Slashdot Mirror
Apache Foundation Attacked, Passwords Stolen
Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."
"The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights"
The passwords were stored as hashes (message-digest or otherwise) with randomized salt, right? I mean, they have a clue about security, surely.
Right?
Finally - a CowboyNeal option that is the right one!
The software was hosted on brutus.apache.org
Et tu, Brute?
You can't trust Apache... turn your back on them, and they'll steal your land
FTFA:
"The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators[sic] clicked on the link [to the site containing the XSS exploit]. This compromised their sessions, including their JIRA administrator rights."
Famous last words: "So they showed me this button and I pushed it. Now what?"
Colorless green Cthulhu waits dreaming furiously.
cause that would have confused the hell out of the attackers.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
What the hell are you talking about?
FTFA: Apache said the use of one-time passwords was a "lifesaver" because it limited the damage and stopped the attack from spreading to other services/hosts. Nice that the damage was contained. What would be the motivation(s) for hacking Apache, anyway? It's not like it's Citibank.
In a band? Use WheresTheGig for free.
From TFA: "The passwords were encrypted on the compromised servers (SHA-512 hash) but Apache said the risk to simple passwords based on dictionary words "is quite high" and urged users to immediately rotate their passwords. "
I'm a n00b with security. Am I correct in thinking that there's no way to decrypt a password without the salt? How would Apache have determined the salt? And what are the odds of the thieves finding the salt?
Why are these people hosting important information on ... Ubuntu servers? With all the options these days for Linux distros, I would never consider Ubuntu for anything beyond a workstation.
Does anyone have any thoughts as to why Apache would be targeted like this?
Apache doesn't exactly garner bad blood from shady groups. Big corporations and governments have too much to lose by attacking Apache this way. I could understand an attempt by organized crime or a blackhat organization to secretly insert a back door into the Apache code base, but this was too heavy-handed to even consider being a secret attempt.
The whole thing is weird.
Turn them on, so you can see where they go.
http://tinyurl.com/preview.php
Nothing but absolute respect for how Apache is handling this. Were there issues that became apparent as a result of this? Yes. But have they discovered the flaws, acknowledged them, and are looking to close those holes? Yes.
It's a shame more companies can't operate with such...transparency I guess you'd call it. However, consumers respond differently to different types of companies.
I, for one, am proud to see a company take this seriously instead of trying to sweep it under the rug.
XSS FAQ
http://www.cgisecurity.com/xss-faq.html
WASC Threat Classification - Cross-site Scripting
http://projects.webappsec.org/Cross-Site+Scripting
Believe me, if I started murdering people, there would be none of you left.
Although Apache says it's one-time use passwords were a lifesaver, that would be to itself? As many people use the same password for multiple systems, isn't there a pretty large risk of this impacting many, many other systems. Perhaps these techies wouldn't use such practices, but I'm guessing it's common enough. How many 'admin passwords' are now in the hands of these criminals? The damage from this could be pretty severe but will we ever know this?
mu
A potential aim of getting these specific passwords would be to be able to use those user's identification credentials have custom crafted vulnerabilities at the source level checked-in into Source Control in one or more any of the Apache applications and frameworks (not just the Apache Web server but things like modules and language frameworks and libraries).
Certainly for state actors engaging in cyber-war, having their own backdoors in things like the Apache Webserver would be invaluable. They also have the know-how and the resources to both hack into the site and develop their own source-code level backdoors.
Criminal organizations with significant black hat operation would also be willing and capable of this sort of strategic action.
I would definitelly double check any code checked-in by the people whose passwords were stolen.
Operating system has nothing to do with this attack. Web server has nothing to do with this attack. JIRA has to do with this attack. If a session cookie is stolen and is valid when used by the 3rd party, it's the application's fault. The solution would be a better, more secure session manager in JIRA. Additional solution would be using HTTPS.
.. that's bothered me since I saw my first tinyurl. You have no clue where that URL is actually pointing to. Could be a legit site, could be a cp site, who knows which? Verifying the link you are clicking on is information security 101.
FTA:
On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:
ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]...This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights.
Oops...check those URLs, admins...
Hey, this is serious! These hackers might have access to the full source code for Apache. Now they can craft specially targeted attacks against most web servers - no longer does Apache have that advantage over the leaked Windows source code. A terrible day for security on the web.
Socialism: a lie told by totalitarians and believed by fools.
ahhh, good point. i didn't even think of that. i just assumed the hackers would already have access to their source.
WÌÌfÍ--ÍSÌÒÍ...Í...ÌHÌÍfÍÍÍ--ÍÍÍ
I received this from Apache just moments ago. It may clear up some questions. I redacted personal info.
Dear [redacted],
You are receiving this email because you have a login, [redacted], on the Apache JIRA installation, https://issues.apache.org/jira/
On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:
https://blogs.apache.org/infra/entry/apache_org_04_09_2010
We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password
you set when signing up as [redacted] to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it
should be assumed that the attackers can guess your password from the password hash via brute force.
The upshot is that someone malicious may know both your email address and a password of yours.
This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change
your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online
banking sites, or sites known to be related to your email's domain, [redacted].
Naturally we would also like you to reset your JIRA password. That can be done at:
https://issues.apache.org/jira/secure/ChangePassword!default.jspa
We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email.
We are also available on the #asfinfra IRC channel on irc.freenode.net.
Regards,
The Apache Infrastructure Team
Excerpt from the email I got from Apache this morning:
"You are receiving this email because you have a login, 'XXXX', on the Apache JIRA installation, https://issues.apache.org/activemq/
On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:
https://blogs.apache.org/infra/entry/apache_org_04_09_2010
We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password you set when signing up as 'XXXX' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it should be assumed that the attackers can guess your password from the password hash via brute force.
The upshot is that someone malicious may know both your email address and a password of yours."
So, since people tend to reuse passwords associated with a given email address, the payoff is that you go after a weakly protected source of both - the value isn't in compromising Apache per se, but using Apache to obtain credentials which you might use/sell to access other sites. I just wonder why salting wasn't used - although if someone stole the whole database they'd have the salt anyway.
It's just funny, to me, that the tone here is very moderate, calm, and perhaps even lightly defensive.
If this same thing happened on an IIS box, we'd have a flood of comments of 'get a real OS!' regardless of how off target those shouts would be. It's just the nature of the beast.
they just couldn't figure out how to access subversion so they got the code thru some more entertaining ways
s/hackers/crackers/g
Additionally, Brutus is password cracking software... not mentioned in the summary.
you can compromise your system by clicking on a link? That is fucked up design.
Deleted
What sane person would run Ubuntu on their server?
What XSS allows is redirection to an attacker's controlled site, plus some script code execution on the victim's browser.
If the victim's computer does not honor document.cookie or other equivalent method, is cookie stealing still possible ?
Going further, why do most browsers honor the document.cookie method ?
Do you mean the source code for the Apache web server itself? Hasn't that always been available? Since when has it been a closed source product like IIS?
Oh, hand on a sec, there's sarcasm here?
There are number of people posting comments about how this isn't an issue since Apache's code is open. Let me outline a few possible issues even with the code being ...
... http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html ... :-)
1. If Apache keeps non-released security information in their bug tracker it could end up being disclosed. Great if you want to get your hands on security issues before patches are released.
2. Private comments can be leaked out which are probably not meant for general consumption. Probably not a huge issue, but it depends on the content.
3. Many people use the same passwords everywhere -- and the same usernames. Any cracked accounts could prove quite useful.
On the flip side it goes to show that XSS and CSRF are, as many security (open and closed) groups note, are a major problem -- and are pretty easy to exploit. While it is not fun to have this occur it may wake up some engineers into seeing that 'if it can happen to Apache maybe we should take it seriously'.
Then there is the whole thing of Apache using Jira instead of something Open
If you talk to most people about XSS issues, there's something hard-wired in our brains to shut them off after about 12 seconds. Apparently even experts can get caught off-guard. So I'll try to keep this short.
When you're signed into a website, avoid doing anything Internet-related other than to interact with that website. This includes checking your e-mail or instant messaging, even if you're using other software to do those things. When you're done with that website, sign out and close your web browser (obviously, restart your web browser after if you want to do more web browsing.)
Also, configure your web browser to remove your cookies at the end of each session. This is inconvenient if you're used to having websites recognize you for a month or so without having to login, but allows you to effectively "logout" of everything by simply closing your web browser. You can set this behavior to default in Firefox (and probably all other current web browsers) and override it for specific websites if you really want to preserve this functionality for Slashdot while making yourself more secure for online banking websites.
Sorry if this happens to be rookie stuff for you, but there are a lot of people who don't understand XSS attacks and shouldn't have to in order to operate safely on the Internet. And this doesn't even get into the PDF exploits and other crap that's happily bypassing antivirus scanners now...
This one works: UntinyFox.
Reading the source, it appears to use this website to convert the URLs.
Bad people think:
1. I'm cool, look what i did.
2. Now I have the usernames and passwords, and probably password schemas for a bunch of Apache developers and admins. Hit their sites. Profit!
3. Maybe one of these accounts will let me manipulate Apache source distributions. Backdoors. Profit!
4. Competitor using resulting FUD to increase market share. Profit!
Password reuse, the lazy hacker's easy-button.
user "I have no idea how they got my account."
Should of installed Gentoo instead
There is many script which scans webpage for tinyurl type links and performs reverse operation and make them show as original url. One of such scripts is URL Elongator Plus for Opera http://extendopera.org/userjs/content/url-elongator-plus (it is UserJS script). Works fast, is configurable and supports lots of pages.
There is also other similar scripts.
http://en.wikipedia.org/wiki/Framekiller
one line of code:
top.location.replace(self.location.href);
put it in every page you ever publish on the web
it's not 100% foolproof, nothing is
but it's so little effort for protection from an important kind of xss attack
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Judging from these attacks and the two attempts to inject malware in Linux via infected submissions to a site distributing user-submitted Gnome themes, it looks to me like the commercial black hat community is already testing the water for the future when Windows isn't quite as easy to infect/zombie (or perhaps, for a future where most of the clueless are running locked-down non-general-purpose computing devices like the iPad).
I have a feeling that things may start to heat up for FOSS, to the extent that eventually (say in another 10-20 years) I'll have to move from thinking about Linux as being my secure system, to some new exotic OS like Haiku or Plan9 (and even then, there is the big problem that I'll also have to find exotic replacements for things like Firefox and Thunderbird).
Or have I just invented the next mutation of the "Year of the FOSS Desktop" meme? /facepalm
I can understand that you're disappointed about the inconvenience, but how much more of a straightforward and informative email could you possibly ask for?
From what i'm reading it could have happened to a IIS box in the exact same way.. the webserver didn't do anything wrong, nor the OS. Javascript (guessing) was used to steal a session cookie. So we could say the Browser (or lack of no-script plugin) is to blame.
http://soylentnews.org/~tibman
This may be a good time to review the "defense in depth" concept; having a quality password can actually help in some circumstances.
..Nobody's said E tu Brute? Inconceivable!
Well you do notice that Microsoft and Microsofters are now in the Apache Foundation, so it is only natural that the Microsoft way of thinking starts to affect operations. Look for more cracks as their way of thinking gets deeper into Apache.
The software was hosted on brutus.apache.org
Et tu Brutus?
Every big and famous webapp had, and has, XSS holes, period. It doesn't matter how smart they are.
Wouldn't you say that Slashdot should be very safe? For it must have been under a lot of attacks, and all the xss holes must have been discovered and fixed.
I spent a few minutes looking around and I found one already. I'll publish it here right now for your amusement, I don't think real damages can be caused before the hole is closed.
The Password/Claim OpenID form has no XSRF protection. It also works with GET method which makes it even sweeter. If a slashdot user's browser fetches this URL (trick him to click it; or more sinisterly, use it in a img src)
http://slashdot.org/login.pl?openid_url=http://evil.openid.server.com/&op=claim_openid
his slashdot account will be linked to an openid without him knowing it. The attacker can then log into the account with the openid, game over.
Now let's point to CmdrTaco and laugh.
Oh, hand on a sec, there's sarcasm here?
Nope.
You fail to recognize sarcasm when not concentrating...
Would you happen to be from a small planet somewhere in the vicinity of Betelgeuse?
He uses Gentoo. He's installed the words, but the grammar is still compiling.
I am TheRaven on Soylent News
"The software was hosted on brutus.apache.org..."
Et tu, Brutus?
Why are so many hinting that Ubuntu is to blame? This has nothing to do with the underlying OS. This has to do with a vulnerability in third party software.
JIRA developer Atlassian was attacked as well.
http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html
A good day as any to reset passwords.
Do you mean the source code for the Apache web server itself? Hasn't that always been available? Since when has it been a closed source product like IIS?
The problem is they could do changes and reviews posing as other long-time trusted developers. This is a vulnerability in the chain of trust. If such an attack would be discovered too late, all the latest updates could be left vulnerable. For example, if the attack is discovered 1 month later, some back-door patches could get in the stable (production) release.
So this is like cancer: discovered in time, the consequences can be controlled, but discovered too late, all hell breaks loose.
Although most of the threats behind a short URL are XSS & friends, the use of short URLs to masquerade malicious things is clearly on the rise. It also look like a service has been released with the goal of analyzing short URLs (not only expanding): http://long-shore.com - the website also exposes a RESTful API that can be used to submit URLs and flag malicious ones.
http://en.wikipedia.org/wiki/Framekiller
one line of code:
top.location.replace(self.location.href);
put it in every page you ever publish on the web
it's not 100% foolproof, nothing is
but it's so little effort for protection from an important kind of xss attack
Wikipedia used to have that, but dropped it. It interferes with useful services like Google Translate (IIRC).
MediaWiki developer, Total War Center sysadmin
wow parents and grandparent are ridiculously stupid!
Hatin' on products I don't like and getting modded up talking about tech I totally don't understand like it was 2005!