Mackenzie Morgan gave a presentation at Ohio LinuxFest 2010 about the Linux security myth. They discussed that while Linux is less vulnerable to viruses than Windows, it can still be affected by malware through email trojans, untrusted software from third-party repositories, and browser-based attacks. However, users can protect themselves by only installing software from trusted software sources, being cautious of launchers from unknown origins, and using browser plugins like NoScript to block malicious scripts.

1. Linux Security Myth
Mackenzie Morgan
Ohio LinuxFest 2010
11 September 2010
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 1 / 35

2. Introduction
Outline
1 Introduction
2 Vocabulary
3 What can still hurt me?
4 What protection is there?
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 2 / 35

3. Introduction
Me
Mackenzie Morgan
Computer Science student
Ubuntu Developer
Kubuntu user
http://ubuntulinuxtipstricks.blogspot.com ← find slides here
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 3 / 35

4. Introduction
This Talk
Linux Zealot: Try Linux! It doesn’t get viruses!
Average Person: No viruses? I’m invincible!
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 4 / 35

5. Vocabulary
Outline
1 Introduction
2 Vocabulary
3 What can still hurt me?
4 What protection is there?
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 5 / 35

6. Vocabulary
Malware
Malware (or “badware”) is an umbrella term for viruses, trojans, worms,
rootkits, etc.
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 6 / 35

7. Vocabulary
Virus
Viruses infect individual files. They spread when people share those files.
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 7 / 35

8. Vocabulary
Social Engineering
Social Engineering is tricking people into doing something that is bad for
security.
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 8 / 35

9. Vocabulary
Trojan
Trojans are malware that get installed via social engineering. . . or, well,
lying.
“I’m a fun game and totally safe! but not really, I’m actually going to steal your
passwords. . . ”
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 9 / 35

10. Vocabulary
Worm
A worm infects other systems, automatically, usually over a network.
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 10 / 35

11. Vocabulary
Botnet
A botnet is a group of systems infected by malware which operate as a
collective and are controlled by a erm. . . jagoff.
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 11 / 35

12. Vocabulary
Botnet
A botnet is a group of systems infected by malware which operate as a
collective and are controlled by a erm. . . jagoff.
Yes, I’m from Pittsburgh. How’d you guess?
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 11 / 35

13. Vocabulary
Rootkit
A rootkit keeps the activities of an unauthorised user hidden so that you
can’t tell your system has been owned.
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 12 / 35

14. Vocabulary
Keylogger
A keylogger tracks everything you type. Yes, including passwords.
It could be hardware (see ThinkGeek), but usually software. There are
legitimate(-ish) uses.
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 13 / 35

15. Vocabulary
Browser-based Attack
A browser-based attack is any attack that takes place inside the web
browser. They are usually not limited to a specific OS.
Examples:
Cross-site Scripting (XSS) – using Javascript on one webpage to steal
data from another
Tracking cookies – harvests the information stored in your browser by
other websites
Cookie jacking – stealing credentials for other websites from your
browser’s cookies
Click jacking – hiding clickable objects on a webpage on top of other
objects so that you’re not clicking what you think you’re clicking
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 14 / 35

16. Vocabulary
Phishing
Phishing is social engineering aimed at making you believe you are
interacting with someone else whom you trust
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 15 / 35

17. What can still hurt me?
Outline
1 Introduction
2 Vocabulary
3 What can still hurt me?
4 What protection is there?
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 16 / 35

18. What can still hurt me?
What’s still a problem?
All of those
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 17 / 35

19. What can still hurt me?
But what about no viruses?
Windows ones usually won’t run, even in Wine
Several hundred for Linux
Only ∼30 in the wild ever
No known viruses exploiting current vulnerabilities
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 18 / 35

20. What can still hurt me?
Email Trojans
“Check out this cool new game! http://example.com/foo.desktop”
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 19 / 35

21. What can still hurt me?
Untrusted Software
.deb for “screensaver” on gnome-look.org
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 20 / 35

22. What can still hurt me?
Untrusted Software
.deb for “screensaver” on gnome-look.org
. . . and now you’re on a botnet
http://ubuntuforums.org/showthread.php?t=1349678
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 20 / 35

23. What can still hurt me?
Browser-based attacks
Unless only for Internet Explorer
Firefox? Opera? Chrome?
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 21 / 35

24. What can still hurt me?
Phishing
There’s no patch for gullibility
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 22 / 35

25. What can still hurt me?
Rootkits
If any of the previous work, the attacker might install one
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 23 / 35

26. What protection is there?
Outline
1 Introduction
2 Vocabulary
3 What can still hurt me?
4 What protection is there?
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 24 / 35

27. What protection is there?
Trusted software sources
Stick to your distro’s repos
Otherwise, source directly from upstream
Avoid non-software in .deb or .rpm format
Heed warnings about failed signature checks
Arch Linux does not sign packages
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 25 / 35

28. What protection is there?
Launchers
You get a .desktop from web/email. . .
Do you know what it’ll run?
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 26 / 35

29. What protection is there?
Launchers
You get a .desktop from web/email. . .
Do you know what it’ll run?
Could be anything
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 26 / 35

30. What protection is there?
Launchers in KDE
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 27 / 35

31. What protection is there?
Launchers in GNOME
Fedora’s & openSUSE’s GNOME:
Ubuntu’s GNOME:
Ubuntu has a policy against “ignore this security warning” buttons
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 28 / 35

32. What protection is there?
Browser - Javascript
Use NoScript
Users might not be equipped to know what to allow, but it blocks
cross-site scripting & click-jacking
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 29 / 35

33. What protection is there?
Browser - Encryption
Don’t send passwords unencrypted!
Lock icon:
Means connection is encrypted and probably no man-in-the-middle
NOT necessarily a sign that all is good!
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 30 / 35

34. What protection is there?
Browser - Phishing
But how do you know it’s the site it claims to be?
Look at everything before the third slash—that’s the domain
Check out this green thing
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 31 / 35

35. What protection is there?
Minimal privileges
Don’t login graphically as root!
Why?
Malware gets full access
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 32 / 35

36. What protection is there?
Don’t need it? Don’t use it!
Don’t login remotely with command line or push files to it?
Uninstall your SSH and S/FTP servers
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 33 / 35

37. What protection is there?
Detecting problems
Find rootkits:
rkhunter
chkrootkit
Warn of changes:
tripwire
Warn of attacks:
snort
These are advanced tools
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 34 / 35

38. What protection is there?
Questions?
Slides will be posted:
http://ubuntulinuxtipstricks.blogspot.com
Mackenzie Morgan (OLF 2010) Linux Security Myth 11 September 2010 35 / 35