My ZDNet blogging colleague Jason Perlow has switched his systems over to Linux after his Facebook account was compromised. Can plucky "Tux the Penguin" protect Perlow's digital kingdom? Sadly, I don't think so ...
Now, if switching to Linux makes someone feel safer, then that's as good a starting point as any. When it comes to operating systems I'm an agnostic, and see the OS as a platform or a tool, as opposed to a religion or a sports team I have to get behind. With more and more people making the shift to the cloud, the OS you use matters less and less; it's the browser that matters.
But the question here is whether Mr Perlow is protected from future breaches of his digital fortress now that he's switched to Linux. Based on the information he's provided so far, I don't think that he is.
Let's take a look at the evidence to support my case.
First, even after a thorough examination, there's no sign of malware on any of his systems. This might seem like a trivial point, but whenever someone blames malware for anything (and it's common for people to blame malware for anything and everything that goes wrong with their computers), if you can't find a shred of evidence to support the claim, then you might as well blame leprechauns, fairies or Santa for your troubles. Throwing out the notion that it was a "bizarre Facebook virus" just doesn't make sense.
Without evidence, blaming "malware" is a total cop-out.
Was Perlow's password compromised? Well, he claims to have "used a strong mixed alphanumeric password," but this doesn't tell us much. Brute-forcing even a relatively strong password, while not trivial, is not a tough thing to engage in when you have a botnet at your disposal. Even against a strong password, the hacker has the twin advantages of time and luck on their side. This is precisely why we use strong passwords, but still use a different password for each place.
But it doesn't end there. Even with the best passwords in the world, there are still vulnerabilities that you can do very little about. Cross-site scripting (XSS), cross-site request forgery (XSRF) and SQL injection are three possibilities. These are attacks that originate online and leave no local trace. All you need to do is visit a compromised Facebook account (it doesn't have to be a Facebook account, but if you're targeting Facebook users, it's a good place to start), and the flaws in the website itself do the rest. This sort of thing is damn hard to defend against - you have to be vigilant, and change your password at the first sign of trouble.
There's the other nagging issue of why other online accounts belonging to Perlow weren't compromised. I'm thinking of things like Twitter and so on. If he suspects a malware breach, then I hope he's changed every single password he's ever used on those systems.
Oh, and as Columbo would say ... "One more thing ..."
Something else Perlow said caught my attention:
It’s certainly possible that the compromise occurred on another system that I had used to log into FaceBook, such as on a friend’s or a family member’s computer that got infected which had my login credentials cached.
Well there's your (likely) problem! He then goes on to say:
It’s unlikely since I always run something like CCleaner to wipe out all traces before leaving a PC that I had used, but I won’t rule it out.
The problem here is that "using something like CCleaner" might wipe all traces of your browsing off the PC, but if that system was already compromised (say, by a keylogger capturing the credentials as you type them), then all that clean-up afterwards is for nothing.
Also, you can have all the security measures in place, but if you then go off and trust a third-party system with your credentials, that side-steps all the measures you've put in place to protect yourself.
I don't think there's anything wrong with the steps that Perlow's taken to protect his digital kingdom, but personally I think that he's missed the real issue here. What's he going to do if his account is compromised again ... switch to an abacus? After all, Secunia doesn't list any vulnerabilities for that platform ...
Note: Back in the Fall of 2009 I wrote a piece called "Time to ditch Windows for online banking and shopping." Some of you seem to be wondering if my position has changed since then. The answer is "no." What I'm saying here is that if you are making a shift then the reasons need to be clear. In this case, I don't think that switching to Linux is the answer, since I don't believe that the OS has played any part in the leakage of the information. Without discovering malware on the systems in question, my money is on another system being compromised. The moral of the story is to be careful which third-party systems you use - and if you do need to use an untrusted system, booting it from a Linux live ISO might help ;)
Maybe Perlow would be better switching his friends and family to Linux?