Slashdot Mirror


Apache Foundation Attacked, Passwords Stolen

Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."

14 of 214 comments

  1. Respect by Xacid · Score: 5, Insightful

    Nothing but absolute respect for how Apache is handling this. Were there issues that became apparent as a result of this? Yes. But have they discovered the flaws, acknowledged them, and are looking to close those holes? Yes.

    It's a shame more companies can't operate with such...transparency I guess you'd call it. However, consumers respond differently to different types of companies.

    I, for one, am proud to see a company take this seriously instead of trying to sweep it under the rug.

  2. Re:Damage contained through one-time passwords. by HogGeek · Score: 4, Insightful

    Hmm, let's see:

    Implanting a back door in any one (if not all) of the Apache products, so that when Citibank does an upgrade...

    Far fetched, yes. But not out of the realm of possibility...

  3. Re:Serious Question by c1ay · Score: 2, Insightful

    Maybe it was simply for the sake of practice and some other site with a similar setup is the real future target....just food for thought.

  4. Re:Naturally, the passwords were not in clear by jimicus · Score: 2, Insightful

    AFAICT, web servers themselves aren't commonly hacked these days - and indeed that seems to be the case here.

    The foolish thing is - and it's downright stupid, make no mistake - while most modern web servers are fairly secure, the same is most definitely not true of the applications and frameworks that commonly run on them. And because it's quite common to find a password for one application works for others (either by a user using the same password or by design, e.g. using a common backend such as LDAP), you only need one stupid application which doesn't take countermeasures against brute-force attacks and doesn't log failed logins (making fail2ban ineffective) and the whole damn lot is cracked open.
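The comment above makes a concrete defender's point: an application that neither throttles brute-force attempts nor writes failed logins to a log gives a host-level watcher such as fail2ban nothing to act on. The following is an added example (not code from the thread, from Apache, or from fail2ban) showing both halves: emitting one parseable line per failed login, and scanning those lines for source addresses that exceed a failure threshold inside a time window, the way a fail2ban jail's `maxretry`/`findtime` pair works. The log format, field names, sample addresses, timestamps and thresholds are all constructed for this example.

```python
"""Failed-login logging plus a fail2ban-style sliding-window detector.

Added example. The log line format, the field names and the sample
events below are constructed for illustration; they are not Apache's
JIRA log format and not fail2ban's filter syntax.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: ISO-8601 timestamp, fixed tag, username, source IP.
LOG_LINE = "{ts} auth-failed user={user} src={ip}"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth-failed user=(?P<user>\S+) src=(?P<ip>[0-9a-fA-F.:]+)$"
)


def format_failed_login(user: str, ip: str, when: datetime) -> str:
    """Render a failed-login event as a single log line.

    Logging the failure (never the submitted password) is what lets an
    external watcher correlate attempts by source address.
    """
    return LOG_LINE.format(ts=when.isoformat(), user=user, ip=ip)


def parse_failed_login(line: str):
    """Return (timestamp, user, ip) for a failed-login line, else None.

    Lines that are not failed-login events (or are malformed) are ignored,
    which is exactly how a fail2ban filter regex behaves.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def find_ban_candidates(lines, maxretry: int = 5,
                        findtime: timedelta = timedelta(minutes=10)) -> set:
    """Return the set of source IPs with >= maxretry failures within findtime.

    A per-IP sliding window is kept; attempts older than findtime fall out,
    so slow, spread-out failures never accumulate to a ban.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = set()
    events = [e for e in map(parse_failed_login, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    for ts, _user, ip in events:
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def build_sample_log() -> list:
    """Constructed sample log: one spraying source, one mistyping user,
    one slow source that never reaches maxretry inside findtime, and one
    unrelated request line that the parser must skip."""
    base = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed date
    lines = []
    # Six failures against several accounts in 100 seconds from one address.
    for i, user in enumerate(["admin", "root", "jira", "svn", "admin", "www"]):
        lines.append(format_failed_login(user, "203.0.113.7",
                                         base + timedelta(seconds=20 * i)))
    # A legitimate user mistyping twice.
    lines.append(format_failed_login("alice", "198.51.100.9", base + timedelta(minutes=1)))
    lines.append(format_failed_login("alice", "198.51.100.9",
                                     base + timedelta(minutes=1, seconds=30)))
    # Five failures fifteen minutes apart: each falls out of the window.
    for i in range(5):
        lines.append(format_failed_login("bob", "192.0.2.44", base + timedelta(minutes=15 * i)))
    # Not an auth-failed event; parse_failed_login returns None for it.
    lines.append("2024-01-01T09:03:00+00:00 request GET /secure/Dashboard.jspa src=192.0.2.44")
    return lines


if __name__ == "__main__":
    print(sorted(find_ban_candidates(build_sample_log())))
```

Run stand-alone it reports only `203.0.113.7`: the two mistakes from `198.51.100.9` and the slow attempts from `192.0.2.44` stay under the threshold, and the unrelated request line is ignored. The point for the application side is the first function: without a line like that being written, the detector (and fail2ban in the real deployment) has nothing to count.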

  5. Re:Naturally, the passwords were not in clear by Volante3192 · Score: 2, Insightful

    Also, inb4 "Ubuntu sucks" or similar trolls. Linux haters would be in here if it were Ubuntu or Red Hat. Netcraft would be trolling if FreeBSD were the host OS. And God Forbid Apache had been using Server 2008.

    Yeah, I'd foresee twice the number of comments by this time if this was IIS with half of them saying "switch to a real OS!!"

  6. Re:Damage contained through one-time passwords. by jimicus · Score: 3, Insightful

    I can think of a couple.

    It's a very prestigious target (if you're the sort that would do this for some sort of prestige). It's also a poster-child for a solid OSS product - what better way to spread FUD?

  7. Re:don't be stupid, it's design failure by Bearhouse · Score: 2, Insightful

    ..design failure..

    Of course it is - one shared (at some point in time), by all browsers, amongst other software.
    That's why it's "stupid" to trust your systems 100%
    You yourself don't have a quick look at a link, especially one from an unknown source, before blithely clicking?
    Especially if you're logged on with root or admin rights?

  8. Re:Damage contained through one-time passwords. by gad_zuki! · Score: 3, Insightful

    Or upload a trojan into the hosted Apache installers.

  9. Re:Correction by nacturation · Score: 2, Insightful

    Sorry, but that distinction has long since been lost... if it was ever popular to begin with. These days we have good hackers and we have evil hackers.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.

  10. Re:Naturally, the passwords were not in clear by Anonymous Coward · Score: 1, Insightful

    If someone can edit the Apache source tree without being detected and insert some subtle method of a backdoor (something far more subtle than this where uid=0 is in the code when uid==0 is meant), that would mean a LOT of money for the blackhat group, because so many Web servers run Apache that selling a possible backdoor to so many sites would be very lucrative, now, and years to come, as a hole put in now may allow for more targeted attacks in the future.

  11. Re:Damage contained through one-time passwords. by Yvanhoe · Score: 2, Insightful

    Actually, while I acknowledge Apache's response was adequate, isn't it worrying that such a thing can happen?

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.

  12. Re:Naturally, the passwords were not in clear by Smallpond · Score: 2, Insightful

    Here is the actual e-mail they sent out, which unfortunately, I received:

    https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=_________

    The Apache Infrastructure Team

    Since their servers were hacked, how do you know this was really from Apache? Did you click on a link in an email?

  13. Re:Damage contained through one-time passwords. by Anonymous Coward · Score: 1, Insightful

    I can think of a couple.

    It's a very prestigious target (if you're the sort that would do this for some sort of prestige). It's also a poster-child for a solid OSS product - what better way to spread FUD?

    Nice! Even when an OSS project gets broken into, its mention of its insecurity is still "FUD". What a jackass...

  14. Re:Serious Question by DarkKnightRadick · Score: 2, Insightful

    You really think my reaction is way overblown? So you're saying a code audit shouldn't happen? Maybe a few months is too long but some sort of audit should happen and it should be done by the people who, you know, maintain the actual code.

    Take your sarcasm somewhere else. A code audit is not unreasonable given the situation.

    --
    "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)