The BugBear virus was the first seen to exhibit a disturbing trend that I predicted in early 2001: it did not just scan the disk for information useful to it. It also collected keystrokes, stored them in an encrypted form that made this activity very hard to detect, and sent them to one of the cracker's systems.
Why is this disturbing? It allowed BugBear to collect all of a user's passwords and passphrases used to protect confidential information, including on-line bank account access, on-line shopping sites, etc. This lets BugBear defeat a user's SSL, SSH, IPSec, GPG, encrypted file system, and any other encryption or security effort. I am unaware of BugBear actually taking advantage of this very powerful capability. However, expect new viruses to make use of it to harvest passwords.
Even those Linux users with good security are at risk if they make on-line purchases from sites with poor security. Almost all large e-commerce sites use hardened Linux or Unix servers. Unfortunately, a fair number of "Mom and Pop" sites use IIS, though a surprisingly high percentage do use Linux. For this reason, before giving my credit card to a new web merchant I always do:
nmap -O -sS -F -P0 -T Aggressive newguy.com
and require that all ports show as closed or filtered except for 80, 443, and, possibly, 25 and 22, and that the Operating System is not Windows.
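As an added example (not from the original article), the rule above expressed as a check over nmap's normal output: any port outside 80, 443, 22 and 25 that is not closed or filtered, or an OS fingerprint that says Windows, is reported as a finding. The sample scan, the host name and the helper names are constructed for the example.

```python
import re

# Ports the rule allows to be reachable on a merchant's web server.
ALLOWED_PORTS = {80, 443, 22, 25}

# Constructed sample in nmap's normal output format; not a real host.
SAMPLE_SCAN = """\
Interesting ports on newguy.example (192.0.2.10):
Not shown: 1194 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
80/tcp   open   http
443/tcp  open   https
3306/tcp open   mysql
8080/tcp closed http-proxy
Running: Linux 2.4.X|2.6.X
OS details: Linux 2.4.18 - 2.6.7
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S*)", re.MULTILINE)
OS_LINE = re.compile(r"^Running:\s*(.+)$", re.MULTILINE)


def parse_scan(text):
    """Return ([(port, proto, state, service), ...], os_guess)."""
    ports = [(int(p), proto, state, svc)
             for p, proto, state, svc in PORT_LINE.findall(text)]
    m = OS_LINE.search(text)
    return ports, (m.group(1).strip() if m else "")


def evaluate(text):
    """Apply the rule: every port other than 80, 443 (and possibly 22, 25)
    must show as closed or filtered, and the OS guess must not be Windows.
    Returns a list of findings; an empty list means the host passes."""
    ports, os_guess = parse_scan(text)
    findings = []
    for port, proto, state, svc in ports:
        if port in ALLOWED_PORTS or state in ("closed", "filtered"):
            continue
        findings.append(f"{port}/{proto} {state} ({svc}) is not on the allow list")
    if "windows" in os_guess.lower():
        findings.append(f"OS fingerprint is Windows: {os_guess}")
    if not os_guess:
        findings.append("no OS fingerprint; cannot confirm the platform")
    return findings


if __name__ == "__main__":
    for line in evaluate(SAMPLE_SCAN) or ["host passes the exposure rule"]:
        print(line)
```

Feed it the saved output of the nmap command above (for example `nmap ... -oN scan.txt`) and an empty result means the merchant meets the rule as stated.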
Other ways to protect yourself are to use only a single credit card for all on-line transactions, preferably one with a small limit. Have a different card for large purchases, such as airline tickets and hotel rooms. Never, but never, use a debit card for on-line purchases or with any merchant other than one you trust highly. Remember that "possession is nine tenths of the law". With a credit card problem, you still have your money and only a successful lawsuit will take it from you. With a debit card problem, your money is already gone, making it much harder to get back.
A reasonably secure web server is not all that is needed for a web merchant. It is critical to secure the database in a way that makes it exceptionally hard for a cracker to download the entire database. Most small companies (and even many large ones) keep the database on the web server itself. Thus, a single vulnerability will allow a cracker to get the credit card numbers and expiration dates of every customer. Solutions include not saving this information, my "One-way credit card data path", and separate encryption keys for each customer. Perhaps Underwriters Laboratories will start rating the security of various techniques similarly to the way they rate how hard different safes are to crack.