Improved security

Important information about SolydXK, including release notes, forum rules and other announcements
Arjen Balfoort
Site Admin
Posts: 9426
Joined: 26 Jan 2013 19:36
Location: Netherlands

Improved security

Postby Arjen Balfoort » 23 Feb 2016 16:31

In the light of Mint's recent hack, I've improved the security for our main site and forums.
In addition to these measures, both sites now use the https protocol.

I also now use sha256sum instead of md5sum for all the ISOs, which resulted in some minor changes in certain SolydXK packages:
  • solydk-system-adjustments
  • solydx-system-adjustments
  • usb-creator
  • solydxk-constructor
If you find anything not functioning as you'd expect, please post your findings here.


SolydXK needs you!
Development | Testing | Translations

palimmo
Posts: 824
Joined: 19 Nov 2013 19:44

Re: Improved security

Postby palimmo » 23 Feb 2016 17:23

Thanks Schoelje. We really appreciate your commitment.
One quick question:
how could we check if an OS installation is not affected by the same issue Linux Mint encountered?
I'm curious.
Proud user of SolydK!

Nothing grows from diamonds; flowers grow from manure. http://aquilone.wordpress.com/

Re: Improved security

Postby Arjen Balfoort » 23 Feb 2016 17:42

From http://blog.linuxmint.com/?p=2994&_utm_source=1-2-2:
Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.


SolydXK needs you!
Development | Testing | Translations

grizzler
Posts: 2198
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Improved security

Postby grizzler » 23 Feb 2016 17:57

That's a check for this particular infestation, but I think there's a broader issue here: the ISO's hash/checksum file, whether it's MD5 or SHA256, is downloaded from the same source as the ISO. That's why this hack didn't cause suspicion with the people who downloaded the bad ISOs. The checksums had been altered as well.

Someone on the Mint blog suggested using GPG signature files. You need the private key of the originator to create a valid signature. That's a bit harder to forge.
Frank

SolydX EE 64 - tracking Debian Testing

Re: Improved security

Postby Arjen Balfoort » 23 Feb 2016 19:20

I don't have any experience with GPG signing. So, I'm just trying something here.

You mean something like this?
http://downloads.solydxk.nl/solydx/soly ... sha256.sig

Created with:

Code: Select all

gpg2 -ab --output solydx_8_64_201601.iso.sha256.sig solydx_8_64_201601.iso.sha256

But if I verify the signature, I get this:

Code: Select all

$ gpg2 --verify solydx_8_64_201601.iso.sha256.sig
gpg: Signature made Tue 23 Feb 2016 11:12:06 AM PST using RSA key ID BCA63C3C
gpg: Good signature from "Arjen Balfoort (Schoelje) <arjenbalfoort@solydxk.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1FD0 3599 DC09 A23A 5011  EB5F EADB 2FB0 BCA6 3C3C

I doubt that's good enough. Not to mention that hardly anybody will check the hash AND the key.


SolydXK needs you!
Development | Testing | Translations

Re: Improved security

Postby grizzler » 23 Feb 2016 20:40

Something like that, yes. However, I would sign the package itself (i.e. the ISO) rather than the hash, so you can remove the hash altogether. That's what I do with some of the duinsoft packages/tarballs (although I still provide a hash there too, because the update mechanism needs to be backward compatible and I used to use just hashes as well). If you remove the hash, the signature is the only thing people can check. The Tor project does this as well:
https://www.torproject.org/projects/torbrowser.html.en
https://www.torproject.org/docs/verifyi ... es.html.en

The verification output is exactly what I would expect. The signature is valid, so the file hasn't been changed. The warning is just because you haven't certified your key as "known to be yours" and apparently nobody else has signed your key either. GPG/PGP is based on a web of trust, complete with key signing parties. I never got round to that either, although I really should...
Frank

SolydX EE 64 - tracking Debian Testing
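
The check discussed in the posts above (a signature instead of a hash fetched from the same server, and gpg's "not certified" warning), as an added example that is not part of the original thread: the script accepts a download only if gpg reports a valid signature made by a pinned primary-key fingerprint. The fingerprint is the one printed in the gpg2 output quoted earlier; the function names and the sample status lines are constructed for illustration, and the fingerprint is assumed to have been confirmed through a channel other than the download server.

```shell
#!/bin/sh
# Added example: accept a download only if its detached signature is valid
# AND was made by the key whose fingerprint was pinned in advance.

# Primary key fingerprint from the gpg2 output quoted in this thread, spaces
# removed. Assumption: it has been confirmed outside the download server.
PINNED_FPR="1FD03599DC09A23A5011EB5FEADB2FB0BCA63C3C"

# check_status FPR (hypothetical helper)
# Reads gpg's machine-readable status lines on stdin. Succeeds only if a
# VALIDSIG line names FPR as primary-key fingerprint (its last field) and no
# BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG line is present. Anything else fails.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_download SIGFILE DATAFILE (hypothetical helper)
# Runs the same verification as in the thread, but decides on the status
# lines instead of on the human-readable "Good signature" text.
verify_download() {
    gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output (not a real capture): signature by the pinned key.
SAMPLE_OK="[GNUPG:] GOODSIG EADB2FB0BCA63C3C Example Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2016-02-23 1456254726 0 4 0 1 2 00 $PINNED_FPR"

# Constructed status output: a perfectly valid signature, but from another key.
# gpg would still print "Good signature" here; the pinned check rejects it.
OTHER_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else
[GNUPG:] VALIDSIG $OTHER_FPR 2016-02-23 1456254726 0 4 0 1 2 00 $OTHER_FPR"

# Usage with the file names from the thread:
#   verify_download solydx_8_64_201601.iso.sha256.sig \
#                   solydx_8_64_201601.iso.sha256 && echo "signature OK"
```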

ilu
Posts: 2659
Joined: 09 Oct 2013 12:45

Re: Improved security

Postby ilu » 23 Feb 2016 22:02

Thank you for working on it. The threat level for Linux users is going to increase. Of course it hits the big players first but better be safe.

Just to let you know: Https on my FF does not work - it says something like "No identity data for this website". Could be a problem on my end though so don't bother if it works alright for others.

Zill
Posts: 1850
Joined: 13 Aug 2013 14:28
Location: Lincolnshire, UK

Re: Improved security

Postby Zill » 23 Feb 2016 23:15

FWIW, https://solydxk.com/ and https://forums.solydxk.com/ work fine here with both FF and Chromium.

Code: Select all

firefox:
  Installed: 44.0.2

chromium:
  Installed: 48.0.2564.82-1~deb8u1

MAYBL8
Posts: 1487
Joined: 10 Mar 2013 18:41
Location: Maryland Heights, MO USA

Re: Improved security

Postby MAYBL8 » 23 Feb 2016 23:20

Works ok here with PaleMoon


Re: Improved security

Postby Arjen Balfoort » 24 Feb 2016 12:06

I've added GPG signature to the downloads, including a small howto: https://solydxk.nl/get-support/verify-y ... -with-gpg/


SolydXK needs you!
Development | Testing | Translations

Re: Improved security

Postby grizzler » 24 Feb 2016 13:14

Great.

Small error near the bottom of the howto: "you're download" should be "your download".

By the way, what do we do about the CE uploads? I notice the Constructor (at least version 2.6.4) still produces MD5 hashes.
Frank

SolydX EE 64 - tracking Debian Testing

rokytnji
Posts: 713
Joined: 02 Oct 2013 01:51

Re: Improved security

Postby rokytnji » 24 Feb 2016 15:13

I checked out some things on myself since I have a Mint forums account.

https://haveibeenpwned.com/

My email address was gathered at Mint forums.
Pwned on 1 breached site
I am not sweating it because I do not use the same password from site to site.
Linux Mint

In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.

Compromised data: Avatars, Dates of birth, Email addresses, Geographic location, IP addresses, Passwords, Time zones, Website activity
Just posting info. Because knowledge empowers one to survive the internet baddies.
Feeling support for Clem and the Mint community. Because we are all in this together.
I am a pretty pragmatic human being. So for me it is not a time to be saying "why"! What is done is done. Time to deal with it.

Re: Improved security

Postby Arjen Balfoort » 24 Feb 2016 15:41

grizzler wrote: Small error near the bottom of the howto: "you're download" should be "your download".

Done.

grizzler wrote: By the way, what do we do about the CE uploads? I notice the Constructor (at least version 2.6.4) still produces MD5 hashes.

I have that removed from 2.6.5. Only sha256 files are generated. I use the sha256 files to check if the uploaded ISO is correct. I then generate the GPG sig file per ISO on the server when I release the ISOs.


SolydXK needs you!
Development | Testing | Translations

Re: Improved security

Postby Zill » 24 Feb 2016 17:10

rokytnji wrote: I checked out some things on myself since I have a Mint forums account.

https://haveibeenpwned.com/

My email address was gathered at Mint forums.

While this website may be perfectly legitimate, with my cynical hat on I do question whether it is wise to enter my email address into yet another website. After all, it is quite easy to produce a "phishing" website to sucker users into providing email addresses, and possibly other data, that can then be sold on.

The spammers have been doing this for years with the "unsubscribe" option shown on their emails, just so they can validate the addresses are still current. :-(

p.s. The best advice is to always use a unique, random and un-guessable password for each website. This might not prevent an email/password being hacked but at least it limits the damage.

kurotsugi
Posts: 2261
Joined: 09 Jan 2014 00:17

Re: Improved security

Postby kurotsugi » 24 Feb 2016 17:33

how could we check if an OS installation is not affected by the same issue Linux Mint encountered?
I'm curious.

to be clear, no need to check your system since 'solyd' hasn't been attacked. the earlier mentioned method only works specifically for this mint incident. there's no report about another attack so other linux users should be safe :3

samriggs
Posts: 247
Joined: 03 Nov 2013 22:55
Location: Canada

Re: Improved security

Postby samriggs » 25 Feb 2016 00:49

Howdy folks
Good to see this happening :)
Ya my email etc got pawnded also, I changed passwords to make sure, including this place (as I let Schoelje know), just to make sure :)
Place is looking good :D
I'm glad to see the increase happening also.
Take Care all
Sam

"Windows, the worst system for too much money, Linux, the best system for free"
SolydK 64bit SolydX 32bit
Registered Linux User #545430

Re: Improved security

Postby grizzler » 25 Feb 2016 07:35

Schoelje wrote: I then generate the GPG sig file per ISO on the server when I release the ISOs.

Right... (*FX: puts security manager's hat on...) :ugeek:

Are you making sure that what is required to generate the signature (i.e. your private key) is only available on the server at that precise moment when you generate it? That is, do you delete the (keyring holding the) key afterwards?

I realise generating the signature on the server is the most convenient way to handle this, but I feel slightly uncomfortable with it. This whole exercise was about making sure there was no way to compromise the "verification code" of the download. You have to assume that if some miscreant gains access to the server, he can mess with everything. Having everything to generate the signature available on the server all the time doesn't seem right.
Frank

SolydX EE 64 - tracking Debian Testing

Re: Improved security

Postby Arjen Balfoort » 25 Feb 2016 07:38

I really don't have enough knowledge to do that. Wouldn't know where to begin, either.
Like I said, I have no experience with GPG at all.


SolydXK needs you!
Development | Testing | Translations

Re: Improved security

Postby grizzler » 25 Feb 2016 07:59

We'll need to discuss this further, I think. Have to leave now, though. Later...

Edit
Right. My previous edit has disappeared. No matter. I don't have any more time to spend on investigating the possibilities I mentioned here earlier. That will have to wait until tomorrow.
Frank

SolydX EE 64 - tracking Debian Testing

Re: Improved security

Postby kurotsugi » 25 Feb 2016 16:52

somehow I think we're a lil bit off from the main problem. please correct me if I'm wrong, the problem in the mint case was:
1. there was a security hole in the mint server which let an attacker gain access to the server database.
2. the database (which contains sensitive data, i.e. admin password) was encrypted with weak encryption. the attacker easily got the admin's credentials, which gave the attacker admin privileges on all of mint's servers.

I think the iso fraud case was merely "a result of action". giving a strict signature "might" prevent someone from modifying our iso but it won't solve the problem. if we think about it carefully, in the first place, the iso fraud case wouldn't have happened if the server was tightly secured. this signature stuff doesn't enhance our server security at all. personally I think md5sum is enough. the check was made to ensure the iso integrity (i.e. it's not corrupted during download or broken). I never thought of it as a security feature because the "security stuff" was applied in the other area (i.e. on the server side).

in the mint case, the solution would be clear:
1. continuously patch all security updates on the server.
2. encrypt the database with stricter encryption.

that being said, I'm not against the idea of making the iso check security stuff. I'm just saying that the real problem wasn't about it.

