[om-infra] Security - Linux Mint Compromised

Jean-Claude Vanier jclvanier at gmail.com
Thu Mar 3 05:43:53 EST 2016


+1
I suggest starting a BBW page dedicated to good practices and
containing a kind of checklist which can be consulted by everyone.


2016-03-01 17:33 GMT+01:00 Raphaël Jadot <rj at hodo.fr>:
>
>
> 01.03.2016, 04:45, "John Cave" <john at johncave.co.nz>:
>
>  Hello everyone, Over this weekend, the Linux Mint forums were compromised
> and all data stolen. Usually this is due to an Admin having a weak password
> and / or giving the password over cleartext and CMSes such as Discourse
> being stupid enough to have a "download all personal data here" button. I
> think we should take this opportunity over the next month to look into our
> own security practices. Here are some ideas I have. Firstly, we need to
> think about the BBW as it's obviously the worst thing if it were to be
> compromised. Some things we could consider might be always requiring a valid
> client certificate to be presented to connect to it over HTTPS, making sure
> we use different and unique passwords to connect to it (that we don't use
> for any of the CMSes we run) and that aren't for our Email accounts.
>
>
> That's very clever imo, we should then, following your idea:
> * Make a disclaimer at the home page of BBW telling the password here is
> important and to have a particularly strong
> * See how we could use client certificates. This server is managed by Wayne,
> I don't know what is possible to do. From what I know, only CAcert can
> provide free client certificates.
>
>
>  It's been a goal of Raphael's to have all of us log in using SSH
> certificates instead of normal passwords. I think we should make it our
> mission for this month to roll this out, as it's a good extra layer of
> security. We could also roll this out to Root accounts and share that
> encrypted private key amongst ourselves. We should use ECDSA-256
> certificates for future-proofing and make sure the private key is encrypted
> with a good, strong algorithm and password in case of personal computer
> theft.
>
>  We need to think about what we put in E-mails we send to this mailing list,
> as they'll be sent over the internet in cleartext. The BBW is the most
> secure way we have to transfer data. Anything sensitive should be placed
> there and just mentioned in an email. Any time we're logged into a CMS, we
> should let it update. Take a glance at the logs if you have time. Look into
> logging. Pretend something has been compromised. Do we have enough log
> information to be able to tell who the attacker is and what they took?
>
>
>
> Yes right, that'd be great! However I may lack some time as we are in
> process of migration of forums this week and just after we go with LP :)
>
> But yes we definitely need to improve all this, thanks for raising the
> topic!
>
>
>
>  Regards,
>  John
>
>  _______________________________________________
>  OM-Infra mailing list
>  OM-Infra at ml.openmandriva.org
>  http://ml.openmandriva.org/mailman/listinfo/om-infra_ml.openmandriva.org
>
>
>
> --
> Raphaël J.
>


