Linux Security: Reflections on 2002
by Bob Toxen - Tuesday, 7 January 2003.
Here are my reflections on Linux security in 2002 and predictions for 2003. All statements not otherwise attributed are my opinions.

I think that the major change in 2002 over 2001 in Linux security was that major heavily-deployed subsystems continued to get more hardened. The recent versions of Sendmail, LPD (Line Printer Daemon), and the commercial version of SSH suffered no vulnerabilities. This may be a record for these subsystems.

Non-Windows Apache did suffer its first discovered vulnerabilities in five years, with the Chunk and SSL flaws. DNS suffered one that would be hard to exploit if one's firewall is properly configured. OpenSSH suffered a number of problems, and I do not yet consider it secure enough to deploy in "Production" environments. The commercial version is free for Linux, more secure, and easier to use - so use it.

Most Linux Distributions moved to automatic security patch download and installation options. This is a most welcome move to reduce the "window of opportunity" and hence risk of breach from days or months down to a few hours. Those with more critical systems still will want to do manual updates. This will allow testing to ensure that nothing is "broken" in the process.

Red Hat, SuSE, and other Distributions still turn on too many insecure unneeded services by default, with NFS, port, and friends heading the list. There were yet more vulnerabilities discovered in 2002 in this set of "weekend kludges" that still is heavily used.

The biggest risk taken by Linux users in 2002 was the failure to harden their systems by turning off unneeded services, using stricter permissions on files, using good passwords, and failure to offer different services on different boxes. Most people merely answer questions asked by the installation software and have no idea of what is running on their systems. Invoking "netstat -anp | more" and "ps -axlww | more" will reveal what is running.
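The hardening step above (find out what is listening, then turn off what is not needed) can be made repeatable. The following script is an added example, not part of the original article: it parses "netstat -anp" style output and flags listening sockets on ports the article singles out as unneeded by default (portmap on 111 and NFS on 2049). The netstat output embedded here is constructed sample data, and the port list is an assumed policy to be extended per site.

```shell
#!/bin/sh
# Added example (not from the original article): audit listening sockets
# from "netstat -anp" output and flag services that are usually unneeded.

# Constructed sample of "netstat -anp" output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      512/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      700/sendmail
tcp        0      0 192.0.2.10:22           198.51.100.7:40120      ESTABLISHED 912/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           512/portmap
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -'

# Assumed policy: ports the article's "turn off unneeded services" advice
# targets. 111 = portmap (sunrpc), 2049 = NFS. Extend as your policy requires.
UNNEEDED_PORTS='111 2049'

# list_listeners: read netstat output on stdin and print "proto port program"
# for every listening socket. TCP counts only in LISTEN state; every UDP
# socket counts, since UDP has no connection state. A "-" program means
# netstat could not map the socket to a process (kernel NFS, or not root).
list_listeners() {
    awk '
        function port(addr,   n, parts) { n = split(addr, parts, ":"); return parts[n] }
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, port($4), $7 }
        $1 ~ /^udp/                   { print $1, port($4), $6 }
    '
}

# flag_unneeded: read netstat output on stdin and print one line per
# listening socket whose port is in UNNEEDED_PORTS.
flag_unneeded() {
    list_listeners | while read -r proto port prog; do
        for p in $UNNEEDED_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "UNNEEDED $proto/$port ($prog)"
            fi
        done
    done
}

# Stand-alone run against the constructed sample. On a live system you would
# instead pipe "netstat -anp" (run as root so PID/Program name is filled in).
printf '%s\n' "$SAMPLE_NETSTAT" | flag_unneeded
```

On a real host, replace the sample with `netstat -anp | flag_unneeded`; anything flagged is a candidate for disabling in the init scripts, and anything listed with a "-" program name deserves a second look because it is either kernel-owned or you are not running as root.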

As a source of problems, recreational hackers are being pushed aside by criminals obtaining credit card numbers and bank account details, and by ever-increasing levels of spam.

Turning my crystal ball on 2003

As the worldwide recession continues in 2003, budget pressures will help move the world from expensive SysAdmin-intensive proprietary solutions to Linux. Even the last two holdouts, Sun and Microsoft, have grudgingly started to embrace Linux.

I think that there will be a substantial increase in on-line credit card and bank account fraud, both by thieves exploiting vulnerabilities and by social engineering. There may be some very large crimes accomplished by a cracker quietly accumulating owned systems and credit card or bank account numbers. Then, perhaps on a Friday afternoon before a major holiday, he will drain all of them of credit or money.

The BugBear virus was the first seen that exhibited a disturbing trend that I predicted in early 2001: it did not just scan the disk for information useful to it. Instead, it also collected keystrokes, stored them in an encrypted manner that made this action very hard to detect, and sent them to one of the cracker's systems.

Why is this disturbing? This allowed BugBear to collect all of a user's passwords and passphrases used to protect confidential information, including on-line bank account access, on-line shopping sites, etc. This allows BugBear to defeat a user's SSL, SSH, IPSec, GPG, encrypted file system, and any other encryption or security efforts. I am unaware of BugBear actually taking advantage of this very powerful capability. However, expect new viruses to make use of this to harvest passwords.
