Linux Security Myth

[02:01] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/01/30/%23ubuntu-classroom.html following the conclusion of the session.
[02:06] <nigelb> Folks, maco will be here in a few minutes :)
[02:09] <maco> Hi!
[02:09] <maco> Sorry, I'm at a LinuxChix meetup at a teahouse and lost track of time, but now I'm online, yay
[02:10] <maco> Anyway, I'm Mackenzie, and I did a thing earlier on GNOME & KDE with pleia2 doing the Xfce side of things. I'm a MOTU and work for a security company now
[02:10] <maco> So catching up.... I have slides from when I gave this presentation at Southeast LinuxFest and Ohio LinuxFest which you can follow along with here http://bazaar.launchpad.net/~maco.m/presentations/security/view/head:/OLF2010_security_myth.pdf
[02:11] <maco> So, the idea for this presentation happened after one of those conversations with my brother where I realise he thinks all bad things on the internet are covered by "virus" and with a friend who didn't know how to tell phishing by looking at a URL
[02:13] <maco> Some folks hear that "there are no viruses for Linux" and assume it's a magic bullet and nothing bad can ever happen. The first chunk of slides dispels that. There are lots of bad things that can happen!
[02:14] <maco> So, the actual word for all the bad software that hurts you is malware.
[02:15] <maco> You can flip through the vocab at your leisure. I'm going to get into the explaining
[02:15] <maco> So, first off: there have been viruses for Linux. Wikipedia has a list of about thirty
[02:16] <maco> These were the ones that made it into the wild that are known. They won't hurt you if you are using a current system.
[02:17] <maco> Several hundred more have existed as proof of concept (i.e., "we need to patch this, and here's why") but those were not in the wild.
[02:17] <maco> However, the existence of past ones should be taken as a hint that more could happen in the future.
[02:18] <maco> The most recent virus I remember that affected Linux systems was a macro virus for OpenOffice.org and worked cross-platform. That was maybe 3 years ago
[02:18] <maco> So, other than viruses, there are trojans. I think these are what affect people in general more often and what have the best chance of getting you as a Linux user
[02:19] <maco> The name trojan comes from Trojan horse. "Hi! I'm an awesome game and you should install me!"
[02:19] <maco> ...and then you're pwned
[02:20] <maco> A little while back someone posted a "screensaver" in deb form on gnome-look.org
[02:20] <maco> Some folks installed it. One got suspicious when no new screensavers were listed in the configuration tool.
[02:21] <maco> Turns out, it started a script which checked for a script online, downloaded it, and ran it. The person running the webserver could change that script to do whatever they want whenever they want.
[02:21] <maco> When someone controls a bunch of computers and uses them to do their bidding, that's a botnet. This deb made a botnet.
[02:21] <maco> Thankfully it was found quickly and removed from gnome-look.org
[02:22] <maco> Now, this isn't an "omg gnome-look is evil" -- it's full of user-uploaded stuff. The important thing to take from this is: do not use what you do not have reason to trust
[02:22] <ClassBot> taves asked: what's linuxchix?
[02:23] <maco> This is off-topic but just in case someone sees the logs and wants to join in: see http://linuxchix.org
[02:23] <ClassBot> sebsebseb asked: Many people think that Linux distros won't get targeted by a lot of malware unless they gain the kind of market share Mac OS X or Windows have. What do you think about that?
[02:23] <maco> I'm sure that as it becomes a more lucrative target attempts will increase. And I also suspect that as we get complacent and gain a false sense of security, our hubris will bite us in the rear
[02:24] <maco> So, how do you know who to trust?
[02:25] <maco> (I know this is out of order of slides, oh well. This bit would be around slide 27)
[02:27] <maco> Packages uploaded to the Ubuntu archives are made by Ubuntu or Debian developers. They sign them cryptographically to prove it's coming from them. Before getting permission to upload packages, trust is established by a long while of sending patches to the other developers to demonstrate knowledge and lack of evil intent. Their application is voted on. So, there is a vetting process
[02:28] <maco> The packages you download are built on Ubuntu build servers which then sign them. Your package manager on your system checks the signature. If it doesn't match there are a couple of reasons
[02:28] <maco> 1. You need to run "sudo apt-get update" because a new version has been uploaded since you last checked for updates
[02:29] <maco> 2. The package has been altered or is being pulled from an alternative not-right server (man in the middle attack)
[02:29] <ClassBot> palhmbs asked: Can you secure your data any better other than using the encrypt personal folder option at install?
[02:29] <maco> That's fine protection if you just don't want anyone knowing what's there but are ok with them knowing that *something* is there
[02:30] <maco> There's a field related to encryption called steganography that's about making it so you can't tell something's there. TrueCrypt lets you have hidden *and* encrypted partitions
[02:30] <ClassBot> palhmbs asked: If known bugs in the kernel can be fixed then regressed / rolled back and allow exploits with root privileges - does the Ubuntu team track these bugs and patch the kernel to fix these for just us Ubuntu users?
[02:31] <maco> Yes, the Ubuntu Security Team keeps track of CVEs (I forget what it stands for. V = Vulnerability) and prepares fixes for such regressions. Which are fixed first depends on how bad they are. A local exploit isn't nearly as worrisome as a remote one, for example
[02:32] <maco> If you are aware of a security bug, you can report it in Launchpad and mark it as a security issue. This will make the bug private and viewable only by the security team so that not-nice people can't learn how to break things by poking around there
[02:32] <ClassBot> palhmbs asked: Is it much safer not to install devel PPAs?
[02:33] <maco> I'd say it depends on who is running the PPA. Is it upstream developers? Well, you trust the code anyway... Is it an Ubuntu developer? Well, you trust the rest of their packages anyway... Is it a random person on the internet? Uhhhh.....
[02:33] <maco> You can find this out by clicking on their name and looking at all the little icons listed on their page. If they're in ~ubuntu-dev, they're an Ubuntu developer. If the project is hosted on Launchpad, you can see from their Code page whether they're actually working directly on it
[02:34] <maco> <rww> CVE = Common Vulnerabilities and Exposures <--- thank you
[02:34] <ClassBot> sebsebseb asked: What would your description be of a secure password?
[02:35] <maco> Long and complicated! Personally, I take sentences, titles, lines of poetry or lyrics.... things with lots of words.. and either mash the words together (if it's like 3-4 words) or take the first letter of each and throw in some punctuation and ch4ng3 l3tt3r5 ... ok too hard to type that way... change letters to numbers
[02:35] <maco> It makes them easier to remember
[02:36] <maco> You can write them down if you want. I know, "but what if someone reads it?" Look, if someone has already broken into your house and so is able to snoop around post-its under your keyboard...you've got bigger problems
[02:36] <ClassBot> palhmbs asked: Is Tor the best method for securing network & your anonymity online?
[02:37] <maco> It was really interesting to learn that there are governments using Tor as their sole source of internet protection. That is, without encryption. I learned this from someone who ran a Tor node and snooped
[02:38] <maco> For anonymity, yes, go for it. But still use basic protections like https. SSL may be somewhat broken, but it's better than nothing and at least makes them have to put in effort
[02:38] <ClassBot> LeGambitteur asked: What about hacking passwords using the cloud?
[02:39] <maco> Spinning up many many cloud instances to crack passwords in parallel in a few hours makes things a lot cheaper than buying massive amounts of hardware. This does change the playing field a bit. IMO, it makes it more important that you don't use 123456 as your password
[02:41] <maco> Oh, so something new that happened in the DEs a little bit ago (a year or so) is that now you can't run .desktop launchers from inside /home unless they are marked as executable
[02:41] <maco> This is because it is conceivable that you get a "hot pix!!!!1!!" email with a .desktop file that runs "rm -rf *" (DO NOT RUN. YOU WILL LOSE ALL DATA) and that would be BAD
[02:42] <maco> So this way you have to take another step other than "click the thingy in my email that gives me hot pix"
[02:42] <maco> I really like that in KDE it shows you the command that will be run so you can make an informed decision
[02:42] <maco> (see slides 30-31)
[02:42] <ClassBot> sebsebseb asked: Maybe not so much on topic, but how do you think educational establishments can teach computer security better? Since most say about antivirus if anything and that's about it.
[02:43] <maco> Oh they could do a lot better. I was very disappointed to find that my computer security professor was learning things for the first time as he read the slides (which he got from the previous professor) to the class.
[02:43] <maco> Like this: *reading* "huh!"
[02:44] <ClassBot> palhmbs asked: Does Ubuntu have built in exploits for government dept use - NSA / CIA whatever?
[02:44] <maco> I work for neither of those agencies, and if I did, I wouldn't be allowed to answer that
[02:44] <ClassBot> palhmbs asked: Is security excellent on a distro that is only read-only live-cd / dvd based?
[02:45] <maco> While nothing can persist beyond reboot (unless you get a BIOS virus...), you could still end up with something affecting you just for that run. But if you intend to attend DEFCON or Black Hat, running from a live cd and not typing in your valuable passwords would be a good plan
[02:46] <maco> Oh here's something important since everything lives in the web browser now
[02:46] <maco> Browsers like Firefox are cross platform. They are a big target.
[02:46] <maco> Cross-site scripting tends to work regardless of the OS or browser. It's a matter of bad coding on the website. You are still vulnerable.
[02:47] <maco> If you want to be paranoid, install NoScript to at least limit what JavaScript can run. I don't expect you to know what domains to trust. The important thing is that it alerts on cross-site scripting attacks
[02:47] <maco> Cross-site scripting is when one site steals data from another, basically
[02:47] <maco> The other valuable thing NoScript does is alert on clickjacking
[02:47] <maco> That's when there's an invisible button covering a chunk of the page so when you go to click on something good, you click on something bad
[02:48] <ClassBot> txomon asked: what about firesheep and those?
[02:48] <maco> Oh good, a segue for HTTPS/SSL!
[02:48] <maco> You've probably heard to look for the lock and everything is good
[02:49] <maco> The lock means your connection to the site is encrypted. Firesheep lets anyone on the network manipulate the sites you are on and eavesdrop if you do not use SSL
[02:49] <maco> Please set your GMail to force SSL in the settings
[02:49] <maco> Please pester websites which default to insecure. Facebook finally took the hint and is adding SSL
[02:49] <maco> (Note to self: pester dreamwidth)
[02:50] <maco> The lock is NOT a magic bullet either though!
[02:50] <maco> You can have an SSL connection to the wrong site
[02:50] <maco> If you see http://mybank.com.iamnotevil.hax.info
[02:50] <maco> You should read all the way to the end
[02:50] <maco> Maybe that's http://mybank.com.iamnotevil.hax.info/blahblah.asp
[02:50] <maco> You should read to the slash before blahblah
[02:51] <maco> These are not the same as mybank.com. I was surprised to learn a friend did not know this
[02:51] <ClassBot> There are 10 minutes remaining in the current session.
[02:51] <maco> If you are at such a site, you could become a phishing victim
[02:51] <maco> Banks in the US at least now use Extended Validation certificates (EV)
[02:52] <maco> These validate not just that the domain name & its encryption key go together, but that the domain name and who you think it is go together
[02:52] <maco> Take a look at http://paypal.com in Firefox
[02:52] <maco> There's a green bar. You click, and it tells you what the legal entity is that owns this website and who verified it. Financial institutions should tend to have these.
[02:53] <ClassBot> palhmbs asked: In your opinion / experience, which browser do you feel is safest / the most secure?
[02:53] <maco> One with JavaScript turned off? lynx? I don't know. On the one hand, Firefox has lots of eyeballs looking at it. On the other, it's a huge target.
[02:53] <ClassBot> sebsebseb asked: When do you think security updates should be installed into Ubuntu or other distros? I mean a few weeks not up to date at the moment, and probably still going to be ok, right?
[02:54] <maco> I'd at least check in update manager to see what it says the thing is fixing
[02:54] <maco> And check Ubuntu's security page
[02:54] <maco> http://security.ubuntu.com I think
[02:54] <maco> If it's a remote exploit, I'd install pretty quickly. If not, then a few weeks...if you're not in a financial or governmental institution...meh sure
[02:54] <ClassBot> taves asked: I have a router, do I need a firewall?
[02:55] <maco> Most consumer routers have firewalls built in. In the enterprise these are normally separate pieces of hardware.
[02:55] <maco> Keep in mind you don't really need to configure your firewall (using iptables or ufw) unless you have services running
[02:55] <maco> Ubuntu has none by default
[02:55] <maco> <rww> There's also a mailing list for security update announcements: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
[02:56] <ClassBot> palhmbs asked: What things can we learn from Sourceforge getting hit and are we likely to see a huge increase in cyber-warfare attacks in the future?
[02:56] <ClassBot> There are 5 minutes remaining in the current session.
[02:56] <maco> That you shouldn't use the same password everywhere. Same lesson we learned from Gawker.
[02:56] <maco> Password managers are your friend
[02:57] <ClassBot> txomon asked: about linux password security... is the password just generated from the passphrase or is it a combination of passphrase and system variables? and how can we protect a system from physical access?
[02:57] <maco> Your password is your password, period.
[02:57] <maco> Or do you mean your home dir encryption from ecryptfs? If that, then it's that the key is encrypted using your password
[02:57] <maco> (Also the case with your ssh & encryption keys)
[02:57] <ClassBot> taves asked: what is this keyring popping up in ubuntu?
[02:58] <maco> Keyring stores passwords for you. It is encrypted with a password. By default this is the same as your login password so it is automatically unlocked by you logging in
[02:58] <maco> If you use autologin, it can't unlock automatically and you have to type it in
[02:58] <maco> You could change it to an empty password and it would not ask, but the passwords would be stored on disk in the clear
[02:59] <maco> Ok, time's up I think
[02:59] <jcastro> \o/
[02:59] <jcastro> Nice job maco!
[03:00] <maco> Thanks jcastro. Good luck with yours :)

UserDays/01302011/Linux Security Myth (last edited 2011-01-30 03:48:05 by ptr)