Two FreeBSD Project Servers Hacked
hypnosec writes "The FreeBSD project has suffered a security breach. Hackers have successfully compromised servers that were part of the infrastructure used to build third-party software packages. The Security team over at the FreeBSD project is of the opinion that hackers were able to gain access to the servers using legitimate SSH keys and not by exploiting any operating system vulnerabilities. Instances of intrusion were first detected on November 11. The FreeBSD project, through a message on the public announcements mailing list, said that the security breach hasn't affected the project's core components like the kernel or system libraries, but has affected third-party software packages being distributed by the project."
This was already submitted two days ago.
New article link merely references the material already posted by FreeBSD on Nov 17th.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
Posted by timothy on Saturday November 17, @09:22AM
from the happy-transparency dept.
Probably someone left the keys in a bar in San Francisco. Isn't that the way it works these days?
"Only two remote holes in the default install, in a heck of a long time!"
A security breach using legitimate authentication credentials is not a remote hole.
It's as easy as simply running a dictionary attack.
You can't tell a passphrase-protected private key from an unprotected one. Both are gibberish. You would never know when you decoded it correctly unless you try to use it.
Each dictionary attack attempt will have to be tried via an attempted login to either the target site or a replica thereof.
But, hey, we are all ears if you have a better method. People have only been looking for one for something like 20 years. You can be a hero.
Sig Battery depleted. Reverting to safe mode.
And the worst: They stole all the source code and pirated BSD!!!!
There are two rules for success:
1. Never tell everything you know.
Linux, Windows, OS X, and Solaris all use the BSD SSL code, or very close derivations of it. If the BSD coders are lazy, then the coders responsible for the above-mentioned OSs are even worse, right?