[kwlug-disc] Linux Mint site hacked
B.S.
bs27975 at yahoo.ca
Mon Feb 22 14:39:10 EST 2016
There's a reason why gpg and checksums exist. It won't be 'because we can', but 'because we have to'. Including the separate (out of 'band') fetching of keys. i.e. Separate 'transaction' / distinct fetch request.
I'm also seeing some things (can't recall where) that self-check, too. gpg not only checking integrity of the 'package', but also that it is the expected package, from the expected source. Particularly important when using mirrors.
To add to Lori's post, they're also suggesting you change any passwords you have at Mint as well.
Although one might think there are no details there of importance, I guess the possibility is correlation with other data hacked elsewhere. e.g. e-mail address becoming a common / unique identifier. Let alone if one used a password of 'password' there, where might one have used the same password at other also (silently) hacked sites, to add details to the accumulated profile ... perhaps to the point of making a hack attempt of that userid at some other site worthwhile, like a bank.
- adds to the argument of using one off / per site userids and passwords via something like lastpass. And/or one off / per site e-mail addresses, via something like MaskMe.
I saw something not long ago about ATM code getting hacked. (Perhaps occurring some time ago.) e.g. Reversing a withdrawal at every withdrawal. Permitting the hacker to repeatedly withdraw cash, without impacting a daily limit, until the machine ran out of funds. Seemed to me, at the time, that commercial concerns were being far less diligent than consumer interfaces, which seemed strange. So ... there's a valid reason for secure boot, I guess. i.e. checksums and gpg.
Lori's note, and to your point too, Cranky - minds me just how high the bar is to making any sort of e-contribution back to the community, in terms of ecosystem / environment, before writing that first line of code. Be it the need for infrastructure, or repository, checksums, gpg keys, build services, and all else. All unproductively consuming time and energy away from innovating that actual line of code that moves something forwards. Astonishing that non-professional contributions actually happen, if first they have to grok git, gpg, source forge, jenkins ("An extendable open source automation server"), or whatever other flavour of each is du jour.
So, no, nothing's sacred, and one's red flag should be that there was no gpg key or checksum, or that there was no verification process at delivery / opening. If it's 'easy', be suspicious?
- Never mind ... can you trust that published key or checksum? (Presumably a hacked web site would list the nefarious value, too.)
<sigh>
>________________________________
> From: CrankyOldBugger <crankyoldbugger at gmail.com>
>To: KWLUG discussion <kwlug-disc at kwlug.org>
>Sent: Monday, February 22, 2016 1:49 PM
>Subject: Re: [kwlug-disc] Linux Mint site hacked
>
>
>
>Is nothing sacred anymore?
>
>On Mon, 22 Feb 2016 at 13:43 L.D. Paniak <ldpaniak at fourpisolutions.com> wrote:
>
>Apparently, the Linux Mint website was hacked over the weekend:
>>http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-its-website-and-forum-after-hack-attack/
>>
>>ISO images downloaded on Feb 20 should be discarded or checked against
>>known-good checksums.
>>Images from mirror sites may have a wider window of vulnerability.
More information about the kwlug-disc
mailing list