LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-19-2012, 08:39 PM   #16
JaseP
Senior Member
 
Registered: Jun 2002
Location: Eastern PA, USA
Distribution: K/Ubuntu 10.04/12.04, Scientific Linux 6.3, Android-x86, Maemo
Posts: 1,658

Rep: Reputation: 138Reputation: 138

If you are using the term "virus," it usually refers to a piece of code that can be made to run on your machine by virtue of simply being exposed to it. A "trojan" is a program that is required to be installed by the user, using some form of social engineering. Linux is relatively immune to the former, less so to the latter. However, it is worth noting that NO malware attack on Linux environments has ever reached the epidemic proportions of an attack on Windows.

Usually, attacks on Linux systems are hacker attacks. They are specifically targeted at those systems.
 
2 members found this post helpful.
Old 09-20-2012, 07:19 AM   #17
glene77is
LQ Newbie
 
Registered: Sep 2012
Location: Memphis, TN, USA
Distribution: Puppy Linux
Posts: 4

Rep: Reputation: Disabled
hello,

How about a comment on Barry Kauer's Puppy Linux (5.x).
Have run this from CD, HD, PenDrive for five years, seven versions/distros.
Am not a Linux engineer, just an educated & curious geek type.

Background for Puppy OS (as best I can figure it):
* OS can be run from a Live-CD, with OS residing only on CD.
* OS usually is copied to HD or PenDrive at the /home level.

* OS files are extracted from 4 squash files, which are read-only.
* OS files are RAM loaded at runtime.
* OS files are NEVER written to, at any time.
* User changes to the virtual/RAM OS runtime
are saved in a special 'savefile'
and the 'savefile' is layered on top of the RAM-loaded OS.
* The password is defaulted, running as 'root' normally.
* The Kauer group suggests that booting from a Live-CD on each bootup, and having the 'savefile' residing on the HD as a 'best methods' approach.


My method of restore:
* Have a copy of the 4 OS squash files, on different media.
* Have a daily backup of the 'savefile', incrementally dated, on different media.

This is an interesting subject, and your comments above
go into the good point of OS security.
So, I Welcome your comments, critiques, etc.

Last edited by glene77is; 09-20-2012 at 07:22 AM. Reason: long wirds
 
Old 09-20-2012, 08:16 AM   #18
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
The live-CD approach has some unique advantages and disadvantages. Oftentimes, the live-CD method is recommended for applications like banking where a critical exploit would be something like a Trojan key logging application(*). With the live-CD, assuming one starts with a signed and verified source distribution, non writable media has the advantage of ensuring that nothing can modify the binary applications, such as the web browser. This means that a key logger or counterfeit SSL certificate can not be introduced into the system. Additionally, if any form of malware were picked up, it would be removed with a power down or reset as it would be confined to RAM. On the downside, write only media has the disadvantage of not being able to update which means you may be susceptible to known exploits that have been patched in subsequent releases. Therefore, the user has a higher degree of responsibility to monitor for critical updates and rebuild their platform when appropriate.
 
1 members found this post helpful.
Old 09-20-2012, 08:44 AM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,369
Blog Entries: 54

Rep: Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870
Quote:
Originally Posted by Noway2 View Post
On the downside, write only media has the disadvantage of not being able to update which means you may be susceptible to known exploits that have been patched in subsequent releases.
Unfortunately that is not the only downside, see this post.

Last edited by unSpawn; 11-08-2012 at 12:16 PM. Reason: //r/s/
 
Old 09-20-2012, 08:55 AM   #20
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,381

Rep: Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109
Quote:
Originally Posted by JaseP View Post
However, it is worth noting that NO malware attack on Linux environments has ever reached the epidemic proportions of an attack on Windows.

Usually, attacks on Linux systems are hacker attacks. They are specifically targeted at those systems.
But it is also very important to understand why this is so. Literally millions of Windows machines on the Internet are "Home Edition" boxes, run by administrators with no passwords. Most of the system administration tools needed to properly secure the system are omitted. There is no knowledge-transfer about what to do. But the "anti-virus" stuff is very prominent, encouraging a false sense of security. When the system's defenses are disabled(!), you don't even have to "attack" it.

It's really a matter of percentages: you shoot for the easiest target, knowing that the odds are in your favor that you'll find it. Meaningful protection is simply a matter sometimes of locking your door.

The story of the "pizza-box thief" is actually not an urban legend: walking through expensive neighborhoods with a pizza-box (and a pizza!), trying the front door and, frequently, finding it unlocked and the alarm turned off. Step inside, grab a handful of jewelry off the dresser, drop it into the box. The missus is likely as not to imagine that she "lost" it. Strictly an opportunistic strategy.
 
Old 09-20-2012, 09:25 AM   #21
JaseP
Senior Member
 
Registered: Jun 2002
Location: Eastern PA, USA
Distribution: K/Ubuntu 10.04/12.04, Scientific Linux 6.3, Android-x86, Maemo
Posts: 1,658

Rep: Reputation: 138Reputation: 138
You can update read only media by using a "secure" bootloader to change it to a read/write mount state,... That's how Android and other embedded devices do it...

That's not going to save you from a local attack or an attack vector based on cracking any keys issued for an update process. It's also not going to save you from attacks to the user space, where all the important data resides, anyway.

You can build a better fortress,... but if a thing can be built, it can be torn down. I am often reminded of a quote from one of the experienced members of my Linux users' group (back in the day when I attended those),... "Security is a process, not a product." You can't engineer a perfect system. It's impossible.

That said,... 99.999% safe is better than 99.9%, 95% or 85% safe...
 
Old 09-20-2012, 06:59 PM   #22
glene77is
LQ Newbie
 
Registered: Sep 2012
Location: Memphis, TN, USA
Distribution: Puppy Linux
Posts: 4

Rep: Reputation: Disabled
Thanks.
It appears that the Live-CD, virtually in RAM, with a "change-save-file" on the HD
is a good way to go. I have one computer booting off a Live-CD (Puppy 525) , running with NO hard-drive, and having a pendrive (micro USB) plugged in for storage. This works OK.
Jasp said it very well
"Security is a process, not a product."

My regular computer runs Puppy Linux, from a Pendrive,
with grub4dos options to reboot into XP, Parted-Magic, and TinyCore.
Backup/Restore is extremely easy and quick,
so I backup the "change-save-file" daily to a different partition hard-drive.

My only problem thus far,
is that I must allow extra 'write-time' for the USB hard-drives,
even after I think the write is finished.
Calling for a "Un-Mount" is one way to let the system check for any write activity.

Thanks again for discussing this subject.
After 30 years from CP/M through DOS and then M$ Windows
I can really say
that "Puppy Linux is more fun than a barrel of M$ monkeys ! "

Last edited by glene77is; 09-20-2012 at 07:00 PM.
 
Old 09-20-2012, 07:39 PM   #23
jefro
Guru
 
Registered: Mar 2008
Posts: 11,590

Rep: Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419Reputation: 1419
The major issue with live cd's is that they are not secure by design. Live cd's are meant to be useful and not secure. Just because you can't write to the cd (usually but not always true) it doesn't mean that your use is secure. It also doesn't prevent a hacker from mounting your local disks. There are a few more secure live cd's out there. Generally live cd's are totally open and running on root user.
 
Old 09-21-2012, 08:30 AM   #24
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
One thing that I wanted to add to my earlier post, that I forgot, and why I put a * by Trojan Key Logging is to relate an experience I recently had. The reason I believe that this is pertinent is that it cuts to a lot of the discussion points raised by Sundialsvcs with regards to Windows security. Based upon my recent experience, I find that I have to disagree that Windows has satisfactorily addressed their vulnerability issues and that the problems can be attributed to user negligence. While I am certain that there is a fair degree of this to be found, it doesn't explain my recent troubles.

Using a fully patched, routinely updated copy of XP-SP3, with commercial antivirus, Firefox web browser with ad block (didn't go with no script because of the hassle factor) and running as a non privileged user, while visiting sites that I routinely view (no dirty places), I picked up a key logging Trojan that installed itself into a privileged location, registered as a Firefox plugin that scanned for URLs associated with a known list of banks, would activate upon visiting these sites, record the credentials and email home. Somehow this nasty was able to write itself down into the privileged section of the application data as well as some other hidden location that allowed replication and restoration. Antivirus software would remove the local copy, but it would recure. Combofix ultimately killed the nasty, but several key Windows components, such as the updater and remote desktop had been destroyed. The ultimate answer required a complete wipe and rebuild of the OS.

Again, to emphasize, this all occurred while operating as a low privilege user, but somehow the malware was able to elevate privilege through an exploit on an up to date system. You don't normally hear of this sort of thing happening on Linux.
 
Old 09-21-2012, 09:40 AM   #25
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,592
Blog Entries: 2

Rep: Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047Reputation: 4047
Quote:
Originally Posted by glene77is View Post
Thanks.
It appears that the Live-CD, virtually in RAM, with a "change-save-file" on the HD
is a good way to go. I have one computer booting off a Live-CD (Puppy 525) , running with NO hard-drive, and having a pendrive (micro USB) plugged in for storage. This works OK.
Jasp said it very well
"Security is a process, not a product."

My regular computer runs Puppy Linux, from a Pendrive,
with grub4dos options to reboot into XP, Parted-Magic, and TinyCore.
Backup/Restore is extremely easy and quick,
so I backup the "change-save-file" daily to a different partition hard-drive.

My only problem thus far,
is that I must allow extra 'write-time' for the USB hard-drives,
even after I think the write is finished.
Calling for a "Un-Mount" is one way to let the system check for any write activity.

Thanks again for discussing this subject.
After 30 years from CP/M through DOS and then M$ Windows
I can really say
that "Puppy Linux is more fun than a barrel of M$ monkeys ! "
Problems with that approach:
1. Puppy 5.2.5 is outdated, the latest versions are 5.2.8 (Lucid) and 5.3.3 (Slacko). The version you run probably has known security holes that can be used to compromise your system. When running a live-system you have constantly to check for the newest version if you are doing it for security reasons.
2. In Puppy you are root by default, which makes possible attacks even easier.
3. The use of a save-file negates all possible security advantages of running a live system, since it can be used to install software, which includes all kinds of malware.
 
Old 09-21-2012, 09:41 AM   #26
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Quote:
Originally Posted by Noway2 View Post
One thing that I wanted to add to my earlier post, that I forgot, and why I put a * by Trojan Key Logging is to relate an experience I recently had. The reason I believe that this is pertinent is that it cuts to a lot of the discussion points raised by Sundialsvcs with regards to Windows security. Based upon my recent experience, I find that I have to disagree that Windows has satisfactorily addressed their vulnerability issues and that the problems can be attributed to user negligence. While I am certain that there is a fair degree of this to be found, it doesn't explain my recent troubles.

Using a fully patched, routinely updated copy of XP-SP3, with commercial antivirus, Firefox web browser with ad block (didn't go with no script because of the hassle factor) and running as a non privileged user, while visiting sites that I routinely view (no dirty places), I picked up a key logging Trojan that installed itself into a privileged location, registered as a Firefox plugin that scanned for URLs associated with a known list of banks, would activate upon visiting these sites, record the credentials and email home. Somehow this nasty was able to write itself down into the privileged section of the application data as well as some other hidden location that allowed replication and restoration. Antivirus software would remove the local copy, but it would recure. Combofix ultimately killed the nasty, but several key Windows components, such as the updater and remote desktop had been destroyed. The ultimate answer required a complete wipe and rebuild of the OS.

Again, to emphasize, this all occurred while operating as a low privilege user, but somehow the malware was able to elevate privilege through an exploit on an up to date system. You don't normally hear of this sort of thing happening on Linux.
To be fair, the problems with Linux have historically been with usability, and for Windows it has been security. So using an outdated Windows OS from 2001 as an example of Windows poor security is like using a version of Linux from 2001 as an example of Linux's poor usability. Not really fair.

There have been quite a few improvements to Windows since XP.

AppLocker
User Account Control
Mandatory Integrity Control
Kernel Patch Protection
Windows Resource Protection
Service Hardening
Volume Shadow Copy
BitLocker
...

That's for Windows 7. Here's some Windows 8 security improvements. MS has given people some effective tools to resist malware, but it's up to the users to take advantage of them.


BTW With all the 3rd party applications (Java, Qucktime, Adobe Reader, Flash, etc.) that run within modern web browsers now, web browsers are pretty much a secondary OS. So it's entirely possible that both Windows and Firefox were full patched, but some third party browser plugin wasn't, so it may have not been the fault of MS.

Last edited by OlRoy; 09-21-2012 at 10:03 AM.
 
Old 09-21-2012, 10:22 AM   #27
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,381

Rep: Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109Reputation: 1109
Yes, so-called "privilege escalation" attacks do exist, and I am of a mind to say that neither Windows nor Linux nor any other system is demonstrably "more or less vulnerable" to such things. But I am of the opinion that most crimes are crimes of opportunity ... simply because they are by far easiest to do. You walk through the neighborhood with your pizza box in hand, and you don't have to defeat the door-lock or the burglar alarm because, although both exist, both are turned-off. You can have millions of replicas of that sort of thing going on in the time that it would take you to engineer one privilege escalation attack.

I had a commercial (hosting center) Linux box get thoroughly "root-kitted," and the root (ahem...) cause of the problem was simply that I was too-lazy and too-hurried to reformat the drive to one of the "minimal Linux" configurations that the company did offer. I just used the Plesk-based system that was their default. I should have known better, and in fact did know better than to let anything-of-value get within one hundred miles of Plesk, so it's my own damm fault but I just didn't consider that it could really happen to me. There was nothing to be done but to move the data out of the way and then rebuild the system like I should have done it in the first place. So ... security is, indeed "a process."

And that's the key point that all of us just have to keep hammering home: no system is "magically protected" just by virtue of what it is.

Most of us, I daresay, routinely work in "mixed" environments in which Windows, Linux, and gawd-knows what else must all work seamlessly together. Since "the chain is only as strong as its weakest link," that means that we have to approach system security with a very broad brush and a very clear head.

Last edited by sundialsvcs; 09-21-2012 at 10:24 AM.
 
Old 09-21-2012, 10:59 AM   #28
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,101

Rep: Reputation: 369Reputation: 369Reputation: 369Reputation: 369
Quote:
Originally Posted by frieza View Post
i think another big difference between *Nix and windows is greater separation of executable data (software) and NON executable data, often via the execute bit, which in the case of Internet downloads is per default OFF (thus requiring the execute bit be manually set before the program can run, or the program be forcibly run via some other means) whereas windows, via activex and other similar avenues, programs can be executed WITHOUT first asking the user (or even telling the user for that matter), do that while running as an admin and the entire machine gets compromised, running something as a limited user (as per default in *nix) and the user's home directory gets torched, maybe, but not the system as a whole.
i would add to my previous comment, that on single user systems, the difference between the entire system being compromised vs just the home directory is relatively negligible, the difference being malware in a home directory can be more easily cleaned out (yes you can still be used as a spam factory to some degree if your home directory is compromised, but not as easily, and more easy to detect and undo the damage)
the difference however comes on multi-user systems where re-building one profile is much easier than re-building a system, THEN re-building SEVERAL profiles.
 
Old 09-24-2012, 10:46 AM   #29
glene77is
LQ Newbie
 
Registered: Sep 2012
Location: Memphis, TN, USA
Distribution: Puppy Linux
Posts: 4

Rep: Reputation: Disabled
Guys,
As SunDial wrote:
" no system is "magically protected" just by virtue of what it is. "

I have always been interested building "Restorability" into my system installs.
Having dealt with relational database systems most of my career, I see it as important.

An OS install that is designed to be "Restorable" is a real plus !
This is just a major part of the "Process of Security"

Very important and well-balanced thread.
 
Old 09-24-2012, 10:59 AM   #30
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,369
Blog Entries: 54

Rep: Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870Reputation: 2870
Quote:
Originally Posted by glene77is View Post
Guys,
As SunDial wrote:
" no system is "magically protected" just by virtue of what it is. "
As is clear from the responses in this thread the real difference is in using that argument as a reason to succumb to a defeatist attitude or to use it as impulse to keep looking for security improvements...
 
  


Reply

Tags
linux, operating system, solaris, unix


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
viruses/malware etc: Is my Debian GNU/Linux system protected? edbarx Linux - Laptop and Netbook 44 09-07-2012 06:27 AM
How to collect malwares by using nepenthes lee_can Linux - Networking 4 07-08-2012 12:58 PM
LXer: Security: Linux, OS X, Unix and Malware (Viruses) LXer Syndicated Linux News 0 12-01-2011 08:00 AM
Restoring usernames & passwords to a protected directory under Debian & Plesk CP ppcw Linux - Newbie 2 02-16-2008 04:11 PM
Wine & MS Windows viruses Blood Stream Linux - Security 6 08-15-2006 03:29 AM


All times are GMT -5. The time now is 09:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration