Don’t Assume Systems Are Secure Because They Are Running Linux – Administrators Must Make Them Secure
PUNTA CANA – Several presentations at the Kaspersky Lab Security Analyst Summit focused on vulnerabilities in industrial control systems, point-of-sale systems, and airport security scanners. Considering many of these targeted systems invariably run some form of Windows or Android, it is quite easy for a Linux administrator to feel complacent.
Security isn’t something only Windows users need to worry about. The past few years have clearly proven that the old assumption about Macs not getting malware was false. Linux users smirking, “Just switch to Linux,” and claiming the operating system is somehow “better” than others have to realize they are just as vulnerable to cyber-attacks as anyone else.
“There is a perception out there that Linux systems don’t need additional security,” said David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab. This is a problem since Linux servers are increasingly coming under attack, he said.
The primary dangers facing Linux systems aren’t zero-day vulnerabilities or malware, but things like Trojanized applications, PHP backdoors, and malicious login attempts over SSH. If the computer has a weak password, or if one of the components, such as the SSH daemon or SSL server, is configured incorrectly, then attackers will figure out a way to break in. Administrators can’t rely on network defenses such as intrusion detection systems or Web application firewalls to detect when someone uploads an exploit kit or overwrites a file with a backdoored version.
Lest anyone feel inclined to dismiss the threats against Linux machines, especially servers, it’s important to realize that attacks have already happened. Just last year, attackers breached several Web servers and installed a version of the “itsoknoproblembro” toolkit in order to launch a series of powerful distributed denial-of-service attacks against banks and other financial institutions in the United States. The toolkit runs on both Linux and Windows, and considering how Linux and Apache dominate the Web server market, it takes simple mathematics to conclude that Linux servers were among the victims.
In November 2013, Symantec discovered that a group of sophisticated attackers developed a way to evade detection by using a Linux backdoor designed to hide communications.
A significant portion of the world’s data centers run Linux, and many organizations have some of their most critical applications running on these systems. Yet many of these systems are likely running outdated software. Because most Linux distributions don’t have a scheduled Patch Tuesday release as Windows systems do, updates are frequently applied on an ad hoc schedule. Many patch management systems in the enterprise don’t include Linux systems, which means administrators don’t have an easy way of knowing what versions are running or which ones need to be updated.
When it comes to securing a Linux machine, the answer is not installing an antivirus or some other security software. The key lies in hardening the operating system. The Linux operating system can be very secure, but what people don’t realize is that the default configuration is not secure at all, Jacoby said. For administrators to really benefit, they need to take the extra steps to turn on those security features, he said.
“The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” Jacoby said.
For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.
Another example was the fact that one user could, by default, see the contents of another user’s directory, provided they know the directory name. Users shouldn’t be able to see the files that belong to other users, but more importantly, they shouldn’t be allowed to execute those files either, Jacoby said. An attacker can just run through a list of common directory names, such as scripts, backup, shared, common, and main, and see which ones succeed. Considering that so many people don’t change the directory names for Web applications, such as their WordPress installation, figuring out the directory path isn’t all that difficult.
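An added audit sketch for this point (not from the article): it reports which directories under a base path other users can list, traverse or write, and which files inside a home any user may execute. A directory with only the execute bit set for others cannot be listed, but known or guessed names inside it are still reachable. The `/home` base path and the function names are assumptions.

```python
import os
import stat

def audit_home_dirs(base="/home"):
    """Map each directory under base to (octal mode, what other users can do)."""
    findings = {}
    with os.scandir(base) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            issues = []
            if mode & stat.S_IROTH:
                issues.append("list")       # names inside are visible
            if mode & stat.S_IXOTH:
                issues.append("traverse")   # known or guessed names are reachable
            if mode & stat.S_IWOTH:
                issues.append("write")
            if issues:
                findings[entry.name] = (format(mode, "o"), issues)
    return findings

def world_executable_files(home):
    """Return sorted relative paths of regular files under home that any user may execute."""
    hits = []
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the home
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXOTH:
                hits.append(os.path.relpath(path, home))
    return sorted(hits)

if __name__ == "__main__":
    base = "/home"  # assumption: user home directories live here
    if os.path.isdir(base):
        for name, (mode, issues) in sorted(audit_home_dirs(base).items()):
            print(f"{base}/{name} mode {mode}: others can {', '.join(issues)}")
            for rel in world_executable_files(os.path.join(base, name)):
                print(f"  world-executable: {rel}")
```

Directories that show up here can be tightened with `chmod 700` (or `750` where a shared group is intended).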
Many administrators claim their servers are secure because they installed SELinux, but they forget that SELinux is just a series of policies, which needs to be tweaked, Jacoby warned. For example, SELinux by default restricts SQL client connections from shell, but does not stop attempts from a PHP script, he said.
Instead of just saying the systems are secure because they are running Linux, it’s time for administrators to actually make them secure. “Linux by default is not secure, but if administrators take extra steps, it can be secure,” Jacoby said.