
"H.S." 02-15-2009 05:25 PM

security (malware) issues in Linux based OSes
 
Hello,

In the last few weeks I recall reading in one of the mailing lists that
it is just a matter of popularity that we are not seeing bad-intentioned
debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
sufficiently popular, the claim is that it would be just as easy and
popular to infect these OSes by making a user install something like
NakedBrittany.deb as is now the case with Windows users.

I realize that a clueless user is always going to be the weakest link in
the fence against malware infection.

Just wanted to throw this question out here to see what opinions various
people have. What if such a malicious deb or rpm is made available? How
bad would it be for the same user as compared to similar malware in
the Windows case? Let us assume that the user has sudo access in Linux and
has admin privileges in Windows.


--

Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

T o n g 02-15-2009 06:11 PM

On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:

> In the last some weeks I recall reading in one of the mailing lists that
> it is just a matter of popularity that we are not seeing bad intentioned
> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
> sufficiently popular, the claim is that it would be just as easy and
> popular to infect these OSes by making a user install something like
> NakedBrittany.deb as is now the case with Windows users.

Don't know where you get it from, but it seems to me the person who made
such claims is a clueless Linux newbie himself. Debian has had package
signature signing and checking for years, even for non-official repos.

--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/



Eduardo M KALINOWSKI 02-15-2009 06:22 PM

T o n g wrote:
> On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:
>
>
>> In the last some weeks I recall reading in one of the mailing lists that
>> it is just a matter of popularity that we are not seeing bad intentioned
>> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
>> sufficiently popular, the claim is that it would be just as easy and
>> popular to infect these OSes by making a user install something like
>> NakedBrittany.deb as is now the case with Windows users.
>>
>
> Don't know where you get it from, but seem to me the person who made such claims is a clueless Linux
> newbie himself. Debian have package signature signing and checking years ago, even for non-official repos.
>

But neither of these helps in case a stupid user receives an e-mail saying:

Run 'sudo dpkg -i FreePornPics.deb to see <insert celebrity name here>'s
secret sex tape'.

(Or some variation thereof.)

I think, however, this will only become a problem if Linux gets really
popular, especially among newbie users. And the variety of distributions
will make this kind of attack harder: a .deb virus will not work on RPM
distros, and vice-versa.

For now, I see no reason to worry.


--
Out of sight is out of mind.
-- Arthur Clough

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb



Tzafrir Cohen 02-15-2009 06:31 PM

On Sun, Feb 15, 2009 at 04:22:37PM -0300, Eduardo M KALINOWSKI wrote:
> T o n g wrote:
> > On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:
> >
> >
> >> In the last some weeks I recall reading in one of the mailing lists that
> >> it is just a matter of popularity that we are not seeing bad intentioned
> >> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
> >> sufficiently popular, the claim is that it would be just as easy and
> >> popular to infect these OSes by making a user install something like
> >> NakedBrittany.deb as is now the case with Windows users.
> >>
> >
> > Don't know where you get it from, but seem to me the person who made such claims is a clueless Linux
> > newbie himself. Debian have package signature signing and checking years ago, even for non-official repos.
> >
>
> But neither of these help in case a stupid user receives an e-mail saying:
>
> Run 'sudo dpkg -i FreePornPics.deb to see <insert celebrity name here>'s
> secret sex tape'.
>
> (Or some variation thereof.)

A Debian user should not be expected to install just any .deb file. This
is why this procedure should be relatively complicated (and it is, IIRC).

But you're missing the real fun: http://lwn.net/Articles/319072/

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend



Eduardo M KALINOWSKI 02-15-2009 06:33 PM

Tzafrir Cohen wrote:
> A Debian user should not be expected to install just any .deb file.
>

Ideally speaking, I'd say this holds for any OS: Users should not just
install (or click, or run) everything they see.

In practice things happen differently, especially in the Windows world.


--
A language that doesn't have everything is actually easier to program
in than some that do.
-- Dennis M. Ritchie

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb



Tzafrir Cohen 02-15-2009 06:51 PM

On Sun, Feb 15, 2009 at 04:33:53PM -0300, Eduardo M KALINOWSKI wrote:
> Tzafrir Cohen wrote:
> > A Debian user should not be expected to install just any .deb file.
> >
>
> Ideally speaking, I'd say this holds for any OS: Users should not just
> install (or click, or run) everything they see.
>
> In practice things happen differently, especially in the Windows world.

As I have pointed out, there's no real reason for the user interface to
make that operation too simple. After all, you're not really guaranteed
that you'll actually be able to install that package, as you may not
have its dependencies.

The easy way to install packages is through apt.
https://launchpad.net/apturl/

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend



Ron Johnson 02-15-2009 08:48 PM

On 02/15/2009 01:11 PM, T o n g wrote:
> On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:
>
>> In the last some weeks I recall reading in one of the mailing lists that
>> it is just a matter of popularity that we are not seeing bad intentioned
>> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
>> sufficiently popular, the claim is that it would be just as easy and
>> popular to infect these OSes by making a user install something like
>> NakedBrittany.deb as is now the case with Windows users.
>
> Don't know where you get it from, but seem to me the person who
> made such claims is a clueless Linux newbie himself. Debian have
> package signature signing and checking years ago, even for
> non-official repos.




*Maybe* not on Debian, since Debian users *tend* to be more
sophisticated, but what's to stop Joe Wannabe from doing this?


$ sudo dpkg -i NakedBrittany.deb


Anyway, twice in the past few years, Debian servers have been
compromised. One time it was thru a weak DD user password, and the
other thru a poorly-working (official) Debian patch to ssh. (Or was
it SSL?) That last one caused more than a minor ruckus.


--
Ron Johnson, Jr.
Jefferson LA USA

Supporting World Peace Through Nuclear Pacification



"Boyd Stephen Smith Jr." 02-15-2009 10:26 PM

On Sunday 15 February 2009 15:48:37 Ron Johnson wrote:
> [W]hat's to stop Joe Wannabe from doing this?
>
> $ sudo dpkg -i NakedBrittany.deb

What's to stop Joe Wannabe from doing this?
sudo rm -rf The Great American Novell / Movie

Neither is an actual security issue.

> and the
> other thru a poorly-working (official) Debian patch to ssh. (Or was
> it SSL?)

I don't recall this actually causing the Debian servers to be compromised.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/

Ron Johnson 02-15-2009 11:24 PM

On 02/15/2009 05:26 PM, Boyd Stephen Smith Jr. wrote:
> On Sunday 15 February 2009 15:48:37 Ron Johnson wrote:
>> [W]hat's to stop Joe Wannabe from doing this?
>>
>> $ sudo dpkg -i NakedBrittany.deb
>
> What's to stop Joe Wannabe from doing this?
> sudo rm -rf The Great American Novell / Movie
>
> Neither is an actual security issue.


Depends, I guess, on your definition of "security". Both require
user interaction, and while the "sudo rm" certainly would be a
disaster, installing NakedBrittany.deb would/could install a
rootkit, keystroke logger, etc, etc.



>> and the
>> other thru a poorly-working (official) Debian patch to ssh. (Or was
>> it SSL?)
>
> I don't recall this actually causing the Debian servers to be compromised.


Ah, you're right. It was back in July 2006 that gluck got compromised.

--
Ron Johnson, Jr.
Jefferson LA USA

Supporting World Peace Through Nuclear Pacification



"H.S." 02-16-2009 12:12 AM

Ron Johnson wrote:

>
> *Maybe* not on Debian, since Debian users *tend* to be more

Yup, I agree.

> sophisticated, but what's to stop Joe Wannabe from doing this?
>
> $ sudo dpkg -i NakedBrittany.deb

This is more likely since some of the present day popular packages are
commonly downloaded as debs and installed (Skype, brand new versions of
OpenOffice.org).

To me, it looks like the only viable solution is to go for only open
source stuff which is hosted on the distro's official mirrors (Debian,
Ubuntu) where the packages are signed. Any departure from this is just
inviting Average Joe to cause trouble.


>
> Anyway, twice in the past few years, Debian servers have been
> compromised. One time it was thru a weak DD user password, and the
> other thru a poorly-working (official) Debian patch to ssh. (Or was it
> SSL?) That last one caused more than a minor ruckus.
>

It was SSL. I think it is described here:
http://www.debian.org/security/2008/dsa-1571

--

Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
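
Added example, not part of the original thread or of any Debian tool: the "signed packages on official mirrors" point above rests on apt's hash chain (a signed Release file lists the hash of each Packages index, which lists the SHA256 of each .deb), a lookup that `sudo dpkg -i some.deb` never performs. The Python below checks a local .deb against a Packages index; the function names, sample bytes and index stanza are constructed for illustration, and the index is assumed to have already been verified against the signed Release file.

```python
import hashlib
import os

def parse_packages_index(text):
    """Parse an APT Packages index into {deb basename: stanza fields}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Filename" in fields:
            index[os.path.basename(fields["Filename"])] = fields
    return index

def sha256_file(path):
    """Hash a file in chunks so large packages do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_deb(path, index):
    """Return 'ok', 'not-in-index' or 'mismatch' for a local .deb file."""
    entry = index.get(os.path.basename(path))
    if entry is None:
        return "not-in-index"   # e.g. a .deb that arrived by e-mail
    if str(os.path.getsize(path)) != entry.get("Size"):
        return "mismatch"
    if sha256_file(path) != entry.get("SHA256", "").lower():
        return "mismatch"
    return "ok"

# Constructed sample data: stand-in package bytes and the index stanza for them.
SAMPLE_DEB = b"constructed stand-in for the bytes of hello_1.0_all.deb\n"
SAMPLE_INDEX = (
    "Package: hello\n"
    "Version: 1.0\n"
    "Filename: pool/main/h/hello/hello_1.0_all.deb\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed example entry\n"
    " second description line\n"
)
```

A file that returns `not-in-index` or `mismatch` has no link to the repository's signature, whatever its name claims.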



