[om-infra] Security - Linux Mint Compromised
John Cave
john at johncave.co.nz
Mon Feb 29 22:14:57 EST 2016
Hello everyone,
Over this weekend, the Linux Mint forums were compromised and all data stolen. Usually this is due to an admin having a weak password and/or giving the password over cleartext and CMSes such as Discourse being stupid enough to have a "download all personal data here" button. I think we should take this opportunity over the next month to look into our own security practices. Here are some ideas I have.
Firstly, we need to think about the BBW as it's obviously the worst thing if it were to be compromised. Some things we could consider might be always requiring a valid client certificate to be presented to connect to it over HTTPS, making sure we use different and unique passwords to connect to it (that we don't use for any of the CMSes we run) and that aren't for our email accounts.
It's been a goal of Raphael's to have all of us log in using SSH certificates instead of normal passwords. I think we should make it our mission for this month to roll this out, as it's a good extra layer of security. We could also roll this out to root accounts and share that encrypted private key amongst ourselves. We should use ECDSA-256 certificates for future-proofing and make sure the private key is encrypted with a good, strong algorithm and password in case of personal computer theft.
We need to think about what we put in emails we send to this mailing list, as they'll be sent over the internet in cleartext. The BBW is the most secure way we have to transfer data. Anything sensitive should be placed there and just mentioned in an email.
Any time we're logged into a CMS, we should let it update. Take a glance at the logs if you have time.
Look into logging. Pretend something has been compromised. Do we have enough log information to be able to tell who the attacker is and what they took?
Regards,
John
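
Added example, not part of the original message: a check that a server's sshd_config really has password logins switched off once the move away from SSH passwords (including for root) is rolled out. The sample config is constructed, the defaults and the ChallengeResponseAuthentication alias are assumed to follow the current OpenSSH sshd_config(5), and Match blocks are only reported, not evaluated.

```python
# Added example: audit sshd_config text for key-only login (global section only).
# keyword -> (assumed OpenSSH default when unset, values acceptable for key-only login)
REQUIRED = {
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitrootlogin": ("prohibit-password",
                        {"no", "prohibit-password", "without-password"}),
}
# Deprecated spelling treated as an alias (assumption: current OpenSSH behaviour).
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(text):
    """Return (settings, has_match). sshd keeps the FIRST value seen per keyword."""
    settings, has_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":          # conditional overrides start here; stop parsing
            has_match = True
            break
        key = ALIASES.get(key, key)
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # later duplicates are ignored, as in sshd
    return settings, has_match

def audit(text):
    """Return a list of findings; an empty list means key-only login is enforced."""
    settings, has_match = effective_settings(text)
    findings = []
    for key, (default, acceptable) in REQUIRED.items():
        value = settings.get(key, default)
        if value not in acceptable:
            origin = "set" if key in settings else "default"
            findings.append(f"{key} = {value} ({origin})")
    if has_match:
        findings.append("match block present: review overrides manually")
    return findings

# Constructed sample: the second PasswordAuthentication line has no effect.
SAMPLE = """\
PermitRootLogin prohibit-password
PasswordAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

The first-value-wins rule is the common trap: appending `PasswordAuthentication no` to the end of a file that already sets it to `yes` changes nothing.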