

Launchers

You get a .desktop from web/email. . .Do you know what it’ll run?

Could be anything

Launchers

You get a .desktop from web/email. . .Do you know what it’ll run?Could be anything

Launchers in KDE

Launchers in GNOME

Fedora’s & openSUSE’s GNOME:

Ubuntu’s GNOME:

Ubuntu has a policy against “ignore this security warning” buttons

Browser - Javascript

Use NoScriptUsers might not be equipped to know what to allow, but it blockscross-site scripting & click-jacking

Browser - Encryption

Don’t send passwords unencrypted!Lock icon:Means connection is encrypted and probably no man-in-the-middle

NOT necessarily a sign that all is good!

Browser - Phishing

But how do you know it’s the site it claims to be?Look at everything before the third slash—that’s the domain

Check out this green thing

Minimal privileges

Don’t login graphically as root!Why?Malware gets full access

Don’t need it? Don’t use it!

Don’t login remotely with command line or push files to it?Uninstall your SSH and S/FTP servers

Detecting problems

Find rootkits:

rkhunter

chkrootkit

Warn of changes:

tripwire

Warn of attacks:

These are advanced tools

Questions?

Slides will be posted:http://ubuntulinuxtipstricks.blogspot.com

linux security myth

linux security myth11

desktopmackenzie morgan

orgmackenzie morgan

onemackenzie morgan

trustmackenzie morgan

thosemackenzie morgan

vocabulary botnet

vocabulary rootkit

Technology

introduction to linux and security tools - z. cliffe...

linux kernel security kca09

red hat enterprise linux 6 security-enhanced linux

hardening linux server security

security and linux security

linux’ security haifa linux club 21.10.99 orr dunkelman

linux security zuo

server security for linux and containers...purpose-built,...

lnx200 - fundamentals of linux security · 2020. 7. 27. ·...

linux – choices and security

linux security primer -...

linux security services

security enhanced linux

linux security primer - sissa people personal home...

linux is a windows-killer: myth or reality

the myth of mainframe security - share myth of mainframe...

linux windows security

linux security fundamentals

linux day 2010: linux security demystified

linux: networking & security