Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

Two FreeBSD Project Servers Hacked 46

hypnosec writes "The FreeBSD project has suffered a security breach. Hackers have successfully compromised servers that were part of the infrastructure used to build third-party software packages. The Security team over at the FreeBSD project is of the opinion that hackers were able to gain access to the servers using legitimate SSH keys and not by exploiting any operating system vulnerabilities. Instances of intrusion were first detected on November 11. FreeBSD project, through a message on public announcements mailing list said that the security breach hasn't affected the project's core components like kernel or system libraries but, has affected third-party software packages being distributed by the project."
This discussion has been archived. No new comments can be posted.

Two FreeBSD Project Servers Hacked

Comments Filter:
  • by alphatel ( 1450715 ) * on Monday November 19, 2012 @02:00PM (#42029951)
    This was already submitted two days ago [slashdot.org].
    New article link merely references the material already posted by freebsd [freebsd.org] on Nov 17th.
  • by Lawrence_Bird ( 67278 ) on Monday November 19, 2012 @02:07PM (#42030033) Homepage

    Posted by timothy on Saturday November 17, @09:22AM
    from the happy-transparency dept.

  • They're not something you can guess. Someone with access to those systems either was careless with them, let someone else use their account and they were stolen or its an inside job and they're simply trying to make it look like it was external hackers.

    • Probably tricked someone into giving them up. Your security chain is only as strong as the weakest link
    • by Idbar ( 1034346 ) on Monday November 19, 2012 @02:24PM (#42030205)
      Probably someone left the keys in a bar in San Francisco. Isn't that the way it works these days?
    • My guess:
      1. Somebody who legitimately has the keys put them on a cell phone or laptop.
      2. Somebody else pwns that device (because it's not running a super-secure OS), sees the keys.
      3. The person with access doesn't know he's been hacked, or doesn't want to admit it, so the rest of the organization doesn't get notified and can't change the keys.
      4. Voila, easy access to FreeBSD's servers.

      That's one of the standard techniques in getting around security: You target the relatively insecure partner with legitimate

      • by icebike ( 68054 ) *

        Well even having found a cell phone with ssh keys on it doesn't gain you access unless the ssh keys themselves have no passphrase.

        This use to be a fairly common practice (unfortunately) when key caching agents were not available and every single transfer over ssh required yet another entry of your ssh passphrase.

        If no passphrase was used on the keys, simply walking away from your workstation for two minutes allows an untrustworth co-worker to email your entire .ssh directory to himself at some obscure mail

    • by Anonymous Coward

      It concerns me that so many people (lots of people on forums, Slashdot, and a few of my own peers) are focused on how the person's SSH private keys were obtained. It doesn't matter how the keys were obtained -- truly it doesn't. You have to assume those keys are going to be obtainable. Most people keep their private keys stored on their workstation or laptop, or on a USB flash drive; laptops get stolen, USB flash drives get stolen or lost, workstations get compromised, and so on. Given this, there's no

      • by icebike ( 68054 ) *

        Look hard enough and you will find a conspiracy.

        It seems just as likely to me that forensics required a certain period of silence while packages were checked against backup sources.

        What could they announce on the 11th that would have made you happy? WE'VE BEEN BREACHED!! (perhaps add two or three more exclamation marks). Then what. 10 thousand questions, phone calls, and emails, distracting them from the task at hand?
        You know that even you would be demanding more answers if they posted exactly what you a

  • "Only two remote holes in the default install, in a heck of a long time!"

  • Still suspect this could have something to do with the SSL backdoor allegations made a while back. http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg47029.html [mail-archive.com]

    Yes I know the allegations have largely just petered out over time, but this doesn't allay my suspicion.

  • by bursch-X ( 458146 ) on Monday November 19, 2012 @05:24PM (#42032527)
    And the worst: They stole all the source code and pirated BSD!!!!
  • It's not really a hack if you log in with legitimate credentials. Compromised, yes. Hacked? No.

Reality must take precedence over public relations, for Mother Nature cannot be fooled. -- R.P. Feynman

Working...