The tech website Bleeping Computer, which carries news about security and malware, has once again demonstrated that when it comes to Linux, its understanding of security is somewhat lacking.
What makes the current case surprising is the fact that the so-called security issue which the website chose to write about had already been ripped to pieces by senior tech writer Stephen Vaughan-Nicholls four days earlier.
Called Chaos, the vulnerability was touted by a firm known as GoSecure as one that would allow a backdoor into Linux servers through SSH.
In a withering critique, Vaughan-Nicholls pointed out that it was just another case of trying to guess SSH credentials through brute force and hence had everything to do with weak passwords and little or nothing to do with either Linux or SSH.
{loadposition sam08}He also demolished all the other claims made by GoSecure, pointing out that the port which was claimed to be opened by Chaos was TCP port 8338. But to open a raw TCP socket as GoSecure claimed, Vaughan-Nicholls pointed out that one needed root access.
Which called for using two weak passwords on a single system, meaning that the admin would have to be an A-grade n00b.
Yet, four days later Bleeping Computer's Catalin Cimpanu wrote a piece titled "Improperly Secured Linux Servers Targeted with Chaos Backdoor."
Amazingly, he acknowledged Vaughan-Nicholls article – and then proceeded to treat the claims about Chaos with all the seriousness they did not deserve!
What should have given the whole game away was the fact that GoSecure's Sebastian Feldmann, who wrote about Chaos, said that he had been unable to find any documentation about the technical details of "this backdoor". Perhaps this was because any serious researcher would have realised that there was no threat posed by Chaos, except to servers run by n00bs.
GoSecure itself pointed out that though the Chaos code in question had been around for five years, less than 150 servers had been compromised through its use.
Why write about it then? One can only theorise that the combination of Linux and backdoors/malware/ransomware in a headline serves as clickbait. Bleeping Computer has form in this regard, as iTWire pointed out in September 2016.
As Vaughan-Nicholls wrote: "...the real moral of the story isn't that there's a bad new Linux security problem. There's not. It's that, for the millionth time, if you lock your systems down with good passwords, you can avoid a lot of really stupid security problems."