Saturday, April 10, 2010

A word (or two) about Linux desktop security

When I wrote my Windows 7 vs. Ubuntu 10.04 Beta ARTICLE several days ago, I rated Ubuntu higher than Windows in terms of security. In hindsight, I think I was perhaps assuming certain bits and pieces, as well as maybe not thoroughly explaining why I thought that was the case.

Thanks to some of the posts from readers, I started thinking I should cover this subject in more depth. Moreover, I could see that there were certain areas that were lacking consensus, even among very skilled and knowledgeable people. Since then, I have been doing some research on certain things I was not 100% clear on, as well as carefully thinking about those potentially weak spots certain posts were raising. I would like to use this article to share my views on this subject.

First off, even though some posts claimed to expose irrefutable facts, I have to say I believe there is no such thing, for all the arguments were ultimately linked to personal opinions. In fact, the biggest disagreements came from different interpretations of three main questions:

- What is standard home desktop usage?
- What threats pose a risk to the Linux home desktop?
- What is currently missing security-wise?

Answers to these questions did eventually shape another answer to yet another key question:

- What should end users do to close the gap?

Before I move on and share my own point of view, I would like to list a few things that may provide some context:

- There seems to be a tendency to interconnect our data across an ever-increasing number of devices. Smartphones, iPods and the like, the iPad and similar devices, netbooks... The list goes on and on.

- The media through which we exchange data are also changing and evolving very quickly: 3G (many countries have already incorporated 3.5G and a few already offer 4G), ADSL, cable, high-speed internet, etc.

- The evolution towards a cloud computing model keeps reducing the scope of the traditional home desktop as the primary means of storing data for the average user. Certain services, like Dropbox, offer users a cheap solution to keep data safe and available from different sources and locations.

- Corporations store critical data that may be a target for third parties for many reasons, thus justifying the huge investments they put in place to keep it private and safe. When they implement desktop security practices, they do so in a controlled environment, where each link of the chain gets just as much attention as the desktop.

- A home desktop OS should sport a balance between many features, among which security is just one. It is unreasonable to expect a standard user to spend hours partitioning a drive so that optimum security is achieved when, for all we know, s/he may never store anything worth securing.

What this means to me:

- The home desktop is not the only, and maybe not even the main, device whose security should concern us. In fact, we can make our desktop more secure than Fort Knox, but that means nothing if we don't encrypt our wireless connection, or if we have mobile devices with Bluetooth fully open, or if our 3G connection is compromised, etc.

- In my opinion, trying to draw any comparison between corporate and home desktop security is beside the point. It is unreasonable to expect that a standard user will have the ability, or even the possibility, to implement a fully secure environment.

On a different note, corporations implement security policies in accordance with the criticality of their information, which is directly related to how much of a target that information may become. I think those are concerns the average Joe does not share, for obvious reasons.

- Security must be balanced with other elements that are equally important for the end user, such as ease of use.

With all that said, let me share my perspective on...

LINUX DESKTOP SECURITY

Since Windows is currently the most popular home desktop operating system, and whether we like it or not, the standard by which most keep judging the Linux desktop, I will continue to draw comparisons to the Microsoft OS. After all, it was this very comparison that created all the noise.

FIREWALL

If you have read about the Linux desktop firewall on forums, or even in the posts on this blog, chances are you are confused about it. I know I was.

The most popular Linux desktops include a firewall from the get go, that much is clear, but there was little consensus on whether it was enabled or disabled by default. Things may vary slightly depending on the distro, but here's how it goes in Ubuntu:

The firewall policies are all set to ACCEPT by default, which means iptables filters nothing: as far as the firewall is concerned, every port is open. However, no service is listening on any of them, so in practical terms they are all closed.

Zenmap's intense scan found no open ports in my Ubuntu 9.04 desktop.

As you can see from the screenshot above, a scan on one of my machines shows no ports are open by default, which is simply the result of having nothing listening. However, if I installed a mail server, a MySQL server, or maybe even just a printer, that would put a service listening on one or more ports. That could be a potential threat, but if you are behind a router, as I am, you should be perfectly safe as long as you don't forward any port(s) to your machine.

The best thing you could do, though, is install one of the graphical front ends available. GUFW and Firestarter are both available from pretty much any Linux distro repository and install very easily. When they are first set up during installation, a default configuration is put in place that should keep things very much secure (policies default to DROP). It is important to understand that once those rules have been set up, you do not need to run GUFW or Firestarter all the time to stay safe: the rules live in iptables, which the kernel enforces whether or not the GUI is open. In fact, you should not need to run them unless you want to modify the rules or monitor iptables activity.

Long story short, if you are using Ubuntu at home and you are behind a router, you are pretty much safe from attacks with the default setup. Having said that, I would still recommend installing one of the graphical front ends available. As far as I know, Windows also ships with a firewall that is enabled by default, so I believe both are pretty even on this one.
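To make the "open but nothing listening" distinction concrete, here is an added example (not code from the original post) that combines the firewall policy from `iptables -S` with the sockets `ss -tuln` reports and returns only the ports another machine could actually reach. The tool outputs embedded below are constructed samples: the stock ACCEPT policy, a GUFW-style DROP ruleset, and a socket listing after adding a mail server, MySQL and a CUPS printer.

```python
"""Added example, not code from the original post: work out what a Linux desktop really
exposes by combining `iptables -S` (policy) with `ss -tuln` (what is listening)."""
import re

# Constructed sample: the Ubuntu default the post describes, every chain at ACCEPT.
IPTABLES_DEFAULT = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
# Constructed sample: the kind of ruleset GUFW/Firestarter set up (INPUT dropped).
IPTABLES_DROP = """-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""
# Constructed sample: `ss -tuln` after adding a mail server, MySQL and a CUPS printer.
SS_HEADER = "Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
SS_WITH_SERVICES = SS_HEADER + """\
udp   UNCONN 0      0      0.0.0.0:631       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      128    [::1]:631         [::]:*
"""

def input_policy(iptables_s):
    """Default policy of the INPUT chain; iptables itself starts out at ACCEPT."""
    for line in iptables_s.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["-P", "INPUT"]:
            return parts[2]
    return "ACCEPT"

def allowed_ports(iptables_s):
    """Ports opened explicitly by `-A INPUT ... --dport N -j ACCEPT` rules."""
    ports = set()
    for line in iptables_s.splitlines():
        if line.startswith("-A INPUT") and line.rstrip().endswith("-j ACCEPT"):
            match = re.search(r"--dport (\d+)", line)
            if match:
                ports.add(int(match.group(1)))
    return ports

def listening_sockets(ss_output):
    """Parse `ss -tuln` into (proto, addr, port, exposed); loopback is not exposed."""
    sockets = []
    for line in ss_output.splitlines()[1:]:  # first row is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, port = parts[4].rsplit(":", 1)
        addr = addr.strip("[]")
        sockets.append((parts[0], addr, int(port), addr not in ("127.0.0.1", "::1")))
    return sockets

def reachable_ports(iptables_s, ss_output):
    """Ports another machine could reach: bound to a non-loopback address, with INPUT
    at ACCEPT or an explicit ACCEPT rule for that port (per-protocol rules ignored)."""
    policy, opened = input_policy(iptables_s), allowed_ports(iptables_s)
    hits = [(proto, port) for proto, _addr, port, exposed in listening_sockets(ss_output)
            if exposed and (policy == "ACCEPT" or port in opened)]
    return sorted(hits)
```

With the stock policy and an empty listing the result is empty, matching the scan above; the same policy with the three services exposes SMTP and the CUPS UDP port, while MySQL bound to 127.0.0.1 never shows up, and the DROP ruleset hides everything until a rule opens a specific port.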

If anything, I think Linux distros should make an effort to provide better information about this subject as part of the desktop experience, so the end user can understand the level of protection provided, the risks (if any), etc.

VIRUSES

As we have seen in a previous ARTICLE, Linux is virus free. Now, I consider this a critical element and was surprised to see some posts claiming that all you need as a Windows user to be safe is to "install an antivirus".

Just like with pretty much anything in computing, the subject of viruses and antivirus software can get as deep and complex as you want to make it, so I will stick with a few concepts I consider relevant to our home desktop security discussion:

- Even if Windows users are asked to install an antivirus, it is still very much down to user choice. I have heard people I know say that they are not paying $30 a year for an antivirus. They either end up downloading a pirated copy (which may very well be infected already, be a trojan, etc.), downloading one of the few free antivirus applications available, or simply installing no antivirus at all.

- I recently heard a radio interview with a senior member of one of the leading antivirus companies, and he claimed they were finding a significant number of new malware samples every day. Here is a quote from Wikipedia's entry for computer virus:

"The Sophos Company experts say about 40,000 computer viruses are now known to exist, with about 200 new computer viruses being released into the Internet each month"

Now, I think it is clear that such estimates are based on what these companies actually detect, which is not necessarily the grand total. In addition, that rate of detection varies depending on the quality of the antivirus at hand. My experience is that standard users tend to prefer those antivirus applications which offer an easy-to-use interface, are not overly intrusive and don't add too much drag to overall performance. Quite honestly, I have yet to find a Windows user who consciously makes an effort to research antivirus benchmarks and buys the most effective antivirus based solely on security. My point being, if only 1% of viruses goes undetected, that means hundreds of thousands of users have absolutely no protection against 2 new viruses every month. And that is assuming each and every Windows user has a current and valid antivirus license, which is no trivial assumption.

This is a significant advantage Linux desktop users can benefit from.

ROOTKITS, TROJANS AND SOCIAL ENGINEERING

Both rootkits and trojans require user interaction to be effective. In other words, for any of these pieces of malware to have a significant impact on the system, a user must be tricked into taking a number of technical steps, potentially involving administrative access. This, along with an extremely fragmented packaging landscape and a fairly small community, has helped keep Linux as safe as it has been so far.

Let's not misinterpret what that means or rest on our laurels. Linux is far from being immune to this kind of attack. Here are some recommendations that should keep you fairly safe.

1.- Do not download or execute scripts from any untrusted source. This is a bit of a tough one, as the Linux community has a history of sharing scripts, putting together tutorials which newcomers blindly execute without asking, etc. Certain scripts can be obtained from trustworthy sources, but as a rule of thumb, do not run anything you don't fully understand.

2.- Stick to official repositories when installing applications. If you can't afford to do so because you are using a distro with a limited catalog of applications available, then consider using a different one. Arch Linux is a distro with an immense amount of applications available from its official repositories. The same applies if your distro of choice is too conservative when adding new releases of applications. Fedora is a good example of a distro that does a very good job at making new versions of applications available very quickly.

Obviously, I am not asking you to move to a different distro just because of a few extra repository sources. However, if your current distro of choice forces you to keep a large sources.list file, you should consider switching to a different one. As always, use common sense and stay away from repositories you have no solid reasons to trust.

3.- Avoid downloading and installing applications from .DEB or .RPM packages as much as possible. If you follow the recommendation in item 2 above, you are not likely to use this installation method much, but I still think it is worth stressing. Don't get me wrong, many software vendors do package their software this way, and sometimes it is the only way for users to get an up-to-date version. OpenOffice, Dropbox, Skype and VirtualBox are examples of software that can be safely downloaded and installed this way.

Once again, use common sense and stay away from packages that are not easily distinguishable as trustworthy.

4.- Do not run any untrusted launcher. Both GNOME and KDE allow launchers to be executed with a simple double click, even if they do not have executable rights. To be fair, I have to say that both of them raise warning messages, but I still believe this poses a real threat. The best thing you can do is never run any launcher that was not created on your own machine.

5.- Make it a habit to use a standard user profile (as opposed to an administrator one). Different distros handle it differently, but many grant admin rights (read: sudo access) to the account that is created on installation. Ubuntu is a good example.

If you are using a Linux distro which provides default sudo access, I recommend you create an alternative user account for day to day activities. Think about it: Browsing the web, listening to music, watching movies, playing games, etc., all doable without admin privileges. Why risk it unnecessarily?
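Item 4 above is the one that is easiest to check mechanically, so here is an added example (not code from the original post) that audits GNOME/KDE .desktop launchers the way a cautious user might before double-clicking: it reports a missing executable bit (which the desktop ignores), an Exec line that goes through a shell or another interpreter, a program outside the package directories, and arguments pointing at temporary or download locations. The two launcher texts, the list of trusted directories and the list of interpreters are all constructed assumptions for this example.

```python
"""Added example, not code from the original post: audit GNOME/KDE .desktop
launchers before trusting a double-click. The two launcher texts are constructed."""
import configparser
import os
import shlex

# Assumptions for this example: programs under these prefixes came from the package
# manager; files under these prefixes were downloaded or dropped there by someone.
TRUSTED_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/")
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", os.path.expanduser("~/Downloads/"))
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}

# Constructed: a launcher as a distro package ships it.
FIREFOX = """[Desktop Entry]
Type=Application
Name=Firefox
Exec=/usr/bin/firefox %u
Terminal=false
"""

# Constructed: a launcher handing a freshly downloaded script to a shell (item 4 above).
UNTRUSTED = """[Desktop Entry]
Type=Application
Name=Free Game
Exec=sh -c "/tmp/downloads/setup.sh"
Icon=/tmp/downloads/icon.png
"""

def audit_launcher(text, executable):
    """Return findings for one launcher; an empty list means nothing stood out.
    `executable` is whether the file carries its x bit (os.access(path, os.X_OK))."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u and friends as-is
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return ["missing [Desktop Entry] section"]
    findings = []
    if not executable:  # GNOME and KDE still launch it after a warning dialog
        findings.append("executable bit not set, yet the desktop would still run it")
    argv = shlex.split(cp["Desktop Entry"].get("Exec", ""))
    if not argv:
        return findings
    if os.path.basename(argv[0]) in INTERPRETERS:
        findings.append("Exec runs through an interpreter: " + argv[0])
    if argv[0].startswith("/") and not argv[0].startswith(TRUSTED_DIRS):
        findings.append("program outside package directories: " + argv[0])
    for arg in argv[1:]:
        if arg.startswith(SUSPECT_DIRS):
            findings.append("runs a file from a temporary/download location: " + arg)
    return findings

def audit_directory(directory):
    """Audit every .desktop file in a directory such as ~/Desktop; name -> findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".desktop") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[name] = audit_launcher(fh.read(), os.access(path, os.X_OK))
    return report
```

Run `audit_directory(os.path.expanduser("~/Desktop"))` to check real launchers; the packaged Firefox launcher comes back clean, while the constructed download-folder one is flagged three times.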

CONCLUSION

All things considered, I still believe that Linux desktop security is superior to that of Windows in a home environment. Here's why:

- The default firewall setup offers a very safe configuration off the bat.

- The software repository model is safer.

- Viruses are no concern.

- Social engineering is definitely a threat, but following a few simple guidelines should keep you safe.

Some have raised a very valid concern about the lack of reactive security on the Linux desktop. Unlike Windows users, we have nothing to fix or even detect the situation once security is compromised. While I agree with such concerns, in my opinion all that means is that Linux users need to approach security differently from Windows users. Windows users have grown accustomed to a reactive model: they have a wide variety of tools to detect a security threat and kill it. The key to Linux desktop security is to take a proactive approach: preventing over healing.

To me, it boils down to this: Linux desktop users are safe as long as they follow a few best practices, which is more than Windows users can say today, even with the help of an antivirus. In addition, in the event of security being compromised, the severity of the damage is generally much more limited.

Thanks for reading!

5 comments:

  1. It is incorrect to state that there are no viruses for Linux, because there are a few. Otherwise it's a good read. I think in conclusion I disagree that Linux is safer than Windows because the Windows market has a very robust security product line made just for keeping end users safer (though it isn't 100% safe either, as 0-days will always exist). It was good to read your newly formed (better researched) opinion after having read your previous article.

  2. Hi, fewt,

    Thanks for your comments.

    I am sorry, but I disagree with your virus comment. The wikipedia virus definition:

    "A computer virus is a computer program that can copy itself and infect a computer"

    As I explained in my article on Linux viruses, there are a number of technical reasons why that just doesn't work in a UNIX derivative environment as of today. For the trick to work, there must be user interaction, which immediately makes that piece of malware NOT a virus.

    In any case, please name those few viruses that (according to you) can copy themselves and infect computers automatically, with no user intervention. I am curious, because I and other people I know have tried to run some of those so-called "Linux viruses" on dummy machines and they simply don't work. The "bash" virus just didn't work, could not infect anything. Another popular one that got lots of press required the TMP folder to be mounted on a separate, FAT partition (WTF?)...

    Believe me, I am not just taking things for granted here. I have taken a critical approach, learnt about the x86 architecture and how Linux implements it, how Linux manages memory, etc. It is theoretically feasible (although quite challenging) to create a Linux virus, but in practical terms, it's just not happening.

    As for my newly formed opinion, that's really your interpretation. I still believe Linux security is superior, but obviously not immune to any and all security threats. The bits and pieces I learnt about IPTables don't make any significant difference. I think I was not really able to explain my perspective in the Windows 7 vs. Ubuntu 10.04 comparison article, mostly due to space and subject constraints.

    To be honest, I find the way you compare both OS a bit funny: "Windows + antivirus is better". That says quite some already, but I never said I was comparing an OS + antivirus. It was solely an OS comparison, and Windows is simply vulnerable without the aid of external tools. It is more vulnerable to rootkits and trojans as well, for they are far easier to create and far more likely to massively succeed.

    Last but not least, Windows maintains a never-ending process of patching (often shameful) vulnerabilities... What was that about several countries issuing an official warning on Internet Explorer 8 security? (LINK) France and Germany must surely be inventing this stuff, I guess?

    I don't know, man, I can agree with you that a Linux user is screwed once deceived into running malicious code, but so is a Windows user. The use of antimalware tools makes up for it, but that's really beside the point, for we are comparing operating systems here. That's a bit like saying "I can run faster than Usain Bolt, I just need to stuff myself with enough steroids and that should do it!"

    P.S.: Btw, the Windows 7 or even the Windows Vista user community is still tiny compared to that of Windows XP, which, as you know, is far more vulnerable. That has to be taken into account when talking about Windows users in general. We can't just assume Windows users share the Windows 7 security enhancements... And let's not forget that antivirus protection in Windows is just a recommendation for now, nothing prevents users from running their OS as is.

    Again, thanks for reading and posting!

  3. Here is a list of Linux viruses. I don't believe any of them are active today, but they still do exist which was all I was saying.

    http://en.wikipedia.org/wiki/Linux_malware#Threats

    The reason I think Windows 7 + AV is greater is that AV programs on Windows 7 intercept system calls (active scanning) and inspect them for potential threats, and Windows 7 was developed using a much better security model than all other versions of Windows (which is why it is incompatible with a lot of software). I don't think any earlier version of Windows is safe, please don't misunderstand my implication, I'm the furthest thing from a Windows advocate. ;)

    It's OK to agree to disagree about that though. As for it being my opinion that you are better informed, well, based on the slight change in what you have said in this article I think you are. That is my opinion, and a compliment. ;)

  4. Hi again,

    Hey, sorry if that sounded harsh, I do agree that there were things I didn't completely understand before. It's just that after researching them, I still believe Linux desktop security is tighter overall. That's why I made such a comment.

    Actually, not sure if you heard about it, but I think this application might be a step in closing the gap you rightly pointed out. (LINK). It is called NINJA, and seems to provide active detection of privilege escalation. I haven't installed it myself, but sounds like a good idea. Have you used it? If so, what's your take on it?

    And yeah, it is perfectly fine that each of us has a personal view around the subject. Actually, I think that is down to both being fairly matched on average.

    What's most exciting is that an OS that was born in 1991, primarily developed by a community without revenue in mind, can actually match the industry standard in so many aspects. I don't know about you, but I find that truly amazing.

    As usual, a pleasure discussing with you!

    Thanks

  5. Nice discussion.

    I tried Linux Sabily Badr (based on Ubuntu Natty) and I really love it. No need for a driver (VGA and sound), no need to install applications (for standard use), no viruses.

    I hate having to repeat installing the OS, cleaning it of viruses, and receiving pop-up messages that there are errors just several minutes after installation, before I have installed any application
    (maybe my hardware is too old).

    When I tried Ubuntu 8.04 it was OK but had several problems for me (newbie), so I changed to Sabily (Ubuntu Muslim Edition) and found everything there.

    Now I am trying PCLinuxOS and found your blog, reading your articles and writing this comment.

    Forgive me for my bad English.
    Thanks for your review.
