Trouble in paradise: mint website/forum/iso's hacked

Discussion in 'Other Operating Systems' started by IKT, Feb 22, 2016.

  1. orangepeel376

    orangepeel376 Member

    Joined:
    Feb 17, 2016
    Messages:
    60
    I'm sorry, I just read then that it was the website that got hacked, not the OS. (Excuse the Noob:D)
     
  2. deepspring

    deepspring Member

    Joined:
    Jul 8, 2002
    Messages:
    3,601
    Location:
    Maitland, NSW
    The website was hacked, yes. But it was hacked to point to a compromised version of the OS.
     
  3. @kernelhack

    @kernelhack Member

    Joined:
    Feb 9, 2013
    Messages:
    60
    Location:
    Brisbane, QLD
    It's important to understand that the hacked version of Mint that was made available never made it onto the Mint servers. Instead, a link on the website was altered to redirect requests to a different server located in Bulgaria.
     
  4. digian

    digian Member

    Joined:
    Jan 20, 2003
    Messages:
    413
It was a noob hack, the malware was a simple IRC bot, nothing fancy. They also never hacked the Mint ISOs, they just changed the download link to a fraudulent ISO hosted elsewhere, as has been said.

    Mint should be avoided, they have a history of poor security practices.
     
  5. GoneFishin22

    GoneFishin22 Member

    Joined:
    Jun 28, 2008
    Messages:
    0
    If I run "Herd Protect" I get flags within OS files of unsigned packages - I do not have the capacity to determine their potential critical functionality within the OS.

Many of these are AMD driver associated, some are Intel, etc. Frankly it gets very confusing.

Run Herd Protect yourselves and review the outcomes - yes there may be some false positives but that is far better than nothing being noted.
     
    Last edited: Mar 6, 2016
  6. deepspring

    deepspring Member

    Joined:
    Jul 8, 2002
    Messages:
    3,601
    Location:
    Maitland, NSW

    Care to elaborate?
     
  7. flu!d

    flu!d Never perfect, always genuine

    Joined:
    Jun 27, 2001
    Messages:
    18,750
    I think that's a bit harsh...

    The site got hacked, but the OS itself is fairly secure IMO provided you keep the kernel updated.
     
  8. digian

    digian Member

    Joined:
    Jan 20, 2003
    Messages:
    413
  9. @kernelhack

    @kernelhack Member

    Joined:
    Feb 9, 2013
    Messages:
    60
    Location:
    Brisbane, QLD
    Your second statement contradicts your first statement.

    Yes, I'm curious also.
     
  10. flu!d

    flu!d Never perfect, always genuine

    Joined:
    Jun 27, 2001
    Messages:
    18,750
    Mint does not blacklist updates, it ranks them according to their capability to break the OS - You are still free to install the updates, the update manager merely informs you that there may be issues if you apply certain updates according to their rank.

    You can also update the Kernel via the update manager and the process works really well, when I was running Mint I was running the latest Kernel no worries.

What a load of shit. You can run any DM you want, the difference is the operating systems in question are packaged distros that don't rely on an individual following a wiki to compile and install them - Following a wiki step by step does not make one a power user, and running a packaged distro in most cases simply means you're over the mucking around getting a distro such as Arch up and running and simply want an OS 'that works'.

    It's what you do with the OS that makes you a power user - If there is such a thing...

The Mint website was hacked redirecting to a compromised distro - The legitimate OS itself is actually a very good product. It seems to me like someone is on a bit of a witch hunt trying to get people to lose faith in a perfectly good distro simply because they're pissed at its ranking on Distrowatch....
     
    Last edited: Mar 9, 2016
  11. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    Mint is more or less Debian/Ubuntu with a slightly more liberal licensing system (i.e.: packaging up codecs and things that are in that grey area of licensing) and some pre-packaged, pre-configured things chosen that make the life of a non-technical desktop user easier.

That doesn't make it bad, nor does it make it good. It's just a niche distro like any other niche distro, and has its rightful place in the world based on merit, like all open source.

    I don't use Mint, because I can make other more customisable distros do exactly what I want (and Mint doesn't do what I want). Compare and contrast to my dad, who utterly hated Linux up until he tried Mint, and loves it. Fine by me - he's weaned off proprietary OSes, and has found something that pleases him in open source land.

    I also don't think this security breach is a reason to distrust Mint. I think it's a good reason to consider carefully how you download and verify ISOs. All of the theoretical stuff people post about checking sha256sums and pgp signatures normally gets met with a "why would you bother?" type response from regular people. Well, here's why you bother.
     
  12. deepspring

    deepspring Member

    Joined:
    Jul 8, 2002
    Messages:
    3,601
    Location:
    Maitland, NSW
    +1. :thumbup::thumbup::thumbup::thumbup::thumbup:

    It would be nice if there was a simple extension for the top web browsers that simplifies the checking of sha1/sha256/gnupg signatures of files or at least automates that process a bit. Actually... No, I will go one step further and say that it would be nice if it was a built-in feature of the top browsers.

    Why?

Not everyone wants to learn the command line or learn the hideous cryptography monster that is GnuPG (let's be honest, you practically need a masters degree in cryptography to understand how to use the frick'n thing, even with tools like GPGTools and GPG4WIN.)

    Edit: I found the following extensions...

    Firefox -> https://addons.mozilla.org/en-US/firefox/addon/download-status-bar/?src=userprofile
    Chrome -> Plenty of download managers, but nothing that specifically says it supports checksum verification.
    IE -> Nothing as yet.
    Edge -> Nothing as yet.
    Safari -> Nothing as yet.
     
    Last edited: Mar 8, 2016
  13. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    That's a bloody great idea! Especially some sort of web-of-trust type system for common PGP keys (like distro package-signing keys).

    That's already how browsers verify SSL/TLS (by distributing peer-reviewed, signed and certified CA certs). Extending that to PGP for signed downloads would be a brilliant idea.
     
  14. deepspring

    deepspring Member

    Joined:
    Jul 8, 2002
    Messages:
    3,601
    Location:
    Maitland, NSW
    The kicker.... A WOT capability already exists in PGP and OpenPGP. You can get PGP and OpenPGP keys signed by external entities, it's just never used.

    Makes you wonder how hard it would be to extend a browser to support PGP/OpenPGP signatures and to do public key signature checks, doesn't it?

    Edit: this would kill most users to do...
    https://www.gnupg.org/gph/en/manual/x56.html
    https://www.gnupg.org/gph/en/manual/x135.html
     
    Last edited: Mar 8, 2016
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    I use Mailvelope, for GPG in webmail. The feature list isn't enormous, but it works well. It in turn is based on OpenPGP.js, so it appears a lot of the nuts-and-bolts work is done. Extending those projects (don't re-invent the wheel, but instead strengthen the core by basing your project on theirs and feeding back issues and fixes upstream) to be a full-blown download verifier sounds entirely plausible.

    If the major distro authors could band together, I'm certain a solution in the form of a browser extension that would work generically for any distro (or even extended to any downloaded file) would be achievable.
     
  16. deepspring

    deepspring Member

    Joined:
    Jul 8, 2002
    Messages:
    3,601
    Location:
    Maitland, NSW
    Looking at OpenPGP.js and Mailvelope now.

I wonder if we could email the major distros with the idea and see where it leads? (About both Web-of-Trust and the browser extension ideas)

    I freely admit that I'm not great at JavaScript, but I am willing to learn now.
     
  17. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    I was on holidays for a bit there, so here's the guide. Better late than never. Using Linux as my OS to do this in. But the ideas should translate to any OS with the same open source tools installed.

    I download with wget. You can use a GUI browser or whatever.

    1) I download my ISO:

    Code:
    # wget -c 'http://mirror.internode.on.net/pub/linuxmint/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso'
    
    I download the sha256sum file, and matching signature:

    Code:
    # wget http://mirror.internode.on.net/pub/linuxmint/stable/17.3/sha256sum.txt
    # wget http://mirror.internode.on.net/pub/linuxmint/stable/17.3/sha256sum.txt.gpg
    
    I attempt to verify the sha256sum file:

    Code:
    # gpg --verify sha256sum.txt.gpg sha256sum.txt
    gpg: Signature made Thu 07 Jan 2016 02:06:20 AEST using DSA key ID 0FF405B2
    gpg: Can't check signature: public key not found
    
    I don't have the matching key. So I go looking on a trusted key server for it. I hit

    https://pgp.mit.edu/pks/lookup?search=linux+mint+package&op=index

    And get one hit back, which happens to be the Linux Mint main author's name:

    Search results for 'package mint linux'
    Type bits/keyID Date User ID
    pub 1024D/0FF405B2 2009-04-29 Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>

    I can import that key using my command line, and the serial number returned above:

    Code:
    # gpg --keyserver pgp.mit.edu --recv-keys 0FF405B2 
    gpg: requesting key 0FF405B2 from hkp server pgp.mit.edu
    gpg: key 0FF405B2: public key "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   4  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 4u
    gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
    gpg: next trustdb check due at 2017-11-03
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    Now you can verify the signature on the sha256sum [1] :

    Code:
    # gpg --verify sha256sum.txt.gpg sha256sum.txt
    gpg: Signature made Thu 07 Jan 2016 02:06:20 AEST using DSA key ID 0FF405B2
    gpg: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA  666F 3EE6 7F3D 0FF4 05B2
    
    Test the ISO you downloaded against the sha256sum (I've cut out the files I didn't download from the output here):

    Code:
    # sha256sum --check sha256sum.txt
    linuxmint-17.3-cinnamon-64bit.iso: OK
    
    And I'm good to go.

    Footnotes:

    [1] Here's an obvious hole in the trust model - do I trust that the key uploaded to the keyserver is correct? Well, of course not. But, I can see that the public key in question has been signed by other people's keys:

    Code:
    # gpg --list-sigs 0FF405B2
    pub   1024D/0FF405B2 2009-04-29
    uid                  Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
    sig          D068D42F 2014-12-08  [User ID not found]
    sig 3        0FF405B2 2009-04-29  Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
    sig          3B7F81DA 2016-02-16  [User ID not found]
    sig          AD11CBEE 2010-03-17  [User ID not found]
    sig          B8F07507 2014-03-16  [User ID not found]
    sub   2048g/0F346519 2009-04-29
    sig          0FF405B2 2009-04-29  Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
    
    They're not in my database yet, but I can incrementally track each one down, and see how trustworthy they are. The idea is that eventually you'll spot a key in the "web of trust" that you recognise (or maybe even one you've signed, if you're into crypto and participate in key signing parties), and can then trust the system as a whole.

    While the steps appear complicated, they're not really. You only have to download the key once, and it's good for a few years (most people make their keys valid from 3-5 years before they expire). So the steps next time become:

    1) Download ISO
    2) Download sha256sum.txt
    3) Download sha256sum.txt.gpg
    4) Verify sha256sum.txt via sha256sum.txt.gpg and your previously downloaded key
    5) Verify ISO via sha256sum.txt
    6) Use ISO in the safe knowledge that all is well.

    As mentioned earlier in this thread, what would be really cool is if all that could be wrapped up in a browser extension, and made to be generic enough to allow anyone to verify any download, in the same way we use https and TLS to verify websites (the main difference being that SSL/TLS uses a centralised CA - Certificate Authority - instead of a decentralised web of trust). I'd like that very much.
     
    Last edited: Mar 9, 2016
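An added example (not elvis's own code, nor anything from Linux Mint) that does steps 4 and 5 of the guide above offline: it pins the full 40-hex fingerprint gpg printed rather than the short key ID 0FF405B2, and re-implements the `sha256sum --check` pass. The gpg status-line samples, the ISO file names and the file contents are constructed for illustration; `verify_detached` assumes a `gpg` binary with the Mint key already imported, as in the guide.

```python
import hashlib
import os
import re
import subprocess
import tempfile

# Full fingerprint gpg printed in the thread, spaces removed. Pin this rather than the
# 8-hex key ID 0FF405B2: short IDs can be deliberately collided by a keyserver uploader.
MINT_FPR = "E1A38B8F144675D060EA666F3EE67F3D0FF405B2"

def signature_is_pinned(status_text, pinned=MINT_FPR):
    """True only if gpg --status-fd output carries VALIDSIG with the pinned fingerprint."""
    want = pinned.replace(" ", "").upper()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False
        if parts[1] == "VALIDSIG" and parts[2].upper() == want:
            return True
    return False  # no VALIDSIG at all (e.g. "public key not found") is a failure too

def verify_detached(sig_path, data_path, pinned=MINT_FPR):
    """Step 4: run gpg on the detached signature and check the signing fingerprint."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return signature_is_pinned(proc.stdout, pinned)

LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")  # "<hex>  name" or "<hex> *name"

def check_sha256sum(listing_path, directory):
    """Step 5: re-implement `sha256sum --check`, returning {name: OK | FAILED | MISSING}."""
    results = {}
    with open(listing_path) as fh:
        for line in fh:
            m = LINE_RE.match(line.rstrip("\n"))
            if not m:
                continue  # malformed lines are skipped, as the real tool does
            expected, name = m.group(1).lower(), m.group(2)
            path = os.path.join(directory, name)
            if not os.path.exists(path):
                results[name] = "MISSING"  # listed files you did not download
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            results[name] = "OK" if h.hexdigest() == expected else "FAILED"
    return results

# Constructed stand-ins for gpg status output (long key ID = last 16 hex of the fingerprint).
STATUS_GOOD = "[GNUPG:] GOODSIG 3EE67F3D0FF405B2 Clement Lefebvre\n[GNUPG:] VALIDSIG " + MINT_FPR + " 2016-01-06 0 0 4 0 17 2 00\n"
STATUS_OTHER_KEY = "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else\n[GNUPG:] VALIDSIG " + "0" * 40 + " 2016-01-06 0 0 4 0 17 2 00\n"

def make_sample_release(tamper=False):
    """Write a constructed 'ISO' and a sha256sum.txt listing it plus one file not downloaded."""
    d = tempfile.mkdtemp()
    data = b"constructed stand-in for an ISO image\n" * 1000
    iso = os.path.join(d, "linuxmint-sample-64bit.iso")
    with open(iso, "wb") as f:
        f.write(data)
    with open(os.path.join(d, "sha256sum.txt"), "w") as f:
        f.write(hashlib.sha256(data).hexdigest() + " *linuxmint-sample-64bit.iso\n")
        f.write("0" * 64 + " *linuxmint-sample-32bit.iso\n")
    if tamper:  # simulate a corrupted or swapped download
        with open(iso, "ab") as f:
            f.write(b"x")
    return d
```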
  18. deepspring

    deepspring Member

    Joined:
    Jul 8, 2002
    Messages:
    3,601
    Location:
    Maitland, NSW
    I don't think the author justifies his argument well enough to say there is evidence of a "larger problem".

Given that the site was hacked as well as the forum, which used software that was known to be vulnerable at the time, I suspect that it was gross negligence on the website administrators' part, not the OS maintainers.

    Something similar happened to Fedora a while back: http://www.eweek.com/developer/Fedora-Site-Hacked-but-Servers-Code-Undamaged

    If it were a different scenario, say a repository and/or a signing key for a particular package was compromised, then I'd be a whole lot more concerned about the security practices of the OS as a whole.

As elvis pointed out, that kind of scenario isn't too far-fetched and has happened in the past...

    http://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked/#!
    https://www.debian.org/News/2003/20031202
     
  19. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
Yes, the problem has happened before. Popular distros will be targeted, and at some point will be broken into. Heck, even RSA themselves have been broken into and their data compromised!

    https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise

    Just because it hits the media for Linux Mint, (a) doesn't mean it's the end of the world, and (b) doesn't mean it's not happening for thousands of other businesses and open source groups across the world right now.

    Personal security is about doing what you can to prevent things happening, which includes checking the integrity of files you've downloaded from the Internet, regardless of where they came from.

    Every single time you "apt-get install" or "yum install" something, the GPG signatures on the files are checked automatically for you. That's a good thing. Highly recommended that you do the same thing manually on the ISO images you download and install as your base OS (and that goes for any vendor or product, not just open source Linux distros).
     
  20. @kernelhack

    @kernelhack Member

    Joined:
    Feb 9, 2013
    Messages:
    60
    Location:
    Brisbane, QLD
    I actually wrote an article for Tecseek.com on this topic. It covers a lot of what has already been said here.

    I'm guessing most of us here with half a brain will most-likely agree with my own conclusion, drawn from pure logic and common-sense.

    Note, I'm not self-promoting by posting this link. Just sharing my views in a more professional environment. http://tecseek.com/2016/03/01/linux-mint-is-safe-and-secure/
     