Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Foundation Attacked, Passwords Stolen

Posted by CmdrTaco on from the yeah-we-meant-to-do-that dept.

Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."

5 of 214 comments (clear)

  1. Re:Naturally, the passwords were not in clear by Arancaytar · · Score: 5, Informative

    Addendum: Never mind, sorry - unlike the summary implies by "all users" the attack was targeted at capturing passwords from users who logged in while the site was compromised.

    Naturally, simple hashing is no protection against that.

  2. Should'a been running IIS! by Kenja · · Score: 5, Funny

    cause that would have confused the hell out of the attackers.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  3. TinyURL Previews by The+MAZZTer · · Score: 5, Informative

    Turn them on, so you can see where they go.

    http://tinyurl.com/preview.php

  4. Respect by Xacid · · Score: 5, Insightful

    Nothing but absolute respect for how Apache is handling this. Were there issues that became apparent as a result of this? Yes. But have they discovered the flaws, acknowledged them, and are looking to close those holes? Yes.

    It's a shame more companies can't operate with such...transparency I guess you'd call it. However, consumers respond differently to different types of companies.

    I, for one, am proud to see a company take this seriously instead of trying to sweep it under the rug.

  5. Re:Naturally, the passwords were not in clear by not+already+in+use · · Score: 5, Informative
    Here is the actual e-mail they sent out, which unfortunately, I received:

    Dear ____________,

    You are receiving this email because you have a login, '________', on the Apache JIRA installation, https://issues.apache.org/jira/

    On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:

    https://blogs.apache.org/infra/entry/apache_org_04_09_2010

    We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password you set when signing up as '________' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it should be assumed that the attackers can guess your password from the password hash via brute force.

    The upshot is that someone malicious may know both your email address and a password of yours.

    This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online banking sites, or sites known to be related to your email's domain, gmail.com.

    Naturally we would also like you to reset your JIRA password. That can be done at:

    https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=_________

    We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email. We are also available on the #asfinfra IRC channel on irc.freenode.net.

    Regards,

    The Apache Infrastructure Team

    So, yeah. They were storing the passwords unsalted, which means that it is susceptible to a simple dictionary crack.

    Needless to say, I'm quite disgusted with the Apache foundation right now.

    --
    Similes are like metaphors