FreeBSD Project Discloses Security Breach Via Stolen SSH Key
An anonymous reader writes "Following recent compromises of the Linux kernel.org and Sourceforge, the FreeBSD Project is now reporting that several machines have been broken into. After a brief outage, ftp.FreeBSD.org and other services appear to be back. The project announcement states that some deprecated services (e.g., cvsup) may be removed rather than restored. Users are advised to check for packages downloaded between certain dates and replace them, although not because known trojans have been found, but rather because the project has not yet been able to confirm that they could not exist. Apparently initial access was via a stolen SSH key, but fortunately the project's clusters were partitioned so that the effects were limited. The announcement contains more detailed information — and we are left wondering, would proprietary companies that get broken into be so forthcoming? Should they be?"
Re:Forthcoming... (Score:2, Interesting)
They wouldn't be until they were forced to due to possible leaking of customer data. I don't blame them; I've worked at a company whose ad servers got hacked and used to spread malware, causing customers of ours to be blocked by Google. After fixing the compromised servers we got contacted by some of our customers and had to lie (blame a 3rd party) not to lose them.
Another thing: companies rarely go after the hackers, even if they're dealing with total script kiddies (which is usually the case). While patching our servers we left certain parts of the hacker's webshell active but rewrote it so he had no actual access to the system and we would get notified instead. We already had his IP from the server logs and it was consistently the same IP, originating from a customer DSL line in Russia. After patching, this same IP tried connecting several times.
So what do you do next? Nothing.
Short Answer (Score:4, Interesting)
would proprietary companies that get broken into be so forthcoming? Should they be?
Yes, they are already required to [proskauer.com]
BTW, have we ever seen a satisfying explanation for what happened at kernel.org and linuxfoundation.org? We were initially told that it was something similar (stolen password/compromised user system), but AFAICT they have never explained how that could lead to the servers being root'ed. A rootkit *was* installed. That requires careless use of root privileges or an exploit of a privilege escalation vulnerability. Which was it?