
Topic: Interesting Article. Is Vector safe from this?


rbistolfi

  • Packager
  • Vectorian
  • Posts: 2299
Re: Interesting Article. Is Vector safe from this?
« Reply #1 on: September 05, 2013, 03:56:49 am »
This one is a Trojan, meaning that the attacker needs to trick you into executing it. We can protect ourselves from this one by just not executing untrusted programs (harder than it sounds.)
That said, looks like Vector does use the safe setting for ptrace mentioned in the article. You can check with:

Code:
$ cat /proc/sys/kernel/yama/ptrace_scope
0 is the more permissive setting, and 1 is the safer one (from https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace)
"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.

--
Jumalauta!!
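The check above only covers values 0 and 1, and later in the thread (reply #7) it turns out that a kernel built without Yama has no ptrace_scope file at all. The script below is an added example, not code posted by anyone in this thread or shipped by VectorLinux: it reads the sysctl file, says in plain words what each value means (the meanings of 2 and 3 come from the kernel's Yama documentation, not from this thread), and treats a missing file as "no Yama on this kernel" instead of a bare "No such file or directory". The optional path argument is an assumption of this example so the function can be tried on a constructed file.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: report the Yama
# ptrace_scope setting in plain words and tell apart the cases the
# thread ran into (a value of 0 or 1, and a kernel without Yama, where
# the file does not exist). The path argument is optional (assumed for
# this example) so the function can be exercised on a constructed file;
# by default it reads the real sysctl file.
ptrace_scope_status() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ ! -e "$f" ]; then
        # The "No such file or directory" case: the kernel was built
        # without the Yama LSM, so the classic ptrace rules apply.
        echo "absent: no Yama ptrace_scope on this kernel (classic ptrace rules apply)"
        return 2
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo "0: classic ptrace; any process may attach to another with the same uid"
           return 1 ;;
        1) echo "1: restricted; only a descendant (or a process named via PR_SET_PTRACER) may be traced"
           return 0 ;;
        2) echo "2: admin-only; attaching needs CAP_SYS_PTRACE"
           return 0 ;;
        3) echo "3: no attach at all; cannot be lowered again without a reboot"
           return 0 ;;
        *) echo "unrecognised value '$v'"
           return 3 ;;
    esac
}

# The exit status doubles as a machine-readable verdict:
# 0 = restricted, 1 = permissive, 2 = Yama missing, 3 = unexpected contents.
ptrace_scope_status || echo "(exit status $?)"
```

Run it as-is to inspect the live system, or pass a path to test the branches; a non-zero exit status is what a cron job or login script would key on.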

sledgehammer

  • Vectorian
  • Posts: 1451
Re: Interesting Article. Is Vector safe from this?
« Reply #2 on: September 05, 2013, 07:07:50 am »
Quote
You can check with:

Code:
$ cat /proc/sys/kernel/yama/ptrace_scope

Rodrigo, I get a "command not found"

Do you know what I need to add or change in my system to enable ptrace?
VL7.0 xfce4 Samsung RF511

wigums

  • Packager
  • Vectorite
  • Posts: 158
Re: Interesting Article. Is Vector safe from this?
« Reply #3 on: September 05, 2013, 07:57:46 am »
Quote
One question I wanted to have the researcher answer for me is this: Why did SELinux not stop the trojan from functioning on Fedora 19?

Things that make you say hmmmmm.
(Don't forget who wrote SELinux.)
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.

rbistolfi

  • Packager
  • Vectorian
  • Posts: 2299
Re: Interesting Article. Is Vector safe from this?
« Reply #4 on: September 05, 2013, 08:52:07 am »
Quote
You can check with:

Code:
$ cat /proc/sys/kernel/yama/ptrace_scope

Rodrigo, I get a "command not found"

Do you know what I need to add or change in my system to enable ptrace?

Hi John,

Maybe you didn't remove the "$" character? That's just a convention that means "run the following command in a terminal". The command would be:

Code:
cat /proc/sys/kernel/yama/ptrace_scope

MarkGrieveson

  • Vectorian
  • Posts: 531
Re: Interesting Article. Is Vector safe from this?
« Reply #5 on: September 05, 2013, 05:19:22 pm »
Like John, it also doesn't show up on my computer.  

Code:
vector:/~
mark:$ cat /proc/sys/kernel/yama/ptrace_scope
cat: /proc/sys/kernel/yama/ptrace_scope: No such file or directory
vector:/~
mark:$
I am using VL7.0 standard with XFCE

CrazyDog

  • Member
  • Posts: 85
Re: Interesting Article. Is Vector safe from this?
« Reply #6 on: September 05, 2013, 06:14:41 pm »
Thanks for the replies everybody.  I appreciate it.  I do some financial stuff with my bank online and just wanted to make sure I was safe.  I believe that Vector is the safest choice out there.  :)

rbistolfi

  • Packager
  • Vectorian
  • Posts: 2299
Re: Interesting Article. Is Vector safe from this?
« Reply #7 on: September 06, 2013, 03:04:34 am »
Quote
Like John, it also doesn't show up on my computer.

Code:
vector:/~
mark:$ cat /proc/sys/kernel/yama/ptrace_scope
cat: /proc/sys/kernel/yama/ptrace_scope: No such file or directory
vector:/~
mark:$

Maybe. John was getting "Command not found". Your kernel doesn't seem to have ptrace scope enabled; what's the output of "uname -r" on your system? I am on 7.1 and it is enabled here. I will check it out; we could build a new kernel for 7.0 if needed. If anyone wants to experiment with this in 7.0, please let me know.

vincent2

  • Vectorite
  • Posts: 412
Re: Interesting Article. Is Vector safe from this?
« Reply #8 on: September 06, 2013, 03:39:08 am »
Quote
$ uname -r
3.10.10

$  cat /proc/sys/kernel/yama/ptrace_scope
1
better install kernel 3.10.10, you'll be more secure!

kernel 3.11 could be more

retired1af

  • Packager
  • Vectorian
  • Posts: 1280
Re: Interesting Article. Is Vector safe from this?
« Reply #9 on: September 06, 2013, 05:44:20 am »
Quote
kernel 3.11 could be more

And why should we do that when 3.10 is the stable tree? Hmmm?
ASUS K73 Intel i3 Dual Core 2.3GHz

MarkGrieveson

  • Vectorian
  • Posts: 531
Re: Interesting Article. Is Vector safe from this?
« Reply #10 on: September 06, 2013, 07:34:06 am »
Code:
vector:/~
mark:$ uname -r
3.0.8


rbistolfi

  • Packager
  • Vectorian
  • Posts: 2299
Re: Interesting Article. Is Vector safe from this?
« Reply #11 on: September 06, 2013, 07:47:51 am »
Thanks Mark, we will have 3.10 packages to test in a couple of hours.

sledgehammer

  • Vectorian
  • Posts: 1451
Re: Interesting Article. Is Vector safe from this?
« Reply #12 on: September 06, 2013, 09:59:40 pm »
I updated the kernel once and it worked, but I forgot how. I think I followed the instructions in:

http://forum.vectorlinux.com/index.php?topic=10385.msg66371#msg66371

Do they still work?  I see the new kernel in untested but I may not try it this weekend as I am pretty busy with the computer and don't want to screw it up.

MarkGrieveson

  • Vectorian
  • Posts: 531
Re: Interesting Article. Is Vector safe from this?
« Reply #13 on: September 07, 2013, 10:30:50 am »
Those instructions look like they're for a system using lilo rather than grub.  Perhaps they would work with just skipping the lilo step.  Anyway, I think I'll wait for the announcement that a new kernel has made it to testing, as rbistolfi mentioned.

sledgehammer

  • Vectorian
  • Posts: 1451
Re: Interesting Article. Is Vector safe from this?
« Reply #14 on: September 07, 2013, 11:37:32 am »
I use lilo, but I think your suggestion to wait is a good one.