Apparently the folks who maintain the UnrealIRC [it's an IRC server - Internet Relay Chat - for gabbing it up with your friends] just noticed that they’ve had remote control software included in the distribution since 2009 and didn’t notice until just now.  Whoops.Apparently the infected software got picked up by at least one major distribution for inclusion in the default package sets.  Double-whoops.

So, it’s a Trojan that sits there and lets as-yet-unidentified bad guys transmit commands to servers running the daemon – those commands get executed in the context of the user running the server.  If you want the technical nitty-gritty, you’ll find it here, but the mechanics of it really aren’t really all that interesting.

What is interesting to me is the impact.   Some folks are suggesting that a false sense of security resulting from using Linux caused it to run undetected for so long.   I’m not sure I entirely agree – I think there are a few factors that contribute to this situation being worse than a malware event on other platforms.

Why?  Well, first of all, because some folks have advocated that anti-malware software is completely unnecessary in a Linux usage scenario.  If you subscribe to this view fully, you’re relying on the ability of the user to appropriately configure and run the platform appropriately – i.e. in a secure fashion.  But when you’re also encouraging the platform as a viable desktop alternative, you have to  understand that there are going to be folks who aren’t tech savvy who are going to run it.  In my opinion, it is irresponsible to on the one hand put technically non-savvy users at the helm and on the other hand tell them not to worry about malware.  It sets them up to fail should something like this occur.

Secondly, as we talked about last week, just because there are “more [potential] eyes on the code” in an opensource scenario, doesn’t mean that someone is actually looking at that code and auditing it.  So, some interesting food for thought here.  There are some lessons to be learned I think about the true nature of malware on the Linux platform.  It’s true that malware authors target it less – but the lack of preparedness that comes about from users not being used to dealing with this type of issue is something that I think we need to learn from.

There’s an interesting reader response on Network World today about an IT shop where the administrators aren’t allowed to use open source software. Apparently, due to “security concerns”, users aren’t allowed to use open source software.  The article itself is ultimately a dodge, in that it points out anecdotal reasons for open source being more secure (using TrueCrypt and PasswordSafe as examples), but really doesn’t dig into the meat of the question that much.

I’ve talked about the question before – about whether or not open source really is or isn’t more secure than closed source.  My conclusion originally was “it depends” – meaning, my belief was that the answer to that question will depend on which open source project you are comparing to which commercial development organization.  But, interestingly, there’s some new academic research out there that can shed some light on the question.  It’s a hell of a read.

So, the paper (entitled “An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software“) and I suggest you read it.  Right now.  Don’t wait.  Because most of us have been “looking it up in our gut” (i.e. not basing our conclusions on data – because data wasn’t available”) Now it is. So go check it out right now.

Check this out:

My theoretical development and empirical results indicate that, compared with closed source soft-
ware, vulnerabilities in open source software: (a) have increased risk of exploitation, (b) diffuse
sooner and with higher total penetration, and (c) increase the volume of exploitation attempts.

Note that he’s not saying that open source is worse from a security perspective vs. closed source (“.. it would be incorrect to conclude that open source is strictly worse for software security.”). What he’s actually saying is that the exploitability distribution differs according to where the project is in the lifecycle. So, exploitation is more pronounced. It’s very interesting reading if you have some time to commit to doing so.

So welcome back from the break! I hope you all had a great new year, and a good season.

So, to kick us off on a new season, I came across an article today talking about the biggest threat to open source security for 2009. In case you don’t feel like reading the whole thing, the point of the article is basically that “most open source lacks update services” and that that represents a huge risk to enterprises.

Now, I can tell what you’re thinking – you’re probably thinking that open source does have update services (rpm, apt-get, yum, etc.) and you’re probably wondering what this guy’s been smoking to write this. I wondered that too at first – and heaven knows I’m not an open source fanboi (I don’t subscribe to the belief that just because you publish the source that it all of sudden means that you have legions of interested and skilled security tested auditing your code for you.) But then I got to thinking about it a little bit and realized that there is a issue underlying it all that bears some thinking about. The article touches on an interesting point – even though it sails right by it to make another point that’s dubious.

Which is that (no matter how much some people might extol the virtues of RPM), keeping some open source software up to date requires a bit of knowledge – in other words, to make sure patches get installed properly, you sort of have to have a vague clue about what you’re doing. Not that you can’t do it, not that any open source project should do anything differently – just that some projects are harder to update than others. Compare that to Windows which – no matter what you say about it – doesn’t really require much skill to keep updated and patched.

And it also begs the ultimate question which is who’s accountable for there being a patch in the first place? In general, most open source communities have a good track record for delivering timely patches (some might even say faster than many commercial software vendors) – but who’s accountable? Will an enterprise have an assurance that they’ll get a patch? Whether or not it gets automagically installed, companies need to know that they’ll get a patch in place – and at the end of the day, they feel less confident when there’s no assurance.

So what’s the bottom line? Is it the case that open source will be chock full of holes in 2009 and get run over by a freight train of malware, trojans, and worms? Doubtful. Will open source users all of a sudden start getting bombarded by “Antivirus 2009″ popups telling them they’re infected? Not likely. But is it the case that admins need to have a higher degree of a clue to keep open source software patched and is it the case the companies are afraid to use it because they want greater accountability? I happen to think so.

Thanks to Diana for the hilarious picture and the suggestions on the edits.

As you may or may not remember, last week I commented that I think we need to rethink whether open source is or is not de facto more secure; if I had but waited a few days to go there, I could have used this article as an example of the kind of think I’m referring to. The article, originally from Infoworld, basically makes a case for why open source security tools are more popular than closed-source ones; however, I think that quite a few of the premises on which the argument is founded require further justification. To see what I mean, take a look at this quote:

Although no OS is truly secure, security tools offered on a Windows platform are immediately suspect, due to well-documented security issues of the underlying OS. Linux, FreeBSD, NetBSD, or OpenBSD-based products have a much better security track record (OpenBSD claims to have had only one remote hole in the default install in more than eight years).

OK, so Windows tools are immediately suspect. Why? The article says it’s because of “well documented security issues” and that other OS’es have a “better track record” but I’m not sure what he means. What metric is he using to quantify this better track record? Is it because of number of vulnerabilities? CERT says that Windows has less. Is it because of some other features of Windows? If so, which ones specifically? The point is that the article doesn’t say – the premise that other OS’es have better security is implied. I don’t buy it; at least, I won’t buy it without further justification.

Now people are going to say that I’m pro-Microsoft, but really the opposite is true. I’m not pro-anybody; in fact, at the house I run a number of different OS’es: OS X, Windows 2003 Server, Solaris on Sparc, and even Windows 98 (since it’s the only thing around that’ll still run Merchant Prince 2.) So I’m pretty much impartial – with the exception that I usually like to see the underdog win (so if anything I guess I lean toward supporting other platforms.) But I don’t agree that “because it does” is acceptable supporting evidence for an argument outlining why Microsoft’s security sucks. Maybe their security sucks and maybe it doesn’t – but I don’t think we can put a stake in the ground one way or the other until we decide on some evaluation criteria and actually do some analysis about it.

Look, I’ve used nessus and nmap professionally – on Linux if you’re curious – but the reason for that has nothing to do with better security… It has to do with the fact that nessus is free, it provides about the same level of value as commercial scanners, and it doesn’t run on Windows (until the 3.0.3 beta, that is.) If it ran on Windows, I’d use it on Windows. So at least in my case, the reason I use nessus has nothing to do with the (in)security of the OS – it has to do with what OS the tool supports (and please don’t mention NeWT).

Did you know that for quite a long time, individuals believed that living creatures could just magically appear out of thin air? It’s true. Up until the middle ages, folks believed that things like mold, maggots (ewww), and mice would just “pop” into existance from other substances like rotting meat and old bread. The theory was called Spontaneous Generation, and if you think about it, it makes sense: you put a piece of bread out on the table and watch it for a while. Magically, the bread “turns to mold”. Amazing. Mystical, even. Nowadays we know that there is more going on behind the scenes that accounts for the mold, but they didn’t know that then.

So where am I going with this? I was reading with interest Klocwork’s analysis of Firefox over at their blog (always interesting reading, by the way.) The background story is that Klocwork ran their source-code analysis tool on Firefox and found a bunch of (potential) programming issues. Now, of course there was a bunch of static in the comments from individuals on both sides of the “are these really issues” side of the fence, and I don’t really have an opinion on that one way or the other. However, it was one of the comments that really got me thinking. Here’s the comment, from an individual going by “clover”:

Actually I do find Firefox to be more secure than IE. Since it’s open source it is easier to audit because you don’t have to reverse engineer it. So far the Mozilla team has been good about fixing vulnerabilies as they arise, compared to Microsoft’s speed in handling these issues…

So that’s the traditional wisdom, right? Open source is easier to audit, ergo it is less likely to have vulnerabilities. But as we know, just because something is a widely held belief (like spontaneous generation) doesn’t mean it’s true; after all, if nobody re-evaluated the assumptions about where bread mold comes from, we’d still all think that it appeared by magic. So is this traditional wisdom true? For a long time, I thought it was. But now I’m starting to reconsider.

Why am I reconsidering this basic premise? Because I have yet to come across anybody except vendors like Klocwork (and to be fair Coverity and others) as well as the occassional researcher (HD Moore comes to mind) who actually do any auditing… No, it’s true: I’ve worked in a broad cross-section of the industry and I can say with experience that I have yet to find anybody who’s doing this seriously: the feds aren’t doing it, industry isn’t doing it, academia isn’t doing it. Who is? Researchers? Researchers only audit code to the extent that it gets them props (trust me, I speak as an ex-researcher) – and the biggest props correspond to the most popular software. So researchers aren’t necessarily auditing open source tools more. So where is all this auditing happening?

Look, if I use an open-source product like Firefox (which I happen to use by the way – because I like tabbed browsing, not for any security reason) instead of IE, does that mean I’m more secure? Maybe, maybe not. What about if I use an open-source browser that’s less popular like Konqueror? Does the fact that it’s open source de facto mean that more people have audited the code just because they have the ability to do so? I think if we think about it logically that we’d have to say “no”. Now I’m not saying that Firefox isn’t more secure than IE (or vice versa by the way), but I am saying that the statement that it’s more secure because it’s open source needs some more justification than a perceived increase in eyes on the code…