Forgot your password?
typodupeerror
Security Unix IT BSD

FreeBSD Project Discloses Security Breach Via Stolen SSH Key 86

Posted by timothy
from the happy-transparency dept.
An anonymous reader writes "Following recent compromises of the Linux kernel.org and Sourceforge, the FreeBSD Project is now reporting that several machines have been broken into. After a brief outage, ftp.FreeBSD.org and other services appear to be back. The project announcement states that some deprecated services (e.g., cvsup) may be removed rather than restored. Users are advised to check for packages downloaded between certain dates and replace them, although not because known trojans have been found, but rather because the project has not yet been able to confirm that they could not exist. Apparently initial access was via a stolen SSH key, but fortunately the project's clusters were partitioned so that the effects were limited. The announcement contains more detailed information — and we are left wondering, would proprietary companies that get broken into so forthcoming? Should they be?"
This discussion has been archived. No new comments can be posted.

FreeBSD Project Discloses Security Breach Via Stolen SSH Key

Comments Filter:
  • by alphatel (1450715) * on Saturday November 17, 2012 @10:27AM (#42011771)
    If you run on freebsd, examine your tar and tar.gz
    Access via ssh key, someone may have changed the tree
    If you only use base release, power down and anti-freeze
    For package add post 9/16, SVN and confirm you're clean
  • Forthcoming... (Score:5, Insightful)

    by QuietLagoon (813062) on Saturday November 17, 2012 @10:31AM (#42011789)

    and we are left wondering, would proprietary companies that get broken into so forthcoming?

    I suspect most would not be so forthcoming.

    Should they be?"

    Yes.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      They wouldn't be until they were forced to due to possible leaking of customer data. I don't blame them, I've worked at a company whose ad servers got hacked and used to spread malware causing customers of ours to be blocked by google. After fixing the compromised servers we got contacted by some of our customers and had to lie (blame 3rd party) not to lose them.
      Another thing, companies rarely go after the hackers, even if they're dealing with total scriptkiddies (which is usually the case). While patching

      • If you had to lie about a security issue, you should immediately lose all trust and your company should immediately go out of business. Simple as that. Especially sleazy fucking advertising companies, which already tend to be some of the worst culprits.

        Worthless, lying, malware-serving companies such as your own are exactly the type I make every attempt to block in every major way possible (cookies, scripting, advertisement images, etc.). Of course, I don't discriminate--I block them all; none of their b

    • and we are left wondering, would proprietary companies that get broken into so forthcoming?

      No, we are not left wondering (unless one thinks that FreeBSD has a patent on especially leaky SSH developer keys) so instead we pretend that we are left wondering to justify hanging around and scribbling on the bathroom wall.

      If Apple can't keep their mitts on an iPhone prototype and Google can't keep their mitts on a Nexus prototype, do you really think these butter-finger organizations have any better control over t

  • by Anonymous Coward on Saturday November 17, 2012 @10:32AM (#42011795)

    Really do seem to know what they're doing, and are very proactive with their security.

    I'm glad they openly announced this, how to deal with the breach for end-users, and also how they're dealing with it. (This coming from a proud FreeBSD server and desktop user)

    (yes I use the Oxford comma.)

    • Completely OT; I agree with your usage of the Oxford here, however I tend not to use it unless omission would cause obvious confusion.

    • Really do seem to know what they're doing, and are very proactive with their security.

      The security team and cluster admin has also been working very hard over the past few months to partition the FreeBSD cluster a lot better. If this attack had happened in a month or two, you wouldn't be hearing about it because nothing of value would have been compromised. The attack was against the legacy package building infrastructure, which is due to be retired soon. It was able to get access to more systems because it had the developers' home directories mounted (this isn't be the case with the new

  • Short answer (Score:5, Insightful)

    by wbr1 (2538558) on Saturday November 17, 2012 @10:32AM (#42011797)
    "...and we are left wondering, would proprietary companies that get broken into so forthcoming? Should they be?"
    Short answer:
    No, they do not want to scare the stockholders.
    and... Yes, they should be because openness allows people to recover or protect themselves faster.
    • by Anonymous Coward

      I wonder, is it insider trading if you openly and publicly give ALL the information you have on a break-in that you (the company) detected, see that the immediate reaction of the market is far out of proportion to the actual harm, and then buy stock like crazy in the company you work at, only to sell it at a large profit a few weeks later? Are there laws against that? Considering that you have not hidden any information, you simply believe that you have a better appreciation of that information as part of w

      • by Anonymous Coward

        That's precisely why there are requirements in some cases for executives of companies to file notices when they buy and sell certain stocks in advance. As long as those are followed then it is usually fine.

      • by celle (906675)

        "Are there laws against that?"

            There should be as it's a major conflict of interest that opens a lot of bad doors to stock manipulation. You shouldn't be allowed to use(play with) the stock of the company you are employed by unless you own the company lock, stock, and barrel thereby only shooting your own foot. Your described situation is technically insider trading.
              Are there laws, probably not. Legal responses, depends on who you piss off.

    • by shentino (1139071)

      Unless the shareholders decide to throw a short sighted tantrum and force a company's hand. a company should be aware of the very bad PR possible from being caught withholding this sort of information.

      Tattling on yourself is good karma and protects you from being embarrassed later.

  • by Tastecicles (1153671) on Saturday November 17, 2012 @10:34AM (#42011811)

    ...that any company which holds personally identifiable information (so that's all of them - it goes from CRM databases to employee records and payroll) has a Statutory obligation to register Company details with the Information Commissioner's Office and to report any breaches to the Information Commissioner [ico.gov.uk].

    For the definition of "breach", read: lost or stolen mobile phone, laptop, notepad, application or registration document, tablet, audio recording, video capture, or any other method, known or unknown, of recording personally identifiable information.

    • I believe this has already become a EU directive. If you lose person-related data, you have to make it known within 24 hours after becoming aware of it, otherwise your company faces fines. And the fines have been increased to make companies feel it.

  • by overmoderated (2703703) on Saturday November 17, 2012 @10:58AM (#42011939)
    No matter how secure your system is (and SSH is very secure), if the individual using it is careless, the system will end up getting compromized.
    • by evilviper (135110)

      OpenSSH will refuse to use any key where the permissions are set too permissively, so others may be able to read it...

      Technology can't solve stupid user mistakes, but it can keep getting better at preventing common mistakes.

  • Why would you use a stolen SSH key to announce a security breach?

  • Short Answer (Score:4, Interesting)

    by benjymouse (756774) on Saturday November 17, 2012 @01:38PM (#42012877)

    would proprietary companies that get broken into so forthcoming? Should they be?

    Yes, they are already required to [proskauer.com]

    BTW, have we ever seen a satisfying explanation for what happened at kernel.org and linuxfoundation.org? We were initially told that it was something similar (stolen password/compromised user system), but AFAICT they have never explained how that could lead to the servers being root'ed. A rootkit *was* installed. That requires careless use of root privileges or an exploit of a privilege escalation vulnerability. Which was it?

  • Crypto: 0
    As received by: Transceiver Relay03 at Relay
    Language path: Cloudmark->Triskweline, SjK units
    [Cloudmark is a High Beyond trade language. Despite
    colloquial rendering, only core meaning is guaranteed.]

Is a person who blows up banks an econoclast?

Working...