Your Linux PC isn't as secure as you think it is

If 2014 taught Linux users anything, it's that they can't afford to ignore system security completely.

It's been an apocalyptic year for Linux security, with a sophisticated Trojan and security holes over 20 years old. The Shellshock bug left Linux desktops and servers wide open for anyone to own. Security updates fixed these problems--but you may not even be getting those patches.

Security revelations in 2014 shattered the myth of Linux impenetrability. No, the sky isn't falling, and yes, Linux is still inherently more secure than Windows--but this year proved that Linux lovers still need to pay at least some attention to their system's protection.

Turla's been infecting Linux systems for years

Security researchers have known about a piece of malware called "Turla," "Snake," or "Ouroboros" for years. Turla is an extremely sophisticated piece of government-sponsored malware--one that appears Russian in origin. As usual, it was Windows malware.

But, this week, Kaspersky revealed it had found a Linux version of Turla. This Trojan has been silently infecting Linux systems for years. It's based on an open-source backdoor program called cd00r. Turla listens to network traffic and allows an attacker to run commands on the infected Linux system. Crucially, the Trojan doesn't require root access--it just runs as your standard user account, so all the sudo and privilege restrictions used on the Linux desktop won't hinder it. While it's a network service, it's clever enough to hide itself from the netstat tool so you won't see it listening if you start looking at your network connections. Read Kaspersky's blog post for the gory details.

This is terrifying for a few reasons. It demonstrates that, yes, Trojans can infect Linux systems. And, no, not having access to root won't necessarily stop a piece of malware. All the interesting stuff like online banking happens under your user account, anyway.

Realistically, Turla probably isn't infecting your PC. You're probably not a target. As a government-sponsored piece of malware, Turla is designed to infect targets for purposes of surveillance or corporate espionage, not to steal your credit card number. But there's been a Linux Trojan infecting computers around the world for years now. Yes, Linux Trojans are possible and do exist.

X.org has security issues going back 20+ years

Late last year, we learned there is a huge list of security vulnerabilities in the graphical server and its libraries. Some of these security holes have been around for more than 20 years. The researcher who discovered these holes said security was a disaster, and "it's worse than it looks."

This week, many of these security vulnerabilities were made public knowledge. Your Linux distribution should be rolling out security updates for your server and proprietary NVIDIA driver shortly, if it hasn't already. But, even after these patches, security still doesn't inspire much confidence. X.org is such a big problem because it's based on the X11 architecture, which originated 30 years ago. Thankfully, new graphical server technologies like Wayland and Ubuntu's Mir are about to take its place.

Shellshock was terrifying for Linux desktop (and server) users

Remember Shellshock, a bug in the Bash shell used on Linux and other Unix-like systems? The advice from security experts at the time was that it didn't affect desktop users. Windows PCs didn't have Bash. Macs did, but it was only used by advanced users who went looking for it.

The situation was different on Linux desktops and servers, where Bash is used constantly. Terrifyingly, every DHCP request your computer makes was run through Bash. So, if you visited a compromised public Wi-Fi hotspot on your Linux laptop and connected to it, the DHCP server could give a response that would force your Linux system to run an arbitrary command--possibly downloading some sort of Trojan. Here's an easy proof-of-concept attack.

Security updates quickly neutered the threat for desktop Linux users, but the Shellshock vulnerability was present in Bash for 20 years. Sure, we don't have any indications of widespread attacks against Linux desktop users, but that's not the point. The point is that Linux desktop systems were wide open. When Linux users gloat about how much more secure our systems are than those Windows desktops, we might want to remember how Shellshock affected us.

Are you even getting security patches?

Thanks to the way Linux packaging and software repositories work, you may not even be getting the security patches developers release. Sure, you'll generally get them for your web browser and other important pieces of software that are considered "officially supported," but what about the other packages the community is responsible for?

There are lessons to be learned from the ownCloud packaging mess in Ubuntu. This piece of server software wasn't getting updates in Ubuntu. The community member who originally packaged it just decided to move on, leaving the ownCloud package orphaned and vulnerable.

And that's just with Ubuntu. Be careful if you're using one of the smaller, niche Linux distributions. The Arch Linux-based "Manjaro" distribution hasn't been receiving timely security updates like it should. This is understandable if you're using a small distribution and the developers are working on it as a hobby, but it's something to watch out for... and a risk to actual users.
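One way to see which installed packages sit outside the officially supported set on a Debian or Ubuntu system, as an added example that is not part of the original article: it parses `apt-cache policy` output and classifies each package by the archive component its installed version comes from. The mapping of `main`/`restricted` to vendor-supported and `universe`/`multiverse` to community-maintained follows Ubuntu's convention; the sample output, including the `browser-example` and `local-tool` names and all version numbers, is constructed.

```python
import re
import subprocess

# Ubuntu archive components: vendor-supported vs community-maintained.
CLASS = {"main": "supported", "restricted": "supported",
         "universe": "community", "multiverse": "community"}

# Constructed, abridged `apt-cache policy` output; names and versions are made up.
SAMPLE = """\
browser-example:
  Installed: 2.0-1
  Version table:
 *** 2.0-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
owncloud:
  Installed: 1.0-1
  Version table:
 *** 1.0-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status
local-tool:
  Installed: 0.3
  Version table:
 *** 0.3 0
        100 /var/lib/dpkg/status
     0.2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
"""

def classify(policy_text):
    """Map each package to 'supported', 'community' or 'no-repository'."""
    result, pkg, in_installed = {}, None, False
    for line in policy_text.splitlines():
        if line and not line[0].isspace():      # "name:" opens a package block
            pkg, in_installed = line.rstrip(":"), False
            result[pkg] = "no-repository"       # until a repository source is seen
        elif line.startswith(" ***"):           # marker for the installed version
            in_installed = True
        elif re.match(r"^ {5}\S", line):        # some other, non-installed version
            in_installed = False
        elif in_installed and pkg:              # source lines of the installed version
            m = re.match(r"^\s+\d+\s+\S+\s+\S+/(\S+)\s", line)
            label = CLASS.get(m.group(1)) if m else None
            if label and result[pkg] != "supported":
                result[pkg] = label
    return result

def audit_installed():
    """Classify every installed package on the live system (Debian/Ubuntu only)."""
    names = subprocess.check_output(["dpkg-query", "-W", "-f", "${Package}\n"], text=True).split()
    return classify(subprocess.check_output(["apt-cache", "policy", *names], text=True))
```

Packages reported as `community` depend on a volunteer maintainer for fixes, and `no-repository` packages receive no updates through the package manager at all.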


Linux system security is broken, but so is everything else

So your Linux system isn't as secure as you thought it was. Well, that's not really an attack against Linux in particular. All computer security is pretty bad. As Quinn Norton titled her excellent rant on the subject, "Everything is Broken." Yes, even Linux, and--more importantly--all the software programs you have to put on top of Linux to get a functioning system.

Linux will continue to have nasty security holes, but again: the sky isn't falling. Your Linux system is still far more secure than the average Windows desktop. Attackers are more interested in targeting the larger Windows install base. And Linux does have a great security architecture Windows lacks, too--simply getting most of your programs from a centralized software repository instead of a gaggle of websites helps a lot.

No, you don't need to start running antivirus software on your Linux system, but be aware: You're not perfectly safe on Linux, or any other system.

Like all those Windows and Mac systems out there, your Linux system is full of security holes. We just haven't found them all yet. Be humble when talking about Linux's security or you may find yourself with egg on your face when the next Shellshock bug blows up.

Stories by Chris Hoffman