This is disturbing news. It's a wakeup call. Workable defense against unknown and potentially devastating attacks requires a layered, multifactor approach for security and privacy. Professionals know that. And we can all implement at least the basics. System hardening is important, of course. But it's also essential to compartmentalize and isolate workspaces, both machines and their network access, and to segregate activity to avoid cross contamination and progressive compromise. VMs isolate somewhat, and multiple host machines isolate more effectively, but only if there's network isolation with firewalled LANs, and prudent sharing of removable media. It's also crucial to compartmentalize and isolate Internet access, using nested chains of VPNs, JonDonym and Tor as ad hoc anonymity mixes. That limits damage from compromise, as well as protecting privacy and anonymity. Indeed, firewalling potential damage from compromise is a key aspect of protecting security, privacy and anonymity. That could have been an article. For now it's a dense (run on) paragraph. Son las cosas de la vida
Mirimir, your post is almost like an echo from inside my thoughts before I even read to the bottom of the thread/your post!! That should scare you. LOL!!
In a strange way, I think this is good news from a number of perspectives: it will encourage more attention on security in Linux, and less complacency it will uncover more of the real situation we are facing - I'd rather know my threats better than not
LOTS of Linux malware has been released this year. Have a look back in the entries in here http://www.kernelmode.info/forum/viewforum.php?f=16&sid=13b48b97b19b71eaa33a8ce777774bfc
So that Turla campaign has infected more machines than analysts initially thought. I think security and privacy/anonymity is different thing and sometimes they conflicts, though still drawing clear line btwn them is difficult. Also, surely what you described is near bullet-proof for common attacks, however never sufficient for APT like this, or more advanced one. Just take an example of Hidden Lynx, they failed to attack a military industry first time due to Bit9's protection. Then they targeted Bit9, infiltrated their certificate infrastructure and abused it to 'properly' sign many of their malware. Now security software is cyberweapon. Another way they used is to infect the PC which is to be supplied to targeted company, i.e. infect new PCs just before the victim buy & put them. So company have to care about not only their security but all their connection! This is part of reason why fairly fighting against state-sponsored attack is almost impossible for individual person or company. Also those APT often bypass strict firewalling and log analysis by e.g. embed C&C communication into necessary browser web traffic (of course by invisible way). I thought Windows version of Turla used similar technique and MRG effitas' test malware BABO too. If you really want to protect against such attack, you have to direct your eyes on beyond computer and network. But practical answer is, just giving up 100% protection and spend fair resource to post-infection detection, and carry insurance. I'm not saying you're wrong, actually that is very good to limit potential damage, but am just poiting out that's not enough against APT.
Yup, I think many people here remember Operation Windigo where over 25,000 Linux/UNIX server were infected, but now I found it included BSD.
another link to 2 russian created malwares. http://www.zdnet.com/article/two-st...covered-following-in-windows-variants-tracks/
That Schneier quote is interesting: By the time any gov-grade stuff gets added to the virus definitions of all the major vendors, it's already a dead piece of malware or exploit. A part of me wants to believe that justifies having some form of AV, Linux or Windows, to at least hope that if you are infected by whatever that it'll send the sample to the AV provider (as opposed to having no AV, and it staying active for years). Reality though, is that's such an imperfect system for even everyday malware. There's just too many things to watch, even by automation, to keep up. Mirimir could run the security grid of any first world country. "The people love 'em, those in power fear him!" "We hold these security truths to be self-evident!" If I can keep the 5 some computers at my place running- I consider it a good day.
I think we should not get too panicky yet. Many details of that malware are still unknown. And we should also differentiate between Linux servers and desktop systems. Vulnerabilities in Linux servers are often caused by lousy configuration (loose permissions, bad passwords etc.) and by systems not updated in months, sometimes even years ("never touch a running system"). Granted - that's bad enough. But it doesn't necessarily mean that Linux desktop systems are in immediate danger.
