Changes to password policies

Written by Clem on March 8th, 2016

In reaction to the recent attacks on Linux Mint, the password policies on the forums and community websites were changed to accept only complex passwords:

  • With a minimum length of 10 characters
  • Which include both lower and upper case characters
  • And which include digits and symbols

Note: This post was edited on March 16th. The ability to set custom passwords on the community website was initially removed and it is now available again. Many thanks for your feedback.

Monthly News – February 2016

Written by Clem on March 1st, 2016

News

The attacks

Since that Saturday night on February 20th, all our efforts went towards protecting our project and our community. After the despicable attacks on our website and the deliberate attempts at hurting our users, we had to react fast and efficiently. The compromised server was shut down, all ongoing projects were stopped and all our time, efforts and resources were used to address the situation.

We had to work really hard, day and night, for more than a week on this. We had to learn a lot too; fortunately, we weren’t alone. We received help, we purchased new resources, we made new friends and we acquired help and expertise.

I’d like to thank the phpBB team and Automattic (the company behind WordPress.com) for reaching out to us to see if and how they could help.

I’d like to thank Avast for working with us on this. They contacted us and offered to help analyze the fake ISO. We gave them a copy of it and all the info we already had. A day later they came back with a full malware analysis and we were able to issue an update to warn people who might still be affected by it. Avast also pushed updates to their own users and were able to block access to the Bulgarian servers used by the hackers. Finally, the addresses the malware was connecting to were either shut down or blocked by Kaspersky’s DNS sinkhole. I’ve been really impressed by Avast and the awesome work they did; it really helped us react quicker.

I’d like to thank our friends at eUKhost and AYKsolutions. Whenever we needed help, they were there.

I’d like to thank the people who first detected and reported the attack, the people who helped us scan for vulnerabilities and the various people who gave us security advice and challenged us in checking more and more security aspects as the week progressed.

I’d like to thank everyone at Sucuri, and their leader Daniel Cid in particular, for how awesome they have been with us. They had a great reputation, so we naturally turned to them to get our servers scanned for malware and cleaned up. Our servers are now monitored by Sucuri and protected by their firewall. We’ll be entering a partnership with them, and it’s a real pleasure not just to benefit from the protection and the range of services they’re offering us, but also to have that close relationship with security experts and to be able to quickly get in touch with them whenever our project needs it.

And finally, I want to thank you. When things go bad and somebody’s hurt, we see all sorts of reactions. You’ve been great and that also really helped us. We’ve always had a special relationship with you; we see it every month in your donations, your comments and your support. After the attacks, you were worried and you needed answers, but you were also extremely patient and supportive. We tried to answer as many people as possible. It was hard in the middle of all the work we had to get done, but we kept getting pats on the back, and we started to see people within the community step up and answer queries, reply to others and generally help in various ways. We already knew what a great community we had. It was really put to the test here and it didn’t disappoint. We’re really proud to be working for you and we can’t wait to get back to work on the distribution itself.

New security aspects

Aspects directly related to these attacks:

To protect ourselves and reduce the risk of future attacks, many restrictions were placed on our servers. This might affect some of the websites a bit. If you find yourself unable to comment, to upload or to do something that worked well before, please let us know.

Aspects which could be used in future attacks:

To protect you and reduce the risk of man-in-the-middle attacks, almost all websites moved to HTTPS, so you’re guaranteed you’re looking at the real Linux Mint server and the communication between you and us is encrypted. These measures protect you against local attacks (somebody listening on your local network, somebody maliciously opening up free Wi-Fi to capture passwords being typed in a public place, or, on a greater scale, fake DNS resolution pointing you to malicious servers). Note: The blog is yet to switch to HTTPS; we’re still working on that.

To make ISO verification more accurate, we’ll communicate SHA256 sums and GPG information more prominently going forward. MD5 was displayed as the primary means of verification, with SHA256 and GPG being available for people who wanted them. We’ll review the way this information is shown and try to get more people to use SHA256, and hopefully also GPG, by default.
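As an added example (not Linux Mint’s own tooling), the check that publishing SHA256 sums plus a GPG signature enables, in Python: parse a `sha256sum`-style manifest, hash the ISO in chunks, compare in constant time, and keep the manifest-signature check as a separate step, because a digest published beside the download only proves the file matches the page, not that the page is genuine. The manifest format, the `sha256sum.txt`/`sha256sum.txt.gpg` file names and the sample data are assumptions.

```python
"""Verify a downloaded ISO against a sha256sum-style manifest.

Added example, not Linux Mint's own code. Assumed (not stated in the post):
the manifest uses the format written by `sha256sum` ("<64 hex> *<file>" or
"<64 hex>  <file>") and ships with a detached signature; sha256sum.txt and
sha256sum.txt.gpg are the assumed file names.
"""
import hashlib
import hmac
import io
import re
import subprocess

# One entry: 64 hex digits, then "  " (text mode) or " *" (binary mode), then the name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S.*)$")


def parse_manifest(text):
    """Return {filename: sha256_hex}. Anything that is not a SHA-256 entry is an
    error, so a manifest that quietly carries MD5 (32 hex) sums cannot pass."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a SHA-256 manifest entry: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests

def sha256_of(source, chunk_size=1 << 20):
    """Hash bytes or a binary file object in chunks, so a multi-GB ISO is never
    read into memory at once."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_iso(manifest_text, filename, source):
    """Return 'ok', 'mismatch' or 'not-listed' for one ISO against the manifest."""
    expected = parse_manifest(manifest_text).get(filename)
    if expected is None:
        return "not-listed"
    return "ok" if hmac.compare_digest(sha256_of(source), expected) else "mismatch"

def manifest_signature_ok(manifest_path, signature_path, gpg="gpg"):
    """The step a digest alone cannot replace: the manifest must verify against
    the project's signing key (imported beforehand). gpg takes the detached
    signature first, then the signed file; a non-zero exit means do not trust."""
    result = subprocess.run([gpg, "--verify", signature_path, manifest_path],
                            capture_output=True)
    return result.returncode == 0

# Constructed sample data: a tiny stand-in "ISO" whose SHA-256 is the well-known
# digest of b"abc", listed in the manifest under a made-up file name.
ISO_NAME = "linuxmint-constructed-example.iso"
GOOD_ISO = b"abc"
TAMPERED_ISO = b"abd"
MANIFEST = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *"
            + ISO_NAME + "\n")
# The same file described only by its MD5 (32 hex digits): rejected by the parser.
MD5_ONLY_MANIFEST = "900150983cd24fb0d6963f7d28e17f72 *" + ISO_NAME + "\n"
```

Run `manifest_signature_ok("sha256sum.txt", "sha256sum.txt.gpg")` first and only then `verify_iso(...)` on the real download; a manifest that fails the signature check is not worth hashing against.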

Aspects which relate to the operating system:

We’re considering re-adding Gufw to the default software selection. What happened was very uncommon, but as our project and Linux in general get more and more popular, our operating system is becoming more and more of a target. We cannot ignore the threat of malware and think that it only affects Windows. The centralization of our software and the better practices of our users, who rarely install 3rd party packages or binaries directly, are an asset, but they can also be a vulnerability. A malicious PPA could affect Ubuntu and Linux Mint users: it could offer legitimate packages for months and then suddenly spread malware that would be immediately accepted by thousands of users. It’s important to understand that the reason we’ve been so safe until now is that we’re smaller and therefore represent a much less interesting target. We can’t just protect ourselves from attacks; we also need to think about how we can react to them after they’ve taken place. We need scanners, and we’ll look into that as well, and we need something people can use to quickly and easily configure outgoing traffic and review the applications communicating over their network, and Gufw does that very well.

One of the key advantages of Linux Mint is its stability-versus-security policy, the level of information shown and the fact that update management is configurable. It puts power in the hands of the user, which is something that is lacking in many other operating systems. For that power to be an asset though, users need to understand what’s at play. We’ve seen time and time again now, so-called experts and developers alike who were really struggling to understand the core of the problem itself. This isn’t something they’re learning from and this isn’t something which is properly documented. I think we need to do a better job when it comes to presenting the problem, raising awareness around it and making it easier for people to form their own strategy and have the operating system follow it. There is no one-size-fits-all solution to this. The key is configuration, but to rely on the user, we need the user to have access to better information and easier management. We’ve worked on this in almost every release, and we’ll continue to improve it.

Donations and development

Many thanks to all the people who donated to us and to all our sponsors. We feel a bit guilty this month because the attacks took all our focus and we didn’t work on Linux Mint as much as we’d have wanted. There are some really cool things going on within the development team: there are now 4 X-Apps projects (xed, xreader, xplayer and xviewer), most of the Mint tools were migrated to python3/GTK3/gsettings and given better HiDPI support, we’re looking at better out-of-the-box touchpad support in Cinnamon (which should probably go into MATE also) and the possibility to set different backgrounds on each workspace, etc. It’s a bit too soon to give any details though, so we’ll wait until we’re done working on security aspects and we’ll then start to cover improvements and new features on the Segfault blog and in the next monthly news.

Thank you to all of you.

Sponsorships:

Linux Mint is proudly sponsored by:

Platinum Sponsors:
Private Internet Access
Gold Sponsors:
Linux VPS Hosting
Silver Sponsors:
ThinkPenguin.com
Bronze Sponsors:
Vault Networks *
AYKsolutions Server & Cloud Hosting
7L Networks Toronto Colocation *
BGASoft Inc
David Salvo
Milton Security Group
Sysnova Information Systems
Community Sponsors:

Donations in January:

A total of $11606 was raised thanks to the generous contributions of 539 donors:

$360, Teach English Abroad
$200, Adam M.
$173 (14th donation), Andreas Schmidt
$143, Andreas und Carsten Mahr
$112, Salvador P. C. B.
$112, Bogdan S.
$112, Jack B.
$112, Carsten S.
$112, Heltyca Srls
$112, Roland L.
$100 (3rd donation), Timothy P.
$100, Kenneth P.
$100, Jim G.
$100, Charlie G.
$100, Jan-erik Ö.
$100, Kirk H.
$100, Robert H.
$100, James C.
$100, Colin S.
$100, Charlie E.
$100, Thomas K.
$100, Enetics Technologies Pty
$100, Brian S. J.
$100, Vincent W.
$77 (16th donation), Kouji K.
$71.84 (18th donation), Wolfgang P.
$70, Jhonatan V.
$64, Audio C.
$60, Scotland L.
$56 (2nd donation), Hans-georg T.
$56 (2nd donation), Paul A.
$56 (2nd donation), Christian D aka “zorbeck”
$56 (2nd donation), Oliver P.
$56, Nora V. W.
$56, Hans L.
$56, Udo W.
$56, Bruno D.
$56, Viviane S.
$56, Dirk S.
$56, Crispin M.
$56, Klaus B.
$50 (68th donation), Matthew M.
$50 (67th donation), Matthew M.
$50 (2nd donation), Forrest B.
$50 (2nd donation), Brian M.
$50 (2nd donation), Paul B.
$50 (2nd donation), JimM
$50 (2nd donation), Dennis B.
$50 (2nd donation), Eric J.
$50 (2nd donation), Douglas J.
$50, Wei X.
$50, Michael L.
$50, Thomas G.
$50, Dennis B.
$50, David S.
$50, David H.
$50, Thomas J.
$50, Laura H.
$50, Javon S.
$50, Michael A.
$50, David S.
$50, Joel Carlson aka “Fox7799”
$45 (2nd donation), Nasser Bader aka “VIRUS”
$45, Wolfgang K.
$45, J R. R.
$45, Alexander K.
$43, Giuseppe V.
$40 (3rd donation), George J.
$40, Emile S.
$40, John M.
$38 (2nd donation), Bernard R. aka “Beer4661”
$35, Andre’ D. J.
$34 (71st donation), Olli K.
$34 (3rd donation), Markus T.
$34, Cathal H.
$34, Christoph M.
$34, Alejandro F. B.
$34, Christian H.
$34, Birgit B.
$34, Wolfgang G.
$34, Reijo H.
$30 (6th donation), Jerry G.
$30 (2nd donation), Lawrence D.
$30 (2nd donation), Joe K.
$30, Josef R.
$30, Steven T. aka “oakhilltop”
$30, Nicklas S.
$30, Christopher A.
$30, David B.
$28 (6th donation), John K. aka “jbrucek”
$28 (4th donation), Carlos M. S.
$28 (2nd donation), Daniel L.
$28 (2nd donation), Anton W. aka “redant”
$28, Peter D. W.
$28, Daniele P.
$28, Jens K.
$28, Stefan W.
$28, Lars H.
$28, Jan B.
$28, Daniel M.
$28, Thomas W.
$28, Roland P.
$28, Carsten M.
$28, Stefan L.
$28, Robert P.
$28, SSM aka “Gelbros J3”
$27 (3rd donation), Stefan A.
$27, Michael B.
$26.87 (9th donation), Scott L.
$25 (53rd donation), Ronald W.
$25 (11th donation), Curt Vaughan aka “curtvaughan”
$25 (6th donation), Larry I.
$25 (4th donation), Joseph G.
$25 (4th donation), iMarketing Solutions LLC aka “iMarketing”
$25 (4th donation), Guillaume C.
$25 (3rd donation), Frances K.
$25 (3rd donation), John L.
$25 (3rd donation), JanEspen
$25 (2nd donation), Peter L.
$25 (2nd donation), Reel D.
$25 (2nd donation), Rajesh Hazari aka “Rajesh”
$25 (2nd donation), Todd B.
$25 (2nd donation), Donald I.
$25 (2nd donation), Philip G. aka “-PGG-”
$25 (2nd donation), N1X3L
$25, Derek B.
$25, Jesse S.
$25, Christopher B.
$25, Timothy H.
$25, Nigel B.
$25, Horst S.
$25, James C. aka “inhiway”
$25, Charles S.
$25, Tomas L.
$25, David E.
$23, Shaun C.
$22 (4th donation), Pentti T.
$22 (4th donation), Per J.
$22 (3rd donation), Theodore S.
$22 (2nd donation), Adriano A.
$22 (2nd donation), Thomas W.
$22 (2nd donation), Bernard D.
$22 (2nd donation), Markovic D.
$22, Loïc P.
$22, Michal T.
$22, Christoph H.
$22, Rico N.
$22, Maurice G.
$22, Christian G.
$22, Florian R.
$22, Tom S.
$22, Jean-pierre S.
$22, Leslie W.
$22, Michal P.
$22, Mario K.
$22, Jacques S.
$22, Marco F.
$22, Marco D.
$22, Kim aka “Voodooseeker”
$22, Joachim K.
$22, Frank H.
$22, Thomas S.
$22, Jordi B. M.
$22, Gil the Arm
$22, Bernd Z.
$20 (48th donation), Tsuguo S.
$20 (12th donation), Curt Vaughan aka “curtvaughan”
$20 (6th donation), Tom T.
$20 (5th donation), Aleksey Eletsky aka “promise”
$20 (5th donation), Julie H. aka “Kjokkenutstyr”
$20 (4th donation), Scott Anderson aka “lwarranty”
$20 (3rd donation), Joshua R.
$20 (3rd donation), Peter L.
$20 (3rd donation), Douglas H.
$20 (3rd donation), jmkent aka “Burton”
$20 (3rd donation), Phil H. aka “smef”
$20 (2nd donation), David B.
$20 (2nd donation), Peter R.
$20 (2nd donation), Jason D.
$20 (2nd donation), Oblong Software Products
$20 (2nd donation), Stefan A.
$20 (2nd donation), Ian C.
$20 (2nd donation), T. H.
$20 (2nd donation), Stephen B.
$20, Gordon M.
$20, Eric L.
$20, Keith D.
$20, Guillermo M.
$20, Timothy A.
$20, Duncan M.
$20, TomT3rd
$20, Vincent M.
$20, David R.
$20, Jeff D. B.
$20, David L.
$20, Frank J.
$20, R. C. F.
$20, John P.
$20, Vaughan B.
$20, 1455 Group LLC
$20, T. H.
$20, Joseph C.
$20, Keith B.
$20, Matthew D.
$20, Quadris Systems, Inc
$20, Charles L.
$20, Ronald K.
$20, Mr J. M. P.
$20, Momtchil R.
$20, Ariella B.
$20, Thomas O.
$20, Francis R.
$20, Jay F.
$20, Joseph S.
$20, Lance A.
$20, Luigi D.
$20, Kamil A.
$20, Noe R.
$20, Leon S.
$17 (3rd donation), Philipp M.
$17 (2nd donation), Ian B.
$17 (2nd donation), Derek T.
$17 (2nd donation), Pierre M. (2nd contribution)
$17, Jaap R.
$17, Richard H.
$17, Eric B.
$17, Philippe W.
$17, John R.
$17, Marcos M. P. D.
$17, Didier S.
$17, Philippe L.
$17, Angus M.
$17, Paolo T.
$16, Pierre R.
$15 (5th donation), Jobs Hiring aka “Jobs Near Me”
$15 (4th donation), Jobs Hiring aka “Jobs Near Me”
$15 (3rd donation), James T.
$15 (2nd donation), Anthony F.
$15 (2nd donation), Tyler B.
$15 (2nd donation), Ilya K.
$15 (2nd donation), Steve Sharp
$15 (2nd donation), Nasser Bader aka “VIRUS”
$15, Vincent P.
$15, Gabriel B.
$15, Kirk W.
$15, Personnel
$15, Marco E. F. V.
$15, Gilbert D. R.
$15, Julien T.
$15, Aaron F.
$15, Rajendra S.
$15, James C.
$15, T2S Hire
$15, Gerald W.
$14 (2nd donation), Stefanos C.
$14, Stefanos C.
$12 (58th donation), Tony C. aka “S. LaRocca”
$12 (4th donation), Andreas S.
$12 (3rd donation), Michał M. aka “Zaraki”
$12, Seahawks 12th Man
$12, EJ. Teh
$12, Jia F. L.
$11 (25th donation), Raymond E.
$11 (7th donation), Rene Schwietzke aka “Rene S.”
$11 (6th donation), Brendan M.
$11 (5th donation), Queenvictoria
$11 (4th donation), Hosting 96
$11 (4th donation), J.C.Senar – linuxirun.com
$11 (4th donation), Artur Hapetta
$11 (3rd donation), Gabriele B.
$11 (3rd donation), Jerome M.
$11 (2nd donation), Danilo S.
$11 (2nd donation), F.D.P. Geurink
$11 (2nd donation), David B. aka “Jimbow”
$11 (2nd donation), Crefelean Nicolae aka “kneekoo”
$11 (2nd donation), Ovidio A. H.
$11 (2nd donation), Josef M.
$11 (2nd donation), Laurent H.
$11 (2nd donation), Peter Chivers
$11 (2nd donation), Neil E.
$11 (2nd donation), W. Georgi
$11, Benjamin H.
$11, Jose J. P. I.
$11, Bruce Beardall
$11, Alberto S.
$11, Daniel B.
$11, Vedran S.
$11, Achim D.
$11, Bruce Beardall
$11, Jens M.
$11, William N.
$11, George K.
$11, Etienne H.
$11, Philipp H.
$11, Manuel B.
$11, Peter P. aka “Bulletproof Van”
$11, Sam N.
$11, Claus V.
$11, Rainer F.
$11, Jean C. A.
$11, Tom V. D.
$11, Henrik B.
$11, Felix L. M. R.
$11, Marc N.
$11, Jannick S.
$11, Michel V.
$11, Sergio Soriano Peiro
$11, Rajesh Nair aka “Nair”
$11, Franck M.
$11, Peter-Paul aka “Rimpelbekkie”
$11, Stefan E.
$11, Pierre Collette
$11, Stephan K.
$11, Simon L.
$11, Dimitrios Z.
$11, Richard M.
$11, Konstantinos T.
$11, Petr T.
$11, Silvia K.
$10 (10th donation), CW P.
$10 (9th donation), Jt Spratley aka “Go Live Lively”
$10 (6th donation), Antoine T.
$10 (5th donation), Orion Metrics aka “Programmer”
$10 (5th donation), Paul C.
$10 (4th donation), aka “Caturix”
$10 (4th donation), Gonzalo Montes de Oca aka “RoyalGNZ”
$10 (4th donation), Vitali K.
$10 (3rd donation), John J. aka “Sankaty”
$10 (3rd donation), A. K.
$10 (3rd donation), Jorge M.
$10 (2nd donation), Stephen D. Cope
$10 (2nd donation), Raul C.
$10 (2nd donation), Kordun Oleg
$10 (2nd donation), John C.
$10 (2nd donation), Clifton S.
$10 (2nd donation), Tomislav K.
$10 (2nd donation), Brynley F.
$10 (2nd donation), Thomas T.
$10 (2nd donation), William C.
$10 (2nd donation), Frederik M.
$10 (2nd donation), Jeremy V.
$10 (2nd donation), Yano Y.
$10 (2nd donation), Andreas S.
$10, Andre J.
$10, Godfrey H.
$10, Josef H. R. H.
$10, Rickey W.
$10, James H.
$10, Sergio L. L. R.
$10, Bastian B.
$10, Baki A. U.
$10, Philip H.
$10, Карпенко В.
$10, Russ A.
$10, Bryan G.
$10, Russell P.
$10, Mike C.
$10, eNeKuX aka “eNeKuX”
$10, Stephen K.
$10, Iain B.
$10, Matsko I.
$10, Aart E.
$10, Thomas C.
$10, Hot M.
$10, Fabio T.
$10, Colin M.
$10, Steve G.
$10, Tony B.
$10, Adam P.
$10, Yijun X.
$10, Tim O.
$10, Flaminio R.
$10, Thomas D.
$10, Steven S.
$10, Paul K.
$10, Larry. R.
$10, Ryan S.
$10, Missagh M.
$10, Barbaros E.
$10, Jill J.
$10, Tim K.
$10, Samraj R.
$10, Noah L.
$10, Lindsay O.
$10, Roger H.
$10, Rolf V.
$10, Norman B.
$10, David S.
$10, William D.
$10, Shannon F.
$10, Juan
$10, Black W. L.
$10, Petr Š.
$10, Ivanov D.
$10, Michael C.
$10, Aktar M.
$10, Jakub Š.
$10, James C.
$9.57, Todd M.
$8 (3rd donation), Stefan M. H.
$7 (4th donation), Paul S.
$7 (2nd donation), Glen R.
$7 (2nd donation), Lluis Solanelles
$7, Udo M.
$7, Doug Byfield aka “Doug B.”
$7, L L.
$6 (6th donation), Tung-Yi Chen aka “Tic”
$6 (5th donation), Arvis Lacis aka “arvislacis”
$6 (5th donation), Nikita G. aka “Ni El Go”
$6 (4th donation), Lionel aka “Kinobi”
$6 (4th donation), Andjelko Stojsin aka “Andjelko S.”
$6 (2nd donation), Matthias W.
$6 (2nd donation), William T.
$6, Sortino R.
$6, Ludovic C.
$6, Electronic U. O.
$6, Robin B.
$6, Marco B. aka “Nightfly”
$6, Maria L. H.
$6, Dieter W. K.
$6, Katja H.
$6, Stefan A.
$6, Luis I. R.
$6, Pawel J.
$6, Brendan Lyons
$6, Matus I.
$6, Georgios Mavropalias
$6, Miroslav aka “Xtrodinary”
$6, Jan W.
$6, Dinesh G.
$6, Abbo K.
$6, Robert M.
$6, Jorge F. F.
$6, Diplom-Ingenieur (FH) Andreas Gerlich
$6, Петров Р.
$6, Jaume L. P.
$6, Hendrik Z.
$6, Emilie P.
$5 (12th donation), Libertad Tecnologica
$5 (10th donation), Jt Spratley aka “Go Live Lively”
$5 (9th donation), Nicolás Costa de la Colina aka “NCosta”
$5 (5th donation), Hakim
$5 (5th donation), Sonmez S.
$5 (5th donation), Eric H.
$5 (4th donation), VPN Easy
$5 (4th donation), Jack H.
$5 (4th donation), Rachel
$5 (4th donation), Kirsti Drewsen
$5 (3rd donation), Michael J. N. J.
$5 (3rd donation), Vitali K.
$5 (3rd donation), Metal Roofing Installation
$5 (2nd donation), Pete E.
$5 (2nd donation), Geoffrey O.
$5 (2nd donation), F A Cianciolo
$5 (2nd donation), Michael J. N. J.
$5 (2nd donation), Elias J.
$5 (2nd donation), T A.
$5 (2nd donation), Cody X.
$5 (2nd donation), Diego Bezerra
$5, Пластеев Д. aka “Softericon”
$5, Christopher S.
$5, Fernando C.
$5, Zavisa N.
$5, Richard A.
$5, Jerry F.
$5, Alexey K.
$5, Kevin D.
$5, Sebastian T.
$5, Jorgen Rhode Jensen aka “jrj”
$5, Michael J. N. J.
$5, Lisa J.
$5, elogbookloan
$5, Daniel G. Lago
$5, Artur T.
$5, Duane W.
$5, Benceno
$5, Hweyun J.
$5, Tomasz aka “rogallrlz”
$5, Zachary M.
$5, Andrew G.
$5, Soul-Herbs.com aka “Ayahuasca”
$5, Julian Montiel aka “jmontielc”
$5, payday loans las vegas
$5, Cristina S. B.
$5, Ultrabuy.com
$5, William G.
$5, Dave M.
$4 (2nd donation), Charles-david H.
$4, Brian B.
$4, Tom aka “tumek_pl”
$4, Gabriele M.
$4, Michal L.
$3 (15th donation), Kouji K.
$3 (5th donation), Stefan M.
$3 (5th donation), KnifeFellas.com
$3 (4th donation), Dmytro K.
$3 (3rd donation), safe-scripts
$3 (2nd donation), Saraplv aka “Sara”
$3 (2nd donation), Saraplv aka “Sara”
$3, Matthias G.
$3, Tahir H.
$3, Ricardo C. aka “xisso”
$3, Brian H.
$3, Audrius D.
$3, Tomasz U.
$3, Vitalii N.
$3, Sébastien J.
$3, Everett F.
$2.67, Vicki S.
$2.5 (4th donation), Peter Robert Jones
$42.99 from 29 smaller donations

If you want to help Linux Mint with a donation, please visit http://www.linuxmint.com/donors.php

Rankings:

  • Distrowatch (popularity ranking): 3161 (1st)
  • Alexa (website ranking): 7073

All forum users should change their passwords.

Written by Clem on February 21st, 2016

It was confirmed that the forums database was compromised during the attack against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.

The database contains the following sensitive information:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature/profile/etc…
  • Any personal information you might have written on the forums (including private topics and private messages)

The people primarily at risk are those whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough, or guessed if they relate to personal information.

As a precaution, we recommend that all forum users change their passwords.

While changing your passwords, please start with your email password and do not use the same password on different websites.
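The forum password policy from the “Changes to password policies” post above (minimum 10 characters, upper and lower case, digits and symbols), combined with this post’s warning about passwords that relate to personal information, as an added Python example that is not the forums’ own code. Treating ASCII punctuation as the symbol set and the username/e-mail fragment check are assumptions made here.

```python
"""Check a candidate forum password against the published policy.

Added example, not the forums' own code. The four rules (length >= 10, lower
and upper case, a digit, a symbol) come from the policy post; treating ASCII
punctuation as "symbols" and the profile-fragment rule are assumptions.
"""
import string

MIN_LENGTH = 10
SYMBOLS = set(string.punctuation)  # assumed definition of "symbols"
MIN_FRAGMENT = 4                   # shorter profile fragments are too common to flag


def policy_failures(password, username="", email=""):
    """Return the list of rules the password fails; an empty list means it passes.

    The profile rule reflects the breach post: usernames and e-mail addresses were
    in the leaked database, so a password built from them is guessable rather than
    something that has to be brute-forced."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    # Profile-derived fragments: the username and the local part of the e-mail.
    lowered = password.lower()
    for fragment in (username, email.split("@")[0]):
        fragment = fragment.lower()
        if len(fragment) >= MIN_FRAGMENT and fragment in lowered:
            failures.append(f"contains profile data {fragment!r}")
    return failures


def meets_policy(password, username="", email=""):
    """True when the password satisfies every rule for this user."""
    return not policy_failures(password, username, email)


# Constructed sample: a hypothetical user "clem_fan" <clem.fan@example.org>.
SAMPLE_USER = ("clem_fan", "clem.fan@example.org")
```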