
posted by cmn32480 on Sunday February 21 2016, @03:16PM
from the ruh-roh dept.

If you downloaded Mint Cinnamon today (for versions of "today" that include February 20th, 2016), you should immediately check the MD5 checksum. Blog entry here.

From Clem:

We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

Apparently the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the names of 3 people over there.

The comment thread suggests that the ISOs are showing up in other places, and that the Mint site may still not be entirely secure.
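The check the submission asks for, written out as an added example that is not from the post or from Linux Mint: verify a downloaded ISO against an md5sum/sha256sum-style checksum list without loading the whole image into memory. The ISO name, the file contents and the checksum lists are constructed here; as the comments note, such a list is only as trustworthy as the page it was fetched from.

```python
import hashlib
import hmac
import os
import tempfile

# MD5 is included only because the advisory asked users to check it; prefer SHA-256.
ALGOS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def parse_checksum_file(text):
    """Parse md5sum/sha256sum output lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ").lstrip("*")  # second space or '*' marks binary mode
        if digest and name:
            entries[name] = digest.lower()
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB ISO never sits fully in memory."""
    h = ALGOS[algo]()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, checksum_text, algo):
    """True only if the file's digest matches the entry listed for its basename."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False  # not listed at all: treat as unverified, never as OK
    return hmac.compare_digest(expected, file_digest(path, algo))


def demo(tmpdir=None):
    """Constructed sample: a fake 'ISO' checked against a good and a tampered list."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    iso = os.path.join(tmpdir, "linuxmint-17.3-cinnamon-64bit.iso")  # constructed name
    with open(iso, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE, NOT A REAL ISO\n" * 1000)
    good = f"{file_digest(iso, 'sha256')}  linuxmint-17.3-cinnamon-64bit.iso\n"
    # Anyone who can edit the download page can edit this list just as easily:
    tampered = good.replace(good[0], "0" if good[0] != "0" else "1", 1)
    return verify_download(iso, good, "sha256"), verify_download(iso, tampered, "sha256")
```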


  • by TheLink (332) on Monday February 29 2016, @05:08AM (#311439) Journal (Score: 2)

    But how does a user securely obtain the public key of the publisher?

    Doesn't matter in practice. If the past 9 releases over X years have been signed by the same key and nobody, including the releasers themselves, has been making noises, then when the 10th release is signed by the same key it's more likely to be as OK as the past releases.

    In contrast, this logic cannot apply if you use SHAx or MD5, since hackers could often also tamper with the page listing the hashes.

    Of course, even then, as this incident has shown, even if you are using SHAx the lower security usually doesn't matter that much in practice - it doesn't go hidden for long.

    The real problems are how they got hacked in the first place. Most organizations will have the same weaknesses and vulnerabilities to being pwned if not more. The bulk of them don't really get pwned by tampered ISOs, they get pwned by running forum software that's full of holes or by social engineering, getting spearphished etc.

  • by Pino P (4721) on Monday February 29 2016, @03:45PM (#311627) Journal (Score: 2)

    The "key continuity" model could work for something long established like PuTTY. But how would it work for a new application?

    • by TheLink (332) on Tuesday March 01 2016, @06:13AM (#311964) Journal (Score: 2)

      The same way users should build trust in a new application. Gradually.

      And if it takes NewAppVendor 1 year to detect and announce that the released NewApp was actually signed by a malicious party's GPG key, then perhaps people should stop trusting NewAppVendor and NewApp so much and avoid using NewApp and other stuff by NewAppVendor.

      People who care about security wouldn't have placed that much trust in PuTTY when it first started.