Slashdot Mirror


Timeline Of Events: Linux Mint Website Hack That Distributed Malicious ISOs (softpedia.com)

An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web around the same time as the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.

27 of 188 comments

  1. They Need To Take EVERYTHING Down by Anonymous Coward · · Score: 3, Insightful

    They've got a serious breach with no idea how the attackers got in and continue to get in. They need to take EVERYTHING down including their name servers and verify that their registration with the root servers hasn't changed, until they have done a thorough post-breach analysis. Only then can they bring up newly installed servers with whatever vulnerability fixed.

    This should take several days. Possibly even weeks, depending on the extent of their infrastructure.

  2. I hope the virus was open source at least by elrous0 · · Score: 2

    I mean, at least make the code available.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  3. Re:WordPress ??? by MightyMartian · · Score: 3, Funny

    Which is how we got Joomla, which is the IE 7 of CMSs.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  4. Re: WordPress ??? by Billly Gates · · Score: 3, Funny

    Only as bad as IE 7? Oh OK then

  5. Re:WordPress ??? by Anonymous Coward · · Score: 5, Interesting

    Ah, Drupal. Drupal is amazing, in that it's clear the developers looked at PHP, said "this is a horrible insecure language" and then decided "let's create a giant platform on top of it to try and fix up the flaws" rather than "let's look for a language that isn't terrible."

    So now Drupal is its own language and library unto itself, and PHP has evolved to fix many of the problems Drupal attempts to solve but Drupal is stuck with their own implementations.

    The amount of code Drupal has to load to render a single webpage is hilarious and somewhat worrying. It's enough that Drupal has to have its own code caching system on top of Zend or whatever you use to try and get performance to reasonable levels.

    Which is probably the only reason you hear about WordPress getting hacked more than Drupal. Drupal has an impressive list of CVEs, but most people who try and use Drupal end up saying "fuck this" and using WordPress instead, because it's possible to get WordPress running without driving yourself insane.

  6. Re:STFU by stooo · · Score: 3, Funny

    >>Name a better CMS.
    Notepad.

    --
    aaaaaaa
  7. Re:forum by KGIII · · Score: 5, Insightful

    They were selling the database. The PMs aren't encrypted in most forums, I'm not sure about phpBB. The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords. They'll have email addresses that tie in with usernames. They'll know a little about the person so spear phishing is a possibility as is just plain phishing.

    I've got some data involved in this one. Nothing major, nothing important. I am not the least bit concerned. I did not download any of the torrents. I do have the legit versions of the .ISOs seeding - all current versions and some older versions - going back to at least v. 14. So, it sucks but it's not the end of the world - unless this damages their reputation so much that people bail on them.

    I like Linux Mint. I call it Linux for Retards - which means that I can use it without even looking at the manual. They're well supported, give access to the Ubuntu ecosystem, a cautious and safe build, and not a horrible community. I have a laptop with me that has Cinnamon on it. They'll be okay.

    But, there's a few things that make the database valuable. The emails and username combinations are a good start. They can then do some work and figure out more personal traits and then attempt some social engineering, phishing, and even targeted malware - if they want to invest enough energy.

    --
    "So long and thanks for all the fish."
  8. Re:WordPress ??? by stooo · · Score: 2

    In the world of machine safety, we call it "reasonably foreseeable misuse". If a programming language allows security flaws to happen when the programmer is lazy, it's a bad language, and should not be used for this application. Point.

    http://www.controleng.com/blog...

    --
    aaaaaaa
  9. Re:STFU by houstonbofh · · Score: 3, Interesting

    Name a better CMS.

    Offline. There is no way to secure WordPress for any length of time, so use it as a static site generator and post that. (Or Drupal, or anything else) More security and less resources needed.

  10. Re:WordPress ??? by houstonbofh · · Score: 3, Funny

    The problem with idiot proofing things is that they keep coming out with better idiots.

  11. Re:STFU by KGIII · · Score: 3, Insightful

    It's not really WordPress that's so bad. Not really. They used to be pretty bad but they, themselves, have gotten their act together. The problem is that people don't keep things updated and will use extensions and add-ons and the likes from anywhere. They won't keep those updated either. If they're maintained well, if you pick the add-ons by activity and reputation and timely security fixes, and if you're a little attentive then you'll be okay.

    There are a few add-ons (oddly enough) to help with this. There are ways to automate unattended updates. There are ways to lock down the permissions and make the suggested changes. Use a separate administrator name than user. Rename a couple of pages. After setup, remove the setup files, set the permissions to 555 when not in use, etc... You can do quite a bit, if you want. I've seen a few good guides - hell, there's a few people here who have done it enough that they can write you a guide in ten minutes and know which add-ons to use to secure it and which files to rename, all without opening a new tab.

    (That's a hint, by the way. If, you know, someone's got some advice...)

    --
    "So long and thanks for all the fish."
  12. Re:This is what happens when you use Linux by houstonbofh · · Score: 4, Insightful

    No, WordPress is still insecure as shit on FreeBSD.

  13. Re: Stop. Using. Wordpress!! by cyber-vandal · · Score: 2

    How is that relevant? I've never built a car either but I have still owned some really shit ones and have said as much. WordPress is messy, insecure and is tightly coupled to one DBMS. It's quick to set up but awkward to do it right.

  14. Re:forum by lucm · · Score: 3, Informative

    Remember that such an exploit is merely a way to create zombies, and a huge botnet of thousands and thousands of active zombies can be rented for a few dollars per hour. It's not a very lucrative market when you consider the labor and risk involved.

    That explains why those hackers who got caught by the FBI a few years ago were immensely thrilled when they made $7,000 in bitcoins.

    --
    lucm, indeed.
  15. Re:MD5/SHA1's compromise? by interval1066 · · Score: 2

    I'm a Mint user and I wasn't affected by it either. What do you think is going to happen, if you're a Mint user the page is going to reach out and grab your machine? It only affected one ISO and you would have had to download it on the 20th. Then, you would have had to install the image. Simply being a Mint user is meaningless.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  16. Re:forum by KGIII · · Score: 4, Interesting

    Probably not. You know they like Linux, you've got a known working (verified) email address, you've got a username, you might be able to make some sort of personal profile based on forum comments. You can check locations with IP addresses but that's not always a certainty. You can probably narrow down which is their preferred Mint. Depending on what they've said in public (and maybe in private) then there's some potential to assign that profile to a person. If they've used the email and/or username elsewhere, they can put some more data together.

    It really depends on what they're willing to put into it for effort. $85 is pretty cheap but they're probably not selling it as an exclusive so others will be targeting the users. They'll probably be combing through the data. It's a relational database so they may even automate some of this away (I would) and then simply start running reports. They might even have a way to weigh the data and find the more prominent posters and "mash up" what data they've shared. They'll potentially have some of the site's maintainers, admins, and even the dev team interacting with each other via PM. They might have even been dumb enough to PM passwords to each other.

    But no, really that's not much. Not as far as data spillage goes, it's not much at all.

    --
    "So long and thanks for all the fish."
  17. Re:STFU by Gr8Apes · · Score: 2

    First, if the default out of the box is highly insecure, the product's insecure. If it has a plugin framework that is insecure, the product is insecure.

    Just because you can make it secure (you think) doesn't mean the product is secure. Take Windows for example, you can run it standalone with only vetted code in a vault and it'll be pretty "secure", but that doesn't make Windows secure. You can also run a very stripped down version with lots of unnecessary crap removed and that will make it more secure than the default, but the system itself, in this case, is still not secure. And I'd posit that securing WordPress is the same game of security whack-a-mole played by those attempting to secure Windows. When you start building on sand, your task never ends.

    --
    The cesspool just got a check and balance.
  18. Re:wtf? by Sfing_ter · · Score: 2

    FTA:
    "During the second compromise, all Linux Mint ISO download mirrors were pointing to the same Bulgarian FTP site (IP: 5.104.175.212)"

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  19. Re:old-school by Anonymous Coward · · Score: 5, Informative

    If the website is compromised the md5 sums available for download on the same website are highly likely to be compromised, too...

  20. Re:old-school by Burz · · Score: 2

    but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?

    Seriously?? This is why public keys exist...

  21. Re:I dodged this by following advice from paranoid by Burz · · Score: 2

    When I pressed the update icon in my toolbar (Linux Mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording, but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify").

    So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?

    Thanks slashdot for all the paranoia over security for the past 15 years, it's paid off, just last night. :) Cheers!

    To all the jerks that say I have a tinfoil hat, have fun with your viruses!

    That's exactly what you were supposed to do! And it's properly called precaution, not paranoia.

  22. Somebody wasn't doing their homework. by Qbertino · · Score: 5, Informative

    Now WP and PHP are going to get tons of flak, once again.

    To put things into perspective: WordPress has north of 100 Million active installs. It powers more than a fourth of the entire web. That's orders of magnitude more than any other system on the planet ever has. For that, WP has an excellent security track record with the last new exploit infecting roughly 8000 websites. Once again, of the type that weren't following basic security procedures.

    Using WP for a high-profile, high traffic website such as Linux Mint may be questionable due to load issues alone, but it is doable if you follow just the simplest security principles - such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

    All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress. That, and not showering your install with tons of plugin-bloat perhaps.

    WordPress is a system for quickly cobbling together a high functionality website and for that it is excellent. But you have to know your basics about PHP and the LAMP stack, otherwise you have no business setting up a WP installation and are way better off getting one at wordpress.com or some other apphoster for WP. Which, btw., is a perfectly viable option if you've got your hands full maintaining a Linux distro and couldn't

    The Linux Mint people screwed up and perhaps even compromised some boxes that have yesterday's fake ISOs installed on them. They didn't do their homework in terms of basic web-security and this is not the fault of WP or PHP.

    I hope they learn their lesson.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Somebody wasn't doing their homework. by CRC'99 · · Score: 2

      such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

      All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress

      # Apache 2.2 access control: only the admin network (1.2.3.0/24 here) may
      # reach the login and admin URLs. On Apache 2.4 the equivalent directive
      # is "Require ip 1.2.3.0/24" in place of the Order/Allow pair.
      <Location /wp-login.php>
          Order Allow,Deny
          Allow From 1.2.3.0/24
      </Location>
      <Location /wp-admin>
          Order Allow,Deny
          Allow From 1.2.3.0/24
      </Location>

      This is enough to secure most installs for brute force / stolen credentials.

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  23. Re:old-school by Xtifr · · Score: 3, Insightful

    No. Public keys exist to ensure only one person can decrypt what you are sending.

    No, public keys also exist to verify private signatures. In all the years my public key has been out there, I've had it used for encryption maybe a handful of times (mostly for Debian voting verification), but it's been used for signature verification (mostly with Debian packages) more times than I can count.

  24. Re:STFU by JustOK · · Score: 3, Funny

    notepad++

    --
    rewriting history since 2109
  25. Re:forum by thogard · · Score: 2

    Brute forcing hash based passwords involves getting a program like John the Ripper or one of the versions that supports the bit coin mining hardware and just asking it to try a trillion of the most likely passwords in a few seconds.

    I find it entertaining that many security experts are claiming sha-256 hashes are more secure than older weaker hashes yet I can spend less than $1,500 and buy hardware that will try more than 2 trillion sha-256 hashes a second, yet the cost to do the early md5 based passwords is now significantly higher.

    I would like to see a mod of John the Ripper so it could be used as a PAM module to say "Your password would be found in round 4 using the rule 'substitute digits for letters'".

  26. Re:not a coincidence by gweihir · · Score: 2

    Verify the ISO against the SHA512 hashes and the PGP signature of the hash-file. Unlike re-downloading that actually gives you security.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
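The check gweihir describes, and the earlier point that checksums hosted on a hijacked site prove nothing on their own, worked through as an added example (not code from any poster or from the Linux Mint project): parse a GNU `sha512sum`-style sums file, compare each listed image against its digest, and verify the detached PGP signature over the sums file with a keyring that holds only a signing key obtained out of band. The file names and ISO bytes are constructed stand-ins, and `signature_is_valid` assumes `gpg` is installed.

```python
import hashlib
import re
import subprocess

# One line of a GNU sha512sum.txt: "<128 hex>  <name>"; a leading '*' on the
# name marks binary mode, so both spellings are accepted.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?(\S.*)$")


def parse_sha512sums(text: str) -> dict:
    """Map each file name listed in a sums file to its expected hex digest."""
    expected = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def check_against_sums(sums_text: str, files: dict) -> dict:
    """Return {name: "OK" | "FAILED" | "MISSING"} for every entry in the sums file."""
    # `files` maps a name to raw bytes so the check runs on constructed data;
    # for a real download, read the ISO in binary mode and hash it the same way.
    results = {}
    for name, digest in parse_sha512sums(sums_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
        else:
            results[name] = "OK" if hashlib.sha512(data).hexdigest() == digest else "FAILED"
    return results


def signature_is_valid(sums_path: str, sig_path: str, keyring: str) -> bool:
    """Verify the detached PGP signature over the sums file with gpg."""
    # `keyring` holds only the project's signing key, obtained and fingerprint-
    # checked out of band rather than from the (possibly hijacked) download page;
    # --no-default-keyring keeps any other key from satisfying the check.
    # Needs gpg on PATH; the constructed sample below does not exercise it.
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring, "--verify", sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


# Constructed sample: a stand-in "ISO", plus a sums file whose second entry was tampered with.
GOOD_ISO = b"constructed stand-in for an ISO image"
SAMPLE_SUMS = (hashlib.sha512(GOOD_ISO).hexdigest() + "  mint-cinnamon.iso\n"
               + "00" * 64 + " *mint-mate.iso\n")
SAMPLE_FILES = {"mint-cinnamon.iso": GOOD_ISO, "mint-mate.iso": b"tampered stand-in"}
```

Only a sums file whose signature verifies against a key you already trusted before the download is worth checking against; a sums file served beside the ISO by the same compromised server is replaced along with it.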