Linux Mint website hacked - Compromised ISOs containing Tsunami IRCBot malware

[Shoob]

All forums users should change their passwords. - Linux Mint Blog

Quote

It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.

 

[dalekphalm]

11 hours ago, PCgamer324 said:

lmao when people don't use checksums from a website other than the source...

 

*sigh*

 

idiots

You realize that the compromised ISO was ON the "source" website? Eg: The official, 1st party, Linux Mint website? Eg: The guys who create and distribute Linux Mint?

[elkenrod]

I am actually upset about this.

[PCgamer324]

9 hours ago, dalekphalm said:

You realize that the compromised ISO was ON the "source" website? Eg: The official, 1st party, Linux Mint website? Eg: The guys who create and distribute Linux Mint?

that was my point, I think you misread my post

 

never use the checksum from your source (even 1st party), and never use just one

[brownninja97]

On 22/02/2016 at 1:29 PM, Theo said:

wow man dont speak such nonsense. If common sense wasnt enough why  would so many smart people in the forum recommend it.
 

the easiest way to explain this is like people in america asking why they need health insurance when they are never sick. 

[dalekphalm]

On 2016-02-22 at 8:29 AM, Theo said:

wow man dont speak such nonsense. If common sense wasnt enough why  would so many smart people in the forum recommend it.
 

Frankly, I have no idea why so many "smart" people still advocate that "Common Sense" is enough on the Internet these days, when clearly, it's not.

 

Malware threats have become so much smarter that you can still be very careful about common sense (Never going to a sketchy site, not clicking on obvious scam emails, etc), and you can still get a virus/malware. Fully legitimate websites can and have been compromised to serve up malware to unsuspecting users. And no, using Adblock and noscript isn't enough either (Not to mention that those are not part of "common sense" - those are tools used to help prevent security issues - tools that average Joe has no idea exist), since there are many vulnerabilities that are discovered that do not need such attack vectors. Sure they usually get patched when discovered, but I still feel sorry for the first few people who get infected.

 

Common sense is not enough for the average user. Frankly, I don't even think common sense is enough for tech enthusiasts anymore either. I personally feel that if a tech enthusiast wants to use common sense only, and run with no AV - sure, that's fine, you've probably been lucky all this time - but DO NOT recommend that action to others.

 

Common sense is only step one in keeping your computer safe from malware/hackers.

On 2016-02-22 at 9:08 AM, Enderman said:

its not enough, and the people who think it is are idiots...

i dont mean necessarily for this threat, but for anything you download

and antiviruses are updated daily so it would have caught it soon after downloading, or at least detect the malicious botnet software that the hackers could run

 

2 hours ago, brownninja97 said:

the easiest way to explain this is like people in america asking why they need health insurance when they are never sick. 

That's a good one - I still cannot fathom how American's in general are so okay with the privatized healthcare system they live in. They don't understand that a single payer, free healthcare system to all citizens is only an improvement for everyone. They're so worried about their TAXES! being used to pay for someone else, that they're missing the bigger picture. Plus, the US - WITH the privatized healthcare system - still spends more per person than most free healthcare systems do. It's kind of hilarious. So their taxes are still being spent on Healthcare (more so then many other countries) - they just also have to pay out of pocket too.

[Enderman]

2 minutes ago, dalekphalm said:

Common sense is only step one in keeping your computer safe from malware/hackers.

you wouldnt believe how many people think its the only step necessary...

[dalekphalm]

5 minutes ago, Enderman said:

you wouldnt believe how many people think its the only step necessary...

Well I think that most of them continue to feed this belief because they've been lucky, and never gotten an infection. Just because they've never gotten an infection, therefore means that no one will, and that no one needs AV?

 

I've never gotten in a car accident before, but I sure as hell still wear my seatbelt.

[Enderman]

2 minutes ago, dalekphalm said:

Well I think that most of them continue to feed this belief because they've been lucky, and never gotten an infection. Just because they've never gotten an infection, therefore means that no one will, and that no one needs AV?

 

I've never gotten in a car accident before, but I sure as hell still wear my seatbelt.

plus the fact that if they DO get an infection then they wouldnt even know about it since they dont use an antivirus

[Colonel_Gerdauf]

26 minutes ago, Enderman said:

plus the fact that if they DO get an infection then they wouldnt even know about it since they dont use an antivirus

Some of these people go as far as to believe that antivirus as a whole is malware and even spyware. That may be true in some cases, but making such a hasty generalization is always amusing to me.

[dalekphalm]

52 minutes ago, Colonel_Gerdauf said:

Some of these people go as far as to believe that antivirus as a whole is malware and even spyware. That may be true in some cases, but making such a hasty generalization is always amusing to me.

Indeed, I agree.

 

I'm in the camp that if you want to run a minimalistic setup to reduce system resources being used, then stick with something like Microsoft Security Essentials (Windows 7) or Windows Defender (8/8.1/10), or one of the really tiny open source AV's, and combine that with weekly/monthly MalwareBytes scans.

 

That in itself is far better than just common sense alone.

 

Of course, unless they specifically disabled it, anyone running Windows 8/8.1/10 with no AV already has Windows Defender installed and active, which gives at least basic active AV scanning shield.

[RustyZombie]

1 hour ago, dalekphalm said:

Well I think that most of them continue to feed this belief because they've been lucky, and never gotten an infection. Just because they've never gotten an infection, therefore means that no one will, and that no one needs AV?

 

I've never gotten in a car accident before, but I sure as hell still wear my seatbelt.

There are a lot of people that believe that the statistical outlier that is their personal experience somehow nullifies the differing experiences of everyone else.  I've seen it used as an argument so many times it makes me want to tear my hair out whenever someone uses it.  Good thing I'm already bald.

[Theo]

3 hours ago, dalekphalm said:

snipsnip

I have posted this so many times on threads asking about AV's, ive given up though, i can't bother anymore

[dalekphalm]

15 minutes ago, Theo said:

I have posted this so many times on threads asking about AV's, ive given up though, i can't bother anymore

Don't know why it seems to bother you so much. If you - personally - feel that common sense is enough for you, then sure. Don't use AV. But do not seem surprised when others give a counter viewpoint and logical reasoning as to why you should in fact still use AV.

[Theo]

24 minutes ago, dalekphalm said:

Don't know why it seems to bother you so much. If you - personally - feel that common sense is enough for you, then sure. Don't use AV. But do not seem surprised when others give a counter viewpoint and logical reasoning as to why you should in fact still use AV.

Well what bothers is me that usually people who say its enough dont do any work/store any valuable info on their pc, however the person that is asking might and then he could be in for a surprise in the future.

Seeing bad advice just bothers me in general

[dalekphalm]

1 hour ago, Theo said:

Well what bothers is me that usually people who say its enough dont do any work/store any valuable info on their pc, however the person that is asking might and then he could be in for a surprise in the future.

Seeing bad advice just bothers me in general

Oh, I think I misunderstood you then.

 

Can I just clarify your position? Are you in favour of suggesting people use AV? Or do you feel "common sense" is enough?

[Robin88]

The hacker is a total prick, but really the website admins shouldn't have allowed this to happen in the first place, so shame on them.
I'm glad I stayed with 17.2 for the time being, as I was just thinking the other week that I might go with a clean install of the newest stable release, but until the Mint team get things under control I'll wait it out.

This shows unequivocally that even if you know a file to be safe, you should always scan it with a competent malware scanner first with no exceptions, because it only takes that one time for a compromised website to serve you a malicious file and you're screwed.

That's what I've always done, even with files from Microsofts own website, mostly because of paranoia and mostly because I don't want to get burned by complacency on my part, and touch wood very firmly (hehe) since I started doing that religiously, I've not been hit by malware on any of my devices, even on Windows XP that's connected to the internet (it is installed as a VM though, so it isn't on dedicated H/W)

I'm strongly of the opinion that you should always run anti-malware even if you think you're wise to the tactics malware creators use, because one day you will slip up, humans are not infallible and one day, when you're tired, ill, drunk or even just distracted by life, you'll forget, you'll not pay attention, you'll click the wrong thing, you'll type the wrong address, or you'll open an email attachment that's malicious, and there'll be nothing to stop the malware from wrecking your system and everything you hold dearly to you that's kept on it.

[Theo]

42 minutes ago, dalekphalm said:

Oh, I think I misunderstood you then.

 

Can I just clarify your position? Are you in favour of suggesting people use AV? Or do you feel "common sense" is enough?

haha im completely against only using "common sense"

[dalekphalm]

19 hours ago, Theo said:

haha im completely against only using "common sense"

My apologies then for my attitude towards your earlier posts. I misunderstood your position