Ubuntu’s 18-Wheeler Wide Security Hole
Roland is a member of The Motley Fool Blog Network -- entries represent the personal opinion of the blogger and are not formally edited.
Quite some time ago I filed bug 731504 with the launchpad system for Ubuntu (a registered trademark of Canonical Ltd.). Ordinarily, this wouldn’t be something worthy of blogging about on the Fool, but this particular bug impacts every Fortune 1000 company that considers using their server software and it definitely impacts their many partners including IBM (NYSE: IBM) and Dell (NASDAQ: DELL).
This bug stems from a viciously short-sighted marketing policy that will basically cause this famous Linux distribution to fade into the ether like hundreds of other Linux/Unix distributions most of us don’t remember. The marketing decision of trying to make “a distribution” fit on a single “live CD” instead of a “live DVD” might have gotten a lot of early adopters with old equipment, but it sent development on a downward spiral.
At the crux of this issue are the sins we commit in order to save space. The sin committed here was forcing everything developed with Nokia’s (NYSE: NOK) phenomenal Qt application development framework to use database plug-ins instead of statically compiled and linked connection code. This is a mortal sin no holy book on the planet can ever forgive. I pointed this out in a lengthy discussion and was actually told in an email by someone with an actual ubuntu.com email address:
> Surely you are aware of the implications that static compilation has with regards to maintenance, especially in the context of security. It is exactly those implications that make it less than desirable to have static compiled parts anywhere in the system.
I kid you not!
Well, since it appears all of upper management at Canonical Ltd. failed Introduction to Data Processing 101, let me offer them the benefit of having over 20 years in large and small scale IT development. An OpenSource database plug-in is the largest security hole you could willingly create in any commercial use system. I used to use the Russian and Chinese mafia groups for my example, but in the wake of the recent Anonymous hack, using them will make it more real.
Let us say that 20-50 highly skilled members of Anonymous fork off development of one of the many OpenSource ERP or eCommerce packages that are currently well on their way to overtaking SAP, Siebel, or any of the other commercial packages. (The dirty little secret with OpenSource is that 20-50 highly skilled and determined developers can and will overtake most commercial products when they have thousands of free testers and bug fixers.)
The Anonymous members don’t do this out of the goodness of their hearts. When you install the .DEB file for this product, it installs a new Qt database plug-in for every known database plug-in. These new plug-ins do everything the old plug-ins did (because they had all of the source) so you don’t notice anything at first. Of course the new plug-ins create text files in your /tmp or TEMP directory something along the lines of 123456.dbg.trace. The “janitor” or application monitor job all OpenSource applications seem to come with these days periodically checks the temporary directory looking for such files and ftps them to application.support.trace.ftp. Even your system manager won’t think much of it with such file names.
Initially, what is in each of those files is the database name, database IP address, username, password, and user machine IP address. Eventually the “janitor” job will pull down “instruction” files which tell it to dump all database schemas to similar files and return them to the ftp site. Once they have all of that, they can extract at will anything they want from your systems NO MATTER WHAT DATABASE OR APPLICATION.
Every system you have has been penetrated simply because you chose to install one .DEB, which was actually a highly praised and well-written application, but it replaced your plug-ins with ones that had nefarious intent.
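The scenario above boils down to a driver file on disk that either no package owns or no longer matches what its package shipped. As an added example (not from the post, the Launchpad bug or Ubuntu itself), here is a Python check a defender can run after installing a .DEB: it parses dpkg's per-package `md5sums` manifests (`/var/lib/dpkg/info/<pkg>.md5sums`, whose lines are `<md5hex>  <path without leading slash>`) and audits a Qt SQL driver directory for unowned or altered plug-ins. The Qt 4 plug-in path `/usr/lib/qt4/plugins/sqldrivers` is assumed; the package names, file names and file contents inside `demo()` are a constructed fixture written to a temporary directory, not a real system.

```python
"""Audit a Qt SQL driver plug-in directory against dpkg's md5sums manifests.

Findings:
  * unowned  - a driver file that no installed package's manifest lists
  * modified - a driver file whose on-disk MD5 differs from the one the
               owning package recorded when it was installed
"""
import glob
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse one dpkg manifest: '<md5hex>  <path-without-leading-slash>' per line.
    Returns {absolute_path: md5hex}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel_path = line.partition("  ")  # dpkg uses two spaces
        expected["/" + rel_path] = digest.strip()
    return expected


def md5_of_file(path):
    """MD5 of a file's bytes (dpkg records MD5, so we compare MD5)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_dpkg_manifests(info_dir="/var/lib/dpkg/info"):
    """Read every <pkg>.md5sums file in a dpkg info directory -> {pkg: text}."""
    manifests = {}
    for path in glob.glob(os.path.join(info_dir, "*.md5sums")):
        pkg = os.path.basename(path)[: -len(".md5sums")]
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            manifests[pkg] = f.read()
    return manifests


def audit_plugin_dir(plugin_dir, manifests):
    """Return (unowned, modified) for the regular files directly in plugin_dir.
    unowned: absolute paths no package claims; modified: (path, owning_pkg) pairs
    whose current MD5 no longer matches the owning package's manifest."""
    owner_and_digest = {}
    for pkg, text in manifests.items():
        for path, digest in parse_md5sums(text).items():
            owner_and_digest[path] = (pkg, digest)
    unowned, modified = [], []
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not os.path.isfile(path):
            continue
        if path not in owner_and_digest:
            unowned.append(path)
        else:
            pkg, digest = owner_and_digest[path]
            if md5_of_file(path) != digest:
                modified.append((path, pkg))
    return unowned, modified


def demo():
    """Constructed fixture: a temporary 'sqldrivers' directory and hand-written
    manifests for two hypothetical driver packages. Returns basenames found."""
    plugin_dir = tempfile.mkdtemp(prefix="sqldrivers-")
    try:
        shipped = {  # bytes as the packages would have installed them (constructed)
            "libqsqlite.so": b"constructed: untouched sqlite driver",
            "libqsqlmysql.so": b"constructed: mysql driver as packaged",
        }
        for name, content in shipped.items():
            with open(os.path.join(plugin_dir, name), "wb") as f:
                f.write(content)

        def manifest_line(name, content):
            rel = os.path.join(plugin_dir, name).lstrip("/")
            return "%s  %s\n" % (hashlib.md5(content).hexdigest(), rel)

        manifests = {  # package names assumed from Ubuntu's Qt 4 driver packages
            "libqt4-sql-sqlite": manifest_line("libqsqlite.so", shipped["libqsqlite.so"]),
            "libqt4-sql-mysql": manifest_line("libqsqlmysql.so", shipped["libqsqlmysql.so"]),
        }
        # Simulate the post's scenario: one driver overwritten with different
        # bytes, and one driver dropped in that no package owns.
        with open(os.path.join(plugin_dir, "libqsqlmysql.so"), "wb") as f:
            f.write(b"constructed: replacement mysql driver")
        with open(os.path.join(plugin_dir, "libqsqlodbc.so"), "wb") as f:
            f.write(b"constructed: driver with no owning package")

        unowned, modified = audit_plugin_dir(plugin_dir, manifests)
        return {"unowned": [os.path.basename(p) for p in unowned],
                "modified": [os.path.basename(p) for p, _ in modified]}
    finally:
        for name in os.listdir(plugin_dir):
            os.unlink(os.path.join(plugin_dir, name))
        os.rmdir(plugin_dir)


if __name__ == "__main__":
    print(demo())
    # On a live host (assumed Qt 4 path), as root or with read access to dpkg's info dir:
    # print(audit_plugin_dir("/usr/lib/qt4/plugins/sqldrivers", load_dpkg_manifests()))
```

Two caveats follow from how the check works. A package that ships its own driver files is "owned" by that package, so its files pass the manifest comparison; the second half of the audit is therefore to confirm, for each driver reported as owned, that the owner is the database vendor's or distribution's package you expect (`dpkg -S <file>`), not the application you just installed. And manifests describe files at install time, so the check answers "has this changed since dpkg put it here?", which is also what `debsums` or `dpkg --verify` answer system-wide; it does not decide whether the original package was trustworthy.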
IT 101: The only time it is “safe” to use database plug-ins is when they come directly from a commercial database vendor and that vendor keeps a titanium grip on the plug-in source.
We are going to see a lot of these attacks over the next few years given the current economic and political turmoil around the world. It doesn’t matter if it is a terrorist group, Anonymous, or an organized crime entity. You have to demand statically compiled database connections to minimize the threat of these attacks.