
Open source phishing: A call to arms


Recently, consumer auction giant eBay announced that nearly 1,200 registered eBay users' information was stolen via phishing attacks. That's not shocking. What's shocking is that it's very likely the phishers were using rootkitted Linux boxes. The expectation was that the attacks would come from Microsoft boxes. This time that's not the case.

It was only a matter of time. As Linux becomes more and more popular, the spread of more nefarious uses for the operating system will only grow. And grow. And grow. And what will more than likely happen is the threats will only get worse. Because of the flexibility and power of the OS, the criminals creating the attacks will be able to push the boundaries even farther than what we've seen when the Windows OS is used. The mere thought of this should make those in the business of security quake in their boots. But ultimately what it should do is open the eyes of the Linux developers.

Say, those who develop Sendmail.

There are well-known holes in Sendmail. These holes can be used for many purposes - most of them bad. I would like to think that the developers of such applications would diligently be plugging away at their projects to close all of the known issues before such phishing attacks grow out of control. And they will. And all those fingers that used to point at Microsoft will soon be pointing at Linux.

I myself have had many mail servers set up only to quickly find out they have been blacklisted on Spamhaus or another blacklist. Why? Because Sendmail was not secure. I would think the developers of Sendmail would know this and secure it out of the box. And those configuration options that are site (or domain) specific, why not issue warnings at installation? I have installed numerous applications that, during installation, will give me very specific instructions on locking down the installation. For example, why not, during installation, have Sendmail say something like:

#####################WARNING#######################

PLEASE MAKE SURE TO CONFIGURE YOUR DOMAIN MASKING NAME IN /etc/mail/sendmail.cf. TO DO THIS CONFIGURE THE FOLLOWING AT (OR AROUND) LINE 94:

DjYOURDOMAIN.COM

#####################END WARNING##################

How simple is that? Very.
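A post-install check along these lines could decide when to show that banner. This is an added example, not Sendmail's installer code: the function name check_dj, its exit codes and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Sendmail's own code): warn when sendmail.cf has no usable Dj line.
# In sendmail.cf a line starting with "D" defines a macro; "Dj" defines macro j.
# Exit status: 0 = Dj is set, 1 = missing or still the placeholder, 2 = file unreadable.
PLACEHOLDER="YOURDOMAIN.COM"   # placeholder text from the article's banner

check_dj() {
    cf=$1
    if [ ! -r "$cf" ]; then
        echo "check_dj: cannot read $cf" >&2
        return 2
    fi
    # "#Dj..." is a comment, so only lines that begin with Dj count.
    # The last definition in the file is the one that takes effect.
    value=$(sed -n 's/^Dj[[:space:]]*//p' "$cf" | tail -n 1)
    # Line number of the first Dj line, commented out or not, to point the admin at.
    line=$(grep -n '^#*[[:space:]]*Dj' "$cf" | head -n 1 | cut -d: -f1)
    [ -n "$line" ] || line="none found"
    if [ -n "$value" ] && [ "$value" != "$PLACEHOLDER" ]; then
        echo "Dj is set to $value"
        return 0
    fi
    cat <<EOF
#####################WARNING#######################
PLEASE MAKE SURE TO CONFIGURE YOUR DOMAIN MASKING NAME IN $cf.
TO DO THIS CONFIGURE THE FOLLOWING (FIRST Dj LINE: $line):
Dj$PLACEHOLDER
#####################END WARNING##################
EOF
    return 1
}

# Constructed sample: a freshly installed file where Dj is still commented out.
demo=$(mktemp)
printf '%s\n' '# my official domain name' '#Dj$w.Foo.COM' > "$demo"
check_dj "$demo" || echo "(an installer would stop and wait for the admin here)"
rm -f "$demo"
```
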

Of course that's just the tip of the iceberg. It's time for Linux developers to stop thinking, "Linux isn't vulnerable." It is — and that vulnerability is only going to get worse and worse.

So I guess this is a call to arms to all Linux developers to change your tune about how vulnerable Linux is to attacks. Don't let your ego (or the ego that has surrounded the OS) blind you to the truth. It is vulnerable, but it doesn't have to be. The Linux community at large can work as a collective whole to close the holes that threaten to bring the open source flagship down a peg.

Don't let Microsoft get ahead in the area of security. That would be a sad day.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.
