linux security myth

Linux Security Myth

Mackenzie Morgan

Ohio LinuxFest 2010

11 September 2010

Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 1 / 35

Introduction

Outline

1 Introduction

2 Vocabulary

3 What can still hurt me?

4 What protection is there?


Introduction

Me

Mackenzie Morgan

Computer Science student

Ubuntu Developer

Kubuntu user

http://ubuntulinuxtipstricks.blogspot.com ← find slides here


Introduction

This Talk

Linux Zealot: Try Linux! It doesn’t get viruses!

Average Person: No viruses? I’m invincible!


Vocabulary

Outline

1 Introduction

2 Vocabulary




Vocabulary

Malware

Malware (or “badware”) is an umbrella term for viruses, trojans, worms,rootkits, etc.


Vocabulary

Virus

Viruses infect individual files. They spread when people share those files.


Vocabulary

Social Engineering

Social Engineering is tricking people into doing something that is bad forsecurity.


Vocabulary

Trojan

Trojans are malware that get installed via social engineering. . . or, well,lying.“I’m a fun game and totally safe! but not really, I’m actually going to steal your

passwords. . . ”


Vocabulary

Worm

A worm infects other systems, automatically, usually over a network.


Vocabulary

Botnet

A botnet is a group of systems infected by malware which operate as acollective and are controlled by a erm. . . jagoff.

Yes, I’m from Pittsburgh. How’d you guess?


Vocabulary

Botnet

A botnet is a group of systems infected by malware which operate as acollective and are controlled by a erm. . . jagoff.Yes, I’m from Pittsburgh. How’d you guess?


Vocabulary

Rootkit

A rootkit keeps the activities of an unauthorised user hidden so that youcan’t tell your system has been owned.


Vocabulary

Keylogger

A keylogger tracks everything you type. Yes, including passwords.It could be hardware (see ThinkGeek), but usually software. There arelegitimate(-ish) uses.


Vocabulary

Browser-based Attack

A browser-based attack is any attack that takes place inside the webbrowser. They are usually not limited to a specific OS.Examples:

Cross-site Scripting (XSS) – using Javascript on one webpage to stealdata from another

Tracking cookies – harvests the information stored in your browser byother websites

Cookie jacking – stealing credentials for other websites from yourbrowser’s cookies

Click jacking – hiding clickable objects on a webpage on top of otherobjects so that you’re not clicking what you think you’re clicking


Vocabulary

Phishing

Phishing is social engineering aimed at making you believe you areinteracting with someone else whom you trust


What can still hurt me?

Outline

1 Introduction

2 Vocabulary





What’s still a problem?

All of those



But what about no viruses?

Windows ones usually won’t run, even in Wine

Several hundred for Linux

Only ∼30 in the wild ever

No known viruses exploiting current vulnerabilities



Email Trojans

“Check out this cool new game! http://example.com/foo.desktop”



Untrusted Software

.deb for “screensaver” on gnome-look.org

. . . and now you’re on a botnethttp://ubuntuforums.org/showthread.php?t=1349678



Browser-based attacks

Unless only for Internet Explorer

Firefox? Opera? Chrome?



Phishing

There’s no patch for gullibility



Rootkits

If any of the previous work, the attacker might install one


What protection is there?

Outline

1 Introduction

2 Vocabulary





Trusted software sources

Stick to your distro’s repos

Otherwise, source directly from upstream

Avoid non-software in .deb or .rpm format

Heed warnings about failed signature checks

Arch Linux does not sign packages



Launchers

You get a .desktop from web/email. . .Do you know what it’ll run?

Could be anything



Launchers

You get a .desktop from web/email. . .Do you know what it’ll run?Could be anything



Launchers in KDE



Launchers in GNOME

Fedora’s & openSUSE’s GNOME:

Ubuntu’s GNOME:

Ubuntu has a policy against “ignore this security warning” buttons



Browser - Javascript

Use NoScriptUsers might not be equipped to know what to allow, but it blockscross-site scripting & click-jacking



Browser - Encryption

Don’t send passwords unencrypted!Lock icon:Means connection is encrypted and probably no man-in-the-middle

NOT necessarily a sign that all is good!



Browser - Phishing

But how do you know it’s the site it claims to be?Look at everything before the third slash—that’s the domain

Check out this green thing



Minimal privileges

Don’t login graphically as root!Why?Malware gets full access



Don’t need it? Don’t use it!

Don’t login remotely with command line or push files to it?Uninstall your SSH and S/FTP servers



Detecting problems

Find rootkits:

rkhunter

chkrootkit

Warn of changes:

tripwire

Warn of attacks:

snort

These are advanced tools



Questions?

Slides will be posted:http://ubuntulinuxtipstricks.blogspot.com


linux security myth

Technology

linux security myth11

desktopmackenzie morgan

orgmackenzie morgan

onemackenzie morgan

trustmackenzie morgan

thosemackenzie morgan

vocabulary botnet

vocabulary rootkit