Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.os.linux.security > #682 > unrolled thread

2/20/16 Linux Mint downloads compromised

Started bybleak_fire_ <penachew@yomomma.hot.invalid>
First post2016-02-21 05:48 +0100
Last post2016-02-21 17:40 +0100
Articles 11 — 6 participants

Back to article view | Back to comp.os.linux.security


Contents

  2/20/16 Linux Mint downloads compromised bleak_fire_ <penachew@yomomma.hot.invalid> - 2016-02-21 05:48 +0100
    Re: 2/20/16 Linux Mint downloads compromised Johnny <johnny@invalid.net> - 2016-02-21 06:14 -0600
      Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 14:19 +0100
        Re: 2/20/16 Linux Mint downloads compromised Johnny <johnny@invalid.net> - 2016-02-21 10:22 -0600
          Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 17:44 +0100
            Re: 2/20/16 Linux Mint downloads compromised Caver1 <caver1@inthemud.org> - 2016-02-21 11:58 -0500
    Re: 2/20/16 Linux Mint downloads compromised Paul <nospam@needed.com> - 2016-02-21 08:43 -0500
      Re: 2/20/16 Linux Mint downloads compromised Richard Kettlewell <rjk@greenend.org.uk> - 2016-02-21 14:06 +0000
        Re: 2/20/16 Linux Mint downloads compromised Paul <nospam@needed.com> - 2016-02-21 09:37 -0500
          Re: 2/20/16 Linux Mint downloads compromised Richard Kettlewell <rjk@greenend.org.uk> - 2016-02-21 16:06 +0000
    Re: 2/20/16 Linux Mint downloads compromised Yrrah <Yrrah-aolm@aolm.invalid> - 2016-02-21 17:40 +0100

#682 — 2/20/16 Linux Mint downloads compromised

Frombleak_fire_ <penachew@yomomma.hot.invalid>
Date2016-02-21 05:48 +0100
Subject2/20/16 Linux Mint downloads compromised
Message-ID<nnd$1d3e6689$238e4bd5@695a3fabb9aa8c3c>
http://blog.linuxmint.com/?p=2994

Quotes:

"Beware of hacked ISOs if you downloaded Linux Mint on February 20th!"

"We were exposed to an intrusion today. It was brief and it shouldn’t 
impact many people, but if it impacts you, it’s very important you read 
the information below."

"Hackers made a modified Linux Mint ISO, with a backdoor in it, and 
managed to hack our website to point to it."

"As far as we know, the only compromised edition was Linux Mint 17.3 
Cinnamon edition."

"If you downloaded another release or another edition, this does not 
affect you. If you downloaded via torrents or via a direct HTTP link, 
this doesn’t affect you either."

"Finally, the situation happened today, so it should only impact people 
who downloaded this edition on February 20th."

"The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to 
absentvodka.com."

"Both lead to Sofia, Bulgaria, and the name of 3 people over there. We 
don’t know their roles in this, but if we ask for an investigation, this 
is where it will start."

-- 

bleak_fire_

since nine-seven

[toc] | [next] | [standalone]


#683

FromJohnny <johnny@invalid.net>
Date2016-02-21 06:14 -0600
Message-ID<20160221061427.6994565f@jspc>
In reply to#682
On Sun, 21 Feb 2016 05:48:09 +0100
bleak_fire_ <penachew@yomomma.hot.invalid> wrote:

> http://blog.linuxmint.com/?p=2994
> 
> Quotes:
> 
> "Beware of hacked ISOs if you downloaded Linux Mint on February 20th!"
> 
> "We were exposed to an intrusion today. It was brief and it shouldn’t 
> impact many people, but if it impacts you, it’s very important you
> read the information below."
> 
> "Hackers made a modified Linux Mint ISO, with a backdoor in it, and 
> managed to hack our website to point to it."
> 
> "As far as we know, the only compromised edition was Linux Mint 17.3 
> Cinnamon edition."
> 
> "If you downloaded another release or another edition, this does not 
> affect you. If you downloaded via torrents or via a direct HTTP link, 
> this doesn’t affect you either."
> 
> "Finally, the situation happened today, so it should only impact
> people who downloaded this edition on February 20th."
> 
> "The hacked ISOs are hosted on 5.104.175.212 and the backdoor
> connects to absentvodka.com."
> 
> "Both lead to Sofia, Bulgaria, and the name of 3 people over there.
> We don’t know their roles in this, but if we ask for an
> investigation, this is where it will start."
> 

This would be a good time for Cinnamon users to try Douane Firewall.

https://github.com/Douane/Douane/wiki/Compilation

[toc] | [prev] | [next] | [standalone]


#684

FromYrrah <Yrrah-aolm@aolm.invalid>
Date2016-02-21 14:19 +0100
Message-ID<b3ejcbtqdvnbms8j4rhjjvp9m9lo5m3v0n@net.com>
In reply to#683
Johnny <johnny@invalid.net>:

> This would be a good time for Cinnamon users to try Douane Firewall.
> 
> https://github.com/Douane/Douane/wiki/Compilation

I would if there were a compiled download or better a PPA or better
still, if it were in the Mint or Ubuntu repos.

Yrrah

[toc] | [prev] | [next] | [standalone]


#689

FromJohnny <johnny@invalid.net>
Date2016-02-21 10:22 -0600
Message-ID<20160221102250.1bdb6303@jspc>
In reply to#684
On Sun, 21 Feb 2016 14:19:56 +0100
Yrrah <Yrrah-aolm@aolm.invalid> wrote:

> Johnny <johnny@invalid.net>:
> 
> > This would be a good time for Cinnamon users to try Douane Firewall.
> > 
> > https://github.com/Douane/Douane/wiki/Compilation  
> 
> I would if there were a compiled download or better a PPA or better
> still, if it were in the Mint or Ubuntu repos.
> 
> Yrrah
> 

Maybe after this, they will add it to the repositories.

I have to admit, it's hard to get the Douane firewall working, and I
imagine most people just gave up.

It's amazing that someone smart enough to write a program like this,
can't properly explain how to install it, and get it working.

The first problem you run into during the manual installation is when
you are told to start the service with sudo service douane start.

Once you start the service, you have blocked access to the Internet,
and can't complete the rest of the installation, until you open a
terminal and enter the command sudo service douane stop.

Once you have completed the installation, you will find Douane is not
listed in the Menu.  You have to open the Menu Editor, and add it
manually.

I added it to Accessories, named it Douane, and added the start
command: douane-configurator.  Then I went to ~/Douane, found the icon
to use.

After all this, when you open the configurator and start the Douane
firewall, you will find that you get no dialog box asking which
programs you want to allow to access the Internet.  You are just
blocked from Internet access.

Then you have to go to ~/Douane/douane-configurator/douane,
you have to make autostart.py, dbus.py, and _init-.py executable.

Then when you start the firewall, and then start Firefox, you will get
a dialog box asking if you want to allow Firefox to access the Internet.


[toc] | [prev] | [next] | [standalone]


#690

FromYrrah <Yrrah-aolm@aolm.invalid>
Date2016-02-21 17:44 +0100
Message-ID<l4qjcb9i6lbln3h89ik0983qqmirk6q0br@net.com>
In reply to#689
Johnny <johnny@invalid.net>:

> > > This would be a good time for Cinnamon users to try Douane Firewall.
 
> > I would if there were a compiled download or better a PPA or better
> > still, if it were in the Mint or Ubuntu repos.
 
> Maybe after this, they will add it to the repositories.
> 
> I have to admit, it's hard to get the Douane firewall working, and I
> imagine most people just gave up.
>(useful info deleted)

Thanks for the info. I think the author needs help. I know far too
little about the matter, so I can't be of assistance.

Yrrah

[toc] | [prev] | [next] | [standalone]


#692

FromCaver1 <caver1@inthemud.org>
Date2016-02-21 11:58 -0500
Message-ID<nacq58$p8c$1@dont-email.me>
In reply to#690
On 02/21/2016 11:44 AM, Yrrah wrote:
> Johnny <johnny@invalid.net>:
>
>>>> This would be a good time for Cinnamon users to try Douane Firewall.
>
>>> I would if there were a compiled download or better a PPA or better
>>> still, if it were in the Mint or Ubuntu repos.
>
>> Maybe after this, they will add it to the repositories.
>>
>> I have to admit, it's hard to get the Douane firewall working, and I
>> imagine most people just gave up.
>> (useful info deleted)
>
> Thanks for the info. I think the author needs help. I know far too
> little about the matter, so I can't be of assistance.
>
> Yrrah
>

I have yet been able to successfully configure Douanne.

-- 
Caver1

[toc] | [prev] | [next] | [standalone]


#685

FromPaul <nospam@needed.com>
Date2016-02-21 08:43 -0500
Message-ID<naceo1$bl4$1@dont-email.me>
In reply to#682
bleak_fire_ wrote:
> http://blog.linuxmint.com/?p=2994
> 
> Quotes:
> 
> "Beware of hacked ISOs if you downloaded Linux Mint on February 20th!"

http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/

    "If you run Linux, use the command md5sum nameofiso.iso, e..g

        md5sum linuxmint-17.3-cinnamon-64bit.iso

     The ISO image is clean if the signature matches
     one of those listed below..."

Well, don't do that. It takes 60 seconds on a Pentium 4
computer, to "fix" an ISO so it has the correct MD5SUM.
MD5 is compromised, and is no good for this purpose.
SHA1 is better than MD5, in that if a compromise exists,
it can't be done on a P4 in 60 seconds.

This article reviews the usefulness of MD5.

https://en.wikipedia.org/wiki/Md5

SHA1 has a security rating of "yellow". MD5 has
a security rating of "red". The change-over to SHA-2
(SHA256) for https certificates, has a rating
of "green". If a mirror of the Mint site provides
a SHA1 checksum file, that might be good enough for
detecting script kiddie changes, but a nation state
with a supercomputer might be able to fake a correct
SHA1 as well.

https://en.wikipedia.org/wiki/Sha1

It might be better to just throw the ISO image away,
and download again, when a safe source is known.

*******

http://mirror.csclub.uwaterloo.ca/linuxmint//stable/17.3/

linuxmint-17.3-cinnamon-32bit.iso                  30-Nov-2015 10:14      1G
linuxmint-17.3-cinnamon-64bit.iso                  28-Nov-2015 18:18      1G
linuxmint-17.3-cinnamon-nocodecs-32bit.iso         30-Nov-2015 21:06      1G
linuxmint-17.3-cinnamon-nocodecs-64bit.iso         30-Nov-2015 18:10      1G
linuxmint-17.3-cinnamon-oem-64bit.iso              01-Dec-2015 09:31      2G
linuxmint-17.3-kde-32bit.iso                       05-Jan-2016 22:57      2G
linuxmint-17.3-kde-64bit.iso                       05-Jan-2016 21:26      2G
linuxmint-17.3-mate-32bit.iso                      30-Nov-2015 10:31      1G
linuxmint-17.3-mate-64bit.iso                      28-Nov-2015 18:19      2G
linuxmint-17.3-mate-nocodecs-32bit.iso             01-Dec-2015 02:43      1G
linuxmint-17.3-mate-nocodecs-64bit.iso             01-Dec-2015 01:01      2G
linuxmint-17.3-mate-oem-64bit.iso                  01-Dec-2015 10:42      2G
linuxmint-17.3-xfce-32bit.iso                      05-Jan-2016 16:41      1G
linuxmint-17.3-xfce-64bit.iso                      05-Jan-2016 15:48      1G
md5sum.txt                                         06-Jan-2016 16:00     958
sha256sum.txt                                      06-Jan-2016 16:03    1406 <---
sha256sum.txt.gpg                                  06-Jan-2016 16:09     181

So some SHA256 checksums are available.
Now, try and find a working utility to do that :-)
I usually end up collecting source code for these
checksum programs, just because of the deficiencies
I find in some of them. One "suite" I downloaded,
it actually failed some test cases I ran against it,
which didn't exactly build my confidence in publicly
available code. Failing a test case isn't the worst
thing in the world, since it means the program isn't
going to be validating any downloads on you and effectively
claiming they are good downloads. It would basically
reject everything you'd downloaded.

46b8a14826a53f4cacf56d1132a5184c2132f274aef8103e5e8e8cae9e1cfde0  linuxmint-17.3-cinnamon-32bit.iso
854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3  linuxmint-17.3-cinnamon-64bit.iso
506a8e88c83cddc7fadd2b7c5bf25b7e6a15f028e1628004dcd6470084430f17  linuxmint-17.3-mate-32bit.iso
d02bfaae749db966778276a8ae364843c1ffb37b3e1990c205f938bda367ad2a  linuxmint-17.3-mate-64bit.iso
e61ed8f5df9283e86926fb7c414f36f7649ce716517093807a193aaf7d396bb8  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
c149f3f57275e5d64bf0401d12eff5d021b92688dbd21cdbb4111cb3415eda17  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
ba6c4f3e70929f3e90d03fb3063892085b7a0e829579dc0f48723e94a2bc6570  linuxmint-17.3-mate-nocodecs-32bit.iso
71604ef7479855213ae044e4c896f38249ea4bc567f0013bd0157080f3130941  linuxmint-17.3-mate-nocodecs-64bit.iso
48d82518a73962f9b5d9d61383a90132b64ee6fa489a67547468c136c8a27bfd  linuxmint-17.3-cinnamon-oem-64bit.iso
694bf952d68eb5a69560a756e578d85531be1498b08dd30aee6919c9139a7434  linuxmint-17.3-mate-oem-64bit.iso
be64bf240a47df03fedca1b8aeb9357896e3dedd55446a0f87eca4f638c9d28c  linuxmint-17.3-kde-32bit.iso
aa33bf286e92556163c335b258fe5cbd9f65f4ab8490e277fed94cf20d3920e4  linuxmint-17.3-kde-64bit.iso
cebff34e99b071d7237d2cfd2e24719f5a72e9e499a82d424007e850befc755b  linuxmint-17.3-xfce-32bit.iso
83c1796a37582bdea74117193cef369582d72093fd0b5278ae03016bd8685b04  linuxmint-17.3-xfce-64bit.iso

And if you haven't "embraced the hex", it's 2016, say hello
to the hexadecimal number system :-)

Have fun,
    Paul

[toc] | [prev] | [next] | [standalone]


#686

FromRichard Kettlewell <rjk@greenend.org.uk>
Date2016-02-21 14:06 +0000
Message-ID<871t86ma3c.fsf@mantic.terraraq.uk>
In reply to#685
Paul <nospam@needed.com> writes:
> http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/
>
>    "If you run Linux, use the command md5sum nameofiso.iso, e..g
>
>        md5sum linuxmint-17.3-cinnamon-64bit.iso
>
>     The ISO image is clean if the signature matches
>     one of those listed below..."
>
> Well, don't do that. It takes 60 seconds on a Pentium 4
> computer, to "fix" an ISO so it has the correct MD5SUM.

Go on then, produce a second well-formed ISO image that hashes to
e71a2aad8b58605e906dbea444dc4983.

Or if you’d prefer to work with a smaller first preimage:

    $ cat /etc/motd

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    $ md5sum /etc/motd
    9830e3dbb6a828f2cc824db8db0ceaf7  /etc/motd

Clock’s ticking!

> MD5 is compromised, and is no good for this purpose.

MD5’s collision resistance is well known to be completely broken, but
this application does not depend on collision resistance.  

It’s certainly somewhat disappointing to see it still used in 2016, but
that’s no excuse for spreading FUD.

-- 
http://www.greenend.org.uk/rjk/

[toc] | [prev] | [next] | [standalone]


#687

FromPaul <nospam@needed.com>
Date2016-02-21 09:37 -0500
Message-ID<nachtt$oai$1@dont-email.me>
In reply to#686
Richard Kettlewell wrote:
> Paul <nospam@needed.com> writes:
>> http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/
>>
>>    "If you run Linux, use the command md5sum nameofiso.iso, e..g
>>
>>        md5sum linuxmint-17.3-cinnamon-64bit.iso
>>
>>     The ISO image is clean if the signature matches
>>     one of those listed below..."
>>
>> Well, don't do that. It takes 60 seconds on a Pentium 4
>> computer, to "fix" an ISO so it has the correct MD5SUM.
> 
> Go on then, produce a second well-formed ISO image that hashes to
> e71a2aad8b58605e906dbea444dc4983.
> 
> Or if you’d prefer to work with a smaller first preimage:
> 
>     $ cat /etc/motd
> 
>     The programs included with the Debian GNU/Linux system are free software;
>     the exact distribution terms for each program are described in the
>     individual files in /usr/share/doc/*/copyright.
> 
>     Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
>     permitted by applicable law.
>     $ md5sum /etc/motd
>     9830e3dbb6a828f2cc824db8db0ceaf7  /etc/motd
> 
> Clock’s ticking!
> 
>> MD5 is compromised, and is no good for this purpose.
> 
> MD5’s collision resistance is well known to be completely broken, but
> this application does not depend on collision resistance.  
> 
> It’s certainly somewhat disappointing to see it still used in 2016, but
> that’s no excuse for spreading FUD.
> 

So you're saying, if I take the Mint ISO, modify it,
then adjust a portion of the ISO that doesn't matter
to the function of the installation or operation,
so the MD5 is the same as the official release,
it doesn't matter ?

Perhaps I misunderstand what a checksum is for ?

    Paul

[toc] | [prev] | [next] | [standalone]


#688

FromRichard Kettlewell <rjk@greenend.org.uk>
Date2016-02-21 16:06 +0000
Message-ID<87vb5ikpz4.fsf@mantic.terraraq.uk>
In reply to#687
Paul <nospam@needed.com> writes:
> Richard Kettlewell wrote:
>> Paul <nospam@needed.com> writes:
>>> http://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/
>>>
>>>    "If you run Linux, use the command md5sum nameofiso.iso, e..g
>>>
>>>        md5sum linuxmint-17.3-cinnamon-64bit.iso
>>>
>>>     The ISO image is clean if the signature matches
>>>     one of those listed below..."
>>>
>>> Well, don't do that. It takes 60 seconds on a Pentium 4
>>> computer, to "fix" an ISO so it has the correct MD5SUM.
>>
>> Go on then, produce a second well-formed ISO image that hashes to
>> e71a2aad8b58605e906dbea444dc4983.
>>
>> Or if you’d prefer to work with a smaller first preimage:
>>
>>     $ cat /etc/motd
>>
>>     The programs included with the Debian GNU/Linux system are free software;
>>     the exact distribution terms for each program are described in the
>>     individual files in /usr/share/doc/*/copyright.
>>
>>     Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
>>     permitted by applicable law.
>>     $ md5sum /etc/motd
>>     9830e3dbb6a828f2cc824db8db0ceaf7  /etc/motd
>>
>> Clock’s ticking!
>>
>>> MD5 is compromised, and is no good for this purpose.
>>
>> MD5’s collision resistance is well known to be completely broken, but
>> this application does not depend on collision resistance.  
>>
>> It’s certainly somewhat disappointing to see it still used in 2016, but
>> that’s no excuse for spreading FUD.
>
> So you're saying, if I take the Mint ISO, modify it,
> then adjust a portion of the ISO that doesn't matter
> to the function of the installation or operation,
> so the MD5 is the same as the official release,
> it doesn't matter ?

No, I’m not saying that.

> Perhaps I misunderstand what a checksum is for ?

You’ve misunderstood what is wrong with MD5.

-- 
http://www.greenend.org.uk/rjk/

[toc] | [prev] | [next] | [standalone]


#691

FromYrrah <Yrrah-aolm@aolm.invalid>
Date2016-02-21 17:40 +0100
Message-ID<4spjcbdkuvrb84kipmp84gkkbbdkhcevb1@net.com>
In reply to#682
bleak_fire_ <penachew@yomomma.hot.invalid>:

> "Beware of hacked ISOs if you downloaded Linux Mint on February 20th!"

TARFU. Also: 
<http://news.softpedia.com/news/linux-mint-forums-completely-compromised-users-need-to-change-their-passwords-500724.shtml>

Yrrah


[toc] | [prev] | [standalone]


Back to top | Article view | comp.os.linux.security


csiph-web