A news story broke this week about a hack against the download site of Linux Mint (the official blog post is available here). Mint is a very popular, entry-level Linux operating system. The attacker hacked Mint’s site and redirected the download link to a modified version of the .iso file. The modified version had/has a backdoor installed via the Tsunami malware suite. This hack affected Linux Mint version 17.3/Cinnamon, but the backdoored version appears to have only been available for a short time. This is obviously bad news for anyone who downloaded and installed an affected version of this OS (17.3/Cinnamon), but there are some big-picture takeaways to be gleaned from this story. This is not just a story about Mint; it is also a story about file validation and the lack thereof.
- People don’t verify file integrity. Just a couple of weeks ago I posted about the importance of verifying file integrity, and I have written about file validation in my books. The attacks that would make one vulnerable to a tainted file may seem far-fetched, but this is a prolific, real-world example. Adding insult to injury, downloaded versions could have been clearly identified using a checksum or PGP signature. It is doubtful that many downloaders took the time to perform this step.
- It is *almost* understandable that they don’t. High-profile instances of attacks like these are incredibly rare. It is almost forgivable that people don’t validate file downloads before executing them. On the other hand the potential consequences of working on a compromised OS are grave. It is also worth pointing out that we have no idea how prolific NON-publicized instances of attacks like these are. Targeted, undiscovered, and hence un-publicized attacks of this nature are the ones that keep me up at night.
- The Mint team responded. Kind of. Sadly, the Linux Mint Blog responded officially to this incident by posting MD5 checksums (shown in the photo below). I have written about this before and hate to beat a dead horse but MD5 is insecure and should not be trusted for file validation. I’m glad they did something, but in the wake of an actual attack one would assume they would go to great lengths to verify file integrity in the future. MD5 is NOT “great lengths”, but rather a mild, half-hearted response. This is the most disappointing thing about this attack in my opinion.
My checksums will be updated this week to include SHA-256 and SHA-512 checksums for the affected version of Linux Mint.