Linux Mint: Hackers Install Software Modified With Backdoor on Website, Project Head Says
Hackers made a modified version of Linux Mint that contained a backdoor, then hacked the project's site to trick users into downloading that version, project head Clement Lefebvre wrote Sunday.
		
		- 
	--
 "a lot of people are better dead" - prisoner KSC2-303
- 
	To be more precise, if you've downloaded Mint 17.3 Cinnamon 64 bits on Saturday February 20 2016 using a mirror on the download page your request was redirected to Bulgaria and if you didn't verify the checksum you installed a compromised version. Always check the MD5sum or signature of anything you download. These kinds of attacks are not unusual, even for Windows software. 
 
 http://blog.linuxmint.com/?p=2994
 https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/
- 
	checksums are worthless if the download page is hacked like this one was, as they can easily be changed also. --
 "a lot of people are better dead" - prisoner KSC2-303
- 
	Checksums aren't worthless if you get them from a secure site after. --
 I think, therefore I am a hamster.
- 
	Quote: checksums are worthless if the download page is hacked like this one was, as they can easily be changed also.
 Well that's true, unfortunately this is what most people use. Because it is easier to use for everyone. Hopefully Linux Mint should start to provide digital signature files now (GPG).
 
 edit : here is how to do it for an Ubuntu iso (this procedure is applicable to any download as long as a digital signature file ( *.gpg / *.asc ) and a public key are available).
 https://help.ubuntu.com/community/VerifyIsoHowto
 
 You can learn more about GPG here
 https://en.wikipedia.org/wiki/GNU_Privacy_Guard
 
 edit2 : silly me, Mint does provide gpg signature files. The site is down right now so I can't check if they provided any instructions as to how to use them.
 Last edited by ackboo; 21st Feb 2016 at 16:36.
- 
	Although this does not affect my Linux Mint version, this does raise some concerns going forward. It seems nothing is safe anymore when you are connected to the web regardless of OS you use. One really needs to be vigilant when it comes to security. One day everyone will come to their senses and just unplug...... --
 Got my retirement plans all set. Looks like I only have to work another 5 years after I die........
- 
	Quote: It seems nothing is safe anymore when you are connected to the web regardless of OS you use.
 Well these days even your hardware can turn against you. Kaspersky Lab security experts learned that the hard way. Some of them found a process they didn't know about on some of their personal computers. It turned out to be a BIOS activated feature they didn't activate and it can't be properly removed since it originates from a chip on the motherboard. The software is legit but weak and can provide a remote vulnerability for an attacker. (Linux is safe from this, for now)
 Fun read : https://securelist.com/blog/research/58258/absolute-computrace-frequently-asked-questions/
 https://securelist.com/analysis/publications/58278/absolute-computrace-revisited/
 
 Regarding the backdoor in mint, digital signatures are the only way to know what is running on your system. When you download software from a linux mint repository your system checks the digital signature before installing anything. You need to establish a chain of trust, by verifying that the iso you just downloaded is legit. GPG and SHA256sum is the way to go.
 
 In windows it is easier, when you download an installer you can check the digital signatures tab in properties. Sometimes there is none and a checksum is the best tool you have.
 https://www.grc.com/pw/patchsig.htm
- 
	When was connecting to the web safe? There has always been some risk. 
 
 I use nothing but Linux these days and, yes, I like the added security. But installing any software like windows AV progs or linux thinking it's going to make you hack proof is one of the worst security blunders you can make.
- 
	More info, hundreds of compromised installs, the mint forum database stolen, fake checksums on the download page. 
 So yeah, from now on gpg/sha256 or comparing checksum files from several download servers is mandatory. And if you had a mint forum account you might want to make sure that no personal info can be used and that the password you used was solely for the mint forum.
 http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
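
Added example, not part of any post in this thread: the checks discussed above (comparing checksum files from several download servers, and verifying a GPG signature on the checksum list) written out as shell functions. The function names, the file names and the fingerprint argument are placeholders chosen for this example; `signed_by` assumes `gpg` is installed and the signing key is already imported.

```shell
#!/bin/sh
# Added example (not from the thread): check one ISO against sha256sum-format
# lists saved from several independent servers, plus an optional GPG check.
# File names and the fingerprint argument are placeholders chosen here.

# iso_digest FILE -> SHA-256 of FILE as lowercase hex
iso_digest() {
    sha256sum -- "$1" | awk '{ print $1 }'
}

# listed_digest LIST NAME -> digest recorded for NAME in LIST.
# A list line is 64 hex chars, a space, ' ' or '*', then the file name.
listed_digest() {
    awk -v name="$2" 'substr($0, 67) == name { print tolower(substr($0, 1, 64)); exit }' "$1"
}

# verify_iso ISO LIST LIST...   (body runs in a subshell, so "exit" = return)
#   0  every list names the ISO, all lists agree, and the local file matches
#   1  lists agree with each other but not with the local file
#   2  lists disagree: at least one source serves a different checksum
#   3  usage error, or a list has no entry for this ISO
verify_iso() (
    iso=$1
    [ -f "$iso" ] && [ "$#" -ge 3 ] || exit 3
    shift
    name=$(basename -- "$iso")
    first=
    for list in "$@"; do
        d=$(listed_digest "$list" "$name")
        [ -n "$d" ] || exit 3
        if [ -z "$first" ]; then first=$d
        elif [ "$d" != "$first" ]; then exit 2
        fi
    done
    [ "$first" = "$(iso_digest "$iso")" ] || exit 1
    exit 0
)

# signed_by FINGERPRINT SIGFILE LIST -> 0 only if gpg reports a valid signature
# made by exactly that key. Needs gpg and the key already imported; the
# fingerprint must come from a source other than the download page.
signed_by() (
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $1 "
)
```

Two copies of a list taken from the same compromised page agree with each other and with the tampered ISO, so `verify_iso` only adds assurance when the lists come from independent servers; the signature check does not have that limitation.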
- 
	The developers published a list of improvements to linuxmint and its website. 
 http://blog.linuxmint.com/?p=3007