Two FreeBSD Project Servers Hacked
hypnosec writes "The FreeBSD project has suffered a security breach. Hackers have successfully compromised servers that were part of the infrastructure used to build third-party software packages. The Security team over at the FreeBSD project is of the opinion that hackers were able to gain access to the servers using legitimate SSH keys and not by exploiting any operating system vulnerabilities. Instances of intrusion were first detected on November 11. The FreeBSD project, through a message on its public announcements mailing list, said that the security breach hasn't affected the project's core components like the kernel or system libraries but has affected third-party software packages being distributed by the project."
Yes, I read /. on Saturday (Score:5, Informative)
New article link merely references the material already posted by freebsd [freebsd.org] on Nov 17th.
Re:Yes, I read /. on Saturday (Score:5, Funny)
Dupe, dupe, dupe,
Dupe of URL
Dupe, dupe,
Dupe of URL
Yes, oh, I, I'm gonna link you
Nothing can stop me now
'Cause I'm the Dupe of URL...
Re: (Score:3)
Sigh. I was actually hoping for new information. Instead we're left with "/. editors can't scrub for dupes." Which we all knew already.
Re: (Score:2)
Yes, but it was posted by Timothy, who I and many others block all stories from (because he's an idiot that doesn't bother to look at the pages he links to, or in general give any other thought to posting), so at least it's new to some of us.
at least it's 36 hours since the original posting (Score:4, Informative)
Posted by timothy on Saturday November 17, @09:22AM
from the happy-transparency dept.
Has anyone found out how they got the keys yet? (Score:2)
They're not something you can guess. Someone with access to those systems either was careless with them, let someone else use their account and they were stolen, or it's an inside job and they're simply trying to make it look like it was external hackers.
Re: (Score:2)
My guess:
1. Somebody who legitimately has the keys put them on a cell phone or laptop.
2. Somebody else pwns that device (because it's not running a super-secure OS), sees the keys.
3. The person with access doesn't know he's been hacked, or doesn't want to admit it, so the rest of the organization doesn't get notified and can't change the keys.
4. Voila, easy access to FreeBSD's servers.
That's one of the standard techniques in getting around security: You target the relatively insecure partner with legitimate
Re: (Score:2)
Well even having found a cell phone with ssh keys on it doesn't gain you access unless the ssh keys themselves have no passphrase.
This use to be a fairly common practice (unfortunately) when key caching agents were not available and every single transfer over ssh required yet another entry of your ssh passphrase.
If no passphrase was used on the keys, simply walking away from your workstation for two minutes allows an untrustworthy co-worker to email your entire .ssh directory to himself at some obscure mail
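A defender-side check for the situation this comment describes, added here and not from any poster: it walks a .ssh directory and reports private keys that load without a passphrase, by reading the ciphername field in the OpenSSH key header ("none" means cleartext) or the Proc-Type header of a legacy PEM key. The directory layout and the constructed sample key are assumptions.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(text):
    """True if the key needs a passphrase, False if it loads as-is, None if unrecognised."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New format: base64 blob = magic, then a big-endian length-prefixed ciphername.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, cleartext
        return False
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encrypted keys carry Proc-Type/DEK-Info headers.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4])
    return None

def unprotected_keys(ssh_dir):
    """Paths under ssh_dir (a Path) holding private keys that need no passphrase."""
    hits = []
    for p in sorted(Path(ssh_dir).iterdir()):
        if not p.is_file() or p.suffix == ".pub":
            continue
        try:
            if key_is_encrypted(p.read_text(errors="replace")) is False:
                hits.append(p)
        except (ValueError, struct.error):
            pass  # not a key, or truncated: skip it
    return hits

def sample_openssh_key(ciphername):
    """Constructed OpenSSH-format header with a dummy payload, for exercising the check."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(ciphername)) + ciphername + b"\x00" * 16
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")
```

Run `unprotected_keys(Path.home() / ".ssh")` on a workstation to list keys an attacker could use straight from a copied directory.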
Re: (Score:3)
It's as easy as simply running a dictionary attack.
You can't tell a passphrase-protected private key from an unprotected one. Both are gibberish. You would never know when you decoded it correctly unless you try to use it.
Each dictionary attack attempt will have to be tried via an attempted log in to either the target site or a replica thereof.
But, hey, we are all ears if you have a better method. People have only been looking for one for something like 20 years. You can be a hero.
Re: (Score:2)
Perhaps you're not very good at statistical analysis, or you just haven't gotten the message [xkcd.com]. Yeah, they're not a magic bullet. You have to pick a decent one. But you can remember a HELL OF A LOT more entropy in the form of a phrase than you can in the form of a nonsense character string.
Of course you don't KN
Re: (Score:1)
It concerns me that so many people (lots of people on forums, Slashdot, and a few of my own peers) are focused on how the person's SSH private keys were obtained. It doesn't matter how the keys were obtained -- truly it doesn't. You have to assume those keys are going to be obtainable. Most people keep their private keys stored on their workstation or laptop, or on a USB flash drive; laptops get stolen, USB flash drives get stolen or lost, workstations get compromised, and so on. Given this, there's no
Re: (Score:2)
Look hard enough and you will find a conspiracy.
It seems just as likely to me that forensics required a certain period of silence while packages were checked against backup sources.
What could they announce on the 11th that would have made you happy? WE'VE BEEN BREACHED!! (perhaps add two or three more exclamation marks). Then what. 10 thousand questions, phone calls, and emails, distracting them from the task at hand?
You know that even you would be demanding more answers if they posted exactly what you a
Should have run on OpenBSD (Score:2)
"Only two remote holes in the default install, in a heck of a long time!"
Re:Should have run on OpenBSD (Score:4, Insightful)
"Only two remote holes in the default install, in a heck of a long time!"
A security breach using legitimate authentication credentials is not a remote hole.
OpenBSD would have been worse (Score:2)
Indeed.
And this is why there's an essay on how OpenBSD is insecure [wordpress.com]. Because security breaches do happen. You need to lock your systems down against internal attackers as well. Defense in depth and all that. Not just hermetically sealing your system by abstaining from running any services at all.
Still suspect this could have something to do with (Score:1)
Still suspect this could have something to do with the SSL backdoor allegations made a while back. http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg47029.html [mail-archive.com]
Yes I know the allegations have largely just petered out over time, but this doesn't allay my suspicion.
Re: (Score:2)
Linux, Windows, OS X, and Solaris all use the BSD SSL code, or very close derivations of it. If the BSD coders are lazy, then the coders responsible for the above-mentioned OSs are even worse, right?