[Durham] Beware of hacked ISOs if you downloaded Linux Mint on February 20th!
mark
mark at aktivix.org
Thu Feb 25 09:32:08 UTC 2016
Richard Patterson:
> Please be aware that the Mint website was compromised recently,
> and hacked ISOs were uploaded containing a backdoor.
Thanks Richard,
Fortunately, nobody I know seems to have been affected by this.
For some time now, me and some other Mint users have been advocating
for some simple improvements in security and I really hope we'll be
taken more seriously now.
The main things we were asking for were to use a stronger hash
function than MD5, to sign with GPG, to integrate the signing key into
the WOT, to move the forums to a different machine from the main site,
and to implement TLS on the main site (i.e. the site with all the
download links on it).
From what's been written, it seems that the attack used a WordPress
vulnerability to get a www-data shell and thence edit the download
links. So that is a reminder to us all that we should keep our webapps
on different machines from other things, I think. And to have
nightmares about our IOT devices.
Cheers,
Mark