Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am sure you guys heard the news about that huge hacker attack that locks people's personal files and demands ransom. Is Linux secure enough to protect against such attacks? I thought I was safe on Windows in Lithuania where such attacks are very rare but saw this hack also hit Lithuania pretty hard too, so it makes me contemplate Linux again.
Last edited by williambhopal; 11-12-2018 at 12:40 PM.
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Quote:
Originally Posted by williambhopal
I am sure you guys heard the news about that huge hacker attack that locks people's personal files and demands ransom. Is Linux secure enough to protect against such attacks? I thought I was safe on Windows in Lithuania where such attacks are very rare but saw this hack also hit Lithuania pretty hard too, so it makes me contemplate Linux again
I think you are thinking about the question with the Windows mentality.
There's at least a couple of points to make here:
* There's no system in the world that is 100% secure - if it's made by us humans, it's probably never going to be perfect.
* Malware exists for all major systems, including Linux distributions. In fact the first virus that was written was a Unix virus.
* The same precautions apply to Linux as much as Windows (or any other system); turn off whatever services you don't need, use strong passwords and this is the important bit: don't go to dodgy websites or download stuff you don't know anything about in terms of its author.
But once again, there's never a 100% guarantee with ANY system, unless you unplug from any and all networks - particularly the Internet.
I am sure you guys heard the news about that huge hacker attack that locks people's personal files and demands ransom. Is Linux secure enough to protect against such attacks? I thought I was safe on Windows in Lithuania where such attacks are very rare but saw this hack also hit Lithuania pretty hard too, so it makes me contemplate Linux again
I'm pretty sure the correct answer is: it can be, but so can Windows.
To pull off these hacks requires someone to actually execute code on the victim's computer. The step to execute it might just be visiting a hacked website and loading an infected ad, but the point is the same. The only files that the malware could do anything to are the files that that user account has write access to.
If you set up your OS so that each user account's write access permissions are appropriately locked down (say, by not giving a user account write access to anyone else's files, and by using the root account only when you need to), then you've greatly mitigated your risk from this type of attack.
This is the security model that the designers of *nix had in mind.
Just one more thing, you should remember that a "virus" is still a computer program. Short of AI, the computer does what it's told, it can't think for itself and make its own decisions. In any Linux distribution I've ever used, files outside of your "home" folder are normally protected with permissions - that you will not have "write" permissions to. You would have to be the "root user" or use "sudo" to get the necessary permissions - so whatever you do, don't run things as root unless it absolutely has to be run under that account.
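The two posts above make the same point: malware runs with the permissions of the account that executed it, so what it can damage is bounded by what that account can write. The following script is an added illustration of that model, not code from this thread or from any of its posters. It walks a directory tree and counts the regular files an unprivileged process running as a given user could modify, judged purely from Unix mode bits and ownership; it deliberately ignores group permissions, POSIX ACLs, capabilities and root's DAC bypass (assumptions noted in the comments), and it relies on the GNU/busybox `stat -c` syntax. The sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the LinuxQuestions thread: estimate the
# "blast radius" of malware running under one unprivileged account, i.e.
# how many regular files under a tree that account could overwrite or
# encrypt, judged purely from the DAC mode bits the posts above describe.
#
# Assumptions (simplifications of the real access check): group bits,
# POSIX ACLs, capabilities and root's DAC bypass are ignored. Owner bits
# count if the file is owned by USER, otherwise only the "other" bits count.
# `stat -c` is the GNU coreutils / busybox syntax.

# writable_by USER FILE -> prints "yes" if an unprivileged process running
# as USER could open FILE for writing under the simplified model, else "no".
writable_by() {
    user=$1
    f=$2
    owner=$(stat -c '%U' "$f") || return 1
    # normalise to four octal digits (e.g. "644" -> "0644", "0" -> "0000")
    mode=$(printf '%04o' "0$(stat -c '%a' "$f")")
    mode=${mode#"${mode%???}"}          # keep only the last three digits
    if [ "$owner" = "$user" ]; then
        digit=${mode%??}                # owner permission digit
    else
        digit=${mode#??}                # "other" permission digit
    fi
    if [ $((digit & 2)) -ne 0 ]; then   # 2 is the write bit
        echo yes
    else
        echo no
    fi
}

# exposure USER DIR -> one line per regular file under DIR that USER could modify
exposure() {
    find "$2" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(writable_by "$1" "$f")" = yes ]; then
            printf '%s\n' "$f"
        fi
    done
}

# exposure_count USER DIR -> number of such files
exposure_count() {
    exposure "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree -> prints the path of a freshly created, constructed
# test tree (owned by the caller) with a mix of permission modes.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    : > "$d/notes.txt";    chmod 644 "$d/notes.txt"     # owner may write
    : > "$d/readonly.txt"; chmod 444 "$d/readonly.txt"  # no unprivileged writer
    : > "$d/shared.txt";   chmod 666 "$d/shared.txt"    # world-writable
    : > "$d/sub/key.pem";  chmod 600 "$d/sub/key.pem"   # owner only
    printf '%s\n' "$d"
}

demo() {
    t=$(make_sample_tree)
    me=$(id -un)
    echo "Files under $t that a process running as $me could modify:"
    exposure "$me" "$t"
    echo "Count as $me: $(exposure_count "$me" "$t")"
    echo "Count as a different unprivileged account: $(exposure_count other_user "$t")"
    rm -rf "$t"
}

demo
```

Pointing it at a real home directory, `exposure_count "$(id -un)" "$HOME"`, gives the number of files ransomware started from your account could touch; running the same payload as root would remove that bound entirely, which is the practical reason behind the advice not to run things as root.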
a ransomware virus wants to reach as many people as possible.
preferably those that are used to paying for software.
it's essentially still a windows program in most cases, and thus cannot run on linux.
linux is definitely safer. maybe not absolutely safe, but much safer than windows.
Quote:
Originally Posted by williambhopal
I thought I was safe on Windows in Lithuania where such attacks are very rare but saw this hack also hit Lithuania pretty hard too, so it makes me contemplate Linux again
since the internet is global, just like these attacks, i don't really think it matters where you are.
When we think about security, we often speak about technology/technicalities and so on... but one must not forget that an attacker always strikes the *weakest link* and it's very often the human being behind his keyboard. That's called social engineering.
So a very good start in security begins with good IT hygiene.
Windows 10's kernel is more secure than Linux, at least by default (without additional patches like grsecurity). It has almost as many exploit mitigations built-in and enabled by default as OpenBSD has.
That said, malware won't just magically appear on your computer. The most common backdoor for malware is dumb users clicking on stuff.
* Malware exists for all major systems, including Linux distributions. In fact the first virus that was written was a Unix virus.
* The same precautions apply to Linux as much as Windows (or any other system); turn off whatever services you don't need, use strong passwords and this is the important bit: don't go to dodgy websites or download stuff you don't know anything about in terms of its author.
There were various examples of malware, trojans specifically, earlier on but the first actual virus appears to have been made in 1986 and that was Brain. It was for -- wait for it -- MS-DOS, an M$ product. So trojans may be older but viruses proper appeared first on M$ products.
As for avoiding "dodgy" sites, that would then include a lot of mainstream sites because they are sometimes spreading malware. It's darn hard to find old articles in the search engines but if you try enough you can go back 10 to 15 years and find it to be the case that major sites have been responsible for spreading malware surprisingly often. Many of the more famous cases of non-M$ malware spread via unchanged (or unchangeable) default login credentials.
As for the original question, I'd sum up the answer as "yes", GNU/Linux is much better. Much of the advantage is the layers. However, there is a lot of work needed to be done with X and with sandboxing other applications. The biggest weak point of all is the crappy software we have for browsers. I suppose the strongest option would be to use Brave which is sandboxed already and then make an AppArmor profile for it to confine it to just its own directory and ~/Downloads/ and /tmp/ because just trying to avoid "dodgy" sites won't help much.
Quote:
Originally Posted by Turbocapitalist
There were various examples of malware, trojans specifically, earlier on but the first actual virus appears to have been made in 1986 and that was Brain. It was for -- wait for it -- MS-DOS, an M$ product. So trojans may be older but viruses proper appeared first on M$ products.
Just because a virus may not actually do damage to the system per se, it doesn't mean it's not malware/a virus. There were "proof-of-concept" viruses well before the more "traditional" virus that wipes the system, etc. The Brain virus appears to be the first one written for MS-DOS, but not the first virus written in general. But yes, it's a bit of a grey area and different "types" of malware too.
As for avoiding "dodgy" sites, that would then include a lot of mainstream sites because they are sometimes spreading malware. It's darn hard to find old articles in the search engines but if you try enough you can go back 10 to 15 years and find it to be the case that major sites have been responsible for spreading malware surprisingly often. Many of the more famous cases of non-M$ malware spread via unchanged (or unchangeable) default login credentials.
...
While as I said before, there's no 100% guarantee that nothing (bad) will happen; I've only ever had one problem with a reputable site and it wasn't even my system, and yes, it was running Windows too. I've never had a problem with any other reputable site before, but that doesn't mean that they don't have any links on them that could take you to a dodgy site, and that's a good point to make.
I've never had a problem with any other reputable site before, but that doesn't mean that they don't have any links on them that could take you to a dodgy site, and that's a good point to make.
It is not the sites' links that take you from the "reputable" site to the "dodgy" site. The "reputable" sites themselves can host malware. This happens from time to time even to Fortune 500 companies' sites. Just because a site has a fancy name or respected company behind it does not mean it is clean. Too bad. Again, layered security, also called defense in depth, helps a bit. There GNU/Linux wins hands down over Windows. However, again, the browsers are not properly isolated and X11 itself needs replacement. Recent developments in OpenBSD are pretty good at isolating the browser but even they still run X11 ...
But on the topic of third-party problems, one fairly common threat would be the advertising. The word to search for on that topic is malvertising, especially if javascript has been enabled. Malware via advertisements happens so frequently it has its own name, "malvertising".
This comes back to the difference (thin line) between local and remote holes.
When you have a massive piece of code, such as a web browser executing javascript on the fly, local holes become important and should not be played down (as they often are).
Quote:
Originally Posted by Turbocapitalist
Good articles. Thanks.
You're welcome.
Quote:
It is not the sites' links that take you from the "reputable" site to the "dodgy" site. The "reputable" sites themselves can host malware. This happens from time to time even to Fortune 500 companies' sites. Just because a site has a fancy name or respected company behind it does not mean it is clean. Too bad. Again, layered security, also called defense in depth, helps a bit. There GNU/Linux wins hands down over Windows. However, again, the browsers are not properly isolated and X11 itself needs replacement. Recent developments in OpenBSD are pretty good at isolating the browser but even they still run X11 ...
I can see what you're saying. I probably could have been more clear in my last post, sorry about that. I do agree with your points.
Quote:
But on the topic of third-party problems, one fairly common threat would be the advertising. The word to search for on that topic is malvertising, especially if javascript has been enabled. Malware via advertisements happens so frequently it has its own name, "malvertising".
Once again, I do agree with you.
I think depending on your definition of "malware" and/or "ransomware", you might be able to almost call some of that advertising itself "malware" or "ransomware". An example would be YouTube, in that: you have to watch/let the ad play before you can actually watch the video you actually wanted to watch in the first place (without having any addons to get around it). Other than it doesn't ask for money in return for playing the video, it still fits the "ransomware" definition. So like with what cynwulf was talking about, there seems to be a very thin line there too.
Perhaps a better example is the Sony BMG copy protection rootkit scandal, there you had a well known company (as you were saying before) that deliberately put a rootkit onto their media sold to customers.
I think depending on your definition of "malware" and/or "ransomware", you might be able to almost call some of that advertising itself "malware" or "ransomware".
Using another Wired article, malvertising is third party. As long as the ads are allowed to ship with javascript, that kind of attack is going to be too easy for some to avoid the temptation.
I was thinking, rather, more of stuff spread directly by the web sites. The Sony rootkit was a relevant example of a shipped product and there have been a lot of other cases of products shipping pre-infected. However, I recall malware (virus, trojans, worms) spread directly via the "clean" sites. I'm not sure I can dig up some good examples, both my memory and the search engines seem to have gone downhill.
What I do see daily with browsers is many apparent attempts at XSS, coming from sites high and low. I expect that a few are false positives, but not all.
Windows 10's kernel is more secure than Linux, at least by default (without additional patches like grsecurity). It has almost as many exploit mitigations built-in and enabled by default as OpenBSD has.
That said, malware won't just magically appear on your computer. The most common backdoor for malware is dumb users clicking on stuff.
Well, most people don't simply use a Kernel. Your claim however is questionable. Just like my claim to say GNU userland is more secure than Windows userland.