Slashdot Mirror
Apache Foundation Attacked, Passwords Stolen
Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."
"The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights"
Finally - a CowboyNeal option that is the right one!
Addendum: Never mind, sorry - unlike the summary implies by "all users" the attack was targeted at capturing passwords from users who logged in while the site was compromised.
Naturally, simple hashing is no protection against that.
The passwords were stored as hashes (message-digest or otherwise) with randomized salt, right? I mean, they have a clue about security, surely.
Right?
From the article: "The passwords were encrypted on the compromised servers (SHA-512 hash) but Apache said the risk to simple passwords based on dictionary words "is quite high" and urged users to immediately rotate their passwords."
Does this smell like Chloroform to you?
cause that would have confused the hell out of the attackers.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
After RTFA, yes, the passwords were stored using SHA-512. However, for three days the login form for one of the compromised services was altered, possibly allowing clear-text passwrod grabbing.
Is Apache a valuable target? I'm interested in what people would crack this site for, if not for fun or proof of concept.
Also, inb4 "Ubuntu sucks" or similar trolls. Linux haters would be in here if it were Ubuntu or Red Hat. Netcraft would be trolling if FreeBSD were the host OS. And God Forbid Apache had been using Server 2008.
FTFA: Apache said the use of one-time passwords was a "lifesaver" because it limited the damage and stopped the attack from spreading to other services/hosts. Nice that the damage was contained. What would be the motivation(s) for hacking Apache, anyway? It's not like it's Citibank.
In a band? Use WheresTheGig for free.
Does anyone have any thoughts as to why Apache would be targeted like this?
Apache doesn't exactly garner bad blood from shady groups. Big corporations and governments have too much to lose by attacking Apache this way. I could understand an attempt by organized crime or a blackhat organization to secretly insert a back door into the Apache code base, but this was too heavy-handed to even consider being a secret attempt.
The whole thing is weird.
Turn them on, so you can see where they go.
http://tinyurl.com/preview.php
Nothing but absolute respect for how Apache is handling this. Were there issues that became apparent as a result of this? Yes. But have they discovered the flaws, acknowledged them, and are looking to close those holes? Yes.
It's a shame more companies can't operate with such...transparency I guess you'd call it. However, consumers respond differently to different types of companies.
I, for one, am proud to see a company take this seriously instead of trying to sweep it under the rug.
AFAICT, web servers themselves aren't commonly hacked these days - and indeed that seems to be the case here.
The foolish thing is - and it's downright stupid, make no mistake - while most modern web servers are fairly secure, the same is most definitely not true of the applications and frameworks that commonly run on them. And because it's quite common to find a password for one application works for others (either by a user using the same password or by design, eg. using a common backend such as LDAP), you only need one stupid application which doesn't take countermeasures against brute-force attacks and doesn't log failed logins (making fail2ban ineffective) and the whole damn lot is cracked open.
Also, inb4 "Ubuntu sucks" or similar trolls. Linux haters would be in here if it were Ubuntu or Red Hat. Netcraft would be trolling if FreeBSD were the host OS. And God Forbid Apache had been using Server 2008.
Yeah, I'd forsee twice the number of comments by this time if this was IIS with half of them saying "switch to a real OS!!"
Operating system has nothing to do with this attack. Web server has nothing to do with this attack. JIRA has to do with this attack. If a session cookie is stolen and is valid when used by the 3rd party, it's the application's fault. The solution would be a better, more secure session manager in JIRA. Additional solution would be using HTTPS.
The host OS doesn't even enter in to it. They exploited JIRA, which is in Java, to steal cookies from the user via a XSS attack, which they used to steal an admin account and then they used that to install a plugin which overrode the standard login facilty. JIRA could probably have used some hardening, but frankly I suspect the security of nearly every bug tracker is pretty suspect.
I wonder if NoScript's XSS blocker would have foiled it?
Hey, this is serious! These hackers might have access to the full source code for Apache. Now they can craft specially targeted attacks against most web servers - no longer does Apache have that advantage over the leaked Windows source code. A terrible day for security on the web.
Socialism: a lie told by totalitarians and believed by fools.
Dear ____________,
You are receiving this email because you have a login, '________', on the Apache JIRA installation, https://issues.apache.org/jira/
On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:
https://blogs.apache.org/infra/entry/apache_org_04_09_2010
We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password you set when signing up as '________' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it should be assumed that the attackers can guess your password from the password hash via brute force.
The upshot is that someone malicious may know both your email address and a password of yours.
This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online banking sites, or sites known to be related to your email's domain, gmail.com.
Naturally we would also like you to reset your JIRA password. That can be done at:
https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=_________
We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email. We are also available on the #asfinfra IRC channel on irc.freenode.net.
Regards,
The Apache Infrastructure Team
So, yeah. They were storing the passwords unsalted, which means that it is susceptible to a simple dictionary crack.
Needless to say, I'm quite disgusted with the Apache foundation right now.
Similes are like metaphors
they just couldn't figure out how to access subversion so they got the code thru some more entertaining ways
Of course it is - one shared (at some point in time), by all browsers, amongst other software.
That's why it's "stupid" to trust your systems 100%
You yourself don't have a quick look at a link, especially one from an unknown source, before blithely clicking?
Especially if you're logged on with root or admin rights?
Oh man. This, a day after Atlassian itself got breached:
http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html
Their fault or not, having their name linked to two breaches in as many days has gotta be unpleasant at best for Atlassian.
Do you mean the source code for the Apache web server itself? Hasn't that always been available? Since when has it been a closed source product like IIS?
Oh, hand on a sec, there's sarcasm here?
If you read the article, the Apache folks were compromised before the Atlassian breach - and in the article, it appears Apache contacted Atlassian regarding the xss compromise which was used 2 days later directly on atlassian itself.
http://en.wikipedia.org/wiki/Framekiller
one line of code:
top.location.replace(self.location.href);
put it in every page you ever publish on the web
it's not 100% foolproof, nothing is
but it's so little effort for protection from an important kind of xss attack
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Sorry, but that distinction has long since been lost... if it was ever popular to begin with. These days we have good hackers and we have evil hackers.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
And TFS said that passwords were stolen via an XSS exploit. You could be storing passwords on the server with some sort of quantum solution and still be screwed, because the passwords are stolen before they hit the server.
Sounds like there's two stages here though. Get admin access via logging passwords with the XSS exploit, and then get at the DB and do whatever the hell they want. Even if you have XSS vulnerabilities (and they're terribly common), admins should still know better than to login through a tinyurl link, since that's now one of the easiest ways for a malicious user to get a vulnerability on the page.
That said, storing unsalted hashes is still abysmally stupid.
How are sites slashdotted when nobody reads TFAs?
And how does a salt help when they can get the salt?
Well, they'd have to generate a new hash-table using the specific hash, which at the very least is an extremely time consuming effort that puts up another potential roadblock in getting a whole shit load of user's passwords.
Now, if you do not do this you would be 100% safe :)
Wrong. All they need is your email password and then can reset or get user names for any other accounts you have. What is important, however, is that your email password is entirely unique and extremely strong.
If you do this, you should be disgusted at *yourself* first. Then at the attackers. Then at the altasian for making software susceptible to this (they made the hash as it is in the DB, not Apache).
Wrong again. I'm not disgusted in myself since my password is certainly not common enough to be cracked by a precalculated hash-table.
Similes are like metaphors
Here is the actual e-mail they sent out, which unfortunately, I received:
https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=_________
The Apache Infrastructure Team
Since their servers were hacked, how do you know this was from really Apache? Did you click ona link in an email?
Every big and famous webapp had, and has, XSS holes, period. It doesn't matter how smart they are.
Wouldn't you say that Slashdot should be very safe? For it must have been under a lot of attacks, and all the xss holes must have been discovered and fixed.
I spent a few minutes looking around and I found one already. I'll publish it here right now for your amusement, I don't think real damages can be caused before the hole is closed.
The Password/Claim OpenID form has no XSRF protection. It also works with GET method which makes it even sweeter. If a slashdot user's browser fetches this URL (trick him to click it; or more sinisterly, use it in a img src)
http://slashdot.org/login.pl?openid_url=http://evil.openid.server.com/&op=claim_openid
his slashdot account will be linked to an openid without him knowing it. The attacker can then log into the account with the openid, game over.
Now let's point to CmdrTaco and laugh.
He uses Gentoo. He's installed the words, but the grammar is still compiling.
I am TheRaven on Soylent News