GNU/Linux Security: Ubuntu has been Cracked!

[Notice: If you do not like the title, read the article anyway. Otherwise, there is no point in sending me a comment as I will not post comments that state something like, "Your title suxxors! I refused to read your article after I read the first paragraph! You're just trying to boost traffic to your site! You're lame!!" Do you also go around judging books by their covers? 🙂 ]

Okay, I admit I created that title just to get your attention. It worked; you're here. What is the reason for such a provocative title? Other than the obvious tabloid hook, I want to explore the future of GNU/Linux. You know, the time in the near future when "Once 'Linux' is (as|more) popular (as|than) 'Windows' it will start getting all those viruses too."

First off, the problem with that statement is that there is no single homogeneous 'Linux' (meaning GNU/Linux, of course) to attack in the way that there is a single 'Windows' to attack. There are several hundred distributions of GNU/Linux, all with differing release versions of software and underlying software libraries. The very heterogeneous nature of the GNU/Linux ecosystem makes creating a far-reaching automated malware attack difficult, if not unlikely to succeed. While one may find a way to automatically attack a large user base of a single distribution, like that of Ubuntu, the attack will not likely work across all or even most other GNU/Linux distributions due to the diverse nature of the versions of included software.

Calls from people without and within the FLOSS community to create a "single Linux" or to standardise all distributions are a danger to the security that is inherent in the healthy heterogeneity of GNU/Linux. No, I do not mean "security through obscurity", I mean security through diversity. Part of the problem with the Microsoft install base is that the Microsoft systems in use are all very similar. An automated attack that works on one of them will more than likely work on most of them. If there ever becomes a single GNU/Linux that contains 80% or more of the market then GNU/Linux will be less secure as a result. (See my correction for the previous sentence in comment #25.) In such a future a theoretical automated attack that could infect one GNU/Linux system would have far reaching consequences. Just as the malware that affects Microsoft systems has today.

We all know the weakest security link in a system is the user. I predict that social engineering attacks will be the most prevalent method of attempting to subvert GNU/Linux users. Even today a naive user running GNU/Linux could still be subverted with a phishing scam. However, since GNU/Linux has traditional Unix privilege separation an automated attack that can take over the computer from an unprivileged user login becomes much more difficult. Under traditional Unix privilege separation a non-root ("root" equals "administrator"), unprivileged user cannot change the system files. Could one overcome this privilege separation? Perhaps on a single distribution one could if one put enough time and effort into it at the time a security flaw that allows privilege escalation[1] is first discovered. But the chance of making such an attack work across the huge, diverse GNU/Linux ecosystem would be near zero. That is, as long as GNU/Linux remains a diverse ecosystem.

What about the users that do not ever update their systems? Yes, this will still be a problem under GNU/Linux in the future of its World Dominance. There will always be users that do not update their systems either through apathy or ignorance. Any update that requires user intervention is unlikely to be installed by these users. Automated updates that are on by default can do much to overcome this problem. There are problems with automated updates too, though. In some cases an automated update may cause a system problem. For example, an update to the X Window System that includes a new 3D driver may cause the GUI to stop working on some systems. Should a problem like this affect a huge user base it would be a PR disaster. So, turning on automated updates by default is not encouraged in most cases.

What is the answer to the apathetic user problem? I do not have it. Some people just do not care about the security processes they need to know to be secure. There is no way to make them care unless they actually end up with a malware infection. Of course at that point these people are more likely to blame the operating system or the malware authors than themselves.

We can address the ignorant user problem though. Just because a user is ignorant does not mean the user is "stupid". Almost all users that fall in the ignorant category can be taught to protect themselves if they have an opportunity to learn good security processes and know they need to learn them. A local Linux User Group (LUG) can be an excellent source of training for our world full of future GNU/Linux users. If you do not have a LUG near you, then start one. Once you have, or discover, a local LUG then occasionally offer a Security Process Training Day through your LUG that covers the basics of what users need to know to keep their GNU/Linux systems secure and happy. Then encourage everyone you know that uses GNU/Linux near you to attend. You may even be able to get "free" advertising through local media outlets for a non-profit LUG.

The Bottom Line: We in the GNU/Linux community need to be proactive with our family, friends and neighbours that decide to use a GNU/Linux distribution. Since most of us already know and practice good security processes we can pass along our knowledge to the new user that may be ignorant but is willing to learn. For any user we run across that is apathetic about security we can encourage them to stick with Microsoft. After all, the apathetic users are already a drag on the Microsoft user base, let's not encourage them to bring their problems to our platform. Am I blaming these users? Yes, I am in the case of apathy. Sometimes the blame falls squarely in the lap of the user. Apathy about security is one of those "sometimes".

[1] Privilege escalation attacks take advantage of a flaw in a system level service that may be running with higher level privilege than a regular user. Exploiting the flaw gives the attacker a higher level of access which may allow compromising the operating system itself. These types of flaws can be found in any operating system at any time. GNU/Linux is no exception.

Read the next article in this series: GNU/Linux Security: Linux House vs Microsoft House


Edit Tue Oct 20 13:01:16 CDT 2009: Change "blatant deception" to "provocative title" in the first paragraph. I think some folks are imploding after seeing the words "blatant deception". 🙂


Published by

Gene A.

Gene is a "Unix Guy", network technologist, system trouble-shooter and IT generalist with over 20 years experience in the SOHO and SMB markets. He is familiar with and conversant in eComStation (a.k.a. OS/2), DOS (PC, MS and Free), Unix, Linux and those GUI based systems from Microsoft. Gene is also a follower of Jesus (forgiven, not perfect), and this does inform his world view.

28 thoughts on “GNU/Linux Security: Ubuntu has been Cracked!”

  1. For the record, I do not expect to ever have to worry about an automated attack on my own Mandriva GNU/Linux systems. I keep my systems up to date with security patches for installed software as soon as I see the pop-up notice about them from Mandriva Update. I also do not expose my desktop systems directly to the internet and keep them behind a router that has a firewall enabled. My primary browser, Firefox, has NoScript installed and I only allow scripts to run that let sites I visit work, nothing else is allowed. Of course none of the GNU/Linux applications I use will run some macro or script in the background from a received e-mail without my knowledge. Happily none of the FOSS developers are dumb enough to think that is a good idea. 🙂

    Edit: Yes, I am aware how difficult it would be to create a “virus” for GNU/Linux. Worms and Trojan Horse applications are a different matter. One can avoid Trojan Horse applications by sticking with one’s distribution repositories, presuming the repository is not cracked, and well known software like that from Adobe. Worms can only infect system level software that has unpatched flaws and that is “listening” on an open port. Mandriva’s desktop system has an interactive firewall that is enabled by default and blocks all ports to the outside. So, nothing is “listening” on an exposed port by default.

  2. Step 1: Dual-boot Windows + GNU/Linux
    Step 2: Get a rootkit virus while using Windows (virus attaches to BIOS)
    Step 3: Hard Boot into GNU/Linux
    Step 4: ???
    Step 5: PROFIT

  3. Khalil Fazal (comment #2) thanks for reading and for your comment.

    Answer to that problem: if one needs a Microsoft operating system for something then don’t multi-boot. Run the Microsoft operating system in a sandboxed virtual machine on the GNU/Linux system. Never, never, never let Microsoft touch your bare GNU/Linux hardware. 😉

    I quit multi-booting a while back. Now I only run a Microsoft XP Professional operating system occasionally in Virtualbox. I do this when I need to check something for a client that runs Microsoft systems. I would not even run that if I did not need it to support some of my company’s clients.

  4. Your title is stupid.

    “You know, the time in the near future when ‘Once “Linux” is (as|more) popular (as|than) “Windows” it will start getting all those viruses too.’”

    Ah….no. Viruses exist on Window$ because the OS is overwhelmingly insecure….as you stated here: “since GNU/Linux has traditional Unix privilege separation an automated attack that can take over the computer from an unprivileged user login becomes much more difficult.”

    “Could one overcome this privilege separation?”
    Yes, it is called privilege escalation. These issues are generally patched as soon as they are found, sometimes by Linus himself. As long as admins/users patch their boxes, they are generally safe from these kinds of attacks.

    “I quit multi-booting a while back. Now I only run a Microsoft XP Professional operating system occasionally in Virtualbox.” -Gene

    This is the main reason for your misunderstanding about Linux. The Linux community is a community, not a company. We do not strive for world domination, we wish to be allowed to use our OS without M$ making it harder for us to do so.

    We do not hate M$, we just do not have any use for their products. Another way to put it…….
    “I simply don’t use Microsoft products, not because I hate them, but because they aren’t interesting to me.” -Linus Torvalds, 2007

  5. Well if your computer is like mine, if you run in a virtualbox, it slows down your computer greatly. But my computer is an older computer now. Perhaps yours is newer and doing a virtualbox is no problem for you.

  6. There are many good reasons /not/ to continually update a system – apathy and ignorance are just two of the bad reasons. Good reasons not to update include user familiarity and IT support (relevant to large updates and new versions), software compatibility, hardware compatibility, and continuity of use (you might not want updates that require reboots).

    Relying on updates for security is not unlike relying on anti-virus scanning to protect your Windows machines from viruses. It’s not entirely the same, in that updates can patch holes before there are any known exploits, but it is still a game of catch-up.

    If you don’t understand computer and network security, then regular updates are a help – just like anti-virus software on Windows. But in a well-designed security process, updates are at most a minor point.

  7. The reason why Linux doesn’t suffer mass worm attacks like Windows has nothing to do with diversity of distributions as Microsoft and the author claim. It has everything to do with the vulnerability of Windows to viruses through the poor security model design of Windows.

    Basically Windows virus vulnerability is a security design flaw which is never fixed – instead anti-virus programs are installed to try to catch the exploits AFTER they have occurred. In Linux, you need a coding error or administrative configuration error to create a vulnerability which can be exploited, and these can be fixed. Compare this with Windows’ virus vulnerability which is a flaw in the security design, not the implementation and therefore cannot be fixed – if Windows is vulnerable to a particular virus today, then it will still be vulnerable to the virus a year from now after the anti-virus companies have issued updated anti-virus files. There is no doubt that Windows is vulnerable to viruses and Linux and Unix aren’t – the numbers speak for themselves: successful Linux viruses = 0 vs successful Windows viruses = several hundred thousand.

    How does virus vulnerability relate to Internet worm attacks? The answer is that both Windows and Linux can have vulnerabilities due to coding errors and misconfiguration, and both are patched from time to time. However the same vulnerabilities that make Windows vulnerable to viruses make it easy to automate attacks on Windows in a way that is not possible on Linux. What is more, these automated attacks can proliferate before the anti-virus companies (Windows’ only line of defense against viruses) can release updated databases. That is the correct explanation why mass worm attacks occur only on Windows and not Linux.

  8. Linux raises the bar enough to require significant effort for a virus or trojan to crack it.

    The newer 64-bit hardware enables OS programmers to mark kernel and application stacks, and all other data areas of memory, as non-executable: i.e. code cannot be read and executed from these areas at all. This can’t be done on 32-bit hardware. This little change makes the days of the buffer-overflow well and truly numbered. The 64-bit kernels all implement this.

    If you are using 32-bit Linux on 32-bit hardware, search for libsafe. Download it, compile it and install it. It is a library which intercepts all the common string functions in the C library (which is used by both kernel and apps) and replaces them with safe versions. With this in place, a buffer overflow on your 32-bit machine is reduced to a minuscule risk.

    As for the BIOS, Linux only uses it to hoist itself into memory. If you are worried about this vector, check out Linux BIOS :-).
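The non-executable stack mentioned in comment #8 is something a defender can verify per binary rather than take on faith. The following is an added example, not code from the post or from the commenter: a small Python checker that reads the PT_GNU_STACK program header of an ELF64 binary, which is how a Linux executable tells the kernel whether it wants an executable stack. `build_elf64` constructs a minimal, non-runnable fixture image for the self-test; the function names and the simplified scope (ELF64 only, program headers only) are this example's own assumptions.

```python
import struct

# ELF constants from the System V ABI and the Linux ELF headers
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header fields that follow e_ident
PHDR_FMT = "IIQQQQQQ"        # ELF64 program header


def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK program header, or None if the
    binary carries no such header at all."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2:                         # EI_CLASS: 2 = ELF64
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    fields = struct.unpack_from(end + EHDR_FMT, elf, 16)
    e_phoff, e_phentsize, e_phnum = fields[4], fields[8], fields[9]
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_policy(elf: bytes) -> str:
    """Classify what the binary asks of the kernel for its stack pages."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        # No header: the kernel applies an architecture- and version-dependent
        # default, so this case deserves a manual look rather than a verdict.
        return "unspecified"
    return "executable" if flags & PF_X else "non-executable"


def build_elf64(stack_flags=None) -> bytes:
    """Construct a minimal ELF64 image (x86-64, little-endian) with an optional
    PT_GNU_STACK header. Test fixture only: it has no code and cannot run."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack("<" + PHDR_FMT, PT_GNU_STACK, stack_flags,
                                 0, 0, 0, 0, 0, 0x10))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = e_ident + struct.pack("<" + EHDR_FMT,
                                 2,      # e_type: ET_EXEC
                                 0x3E,   # e_machine: x86-64
                                 1, 0,   # e_version, e_entry
                                 64, 0,  # e_phoff (right after the header), e_shoff
                                 0, 64,  # e_flags, e_ehsize
                                 56, len(phdrs),  # e_phentsize, e_phnum
                                 0, 0, 0)         # no section headers
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], stack_policy(fh.read()))
    else:
        for name, flags in (("rw", PF_R | PF_W), ("rwx", PF_R | PF_W | PF_X), ("absent", None)):
            print(name, stack_policy(build_elf64(flags)))
```

Run it as `python3 stackcheck.py /path/to/binary`; without an argument it classifies the three constructed fixtures. The same information is visible in `readelf -lW binary` on the GNU_STACK line, and a toolchain that links with `-z noexecstack` emits the RW form. An "unspecified" result is not a pass: the kernel's treatment of a missing header differs between architectures and kernel versions, so the binary should be rebuilt with the header present.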


  9. I found the article very interesting; we need more of this on Linux desktops. I think that non-professional (or even some professional) Linux users might think that just because they run Linux their system cannot be harmed. I myself became more concerned about security only when I got more involved in Linux professionally.

    I think one of the most difficult parts of Linux security is updates. There is always a huge number of updates available and many of them are marked as security ones. But whether these are critical or not (for Linux, if there is an exploit it is very likely to be a local exploit and not a remote one) is often not shown in the notification. I personally only perform updates that are relevant to my system usage.

    It can also be a risk that options in some distributions’ system settings such as turning on firewall may make us think that “from now on I am protected”. But whether this protection is enough for the particular application of that computer is often unknown for non-professionals. Blocking incoming traffic does not mean, for example, that a worm/backdoor/keylogger or other malware cannot connect to the Internet. Letting only particular applications connect to the net requires other software to be installed and configured.

  10. It may just come down to this, “The problem is between the seat and the keyboard”. If we try to idiot proof to a point where we are down to one distribution, that is like saying we need to be down to one type of car.

  11. cantormath (comment #4) thanks for reading!

    I wonder how a title can be “stupid”. 🙂 It is a tabloid-like hook to get people to read the article. A fairly common occurrence across all media.

    I am aware that “Linux” is not a company. The “World Dominance” phrase is tongue-in-cheek humor. Perhaps I should have made that more clear with a winking emoticon? 😉

  12. Joey Cagle (comment #6) thank you for reading the article.

    I do have a more modern PC now. I recently upgraded to an AMD quad-core with 4GB of RAM. My previous system was barely powerful enough to run a Virtualbox’d XP Professional with 512MB RAM allocated to it.

    You may be able to get yourself a quad-core fairly inexpensively if you shop the parts and build it yourself or go with a local small system builder.

  13. SMP (comment #9) thank you for that comment.

    I did try to state that the GNU/Linux security model is part of what makes it more secure. I apparently did not do that very well. Thank you for your clarifying addition to what I was trying to say.

  14. Cat (comment #10) thank you for reading and for the comment.

    I was unaware of the enhancements you mention. I appreciate your pointing them out.

  15. To those of you who sent me a nasty comment about the tabloid title and then claimed to not have read the article as a result. Your angst over this is … interesting. Grow up. 🙂

  16. Another point or three I should have covered.

    Microsoft’s original flawed design for “Windows” has lowered the bar significantly for attacks on Microsoft’s operating systems. The single user, non-networked model from which all modern “Windows” derive was and is insecure. The attempts to bolt-on multi-user functionality and network functionality without rewriting the base code is what has made Microsoft’s systems so virus friendly. The ease of creating malware for Microsoft’s products is therefore the main reason Microsoft’s systems are so often attacked.

    However, just because it is incredibly more difficult to create malware for Unix-like operating systems does not mean it is totally impossible. There is always a window of opportunity to take advantage of some flaw in a system service like CUPS to propagate a worm. This is where good security practices and keeping system level software patched is still a good idea even if one is running GNU/Linux.

    It is disingenuous for those of us in the GNU/Linux community to scoff at the idea that a wide user base is part of the reason for malware attacks. That is absolutely part of why criminals go after the Microsoft user base. There is some profit in malware that steals information from a large user base. Otherwise, why do it? Once GNU/Linux does have a more noticeable desktop install footprint the criminals will look into how it can be cracked. To state otherwise is to be naive.

    The difficulty of actually writing successful malware for GNU/Linux is why I predict in the article, “I predict that social engineering attacks will be the most prevalent method of attempting to subvert GNU/Linux users.” After all, there will still be gullible humans using GNU/Linux once it takes over the world. 😉

  17. Everyone, I realize I misstated my case here, “If there ever becomes a single GNU/Linux that contains 80% or more of the market then GNU/Linux will be less secure as a result.” What I mean is there will be a more concerted effort by criminals to find flaws to be attacked. While this means there will be more people looking for ways in, I misspoke when I said that GNU/Linux would be less secure. The popularity of an operating system has no impact on its actual security. My stating otherwise in that sentence was a mistake.

    The next article in this series addresses that mistake. You can find the URL for that at the bottom of this article above the comments.

  18. If there is ever any major outbreak of hacks on Linux systems, Ubuntu and gang may be the major reason, not because of their popularity but because of

    root = sudo normal_user

    there is no need for privilege escalation in distros that default to sudo.

    sudo should be for selected tasks and not ALL tasks.

    It does not educate but instead chooses the easy way out, choosing to “enhance user experience” and “ease of use” over security.

    Sad !
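Comment #18's point about blanket versus scoped sudo rules, and the article's point that privilege separation only helps while an unprivileged login really is unprivileged, both come down to what the sudoers file actually grants. The following is an added example, not code from the post or from any commenter: a small Python audit that parses user-specification lines from a sudoers file and flags every non-root principal allowed to run ALL. The `SAMPLE_SUDOERS` text is constructed for this example, and `parse_sudoers`, `audit_sudoers` and the simplified grammar (no aliases, no line continuations, no include directives) are assumptions of this example, not sudo's own parser.

```python
import re

# Constructed sample sudoers content, not taken from any real system. The
# %admin and alice lines are the blanket grant the comment objects to; bob and
# carol show the scoped form ("sudo for selected tasks").
SAMPLE_SUDOERS = """\
# constructed example, not a real /etc/sudoers
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
alice       ALL=(ALL) NOPASSWD: ALL
bob         ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
carol       ALL=(root) NOPASSWD: /usr/sbin/service cups restart
"""

# Lines this simplified parser deliberately ignores
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# who  host = (runas) commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")


def parse_sudoers(text):
    """Parse user-specification lines into a list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False
        commands = []
        for item in m.group("cmds").split(","):
            item = item.strip()
            # A tag applies to its command and every later command in the list
            # until another tag overrides it (sudoers semantics).
            while True:
                t = TAG_RE.match(item)
                if not t:
                    break
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            commands.append({"cmd": item, "nopasswd": nopasswd})
        rules.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",   # sudo's default target user
            "commands": commands,
        })
    return rules


def audit_sudoers(text):
    """Return findings for non-root principals granted an unrestricted ALL."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue        # root already holds every privilege; nothing to flag
        for entry in rule["commands"]:
            if entry["cmd"] == "ALL":
                findings.append({
                    "who": rule["who"],
                    "severity": "high" if entry["nopasswd"] else "medium",
                    "detail": "may run any command as %s%s" % (
                        rule["runas"],
                        " without a password" if entry["nopasswd"] else ""),
                })
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for f in audit_sudoers(text):
        print("%-6s %-10s %s" % (f["severity"], f["who"], f["detail"]))
```

Run against the constructed sample, it reports `%admin` (medium) and `alice` (high, passwordless) and stays silent on `bob` and `carol`, whose rules name specific commands. On a real host, `visudo -c` checks the file's syntax and `sudo -l` prints the rules that apply to the current user; the latter is the quicker way to see whether a desktop account is effectively root. A scoped rule is only as narrow as the command it names, so the listed programs should be ones that cannot themselves be used to run arbitrary commands.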

  19. Gene, instead of saying you “misspoke” (comment 25), which sounds like a well-known politician, I recommend using Shuttleworth’s term “thinko”. It deserves wider adoption.
