Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk
You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."
Today's Topics:
1. Re: Linux Malware / Repository keys (Christopher Horler)
2. Re: 3rd attempt at replying to Chris on the mailing list
(Christopher Horler)
3. Re: Linux distributions and Windows security, etc (Sebastian)
----------------------------------------------------------------------
Message: 1
Date: Wed, 21 Aug 2013 19:30:19 +0100
From: Christopher Horler <cshorler@googlemail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Linux Malware / Repository keys
Message-ID:
<CAAeT8m_-Q3Nc1xpiZdpGJA3QhsNWuXe4XCemN6+GNdYYYhKb3Q@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
On 20 August 2013 18:30, Chris Simmons <cityofbristol@gmail.com> wrote:
> You've probably seen this already, but...
>
> http://www.techrepublic.com/blog/linux-and-open-source/hand-of-thief-malware-could-be-dangerous-if-you-install-it/?ftag=TRE475558a&s_cid=e011&tag=nl.e011&ttag=e011
>
No actually!
One thing that occurs to me is that what we're perhaps not doing so
much as a community is sharing keys we trust. Myself, I only have my
own to share - but it would be interesting generally to know how we
can best independently establish the authenticity of repository keys
not included in distribution images (or if you want to take it to the
nth degree those in the installation images as well).
Might be worth pointing out that you're duplicating the article text
below... although perhaps it's obvious.
Chris H
> This past week marked one of the first times I've seen the media actually
> present a real "warning" to Linux users. That warning was about the new
> "Hand of Thief" trojan that targets Linux desktop systems to steal bank
> account information. What this trojan does is use a form grabber to
> steal login credentials of those using Internet banking. The trojan captures
> the URL, username, password, and timestamp of when you logged in. Once
> the information is captured, it's sent to a control server and then sold.
>
> The Hand of Thief trojan is rumored to work on 15 different Linux distributions
> (including Ubuntu, Fedora, and Debian) and attacks all common web browsers.
> The stolen information is currently being sold in closed cybercrime
> communities for $2,000.00 (USD), and that price includes free updates.
>
> What does this mean? First and foremost, it means that Linux has grown
> enough to garner the attention of such malware/virus writers. That's a
> rather backhanded compliment, at best, but it does mean that Linux desktop
> growth cannot be denied. However, there's a far more serious issue here --
> one of application vetting. This applies to distributions that offer a single
> point of entry for application installation, such as Ubuntu Software Center,
> Synaptic, yum, apt-get... actually, just about any Linux distribution. The good news?
> Distributions like Ubuntu actually do review all packages that are submitted.
> So, if someone attempts to submit a package with the Hand of Thief trojan,
> ready to wreak havoc on unsuspecting users' machines, they'll catch it and
> the submitting user will be reported.
>
> But...
>
> There are plenty of instances out there (this is especially true of Ubuntu),
> where you can simply add a PPA to apt-get and install an application without
> benefiting from the vetting process. This means that anyone can roll up an
> appealing software application (complete with Hand of Thief), create a
> repository, and trick people into installing the trojan. The caveat is that
> most Linux users are far more savvy than to just install random packages.
>
> Or are they?
>
> The Linux community has finally reached a point where caution will have to
> be applied. Once upon a time, I would randomly add a repository, based
> on a need I had, and install it with little thought to the consequences of what
> could happen. That time has long since passed. Now, if a package isn't
> found in the official repositories (or a known, safe, repository), I will not
> install said package. There are exceptions, of course. If I need to install a
> package from source, and I know the source is safe, I'll install. Outside of
> that, no way.
>
> I've been using Linux for a long, long time. I never thought I'd see the day
> when I had to actually warn users of trojans such as Hand of Thief, but here
> we are. Of course, main distributions have the means to help protect you
> from such attacks (SELinux, repository/package signing, firewalls, etc),
> but that doesn't mean you can just blindly continue on as you always have.
> It's time to start being a bit more vigilant about how you use your Linux
> desktop. Here are some suggestions:
>
> Do not install unsigned packages
> Do not add unofficial repositories without investigating said repository
> Keep your system up to date at all times
> Keep all browser plugins up to date
> If your distribution has SELinux, use it
> Do not let others install software on your machines
> Use solid passwords
> If asked to enter root user (or sudo) password, always know why
>
> The good news is that Hand of Thief must have the root (or sudo) password in
> order to install. If you don't enter the password, it can't add itself
> to your machine.
> That's the plus side... for now. It's only a matter of time, however, before
> someone figures out a way to get something as sinister as HoT onto your
> machine without you knowing it. I've said this before, and I'll say it again,
> any machine that's plugged into a network connection is vulnerable --
> Windows, Mac, and even Linux.
>
> That doesn't mean you need to unplug your machine and give up. At the moment,
> the only way HoT can get on a machine is either through social engineering or
> "SUT" (Stupid User Tricks). If you stick with your distribution's
> official repositories
> and keep your machine up to date, you should be okay. There's no need to
> panic, just use a bit of common sense and care.
>
> As the Linux desktop continues to grow in popularity, so will the number of
> attempts to bring it down. Hand of Thief isn't the first trojan to attack Linux,
> and it won't be the last. But like all previous attempts at cracking through
> the Linux desktop security systems, unless the root/sudo password is
> given for installation, that trojan will have a tough time worming its way
> into your machine.
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
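An added example of the check Chris H is asking about, written for this page and not taken from the post, from apt or from GnuPG: take the key file a repository hands out, compute its full OpenPGP v4 fingerprint locally, and accept the key only if that fingerprint matches one obtained through a second, independent channel (the project's HTTPS page, a signed announcement, a keyring package from the distribution, or a person you trust). The fingerprint is SHA-1 over 0x99, the two-byte packet length and the public-key packet body (RFC 4880), so comparing it is comparing the key material itself. The key verified below is constructed inline with a made-up modulus purely so the example runs offline; it is not a real key and the pinned value in `main` is derived from it only to show the comparison, whereas in practice that string is pasted in from the other channel.

```python
# Added example: pin-and-verify for a repository signing key.  Not code from
# the list post, apt or GnuPG.  DEMO_KEY is a constructed, non-functional key.
import base64
import hashlib
import hmac
import re
import struct

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor; reject data whose CRC-24 trailer does not match."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    data, crc_line = [], None
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("-----END"):
            break
        if not line or ": " in line:        # blank separator or an armor header
            continue
        if line.startswith("="):            # "=XXXX" checksum trailer
            crc_line = line[1:]
        else:
            data.append(line)
    raw = base64.b64decode("".join(data), validate=True)
    if crc_line is None:
        raise ValueError("armor checksum missing")
    if crc24(raw) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor checksum mismatch: key file damaged or tampered")
    return raw


def first_packet(raw: bytes):
    """Return (tag, body) of the first OpenPGP packet, old- or new-format header."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("malformed packet header")
    if ctb & 0x40:                           # new-format header
        tag, first = ctb & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body length not valid for a key packet")
    else:                                    # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = raw[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", raw[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", raw[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not valid for a key packet")
    body = raw[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte length || packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def verify_repo_key(armored: str, pinned_fingerprint: str) -> bool:
    """True only if the key's full fingerprint equals the independently obtained one.

    Always compare the full 40 hex digits, never an 8- or 16-digit key ID:
    short IDs can be collided deliberately."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    pinned = re.sub(r"\s+", "", pinned_fingerprint).upper()
    if len(pinned) != 40:
        raise ValueError("pinned value must be a full 40-digit fingerprint")
    return hmac.compare_digest(v4_fingerprint(body), pinned)


def build_demo_key() -> str:
    """Construct an armored v4 RSA public-key packet for the demonstration only.

    The modulus is a made-up 512-bit number, not a product of two primes, so
    this key cannot sign anything; it just exercises the parsing path."""
    def mpi(x: int) -> bytes:                # RFC 4880 multiprecision integer
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    n = (1 << 511) | 0xC0FFEE_DEAD_BEEF_0123_4567_89AB_CDEF   # toy modulus
    e = 65537
    created = 1376956800                     # 2013-08-20T00:00:00Z, the thread's date
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "",
                      *(b64[i:i + 64] for i in range(0, len(b64), 64)),
                      "=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])


DEMO_KEY = build_demo_key()

if __name__ == "__main__":
    # In real use the pinned string comes from a second channel and is pasted
    # in by hand; deriving it from the same file proves nothing.  Done here
    # only so the stand-alone run has a value to compare against.
    pinned = v4_fingerprint(first_packet(dearmor(DEMO_KEY))[1])
    print("fingerprint:", " ".join(pinned[i:i + 4] for i in range(0, 40, 4)))
    print("matches pinned value:", verify_repo_key(DEMO_KEY, pinned))
    print("matches wrong value:", verify_repo_key(DEMO_KEY, "0" * 40))
```

With GnuPG installed, `gpg --show-keys --with-fingerprint repo-key.asc` prints the same fingerprint for a real key file, which is what you then compare by eye against the out-of-band value. Once a key is accepted, current apt lets you keep it in its own keyring and bind it to the one repository with the `signed-by=` option in that repository's sources entry, so a third-party key cannot vouch for packages from any other source; adding it to the global trusted keyring gives it exactly that power.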
------------------------------
Message: 2
Date: Wed, 21 Aug 2013 20:10:20 +0100
From: Christopher Horler <cshorler@googlemail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] 3rd attempt at replying to Chris on the mailing
list
Message-ID:
<CAAeT8m9Yz_+N=FDPny39z4F6LGddG9k=TmFwcf-p0Otgh5bxJQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Please see a few comments below...
On 21 August 2013 00:26, Sebastian <sebsebseb_mageia@gmx.com> wrote:
> Ok my test email went to the mailing list ok, and so below is my 3rd attempt
> at replying to Chris on the mailing list, with the messages of the two
> emails I sent that didn't seem to get through at all. Maybe the name of the
> subject was causing the problems? Re: [bristol] (no subject)
>
> On 21/08/13 00:13, Sebastian wrote:
>>
>> My reply to Chris did not get sent to the mailing list earlier for some
>> reason it seems. I remember in the past sometimes I got issues emailing the
>> mailing list as well, and I think it's annoying when stuff like that
>> happens. Hopefully this one gets sent there ok though :).
>>
>> On 20/08/13 19:52, Sebastian wrote:
>>>
>>> You scared me with all that! Also no I hadn't read that before. Ok you
>>> didn't really scare me with any of that :).
>>>
>>> Linux distributions aren't 100% immune from malware. However when
>>> compared to Windows a major difference is that generally they have been
>>> designed in a more secure way. Whereas with Windows security was just a
>>> bolt-on really. Also it wasn't really designed with networking/Internet in
>>> mind to begin with.
>>>
>>> In general it's easier to have Windows computers taken over, because of
>>> the OS not having that very good security, but also how most users provide
>>> poor security to it if any.
>>>
>>> Another thing is how most XP users for example will run it as admin which
>>> means full control to the user, but also the malware. Whereas most Linux
>>> distribution users don't run one as root for everything for example, and
>>> many users know that's not a very good idea in general, with the
>>> exception of security penetration distributions for example.
>>>
>>> Linux distributions are good at providing the user with root access for
>>> only the specific task they are doing as well in general, whereas XP for
>>> example isn't good at doing this, and so most users run it as admin.
>>>
I am aware of UAC improvements through Vista and 7 and quite a few
other improvements.
XP was also a concrete change in approach (kernel and driver model
changes and integrated / developed from the NT product line)
If you wikipedia Windows_NT I think you'll find it has long had
advanced network and security protocols/capabilities.
(disclaimer - I'm only a Windows user in a corporate environment, and
I'd like to see us using Enterprise Linux not Windows...)
>>> The idea that Linux distributions are so much more secure than Windows,
>>> to the extent that you don't need to worry about malware at all when running one
>>> online, is wrong though. Yes Windows malware won't work on a Linux
>>> distribution, with the exception of Wine possibly or inside a Windows
>>> virtual machine, but that doesn't mean there can't be malware made for Linux
>>> distributions specifically, or browser based attacks that are cross platform
>>> as well for example.
>>>
>>> Also, unlike with Windows, users of Linux distributions tend to get their
>>> software from the trusted repositories/repos of the distribution that they
>>> are using. Software isn't just put in there, in most distributions, instead
>>> it's put in by packagers, and tested by Quality Assurance people etc.
>>> Whereas with Windows most software for it comes from various different
>>> places on the web or otherwise, and so the chance of malware is much higher,
>>> but also since it's the biggest target as well, since the millions of people
>>> who don't know much about computers at all using it.
>>>
>>> In fact with Linux distributions there is like a special group of people
>>> who know about the zero day exploits from different distributions, and the
>>> fixes become public, and distributions pick up on them. Ideally a
>>> distribution would want their security people to be part of this group, but
>>> if not can follow the security people of other distributions who are part of
>>> that group basically. Or that's basically what I am saying: I know something,
>>> but I'm not sure exactly.
>>>
>>> Sebastian
>>
>>
>
>
------------------------------
Message: 3
Date: Wed, 21 Aug 2013 21:17:55 +0100
From: Sebastian <sebsebseb_mageia@gmx.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>,
Sebastian <sebsebseb_mageia@gmx.com>
Subject: Re: [bristol] Linux distributions and Windows security, etc
Message-ID: <52152073.5010509@gmx.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
On 21/08/13 20:10, Christopher Horler wrote:
> Please see a few comments below...
I assume you know that was a reply to another Chris, but that's fine
that you replied to that :). Are you coming to the LUG meeting this
Saturday :) by the way or not?
I have dropped the subject that was being used by me before: 3rd attempt
at replying to Chris on the mailing list
>
> On 21 August 2013 00:26, Sebastian <sebsebseb_mageia@gmx.com> wrote:
>> Ok my test email went to the mailing list ok, and so below is my 3rd attempt
>> at replying to Chris on the mailing list, with the messages of the two
>> emails I sent that didn't seem to get through at all. Maybe the name of the
>> subject was causing the problems? Re: [bristol] (no subject)
>>
>> On 21/08/13 00:13, Sebastian wrote:
>>> My reply to Chris did not get sent to the mailing list earlier for some
>>> reason it seems. I remember in the past sometimes I got issues emailing the
>>> mailing list as well, and I think it's annoying when stuff like that
>>> happens. Hopefully this one gets sent there ok though :).
>>>
>>> On 20/08/13 19:52, Sebastian wrote:
>>>> You scared me with all that! Also no I hadn't read that before. Ok you
>>>> didn't really scare me with any of that :).
>>>>
>>>> Linux distributions aren't 100% immune from malware. However when
>>>> compared to Windows a major difference is that generally they have been
>>>> designed in a more secure way. Whereas with Windows security was just a
>>>> bolt-on really. Also it wasn't really designed with networking/Internet in
>>>> mind to begin with.
>>>>
>>>> In general it's easier to have Windows computers taken over, because of
>>>> the OS not having that very good security, but also how most users provide
>>>> poor security to it if any.
>>>>
>>>> Another thing is how most XP users for example will run it as admin which
>>>> means full control to the user, but also the malware. Whereas most Linux
>>>> distribution users don't run one as root for everything for example, and
>>>> many users know that's not a very good idea in general, with the
>>>> exception of security penetration distributions for example.
>>>>
>>>> Linux distributions are good at providing the user with root access for
>>>> only the specific task they are doing as well in general, whereas XP for
>>>> example isn't good at doing this, and so most users run it as admin.
>>>>
> I am aware of UAC improvements through Vista and 7 and quite a few
> other improvements.
Yes same here.
> XP was also a concrete change in approach (kernel and driver model
> changes and integrated / developed from the NT product line)
> If you wikipedia Windows_NT I think you'll find it has long had
> advanced network and security protocols/capabilities.
Well yes, generally Windows NT is known to be more secure and stable or
better designed than the versions based on or similar to DOS for
example. However generally Microsoft don't seem to actually care that
much about the consumer versions, but do about the server versions. For
example I know a guy online who would run (and probably still does)
Windows Server 2003 as a desktop OS instead of Windows XP etc. Why?
Because he thinks it's better than running XP for the kind of reasons I
was on about, as in he thinks it's been designed better etc. XP is an NT
based version, but doesn't really have the same quality put in by
Microsoft as their server versions.
I think it's probably quite true for companies such as Microsoft that in
general they can get away with a product that is usable and good enough
to sell, but not with the same quality as most of the big
opensource/freesoftware products would get. Quality as in people doing
proper code and putting in a proper effort to make sure that code isn't
buggy or that buggy, and generally trying to fix bugs quickly when they
are known about.
I mean what kind of bugs are really in Windows and Microsoft Office for
example that aren't really publicly known about, because it's closed
source, that they should have fixed really? However, not just Microsoft,
but any proprietary closed source software. All they generally need is
something that is usable and marketed enough, with vendor lock-in here
and there, and it sells to many or the masses in general, as in Windows,
Microsoft Office, and even Adobe Photoshop for example. In fact really
most home/consumer computer users don't need Microsoft or Apple or
proprietary software in general, for what they want to use a computer
for, but they don't know that or don't care enough about it, and so
that's a big reason these companies have lots of business still. However
when selling to enterprise for example they generally make products that
are better than what they have made for the home users etc.
If you're someone who is reading this that doesn't agree with what I put
above that's fine, and I am interested to know your opinions about this
as well :). In fact I am interested to know other people's opinions in
general for these kind of subjects :).
>
> (disclaimer - I'm only a Windows user in a corporate environment, and
> I'd like to see us using Enterprise Linux not Windows...)
Disclaimer - I am not at all anti proprietary closed source software, and
will use it here and there, Flash etc. I do however believe that most
software should ideally be opensource/freesoftware, with certain
exceptions. Free as in software freedom!
>
>>>> The idea that Linux distributions are so much more secure than Windows,
>>>> to the extent that you don't need to worry about malware at all when running one
>>>> online, is wrong though. Yes Windows malware won't work on a Linux
>>>> distribution, with the exception of Wine possibly or inside a Windows
>>>> virtual machine, but that doesn't mean there can't be malware made for Linux
>>>> distributions specifically, or browser based attacks that are cross platform
>>>> as well for example.
>>>>
>>>> Also, unlike with Windows, users of Linux distributions tend to get their
>>>> software from the trusted repositories/repos of the distribution that they
>>>> are using. Software isn't just put in there, in most distributions, instead
>>>> it's put in by packagers, and tested by Quality Assurance people etc.
>>>> Whereas with Windows most software for it comes from various different
>>>> places on the web or otherwise, and so the chance of malware is much higher,
>>>> but also since it's the biggest target as well, since the millions of people
>>>> who don't know much about computers at all using it.
>>>>
>>>> In fact with Linux distributions there is like a special group of people
>>>> who know about the zero day exploits from different distributions, and the
>>>> fixes become public, and distributions pick up on them. Ideally a
>>>> distribution would want their security people to be part of this group, but
>>>> if not can follow the security people of other distributions who are part of
>>>> that group basically. Or that's basically what I am saying: I know something,
>>>> but I'm not sure exactly.
>>>>
>>>> Sebastian
>>>
>>
------------------------------
_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol
End of Bristol Digest, Vol 513, Issue 7
***************************************