Exploring the Misconceptions of Linux Security: Focus

Don’t Assume Systems Are Secure Because They are Running Linux – Administrators Must Make Them Secure.

PUNTA CANA – Several presentations at the Kaspersky Lab Security Analyst Summit focused on vulnerabilities in industrial control systems, point-of-sale systems, and airport security scanners. Considering many of these targeted systems invariably run some form of Windows or Android, it is quite easy for a Linux administrator to feel complacent.

Security isn’t just something only Windows users need to worry about. The past few years have clearly proven that the old assumption about Macs not getting malware was false. Linux users smirking, “Just switch to Linux,” and claiming the operating system is somehow “better” than others have to realize they are just as vulnerable to cyber-attacks as anyone else.

“There is a perception out there that Linux systems don’t need additional security,” said David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab. This is a problem since Linux servers are increasingly coming under attack, he said.

The primary dangers facing Linux systems aren’t zero-day vulnerabilities or malware, but things like Trojanized applications, PHP backdoors, and malicious login attempts over SSH. If the computer has a weak password, or if one of the components, such as the SSH daemon or SSL server, is configured incorrectly, then attackers will figure out a way to break in. Administrators can’t rely on network defenses such as intrusion detection systems or Web application firewalls to detect when someone uploads an exploit kit or overwrites a file with a backdoored version.

Lest anyone feel inclined to dismiss the threats against Linux machines, especially servers, it’s important to realize that attacks have already happened. Just last year, attackers breached several Web servers and installed a version of the “itsoknoproblembro” toolkit in order to launch a series of powerful distributed denial-of-service attacks against banks and other financial institutions in the United States. The toolkit runs on both Linux and Windows, and considering how Linux and Apache dominate the Web server market, it takes simple mathematics to conclude that Linux servers were among the victims.

In November 2013, Symantec discovered that a group of sophisticated attackers developed a way to evade detection by using a Linux backdoor designed to hide communications.

A significant portion of the world’s data centers run Linux, and many organizations have some of their most critical applications running on these systems. Yet many of these systems are likely running outdated software. Because most Linux distributions don’t have a scheduled Patch Tuesday release as Windows systems do, updates are frequently applied on an ad hoc schedule. Many patch management systems in the enterprise don’t include Linux systems, which means administrators don’t have an easy way of knowing what versions are running or which ones need to be updated.

When it comes to securing a Linux machine, the answer is not installing an antivirus or some other security software. The key lies in hardening the operating system. The Linux operating system can be very secure, but what people don’t realize is that the default configuration is not secure at all, Jacoby said. For administrators to really benefit, they need to take the extra steps to turn on those security features, he said.


“The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” Jacoby said.

For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.

Another example is that, by default, one user can see the contents of another user’s directory, provided they know the directory name. Users shouldn’t be able to see the files that belong to other users, and more importantly, they shouldn’t be allowed to execute those files either, Jacoby said. An attacker can just run through a list of common directory names, such as scripts, backup, shared, common, and main, and see which ones succeed. Considering that so many people don’t change the directory names for Web applications, such as their WordPress installation, figuring out the directory path isn’t all that difficult.
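An added audit example for the directory-permission point (not from the article or from Kaspersky): it builds a constructed /home-style tree in a temporary directory, reports user directories whose “other” permission bits grant read, write or search access, and clears those bits. Search (execute) permission on a directory matters here because it is what lets any local user reach a file by guessing its path even when listing is denied.

```python
import os
import stat
import tempfile

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH

def world_accessible_homes(home_root):
    """Return (name, octal_mode) for each direct subdirectory of `home_root`
    that grants read, write or search permission to 'other'."""
    findings = []
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if os.path.islink(path) or not os.path.isdir(path):
            continue
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & OTHER_BITS:
            findings.append((name, oct(mode)))
    return findings

def restrict_homes(home_root, findings):
    """Clear the 'other' bits on the flagged directories; owner and group bits
    are left as they were."""
    for name, _ in findings:
        path = os.path.join(home_root, name)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~OTHER_BITS)

def build_demo_home():
    """Constructed tree standing in for /home: one directory per common
    default mode (0755 world-readable, 0711 searchable only, 0700 private)."""
    root = tempfile.mkdtemp(prefix="homeaudit-")
    for name, mode in (("alice", 0o755), ("bob", 0o711), ("carol", 0o700)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)   # explicit chmod so the umask does not interfere
    return root

if __name__ == "__main__":
    root = build_demo_home()
    found = world_accessible_homes(root)
    for name, mode in found:
        print(f"{name}: mode {mode} is reachable by other users")
    restrict_homes(root, found)
    print("after fix:", world_accessible_homes(root))
```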

Many administrators claim their servers are secure because they installed SELinux, but they forget that SELinux is just a set of policies that needs to be tuned, Jacoby warned. For example, SELinux by default restricts SQL client connections from the shell, but does not stop attempts from a PHP script, he said.

Instead of just saying the systems are secure because they are running Linux, it’s time for administrators to actually make them secure. “Linux by default is not secure, but if administrators take extra steps, it can be secure,” Jacoby said. 
