Bridging the Linux security perception gap
Shellshock vulnerabilities exploited in the wild
With the discovery of a zero-day vulnerability in the Linux operating system kernel that could impact all devices including two-thirds of all Android phones, and yet more trouble in the form of Linux.Ekoms.1 malware that captures screenshots every 30 seconds, maybe it's time to ask just how secure is Linux?
The zero-day CVE-2016-0728 was particularly nasty, involving as it does the keyring facility which Linux uses to retain encryption information in the kernel. Discovered by researchers at Israeli security outfit Perception Point this could enable an attacker to gain root and execute arbitrary code on most any impacted device.
And there are plenty that could be impacted when you consider that Linux kernel is the power behind millions of servers and millions of Android smartphones. Worse yet, it has been around since 2012 when it appeared in version 3.8 of the Linux kernel.
No attacks have been seen in the wild, and the flaw has been patched – although that may be of little help to the millions of users of older Android devices with precious little chance of any updates ever hitting their devices.
Throw in the discovery of that screenshot-capturing malware – hardly a new technique but the fact is that it's out there grabbing pictures of login data – and you have a timely reminder that Linux users are not immune to attack.
Indeed, it would be apposite at this point to ask why the myth of Linux being somehow untouched by insecurity issues has managed to survive for so long in the minds of so many?
Josh Bressers, a security strategist at Linux vendor Red Hat, isn't so sure that this was ever actually a myth so much as a gap between the perception and reality of security. "The people who have been involved with security have always known and treated Linux with an appropriate level of security," Bressers told SCMagazineUK.com, insisting that "the key to dealing with security flaws is to have the ability to move quickly, not to make claims about a mythical level of security".
From the end user perspective, however, things have historically been rather different, according to Chris Boyd, a malware intelligence analyst at Malwarebytes. "For many people, finding their feet with Linux is an uphill struggle," he told us. "Feeding the myth that anything is bulletproof tends to result in a lack of care on the part of the device owner, and often leaves them more susceptible to other scams such as social engineering, if not malware itself."
Of course, insecurity is relative and when compared to closed source software there are those who would argue that Linux is inherently more secure courtesy of more eyes on the code base. Michael Kemp, co-founder of Xiphos Research, is one of them. "This can also be a bad thing," Kemp admits, "as maliciously motivated attackers can analyse source code for vulnerabilities, and in doing so create attack vectors that are then targeted."
Kemp continues: "The common misconception is that because Linux has got less market penetration than MS on the desktop front then all is well. The other troubling misconception is that installation of software packages happens via trusted repositories when in many cases this may not be the case."
That said, Kemp is insistent that, by design, Linux is far more granular and open than closed OSs which means that users can review code before installation and can also establish what that code is doing without necessitating reversing. "Given the percentile rates of infection in relation to Linux," Kemp concludes, "the misconception of security still presently stands, and isolated incidences do not indicate a major trend pattern."
However, Chris Boyd reminds us, "Linux malware may not be as common as it is on the Windows platform, but it only takes one successful attack or lapse in judgement to compromise a PC." One wonders if a fresh Linux user assumes everything is secure now and doesn't bother to keep up with security basics such as patching, removing unwanted programs, and even good password management.