Lesson from Linux Mint breach: Trust is not enough

If you're downloading files from the Internet, you need to make absolutely sure they're authentic

No one ever looks at checksums, claims the attacker behind the Linux Mint breach. That needs to change.

The attack against Linux Mint's website, where users were tricked into downloading a modified ISO Linux Mint 17.3 Cinnamon from a Bulgarian server, highlights the risks of downloading software from the Internet. Just because the download link is on the official (thus, trusted) website is not enough to guarantee the software itself is safe. Users have to verify the authenticity of the software themselves.

"Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," project lead Clem Lefebvre posted on the Linux Mint blog. Lefebvre has taken the entire server offline to contain the breach and fix the issues.

Getting trusted software

While the general recommendation is to rely on official sources, that advice is not so helpful when the official sources are compromised. In the first post-intrusion blog post, the Mint team told users to consult the ISO's MD5 checksum to ensure the downloaded file matched the string posted on the website. In fact, users should always verify the checksum before installing to make sure the file hasn't been tampered with.

Users should look for download links served up over HTTPS and not HTTP where possible, said Wim Remes, a Rapid7 manager. While Lefebvre said HTTPS would not have helped in this specific case, it's a good thing to look for. "Verify the SSL certificate in case you are questioning the source," Remes said.

While MD5 checksums are widely used, they aren't the best choice for verifying file authenticity because MD5 hashes are weak and can easily be cracked. The more secure alternative would be to generate SHA-256 checksums. Even SHA-1, which has its own security weaknesses, would be a better choice than MD5.

There's another, more pressing problem with Mint's advice about using MD5 checksums: If the attacker has enough access to the website to modify the download links so they point to a malicious download, then presumably the attacker can also post the modified file's checksum to the site. According to ZDNet, that appears to be exactly what happened.

This is why maintainers should adopt signed checksums for their software, and users need to get in the habit of verifying downloads with public keys. In this case, the developers would sign the software with their private key, and the users downloading the software package would verify the signature with the available public key to ensure authenticity.

With signed checksums, attackers can't easily put up modified ISOs and fake checksums. Assuming, of course, that attackers don't somehow steal the private PGP key and password as well. Pro tip: Don't store the private key and password on the public server.
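The check described above, sketched as a shell script (an added example, not taken from Linux Mint's or any other project's documentation). The file names sha256sum.txt and sha256sum.txt.gpg, the function names, and the pinned fingerprint argument are assumptions; the fingerprint has to come from somewhere other than the download site, since an attacker who controls the site can replace anything published there.

```shell
#!/bin/sh
# Added example: trust a download only if (1) the checksum list carries a
# valid signature from a key pinned in advance and (2) the file's SHA-256
# matches the entry in that signed list. The signing key is assumed to be
# in the local GnuPG keyring already.

# signed_by STATUS_TEXT PINNED_FPR
# Succeeds only if gpg's machine-readable status contains a VALIDSIG line
# naming the pinned key. Field 3 is the key that made the signature; the
# last field is its primary key. Fingerprints are uppercase hex, no spaces.
signed_by() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# hash_listed FILE SUMS_FILE
# Succeeds only if FILE hashes to the value listed for its name in
# SUMS_FILE ("<hash>  name" or "<hash> *name"). A missing or duplicated
# entry fails the comparison, so the check fails closed.
hash_listed() {
    want=$(awk -v f="$(basename "$1")" '
        { n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$2")
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# verify_download ISO SUMS_FILE SIG_FILE PINNED_FPR
verify_download() {
    # Signature first: an unsigned checksum list proves nothing if the
    # site that serves it is the thing that was compromised.
    status=$(gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    signed_by "$status" "$4" || return 1
    hash_listed "$1" "$2"
}

# Example call (file names and fingerprint are placeholders):
#   verify_download linuxmint.iso sha256sum.txt sha256sum.txt.gpg \
#       "<40-hex-digit fingerprint obtained out of band>" \
#       && echo "OK to install" || echo "DO NOT INSTALL"
```

Checking the fingerprint in the VALIDSIG line matters because gpg also reports success for a signature made by any other key that happens to be in the keyring.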

To be fair to Mint, the team does sign releases with a PGP key, and the file is available on its download server, but it isn't easy to find. This isn't a problem with only Mint, though. Many distributions, even Ubuntu, make it difficult for users to find the signature file, let alone the instructions on how to verify the signature. Tails, the paranoid's choice of Linux, offers clear instructions on how to verify PGP signatures when downloading the ISO.

More software developers, not Linux maintainers alone, should adopt the practice.

The key mistakes

The attacker compromised the website by exploiting a flaw in WordPress to get a www-data shell. While the site had the most recent build of the popular content management platform, the attackers were able to find a way in because the site used a custom theme and had "lax file permissions for a few hours," Lefebvre said.

The team appears to have made other mistakes beyond file permissions. The attackers were able to break into the community forums and related user information. Setting aside the question of whether Mint should be using phpBB -- frequently criticized for security vulnerabilities -- the database was not properly secured. The person claiming responsibility for the breach posted part of a configuration file on Hacker News showing that Mint had selected the same database username as the database name itself, "lms14." The database password appeared to be "upMint."

Perhaps "the insanely secure db credentials had something to do with the breach? But what would I know," the poster wrote.

Anyone who downloaded Linux Mint 17.3 Cinnamon on Feb. 20 should immediately get rid of that file and redownload the correct ISO. If the ISO, which has been modified to run a DDoS botnet, has already been installed, the system should be taken offline and re-installed with the real ISO.

Remes also suggests using an older, verified version and then using the update/upgrade packages from the repository instead of just grabbing a new ISO.

The "Linuxmint.com shell, php mailer, and full forum dump" was available for sale on underground forums hours after the attack was made public, according to Yonathan Klijnsma, senior threat intelligence analyst for Fox-IT, a Dutch security firm. Anyone who had a forum account should immediately change their passwords if they had been reused on other sites.

Lefebvre claims this is the first time Linux Mint has experienced anything more serious than a DDoS attack and that communication is an important part of recovery. "It's also important we communicate about this attack because we're not talking about downtime or inconvenience here, this is a call to action," he said. People who are affected by the breach need to know what is happening so that "they don't get hurt or used going forward," he wrote.

Copyright © 2016 IDG Communications, Inc.