Re: [malware-list] Threat model for Unix Computers

From: Peter Dolding
Date: Fri Aug 08 2008 - 18:27:01 EST


On Fri, Aug 8, 2008 at 8:48 PM, Jörg Ostertag <Joerg.Ostertag@xxxxxxxxx> wrote:
> On Wednesday, 6 August 2008 03:44, Theodore Tso wrote:
>> On Tue, Aug 05, 2008 at 08:46:00PM -0400, Rik van Riel wrote:
>
> ...
>
> I'm trying to fill in some other threat models, not all directly related to
> virus scanning, but if we want to get a complete anti-threat model for Linux,
> we should take them into account too.
> In addition I'll add some usage scenarios for later extracting some threat
> scenarios ...
>
> Desktop-Users:
> ----------------------
>> The Linux Desktop (where clueless users may be tricked into
>> running malware).
>
> I would add the chance of users exporting their locally stored files via CIFS,
> SMB, HTTP, ... for accessing them with their beloved streaming clients.
>
> Speaking of exporting files from a desktop PC, we should also take into account
> file-sharing clients.
>
> Some more examples of a desktop user's desires would be:
> - copying files to/from their PDA (BT, USB, WLAN)
> - sharing their internet connection with their PDA (BT, USB, WLAN)
>
> Other threats would be:
> - giving access to the desktop PC to guest users for
> "just let me look up something on the internet"
> and the guest user on the desktop not informing about the (in his point of
> view) urgent installation of their beloved
> browser-malware^H^H^H^H^H -adware ^H^H^H^H^H -extension
>
> For all the files stored on the desktop PC we should also take into account
> that the paranoid desktop user would store them inside an encrypted
> device/container. Some examples would be: truecrypt container/partition,
> external encrypted hard drive, ...
>
> ... speaking of storing files, I would expect even desktop home users to store
> their files on a local mini file server (like a Fritz-Box, NSLU2, ...) to
> share them with other devices like multimedia players, ...
>
> Notebook-Users:
> ------------------------
> And then we have the Linux notebook users. I separate these from the desktop
> users, because they will have most of the scenarios for desktop users plus
> some additional threats.
> - connecting to random access points (airports, hotels, ...)
> - exporting their wireless (BT, WLAN, UMTS, ...) to random people, sometimes
> willingly, sometimes unwillingly
> - leaving their notebooks unattended
>   - without BIOS password
>   - without HDD encryption
>   - without boot-manager password
>   - without screen lock
>   - ...
>
> Linux Desktops in public places:
> --------------------------------------------
> I'm thinking of Linux desktop PCs in places like Internet cafés,
> public libraries, schools, ...
> These would be similar to the standard Linux desktop but adding some
> additional threats.
> - willingly trying to attack the PC with physical access to
>   - CD-ROM
>   - USB devices
>     - USB stick
>     - card reader
>   - network cable
>   - floppy drive (if still existing)
>   - reset button
>
>
>> The Linux File Server (where it is *highly* unlikely to have
>> active running malware, since there are no clueless
>> users running on said file server), but where malware
>> may be stored and read over CIFS, NFS, etc.
>
> Maybe it "was" unlikely, but you can see more and more
> (now) Unix administrators who were originally used to other operating systems and
> have a different view of security. So it would be nice if we were able to
> protect these users/admins/installations too.
>
> Mail-Proxy:
> --------------
>> The Linux Mail server is really a restricted case of the Linux
>> Fileserver; where the only way in is SMTP, and the
>> only protocol out is IMAP/POP.
>
> I would add SMTP for the outgoing channel too.
>
>
> Web-Proxy:
> ----------------
> Only to complete the list:
> The Linux web proxy is another example of a Linux server.
> The way in would be HTTP traffic (mostly over ports
> 80 and 443) and the way out will be either over a shared
> proxy port or offered transparently if the Linux machine is used
> as a router.
>
> In my opinion all good web proxies with a scanner already provide a pretty good
> solution here.
>
>
Software Conflicts
------------------------
Anti-virus software conflicting with other security software. This is
a design issue on Windows and in some of the hooks different companies
have tried to develop for the Linux world.

Linux systems can have HIDS and other non-anti-virus monitoring
software. On Windows, real-time scanning can be crippled if you
install two anti-virus products at a time, due to them stuffing up each other's hooks.
We need to avoid this on Linux. There is more that will want to
monitor the same things as an anti-virus on Linux, looking for different
kinds of problems. Yes, the first platform where one alone running does
not cut it.

Peter Dolding
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
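A defender-side posture check for three of the notebook-user gaps listed in the quoted thread (no HDD encryption, no boot-manager password, no screen lock), added here as an example and not code from the thread or its participants. It assumes a dm-crypt device visible to `lsblk`, a GRUB 2 `grub.cfg`, and GNOME's `org.gnome.desktop.screensaver lock-enabled` key; the missing BIOS password cannot be checked from inside the OS.

```shell
#!/bin/sh
# Added example, not from the thread: posture checks for three of the
# notebook-user items quoted above (HDD encryption, boot-manager password,
# screen lock). A BIOS password cannot be verified from inside the OS.
# Each check takes its input as text, so it runs offline on constructed
# data; audit_host feeds it live command output.

# Input: output of `lsblk -rno NAME,TYPE`. Succeeds if a dm-crypt device exists.
has_crypt_device() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Input: grub.cfg text. Succeeds if GRUB 2 defines superusers and a hashed password.
grub_has_password() {
    printf '%s\n' "$1" | grep -q '^set superusers=' &&
        printf '%s\n' "$1" | grep -q 'password_pbkdf2'
}

# Input: output of `gsettings get org.gnome.desktop.screensaver lock-enabled`.
screenlock_enabled() {
    [ "$1" = "true" ]
}

# Live audit of this host, one line per finding. grub.cfg is usually readable
# only by root, so the boot-manager check is skipped when it cannot be read.
audit_host() {
    if command -v lsblk >/dev/null 2>&1; then
        has_crypt_device "$(lsblk -rno NAME,TYPE 2>/dev/null)" \
            && echo "HDD encryption: dm-crypt device present" \
            || echo "HDD encryption: MISSING (no crypt device)"
    fi
    for cfg in /boot/grub/grub.cfg /boot/grub2/grub.cfg; do
        [ -r "$cfg" ] || continue
        grub_has_password "$(cat "$cfg")" \
            && echo "boot-manager password: configured in $cfg" \
            || echo "boot-manager password: MISSING in $cfg"
    done
    if command -v gsettings >/dev/null 2>&1; then
        lock=$(gsettings get org.gnome.desktop.screensaver lock-enabled 2>/dev/null || true)
        screenlock_enabled "$lock" \
            && echo "screen lock: enabled" \
            || echo "screen lock: MISSING or unknown"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh posture.sh --audit` on the notebook to print the live findings; the three check functions can also be fed saved command output from another machine.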