Hackers break into FreeBSD with stolen SSH key

Hackers broke into two FreeBSD project servers using an SSH authentication key* and login credentials that appear to have been stolen from a developer, it has emerged. Developers behind the venerable open-source operating system have launched an investigation and have taken a few of the servers offline during their probe, but …

COMMENTS

This topic is closed for new posts.
  1. NomNomNom

    that'll teach them for running windows

    1. Anonymous Coward

      Your originality astounds me.

  2. PyLETS

    How strong is their package PKI ?

    It's difficult to install a Debian package without a developer signature or without knowing about the package lacking one. So there would be little to be gained by an attacker compromising a distribution server if the trojanised packages won't install and if they throw up warnings to users who have installed the default distribution keys. A successful attack on the PKI without anyone noticing (if that were possible) could be more serious. I'd hope the BSD developer community have taken similar precautions. Always a good idea to check the SHA1 hash signature on the .iso installation disk if doing a new install, which should give some degree of confidence in the default keys which come with the distro.

    1. Antoinette Lacroix

      Re: How strong is their package PKI ?

      Nothing to do with packages. The servers in question host source code which is needed to build ports. Checksums for every file are stored on client machines, which will refuse the build if checksums don't match. As stated in the article, servers were taken off-line as a precaution. It's a non-issue and only made its way into the media since it has the words 'vulnerable' and 'FreeBSD' in one sentence, which you don't see very often.

      1. My Alter Ego

        Re: How strong is their package PKI ?

        What I took from the advisory was

        "We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted"

        which I read as the current portsnap is valid, however [there's a minuscule possibility that] anything retrieved using portsnap fetch in the given timeframe may not have been trustworthy.

        Of course, maybe I'm just being completely paranoid, but as you say, I'm not very used to seeing FreeBSD and vulnerability in the same sentence.

        1. Anonymous Coward

          BSD Vulnerability

          Did you miss the exploit released a few months back, BSD telnetd Remote Root Exploit?

          1. Antoinette Lacroix

            Re: BSD Vulnerability

            A few months ? More like 4 years. A patch was made available 3 weeks later.

            This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install with telnetd enabled. Telnetd has been disabled by default since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is recommended that the SSH protocol be used instead. "Average users" of FreeBSD (if there are any) won't get their hands on RELEASE builds anyway. About 1% download STABLE, the other 99% check out the source tree and rebuild WORLD and KERNEL according to their needs. I hate to rub this in but FreeBSD users - contrary to the Linux crowd - usually know bloody damn well what they are doing.

    2. My Alter Ego

      Re: How strong is their package PKI ?

      The problem is that I install from the ports tree (compile each package, not install a binary package), so there was a possibility that the attacker could have modified ports (by adding custom patches). The ports tree has a Makefile that will download the source (usually from the project, not FreeBSD) and then applies a set of patches. It does check the downloaded source file against a SHA256 hash; however, we expect the patches to be trusted if they come from portsnap.freebsd.org

      Seeing as the attacker had developer access, even if each port was signed, there still could have been an issue. It's not like the attacker just had access to an FTP server or mirror - [as far as I can tell] it would be like having access to Debian's build environment - changes could be made to the source, tarball checksums could be recomputed, and malicious binaries could be built.

      Any ports I installed/updated during the timeframe may have contained malicious patches, so I've spent an enjoyable morning determining what changes I've made in the last while, and reinstalling everything that could be possibly compromised.
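A way to check what that split actually covers in a local port directory, as an added example that is not part of the thread or of the FreeBSD ports framework: it parses the ports distinfo format (`SHA256 (file) = hex` and `SIZE (file) = n` lines), verifies a distfile the way the ports checksum step does, and keeps a separate baseline of the files/ patch hashes that distinfo does not cover, so a later update that adds or alters a patch is reported. The distfile, distinfo text and patch contents are all constructed sample data.

```python
import hashlib
import re

# Constructed sample data (not from any real port): one distfile and its distinfo record.
DISTFILE_NAME = "example-1.0.tar.gz"
DISTFILE_DATA = b"constructed tarball bytes for illustration\n"
DISTINFO = (
    f"SHA256 ({DISTFILE_NAME}) = {hashlib.sha256(DISTFILE_DATA).hexdigest()}\n"
    f"SIZE ({DISTFILE_NAME}) = {len(DISTFILE_DATA)}\n"
)
# Constructed contents of the port's files/ directory before and after a ports tree update.
PATCHES_BEFORE = {
    "patch-Makefile": b"--- Makefile.orig\n+++ Makefile\n@@ -1 +1 @@\n-CFLAGS=\n+CFLAGS=-O2\n",
}
PATCHES_AFTER = dict(PATCHES_BEFORE)
PATCHES_AFTER["patch-src_main.c"] = b"--- src/main.c.orig\n+++ src/main.c\n@@ -1 +1 @@\n+/* constructed unexpected hunk */\n"

DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \((.+?)\) = (\S+)$")

def parse_distinfo(text):
    """Parse distinfo lines into {filename: {'SHA256': hex, 'SIZE': int}}."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            kind, name, value = m.groups()
            entries.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value
    return entries

def verify_distfile(name, data, entries):
    """The check the ports checksum step does: size and SHA256 must both match distinfo."""
    rec = entries.get(name)
    if rec is None:  # distfile not pinned at all
        return False
    return rec.get("SIZE") == len(data) and rec.get("SHA256") == hashlib.sha256(data).hexdigest()

def patch_manifest(patches):
    """Record SHA256 of every patch file: a local baseline, since distinfo never covers files/."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in patches.items()}

def audit_patches(baseline, current):
    """Compare the current files/ directory against the recorded baseline."""
    now = patch_manifest(current)
    return {
        "added": sorted(n for n in now if n not in baseline),
        "removed": sorted(n for n in baseline if n not in now),
        "modified": sorted(n for n in now if n in baseline and now[n] != baseline[n]),
    }
```

Taking the baseline right after a known-good checkout and re-running audit_patches after each update turns "I hope the patches are fine" into a concrete diff of what changed under files/.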

      1. Anonymous Coward

        Re: How strong is their package PKI ?

        This is one of the downsides of PKI for packages; while it does protect against the (admittedly probably more likely) attacks against files on FTP mirrors, it does give a sense of security that the packages are OK when in fact they may not be.

  3. ForthIsNotDead

    Headline is incorrect

    THEIVES break into Free BSD with STOLEN SSH Key.

    There. Fixed it for you.

    Not really a Linux hacking issue IMHO. Just like if you write your PIN number on the back of your credit card - it's not a bank security issue if your account gets plundered!

    No systems failed here, except the human developer that allowed his key to be stolen.

    1. Ben Tasker

      Re: Headline is incorrect

      Not really a Linux hacking issue IMHO.

      Especially given that the story is about FreeBSD not Linux

      But otherwise, you're quite right, it's not really hacking if you have the credentials required to get in

    2. Anonymous Coward

      Re: Headline is incorrect

      THIEVES.

      There, fixed that for you.

  4. Ru

    "Trojanised packages"

    Verbisation should be treated with all the contempt usually reserved for "mobe".

    1. Mako

      Re: "Trojanised packages"

      I have supportified your contemptualisation by mousing over to "Upvote" and buttoning it.

  5. ForthIsNotDead

    @Ben Tasker

    Woops. My bad. Apologies.

    Not really a Non-Windows person, as you probably guessed!

    1. Vic

      Re: @Ben Tasker

      > Not really a Non-Windows person

      Shame, given your username here.

      There's a rather nice Forth compiler available for the Linux platform.

      Disclosure: I wrote some of it :-)

      Vic.
