Linux Mint users were exposed to a troubling vulnerability in February, when the Linux Mint website was hacked and distributed malware-infested ISOs for a day. The forum user database was also stolen. Linux Mint’s Clement Lefebvre recently posted a monthly newsletter for users, explaining how the problem has been fixed and how Linux Mint will be more secure in the future.
Fighting the malware
Linux Mint’s developers took immediate action to improve security. “We feel a bit guilty this month because the attacks took all our focus and we didn’t work on Linux Mint as much we’d want,” the newsletter reads. Future releases of Linux Mint may be delayed a little, but that’s a small price to pay given the circumstances.
Linux Mint received valuable help from Avast, which reached out to the OS maker after the attack and offered to analyze the tampered ISO. A day later, Avast delivered a full malware analysis of the file. The Linux Mint team then issued an update warning users who may have unknowingly installed from an infected ISO. Avast and AVG also blocked access to the servers the attackers used, preventing the malware from phoning home.
Hardening the website
Improvements have also been made to the Linux Mint website to guard against attacks that push users toward malicious software. This sort of risk was driven home when the popular open-source Transmission BitTorrent client was recently found distributing the first ransomware for Mac after hackers breached its website.
Restrictions have been placed on the Linux Mint website's servers, and the software that runs the servers has been hardened. Security software company Sucuri assisted here, scanning Linux Mint’s servers for malware and adding a firewall and malware scanning for protection. Linux Mint just updated its password policy to better secure the forums and community website, too.
Linux Mint also enabled HTTPS across the website, with the exception of the blog for now. HTTPS would not have stopped the recent attack, since the malicious ISOs were served from the compromised site itself, but it does prevent man-in-the-middle attacks, where someone intercepts your connection, shows you a fake Linux Mint website and pushes you to download a malicious ISO. HTTPS ensures you’re talking to the real Linux Mint server and that the pages haven’t been altered in transit.
The website will also communicate the SHA256 checksums and GPG signing information for ISO downloads more clearly. The checksum lets you confirm that the file you downloaded exactly matches the one Linux Mint produced; the GPG signature lets you confirm that the checksum list itself came from Linux Mint, which matters because an attacker who can replace an ISO on a server can usually replace a checksum posted alongside it just as easily.
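As an added illustration of the check described above (an example script written for this page, not Linux Mint's own tooling): it verifies an ISO against a sha256sum.txt in the format sha256sum writes, and shows where gpg --verify of that list fits. The temp directory, the file names and the fake image contents are constructed for the demo so it runs offline; the Mint signing key and the real download URLs are not assumed, which is why the signature step is defined but not invoked.

```shell
#!/bin/sh
# Added example, not Linux Mint's own tooling: verify a downloaded ISO against
# the sha256sum.txt published next to it, and show where the GPG check of that
# list belongs. The ISO and checksum list are constructed in a temp dir.
set -eu

WORKDIR="$(mktemp -d)"

# sha256_of <file>: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Publisher side (constructed): a fake image and its checksum list in the
# "digest  filename" format that sha256sum writes and sha256sum -c reads.
printf 'constructed ISO contents, not a real image\n' > "$WORKDIR/linuxmint-demo.iso"
printf '%s  linuxmint-demo.iso\n' "$(sha256_of "$WORKDIR/linuxmint-demo.iso")" \
    > "$WORKDIR/sha256sum.txt"

# verify_iso <iso> <sha256sum.txt>
# Exit status 0 only when the ISO's digest exactly matches the entry for its
# basename; 1 on mismatch; 2 when the list has no entry for that file.
# Accepts both "digest  name" and binary-mode "digest *name" lines.
verify_iso() {
    iso="$1"; list="$2"
    name="$(basename "$iso")"
    expected="$(awk -v n="$name" '($2 == n || $2 == "*" n) { print $1; exit }' "$list")"
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $(basename "$list")" >&2
        return 2
    fi
    actual="$(sha256_of "$iso")"
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches $(basename "$list")"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_list_signature <sha256sum.txt> <sha256sum.txt.gpg>
# The checksum list must itself be authenticated: whoever can replace the ISO
# on the server can replace the posted digest too. This needs the Linux Mint
# signing key already imported into your keyring; it is not run in the demo
# because no real signature is available offline.
verify_list_signature() {
    gpg --verify "$2" "$1"
}

# Demo: the untouched image passes; a same-named copy served from a second
# "mirror" with a payload appended fails the digest comparison.
verify_iso "$WORKDIR/linuxmint-demo.iso" "$WORKDIR/sha256sum.txt"
mkdir "$WORKDIR/mirror2"
cp "$WORKDIR/linuxmint-demo.iso" "$WORKDIR/mirror2/linuxmint-demo.iso"
printf 'injected payload\n' >> "$WORKDIR/mirror2/linuxmint-demo.iso"
if verify_iso "$WORKDIR/mirror2/linuxmint-demo.iso" "$WORKDIR/sha256sum.txt"; then
    echo "unexpected: tampered image passed" >&2
    exit 1
fi
```

On a real download, `sha256sum --ignore-missing -c sha256sum.txt` performs the same digest comparison in one line; the function form only makes the exit codes explicit. Run the GPG check on the list before trusting any digest in it, and treat a signature failure exactly like a checksum failure: discard the ISO.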
Increasing Linux Mint’s security
The hack demonstrates that, while Linux is targeted far less often than Windows, it's not immune to malware. “We cannot ignore the threat of malware and think that it only affects Windows,” write the developers. They note that a third-party personal package archive, or PPA, could go rogue at any time and begin distributing malware to users who trust it for software updates.
To this end, the developers are considering re-adding the graphical Gufw firewall tool to the default software selection. Gufw is a front end to the ufw firewall, giving users a graphical way to control which incoming and outgoing connections the system allows.
Linux Mint also wants to provide better information about how its update policy works. In response to the hack, a Debian developer criticized Linux Mint for not issuing security advisories, as other mainstream distributions do. He also accused Mint’s developers of creating a “FrankenDebian,” with unpredictable system updates. “I do not think that the Mint developers deliver professional work,” concluded the Debian contributor. Ouch.
Clem responded to such criticisms in a reply to a comment: “This is the kind of things (sic) which gets solved between users and their maintainers, or between maintainers and developers, not on a blog, with an open letter, surfing on the wave of despicable attacks and in front of a hungry crowd. Somebody who communicates like that isn’t trying to solve a problem.”