VideoHelp Forum
  1. aBigMeanie aedipuss
    Linux Mint: Hackers Install Software Modified With Backdoor on Website, Project Head Says
    Hackers made a modified version of Linux Mint that contained a backdoor, then hacked the project's site to trick users into downloading that version, project head Clement Lefebvre wrote Sunday.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  2. To be more precise, if you've downloaded Linux Mint 17.3 Cinnamon 64-bit on Saturday, February 20, 2016 using a mirror on the download page, your request was redirected to Bulgaria, and if you didn't verify the checksum you installed a compromised version. Always check the MD5sum or signature of anything you download. These kinds of attacks are not unusual, even for Windows software.

    http://blog.linuxmint.com/?p=2994
    https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/
  3. aBigMeanie aedipuss
    checksums are worthless if the download page is hacked like this one was, as they can easily be changed also.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  4. I'm a Super Moderator johns0
    Checksums aren't worthless if you get them from a secure site after.
    I think,therefore i am a hamster.
  5. "checksums are worthless if the download page is hacked like this one was, as they can easily be changed also."
    Well, that's true. Unfortunately, this is what most people use, because it is easier to use for everyone. Hopefully Linux Mint should start to provide digital signature files now (GPG).

    Edit: here is how to do it for an Ubuntu ISO (this procedure is applicable to any download as long as a digital signature file (*.gpg / *.asc) and a public key are available).
    https://help.ubuntu.com/community/VerifyIsoHowto

    You can learn more about GPG here
    https://en.wikipedia.org/wiki/GNU_Privacy_Guard

    Edit 2: silly me, Mint does provide GPG signature files. The site is down right now so I can't check if they provided any instructions as to how to use them.
    Last edited by ackboo; 21st Feb 2016 at 16:36.
  6. Member racer-x
    Although this does not affect my Linux Mint version, this does raise some concerns going forward. It seems nothing is safe anymore when you are connected to the web regardless of OS you use. One really needs to be vigilant when it comes to security. One day everyone will come to their senses and just unplug......
    Got my retirement plans all set. Looks like I only have to work another 5 years after I die........
  7. "It seems nothing is safe anymore when you are connected to the web regardless of OS you use."
    Well, these days even your hardware can turn against you. Kaspersky Lab security experts learned that the hard way. Some of them found a process they didn't know about on some of their personal computers. It turned out to be a BIOS-activated feature they didn't activate, and it can't be properly removed since it originates from a chip on the motherboard. The software is legit but weak and can provide a remote vulnerability for an attacker. (Linux is safe from this, for now.)
    Fun read : https://securelist.com/blog/research/58258/absolute-computrace-frequently-asked-questions/
    https://securelist.com/analysis/publications/58278/absolute-computrace-revisited/

    Regarding the backdoor in Mint, digital signatures are the only way to know what is running on your system. When you download software from a Linux Mint repository, your system checks the digital signature before installing anything. You need to establish a chain of trust by verifying that the ISO you just downloaded is legit. GPG and SHA256sum are the way to go.

    In Windows it is easier: when you download an installer you can check the Digital Signatures tab in Properties. Sometimes there is none and a checksum is the best tool you have.
    https://www.grc.com/pw/patchsig.htm
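The order of checks discussed in posts 5 and 7 (signature on the checksum list first, then the ISO's hash), as an added example that is not from any poster or from the Linux Mint project. File names are caller-supplied, and the pinned key fingerprint is an assumption: it has to come from somewhere other than the download site.

```shell
#!/bin/sh
# Added example (not from the thread): verify an ISO against a GPG-signed
# checksum list. File names are supplied by the caller. PINNED_FPR is the
# signing key's fingerprint, obtained from somewhere other than the download
# site (assumption: the caller has such a copy).

# verify_sums_signature SUMS SIG PINNED_FPR
# Succeeds only if SIG is a good signature over SUMS made by exactly one key
# whose primary fingerprint equals PINNED_FPR.
verify_sums_signature() {
    vs_pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -r "$1" ] && [ -r "$2" ] && [ -n "$vs_pinned" ] || return 2
    # --status-fd gives machine-readable output. The human-readable "Good
    # signature" line appears for any key in the keyring, including one
    # imported from a tampered page, so the fingerprint is compared here.
    vs_status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # The last field of VALIDSIG is the primary key fingerprint.
    vs_fpr=$(printf '%s\n' "$vs_status" | awk '
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = $NF; n++ }
        END { if (good && n == 1) print fpr }')
    [ "$vs_fpr" = "$vs_pinned" ]
}

# check_iso_hash SUMS ISO
# Succeeds only if SUMS lists the ISO's file name exactly once and the
# listed SHA-256 equals the hash of the file on disk.
check_iso_hash() {
    ch_name=$(basename "$2")
    ch_want=$(awk -v n="$ch_name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$1" 2>/dev/null)
    ch_have=$(sha256sum "$2" 2>/dev/null | awk '{ print $1 }')
    [ -n "$ch_want" ] && [ "$ch_want" = "$ch_have" ]
}

# verify_iso ISO SUMS SIG PINNED_FPR
# Signature first, hash second: the hash list is only trusted once signed.
verify_iso() {
    verify_sums_signature "$2" "$3" "$4" ||
        { echo "FAIL: checksum list is not signed by the pinned key" >&2; return 1; }
    check_iso_hash "$2" "$1" ||
        { echo "FAIL: ISO hash does not match the signed list" >&2; return 1; }
    echo "OK: $1"
}
```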
  8. Member
    Originally Posted by racer-x
    ... It seems nothing is safe anymore when you are connected to the web regardless of OS you use....
    When was connecting to the web safe? There has always been some risk.

    I use nothing but Linux these days and, yes, I like the added security. But installing any software like Windows AV progs or Linux, thinking it's going to make you hack-proof, is one of the worst security blunders you can make.
  9. More info: hundreds of compromised installs, the Mint forum database stolen, fake checksums on the download page.
    So yeah, from now on GPG/SHA256 or comparing checksum files from several download servers is mandatory. And if you had a Mint forum account, you might want to make sure that no personal info can be used and that the password you used was solely for the Mint forum.
    http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
  10. The developers published a list of improvements to Linux Mint and its website.
    http://blog.linuxmint.com/?p=3007