Security Question

scorp123
Level 8
Posts: 2272
Joined: Sat Dec 02, 2006 4:19 pm
Location: Switzerland

Post by scorp123 »

D1Wayne wrote: if you get an infection, the fix is usually simply re-install your browser
Your browser lives in /usr/... .. And there is no way how it could get infected there with anything unless you were so incredibly stupid and were browsing the web as "root". Your normal user simply lacks the abilities to do anything about the binaries over there in /usr and other critical locations, and any nasty program would run under the account of the user that triggered it. So if your user cannot do any harm to the binaries in /usr neither could any "virus" or anything similar. Re-installing your browser is thus absolutely pointless.

I'd be more worried about the profile settings in your /home directory ... e.g. /home/youraccount/.mozilla/* ... It's those settings that would be executed again even under a new browser installation :wink:

I have used Linux since 1996 and have not ever encountered any Windows-like virus outside of some highly experimental lab environments ... And even those viruses I have seen in the labs either needed to be compiled into the kernel by "root" (so what's the point? You already need to be "root" in the first place in order to install this thing!) or you need to trick "root" into executing a certain binary to get the infection started (simple: never ever execute any unknown binaries as "root" ... ) ... how pathetic.

Running a Linux server is a different story however: there is a certain risk that a hacker might find a flaw somewhere and hack his way into your system. That's the real danger here: intelligent human beings who know a great deal about network protocols and got too much time on their hands ... not stupid viruses.
D1Wayne wrote: or first completely un-install it then re-install it,
See above. Pointless exercise in my opinion. If any "infection" of any sorts would occur, then in your /home directory and all the "dot" files and sub-directories there (.gnome, .kde, .profile, .mozilla, .config, .bashrc .... ) and not in an area where your user account doesn't even have write access to :wink:
D1Wayne wrote: Yes there are sites that have malware that will attack Linux, of this I'm certain,
SHOW ME. :D (Linux user since 1996 ... Internet user since 1992 .... never ever seen such a thing ... )
D1Wayne wrote: the worst are the torrents where one can download all kinds of seemingly nice stuff, but beware many are laced with naughty surprises.
The worst surprise you can get is this: you think you download Hollywood's newest blockbuster movie but then it turns out that some moron faked a file and you've in fact downloaded some silly p0rn movie ... and not what you thought.

That's it. :D Everything else is just FUD :D
D1Wayne wrote: So if you are downloading programs from sites you know nothing about
Why would you do that in the first place? Everything is in your apt repos, you never ever even have to surf the web and hunt for programs ... This ain't Windows :wink:
D1Wayne wrote: Grisoft AVG for Linux is available as well as ClamAV
I use AVG to scan things I download before and after install of packages that I'm not sure of the source.
OK, better cautious than sorry .... But I honestly never used such a program on Linux. Because I simply don't have to. Most of those virus scanners serve the purpose to protect Windows, e.g. when you use your Linux as a file server for Windows clients. So this anti-virus scanner would make sense: it scans the files the Windows clients upload and thus stops Windows viruses from spreading .... it doesn't stop Linux viruses simply because there are almost none :D
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
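An added example, not part of the original thread: a small triage helper for the point made in the post above, that anything running as a normal user can only touch the per-user "dot" files and not `/usr`. The path list comes from the post; the function names, the 7-day window and the system directories checked are assumptions made for this sketch.

```python
import os
import time
from pathlib import Path

# Per-user locations named in the post above. Anything running under the
# user's account can write here, so this is where to look first.
USER_PATHS = (".gnome", ".kde", ".profile", ".mozilla", ".config", ".bashrc")


def recently_modified(home, days=7, now=None):
    """Return files under the listed dot paths changed in the last `days` days.

    mtime can be reset by the file's owner, so treat the result as a
    triage hint, not as proof that nothing else was touched.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for name in USER_PATHS:
        root = Path(home) / name
        if root.is_dir() and not root.is_symlink():
            candidates = [p for p in root.rglob("*") if p.is_file()]
        elif root.is_file() or root.is_symlink():
            candidates = [root]
        else:
            continue  # this dot path does not exist for this user
        for path in candidates:
            try:
                mtime = path.lstat().st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if mtime >= cutoff:
                hits.append(str(path.relative_to(home)))
    return sorted(hits)


def writable_system_dirs(dirs=("/usr/bin", "/usr/sbin", "/usr/lib")):
    """Return the system directories the current account can write to.

    For a normal user this should be empty; a non-empty result means the
    session is running as root or the permissions are wrong.
    """
    return [d for d in dirs if os.path.isdir(d) and os.access(d, os.W_OK)]


if __name__ == "__main__":
    home = str(Path.home())
    print("writable system dirs:", writable_system_dirs() or "none")
    for rel in recently_modified(home):
        print("recently changed:", rel)
```

Run it as the normal desktop user; running it as root defeats the purpose of the first check.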
marcus0263
Level 4
Posts: 365
Joined: Mon Dec 25, 2006 9:40 am
Location: Seattle

Post by marcus0263 »

I Agree

And to the claim of malware infecting a *nx system by just browsing: Show Me

I could see this if browsing as root, but any fool who browses the internet as root deserves it.
Shuttle SX58
Intel i7 Gulftown Hex Core
G.Skill 16Gig 1333
OCS Vertex 2 SSD
Segate SATA II
Palit GeForce GTS 450
LMKDE 14 64Bit

Where Thought Crime is Committed
Reject the Herd

Post by marcus0263 »

D1Wayne wrote:Yes there are sites that have malware that will attack Linux, of this I'm certain,
You made a pretty bold claim here and both Scorp and I disagree, we're just asking you to substantiate your claim. No one is being a "riot brigade" we just disagree.

Also anyone who not only browses the Internet as root but installs software from unknown sources deserves what they get. Basically use some common sense.

Post by marcus0263 »

To follow up, you continually hear the "well the market share isn't there for Linux viruses". Well truth being it's 1000+ times easier to create viruses, trojans, rootkits, worms for windows than any *nix system. The fundamental design of *nix systems with being modular and having "user" land makes it architecturally more difficult. For Microsoft a 1/2 page of code created by VB (Virus Basic) will tear up 1/2 the world's M$ Systems, won't see that in the *nx world.

So that argument about it just not being popular enough is basically FUD.

Post by marcus0263 »

D1Wayne wrote:Actually attacking the browser whether you're visiting with Windows, Mac or Linux

When I say linux that includes everything running under it, just like windows.
I know if you want to nit-pick it Linux is not an operating system, but to most it is so considered

Scorp123 was the one that mentioned browsing as root not I.

as Scorp123 pointed out servers are less secure, but many desktop users install servers on them regularly.

most problems are due to loose social computer behavior, and it is generally the operator's lack of judgment that is the heart of most of these problems.

I'm sure you or Scorp123 and many in this community are (oops) NOT guilty of mindless dl and installing from unknown sites. But by not cautioning newbies that there are dangers, and if they have in the past been guilty of this, is potentially more harmful, than stating that Linux is so much better at security you can do what you please without consequences.

http://www.conntact.com/article_page.lasso?id=40980
http://www.scmagazine.com/uk/news/artic ... mac-linux/
What you posted was "proof of concept", not in the wild, nor does it infect anything outside of the specific user unless they have "root" privileges. So it's displaying a jpg, apples and oranges compared to rootkits. Also it's executed when opening an Open Office Draw file, not browsing.

If for some remote chance the user is infected with something very nasty just remove the users home directory if you can't remove it. The OS has not been compromised.

Also with open source the proof of concept being published how long do you think before it's fixed?

So again back up this claim you made
D1Wayne wrote:Yes there are sites that have malware that will attack Linux, of this I'm certain,
I know of nothing out there that will infect a *nx system by just browsing the site as in M$.

Post by marcus0263 »

D1Wayne wrote:I think what we have is a difference of opinion,

you are not going to change my mindset and I will not change those that disagree
Just asking you to back up that very bold claim
D1Wayne wrote:I and most people that boot something do not care if it is a component or the whole,
You say that now, but *nix users don't have to fdisk because of just merely browsing a website.
D1Wayne wrote:beside with bugs like this
https://bugs.launchpad.net/ubuntu/+sour ... +bug/89853

who needs viruses :D

how many linux ATI and Nvidia problems this one alone caused days of lost time
At least with Linux all I have to do is edit one file and add one line ;-)

And Microsoft never has problems with drivers?

ROTFL ..............................

Post by marcus0263 »

D1Wayne wrote:
D1Wayne wrote:proof of concept, proves the vulnerability,
the bug mentioned earlier, is proof, that 1 disgruntled person on a development team could easily sabotage a project.

Make sent ipods with viruses
IBM shipped flash memory with viruses in them for 2 years before they were discovered, back in the early 90's a video card manufacturer put a virus in the company's master driver disk, the reason for the link was simply to illustrate how easy it would be to slip in malicious or faulty code.

And if you examine the forum you'll see a few minters here with recent repartition issues formatting problems
Still apples and oranges from your very bold claim
D1Wayne wrote:Yes there are sites that have malware that will attack Linux, of this I'm certain,
And again nothing has deterred from the fact it's 1000+ more difficult to create malware on any *nix system than M$, M$ just makes it too easy.

Post by marcus0263 »

D1Wayne wrote:http://www.viruslist.com/en/viruslistfi ... nux&page=1
list 1224 viruses/keyloggers/backdoor/trojans that are displayed when searching for Linux

Sophos
http://www.sophos.com/security/analyses ... ubmit.x=54&submit.y=9&action=search
22 pages @ about 10 per page

Symantec
http://searchg.symantec.com/search?q=linux&charset=utf-8&proxystylesheet=symc_en_US&client=symc_en_US&hitsceil=100&site=symc_en_US_vir&output=xml_no_dtd&context=gbh&x=0&y=0
Still nothing that infects Linux by simply browsing a website as a normal user, as with M$, as you claimed.

Also listed are security vulnerabilities that are quickly fixed 100x faster than M$'s vulnerabilities. Keeping up with security patches is standard common sense.
Husse

Post by Husse »

Hm - a little war going on?
Perhaps this could be boiled down to
D1Wayne claiming that nasty things could happen if you work on it (not at the beginning though)
marcus0263 and scorp123 stating that you really have to work so hard to achieve the bad things that they really don't happen :)

Post by marcus0263 »

Yes you have to really work on it ;-)

The point being put across is no, *nixes are not immune, but it is 10000+ more difficult to create nasties to break into a *nix system. Unlike M$ where all you need is basic VB skills to code a 1/2 page to down 1/2 the M$ systems on the globe. Also nothing replaces basic common sense like not cruising the internet as root.

It's like this, you can drive your car down the road every day with a fire suit and helmet, but do you really need to?

As for the argument about "*nix's just not being popular", well what do the big banks, government defense systems etc. critical and financial systems run?

Post by scorp123 »

D1Wayne wrote: proof of concept, proves the vulnerability,
It proves a theory ... but putting this into practice & reality is a different thing altogether. As I wrote in my earlier posting: Yes, there can be Linux viruses. But are they in the wild? NO. There once was some stupid worm that would attack PHP pages, but that hardly counts as "virus" as this thing no matter what it did could never ever compromise the entire OS.

The real danger for a Linux system comes in the form of human hackers ... not viruses. Different OS'es, different weaknesses.

And human hackers are very much a reality and a real threat to anyone running a UNIX-like system (be that Linux, BSD, HP-UX, Solaris, whatever.... ). But not viruses ... :wink:
D1Wayne wrote: the bug mentioned earlier, is proof, that 1 disgruntled person on a development team could easily sabotage a project.
Totally harmless compared to what a real hacker can do to your network if he finds a way in ... :D

All this virus talk is just FUD and nonsense, sorry to say so :D
D1Wayne wrote: the link was simply to illustrate how easy it would be to slip in malicious or faulty code.
Or it rather illustrates that certain companies better check their procedures again and how the hell infected Windows machines were allowed to access a critical production area :D

Most likely some idiot with a Laptop ... maybe a sales guy? They travel around, travel from sales show to sales show, and don't always have enough bandwidth so that they could update their anti-virus definitions. They go home over the weekend, their kid takes the laptop for a ride, installs some games or other software of unknown origin, maybe even a "trainer" or "cheat", or maybe even a "key generator" ... and whhhhooooops!!!!! Laptop catches an infection and the sales guy doesn't realise it yet. So he comes back into corporate HQ, plugs in his laptop into the corporate network ... and whhhhoooops!! We have a virus spreading through the corporate LAN's ... Too bad if it reaches the factories and even gets hard-pressed onto driver CD's and USB-keys ... :D

That's how it works ... on Windows :D

And here is UNIX / Linux:

You have a lazy admin who keeps that one "not so important" web server unpatched and unguarded for too long ... "Ya know, it's just holding some boring marketing material, nobody is going to look at that anyway, so we need not hurry with those stupid patches ... Let's patch our 'high-profile' systems first, OK?"... Yeah right. Been there, heard this BS before ... :twisted:

But a human hacker has been paying close attention: He's been port scanning your web site for the past few weeks and knows pretty much which TCP/IP and UDP ports are open, and he almost has an orgasm when he finds that your stupid admin still hasn't patched that old and obsolete application server version: It's time for a remote buffer overflow! He will send so many bogus signals until the application server dies, leaving a wide open root shell behind ...

So our hacker waits until the darkness of the night puts a shroud over everything. Like a vampire he's been sleeping all day long, just for this one night when he will strike.

And then he prepares his attack: One final portscan with "nmap" in stealth mode, just to make sure one last time that nobody has fixed the security holes in the meantime. Better cautious than sorry, he triggers a few more scans, activates a few "packet generators" and generates some fake traffic, just to make sure he isn't running into a trap or "honeypot".

He keeps his eyes glued to the console ... everything silent. The target is real, it's clear, and it's darkest night: The admin must be sleeping now. It is time ...

And then he strikes: He activates a few C programs and shell scripts that generate the necessary traffic that will kill the application server he's been observing so long ... a few "packet generators" in the background keep the routers busy with fake IP headers so that it will be very hard to trace the origin of this attack back to our hacker ...

Target down! The application server dies a miserable death after receiving this punishment of bogus IP packets, and because the admin was so stupid and never put the server process into a root jail or a virtual machine (e.g. Xen) the application server's death leaves a root shell behind ... Our hacker is in Heaven! He's the "King of the World" ...

Quick! He opens a connection to his underground IRC channel and tells his hacker buddies about his new system that he just got into. "0wn3d" as some people would say ... real hackers don't talk like that though :lol:

Two or three of his buddies get onto the party and also connect to the now compromised system.

Now the real work begins .... Scan the internal network without any of the admins or the "Intrusion Detection System" noticing! And of course: Place backdoors, keyloggers and trojans somewhere ... Chances are that the admins will patch the application server now that it crashed under "unknown circumstances", so our hacker friends need a new way in. So they place a few backdoors: They are already "root", so nothing is stopping them from modifying a few system binaries and adding "more features" to them. The "postfix" mail daemon gets modified so that it will silently open a backdoor once it's active. And the "apache" web server gets "patched" too and now will sniff the network for interesting traffic and send the results to a bogus e-mail address on Hotmail.com ...

Uh oh ... it's morning. Time to disconnect.

A few nights later our hackers are back. And with great amusement they see that this lazy stupid admin indeed patched the application server, but he obviously didn't notice anything else; especially he hasn't noticed yet the presence of those unwanted hacker guests and their "special" binary versions they installed.

Armed with the log files their sniffers produced in the past few nights they are now armed with usernames and passwords of several system user and mail accounts; and they find more vulnerabilities further inside the network. They compromise more systems .... And then they find the "holy grail": The database server which hosts all the credit card transactions and which keeps a record of all those precious credit card numbers ...

The next morning you can read this in the newspaper: Hackers stole 300'000 credit card numbers from company XYZ ...

That's what can happen on UNIX / Linux and if you are too lazy and/or too stupid to properly take care of your servers .... :D

But viruses?? No. Definitely no. :D
Last edited by scorp123 on Sat Jun 02, 2007 2:12 pm, edited 1 time in total.

Post by scorp123 »

marcus0263 wrote: As for the argument about "*nix's just not being popular", well what do the big banks, government defense systems etc. critical and financial systems run?
Bingo!! But what most (Ex- ?) Windows people don't get is that *nix has its fair share of vulnerabilities ... of course it has, it would be foolish to claim the opposite. But those vulnerabilities just ain't viruses :D

Let's talk about foolish UNIX admins not placing their servers behind properly configured firewalls, let's talk about stupid wannabe admins never taking care of patching their systems, let's talk about running some wacky and ugly hacks on your web server that a third-party company developed for your company -- your boss insists that this piece of cow dung has to be installed on your server despite the fact that this thing is opening too many TCP ports and yet nobody could so far really tell you why precisely those ports have to be open, let's talk about buffer overflows, stupid admins running root shells in "screen" and leaving those shells open for months ... let's talk about stupid users running unknown software that does funny things such as firewall hole punching (Hamachi anyone? Or Skype? :D ) ... Let's talk about reverse SSH tunnels that could be easily used as backdoors, let's discuss manipulated daemons that do a lot more than what they're supposed to do, let's touch the topic of angry ex-employees who know too much about your corporate network's topology and all the daemons that run on each of your servers and who got too many unsettled scores to settle .... Let's talk about all this and the tune suddenly changes: *This* is the stuff UNIX people like marcus or me are afraid of ... if there is any such thing, then it's stuff like *THIS* .... But not "viruses" :lol:
Last edited by scorp123 on Sat Jun 02, 2007 2:27 pm, edited 1 time in total.

Post by marcus0263 »

Yep big difference between stupidity and normal everyday browsing and operations. Hence issues like with M$ going to a website that has their banner ads being served up from an infected server. With M$ you will infect and compromise your entire OS, doesn't happen with *nix. Why? It's called ActiveX, the *nix world doesn't have that security nightmare.

Post by scorp123 »

Sanchopinky wrote: "Detected hit from 192.168.1.42"


There are ranges that never ever could originate from anywhere but from your own internal network because they are regarded as "Private Ranges" according to RFC 1918 (as sysadmin I know that stupid number by heart ...). All the details are here:
http://www.faqs.org/rfcs/rfc1918.html

Wikipedia's article on this (easier to understand):
http://en.wikipedia.org/wiki/Private_network

Therefore: IP addresses that start with 10.* something (10.0.0.0 – 10.255.255.255), 172.16.* something up to 172.31.255.255, and last but not least 192.168.* something can never ever originate from anywhere but from your own internal network.

These addresses don't even get routed on the internet (you don't get anywhere!), e.g. no ISP on this planet and in this universe can use these address ranges on the Internet or give any such address to any customer. You have to use some form of address translation between such a private range address and the official IP address(es) you got from your ISP.

The only thing you really need to be worried about is if you use WLAN and you see such private IP addresses that are definitely not used by any of your PC's or Laptops .... In that case it could be that someone cracked your WLAN-keys and broke into your network ...

Too bad if that hacker / cracker does something illegal and you are being held liable (after all it was your ISP subscription, and your IP address out there, right? ...) ... So in case you use WLAN it's always a good idea to keep an eye on such things.

I myself use WPA2 encryption and I only allow specific MAC-addresses into my network, just to be on the safe side.
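An added example, not part of the original thread: the check described in the post above, applied to log lines of the form Sanchopinky quoted. It sorts each source address into RFC 1918 private or not, then flags private addresses that are not in your own device inventory. The inventory, the sample log lines and the function names are constructed for this sketch.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 private ranges listed in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: addresses you know belong to your own machines.
KNOWN_DEVICES = {"192.168.1.10", "192.168.1.11", "192.168.1.42"}

# Constructed sample log, using the message format quoted in the thread.
SAMPLE_LOG = """\
Detected hit from 192.168.1.42
Detected hit from 192.168.1.77
Detected hit from 172.31.255.255
Detected hit from 172.32.0.1
Detected hit from 10.0.0.1
Detected hit from 203.0.113.9
Detected hit from 192.168.1.77
Detected hit from not-an-ip
"""

HIT_RE = re.compile(r"Detected hit from (\S+)")


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def classify(addr, known):
    """Label one source address.

    known-local   : private range and in your inventory
    unknown-local : private range, not one of your machines; on a WLAN
                    this is the case worth investigating. It can also be
                    ISP-side equipment if the ISP numbers customers from
                    10.x, as a later reply in the thread points out.
    external      : not in a private range
    invalid       : not parseable as an IP address
    """
    try:
        private = is_rfc1918(addr)
    except ValueError:
        return "invalid"
    if not private:
        return "external"
    return "known-local" if addr in known else "unknown-local"


def review(log_text, known):
    """Map each source address in the log to (label, hit count)."""
    counts = Counter(HIT_RE.findall(log_text))
    return {addr: (classify(addr, known), n) for addr, n in counts.items()}


if __name__ == "__main__":
    for addr, (label, hits) in sorted(review(SAMPLE_LOG, KNOWN_DEVICES).items()):
        print(f"{addr:18} {label:14} hits={hits}")
```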
Husse

Post by Husse »

Scorp is right about these address ranges, but
some ISPs may use them and put their customers on one of these nets, the 10.xxx one the most likely candidate or sometimes even 192.168.x.x.
Telia, the large Swedish operator that is active in many parts of the world, used the 10 range, don't know if they still do.
The nameservers I used the first years on the internet were 10.0.0.1 and 10.0.0.10 ....
But if your ISP does not use this "half illegal" method, it's from your own network
clem
Level 12
Posts: 4308
Joined: Wed Nov 15, 2006 8:34 am

Post by clem »

I use no encryption, no filtering, I have DHCP enabled, my essid is broadcasted, I don't even monitor accesses to my router.

My secret? I live in the middle of nowhere. Best security ever :)

10.xxx.xxx.xxx should only be used by companies, individuals within their own networks. It's not made for ISPs to use (and if they do, certainly not as public IP addresses). But Husse is right as well, it's only a standard after all, and like all standards it all depends how much people decide to follow it.

Clem
Husse

Post by Husse »

what about javascript exploits?
Is linux still safe from that?
Short answer yes.
It could probably (not sure) be used to do something to your /home but for anything else it would need sudo....

Post by scorp123 »

Sanchopinky wrote:Sorry to bump this but what about javascript exploits? Is linux still safe from that?
Long answer: ...it depends. :D

There was once (two years ago?) some bug in Firefox that would allow a web page to access your clipboard :D ... Too bad if the clipboard contained the root password or your credit card number ...

Such rare and exotic bugs aside, JavaScript normally can't do much to your system as "a whole". Your user account however is a different question. Depending on what sort of nasty exploit we are talking about it could maybe try to kidnap your bookmarks, or try to steal stored passwords (that's why everybody is taking "phishing" so seriously these days). But usually such bugs and security holes get fixed really quick -- that's the true beauty of open source software.

Out of the very same reasons you should never ever run a web browser as superuser "root" :wink:

Another thing making things really hard for writers of malware is a law coming from genetics and biology: The more diverse a life form is, the less susceptible it is to a virus attack.

The same is true for software. Monocultures such as Windows are vulnerable to malware and viruses because "it's all the same". Linux however is different: Every Linux distro is a slight bit different from the rest ... and this is good! It makes it really really hard for malware to attack a Linux system as it cannot know in advance what distro it will encounter ....

Attacks from human hackers are a different story: they are a real threat, especially to web and database servers facing the Internet.