that'll teach them for running windows
Hackers break into FreeBSD with stolen SSH key
Hackers broke into two FreeBSD project servers using an SSH authentication key* and login credentials that appear to have been stolen from a developer, it has emerged. Developers behind the venerable open-source operating system have launched an investigation and have taken a few of the servers offline during their probe, but …
Tuesday 20th November 2012 11:20 GMT PyLETS
How strong is their package PKI ?
It's difficult to install a Debian package without a developer signature or without knowing about the package lacking one. So there would be little to be gained by an attacker compromising a distribution server if the trojanised packages won't install and if they throw up warnings to users who have installed the default distribution keys. A successful attack on the PKI without anyone noticing (if that were possible) could be more serious. I'd hope the BSD developer community have taken similar precautions. Always a good idea to check the SHA1 hash signature on the .iso installation disk if doing a new install, which should give some degree of confidence in the default keys which come with the distro.
Tuesday 20th November 2012 14:57 GMT Antoinette Lacroix
Re: How strong is their package PKI ?
Nothing to do with packages. The servers in question host source code which is needed to build ports. Checksums for every file are stored on client machines, which will refuse the build if checksums don't match. As stated in the article, servers were taken off-line as a precaution. It's a non-issue and only made its way into the media since it has the words 'vulnerable' and 'FreeBSD' in one sentence, which you don't see very often.
Tuesday 20th November 2012 15:11 GMT My Alter Ego
Re: How strong is their package PKI ?
What I took from the advisory was
"We have also verified that the most recently-available portsnap(8) snapshot matches the ports Subversion repository, and so can be fully trusted"
which I read as the current portsnap is valid, however [there's a minuscule possibility that] anything retrieved using portsnap fetch in the given timeframe may not have been trustworthy.
Of course, maybe I'm just being completely paranoid, but as you say, I'm not very used to seeing FreeBSD and vulnerability in the same sentence.
Tuesday 20th November 2012 17:14 GMT Antoinette Lacroix
Re: BSD Vulnerability
A few months ? More like 4 years. A patch was made available 3 weeks later.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install with telnetd enabled. Telnetd has been disabled by default since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is recommended that the SSH protocol be used instead. "Average users" of FreeBSD (if there are any) won't get their hands on RELEASE builds anyway. About 1% download STABLE, the other 99% check out the source tree and rebuild WORLD and KERNEL according to their needs. I hate to rub this in, but FreeBSD users - contrary to the Linux crowd - usually know bloody damn well what they are doing.
Tuesday 20th November 2012 15:03 GMT My Alter Ego
Re: How strong is their package PKI ?
The problem is that I install from the ports tree (compile each package, not install a binary package), so there was a possibility that the attacker could have modified ports (by adding custom patches). The ports tree has a Makefile that will download the source (usually from the project, not FreeBSD) and then applies a set of patches. It does check the downloaded source file against a SHA256 hash; however, we expect the patches to be trusted if they come from portsnap.freebsd.org.
Seeing as the attacker had developer access, even if each port was signed, there still could have been an issue. It's not like the attacker just had access to an FTP server or mirror - [as far as I can tell] it would be like having access to Debian's build environment - changes could be made to the source, tarball checksums could be recomputed, and malicious binaries could be built.
Any ports I installed/updated during the timeframe may have contained malicious patches, so I've spent an enjoyable morning determining what changes I've made in the last while, and reinstalling everything that could be possibly compromised.
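The distfile check My Alter Ego describes above, as an added example (this is not the ports framework's own code, which lives in the ports Makefiles and is driven by `make checksum`): a portable sh re-implementation of the distinfo comparison, run against a constructed distinfo and a stand-in tarball, with made-up file names. It also shows the gap the post points at: the check covers the downloaded distfile only, not the patches under files/ in the port itself, so a modified patch passes the check unchanged while a tampered distfile is rejected. The same compare-against-a-published-digest step is what PyLETS recommends for the install .iso.

```shell
#!/bin/sh
# Added example: ports-style distinfo verification in portable sh.
# distinfo lines have this shape (constructed here, same layout as the ports tree):
#   SHA256 (hello-1.0.tar.gz) = <hex digest>
#   SIZE (hello-1.0.tar.gz) = <byte count>

sha256_of() {
    # FreeBSD ships sha256(1), Linux ships sha256sum(1); fall back to openssl.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

size_of() { wc -c < "$1" | tr -d ' '; }

# check_distinfo DISTINFO DISTDIR -> 0 if every listed distfile is present with the
# recorded size and digest, 1 otherwise. Only DISTDIR is examined, which is the
# point: the port's own Makefile and files/patch-* are not covered by distinfo.
check_distinfo() {
    distinfo=$1; distdir=$2; failed=0
    # Distfile names come from the SHA256 lines. '|' is the sed delimiter because
    # names may contain '/' (DIST_SUBDIR); names with spaces are not expected.
    for name in $(sed -n 's|^SHA256 (\(.*\)) = .*$|\1|p' "$distinfo"); do
        file="$distdir/$name"
        want_sum=$(sed -n "s|^SHA256 ($name) = ||p" "$distinfo")
        want_size=$(sed -n "s|^SIZE ($name) = ||p" "$distinfo")
        if [ ! -f "$file" ]; then
            echo "MISSING $name" >&2; failed=1; continue
        fi
        if [ -n "$want_size" ] && [ "$(size_of "$file")" != "$want_size" ]; then
            echo "SIZE    $name: have $(size_of "$file"), want $want_size" >&2; failed=1; continue
        fi
        if [ "$(sha256_of "$file")" != "$want_sum" ]; then
            echo "SHA256  $name: digest mismatch" >&2; failed=1
        else
            echo "OK      $name"
        fi
    done
    return $failed
}

# Constructed demo: a fake port with one "distfile" and one patch under files/.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/port/files" "$tmp/distfiles"
    printf 'hello\n' > "$tmp/distfiles/hello-1.0.tar.gz"   # stands in for the upstream tarball
    cat > "$tmp/port/distinfo" <<'EOF'
SHA256 (hello-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (hello-1.0.tar.gz) = 6
EOF
    printf '%s\n' '--- hello.c.orig' '+++ hello.c' > "$tmp/port/files/patch-hello.c"

    check_distinfo "$tmp/port/distinfo" "$tmp/distfiles"
    # A trojaned patch inside the ports tree is invisible to the distfile check.
    printf '+system("...");\n' >> "$tmp/port/files/patch-hello.c"
    check_distinfo "$tmp/port/distinfo" "$tmp/distfiles" && echo "patch modified, check still passes"
    # A tampered distfile, by contrast, is caught (size first, then digest).
    printf 'x' >> "$tmp/distfiles/hello-1.0.tar.gz"
    check_distinfo "$tmp/port/distinfo" "$tmp/distfiles" || echo "tampered distfile rejected"
    rm -rf "$tmp"
}

demo
```

The size comparison runs before the digest so a truncated or padded download is rejected cheaply; the digest still decides for same-size changes. Anything that protects the patches themselves has to come from the channel that delivers the ports tree (portsnap's signed snapshots, or a Subversion checkout you trust), not from distinfo.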
Tuesday 20th November 2012 11:20 GMT ForthIsNotDead
Headline is incorrect
THIEVES break into FreeBSD with STOLEN SSH Key.
There. Fixed it for you.
Not really a Linux hacking issue IMHO. Just like if you write your PIN number on the back of your credit card - it's not a bank security issue if your account gets plundered!
No systems failed here, except the human developer that allowed his key to be stolen.