Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fedora Infrastructure Compromised

Posted by CmdrTaco on from the hate-when-that-happens dept.

Trailrunner7 writes "The infrastructure of the Fedora Project was compromised over the weekend and an account belonging to a Fedora contributor was taken over by an attacker. However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure. The attack appears to have targeted one specific user account, which had some high-value privileges. The attacker was able to compromise the account externally, and then had the ability to connect remotely to some Fedora systems. The attacker also changed the account's SSH key, Fedora officials said."

26 of 115 comments (clear)

  1. Believe? by amicusNYCL · · Score: 2

    However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.

    What do you mean you "don't believe"? You don't have logs?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    1. Re:Believe? by syntap · · Score: 4, Insightful

      Logs can be faked. How about a bitwise comparison to the known-good package system?

    2. Re:Believe? by 0racle · · Score: 2

      Perhaps this is an early release of the information and given the amount of time they have spent in researching the issue they don't believe anything was actually done, but a more thorough investigation is still needed.

      --
      "I use a Mac because I'm just better than you are."
    3. Re:Believe? by new+death+barbie · · Score: 2

      would you trust the logs if you had them?

      --

      It's supposed to be completely automatic, but actually you have to press this button.

    4. Re:Believe? by 0123456 · · Score: 5, Informative

      That's why any secure system should be sending logs to a remote machine as well as /var/log.

    5. Re:Believe? by WetCat · · Score: 2

      Excluding logs before and in the exact time of break-in, while attacker hasn't put his stealth instruments to the victim machine yet.

    6. Re:Believe? by timeOday · · Score: 2
      A compromised server could store the packages unchanged but modify them on the way out.

      The critical piece as I see it is the distribution of the checksums. If package maintainers and end users agree on the checksums (and neither of their systems is initially compromised), then everything should be fine. Or am I overlooking something?

    7. Re:Believe? by Anonymous Coward · · Score: 5, Informative

      Logs can be faked. How about a bitwise comparison to the known-good package system?

      As a fedora dev account holder, I got the notification email. The filesystem was compared with a previous 'good' snapshot to determine what changes were made.

    8. Re:Believe? by Chapter80 · · Score: 5, Funny

      However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.

      What do you mean you "don't believe"? You don't have logs?

      Thankfully, I am on Windows, so I don't have to wonder whether hackers are conducting malicious activity.

    9. Re:Believe? by arth1 · · Score: 2

      Alternatively, if the logging daemon writes events to a logger on another machine, then logs could only ever be appended to and never altered.

      This is why there's still a market for dot matrix printers, especially those with a dip switch that disables reverse paper feed.
      Good luck erasing or modifying that audit trail remotely.

  2. Re:Yay, Open Source! by wagnerrp · · Score: 3, Insightful

    No, they have to Virtual Desktop in.

  3. Re:Yay, Open Source! by oodaloop · · Score: 2, Insightful

    And what, interject some bad code? How would anyone know?

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  4. Re:Rivalry by oodaloop · · Score: 2

    1 in 7. As long we're just making up wild accusations, let's just make up some wild numbers.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  5. Re:Yay, Open Source! by Anonymous Coward · · Score: 2, Interesting

    Actually, even Microsoft employees working remotely have to jump through so many hoops for a flaky VPN connection that there is no way anyone could get in for long enough to do significant damages. A Microsoft employee recruiting in colleges on the East coast showed me their system. You can't use a standard VPN client - even the built-in Windows one. It uses SmartCards and multiple passwords for authentication and disconnects if the card even shifts a bit in the card reader.

    It would probably be easier to steal a physical device than to get into their network from outside a Microsoft office.

  6. Not a professional job by Mathinker · · Score: 2

    The first action the intruder took, changing the SSH password, set off an automatic email notification, which is how the compromise was detected. Pretty stupid.

    A pity that the clueless black hats eventually learn, tho. Not that this means that open-source is totally helpless. In the past, malevolent software updates have been caught. If this becomes widespread, it just means that the development is slowed by the necessity for peer review.

  7. Article and headline are completely wrong by MSG · · Score: 5, Informative

    The infrastructure was not compromised. One user's password appears to have been compromised and changed. That account did not have "high value privileges".

    1. Re:Article and headline are completely wrong by timepilot · · Score: 2

      Or digging further:

      # Push access to packages in the Fedora SCM.
      # Ability to perform builds and make updates to Fedora packages.

      Which I would qualify as high-value.

    2. Re:Article and headline are completely wrong by I8TheWorm · · Score: 2

      Being able to change source code and that code getting pushed into builds which the RE group releases would suggest that it's a bit of a high value account.

      I argued for some time at a previous company that they were out of compliance with Sarbanes-Oxley and segregation of duty rules. The reason was the network admins had access to source code repositories (VSS, StarTeam, and TFS). Since network admins did pushes to QAS and PRD, they could feasably alter source code and push it to production.

      The reality, though, is a developer can put in malicious code and, as long as the rest of the dev team doesn't catch it, it can make it to production regardless. Network admins don't typically have any way of knowing anything about the code that's being pushed.

      All of that makes SOX pretty weak from an IT standpoint. But the end result is this: anyone who can push code to a repository has access to do terrible things.

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  8. Some history by snookiex · · Score: 2
    • Debian: [1], [2]
    • Ubuntu: [1]
    • Gentoo: [1]
    --
    Open Source Network Inventory for the masses! Kuwaiba
  9. Re:Yay, Open Source! by undecim · · Score: 4, Funny

    IIRC, something like that has happened before. The attacker managed to get RDP access to one of Microsoft's servers where they keep source code. However, when authorities were able to trace the connection back to his house, they entered to find he had died of a simultaneous heart attack, aneurysm, and stroke, with the Windows kernel source code open on his screen.

    --
    The Internet has given stupid people the resources of intelligent people.
  10. Re:This never would have happened... by 0123456 · · Score: 3, Insightful

    P.S. Of course if they were serious about security in the first place they wouldn't even allow logins with passwords and would require public key authentication instead.

  11. The actual email in case anyone wants the facts by seifried · · Score: 5, Informative

    http://lists.fedoraproject.org/pipermail/devel-announce/2011-January/000746.html

    Summary: Fedora infrastructure intrusion but no impact on product integrity

    On January 22, 2011 a Fedora contributor received an email from the Fedora Accounts System indicating that his account details had been changed. He contacted the Fedora Infrastructure Team indicating that he had received the email, but had not made changes to his FAS account. The Infrastructure Team immediately began investigating, and confirmed that the account had indeed been compromised.

    At this time, the Infrastructure Team has evidence that indicates the account credentials were compromised externally, and that the Fedora Infrastructure was not subject to any code vulnerability or exploit.

    The account in question was not a member of any sysadmin or Release Engineering groups. The following is a complete list of privileges on the account:

    • SSH to fedorapeople.org (user permissions are very limited on this machine).
    • Push access to packages in the Fedora SCM.
    • Ability to perform builds and make updates to Fedora packages.

    The Infrastructure Team took the following actions after being notified of the issue:

    • 1. Lock down access to the compromised account
    • 2. Take filesystem snapshots of all systems the account had access to (pkgs.fedoraproject.org, fedorapeople.org)
    • 3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the present. Here, we found that the attacker did:
      • Change the account's SSH key in FAS
      • Login to fedorapeople.org

      The attacker did not:

      • Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in any way
      • Generate a koji cert or perform any builds
      • Push any package updates

    Based on the results of our investigation so far, we do not believe that any Fedora packages or other Fedora contributor accounts were affected by this compromise.

    While the user in question had the ability to commit to Fedora SCM, the Infrastructure Team does not believe that the compromised account was used to do this, or cause any builds or updates in the Fedora build system. The Infrastructure Team believes that Fedora users are in no way threatened by this security breach and we have found no evidence that the compromise extended beyond this single account.

    As always, Fedora packagers are recommended to regularly review commits to their packages and report any suspicious activity that they notice.

    Fedora contributors are strongly encouraged to choose a strong FAS password. Contributors should *NOT* use their FAS password on any other websites or user accounts. If you receive an email from FAS notifying you of changes to your account that you did not make, please contact the Fedora Infrastructure team immediately via admin@fedoraproject.org.

    We are still performing a more in-depth investigation and security audit and we will post again if there are any material changes to our understanding.

    --

    Jared Smith

    Fedora Project Leader

  12. Re:This never would have happened... by mlts · · Score: 2

    Exactly. For example, any machines I have which have to have an Internet facing ssh port are definitely not going to be accepting passwords. Tools like ssh-guard are nice, but it isn't hard for a determined attacker to just keep coming from different IP ranges. To add a little bit of security, port knocking is a nice ability to have, just so an attacker doesn't see an open port to start having fun with.

    What would be ideal is if OATH support would advance to the point where I can just enter my username, then my password and then the random key from a SecurID or other token. This way, an attacker would have to go from passively looking at passwords as they float by to actively MITM-ing the connection.

  13. Re:Yay, Open Source! by Mitchell314 · · Score: 2

    Careful what you wish for. They could permanently fuse that damn paperclip to the desktop.

    --
    I read TFA and all I got was this lousy cookie
  14. Fedora infrastructure intrusion by doperative · · Score: 2

    "The Infrastructure Team took the following actions after being notified of the issue:

    1. Lock down access to the compromised account

    2. Take filesystem snapshots of all systems the account had access to

          (pkgs.fedoraproject.org, fedorapeople.org)

    3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the present

    Here, we found that the attacker did:

            * Change the account's SSH key in FAS

            * Login to fedorapeople.org

          The attacker did not:

            * Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in any way

            * Generate a koji cert or perform any builds

            * Push any package updates .."

  15. Nah, Security by obscure VC software by The+O+Rly+Factor · · Score: 2

    Nah, MS uses Team Foundation Server for all of their version control. I have not ever met another single person or company that also uses TFS, nor have I really seen any good documentation on how to use it.