We are well into the 21st century, but it is astonishing how people can still believe that Linux-based operating systems are completely secure. Indeed, “Linux” and “security” are two words that you rarely see together.
Just as some people believe Macs are immune to viruses, some Linux users have the same misconception – and who can blame them? After all, vendors have been telling them that for years.
In 2012, after an exponential rise of OS X malware (such as MacDefender and Flashback), Apple decided to change its homepage by removing sentences like “It doesn’t get PC viruses.”
“It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.”
Only recently, Red Hat also decided to (finally) remove the label “virus-free” from the feature overview of Fedora Linux.
“Virus- and Spyware-Free. No more antivirus and spyware hassles. Fedora is Linux-based and secure.”
Linux users are not OS X users, although when it comes to security many of them have the same misconception that the latter had a few years ago.
So, let’s destroy four common urban legends about Linux security.
1 – Linux is invulnerable and virus-free.
“Linux is virus-free.” What does it even mean? Even if there were no malware for Linux – and that’s not the case (see for example Linux/Rst-B or Troj/SrvInjRk-A) – does this mean it is safe? Unfortunately, no.
Nowadays, the number of threats goes way beyond getting a malware infection. Just think about receiving a phishing email or ending up on a phishing website. Does using a Linux-based operating system prevent you from giving up your personal or bank information? Not at all.
And what about Heartbleed or Shellshock, or any other vulnerability of your choice? No, no system is invulnerable.
2 – Virus writers do not target Linux because it has a low market share.
Well, if it is true that Linux distributions (distros for short) have a low market share in the desktop landscape, the same cannot be said for other markets.
In the server landscape, Linux distros have almost 40% of the market share, while they hold a near-monopoly on supercomputers.
Finally, in the mobile landscape, Linux-based Android has the majority of the market share. According to Hugo Barra (Google’s Android VP of product management), in May 2013 there were 900 million Android devices.
3 – Windows malware cannot run on Linux.
Not exactly, truth be told. Although their number is still pretty low, there are more and more cross-platform threats. This is due to the multi-platform frameworks that are nowadays also available under Linux, such as Adobe Flash and Reader, Java, JavaScript, Perl, PHP, Python, Ruby, etc.
Just to give an example, in July 2012, we wrote about a multi-platform backdoor named Troj/JavaDl-NJ, which also runs on Linux.
Furthermore, Linux servers are often used to harbor Windows malware. When you click on a malicious link, the likelihood is that it directs you to a Linux server.
4 – On Linux you install software from software repositories, which contain only trusted software.
Besides the fact that social engineering is not the only way to get a malware infection, are you completely safe just because you use software repositories?
Let’s just take an example and search “How to install Java on Ubuntu.” You will immediately find tens or hundreds of step-by-step guides that suggest you add a particular PPA repository in order to install the latest version of Oracle Java (and as with Java, you will see the same pattern for many other software packages).
$ sudo add-apt-repository ppa:…
But who is the maintainer of those repositories? This clearly depends on the link you opened and on the repository that is suggested. But, in the case of Java, it is not Oracle itself. Which means that you do not really know if it’s a legitimate or a malicious repository.
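To see which third-party repositories a machine already trusts, the following added example (not part of the original post) lists every enabled APT source whose host is not a distribution archive; it goes beyond PPAs to cover any third-party source in both the one-line and deb822 file formats. The `TRUSTED_HOSTS` list, the function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list enabled APT sources whose host is not one of the
# distribution archive hosts, so that each one can be reviewed by hand.
# TRUSTED_HOSTS is an assumption: set it to the mirrors you actually use.
TRUSTED_HOSTS="${TRUSTED_HOSTS:-archive.ubuntu.com security.ubuntu.com ports.ubuntu.com}"

# audit_apt_sources DIR
# Prints "file<TAB>host<TAB>uri" for every enabled entry found in
# DIR/sources.list, DIR/sources.list.d/*.list (one-line format) and
# DIR/sources.list.d/*.sources (deb822 format).
audit_apt_sources() (
    dir="${1:-/etc/apt}"
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list \
             "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        awk -v trusted="$TRUSTED_HOSTS" -v file="$f" '
            BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
            function report(uri,   host) {
                host = uri
                sub(/^[a-z+]+:\/\//, "", host)   # drop the scheme
                sub(/\/.*/, "", host)            # drop the path
                sub(/^[^@]*@/, "", host)         # drop any userinfo
                sub(/:[0-9]+$/, "", host)        # drop any port
                if (!(host in ok)) printf "%s\t%s\t%s\n", file, host, uri
            }
            # deb822 stanzas are buffered because "Enabled: no" may follow "URIs:".
            function end_stanza(   k) {
                if (!disabled) for (k = 1; k <= nu; k++) report(u[k])
                nu = 0; disabled = 0
            }
            /^[ \t]*#/ { next }                  # commented-out entries are inactive
            /^[ \t]*$/ { end_stanza(); next }    # a blank line ends a deb822 stanza
            # One-line format: deb [option=value ...] URI suite component...
            $1 == "deb" || $1 == "deb-src" {
                i = 2
                if (substr($i, 1, 1) == "[") {
                    while (i <= NF && substr($i, length($i)) != "]") i++
                    i++
                }
                if (i <= NF) report($i)
                next
            }
            tolower($1) == "uris:"    { for (i = 2; i <= NF; i++) u[++nu] = $i }
            tolower($1) == "enabled:" && tolower($2) == "no" { disabled = 1 }
            END { end_stanza() }
        ' "$f"
    done
)

# make_sample_dir: writes constructed sample files (not real repositories)
# into a temporary directory and prints its path.
make_sample_dir() (
    d=$(mktemp -d) && mkdir "$d/sources.list.d" || exit 1
    cat > "$d/sources.list" <<'EOF'
deb http://archive.ubuntu.com/ubuntu jammy main universe
deb http://security.ubuntu.com/ubuntu jammy-security main
# deb http://old.example.invalid/ubuntu jammy main
EOF
    cat > "$d/sources.list.d/java.list" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://ppa.launchpadcontent.net/example-owner/java/ubuntu jammy main
EOF
    cat > "$d/sources.list.d/vendor.sources" <<'EOF'
Types: deb
URIs: https://repo.example.com/apt
Suites: stable

Types: deb
URIs: https://disabled.example.com/apt
Suites: stable
Enabled: no
EOF
    printf '%s\n' "$d"
)

# Demo on the constructed data; on a real system run: audit_apt_sources /etc/apt
sample=$(make_sample_dir) && audit_apt_sources "$sample"
rm -rf "$sample"
```

Each line of output is a repository whose packages can run maintainer scripts as root at install time, so the owner behind each listed host is worth confirming before the entry stays enabled.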
Linux threats by the numbers
The number of “in the wild” threats for Linux-based operating systems is still way lower than threats for Microsoft Windows or Apple OS X.
However, the threats are real. For example, Linux-based web servers are constantly under attack. Just to give you some numbers – at SophosLabs we were seeing an average of 16,000-24,000 compromised websites a day in 2013.
The numbers don’t look any better today: during the first week of March 2015, we added detection for almost 190,000 new malicious URLs. Of these new malicious URLs, the number of unique malicious domains was over 70,000.
This means that, on average, we were recording around 27,000 new malicious URLs per day and over 10,000 malicious domains per day.
Canonical, which is one of the most security-aware Linux companies, is also keeping a (not so up-to-date) list of Linux malware: https://help.ubuntu.com/community/Linuxvirus
Improve your Linux security posture
Most Linux distros come with some advanced security tools (although most of them are often pretty hard to configure – in other words, prone to misconfiguration).
So, if you are a tech-savvy Linux user, you should at least look at the basic security guidelines of your Linux distro.
Ubuntu: https://wiki.ubuntu.com/BasicSecurity
openSUSE: https://activedoc.opensuse.org/book/opensuse-security-guide
Fedora: https://fedoraproject.org/wiki/SecurityBasics
Arch: https://wiki.archlinux.org/index.php/security
CentOS: http://wiki.centos.org/HowTos/OS_Protection
Sabayon: https://wiki.sabayon.org/?title=En:Security
I’ll be offering some security tips to protect your Linux desktops and servers in another blog post in the coming days – so make sure to follow our blogs and keep up to date with Sophos, SophosLabs and Naked Security on social media.
Sophos Antivirus for Linux
Do you need antivirus on your Linux machines? In a word: yes.
One common objection to installing antivirus is that it can affect the machine’s performance. Fortunately, Sophos Antivirus for Linux has a small footprint and minimal impact on system speed. Basically, you won’t know it’s there – except, of course, when it detects and blocks a threat from infecting your machine or spreading to your users’ workstations.
Best of all, Sophos Antivirus for Linux is available now for FREE. Go try it out.
Paolo Rovelli works in SophosLabs as a software engineer in the systems development team.
Anonymous
why does downloading the firewall require my email address …..
Anonymous
So, they could use it to market materials to you.
Paul Ducklin
We email you your licence code, actually :-)
tuxun
ok, maybe… So why is there a license code on a free product (if the goal is not to grab our e-mail address for targeted marketing usages)? As a Linux tools user, I can’t waste time to register on a website each time I install a new to(y)ol. Have you done such same thing for using apache, sql, php, firefox, vlc, libreoffice, your keyboard, your screen, your pen, your car?
Paul Ducklin
Seriously? You’d begrudge us sending you an email to tell you about our other products in return for a free licence to use our Linux product at home or at work?
I’m no fan of unsolicited email but when there is a quid pro quo, I can handle it. For example, if Heathrow Airport wants my email address in return for free Wi-Fi while I am waiting for my flight, I can live with that. They’ll send me one ad, not particularly intrusive; I’ll click unsubscribe; and that’s that.
I respect your choice not to use our product, but am not going to apologise because Sophos asks users to register for the download. If you don’t have time to put in your email address, then you don’t have time, and that’s that. (Ironically, it would probably have been quicker than writing to complain about the time you would have wasted :-)
pieter
You can also use a trash-mail. People, especially linux users are paranoid.
Hank Ramos
Many of us appreciate companies like Sophos that put out free versions of their software. Thank you!
Anonymous
alongside with that…
Anonymous
My Keyboard, screen, pen costs money.
My car not only costs money, but needs a lot more than just an email to be registered.
Keep up the good work Sophos. Plenty of people appreciate your efforts.
Lickdeez Nutz
Exactly
Sophos you have no need for anyone’s email address so you can give them a “license code” to identify them and match it to an email address.
You have so many people snowed the same way google and microsoft do it.
Mountain Dew
“Does using a Linux-based operating system prevent you from giving up your personal or bank information? Not at all.”
How does any OS prevent that? Completely unrelated.
“Virus writers do not target Linux because it has a low market share.”
You mean desktop market share. On the servers market share (where the really important stuff is done), Linux is the king.
Anonymous
Hey smart one, He said that in the next sentence!
V-2
Well, you’re encouraging your readers to familiarize themselves with “basic security” guidelines for their distros, but the ones for Ubuntu command them quite explicitly: “do not install antivirus, as you *really* don’t need it in Linux; unless you share files with Windows” and assure that “at the time of writing, there are no known viruses on the big bad web designed to target Linux. A few targeting Windows can execute in a manner that could allow compromise of a Linux system via an interpreter layer like Wine”. For what it’s worth, the time of writing (“last edited”) is 2012.
Anonymous
It could be possible for malware to be cross-platform. But that doesn’t mean it would work in all the OSes, e.g. say a Windows virus deletes all the files in c:/windows/system32. In Linux, there is no system32.
It seems to me, you’re trying to trick people into buying your software (I know, it’s free. But Sophos gains clearly something out of it, because it’s not open source!)
Anonymous
i would say “good job” for trying to look smart.. but no, not really. As if someone writing a payload to be cross-platform wouldn’t add the simplest ‘if/then’ to say ‘if windows, delete \windows\system32, else delete /boot’ smh.
Anonymous
The difference is not so much file paths, rather, underlying system differences… Super easy to escalate privileges on Windows, not so easy on Linux. It’s not a simple if/then, buddy. I can tell you know little about Linux. If something deleted /boot, who cares… Live boot and copy back… Antivirus is useless on Linux as malware does not function the same way.
bBoy
1.It’s not so easy, but possible to escalate privileges in linux.
2.Windows too has startup repair & repair through live usb.
3.You have to figure out the virus, a pain in the ass for the less tech savvy.
4.WIndows has ready AVs to do the cleaning for you,
I am writing this not because I hate linux, but because I love it and want it to be more secure for the average desktop joe & not just a hairy sys admin nerd.
Anonymous
With so many Linux distros, it is hard to disregard the possibility that some of them by default have features, intentionally built in by their creators, to perform malevolent, hardly detectable functions, without the knowledge of a user. Privacy issues that have been raised regarding Windows 10, can hardly be surprising, given the prominence of the most popular desktop system but more obscure (even more popular distros) might never raise any suspicion among less tech-savvy users.
Not Sure
Our Linux teacher was mistakenly handing out viruses to all the students in our class.
He didn’t know he was carrying viruses, as he used no antivirus, so when he was handing us software with distros to test, pretty much everyone’s laptop in the class got infected.
When I complained, he agreed it was likely his doing by mistake (he wasn’t affected by the virus himself), so was unaware, but it just goes to show that everyone needs Anti-virus software. He became the Linux repository for viruses, so to speak.
Just like a human body with no immune system, if you run into a virus that could affect you, you will be completely naked to it.
It’s common sense…
Anonymous
I agree with you. One great way for the teacher in question is to use an older, cheap machine booted up with a live Linux-based rescue disc (ClamAV, Sophos, AVG, Avira, Bitdefender, Kaspersky, etc.) to scan and clean any media containing software he wants to hand out.
I feel for him as I had this happen at a second hand computer store my friend owned. I helped out installing software on refurbished machines. As my system is Ubuntu, all those viruses (not downloaded by me btw but already present on the USB drives I was using) didn’t get run. I should have known better and scanned the drives before sticking them into Windows machines.
Still, installing antivirus software on your own Linux system, that’s just unnecessary. Use a live distro built for it so you use most resources to scan for viruses without losing capacity to having to run it together with your own system.
bBoy
Well even though a live distro is ideal in terms of security, time, money & ease of use becomes a question for the average user. Not to mention you have to update the AV sig from the beginning every time.
Juani
I agree we Linux users should improve our security, for different reasons. There are many techniques nowadays to sandbox our apps in case they have vulnerabilities. Installing an antivirus is obsolete. The antivirus are ineffective against the polymorphic viruses of the 21st century. And if you don’t want to infect windows users, all you have to do is delete the autorun.inf files that your usb disks gets whenever you plug it in a windows box.
Wen
All good points. Also, nobody gets paid to break Linux (at least not like at Microsoft and Apple). Both Microsoft and Apple have large teams of engineers that are paid to constantly try to compromise their systems. Sure, white-hat hackers bring a lot of vulnerabilities to light, but this is far from an organized effort to harden specific aspects of an OS. The best thing that I used to say about Linux security is that, because of point 2 above, using Linux used to be a lot like flying under the radar. The bad guys just weren’t interested, because there was no way to make a big splash attacking Linux. But the nature and motives of attackers has evolved; it’s now more about what they can get than what they can do. The best thing about Linux is still the cost, but for my part, I find that many of the free applications are just not as robust as the commercial alternatives. Choosing Linux is almost like a lifestyle choice. If you’ve got the time, motivation, know-how and diligence to make (and keep) it secure, it’s a fine choice. I certainly have the background to do this, but I’m too focused on the work that I’m doing ‘on’ my OS to devote large swaths of my time to security ‘for’ my OS. Too bad, really; the basic design of Linux is far superior to products like Windows. In theory, Linux should be much more harden-able.
Anonymous
That’s not true at all. There are tons of bounties for finding Linux security flaws. Google once was offering 50,000 for root escalation on Chrome os, which is Linux based. Linux powers so many businesses… Do you really think Amazon, Intel, IBM, Google, etc. don’t have their own teams constantly checking for vulnerabilities? The fact is that they do and they contribute a lot of that work back to the community.
Simon Lidster
In addition Suse, openSuse, Fedora and Red Hat are all big business backed, and feed into the free versions. IBM, Novell, Red Hat, google and others have very large capabilities and vested interests in securing the platforms.
bBoy
I always wondered do the opensource and commercial versions have all the same security features?. Surely they must try security through obscurity to some level.
Anonymous
Most commonly used method with opensource combined with commercial: They release opensource version, let people to go through it and when most of the bugs have fixed and they are confident enough then they implement same feature to commercial one. So basically they use free edition to test new features and fix them.
joeA
One has to really try to get a virus on Linux. If you use safe repositories (which can be checked with very little effort), don’t run as root, install and use your firewall, and install software from untrusted sources, I defy you to become infected! The number of Linux and Mac viruses in the wild are still unbelievably tiny compared to Windows. Sorry, this is FUD.
Anon
Look at this way, yes, right now it might less likely give the infrastructure of Linux and the motivations behind attacking. But that doesn’t mean it can happy. Yes, it is less like, and yes, this post is very obviously so people download software, but it is still making good points. Linux is not invulnerable and shouldn’t be treated as such. Imagine it was all the way around, that Linux not only dominated servers, but also the common market. A lot of people would be using Linux to make online shopping, sending emails, etc, etc. Somebody out would want to find an exploit for any reason, be it steal money, use other PC’s to make some kind of network, see secret very compromised data. Someone would that that you call “One has to really try to get a virus on Linux.”. Do not doubt that if someone is really motivated they will try as hard to attack Linux as they are to attack windows. Heck, people always find ways to attack antiviruses too. Linux is like a natural antivirus, if you can attack a 3rd party antivirus or even find a loophole, someone might be able to do the same for Linux.
Ralph
I have a product, how do I sell/popularize it? By scaring people with false claims. Good strategy.
Paul Ducklin
You might want to read any or all of the articles below if you think these are false claims. The “my OS is safer than your OS” argument has done a lot of harm to a lot of users out there!
https://nakedsecurity.sophos.com/2015/07/28/malware-on-linux-when-penguins-attack/
https://nakedsecurity.sophos.com/2016/03/02/php-ransomware-attacks-blogs-websites-content-managers-and-more/
https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
https://nakedsecurity.sophos.com/2016/03/08/ransomware-arrives-on-the-mac-osxkeranger-a-what-you-need-to-know/
In the podcast (item #1 above), we discuss our findings that approximately 80% of web pages used in the delivery of malware are hosted on Linux servers. Of those, approximately 80% are other people’s servers that the crooks have “borrowed” illegally. Free hosting; free bandwidth; and someone else to take the blame.
The irony is that when a Windows computer is insecure, the damage done by malware running on it tends to affect the user and the company they work for. When a Linux server is insecure, the damage done by malware running on it tends to affect everyone else…
Simon Lidster
Sure servers get attacked all the time, as they are powerful tools to be used for nefarious purposes.
My desktop isn’t though. It’s a harder target than a server since it’s behind a hardware firewall with NATting with no forwarded ports, it’s not on 24/7 and if it’s compromised it’s just another zombie PC.
The primary method of malware infection for desktops is compromised websites running malicious scripts – if there’s a case of Linux malware being spread like that I’ll buy Sophos (or Eset ;)) today.
It’s far easier for hackers to go for Windows or Mac users, than Linux (desktop) users, and far more lucrative.
Especially the Apple guys – If you’ve got a Mac you must have more money than sense :D, whereas Linux users are too tightfisted to buy software or OS’s!
Paul Ducklin
A few remarks if I may.
The problem with the attitude “if I get infected, I’ll just be one more zombie” is something any cybercrook loves to hear. If you don’t care about your own data (and many zombies also do data stealing, keylogging and more, because they can), at least care about everyone else. If you get zombified and genuinely don’t care…then you are part of the problem, not part of the solution.
NAT was designed to extend the IPv4 address space. The security it provides is very limited and is a side-effect of how it works, not the reason it works that way. For example, read how this Unix malware opens a remote shell. NAT is irrelevant in this case:
https://nakedsecurity.sophos.com/2016/07/08/new-mac-malware-tries-to-hook-your-webcam-up-to-the-dark-web/
Lastly, you don’t have to buy Sophos Anti-Virus for Linux. It’s free for work or home:
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx
Anonymous
Is it really so wrong to be suspicious of a product being advertised on the product’s blog website while employing an alarmist strategy?
bBoy
Absolutely not but even when you shoved with evidence in your mouth and you refuse to accept it then it’s sad.
Anonymous
Trust your open-source-OS security on proprietary software. It sounds like a pretty good strategy!
real
been using linux for 5 years and not one virus..who said they do get viruses ??? mr Microsoft ???
Mustapa
Hi Sophos Guys, this what I have been advising my customers all the time, AV companies always making a statement that Linux is not safe. Chief, FYI Troj/JavaDl-NJ, when it attacks a PC where usually with Administrator privileges, it will just run when you click the “OK”. In Ubuntu or even Redhat, we have tested it; it will ask the user to key in the root password. So mostly for Linux users, it does make NOT any sense why I need to use root privileges for a typical Javascript to run, Hence Linux security is better.
And for everybody here, Anti-Virus is Dead for Windows. No way AV can stop malware or virus anymore (well unless they the one who created it). Update your AV to the latest update and please ensure you have the latest Windows patches, let me send you a file and see whether I can have remote access to your Windows machine. Move to Linux or Mac OSX (please don’t run as root/admin!). Just move.
Eric V
Most Windows users are running as admin. Same for OS X. You can’t convince non-IT people to create a separate account, with a different password, which they need to enter each time they want to “do something”. Heck, I can’t even get my colleagues in IT to do it. If the basis of your argument is that “if they were on Linux, they wouldn’t have these other bad habits that are the real root causes of today’s horrible security issues”, well…
Paul Ducklin
That’s not true. Almost all Windows and macOS users (it’s not called OS X any more) in the modern era have the right to promote themselves to an admin, but their accounts aren’t root all the time. Indeed, Windows 10 even has separate menu options for Command Prompt and Command Prompt (Admin).
All the mainstream Linux distros I’ve tried lately automatically add the user you create at install time into the wheel group and enable that group to use sudo for any command, e.g. sudo su -. So you’re still only as safe as your own common sense and restraint on all platforms :-)
Anonymous
Ok, haven’t verified other distros but under Slackware (which I use at home and work) no users other than root are created during the install time and the user management tools don’t add users automatically to any superuser groups at all. Even the sudo configuration is absolute empty – there is only one record for root itself… So to enable sudo for a specific user you should explicitly add required groups/apps/other for the user… ))) (read this – USE Slackware Linux!)))))
Paul Ducklin
Actually, I have been a Slackware user since the early days, still am…but even as a bit of a fanbuoy I wouldn’t put Slackware in the category of a “mainstream distro” :-) Slackware doesn’t help you set up full-disk encryption, either – you just have to learn how to do it.
Anon
This article is really a very poor representation of the state of Linux. It may be that the writer is sloppy or poorly informed but it’s a black eye for this to be on the Sophos.com site and it’s a sad piece for whatever its goal might be.
In a nutshell, Linux is used on more devices that attach to the Internet than Windows is. You have to break it down by:
– Desktop (Windows and then Apple lead), server (Linux absolutely dominates)
– Mobile (tablets and phones — Android is linux, iPhone is iOS which is related to MacOS which is based on a Unix-like OS that has much in common with Linux, Windows is a tiny slice of this market)
– Embedded (kitchen appliances, thermostats, printers, etc. — almost all run Linux) and
– Media devices (Linux dominates with products like Tivo, streaming devices like Roku, smart TVs although Apple has a big footprint with Apple TV which runs iOS).
Each of the above, Desktop, Server, Mobile, Embedded, and Media Devices have their own security challenges and threat vectors.
Apple absolutely thrashes Windows on security — both how difficult the devices are to hack, how deeply security goes across hardware and software (Touch ID from Apple with the corresponding secure enclave on the CPU is both extremely secure and a superb way to enable increased levels of security across apps and data on the device), and in protecting your data on the device (Apple’s rules for iOS apps are driven by a strong security model).
On the server side, Linux absolutely crushes Windows on security. Windows machines have two main weaknesses — they have many vulnerabilities and, it’s easy to escalate privs that allows code to access anything on the machine.
On mobile, Apple’s iPhones running iOS absolutely thrash Android. Android has issues with stock firmware at the BIOS level (which allows anyone to re-image the device with whatever OS they want e.g. Cyanogen), Android has issues with not being able to be updated easily which prevents patching, and Android does not have an end-to-end solution that stacks up to secure enclave + TouchID biometrics like Apple does. There are no instances of credit card fraud with Apple Pay. There’s a reason for that.
Everything can be hacked but some things are inherently easier to compromise.
Stepping back, I would say Redmond does not prioritize security like Apple. And Redmond does not have security as an inherent aspect of product design like Linux / UNIX does. Redmond knows their weaknesses but has not found a way to commit to security like they may have. Windows also has the issue that Apple has avoided of needing to run on 1000’s of different hardware devices each of which has standard firmware and may have Windows or 3rd party drivers. Linux has this same issue with 1000’s of devices to support but Apple does not. I think Apple writes its own BIOS, boot loader, and drivers with security and performance in mind. I don’t know if Apple does its own firmware for e.g. disk drives but, it’s coming if it’s not here now due to what’s been revealed about NSA this week with their hard drive firmware attacks.
To be clear, NSA is attacking operating systems, encryption, Internet switches/routers, and firmware. Two of those things (Internet switches and firmware for hard drives) have nothing to do with operating systems.
All FYI.
Paul Ducklin
If you think that “on the server side, Linux absolutely crushes Windows on security,” you probably ought to listen to this podcast:
https://nakedsecurity.sophos.com/2015/07/28/malware-on-linux-when-penguins-attack/
It’s still fashionable to bash Windows as fundamentally insecure and to trumpet Linux as though it were inviolable by design, but the simple truth, as unpalatable as it might be to some Linux fans, is that it’s surprisingly easy to configure an insecure internet-facing Linux server, just as it’s surprisingly easy to configure a Windows server to be secure.
The crooks who make their living by infecting Windows computers with malware rely on hacked Linux servers as their primary distribution vehicle. Like it or not, Linux is the content delivery network for Windows malware. (I use the word Linux here loosely, as you have, to mean “Linux plus the software stack,” or in the sense of “a GNU/Linux-based distro,” just as I use Windows loosely to mean “the whole shooting match: browser, messaging apps, add-on software, and all.”)
Some more articles that remind us all that there’s plenty of insecurity beyond the Microsoft world:
https://nakedsecurity.sophos.com/2016/07/20/update-now-macs-and-iphones-have-a-stagefright-style-bug/
https://nakedsecurity.sophos.com/2016/01/05/google-fixes-another-stagefright-type-bug-in-android-mediaserver/
https://nakedsecurity.sophos.com/2016/08/26/apple-ios-users-update-now-zero-day-attack-seen-in-the-wild/
https://nakedsecurity.sophos.com/2016/08/05/apple-rushes-out-ios-update-shuts-out-jailbreakers/
In short, I am simply not convinced that “Redmond does not have security as an inherent aspect of product design like Linux/UNIX does.” I think that is a dangerous generalisation that has been undeniably untrue since about the mid 2000s.
PS. Old-school Unix fans will be choking on their tea to read that “iOS […] is related to MacOS which is based on a Unix-like OS that has much in common with Linux.” You make it sound as though Linux came first and the BSD family was derived from it by copying the good bits :-)
Rudolf
Could you give another source than sophos.com? Otherwise I’ll deliberately mark all your reasoning as a pile of garbage. And maybe your other posts too.
Nick
A bad article by an inexperienced user. I’ve been working with Linux for over 10 years, both privately and professionally, and Linux is far more secure than they describe it here. Their embedded myths are the reality, which by no means describe something that does not exist. And the majority of all attacks on Linux were due to unsafe configured systems, not to general problems that made attacks possible. In addition, there is a very fast closure of safety gaps, which considerably hinders potential exploitation. Likewise, no system can be secure if you take a standard installation, and nothing else will do, nor protect your services, or even use unsafe passwords. Above all, Ubuntu-based systems are not, under the auspices of Canonical. In many respects, Ubuntu is incompatible with the source, has poor repository maintenance, uses Sudo in a highly uncertain way, splits from the community to go exotic dubious ways, and is a bad role model for what Linux can be. But Mir is a straightforward example of this nonsense. For years announced, and while Wayland is already being actively spread, Mir is just an immature concept. Likewise, Snappy compelling AppArmor to be half-safe, compared to Flatpak. In short, Canonical is a disgusting software shack that denies ways that no one wants to go seriously in mind.
Even if Linux is significantly resistant to a variety of threats, it is important to say that real security always means work. There are so many ways to secure Linux, which are often not used, although they are easy to use. Not unnecessarily complex constructs like SELinux, or the semi-giant AppArmor, both with a kernel exploit away from the window, but primarily GrSecurity, as well as sandboxes, virtualization using Xen / KVM, Systemd, Firejail, Namespaces, seccomp-bpf, Linux-Capabilities and more. You should also always use LVM-Volumes, and create an effective Volume-Separation, as well as assigning your own security zones for each area. Here, Linux offers so much to come close to a security of 100~%, but it is hardly used. It is also impossible to speak of myths when the unique potential is simply not exhausted. So many security problems could have been prevented, whether in terms of servers, Android and more. But as long as the wrong people determine about security in companies, nothing changes. They do not pay for something that only costs money, and does not bring any visible yield.
Anonymous
The argumentation here is just ridiculous. Basically each point is a blank joke. Take for example 4 – On Linux you install software from software repositories, which contain only trusted software. That’s actually a pretty good point in favour of linux. I have never heard of any malware being distributed via e.g. ubuntu repositories. Saying that you can principally add ppa repositories and that this makes linux less secure is really RIDICULOUS. If you allow anyone to execute an unknown software on your system with admin (i.e. root) permissions then any system gets insecure. Then you can also argue: Linux is not secure because when someone sees you typing in your password, then you are screwed. Or: Linux is not stable because the computer breaks when it has no electricity. Surely there are some basics that any user must fulfill. And in that regard 4. is just bullshit as allowing an unknown third party to allow arbitrary code with admin rights will always be dangerous. And there I actually see a plus for linux as adding a ppa is only possible in the command line and will thus only be used by advanced users (that hopefully know the danger) while for windows there isn’t any trustworthy source for software AT ALL.
Paul Ducklin
You need to get out more :-)
First, trusted software components (including the kernel itself, and ubiquitous libraries like OpenSSL) have frequently ended up both trusted and broken at the same time, sometimes with exploits that the crooks found first.
Second, there have been at least a few surprising breaches at mainstream distros, where even complete ISOs have ended up replaced with malware.
Here’s an example:
https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/
And whether you like to hear it or not, there are many perfectly trustworthy sources for Windows software (such as Microsoft’s own Windows Store).
No one is trying to dismiss your beloved Linux as fundamentally dangerous or insecure. But there’s a sort of “appeal to perfection” that seems to have taken root in a vocal minority in the Linux community. We’ve got a bunch of myths – myths that should have died out last century! – that have turned a statement such as “Linux can be made very secure with little effort” into an almost religious belief that “Linux is so secure by default that it makes thinking about security unnecessary”.
If it really were as easy as you imply to run a sealed-and-secured Linux-based system, we wouldn’t have found the results we did in this research:
https://nakedsecurity.sophos.com/2015/07/28/malware-on-linux-when-penguins-attack/
rama
SELinux (Security-Enhanced Linux) in Fedora is an implementation of mandatory access control in the Linux kernel using the Linux Security Modules (LSM) framework. Discretionary access control (DAC) is standard Linux security, and it provides no protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own. Mandatory access control (MAC) provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user.
–Fedora
Polemos
Everyone here is complaining about the author trying to sell his own software. It is quite obvious he (the author) has an interest in this, but it is also a genuinely good piece of information for the non-tech-savvy people running a GNU/Linux distro. If you have the skills to use AppArmor, SELinux, and compile a hardened kernel, use MAC (mandatory access control), etc., then you have no need to use any third-party software, but if not, this is a useful piece of info, and kudos to the author for dispelling myths. After all, being cocky and ignorant will and has always led to the doom of such people.
For tl;dr: good info; if you have the know-how, you do not need any third party.
Paul Ducklin
Just to clarify – the author is trying to “sell his own software” for free. (That’s free as in beer, not free as in non-proprietary.) The “free” part extends to use at work, not just at home.
SunGamer
“Indeed, “Linux” and “security” are two words that you rarely see together.”
Well, I wouldn’t really say that… Of course, Linux may have some security flaws and disadvantages, but compare it to Windows. Linux desktops are way more secure than Windows. I do not say that Linux is flawless, but you don’t say it’s less secure than Windows.
Paul Ducklin
If you are going to assert that “Linux desktops are way more secure than Windows”, it’s not enough to state that. You need to come up with some evidence. The fact that there is a tiny fraction of Linux malware compared to Windows malware doesn’t really prove much – except perhaps that Linux desktops are much less common than Windows – if your claim is that Linux is “way more secure”.
The simple truth is that in architecture and implementation, Linux and Windows are at heart very much more similar (monolithic OSes with a large kernel space, plus a rich GUI, plus a dizzying choice of add-on hardware, drivers and applications) than they are different. Both have suffered from similar sorts of bugs, vulnerabilities and exploits over the past 15 to 20 years.
SunGamer
Currently, Linux Desktops are more secure. They are not common, and Linux is usually open source. Which means that malware for Linux is harder to develop. Yet, I do not say linux is insecure. Yes, I am using antivirus on Linux. However, I do not use Sophos, and I like it that way. Plus, I am backing up my data.
Paul Ducklin
Your claim that “malware for Linux is harder to develop because Linux is usually [*] open source” needs evidence to support it. All the evidence I have seen suggests that the openness or closedness makes little or no difference to the “malwarability” of a platform. If anything, having a locked-down, closed-up and curated operating system and application ecosystem seems to make it harder to write and disseminate malware – and the evidence for that, whether you like to hear it or not, is Apple’s iOS.
Linux, Windows and Mac all have excellent, free, public documentation for their APIs in order to attract software developers. So that’s where you’d start if you’re a coder – whether you are an innocent programmer or an evil haxxor. And all three platforms allow you to install apps of your choice, without locking you down to an application store of allegedly vetted apps. So if you choose unwisely (or choose a company or distro that doesn’t protect its own download assets wisely) then you could end up in harm’s way, for all three platforms.
[*] Linux is by definition *always* open source, and the GNU/Linux combination is also open source as a matter of requirement. Some Linux distros include optional closed-source stuff, but GNU != Linux != a distro.
Anonymous
WHAT? You are a damn fool. GIVE ME ONE VIRUS ON LINUX IDIOT? .. Malware not a virus its process that can be killed and you need to run it to be active.
SO many stupid people today.
Linux is a process controlled OS if it runs I can kill it and POOF gone.
Paul Ducklin
You seem to be saying this: it is possible to kill malware processes on Linux, therefore there isn’t any chance of malware on Linux.
That’s a bit like saying: you can call a tow-truck to the scene of a car crash to remove the wreck, therefore accidents never actually happen.
For the record, viruses make up a subset of all malware. In this discussion they can be treated identically. The only significant difference is that a virus is a type of malware that can spread itself. Self-spreading was an important feature back in the days of “sneakernet” and floppy disks; in today’s world of email attachments, spam, and web links, the self-spreading part doesn’t matter that much any more. Incidentally, most Linux viruses run “as processes that can be killed”, like any other process, in fact. Of course, a process that you just killed is *a process that was running until you noticed it* – that’s the same for viruses as for any other sort of malware or app. You can steal a lot of data, wipe a lot of files and unlawfully change a lot of configuration data in a very short time – a couple of milliseconds would be enough for most crooks.
Therefore, the ability to kill malware after it starts is useful and desirable (and may seriously reduce the damage you suffer), but doesn’t actually *prevent* the malware in the first place.
John S
Some Linux users are like people in a cult. They have been spoon fed all this nonsense just like Apple did with Mac OS users. Even Android has been shown to have flaws and while its core is Linux the flaws revolve around a poorly vetted apps store. The same can be said for Linux which has good and bad developer support. Just because the core is solid, doesn’t mean everything is. Linux on the desktop is hardly a target for easy prey so it gets far less attention than the billions of Windows users and rightly so.
Paul Ducklin
Actually, Android’s vulnerabilities have not been limited to failures in Google’s Play Store vetting process. Here are some sample Android vulnerabilities and coding blunders that make for interesting reading and remind every programmer amongst us that the devil really is in the details:
https://nakedsecurity.sophos.com/android-master-key-vulnerability-more-malware-found-exploiting-code-verification-bypass/
https://nakedsecurity.sophos.com/anatomy-of-a-buffer-overflow-googles-keystore-security-module-for-android/
Ironically, Apple has got a bit better in recent years – the company still has a curious approach to security holes of “keep 100% schtumm until the fixes are out”, meaning that sometimes you just don’t know where you stand, but at least the whispering campaign against anti-virus and security software that you used to hear at every Genius Bar seems to have petered out :-)
John S
Big targets are big business for personal data and average consumers who fall prey to phishing schemes. I am sure many big businesses rely on Linux based servers. That does not stop anyone from finding ways in. The quicker we all realize that it’s motivation not vulnerabilities that inspire hackers. I personally don’t use Linux on a desktop because I don’t like a single distro I have tried. It’s not that these Linux developers have not tried, they have improved many Linux distros dramatically. But so has Windows and Mac OS and in my opinion which is just that, I focus more on usability and familiarity than this ideal that Linux is somehow immune to security threats. We all know that is not true so why use Linux with a false understanding that it’s better?
zomerwind
Trouble about this article is that its solution is a part of the issue:
@”4 – On Linux you install software from software repositories, which contain only trusted software.
Beside the fact that social engineering is not the only way to get a malware infection, are you completely safe just because you use software repositories?”
and
“The best thing about it, Sophos Antivirus for Linux is available now for FREE. Go try it out.”
Eh, like if I know you guys…
Paul Ducklin
Errrr, not sure what to say to that. Either you know us or you don’t. Either you trust us or you don’t. Seems like you’re making some sort of innuendo…
…but I don’t know what you are trying to imply. Maybe just say what you mean? (I thought open source was supposed to be all about transparency and clarity.)
Anonymous
Sophos is a well known company, so to say “like if I know you guys” is a bit silly. I do however have an issue with this as a whole. I very rarely write replies but I have a few points I would like to make. I run debian and there are under 200 known viruses for linux, if I am wrong then please correct me and show me evidence, don’t just point me to someone stating statistics somewhere. I have never, in the 14 years I’ve used Linux (and have never run an anti-virus) had any issues with security or been rooted etc. If you run scripts that you have just downloaded and don’t understand then that could cause issues, however, for the whole, linux has few issues in terms of viruses. Now, I also have an issue with running closed source software, which is what this anti-virus is. Many companies offer a program which does as advertised but also collects user data, no matter how small, it could be search queries but it’s still an infringement and a way to make money by selling the data, if it’s open source then this can be changed and averted, closed source is not good and defeats the idea of GNU linux. I don’t think this AV will do well and giving it away for “free” is obviously a test to see how well it does. I also find that anti-viruses are easily beaten anyway by “FUD/FUDDING”, I’m not saying I do this and I definitely don’t, but, AVs work by collecting signatures of malicious programs and storing them, your files are then scanned by this DB to see if they match. You can easily run an already known wild trojan through a file splitter, split it into 100 or so parts, run that through an AV, convert that to hex, find the file and the line of code which is being picked up by the AV change it, do this for all the parts, recompile and there you have a new signature and undetectable trojan. I would like to say a lot more but I don’t see that I will gain much. I just wanted to put my penny’s worth in as it’s an interesting topic here.
PS: To the people complaining about giving up their e-mail address to receive their license key, be real, enough said.
Roger
Linux security can be very bad: people have developed a few rootkits that can be hidden when loaded. The new fanotify can be used by bad guys to hide critical changes.
Sudo/ssh and other security software’s passphrase/key can be easily stolen by malicious person in data center or cloud.
Only use WZIS Software’s CaclMgr as privilege delegation software and make all privileged works under this software’s control, the system will be more secure.
Erik P
Someone can knock on my door and ask my bank details, so that makes linux have poor security…
Really, this article is completely unbalanced. Yes.. I can set up linux to be really insecure if I want. But phishing emails are hardly the fault of the OS and phishing can be done by simply knocking on your front door, even if you don’t own a computer. Java is rarely installed on Linux by default because of security. The writer conveniently fails to distinguish having a virus and being affected by a virus. Of course linux users know we could have a virus on our systems, but the systems are usually secure enough to prevent the virus doing anything except just sitting there. I have tried to find the consequences of the linux viruses you mentioned.. who suffered from it? So it seems you are saying, unless a linux user does a complete reinstall of their system on occasion, viruses that do nothing to their system may accumulate. Well.. I knew that much. Indeed I have probably infected a windows machine with a virus, but that really is down to poor windows design. As Wikipedia says “As of 2018 there had not yet been a single widespread Linux virus or malware infection of the type that is common on Microsoft Windows; this is attributable generally to the malware’s lack of root access and fast updates to most Linux vulnerabilities”.
So technically, yes, Linux can get viruses, you can get phishing emails. But what’s important to most users is, will their system be affected by a virus, and the answer is: unless you are a moron, very very unlikely.
Anonymous
Hhmmm I remember these comment sections being quite different. Odd that this was posted March 26 2015, yet not a single soul who read it posted a comment till almost 5 months later. I find it odd because you would think that during this 5 month period you would have a wave of Linux users responding and challenging your info and claims. Probably quite passionately and even visceral at times. Yet as the years go by the comments seem to be somehow bland with hardly even a handful of Linux users actually getting technical and refuting the claims made here. There is no way, that not even a single Linux user, didn’t comment on this for almost 5 months. Certainly one of them had to have some kind of useful insight. I know people can often be rude and throw fits when their “fanboy” faith is challenged but I think your spam filter might be acting more like a censorship. You can say I’m full of it and that’s fair, but the fact is how would we know? It’s all Sophos. Your articles, software, research/findings, sites that handle comments and every source you listed is created, hosted and monitored by you. Whether it be Naked Security, News.Sophos or just plain old original Sophos, it’s all Sophos! Even though parts of your info comes from other sources nothing is cited or supported clearly by outside sources. You keep refuting others’ claims and insist that the community is refusing to accept change about the reality of Linux security yet you want people to blindly take your information as fact. Which don’t kid yourself is the reality. For this very reason is why researchers spend so much time and energy meticulously citing sources and not just throwing in small fragments of info with limited scope. Quite frankly it doesn’t upset me if Linux is not as secure as I thought and I haven’t really seen anything about Sophos being a bad company. Your comments even seem like you are informed.
The problem is, the environment is so intentionally sterile and purposefully built to insulate by providing all the knowledge when it’s just a rabbit hole of one Sophos claim being supported by a previous Sophos claim. Sorry for the rant, but the point is too easy to understand. This gives me close to nothing useful, because if I don’t want to blindly trust you then I have to go track down all the complete sources and do all the work and research for myself. So no, after looking at this I will not be touching your antivirus because you seem to have a structure in place to isolate users with your voice and facts as much as possible. Nothing is free and what Sophos gets out of user was conveniently side stepped without a single question.
NONONO
Mentions not using software that’s not from your distro’s repo
THEN wants you to dl their software and asks for your email address for something that is free.
Something they have no need to have.
Besides the cocky LISTEN TO ME I KNOW IT ALL attitude the article implies.
Deepa Perumal
Such an amazing article about Linux hosting.
Alexander P.
Once I noticed high CPU usage on my CentOS server, it was a crypto miner. I don’t know how it got there but maybe a malware npm package. So yes, Linux can be infected. It was a surprise for me. On Windows you also should trust only official sites when you download software, like you trust repositories on Linux, and you’re fine.
JohnIL
Market share has a lot to do with how big a target an OS is. Malware has a much better chance of succeeding on a bigger market platform than on, say, a small one like Linux desktop. The focus would obviously be on Windows, and cross-over malware that affects different OSes is just a bonus that sometimes happens with an exploit that can happen on multiple OSes. My question has always been to a Linux or Mac OS user who claims they are malware immune. Exactly, how do you know that for sure, since you don’t use any security applications? Is this just based on assumption? A lot of malware works in the background with little or no notable issues that the end user would detect.