Thursday, November 20, 2014

Running a Linux Desktop Does Not Equal Security Part 2

November 11, 2014 update:
Part 3 is available.

Yesterday I posted Running a Linux Desktop Does Not Equal Security ending under a heading of Even a Less-Popular Desktop, on a Less-Popular OS, Does Not Equal Security. I claimed that the sweet spot of combining a technologically advanced Linux desktop with the very real security advantage of obscurity is now over.

This has much to do with your expectations of who your attacker might be. In other words, your security model. I hope that your model is evolving as rapidly as the threat, but there is much evidence, (the failure of various compliance regimes, such as PCI comes to mind) that in general terms, security models suffer from significant lag.

For instance, if you are reading this post, you are likely being targeted by the NSA. I almost certainly am. While I find this beyond annoying as hell, that doesn't matter in this context. What matters more is NSA are past masters at traffic analysis, and are known to target systems administrators, anyone connected with crypto, and even readers of Linux Journal. That probably covers the vast majority of my audience, if “vast” is an appropriate term for a subset of very small set. A sliver of a sliver, if you will.

The thing is, NSA has the capability, and are known to exercise it. So, I have to classify an agency of my own government as an adversary. Insert Grrrr, howls of FUBAR, etc., but that is not the point here. At least these Bad Guys are Our Bad Guys. The United States is not the only nation-state in the world, and the resources that nearly any nation-state can bring to bear are huge. Even tiny hermit-kingdoms such as North Korea can field significant resources, and may have significant reasons, such as a lack of foreign currency, to do so.

It gets worse when you consider that organized crime is now building secure commercial exchanges, offering support for crimeware such as banking trojans, etc.

The resources available to adversaries have now become large enough that state-, quasi-state, and non-state threat actors can target even tiny slivers if they judge, for reasons that seem good to them, that there is a benefit. A successful attack, even if launched through a flawed rationale, is still a successful attack. Obscurity has lost some value. How much depends, again, on your security model.

Back to KDE on Linux

That is quite enough (probably to much) background. No commentary on overall Linux security, though this could certainly serve as an example of more widespread problems. That would be a whole other flight of posts. Let's get specific to KDE on Linux.

A few days ago, a problem with KDE Workspace surfaced. The relevant bits of
are (tpyos and all):

An application can gain root priveledges from an admin user with either misleading information or no interaction.

On some systems the user will be shown a prompt to change the time. However, if the system has policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user without any prompts.

This is a code-injection attack, leading to privilege escalation., and KDE rated the risk as medium (whatever that means). I have several problems with this.

Some might think that this attack seems local, as opposed to something that can happen over the wire, hence not important on a laptop or workstation. The problem with that line of thought is that modern attacks are chained. The compromise of an unprivileged user account can be devastating, given how much sensitive information might be immediately compromised, and the historic difficulty of knowing the amount and sensitivity level of compromised data.

The trend is overwhelmingly compromise of user accounts via the Web browser, commonly the atrocity that is nearly any Adobe product that will run on Linux, Java plugins, etc. All the usual suspects, one of which gave me a foothold, albeit as 'only' your unprivileged user account. Because you weren't browsing the Web as root, because that would be supremely stupid.

Look at the above quote again, and consider the subtleties of prompting. As an attacker, who now has your privileges, I can to write into your KDE configuration files. I can now change the settings of your desktop clock to display time in something other than your local time zone. In short order, you will likely notice and be annoyed by this, and reset the time. Your system is now pwned, and I did not need to raise any sort of prompting dialog box, which might arouse suspicion. I only had to wait for you to prompt yourself, and contrary to the KDE alert, policykit-desktop-privileges was not required.

As a malicious root user, I will now be much harder to even detect. I'm in your kernel, or writing to flashable memory on your network card, or whatever. Eradicating me from your network might involve feeding the system into a shredder. And yes, you can shred entire systems these days. It's an expensive but available service. Desperate times, and all that.

Sadly, I Am Not Done Yet

Once again, this post has gone on for too long, other things need doing, and I haven't even touched on what might be done about the problem. I am going to have to do a Part 3, and yes, I suck as a blogger. Sorry about that. I am trying to suck less, if only because now I will have to edit the entire flight of posts on this topic to include links to updates and/or previous posts. Lack of expertise always carries a penalty.

November 11, 2014 update:
Part 3 is available.

No comments:

Post a Comment

Comments on posts older than 60 days go into a moderation queue. It keeps out a lot of blog spam.

I really want to be quick about approving real comments in the moderation queue. When I think I won't manage that, I will turn moderation off, and sweep up the mess as soon as possible.

If you find comments that look like blog spam, they likely are. As always, be careful of what you click on. I may have had moderation off, and not yet swept up the mess.