
Open source phishing: A call to arms


Recently, consumer auction giant eBay announced that nearly 1,200 registered eBay users' information was stolen via phishing attacks. That's not shocking. What's shocking is that it's very likely the phishers were using rootkitted Linux boxes. The assumption was that such attacks would come from Microsoft boxes. This time that's not the case.

It was only a matter of time. As Linux becomes more and more popular, nefarious uses of the operating system will only grow. And grow. And grow. More than likely, the threats will only get worse. Because of the flexibility and power of the OS, the criminals creating the attacks will be able to push the boundaries even farther than what we've seen when the Windows OS is used. The mere thought of this should make those in the business of security quake in their boots. But ultimately what it should do is open the eyes of the Linux developers.

Say, those who develop Sendmail.

There are well-known holes in Sendmail. These holes can be used for many purposes - most of them bad. I would like to think that the developers of such applications would diligently be plugging away at their projects to close all of the known issues before such phishing attacks grow out of control. And they will. And all those fingers that used to point at Microsoft will soon be pointing at Linux.

I myself have had many mail servers set up only to quickly find out they had been blacklisted on Spamhaus or another blacklist. Why? Because Sendmail was not secure. I would think the developers of Sendmail would know this and secure it out of the box. And for those configuration options that are site (or domain) specific, why not issue warnings at installation? I have installed numerous applications that, during installation, give me very specific instructions on locking down the installation. For example, why not, during installation, have Sendmail say something like:

#####################WARNING#######################

PLEASE MAKE SURE TO CONFIGURE YOUR DOMAIN MASKING NAME IN /etc/mail/sendmail.cf. TO DO THIS CONFIGURE THE FOLLOWING AT (OR AROUND) LINE 94:

DjYOURDOMAIN.COM

#####################END WARNING##################

How simple is that? Very.
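As an added example (not from the article or the Sendmail project), here is the kind of post-install check the author is asking for, written as a small POSIX shell function: it reads a sendmail.cf, finds the Dj line (in sendmail.cf, a `D` line defines a macro, so `Dj` sets `$j`, the host's canonical name) and warns when it is missing, still a placeholder, or not fully qualified. The placeholder list and the sample file are constructed assumptions.

```shell
#!/bin/sh
# Added example: a post-install sanity check for the Dj line in sendmail.cf.
# Returns 0 when Dj looks configured, 1 (with a warning on stderr) otherwise.
check_dj() {
    cf="$1"
    # Take the first non-comment Dj line and strip the "Dj" prefix.
    dj=$(grep -v '^#' "$cf" | grep '^Dj' | head -n 1 | sed 's/^Dj//')
    if [ -z "$dj" ]; then
        echo "WARNING: no Dj line in $cf; set DjYOURDOMAIN.COM (around line 94)" >&2
        return 1
    fi
    # Placeholders that an installer should refuse to accept (assumed list).
    case "$dj" in
        YOURDOMAIN.COM|example.com|localhost|localhost.localdomain)
            echo "WARNING: Dj in $cf is still the placeholder '$dj'" >&2
            return 1 ;;
    esac
    # Require a dot so an unqualified hostname is flagged as well.
    case "$dj" in
        *.*) echo "OK: Dj is set to $dj"; return 0 ;;
        *)   echo "WARNING: Dj '$dj' is not a fully qualified name" >&2; return 1 ;;
    esac
}

# Demo on a constructed sendmail.cf fragment (not a file from any real system).
demo=$(mktemp)
printf '# constructed sample\nO LogLevel=9\nDjYOURDOMAIN.COM\n' > "$demo"
check_dj "$demo" || true
rm -f "$demo"
```

Run it against /etc/mail/sendmail.cf after installation; a non-zero exit is the warning the article wants the installer itself to print.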

Of course that's just the tip of the iceberg. It's time for Linux developers to stop thinking, "Linux isn't vulnerable." It is -- and that vulnerability is only going to get worse and worse.

So I guess this is a call to arms to all Linux developers to change your tune about how vulnerable Linux is to attacks. Don't let your ego (or the ego that has surrounded the OS) blind you to the truth. It is vulnerable, but it doesn't have to be. The Linux community at large can work as a collective whole to close the holes that threaten to bring the open source flagship down a peg.

Don't let Microsoft get ahead in the area of security. That would be a sad day.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

7 comments
Steve Durbin

With all the better MTA products available for the platform, sendmail stopped being my fave choice several years ago...and that's from someone who used to run it on the UUCP net. Even if you do want to run sendmail, having any single layer talking to the net is asking for trouble. Sendmail with a proxy in front of it is safer. In today's environment anything not using layered security is asking for trouble. The main difference is that on Linux we have a choice - and can thus make "natural selection" work for us. On Windows you generally don't.

jdclyde

You put a Linux box in place and a Windows box in place. Which one will be exploited first, just sitting there? Now, if you install applications, then they are opening up avenues of attack. And the big difference is, if it is a Windows box, they load on a keystroke logger and get all of your information. If you have a Linux box with a compromised Sendmail config, someone could send an email through your system. Compare this to how many Windows email servers are working as a relay that is forwarding spam. Should Sendmail be secure? Sure. Do I use it? No. We use Domino on Linux and it has been a good combination.

CharlieSpencer

Right or wrong, for years I've heard the argument, "Just wait until Linux is as widely installed as Microsoft. Malware writers will see it as a better target when it's running on more systems." It's a bit ironic to learn the malware writers don't see it as a better malware target, but as a better malware delivery system.

Jaqui

It is the extra apps that have the holes in security. [ your own example of Sendmail shows this ] The OS doesn't include an email server, web server, FTP/SSH/VNC servers. It is the distros that include those. One of the easiest means to secure yourself: go into the configuration of Firefox or SeaMonkey and TURN OFF AUTOMATIC SOFTWARE INSTALLATION. If you want to install a particular addon, turn it on before clicking the install link. Don't allow a site to install an addon easily. I find that Postfix is more secure by default than Sendmail [ not by much, but it is better ] and Postfix can use the Sendmail config files to ease the migration.

Jaqui

As a malware delivery system, the systems open for exploitation to do it are directly caused by MS. If MS didn't "wizard" the configuration and MS admins didn't rely on said wizards, they would not assume that a wizard-configured tool is secure.

jlwallen

I guess I should have been more specific. Sometimes I generalize and say "Linux developers" when what I should be saying is "application A" developers. I know, I know... "Linux developers" actually refers to the Linux kernel developers. As my stepdaughter says, "my bad".

Jaqui

I do see vulnerabilities in the security channels for the kernel and the base system, but not as often as for the applications. :) As well, these vulnerabilities are most commonly reported by the developers of the particular bit of software. [ including applications ] The single largest collection of vulnerable apps is actually cross-platform. Web apps have the worst security design lately. [ Web apps like the scripts running TR, not apps like Sendmail / Apache ]
