Keys and signatures
Trust no one, unless their SSH key is signed by Linux Format’s public key.
The devastating attack on SolarWinds discovered in December 2020 shows how a single weak link can undo even the most thoughtful security regimen. Here a supply chain attack was used to ship poisoned updates to its Orion software, used by thousands of customers worldwide to manage their infrastructure.
These customers include several US government departments and major tech companies, and since the malware it bundled was so stealthy, many of them had no way of knowing what data was stolen or for how long it was accessible. Similar attacks have targeted Windows updates (for example, the Flame malware in 2012) and more recently the EncroChat messaging system, whose update mechanism was compromised by police in 2020, leading to 800 arrests across Europe.
It might, we suppose, be taken as proof of desktop Linux’s popularity that the Linux Mint website was the victim of an attack in 2016. While not strictly speaking a supply chain attack, the hacker was able to gain control of the website and alter the link to download ISO images to point to a modified image that included the Tsunami malware. Not only did they modify the link, but also the checksum displayed below it. It’s common for projects to provide checksums alongside their files so that people can check their downloads haven’t been corrupted (though few people do). When your system downloads packages from its repositories, checksums (usually SHA256) are used to verify their integrity.
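An added example (not code from the article) of the checksum check described above: it verifies a download against a sha256sum-style list and walks through a constructed Mint-style scenario, where a swapped file is caught but a swapped file plus a swapped checksum on the same page is not. The file name and contents are constructed stand-ins.

```python
"""Verify a downloaded file against a published SHA256SUMS list (example code, not from the article)."""
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-GB ISO need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum(1) lines: '<64 hex>  <file>' (text) or '<64 hex> *<file>' (binary)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def verify_download(path, sums_text):
    """True only if the file's digest matches the published entry for its basename."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(sha256_of_file(path), expected)

def demo():
    """Constructed scenario: genuine image, swapped image, swapped image plus swapped checksum."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "distro-constructed.iso")
        with open(iso, "wb") as f:
            f.write(b"genuine image bytes")  # constructed stand-in for a real ISO
        published = f"{sha256_of_file(iso)}  distro-constructed.iso\n"
        genuine_ok = verify_download(iso, published)
        with open(iso, "wb") as f:
            f.write(b"genuine image bytes + backdoor")  # attacker replaces the download
        swapped_ok = verify_download(iso, published)  # mismatch: the checksum catches it
        # Mint 2016: the checksum on the same page was replaced too, so the check passes
        attacker_sums = f"{sha256_of_file(iso)}  distro-constructed.iso\n"
        both_swapped_ok = verify_download(iso, attacker_sums)
    return genuine_ok, swapped_ok, both_swapped_ok
```

`demo()` returns `(True, False, True)`: a checksum served from the same place as the download only proves integrity, not authenticity, which is why the rest of this article turns to signatures.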