Myths about secure Linux

Chester Wisniewski
Chester Wisniewski, Senior Security Consultant at Sophos, shatters the perception that Linux is secure and dispels the myths

We are well into the 21st century, but it is astonishing how people can still believe that Linux-based operating systems are completely secure. Indeed, “Linux” and “security” are two words that you rarely see together. Just as some people believe Macs are immune to viruses, some Linux users have the same misconception – and who can blame them? After all, vendors have been telling them that for years. In 2012, after an exponential rise of OS X malware (such as MacDefender and Flashback), Apple decided to change its homepage by removing sentences like “It doesn’t get PC viruses.”
Apple's former homepage text:

“It doesn’t get PC viruses.
A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.”

Only recently, Red Hat also decided to (finally) remove the label “virus-free” from the feature overview of Fedora Linux.
Fedora's former feature overview:

“Virus- and Spyware-Free
No more antivirus and spyware hassles. Fedora is Linux-based and secure.”

Linux users are not OS X users, although when it comes to security many of them have the same misconception that the latter had a few years ago. So, let’s destroy four common urban legends about Linux security.

1 – Linux is invulnerable and virus-free.
“Linux is virus-free.” What does that even mean? Even if there were no malware for Linux – and that is not the case (see, for example, Linux/Rst-B or Troj/SrvInjRk-A) – would that make it safe? Unfortunately, no. Nowadays the range of threats goes well beyond a malware infection. Just think about receiving a phishing email or ending up on a phishing website: does using a Linux-based operating system stop you from handing over your personal or banking details? Not at all. And what about Heartbleed or Shellshock, or any other vulnerability of your choice? No system is invulnerable.

2 – Virus writers do not target Linux because it has a low market share.
While it is true that Linux distributions (distros for short) have a low market share on the desktop, the same cannot be said for other markets. In the server landscape, Linux distros hold almost 40% of the market, and they have a near-monopoly on supercomputers. In the mobile landscape, Linux-based Android has the majority of the market. According to Hugo Barra (Google’s Android VP of product management), in May 2013 there were 900 million Android devices.

3 – Windows malware cannot run on Linux.
Not exactly, truth be told. Although their number is still fairly low, there are more and more cross-platform threats. This is due to the multi-platform frameworks that are nowadays available under Linux as well: Adobe Flash and Reader, Java, JavaScript, Perl, PHP, Python, Ruby, and so on. To give one example, in July 2012 we wrote about a multi-platform backdoor named Troj/JavaDl-NJ, which also runs on Linux. Furthermore, Linux servers are often used to host Windows malware: when you click on a malicious link, the likelihood is that it directs you to a Linux server.

4 – On Linux you install software from software repositories, which contain only trusted software.
Besides the fact that social engineering is not the only way to get a malware infection, are you completely safe just because you use software repositories? Take one example and search for “How to install Java on Ubuntu.” You will immediately find tens or hundreds of step-by-step guides that suggest you add a particular PPA repository in order to install the latest version of Oracle Java, and, as with Java, you will see the same pattern for much other software ($ sudo add-apt-repository ppa). But who maintains those repositories? That depends on the link you opened and on the repository it suggests, but in the case of Java it is not Oracle itself. In other words, you do not really know whether it is a legitimate or a malicious repository.
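The check a practitioner would want after reading the point above is an inventory of which configured repositories actually come from the distribution and which were added from a guide. The following script is an added example, not code from the article or from Sophos: it parses one-line-style APT source entries (the format written to sources.list by add-apt-repository), classifies each as official, PPA or third-party, names the Launchpad account that controls a PPA, and flags two weakenings of package verification. The official and PPA host lists are an assumption about the Ubuntu archive layout, and every entry in SAMPLE_SOURCES (owners, hostnames, keyring path) is constructed for the demo.

```python
"""Audit APT one-line-style source entries (sources.list / sources.list.d)
and report which repositories are outside the distribution archive.

Added example; the sample entries below are constructed for the demo and the
host lists are an assumption about the Ubuntu archive layout.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts serving the distribution's own archive (assumption: Ubuntu layout).
OFFICIAL_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com", "ports.ubuntu.com"}
# Hosts serving Launchpad PPAs; the URL path is /<owner>/<ppa-name>/ubuntu,
# so the first path element names the Launchpad account that controls the PPA.
PPA_HOSTS = {"ppa.launchpad.net", "ppa.launchpadcontent.net"}

# deb|deb-src [opt=val ...] <uri> <suite> <component ...>
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class SourceEntry:
    kind: str                 # "deb" or "deb-src"
    uri: str
    suite: str
    components: list
    options: dict
    category: str = ""        # "official", "ppa" or "third-party"
    owner: str = ""           # Launchpad account for a PPA, else ""
    warnings: list = field(default_factory=list)


def parse_entry(line):
    """Parse one source line; return None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("unrecognised source line: %r" % line)
    kind, opts, uri, suite, comps = m.groups()
    options = {}
    for opt in (opts or "").split():
        key, _, value = opt.partition("=")
        options[key] = value
    return SourceEntry(kind, uri, suite, comps.split(), options)


def classify(entry):
    """Decide who publishes the repository and attach the caveats a reviewer would raise."""
    parsed = urlparse(entry.uri)
    host = (parsed.hostname or "").lower()
    if host in OFFICIAL_HOSTS or host.endswith(".archive.ubuntu.com"):
        entry.category = "official"
    elif host in PPA_HOSTS:
        entry.category = "ppa"
        first = parsed.path.strip("/").split("/")[0]
        entry.owner = first
        entry.warnings.append(
            "PPA published by Launchpad account '%s', not by the upstream vendor" % first)
    else:
        entry.category = "third-party"
        entry.warnings.append("repository outside the distribution archive; check who publishes it")

    # [trusted=yes] tells apt to skip signature checks for this source entirely.
    if entry.options.get("trusted") == "yes":
        entry.warnings.append("[trusted=yes] disables signature verification for this source")
    # Without signed-by, a third party's key in the global keyring can sign
    # packages for any configured repository, not just its own.
    if entry.category != "official" and "signed-by" not in entry.options:
        entry.warnings.append("no signed-by= keyring: its key is trusted for every repository")
    return entry


def audit(sources_text):
    """Parse and classify every entry in a sources.list-style text."""
    entries = []
    for line in sources_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entries.append(classify(entry))
    return entries


# Constructed sample: owners and hostnames below are placeholders, not real repositories.
SAMPLE_SOURCES = """\
# distribution archive
deb http://archive.ubuntu.com/ubuntu trusty main restricted universe
deb http://security.ubuntu.com/ubuntu trusty-security main
# added by following a "how to install Java" guide
deb http://ppa.launchpad.net/example-maintainer/java/ubuntu trusty main
# vendor repo added with signature checks switched off
deb [trusted=yes] http://mirror.example.invalid/apt stable main
# vendor repo with a dedicated keyring
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://pkgs.example.invalid/deb stable main
"""

if __name__ == "__main__":
    for e in audit(SAMPLE_SOURCES):
        print("%-12s %s %s" % (e.category, e.uri, e.suite))
        for w in e.warnings:
            print("    ! " + w)
```

Running it over a real machine means feeding it the concatenated contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list; entries in the newer deb822 .sources format are out of scope for this parser. The two warnings it raises are the ones worth acting on: a [trusted=yes] entry takes signature checking out of the picture for that source, and a third-party key added without a signed-by= restriction is accepted by apt for packages from every repository, so a compromised or malicious PPA key could vouch for far more than its own packages.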

Linux threats by the numbers
The number of “in the wild” threats for Linux-based operating systems is still way lower than threats for Microsoft Windows or Apple OS X. However, the threats are real. For example, Linux-based web servers are constantly under attack. Just to give you some numbers – at SophosLabs we were seeing an average of 16,000-24,000 compromised websites a day in 2013. The numbers don’t look any better today: during the first week of March 2015, we added detection for almost 190,000 new malicious URLs. Of these new malicious URLs, the number of unique malicious domains was over 70,000. This means that, on average, we were recording around 27,000 new malicious URLs per day and over 10,000 malicious domains per day. Canonical, which is one of the most security-aware Linux companies, is also keeping

Improve your Linux security posture
Most Linux distros ship with some advanced security tools, although most of them are hard to configure and therefore prone to misconfiguration. So, if you are a tech-savvy Linux user, you should at least read the basic security guidelines for your Linux distro.