Slashdot Mirror
FreeBSD Project Discloses Security Breach Via Stolen SSH Key
An anonymous reader writes "Following recent compromises of the Linux kernel.org and Sourceforge, the FreeBSD Project is now reporting that several machines have been broken into. After a brief outage, ftp.FreeBSD.org and other services appear to be back. The project announcement states that some deprecated services (e.g., cvsup) may be removed rather than restored. Users are advised to check for packages downloaded between certain dates and replace them, although not because known trojans have been found, but rather because the project has not yet been able to confirm that they could not exist. Apparently initial access was via a stolen SSH key, but fortunately the project's clusters were partitioned so that the effects were limited. The announcement contains more detailed information — and we are left wondering, would proprietary companies that get broken into so forthcoming? Should they be?"
If you run on freebsd, examine your tar and tar.gz
Access via ssh key, someone may have changed the tree
If you only use base release, power down and anti-freeze
For package add post 9/16, SVN and confirm you're clean
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
and we are left wondering, would proprietary companies that get broken into so forthcoming?
I suspect most would not be so forthcoming.
Should they be?"
Yes.
Really do seem to know what they're doing, and are very proactive with their security.
I'm glad they openly announced this, how to deal with the breach for end-users, and also how they're dealing with it. (This coming from a proud FreeBSD server and desktop user)
(yes I use the Oxford comma.)
"...and we are left wondering, would proprietary companies that get broken into so forthcoming? Should they be?"
Short answer:
No, they do not want to scare the stockholders.
and... Yes, they should be because openness allows people to recover or protect themselves faster.
Silence is a state of mime.
...that any company which holds personally identifiable information (so that's all of them - it goes from CRM databases to employee records and payroll) has a Statutory obligation to register Company details with the Information Commissioner's Office and to report any breaches to the Information Commissioner.
For the definition of "breach", read: lost or stolen mobile phone, laptop, notepad, application or registration document, tablet, audio recording, video capture, or any other method, known or unknown, of recording personally identifiable information.
Operation Guillotine is in effect.
You don't seem to be aware that SSH keys are typically encrypted, and still require a password to unlock. Yes, some people foolishly enable passwordless use of SSH keys, but that does not reflect on the principle of SSH key login in general.
You can password protect SSH keys. Furthermore, you can store them on an encrypted volume. Passwords can be bruteforced rather easily, because most people tend to use weak passwords. Bruteforcing an SSH server server that enforces PKI however... I guess the only way to get in is... to steal a user's key, which means you need physical access to it or the user has been really careless.
No matter how secure your system is (and SSH is very secure), if the individual using it is careless, the system will end up getting compromized.
From a recent security audit I participated in, you are mistaken. The number of SSH keys that were _not_ passphrase encrypted, in a typical multi-user environment, vastly exceeded the number that were encrypted. These keys were stored on an unsecured NFSv3 environment, and on poorly secured backup tapes. This configuration is common, and we even found several github and Sourceforge SSH keys for known participants in open source projects there.
While the number of security errors in those environments were quite large, they're quite commonplace. They are partly the result of the fact that SSH servers have no way of restricting users to the use of passphrase protected keys, and SSH key generators, especially those in the OpenSSH codebase, do not enforce the use of passphrase protected keys. (They issue a warning, but do not enforce the use of passphrase.) There are certainly tools available to help manage passphrase protected SSH keys. but even where available, they remain rarely used.
This is compounded by the lack of effective centralized management tools for SSH key access, and the nonexisting or recently implemented and rarely used expiration or revocation technologies for SSH. SSH should only be considered robust for protecting individual sessions from decryption. Its "key" technology should not be considered a robust authentication technology due to these commonplace flaws.
There are better general authentication approaches: SSH, both OpenSSH and SecureCRT's tool suites, now offer Kerberos authentication. This is a much safer technology, not vulnerable to the various "stolen passphrase free key" issues of normal SSH. Unfortunately, I've not seen any way for it to mesh well with SSH configurations that rely on the "ForceCommand" option being tuned for individual users and their SSH keys, especially source control technologies such as the "git" and "Subversion" and "CVS" access at Sourceforge.
or the user has been really careless.
Which is always the weakest link in any security system.
---- Booth was a patriot ----
Although this is a troll, there still is an unanswered question: how did the ssh key get stolen? While its nice to see that FreeBSD wasn't breached due to a vulnerability in *its* systems, someone obviously had a vulnerability in their system. To all the sysadmins out there, I think that's what keeps you up at night: How do you ensure that your users safeguard their secrets? Other than a "corporate policy" document imploring them to use "good judgement"?
Especially with BYOD coming into vogue, I think the security community needs to come up with a solution that is cross platform and easy to implement, verify and enforce.
Well.. maybe. Or Maybe not. But Definitely not sort of.
And so, when Microsoft gets raped by a bunch of hackers you think they are going to let the public know?
No, they are going to keep it under wraps.
No, they are *not* going to keep it under wraps, at least not if the break-in puts its users or customers at risk.
The reason is simple: Microsoft is required by law to disclose any such breach. The penalties for "keeping it under wraps" are severe and could include paying restitution/punitive damages to each individual customers/user.
But don't let such minor detail stand in the way of spewing your MHD all over slashdot.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Seriously? You are suggesting we leave passwords laying around in plain text in batch files, and go back to telnet???
Your method is only better in one single way. There is no worrying that you are the 0.0001% that did it wrong and are vulnerable. With your way, you KNOW you are already exploited!
would proprietary companies that get broken into so forthcoming? Should they be?
Yes, they are already required to
BTW, have we ever seen a satisfying explanation for what happened at kernel.org and linuxfoundation.org? We were initially told that it was something similar (stolen password/compromised user system), but AFAICT they have never explained how that could lead to the servers being root'ed. A rootkit *was* installed. That requires careless use of root privileges or an exploit of a privilege escalation vulnerability. Which was it?
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
No, we are not left wondering (unless one thinks that FreeBSD has a patent on especially leaky SSH developer keys) so instead we pretend that we are left wondering to justify hanging around and scribbling on the bathroom wall.
If Apple can't keep their mitts on an iPhone prototype and Google can't keep their mitts on a Nexus prototype, do you really think these butter-finger organizations have any better control over their developer's SSH keys?
[t]here still is an unanswered question: how did the ssh key get stolen? While its nice to see that FreeBSD wasn't breached due to a vulnerability in *its* systems, someone obviously had a vulnerability in their system.
The explanation is simple enough, and provided on the compromise notice:
The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD.
It only takes one instance of walking away from your workstation leaving it running to have a co-worker slip into your chair and email your .ssh directory to some obscure off shore email address, then remove the outgoing email from the "sent" list. A stolen phone, a purloined laptop, the possibilities are endless, although in the latter two instances you would expect revocations to be issued (assuming you had a backup copy somewhere)..
Once someone has your private key they ARE you, and it it was done without being immediately discovered, the key could linger in the wild for months or years.
Sig Battery depleted. Reverting to safe mode.