Phishing for Linux

Preston Gralla would like to welcome Linux users to the world of malware. This is in reference to the phony security update claiming to be from Red Hat, asking users to download a patch that (if they're silly enough to do so) will compromise their system. This reminds me of Bliss, a virus that appeared back in 1996 that depended on nix users to run it manually before it could infect anything. First off, I think the press made a bit too much of a half-hearted attempt to compromise Linux systems. (Malware writers, here's a hint: Learn to spell-check, and remember that Red Hat is two words, not one.) This "attack" is really only noteworthy because it seems to be the first wide-scale attempt at phishing Linux users specifically. Secondly, this just goes to show how weak Microsoft's argument about security really is: Windows malware usually installs itself by taking advantage of security holes in IE or other programs. Attackers trying to compromise Linux systems apparently need to depend on social engineering rather than the flaws in the OS itself. No system is secure if you have users who are willing to install software without verifying its source. This attempt is an indication that Linux users should be (or remain) careful, and take a minute to verify any package before they install it. No vendor or project is going to send these e-mails out to random addresses. If you haven't signed up for security alerts, then you know off the bat that something isn't right. Users should also bookmark their distribution's security page(s) and check those frequently. While I still hold that Linux is far more secure than Windows, Linux isn't immune to security flaws. Many of the vendors, including Red Hat, Mandrake, Novell/SUSE and others, include update tools in their distribution that allow the user to check for updates on a regular basis without having to depend on alerts. These usually include a GUI tool for the Linux desktop for those using a Linux desktop. It's also worth noting that most Linux vendors sign their packages with a GNU Privacy Guard (GPG) signature, so that users can verify the source of a package. I have no doubt that Linux users will be subjected to more phishing attempts in the future. But, if this is the best the phishers can do, the threat isn't very significant.