LinuxQuestions.org - Linux - Laptop and Netbook
viruses/malware etc: Is my Debian GNU/Linux system protected? (https://www.linuxquestions.org/questions/linux-laptop-and-netbook-25/viruses-malware-etc-is-my-debian-gnu-linux-system-protected-4175417318/)

edbarx 07-17-2012 11:57 PM

viruses/malware etc: Is my Debian GNU/Linux system protected?
 
Reading a current thread from forums.debian.net about multiplatform viruses and malware, I am becoming preoccupied that my Debian system is vulnerable. The problem is accentuated even further because I use GNU/Linux exclusively for all my computing needs. In other words I access my bank accounts online, I pay my bills online, etc.

The State of My System:
a) I make regular updates to keep up with any security updates
b) I have arno-iptables firewall enabled
c) I have all ports closed
d) I use privoxy to filter unwanted web-content (i.e. ads, etc.)
e) I use Adblock Plus
f) I use iceweasel aka Firefox.

Is my system protected against multiplatform scumware because the shivers I used to have when I still used MS Windows are starting to haunt me again?

towheedm 07-18-2012 12:20 AM

I believe the malware you're referring to is Java related. Of course, you can always install an anti-virus app.

edbarx 07-18-2012 01:00 PM

Quote:

Originally Posted by towheedm (Post 4731288)
I believe the malware you're referring to is Java related. Of course, you can always install an anti-virus app.

GNU/Linux is different from Windows, I don't imagine it requires the same scanning regimen like Windows. This should mean there are other more suitable solutions.

k3lt01 07-18-2012 02:41 PM

Quote:

Originally Posted by edbarx (Post 4731271)
Is my system protected against multiplatform scumware because the shivers I used to have when I still used MS Windows are starting to haunt me again?

Paranoia seems to be the biggest problem here don't you think? The thing with "multiplatform" malware is it is exactly that, "multiplatform". If you travel around the internet doing stupid things you will get stung but it will most likely just infect the application that it was designed to enter the system through. If you run as root without need you will allow things to enter your system even easier. The trick is not to do stupid things and only run as root for things like updating etc. Keep your system up to date (daily) and you can be 99% (this is a figure of speech not a guarantee) that your system is as secure as it can be. There is always more you can do but being careful is the best protection.

edbarx 07-18-2012 04:13 PM

Quote:

Originally Posted by k3lt01 (Post 4731942)
Paranoia seems to be the biggest problem here don't you think? The thing with "multiplatform" malware is it is exactly that, "multiplatform". If you travel around the internet doing stupid things you will get stung but it will most likely just infect the application that it was designed to enter the system through. If you run as root without need you will allow things to enter your system even easier. The trick is not to do stupid things and only run as root for things like updating etc. Keep your system up to date (daily) and you can be 99% (this is a figure of speech not a guarantee) that your system is as secure as it can be. There is always more you can do but being careful is the best protection.

I was of the opinion expressed in this post, but a thread in offtopic on forums.debian.net, argued that a compromised executable may lead to an escalation of privileges, and to stress his point, the poster insisted that this should not be very difficult to accomplish. So, definitely, it is not paranoia on my part, but on forums.debian.net, and I am becoming preoccupied because that forum is renowned for good quality threads.

towheedm 07-18-2012 07:15 PM

http://www.zdnet.com/cross-platform-...ux-7000000656/

k3lt01 07-18-2012 07:18 PM

Edbarx, when I say don't do stupid things that also means only use trusted packages. If you go and do the "typical Windows thing" and install packages of unknown quality you can indeed install a compromised package. The thing is with Debian you have everything available that you will most probably need. There is, for the most part, no need (unless of course you want to go beyond a simple Debian system) to install things outside of Debian's repositories. There are some repositories that are trustworthy, Debian Multimedia is a good example, but it is always a good idea to only use trusted sources.

jefro 07-18-2012 10:08 PM

Why don't you use a live cd?

If you need to protect the system then don't connect it to the internet and don't use an untested media in it like usb or cd.

edbarx 07-18-2012 11:16 PM

Since the threat, apparently, is Java related, an application which monitors, and if necessary blocks, Java executables from running should be enough.

I opened this thread because I would like to know how realistic the claim that GNU/Linux can be compromised by malware, viruses and any form of scumware, in reality is. I only install packages from debian.org, from debian-multimedia and from an official debian mirror situated in France. Moreover, I install packages through apt (requiring the root password) and I don't do desktop or window manager root logins. I only have sudo enabled for a single script I created myself placing it in /sbin. I changed the script's permissions to match those of the executables found in /sbin adding the limitation that only root can read and write to the script.

I have a very stringent policy of keeping with reliable sources and I don't judge a source's reliability myself.
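The sudo arrangement described above (a single root-owned script in /sbin, readable and writable only by root) is worth checking with a script rather than by eye, because a helper that sudo runs as root is only as safe as the write permissions on the file and on its directory. The audit function below is an added example, not code from this thread or from Debian; it assumes GNU coreutils `stat` as shipped on Debian, and its expected-owner parameter exists only so the check can be tried on a throwaway file (for a real sudoers entry the owner should be root).

```shell
#!/bin/sh
# Added example (not from the thread): audit a helper script that sudo may run.
# Checks: regular file (not a symlink), owned by the expected user, not writable
# by group or others, and not living in a directory that group/others can write
# to (otherwise the file could be swapped rather than edited).
# Assumes GNU coreutils stat, as on Debian.

# audit_sudo_helper PATH [EXPECTED_OWNER]
# Prints each finding; returns 0 when every check passes, 1 otherwise.
audit_sudo_helper() {
    path=$1
    expected_owner=${2:-root}   # parameter only for testing; use root in production
    status=0

    if [ -L "$path" ]; then     # test first: -f follows symlinks
        echo "FAIL: $path is a symlink"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file"
        return 1
    fi

    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")        # e.g. 755 or 4755 (octal, no leading 0)
    dir=$(dirname "$path")
    dir_owner=$(stat -c '%U' "$dir")
    dir_mode=$(stat -c '%a' "$dir")

    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $path is owned by $owner, expected $expected_owner"
        status=1
    fi
    # 022 (octal) = group-write | other-write; the leading 0 makes $(( )) read octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $path (mode $mode) is writable by group or others"
        status=1
    fi
    if [ "$dir_owner" != "$expected_owner" ]; then
        echo "FAIL: directory $dir is owned by $dir_owner, expected $expected_owner"
        status=1
    fi
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        echo "FAIL: directory $dir (mode $dir_mode) is writable by group or others"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $path passes all checks"
    fi
    return "$status"
}

# Usage: sh audit_sudo_helper.sh /sbin/your-helper        (expects root ownership)
if [ $# -gt 0 ]; then
    audit_sudo_helper "$@"
fi
```

Run it against every path that appears in `sudoers` (or `sudo -l` output); a single FAIL line means the sudo grant is effectively a grant to whoever can write that file or directory.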

ReaperX7 07-18-2012 11:49 PM

If you need antivirus and antimalware tools for Linux, ClamAV and RKHunter are the best tools you can use. Linux isn't as prone to getting malware because it's a minority OS and has hundreds of varied distributions, but that doesn't mean that it's completely invulnerable to being attacked in the future.

Your best bet if you feel the need, is to just get protection tools, run them regularly to scan for problems, and be active in your system's security administration.

unSpawn 07-19-2012 04:59 AM

Quote:

Originally Posted by k3lt01 (Post 4731942)
Paranoia seems to be the biggest problem here don't you think?

Let's give it a less negative spin and say it's a problem of knowing your enemies?


Quote:

Originally Posted by k3lt01 (Post 4731942)
If you travel around the internet doing stupid things you will get stung

That's only partly true.

Take for instance the cases of compromised sources. Distribution maintainers use upstream sources to create distribution packages. In more than a few cases (tcpdump (2002), Sendmail (2006), Unreal IRCd (2010), ProFTPd (2010), kernel.org (2011)) but excluding the kernel.org case attackers got away with injecting foreign code in source archives. Most of this boils down to a different kind of stupidity: developers, distributors and end-users placing implicit trust in something or somebody or imagining trust relationships where there aren't any. Running Open Source Software means everybody has the chance to examine and validate the source they run. By choosing not to do so or by choosing to defer responsibility to a distribution you should be aware of the potential risk. Still there are developers, distributors and end-users who shrug off providing or mandating source package verification as unnecessary. (And I'm not talking MD5 or SHA1 hashes but GPG signatures.)

Another example. While this should not draw away attention from other distributions having had similar problems, Debian machines got compromised in 2003 and again in 2006 by attackers exploiting kernel bugs. And sure such remotely exploitable vulnerabilities can only lead to a compromise if an attack surface is or remains available, and sure it's stupid if you don't update to a kernel version the moment it's released if it fixes known vulnerabilities but it's got nothing to do with "traveling around the Internet doing stupid things".

Yet another example: centralized advertising distribution services. A lot of sites use them because it takes away the need for individual sites to spend time on configuring for target audiences, acquisition, billing and other administrative tasks. And while scrutiny at reputable distributors is good at most times, it has occurred on several occasions that bad ads got through. Sure you can defend yourself against this by disabling unnecessary or unwanted browser features, disabling plug-ins, selective filtering and content scrubbing but the point here is you don't have to do "stupid" things to be involuntarily exposed to such risks.

While the final problem currently is more the focus of networked hardware like routers, smartphones and tablets running certain other Operating Systems, nefarious activity doesn't limit itself to easily identifiable, cross-platform attempts at malware like Koobface. Certain Operating Systems harvest information and share it with the vendor without the owner being able to limit or combat this (much?). Applications that are not or appear to be vendor-approved hunt for and siphon off credentials, financial information, Intellectual Property or just run new versions of old dialer scams via SMS, etc, etc. (As for the stupidity part: one of the tenets of common sense, and this lesson unfortunately has to be re-learned again and again on-line and off-line, is that if something looks too good to be true then it is too good to be true.)
Sure. The above is a problem with other OSes. And while the Microsoft-induced definition of "malware" may not apply due to OS architecture, what delivery methods like the GNOME "Waterfall" screensaver of 2009 (command execution), Firefox plugins like "Master Filer" (Microsoft only) and various other ones like PDF, Flash, Quicktime have in common (apart from problems due to licensing, laxity wrt distributor responsibilities, scrutiny, hardening and updates, unsafe browsing practices, gullibility) is that when subversion takes place solely in unprivileged user space (maybe just even within a browser, its plugins, JavaScript or Flash ActionScript) this may transcend protection offered by some traditional (or traditionally deployed) defenses. (Similar to the shift from rootkits requiring escalation of privileges to web stack-based malware that happily runs as the user the web server runs as.) UNIX-like separation of privileges (capabilities, accounts) provides enough isolation for an unprivileged user to have a dependent library cause a segfault and still be able to use the Desktop Environment, blow up a web browser or file manager and still be able to use X11 / Xorg, or blow up X without having to reboot the machine. So a mix of measures like staying secure by updating software (does not thwart social engineering or keep plugins from running), running a Live CD (may lack unprivileged accounts which would mean running software as root), DAC rights (does not protect against browser attacks), using an unprivileged account (protects the system but nothing else), scanning with antivirus (would only work if scanning continuously, with up to date signatures and if it can actively halt activity), scanning with RKH (it's a post-incident tool and not meant for such malware), blocking certain applications from running (so what about the other apps or the ones needing only a browser?) may protect the user from running (into) certain forms of malware, but do traditional defenses and listed measures protect the user well enough? And how would one know? And would that still hold true when confronted with new, less easily identifiable malware?
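The distinction drawn above between hash lines and GPG signatures is exactly how apt's trust chain is built: gpg verifies the signature on the Release file (Release.gpg or InRelease) against the keyring, and only then do the hash entries inside Release vouch for the Packages indexes and, through those, for each .deb. The script below is an added example, not code from this thread or from apt; it models that second step on constructed sample files (no real Debian data), assumes GNU coreutils (sha256sum, md5sum, sha1sum, wc), and deliberately accepts only the SHA256 section, so a Release that carries only MD5Sum lines fails even when the MD5 matches.

```shell
#!/bin/sh
# Added example (not from the thread): the check apt performs *after* gpg has
# verified the Release file's signature. Without that signature, a digest
# fetched from the same mirror as the file it describes proves nothing.
# Assumes GNU coreutils as found on Debian. All data below is constructed.

# make_sample DIR
# Writes DIR/Packages (sample index), DIR/Packages.tampered (one field changed)
# and DIR/Release listing MD5Sum, SHA1 and SHA256 for the genuine index in the
# layout real Release files use. A real Release is signed; the sample skips that.
make_sample() {
    dir=$1
    mkdir -p "$dir"
    printf 'Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\nFilename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n' \
        > "$dir/Packages"
    # Same index with one field altered, i.e. not what the signed Release covers.
    sed 's/^Version: 1.0-1$/Version: 1.0-1+evil/' "$dir/Packages" > "$dir/Packages.tampered"
    size=$(wc -c < "$dir/Packages" | tr -d ' ')
    {
        printf 'Origin: Example\nSuite: stable\nCodename: sample\n'
        for pair in "MD5Sum md5sum" "SHA1 sha1sum" "SHA256 sha256sum"; do
            header=${pair% *}
            tool=${pair#* }
            digest=$("$tool" "$dir/Packages" | cut -d' ' -f1)
            printf '%s:\n %s %s main/binary-amd64/Packages\n' "$header" "$digest" "$size"
        done
    } > "$dir/Release"
}

# verify_index RELEASE_FILE INDEX_PATH INDEX_FILE
# Looks INDEX_PATH up in the SHA256 section of RELEASE_FILE and compares both
# the size and the digest of INDEX_FILE. Returns 0 on an exact match, 1 on a
# missing entry, a missing SHA256 section, or any mismatch.
verify_index() {
    release=$1
    index_path=$2
    index_file=$3
    # Section headers are a bare word plus colon ("SHA256:"); entries under a
    # header are indented "digest size path" lines.
    expected=$(awk -v p="$index_path" '
        /^[A-Za-z0-9]+:$/ { in_sha256 = ($0 == "SHA256:"); next }
        in_sha256 && $3 == p { print $1, $2; exit }
    ' "$release")
    if [ -z "$expected" ]; then
        echo "FAIL: no SHA256 entry for $index_path in $release"
        return 1
    fi
    expected_digest=${expected% *}
    expected_size=${expected#* }
    actual_size=$(wc -c < "$index_file" | tr -d ' ')
    actual_digest=$(sha256sum "$index_file" | cut -d' ' -f1)
    if [ "$actual_size" != "$expected_size" ]; then
        echo "FAIL: $index_file is $actual_size bytes, Release lists $expected_size"
        return 1
    fi
    if [ "$actual_digest" != "$expected_digest" ]; then
        echo "FAIL: SHA256 mismatch for $index_file"
        return 1
    fi
    echo "OK: $index_file matches the SHA256 entry for $index_path"
    return 0
}

# Usage: sh verify_release.sh RELEASE INDEX_PATH INDEX_FILE
#    or: sh verify_release.sh --demo    (runs against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir"
    verify_index "$demo_dir/Release" main/binary-amd64/Packages "$demo_dir/Packages"
    verify_index "$demo_dir/Release" main/binary-amd64/Packages "$demo_dir/Packages.tampered"
    rm -rf "$demo_dir"
elif [ $# -eq 3 ]; then
    verify_index "$1" "$2" "$3"
fi
```

The point of accepting only the SHA256 section is the same one made in the post: the weak digests are listed for compatibility, and a verifier that falls back to them silently lowers the bar for whoever controls the mirror.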

k3lt01 07-19-2012 06:37 AM

Quote:

Originally Posted by unSpawn (Post 4732483)
Let's give it a less negative spin and say it's a problem of knowing your enemies?

Ok, let's, and let's consider the OP's initial post while we are at it. He specifically mentions Windows; I am suggesting there is a Windows mindset still happening.

Quote:

Originally Posted by unSpawn (Post 4732483)
That's only partly true.

In the context of the Windows reference it is practically 99.9% accurate. However, people who travel around the internet doing stupid things will get stung no matter what type of OS they are on.

Having said that, vulnerabilities occur with any system; with Linux it is much harder to introduce them if you follow good security practices. As you mentioned. Yes distros like Debian and some packages have problems but what OS doesn't have that and how many (percentage wise) of Linux machines are compromised compared to the same percentage of Windows machines? I agree with the crux of what you posted but taking the OP's last sentence at face value it seems there is a certain level of fear (a nicer word if you will than paranoia) that is not really justified considering the infection ratio as a % of OS type.

unSpawn 07-19-2012 02:02 PM

Quote:

Originally Posted by k3lt01 (Post 4732583)
Having said that vulnerabilities occur with any system, with Linux it is much harder to introduce them if you follow good security practices.

Sure but I'm trying to move beyond infection rate, focus on Linux and explore which security practices would actually help combat malware. Maybe I should have posted what I wrote in a separate post. Mostly I've been using your line just as a hook, everything from "Take for instance .." on isn't really a reply.

jefro 07-19-2012 03:35 PM

There is no secure OS. Some of the main threats are the applications on it. I would assume any system to be vulnerable.

The world is full of automated hackers with nothing to do but steal. Their country won't do anything to stop them and may encourage them. They have turned their attention from Windows systems to Unix and Linux. Every day we read about sites that have been hacked. They were both Linux and Windows sites.

Any OS that has best practices applied to it would be less vulnerable. That doesn't make it secure.

ReaperX7 07-19-2012 10:36 PM

Hardened Gentoo and OpenBSD may be some very secure operating systems but they are FAR from being 100% invulnerable to attacks and malicious software.

Security isn't something you have out of the box, it's something you have to administrate and manage continuously through tests and checks to ensure everything is safe for the time being.

