Admins with the Gentoo Project say they have disconnected major parts of its website a week after discovering it could be vulnerable to a command injection attack that allows bad guys to remotely execute code on the machine. At time of writing, users trying to access Gentoo Archives and at least seven other areas of Gentoo.org …
"...what information attackers may have stolen"
Who cares what information was stolen? It's an open project, anyway. The big question is whether anything was altered. Ten thousand rootkitted downloads of SSH, anyone?
A sad week for Linux
Quite a blow to the image of Linux being a secure operating system.
Microsoft must be having a big party this weekend...
RE: A sad week for Linux
Maybe, but at least they're visibly doing something about it.
Which has got to count for something.
I suppose that taking the servers offline mitigates the potential damage due to people downloading, possibly altered for malicious purposes, pieces of software.
I, for one, wouldn't like to be downloading an update to ssh that included a backdoor. Especially not if this backdoor gained any potential attacker a root shell. With the download servers offline, they can work on fixing whatever damage may have been caused without further risking end users.
Whereas MS kit (mostly Windows) needs a patch every few days (July 2007, I think it was 1 every 2 days). This is just 1 Linux distro, and it's happened, erm... once. Windows is so full of holes, it's a wonder they just don't name it Sieve. FFS.
RE: A Sad week for Linux
This isn't anything to do with Linux's security. The main python CGI script is coded badly. It's the usual mistake of implicitly trusting the outside world rather than mistrusting it.
This could have happened on any OS, with any Architecture, as long as it had the python libraries installed (hooray for Platform agnostic languages). At least they had the foresight to react instantly to the bug report and didn't try and cover it up or ignore it.
"Microsoft must be having a big party this weekend..."
While the latest zero-day exploits for all versions of Windows and MS Office allow malware distributors free access to hundreds of thousands of consumer and business PCs, until the September "Patch Tuesday."
I think I'll stick with an OS that lets *me* find the security holes by looking at the source code, and tell anyone I like (including the original authors), thanks anyhow.
RE: A sad week for Linux
That image of linux being a secure operating system was blown when people actually started using it. Do you ever check vulnerability sites? Holes are popping up just as fast, or even faster, for Unix/Linux and open source software.
Just because you're a linux and open source zealot doesn't automatically make you a talented programmer who is security conscious and doesn't make mistakes. Especially true with the open source projects that are run by hobbyists or amateurs trying to learn as they go, with little QA. Something isn't secure simply because it runs on Linux....
Most so-called "secure" operating systems or programs suddenly start to become very unsecure when they are popular. Why? Because they become worthwhile targets for reverse engineers, security researchers, and black hats. Now this doesn't necessarily mean some software isn't designed better than others when it comes to security, but lack of exposure does not mean something is secure.
There was a time when everyone thought Firefox was just bullet proof, and IE was just one big security hole. Now that Firefox is popular, security holes are popping up left and right - google it.
I think this would even hold true for things like OpenBSD, renowned for their security. If OpenBSD one day became the dominant OS, it would ultimately start to be broken down. Probably not to the extent that Windows or Linux is, but still.
Not sure about Gentoo ...
but the packages in Ubuntu are all key signed so that if it had been altered the user gets a warning saying as much.
It is an image problem
The problem in this case is not with the OS, but with the design of the project's site.
There obviously are issues to consider about whether the packages have been compromised by people who have accessed the servers without authorization. There might even be some thoughts about the same people working on the Gentoo versions of OS packages who would make this kind of error on the site.
The fact remains, though, that this didn't happen because of Linux, as the same security problem happens on any OS with any web server any time a web designer or programmer passes unvetted arguments from a web user to a system command.
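The mistake this comment describes, shown as an added Python example that is not code from Gentoo's site or from the original page: the same request parameter pasted into a shell command string versus checked against an allow-list and passed as an argv list with no shell. The package names, the archive path and the allow-list pattern are constructed assumptions.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample request values (not from the original page): an ordinary
# package name and a value carrying a shell command separator.
GOOD_INPUT = "openssh-4.6_p1"
BAD_INPUT = "openssh; id"

# Assumed allow-list for what a package name may look like.
PACKAGE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")


def build_shell_command_unsafe(package: str) -> str:
    """The vulnerable pattern: the unvetted web parameter is glued into a
    string destined for a shell. Returned for inspection, never executed."""
    return "grep -r " + package + " /var/archive/index"


def shell_command_count(command: str) -> int:
    """How many separate commands a POSIX shell would run for this string.
    shlex's punctuation_chars mode tokenises ';', '|', '&&' and '||' outside
    quotes, so the count shows whether user data changed the command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&&", "&"}
    return 1 + sum(1 for token in lexer if token in separators)


def validate_package_name(package: str) -> str:
    """Allow-list check: anything outside the expected shape is rejected."""
    if not PACKAGE_RE.fullmatch(package):
        raise ValueError("rejected package name: %r" % package)
    return package


def build_argv_safe(package: str) -> list:
    """Hardened form: validate, then build an argv list. The '--' ends option
    parsing so a value starting with '-' cannot be read as a grep flag."""
    name = validate_package_name(package)
    return ["grep", "-r", "--", name, "/var/archive/index"]


def run_without_shell(value: str) -> str:
    """Defence in depth: with shell=False (the default) an argv element reaches
    the child as exactly one argument, metacharacters included. The Python
    interpreter stands in for the real program so this runs anywhere."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


if __name__ == "__main__":
    for value in (GOOD_INPUT, BAD_INPUT):
        cmd = build_shell_command_unsafe(value)
        print("%r -> shell would run %d command(s)" % (cmd, shell_command_count(cmd)))
    print(build_argv_safe(GOOD_INPUT))
    print(run_without_shell(BAD_INPUT))
```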
The machine compromised is web viewed data only
To the best of my knowledge there is no download data involved on the machine.
The purpose of the machine is the archive of the mailing lists, an overview of all packages and stuff like that, which is only viewed as web pages, so the worst thing to happen would be compromised web pages with malware.
Security of a distribution is done through using multiple computers, so high-risk applications don't affect critical aspects like the downloads that all Gentoo users use to install/update the system.
Re: A sad week for Linux
"That image of linux being a secure operating system was blown when people actually started using it. Do you ever check vulnerability sites? Holes are popping up just as fast, or even faster, for Unix/Linux and open source software."
I'm getting tired of this. Anonymous Coward, I cordially ask you to assess how many of these holes affect enough users to make them a global problem to all Linux users as often as equivalent Windows users with equivalent severity. Show me the most recent root compromise, please. There's always a patch for me on Windows every patch Tuesday, but that's not so on my Linux server. Not only do I pick the best, most secure servers for the job, all running on Linux, I take every step possible to keep any kind of exploitation from being a threat if I can possibly help it. IMHO, most holes now in Linux occur in userland GUI applications and toolkits, and on the server in security-hole-favouring languages like, er, PHP. And since I use neither, most holes in system applications and libraries are a trivial fix that occurs one time in three announcements. (Gentoo: http://security.gentoo.org/ ) My machine was last patched a couple of months back, for instance, and I'm fully up-to-date on security.
"Just because you're a linux and open source zealot doesn't automatically make you a talented programmer who is security conscious and doesn't make mistakes."
Oh, but it does! We're *even* better looking than you are! :-)
Seriously though, more FUD from the front lines. Of course no-one is secure unless they audit all their code all the time (more or less OpenBSD, which doesn't get use in banks for nothing, you know). But yes, Open Source *is* the major thing that sets these free operating systems apart from the others. Maybe we aren't all superb programmers (that was an honest, if slightly shameful, mistake at Gentoo, and something I felt sure wouldn't have got past them for long, but at least they had the common bloody sense to keep it from being a major threat to central Gentoo infrastructure), but we all have the right and the wherewithal to become better programmers on these OSs if we want to. That's the Darwinian nature of Open Source at its finest. There are, unlike on closed operating systems, examples of excellent, fast, stable and - most importantly - secure-by-design applications and kernel code. We've already mentioned OpenBSD; so look at the Dovecot IMAP server or VSFTPD FTP server. Then you can start reporting holes to their authors. We would welcome your input - I would, anyway, since I'm using both Dovecot and VSFTPD. (The technique for both Dovecot and VSFTPD, by the way, is to write API functions that surround common but more dangerous low-level calls commonly exploited by some accident of the programmer to use them improperly. For instance, I could write a function that allocated a buffer of a given size for a given purpose by a given name, and then have other routines copy data into or out of that buffer with the constraints I set for it, rather than, say, using a low-level memory copy that might overwrite the program counter [buffer overflow] accidentally because I was careless not to make sure the buffer really did have enough space or - more recently - that I miscalculated the amount of space available and my assumption turned out to have a security impact. 
The tragedy of it all is that no such examples appear on Windows servers which are forever more patching up these stupid holes.) That's just the beginning, of course - Unix has employed privilege separation to great effect since day one, while Windows never did until very recently (and then, not enough to make an impact). No matter what kind of project is open sourced, there are now more eyes looking at it than if they were closed, and I doubt very much QA played any part in security if Windows is an example to go by. However you look at it, vulnerabilities are less problematic, more quickly dealt with and usually much more genuine, with the added fact that they are *found* by good guys and *reported* by good guys rather than found and patched only once they've hit at least some users due to careful targeting by VXers, in Open Source Software. Doesn't mean popularity won't change that, of course; certainly doesn't mean OSS is immune from unknown attacks (it isn't). But in every important respect, OSS is geared up for a good fight that no closed source software ever could be.
PS: I know, I know, this is really just restating the bloody obvious, but it must be done. Sorry!
The Ubuntu servers were not production servers. They were machines set up to host blogs and community related projects that were entirely administered by volunteers.
The admin of a bunch of those servers was so poor at his job that he was using FTP to transfer files. It's no wonder they were hacked. None of the official Ubuntu servers were touched and nor were any packages. You could hack a rock if it ran an FTP daemon.
It sounds like Gentoo is being precautious. Good on them. Aside from that, nothing to see here. Please move along and take your rubbish with you.
Not the main programmers
I doubt that the main contributors to the project would have been involved in writing the site. Rather, a few people who wanted to help in other ways almost certainly did most of the coding, since Python is a language most programmers don't want to touch with a 20' barge pole.
Re:RE: A sad week for Linux
"Most so-called "secure" operating systems or programs suddenly start to become very unsecure when they are popular. Why? Because they become worthwhile targets for reverse engineers, security researchers, and black hats"
Which is exactly why we have so many botnets of Linux w/Apache servers... uh.. erm...
RE: RE: A sad week for Linux
"I think this would even hold true for things like OpenBSD, renowned for their security. If OpenBSD one day became the dominant OS, it would ultimately start to be broken down. Probably not to the extent that Windows or Linux is, but still."
The MS "we're hacked because we're popular" lie rears its head again.
There's been some complete and total drivel posted in these comments, demonstrating a clear misunderstanding of any of the issues involved.
I really *really* hope that you lot aren't IT decision-makers.
Agreed with Mo
The Gentoo-fanbois charge El Reg once again... they're nearly as bad as the Apple-cult.
Re: A sad week for Linux
This is the result of poor scripting on the website, its the webmaster's fault.
There's no (new) security issues in Gentoo, so I don't think we'll be seeing a mass migration just yet...
Well, from my experience (even if it is not true in every company I went past), if these people are at all working in an IT-related business, they are probably quite high up the ladder.
When you are both pretentious and incompetent, you can only have pointy hairs ;)
(reference to Dilbert -- obviously, I hope)
To john frey:
And botnets of OpenBSD boxen allying with the infamous Solaris botnets and the terrible zSeries mainframe botnets, all the time. It is a well known fact, and it is true, I've read it on some webpage over the internet :)
(though, it would be a nightmare with the bandwidth they are typically associated with)
Not to talk about high-end routers injecting maliciously crafted traffic (always blame the routers; nobody knows what happens in those and they look complicated with all the colorful cables going out of them).
Not to worry
Yes, these guys are not experts, not making decisions, and don't know what they are talking about. The fact remains, though, that it's easy to get compromised, and it's not enough to say "well, it's just a stupid little blog server" or something; any weak link in the chain will do as an opening, which is why if you are running a server you'd better have your shit straight.
Most people, BTW, who actually make decisions don't look much at the type of OS, only at how it's configured, and everything else is just bullshit. You eat your dogfood, you keep your system updated and your passwords fresh and hard, and you watch for your intrusion detection to tip you off. It helps to run Nessus once in a while and have Snort upgraded.
Tripwire is good too. None of this is optional stuff: you get a serious try every couple of days, and all the time you're being scanned. Please tell me, what does any of this have to do with the server operating platform?
Oh yes, and inevitably someone will get in. Shit happens; welcome to the real world, trolls/fanbois.
Just out of curiosity, which banks are using OpenBSD? I was under the impression that most banks (at least in the states) are running primarily Solaris.
OS is pointless
The whole OS argument is non-existent. If admins and developers all did a proper job then these sorts of issues wouldn't even be in the headlines.
Viruses are of no consequence. Fact is that more OSS holes are being found now that people are using it more and more. Firefox and Linux have been highlighted recently. Doesn't make them less secure than anything else.
As usual with most exploits, proper administration makes most issues negligible. (Firewalls, encryption, anti-virus, IDS, not browsing dodgy sites etc.) In this case it's the application rather than the OS that has the issue - one of the more tricky elements to secure. (Although an IDS and regular patching would probably have helped.)
I dislike OSS due to the cult status and the ease of use. The reverse is true for Windows - easy to use and it's everywhere. Security isn't an issue on either side, Windows can be secured as can Linux - just takes some knowledge and common sense. To be honest if the OS is right for the job I'll use it - security is administration rather than the technology being used.
Obviously there is an application that's responsible, but which one? The source may be open, but no one has to tell you their server configuration (which is why I laugh at Netcraft's poll). They need to finish going over their damn logs, find out which one, and publish; the internet is a piss-poor place to get time-sensitive information sometimes. Lazy admins: a taser might change their working habits. You can count on this being one of those times when pride keeps them from looking at this as a problem-solving issue and not an ass-covering one. It really isn't rocket science to unravel this sort of thing in an open source environment; it's not like Windows where they can hide things from you.
OSS is not synonymous with best practice
End of the day, a free buggy piece of crap is still a buggy piece of crap.
With the amount of badly written PHP sites out there [I choose PHP only because it's been pissing me off all week at work], you would have thought they would build some response screening mechanism into its runtime, which is on by default [like ASP.NET], not something you have to manually configure or install a module onto the web server for.
The main disadvantage I find with Linux is how easy it is to misconfigure it. Personally I had hours of 'fun' trying to get a Samba share accessible by the workgroup, all because I'd forgotten to elevate the group into a global. Or Facebook: the source code 'leaks' of last week were caused by someone forgetting to enable the PHP parser on the server, net result one box spewed out the plain text code that made up the page.
So if the OSS world wants to have a wider adoption of the tech, I suggest they stop titting about with 'innovative' GUIs and do some real work on creating a uniform config system, hell, maybe even a wizard to make it newb friendly, because right now Linux is only secure if you know what you are doing, and to my mind considerably worse than Windows if you don't.
FUD and more FUD
I don't know that the Register's story is to blame, exactly, but Daniel was correct in the above comments. This was an exploit of a CGI script on a server. It could have happened to anybody, running any system on that server -- even Apple or Microsoft.
A sad day for Gentoo as an organization, but to cast this as having anything to do with Linux or Open Source Software is misleading. Also to state that this is similar to the Ubuntu problem technically is also misleading, in my opinion.
SOURCE CODE STOLEN!
OH NOES, they got PWND, hackers might have gotten away WITH THE SOURCE CODE FOR GENTOO !!!!!!
User Friendliness strikes again...
If any idiot can administer something then some idiot probably will...
Banks use whatever OS they feel happy with i.e. all of them (although note the lack of OpenBSD in this list).
From netcraft, a few banks I could think of before I got bored :
HSBC : Linux, unknown
Barclays : Solaris, AIX
Lloyds TSB : Win 2003, NT 4
Abbey : Win 2000, Win 2003, unknown
RBS : Win 2000, NT 4, unknown
BoS : AIX, unknown
Halifax : Win 2000
Natwest : Win 2000
MBNA : Linux, Solaris
There's no such thing as a truly secure OS. If you think there is, then you're asking to be pwned in short order.
Always assume you're vulnerable, and do what you can to reduce the possible attack surface. Linux just happens to be *more* secure than Windows, as a rule, because the default settings are usually more restrictive, and the vulnerabilities which do crop up get patched faster.
Also, any operating system is only as secure as the weakest application running on it. That includes web applications, as in this case, which anyone reading this site should know are generally about as secure as an unlocked car in the bad end of town.
Hm... maybe I should show these comments to my Python-toting friend and show him exactly why I *won't* use the damn thing.
This isn't really about the OS getting 0wn3d, it is more about lazy programming. I thought SQL/command injection had been taken care of by at least the webmasters of important sites, now I see that this isn't the case.