News

The attacks

Since that Saturday night on February 20th, all our efforts went towards protecting our project and our community. After the despicable attacks on our website and the deliberate attempts at hurting our users, we had to react fast and efficiently. The compromised server was shut down, all ongoing projects were stopped and all our time, efforts and resources were used to address the situation.

We had to work really hard, day and night, for more than a week on this. We had to learn a lot too; fortunately, we weren’t alone. We received help, we purchased new resources, we made new friends and we acquired help and expertise.

I’d like to thank the phpBB team and Automattic (the company behind WordPress.com) for reaching out to us to see if and how they could help.

I’d like to thank Avast for working with us on this. They contacted us and offered to help analyze the fake ISO. We gave them a copy of it and all the info we already had. A day later they came back with a full malware analysis and we were able to issue an update to warn people who might still be affected by it. Avast also pushed updates towards their own users and they were able to block access to the Bulgarian servers used by the hackers. Finally, the addresses the malware was connecting to were either shut down or blocked by Kaspersky’s DNS sinkhole. I’ve been really impressed by Avast and the awesome work they did; it really helped us react quicker.

I’d like to thank our friends at eUKhost and AYKsolutions. Whenever we needed help, they were there.

I’d like to thank the people who first detected and reported the attack, the people who helped us scan for vulnerabilities and the various people who gave us security advice and challenged us in checking more and more security aspects as the week progressed.

I’d like to thank everyone at Sucuri and their leader Daniel Cid in particular for how awesome they have been with us. They had a great reputation and so we naturally went towards them to get our servers scanned for malware and cleaned up. Our servers are now monitored by Sucuri and protected by their firewall. We’ll be entering a partnership with them and it’s a real pleasure not just to benefit from the protection and the range of services they’re offering us but also to have that close relationship with security experts and to be able to quickly get in touch with them whenever our project needs it.

And finally, I want to thank you. When things go bad and somebody’s hurt we see all sorts of reactions. You’ve been great and that also really helped us. We always had a special relationship with you; we see it every month with your donations, your comments and your support. After the attacks, you were worried and you needed answers, but you were also extremely patient and supportive. We tried to answer as many people as possible. It was hard in the middle of all the work we had to get done, but we kept getting pats on the back, and we started to see people within the community step up and answer queries, reply to others and generally help in various different ways. We already knew what a great community we had. It was really put to the test here and it didn’t disappoint. We’re really proud to be working for you and we can’t wait to get back to work on the distribution itself.

New security aspects

Aspects directly related to these attacks:

To protect ourselves and reduce the risk of future attacks, many restrictions were placed on our servers. This might affect some of the websites a bit. If you find yourself unable to comment, to upload or to do something that worked well before, please let us know.

Aspects which could be used in future attacks:

To protect you and reduce the risk of man-in-the-middle attacks, almost all websites moved to HTTPS, so you’re guaranteed you’re looking at the real Linux Mint server and the communication between you and us is encrypted. These measures protect you against local attacks (somebody listening on your local network, somebody maliciously opening up free Wi-Fi to capture passwords being typed in a public place, or even, on a greater scale, fake DNS resolution pointing you to malicious servers). Note: the blog is yet to switch to HTTPS; we’re still working on that.

To make ISO verification more accurate, we’ll communicate SHA256 sums and GPG information more prominently going forward. MD5 was displayed as the primary means of verification, with SHA256 and GPG being available for people who wanted them. We’ll review the way this information is shown and try to make more people use SHA256 and hopefully also GPG by default.
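The two checks described above, as an added POSIX shell example that is not Linux Mint’s own tooling: a checksum only tells you the file you downloaded matches the list you downloaded, so the list itself has to be trusted, which is what the GPG signature over it provides. The signature check pins the signing key’s fingerprint rather than relying on gpg’s "Good signature" message, which any key already in your keyring would satisfy. The file names (linuxmint-example.iso, sha256sum.txt, sha256sum.txt.gpg) and the fingerprint placeholder are assumptions, and the demo builds its own small fake "ISO" so it runs offline.

```shell
#!/bin/sh
# Added example (not Linux Mint's own tooling): verify a downloaded ISO against
# a published SHA256 list, and verify the GPG signature on that list.
# Placeholders: linuxmint-example.iso, sha256sum.txt, sha256sum.txt.gpg and the
# project key fingerprint are assumed names, not values taken from the page.

# Print only the hex SHA256 digest of a file, whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare the digest of ISO $1 with the entry for its basename in sum list $2
# (sha256sum format: "<hex>  <name>" or "<hex> *<name>").
# Returns 0 on match, 1 on mismatch or when the list has no entry for it.
verify_sha256() {
    iso="$1"; sumfile="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sumfile")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $name in $sumfile" >&2
        return 1
    fi
    actual=$(sha256_of "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "SHA256 OK: $name"
        return 0
    fi
    echo "SHA256 MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Verify detached signature $2 over sum list $1 and insist that it was made by
# the key whose fingerprint is $3. "Good signature" alone is not enough: any
# key in your keyring would satisfy that, so the fingerprint is pinned.
# Returns 0 when valid and made by that key, 1 otherwise, 2 if gpg is missing.
verify_signature() {
    sumfile="$1"; sigfile="$2"; fpr="$3"
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify the signature" >&2
        return 2
    fi
    # --status-fd emits machine-readable lines; VALIDSIG carries the full
    # fingerprint of the signing key as its first field.
    status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$sumfile" 2>/dev/null) || true
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "; then
        echo "signature OK, made by key $fpr"
        return 0
    fi
    echo "signature FAILED: bad signature or not made by key $fpr" >&2
    return 1
}

# Demo on constructed data: a small fake "ISO" and a sum list built for it.
# Succeeds (returns 0) when the intact file passes and a tampered copy fails.
demo() {
    d=$(mktemp -d)
    printf 'constructed ISO contents\n' > "$d/linuxmint-example.iso"
    echo "$(sha256_of "$d/linuxmint-example.iso")  linuxmint-example.iso" > "$d/sha256sum.txt"
    verify_sha256 "$d/linuxmint-example.iso" "$d/sha256sum.txt" || { rm -rf "$d"; return 1; }
    printf 'x' >> "$d/linuxmint-example.iso"      # simulate a tampered download
    if verify_sha256 "$d/linuxmint-example.iso" "$d/sha256sum.txt" 2>/dev/null; then
        rm -rf "$d"; return 1                       # tampering went undetected
    fi
    rm -rf "$d"
    return 0
}

demo
# Real use, once the project's signing key is in your keyring (placeholder names):
#   verify_signature sha256sum.txt sha256sum.txt.gpg "<PROJECT-KEY-FINGERPRINT>" \
#     && verify_sha256 linuxmint-example.iso sha256sum.txt
```

Run the signature check before the checksum check: if the sum list was not signed by the expected key, its checksums prove nothing, however well they match the download.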

Aspects which relate to the operating system:

We’re considering re-adding Gufw to the default software selection. What happened was very uncommon, but as our project and Linux in general get more and more popular, our operating system is becoming more and more of a target. We cannot ignore the threat of malware and think that it only affects Windows. The centralization of our software and the better practices of our users, who rarely install third-party packages or binaries directly, are an asset, but they can also be a vulnerability. A malicious PPA could affect Ubuntu and Linux Mint users: it could offer legitimate packages for months and then suddenly spread malware that would be immediately accepted by thousands of users. It’s important to understand that the reason we’ve been so safe until now is that we’re smaller and therefore represent a much less interesting target. We can’t just protect ourselves from attacks; we also need to think about how we can react to them after they’ve taken place. We need scanners, and we’ll look into that as well, and we need something people can use to quickly and easily configure outgoing traffic and review applications communicating with their network, and Gufw does that very well.

One of the key advantages of Linux Mint is its stability-versus-security policy, the level of information shown and the fact that update management is configurable. It puts power in the hands of the user, which is something that is lacking in many other operating systems. For that power to be an asset, though, users need to understand what’s at play. We’ve seen time and time again now so-called experts and developers alike who were really struggling to understand the core of the problem itself. This isn’t something they’re learning from and this isn’t something which is properly documented. I think we need to do a better job when it comes to presenting the problem, raising awareness around it and making it easier for people to form their own strategy and have the operating system follow it. There is no one-size-fits-all solution to this. The key is configuration, but to rely on the user, we need the user to have access to better information and easier management. We’ve worked on this in almost every release, and we’ll continue to improve it.

Donations and development

Many thanks to all the people who donated to us and to all our sponsors. We feel a bit guilty this month because the attacks took all our focus and we didn’t work on Linux Mint as much as we’d have wanted. There are some really cool things going on within the development team: there are now 4 X-Apps projects (xed, xreader, xplayer and xviewer), most of the Mint tools were migrated to python3/GTK3/gsettings and given better HiDPI support, we’re looking at better out-of-the-box touchpad support in Cinnamon (which should probably go into MATE also) and the possibility to set different backgrounds on each workspace, etc. It’s a bit too soon to give any details though, so we’ll wait until we’re done working on security aspects and we’ll then start to cover improvements and new features on the Segfault blog and in the next monthly news.

Thank you to all of you.

Sponsorships:

Linux Mint is proudly sponsored by: