Linux Security: Reflections on 2002

Here are my reflections on Linux security in 2002 and predictions for 2003. All statements not otherwise attributed are my opinions.

I think that the major change in 2002 over 2001 in Linux security was that major heavily-deployed subsystems continued to get more hardened. The recent versions of Sendmail, LPD (Line Printer Daemon), and the commercial (ssh.com) version of SSH suffered no vulnerabilities. This may be a record for these subsystems.

Non-Windows Apache did suffer the first discovered vulnerabilities in five years with Chunk and SSL. DNS suffered one that would be hard to use if one’s firewall is properly configured. While OpenSSH suffered a number of problems, I do not yet consider it secure enough to deploy in “Production” environments. The ssh.com version is free for Linux, more secure, and easier to use – so use it.

Most Linux Distributions moved to automatic security patch download and installation options. This is a most welcome move to reduce the “window of opportunity” and hence risk of breach from days or months down to a few hours. Those with more critical systems still will want to do manual updates. This will allow testing to ensure that nothing is “broken” in the process.

Red Hat, SuSE, and other Distributions still turn on too many insecure unneeded services by default, with NFS, port, and friends heading the list. There were yet more vulnerabilities discovered in 2002 in this set of “weekend kludges” that still is heavily used.

The biggest risk taken by Linux users in 2002 was the failure to harden their systems by turning off unneeded services, using stricter permissions
on files, using good passwords, and failure to offer different services on different boxes. Most people merely answer questions asked by the installation software and have no idea of what is running on their systems. Invoking “netstat -anp | more” and “ps -axlww | more” will reveal what is running.

As problems, recreational hackers are being pushed aside by criminals obtaining credit card numbers and bank account details and by ever-increasing levels of spam.

Turning my crystal ball on 2003

As the worldwide recession continues in 2003, budget pressures will help move the world from expensive SysAdmin-intensive proprietary solutions to Linux. Even the last two holdouts, Sun and Microsoft, have grudgingly started to embrace Linux.

I think that there will be a substantial increase in on-line credit card and bank account fraud, both by thieves exploiting vulnerabilities and by social engineering. There may be some very large crimes accomplished by a cracker quietly accumulating owned systems and credit card or bank account numbers. Then, perhaps on a Friday afternoon before a major holiday, he will drain all of them of credit or money.

The BugBear virus was the first seen that exhibited a disturbing trend that I predicted in early 2001: It did not just scan the disk for information useful to it. Instead, it also collected keystrokes, stored them in an encrypted manner that made this action very hard to detect, and sent them to one of the cracker’s system.

Why is this disturbing? This allowed BugBear to collect all of a user’s password and passphrases used to protect confidential information. This includes on-line bank account access, on-line shopping sites, etc. This allows BugBear to defeat a user’s SSL, SSH, IPSec, GPG, encrypted file system, and any other encryption or security efforts. I am unaware of BugBear actually taking advantage of this very powerful capability. However, expect new viruses to make use of this to harvest passwords.

Even those Linux users with good security are at risk if they make on-line purchases from sites with poor security. Almost all large e-commerce
sites use hardened Linux or Unix servers. Unfortunately, a fair number of “Mom and Pop” sites use IIS, though a surprisingly high percentage
do use Linux. For this reason, before giving my credit card to a new web merchant I always do:

nmap -O -sS -F -P0 -T Aggressive newguy.com

and require that all ports show as closed or filtered except for 80, 443, and, possibly, 25 and 22, and that the Operating System is not Windows.

Other ways to protect yourself are to use only a single credit card for all on-line transactions, preferably one with a small limit. Have a different card for large purchases, such as airline tickets and hotel rooms. Never, but never, use a debit card for on-line purchases or with any merchant other than one you trust highly. Remember that “possession is nine tenths of the law”. With a credit card problem, you still have your money and only a successful law suit will take it from you. With a debit card problem, your money already is gone, making it much harder to get back.

A reasonably secure web server is not all that is needed for a web merchant. It is critical to secure the database in a way that makes it exceptionally hard for a cracker to download the entire database. Most small companies (and even many large ones) keep the database on the web server itself. Thus, a single vulnerability will allow a cracker to get the credit card numbers and expiration dates of every customer. Solutions include not saving this information, my “One-way credit card data path”, and separate encryption keys for each customer. Perhaps Underwriters Laboratories will start rating the security of various techniques similarly to the way they rate how hard different safes are to crack.

I expect to see greater use of encryption and digital signing of email and documents. The GNU Privacy guard is a wonderful tool for this and is compatible with PGP. GPG or PGP is supported in most Linux mail user agents. Whether one is sending or storing a love letter or a trade secret, encryption keeps it secret. Even if someone breaks into someone’s system or steals its disk, without the keys, encrypted information remains secret for all time. Hopefully, encrypted file systems will become popular on laptop computers since these are stolen so frequently.

We may see a major Cyberterrorism event in 2003, causing major loss of Internet connectivity. Even those in countries not directly involved may suffer from backbones in the United States and elsewhere being “taken out”, causing their systems or their customers’ systems being “knocked off the web”. With an anticipated 23 million homes in the U.S. alone expected to have broadband in 2003, the potential for massive Distributed Denial of Service (DDoS) attacks is huge. With so many of these being unprotected Windows systems, this DDoS will be easy to do.

Sadly, the U.S. Government’s draft Cybersecurity proposal can most kindly be described as naive and ineffective. Its reliance on voluntary good practices, if it was the basis for criminal law, would be called anarchism. An excellent opportunity to make organizations and individuals and ISPs responsible for their problems was lost. Sheesh. The penalties for not stopping one’s dog from barking are more severe in most jurisdictions.

The growth of wireless networks will continue. With current wireless technology lacking decent security, many networks will be compromised. While many organizations do have a firewall, they fail to harden systems behind them. Thus, a single weak point such as a wireless component will allow many systems to be compromised. I advised the use of firewalls between different parts of large companies to limit the spread of a compromise in the first edition of “Real World Linux Security” back in 2000. Unfortunately, many organizations fail to do this.

I predict a major Linux virus in 2003, perhaps through Netscape via email or through Instant Messaging. A vulnerability in Java or the RealAudio or RealVideo player could be a vector for the spread of a virus. If Microsoft starts offering products for Linux in 2003, as far as security is concerned, good luck.

A blended attack is a distinct possibility. This might be a large truck bomb taking out a large building at the same time an Internet attack takes out “911” emergency switchboards and the city’s traffic light system. This would prevent rescue workers from helping the victims and increase the terror.

The current copyright and licensing battles will get much nastier as the greed of Hollywood and Microsoft leads to even more onerous restrictions on users. The U.S. FBI recently allowing Microsoft goons to come along on a “raid” is a most scary trend. At least the California Supreme Court had the sense to rule that California law does not apply to someone in another state. The dismissal of DMCA prosecution of Adobe’s complaint against Elcomsoft is a bit of light.

Despite Adobe claiming that the decryption code will allow massive violations of their copyright, not a single case of this was found. What makes this case especially absurd yet scary is that Adobe did not really encrypt its eBook data. It used a scheme similar to “ROT1”. This is where each letter “A” is replaced with “B”, “B” replaced with “C”, and “Z” replaced with “A”. This is such a weak algorithm that their claim that they used encryption and thus DMCA applied is debatable. I suspect that had the jury not laughed the case out of court, an appeals judge would have dismissed it.

I predict a serious U.S. Constitutional test of DMCA, with a reasonable chance of it being thrown out as unconstitutional. U.S. copyright law gives the purchaser of copyrighted material the right to use it as much as he wants so long as he does not make copies of it. In other words, you can play your CD or read your book as much as you want or sell your copy to whomever will buy it for whatever price you can get.

DMCA allows a vendor to take these rights away from someone who has purchased something. It even allows the creator to restrict when and where or how many times something may be heard or viewed. Hopefully, these constitutionally granted rights will be restored. Hollywood’s lobbyists attempting to further stretch the concept of a “reasonable period of time” for copyright protection may cause a Supreme Court rollback of the duration of copyright protection. There are similar battles around the world, though I must admit to not being familiar with them.

The current interest of everyone and his brother in forensics and honeypots will die down. For other than those doing serious research in computer security, I find its only value is demonstrating to management that insecure systems will be breached.

Biography

Bob Toxen is author of the new book “Real World Linux Security: Intrusion Prevention, Detection, and Recovery, 2/e“, the first edition (available in English, Chinese, and Japanese), one of the 162 official developers of Berkeley Unix, and one of the four programmers who first ported Unix to the Silicon Graphics workstation. The book’s web site is www.realworldlinuxsecurity.com. An interview with Bob is available here.

Bob has his own consulting company specializing in inexpensive Linux solutions for network security, helping clients around the world. These solutions include Firewalls, VPNs, virus and spam filters, backup software, security audits, and security consulting.