At BSides last weekend, I attended a talk by Matthew Arnold about the relative security of various Linux distributions. One of the focus points of the talk was Linux Mint, which I have been using on my personal machines for several years.
At first I assumed that the reason for that focus was the tie-in with this story from February about how the Mint download site had been compromised. That intrusion resulted in a brief time – several hours – where the .ISO files you’d get to install or try Mint were Trojaned. Since the web page sending you to those files was itself defaced, MD5sums were also published that “validated” the malicious files. Good times.
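The checksum point above, in code, as an added example that is not from the original post or from the Mint project. It models the incident: the image and the MD5 list both came from the defaced page, so a matching MD5 only proves the attacker was consistent, while a SHA-256 pinned from a channel the web server cannot rewrite (a signed release file fetched earlier, a mirror under different control) catches the swap. The file contents, the "published" MD5 and the pinned digest are all constructed here, and the function names are mine; on a real system the same idea is `sha256sum -c` against a list whose `gpg --verify` succeeds with a key you already held.

```python
"""Verifying a downloaded image against an out-of-band trust anchor.

Added example (not from the original post or from Linux Mint). The
stand-in file contents and digests below are constructed for
illustration only.
"""
import hashlib
import hmac

# Constructed stand-ins for the real artifacts.
GENUINE_ISO = b"genuine linux mint image bytes (constructed)"
TROJANED_ISO = b"genuine linux mint image bytes (constructed) + backdoor"


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def check_against_same_page(iso: bytes, published_md5: str) -> bool:
    """The check most users did: compare the download to the MD5 sum
    printed on the very page that served the download."""
    return hmac.compare_digest(digest(iso, "md5"), published_md5)


def check_against_pinned(iso: bytes, pinned_sha256: str) -> bool:
    """Compare to a SHA-256 obtained through a channel the web server
    cannot rewrite (assumed here to have been recorded before the
    intrusion)."""
    return hmac.compare_digest(digest(iso, "sha256"), pinned_sha256)


# Trust anchor captured out-of-band, before the defacement (constructed).
PINNED_SHA256 = digest(GENUINE_ISO, "sha256")


def simulate_defaced_page():
    """Attacker controls both the file and the hash list on the page,
    so the MD5 it publishes matches the trojaned image."""
    return TROJANED_ISO, digest(TROJANED_ISO, "md5")


def verify_download(iso: bytes, page_md5: str, pinned_sha256: str) -> dict:
    """Run both checks and report each result separately."""
    return {
        "same_page_md5_ok": check_against_same_page(iso, page_md5),
        "pinned_sha256_ok": check_against_pinned(iso, pinned_sha256),
    }


if __name__ == "__main__":
    iso, page_md5 = simulate_defaced_page()
    print(verify_download(iso, page_md5, PINNED_SHA256))
    # {'same_page_md5_ok': True, 'pinned_sha256_ok': False}
```

The same-page check passes on the trojaned file, which is exactly what happened in February; only the pinned digest fails it. The algorithm choice matters less than the channel: an MD5 from an independent source would still have caught this swap, and a SHA-256 from the defaced page would not have.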
Arnold, however, presented an argument that this issue, however serious, was merely a visible manifestation of some much more fundamental issues with how “smaller distributions” (his term) such as Mint are managed. Now, if you’re wondering how the most popular Linux download in the world qualifies as a “smaller distribution,” welcome to the club: that was my exact question. It turns out that what is “small” about Mint is the scope of the organization running it, and its IT operation. Specifically, they have a single server that hosts builds, downloads of distribution .ISOs, package repositories and the public-facing website. So once the attackers had the web server, they had the entire thing. Game over.
Larger Linux distributions have an elaborate hierarchy – especially when you consider these are primarily volunteer organizations. When there’s an emergent security issue, people respond and start working on it within hours, since someone is awake and available, somewhere in the world, at all times. Mint is much smaller in this respect, too. One source told me “three people” are the whole team. Even if that is not exact, we’re probably not talking about hundreds or thousands. The amount of attention that can be focused on any one issue is necessarily lessened by running a Linux distribution on a shoestring, or as a hobby. This TechRepublic article gets deeper into this issue.
As for me, I will be rebuilding our two remaining Mint machines this weekend: one on Ubuntu 16.04 LTS and the other on Debian 8. If I feel any further hankering for Mint, I will get a box of Altoids.
It’s finally here, hooray! Where else can you get thirty-some people in a room at 10 AM on a Saturday to hear a talk on The Economics of Information Security?
Rochester is the geekiest place in the world, per capita.
Malvertising is the serving of malware through the ads that come along with much Web content. Creating and pushing malicious ads allows criminals to reach readers of many high-profile websites without the muss and fuss of defeating the security features of those same websites. Why hack their pages to deliver the malicious content when you can get an open invitation as an advertiser?
Since much web advertising is still allowed to be delivered as Flash, and since Flash remains what can only be described as a festering snakepit of vulnerabilities, attacking website readers this way is almost too easy. This is one of the main reasons I run an ad blocker. The facts that ad-blocked web pages load in well under half the time, and that the browser uses less than half the system resources it otherwise would, are pure gravy.
Some sites are pleading with you to turn off your ad blockers. In January, a Forbes Magazine website plea to disable the ad blocker was followed within milliseconds by a steaming pile of malware, delivered straight from those ads. The New York Times and my beloved Onion were also affected within the past year. Today I saw a report that most of the Netherlands’ most popular sites have been hit by similar attacks, potentially infecting millions without ad blockers or other deeper and possibly more intrusive countermeasures.
Until sites that are the clients of these ad networks create some pressure on them to lock down their S*, this will go on. And savvy web users everywhere will continue to use ad blockers.
As for me, my refusal to disable my blocker or whitelist random sites that demand it is absolute. If their pleas are only speed bumps, I click past and read anyway. If they refuse to serve me content without ads, I move on and find what I want somewhere else. There is always somewhere else.
UPDATE, Sep 15: Removed link to AdBlock Plus. See here for why.
I am starting a new adventure tonight: teaching information security to a community group.
I consider it my mission to make enterprise information risk management principles something that “just plain folks” can put into practice.
Threat assessment, vulnerability management and asset valuation are all possible at any scale. And with those three things we have a risk profile, right? So why doesn’t this happen more?
I will be updating here as I move into this new phase of my “life’s work.”
You might remember last May when I wrote about Warrant Canaries. Well, sometime since October, Reddit’s has fallen off the perch and stuck its tiny feet in the air (and no, it’s not pinin’ for the fjords).
Ars Technica reported yesterday that this statement:
As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed.
— present in Reddit’s Transparency Report published last year covering 2014 — was missing from the new 2015 edition, published yesterday. Reddit CEO Steve Huffman, known on the site as “spez,” wrote: “I’ve been advised not to say anything one way or the other.”
Which, of course, says it all.