Linux Mint Hacked Briefly – Bad ISOs, Compromised Forum

On February 20th, servers hosting the Linux Mint web site were compromised and the site was modified to point to a version of Mint with a backdoor installed. Very few people were impacted, fortunately; only those who downloaded Mint 17.3 Cinnamon on February 20th. The forum user database was also compromised.

What is most impressive here is not that Linux Mint was compromised, but the response and the security measures already in place that kept this from becoming a bigger problem. First, the problem was detected the same day, so the compromise lasted less than a day. Second, it only affected downloads of a specific version, and only through a specific link, so anyone downloading via a direct HTTP request or a torrent is unaffected. Third, they were able to track down the names of three people in Bulgaria who are responsible for this hack.

As for the forum compromise, the breach netted usernames, emails, and encrypted passwords, as well as personal information that forum users may have entered in signatures or private messages. It’s always nice to see when compromised sites are not storing passwords in plain text, though.

There is one security measure which should have protected against this and failed for a couple of reasons, and that’s the signature. Normally, the file download is accompanied by a signature which is generated from the file, like an MD5 or SHA checksum. By generating the checksum of the downloaded ISO file and comparing it to the reported signature on the web site, one can confirm that the file has downloaded correctly and that it is the same file. In this case anyone downloading the bad ISO should have caught that the downloaded file was not the official one because the signatures did not match. This can fail in two ways. Most people are too lazy to check (and there is no automated checking process). More importantly, because the attackers controlled the web site, they could change the site to report any signature they wanted, including the signature for the bad ISO file.
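To make that failure mode concrete, here is an added example (not from the original post or the Mint project) that checks a downloaded image against a sha256sum-style file, and shows why a checksum served from the same site as the download cannot, on its own, prove the file is authentic. The image bytes and file name are constructed stand-ins.

```python
import hashlib
from typing import Optional

# Constructed stand-ins for the real image bytes and file name.
ISO_NAME = "linuxmint-17.3-cinnamon-64bit.iso"
GOOD_ISO = b"official image contents (constructed)\n"
BAD_ISO = b"image contents with a backdoor (constructed)\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file bytes, as sha256sum prints it."""
    return hashlib.sha256(data).hexdigest()


def sums_line(digest: str, name: str) -> str:
    """Render one sha256sum.txt line: '<hex digest>  <filename>'."""
    return f"{digest}  {name}\n"


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hex digest}."""
    out = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2:
            out[parts[1].lstrip("*")] = parts[0].lower()  # '*' marks binary mode
    return out


def verify(data: bytes, name: str, sums_text: str, pinned: Optional[str] = None) -> bool:
    """True if the file matches the published sums file and, when given,
    a digest obtained out of band (a mirror, a mailing list, a friend)."""
    expected = parse_sums(sums_text).get(name)
    if expected is None or sha256_hex(data) != expected:
        return False
    return pinned is None or expected == pinned


def tampered_iso_only() -> bool:
    # Attacker swapped the ISO but left the original sums file: the check catches it.
    return verify(BAD_ISO, ISO_NAME, sums_line(sha256_hex(GOOD_ISO), ISO_NAME))


def tampered_site() -> bool:
    # Attacker controls the site, so the sums file lists the bad ISO's digest: the check passes.
    return verify(BAD_ISO, ISO_NAME, sums_line(sha256_hex(BAD_ISO), ISO_NAME))


def tampered_site_with_pin() -> bool:
    # Same compromised site, but the digest is also compared to one pinned from an independent source.
    good = sha256_hex(GOOD_ISO)
    return verify(BAD_ISO, ISO_NAME, sums_line(sha256_hex(BAD_ISO), ISO_NAME), pinned=good)
```

The third scenario is the point: a checksum only helps when the expected value comes from somewhere the attacker does not also control.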

If you are affected by this, you should change your password on the forum and anywhere you use the same email/password. More importantly, as great as the verification signature is, shouldn’t there be a better way to verify so that people use it regularly and so that it can’t be compromised so easily?

BackTrack 3 final is out

OpenSuse and Ubuntu are perfectly serviceable Linux distros, but we’ve had a soft spot for BackTrack from the very start. Good news for us, since yesterday was the long awaited release of BackTrack 3 Final. It uses the same kernel as before (to maintain WiFi injection compatibility) and Nessus is still out, but it is not without a great deal of other improvements. Its forensic capabilities are better than ever, largely due to included apps like a fully functional version of SAINT and a special version of Maltego made just for BackTrack. The download is free, but Remote-Exploit is asking users not to distribute it without notifying them first, because they’re trying to keep track of the number of downloads.

[via Midnight Research Labs]

OpenSUSE 11.0 reviewed

Download squad has posted a thorough review of OpenSUSE 11.0. Previous versions of the Linux distro were plagued by thorny and confusing installations, but OpenSUSE 11.0 installs much more easily and cleanly. After a few standard configuration screens, the user has several options for admin accounts, disk partitions, dual-boot setups, and more. The installation of the OS files takes about 20 minutes from there, followed by a quick reboot and first boot, making for a highly customizable yet speedy install from start to finish.

The other major problem with previous versions was the inconsistent speed of their package handling system. In 11.0, though, a new command line app called Zypper makes installing updates, patches, and other packages much faster.

The final verdict is that OpenSUSE 11.0 has become a viable alternative to Ubuntu; the overall quality of the open source distro was never in question, but now that speed has gone from being its biggest deficiency to being one of its biggest strengths, we expect to see a lot more chameleons in the wild.

OpenTom – roll your own TomTom distro

TomTom already runs Linux. The OpenTom project has documented the TomTom hardware and software to allow custom software builds to run. The Wiki covers everything from build tools to hardware connections. So far, an MP3 player has been released using the build tools. Hmm, I might have to pick one up to develop on myself. Thanks to [kniVes788] for the tip.