Linux security (was Re: [clug] Witty worm a wake up call)

Tony and Robyn Lewis beakysnugger at yahoo.co.uk
Mon Jun 7 10:38:01 GMT 2004


On Mon, 2004-06-07 at 13:58, Michael James wrote:
> An article in Computerworld has some interesting points, 
>  that change some of my thinking
>  about the damage a Linux worm could do.

I'm interested in chatting about this some more...

I postulate to myself that the greatest security risk to me as a home
user of Linux, permanently on the net, is being duped into running some
malicious app that then installs a keylogger, captures my password as I
sudo for a command, and sends it away.  Or he sniffs my internet banking
details.

Then Mr Nasty can log in, and even sudo to root.  Then anything is
possible.

I consider the chances small.  I usually install debian packages, and
most of them are official.  But here are two questions I've tried googling
for, but haven't got a good answer to:

1. how easy is it to keylog in Linux, assuming privileges of the user
you're trying to log?  I just tried firing up two xterms, and got as far
as running "cat /dev/pts/2 | tee /dev/pts/2" in one that the other was
using.  I saw my text in both windows, but <CR> was broken, and any
commands weren't actually executed.

Going further would probably be something like strace, which I just
did.  Did much better - I could see that it was responding to each
character, and it even looks like the characters for me entering my sudo
password.  Maybe all it would take is to modify strace (or use similar
libraries) and you've got a pretty silent key sniffer.

2. how easy would it be to rigorously test to see if you're being
sniffed?  Could you reasonably expect to see, say, how many processes
get your keystrokes (e.g. X -> shell -> some app), and then have a good
indicator as to whether you're being sniffed?

Am I right to waste braincells and listspace on this?  Or am I talking
brown facts?

Aside, lower on the postulated risk list, I consider:
- accidental remote exploits in Apache or sshd, etc
- malicious remote exploits / backdoors in any number of the packages
I've installed (but being open source developers, they're all good guys,
right?)

Tony Lewis
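The strace experiment above works because strace attaches to the target with ptrace, and the kernel records that attachment in the TracerPid field of /proc/<pid>/status. So one concrete answer to question 2 is to walk /proc and report every process that currently has a tracer. The script below is an added example written for this page, not code from the original post; it assumes a Linux /proc layout with a "TracerPid:" line in each status file. The proc root is a parameter (defaulting to /proc) so the same functions can be pointed at a constructed directory for offline testing.

```shell
#!/bin/sh
# Added example: find processes that have a ptrace tracer attached, which is
# how strace (and an strace-derived keystroke sniffer) hooks into a process.
# Reads the TracerPid field from <proc_root>/<pid>/status on Linux.

# Print the TracerPid of process $1, reading from the proc tree $2 (default /proc).
# Prints 0 (or nothing) when the process is not traced or does not exist.
tracer_pid() {
    pid="$1"
    proc_root="${2:-/proc}"
    awk '/^TracerPid:/ { print $2; exit }' "$proc_root/$pid/status" 2>/dev/null
}

# Print the "Name:" field of process $1 from proc tree $2, or "unknown".
proc_name() {
    pid="$1"
    proc_root="${2:-/proc}"
    name=$(awk '/^Name:/ { sub(/^Name:[ \t]*/, ""); print; exit }' \
               "$proc_root/$pid/status" 2>/dev/null)
    printf '%s\n' "${name:-unknown}"
}

# For every traced process in proc tree $1 (default /proc), print one line:
#   <tracee pid> <tracee name> <tracer pid> <tracer name>
# Returns 0 when nothing is traced, 1 when at least one tracer was found.
list_traced() {
    proc_root="${1:-/proc}"
    found=0
    for status in "$proc_root"/[0-9]*/status; do
        # An unreadable or non-existent file (e.g. the glob did not match) is skipped.
        [ -r "$status" ] || continue
        tracee=$(basename "$(dirname "$status")")
        tracer=$(tracer_pid "$tracee" "$proc_root")
        case "$tracer" in
            ''|0) continue ;;
        esac
        printf '%s %s %s %s\n' \
            "$tracee" "$(proc_name "$tracee" "$proc_root")" \
            "$tracer" "$(proc_name "$tracer" "$proc_root")"
        found=1
    done
    return $found
}

# When executed directly, scan the live tree (override with PROC_ROOT=/path).
if list_traced "${PROC_ROOT:-/proc}"; then
    echo "no ptrace-attached processes found"
fi
```

A positive hit looks like "4242 bash 4300 strace": your shell is being traced by a process called strace. Note what this does and does not cover: it only sees ptrace attachments, so a sniffer that hooks read() via LD_PRELOAD, a patched terminal emulator, or a keystroke grabber sitting at the X server level would not appear, and an attacker who already has root can hide from /proc entirely. It is a cheap check for the specific strace-style attack the post describes, not a general answer to "is anything seeing my keystrokes".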
