Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Exploring the Misconceptions of Linux Security: Focus

Don’t Assume Systems Are Secure Because They are Running Linux – Administrators Must Make Them Secure.

Don’t Assume Systems Are Secure Because They are Running Linux – Administrators Must Make Them Secure.

PUNTA CANA – Several presentations at the Kaspersky Lab Security Analyst Summit focused on vulnerabilities in industrial control systems, point-of-sale systems, and airport security scanners. Considering many of these targeted systems invariably run some form of Windows or Android, it is quite easy for a Linux administrator to feel complacent.

Security isn’t just something only Windows users need to worry about. The past few years have clearly proven that the old assumption about Macs not getting malware was false. Linux users smirking, “Just switch to Linux,” and claiming the operating system is somehow “better” than others have to realize they are just as vulnerable to cyber-attacks as anyone else.

Linux Penguin Security“There is a perception out there that Linux systems don’t need additional security,” said David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab. This is a problem since Linux servers are increasingly coming under attack, he said.

The primary dangers facing Linux systems aren’t zero-day vulnerabilities or malware, but things like Trojanized applications, PHP backdoors, and malicious login attempts over SSH. If the computer has a weak password, or if one of the components, such as the SSH daemon or SSL server is configured incorrectly, then attackers will figure out a way to break in. Administrators can’t rely on network defenses such as intrusion detection systems of Web application firewall to detect when someone uploads an exploit kit or overwrites a file with a backdoored version.

Lest anyone feel inclined to dismiss the threats against Linux machines, especially servers, it’s important to realize that attacks have already happened. Just last year, attackers breached several Web servers and installed a version of the “itsoknoproblembro” toolkit in order to launch a series of powerful distributed denial-of-service attacks against banks and other financial institutions in the United States. The toolkit runs on both Linux and Windows, and considering how Linux and Apache dominate the Web server market, it takes simple mathematics to conclude that Linux servers were among the victims.

In November 2013, Symantec discovered that a group of sophisticated attackers developed a way to evade detection by using a Linux backdoor designed to hide communications.

A significant portion of the world’s data centers run Linux, and many organizations have some of their most critical applications running on these systems. Yet many of these systems are likely running outdated software. Because most Linux distributions don’t have a scheduled Patch Tuesday release as Windows systems do, updates are frequently applied on an ad hoc schedule. Many patch management systems in the enterprise don’t include Linux systems, which means administrators don’t have an easy way of knowing what versions are running or which ones need to be updated.

When it comes to securing a Linux machine, the answer is not installing an antivirus or some other security software. The key lies in hardening the operating system. The Linux operating system can be very secure, but what people don’t realize is that the default configuration is not secure at all, Jacoby said. For administrators to really benefit, they need to take the extra steps to turn on those security features, he said.

Advertisement. Scroll to continue reading.

“The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” Jacoby said.

For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.

Another example was the fact that one user could, by default, see the contents of another’s users directory, provided they know the directory name.  Users shouldn’t be able to see the files that belong to other users, but more importantly, they shouldn’t be allowed to execute those files either, Jacoby said. An attacker can just run through a list of common directory names, such as scripts, backup, shared, common, and main, and see which ones succeed. Considering that so many people don’t change the directory names for Web applications, such as their WordPress installation, figuring out the directory path isn’t all that difficult.

Many administrators claim their servers are secure because they installed SELinux, but they forget that SELinux is just a series of policies, which needs to be tweaked, Jacoby warned. For example, SELinux by default restricts SQL client connections from shell, but does not stop attempts from a PHP script, he said.

Instead of just saying the systems are secure because they are running Linux, it’s time for administrators to actually make them secure. “Linux by default is not secure, but if administrators take extra steps, it can be secure,” Jacoby said. 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.