November 11, 2014 update:
Part 3 is available.
Part 3 is available.
Yesterday I posted Running a Linux Desktop Does Not Equal Security ending under a heading of Even a
Less-Popular Desktop, on a Less-Popular OS, Does Not Equal Security.
I claimed that the sweet spot of combining a technologically advanced
Linux desktop with the very real security advantage of obscurity is
now over.
This has much to do with your
expectations of who your attacker might be. In other words, your
security model. I hope that your model is evolving as rapidly as the
threat, but there is much evidence, (the failure of various
compliance regimes, such as PCI comes to mind) that in general terms,
security models suffer from significant lag.
For instance, if you are reading this
post, you are likely being targeted by the NSA. I almost certainly
am. While I find this beyond annoying as hell, that doesn't matter in
this context. What matters more is NSA are past masters at traffic
analysis, and are known to target systems administrators, anyone
connected with crypto, and even readers of Linux Journal. That
probably covers the vast majority of my audience, if “vast” is an
appropriate term for a subset of very small set. A sliver of a
sliver, if you will.
The thing is, NSA has the capability,
and are known to exercise it. So, I have to classify an agency of my
own government as an adversary. Insert Grrrr, howls of FUBAR, etc.,
but that is not the point here. At least these Bad Guys are Our Bad
Guys. The United States is not the only nation-state in the world,
and the resources that nearly any nation-state can bring to bear are
huge. Even tiny hermit-kingdoms such as North Korea can field
significant resources, and may have significant reasons, such as a
lack of foreign currency, to do so.
It gets worse when you consider that
organized crime is now building secure commercial exchanges, offering
support for crimeware such as banking trojans, etc.
The resources available to adversaries
have now become large enough that state-, quasi-state, and non-state
threat actors can target even tiny slivers if they judge, for reasons
that seem good to them,
that there is a benefit. A successful attack, even if launched
through a flawed rationale, is still a successful attack. Obscurity
has lost some value. How much depends, again, on your security model.
Back to KDE on Linux
That is quite enough (probably to much)
background. No commentary on overall Linux security, though this
could certainly serve as an example of more widespread problems. That
would be a whole other flight of posts. Let's get specific to KDE on
Linux.
A few days ago, a problem with KDE
Workspace surfaced. The relevant bits of
are (tpyos and all):
An application can gain root priveledges from an admin user with either misleading information or no interaction.
On some systems the user will be shown a prompt to change the time. However, if the system has policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user without any prompts.
This is a code-injection attack,
leading to privilege escalation., and KDE rated the risk as medium
(whatever that means). I have several problems with this.
Some might think that this attack seems
local, as opposed to something that can happen over the wire, hence
not important on a laptop or workstation. The problem with that line
of thought is that modern attacks are chained. The compromise of an
unprivileged user account can be devastating, given how much
sensitive information might be immediately compromised, and the
historic difficulty of knowing the amount and sensitivity level of
compromised data.
The trend is overwhelmingly compromise
of user accounts via the Web browser, commonly the atrocity that is
nearly any Adobe product that will run on Linux, Java plugins, etc.
All the usual suspects, one of which gave me a foothold, albeit as
'only' your unprivileged user account. Because you weren't browsing
the Web as root, because that would be supremely stupid.
Look at the above quote again, and
consider the subtleties of prompting. As an attacker, who now has
your privileges, I can to write into your KDE configuration files. I
can now change the settings of your desktop clock to display time in
something other than your local time zone. In short order, you will
likely notice and be annoyed by this, and reset the time. Your system
is now pwned, and I did not need to raise any sort of prompting
dialog box, which might arouse suspicion. I only had to wait for you
to prompt yourself, and contrary to the KDE alert,
policykit-desktop-privileges was not required.
As a malicious root user, I will now be
much harder to even detect. I'm in your kernel, or writing to
flashable memory on your network card, or whatever. Eradicating me
from your network might involve feeding the system into a shredder.
And yes, you can shred entire systems these days. It's an expensive
but available service. Desperate times, and all that.
Sadly, I Am Not Done Yet
No comments:
Post a Comment
Comments on posts older than 60 days go into a moderation queue. It keeps out a lot of blog spam.
I really want to be quick about approving real comments in the moderation queue. When I think I won't manage that, I will turn moderation off, and sweep up the mess as soon as possible.
If you find comments that look like blog spam, they likely are. As always, be careful of what you click on. I may have had moderation off, and not yet swept up the mess.