Red Hat hack prompts critical OpenSSH update

Red Hat has warned that hackers were able to commandeer its systems and tamper with code - but said that since its content distribution was not hit, it is confident that polluted code has not served up to users. The first hint that something was wrong came last week when Fedora rebuilt its systems, a reconstruction that was …

COMMENTS

This topic is closed for new posts.
  1. Herby

    At least they are taking security seriously!

    Unlike others who make code available for PCs in the operating system arena.

    Maybe there is a lesson to be learned here.

  2. Anonymous Coward

    And so it begins ...

    There are other ways to compromise Linux distros, but this is the obvious one.

    But hey, on the bright side, market share is large enough to warrant such intrusions.

  3. Charles

    Prudence...

    If you notice someone got into your house, I would think changing the locks would be among the first of your moves, too. For once, an article of security done (AFAIK) properly.

  4. Colin Guthrie

    Seems to have been handled....

    ... like grown ups.

    So a bad thing happened. We can shout and scream about how it shouldn't have happened in the first place but it did and the important thing is the promptness of the reaction and the apparent transparency of the explanations.

    I'm not a big fan of RedHat or Fedora personally (nothing really against them either!) but from what I've read, I think this has been handled fairly well.

  5. Bruce

    How many distros' home servers have been hacked now?

    RedHat

    Debian

    GNU

    ???

    They should have used Windows Server 2003.

  6. Anonymous Coward

    @Bruce

    You have to remember Bruce, that it's still news when something like this happens to a linux distro ;o)

  7. The Mighty Spang

    @ac

    yeah and it would be news if they broke into the windows update servers and made them serve up malicious code.

    considering its the servers they run themselves and serve binaries on this goes beyond pretty effing serious.

  8. Chris

    re: How many distros...

    You seem to forget that MS had its servers hacked too, and more than once. For at least one of the hacks MS wasn't sure how long it had gone on for.

    http://www.theregister.co.uk/2000/11/06/microsoft_hacked_again/

    And how many times do you think it's happened and they told nobody? In OSS everyone finds out so you can't hide behind your false smiles.

  9. Herbert Meyer

    thank you, reg

    This is the article I have been waiting for for a week (two fors in a row ?). Thank you.

  10. kondor vlastos

    Linux good!

    Linux is the most secure system. The NSA designed SELinux so I know it is the most secure. Linux cannot be hacked. Windows is bad! The NSA helped Windows be secure since Win 95 and they helped Lotus be secure too but Windows is bad. Linux cannot ever be hacked 'cause it rocks!

    I want your bank to use RedHat so I can make a loan!

  11. Steven Swenson

    @Bruce && @The Mighty Spang

    "They should have used Windows Server 2003."

    Let's not get riled up now. Surely Bruce jests.

    And no, it wouldn't be news if someone breaks into a Windows server. Everyone has come to expect Windows to be compromised.

  12. vincent himpe

    pie .. face

    all wiped off now.

  13. Bruce

    Two years of easy to guess SSH/SSL keys

    should make people think twice about defending Linux.

    http://it.slashdot.org/article.pl?sid=08/05/13/1533212&from=rss

  14. John H Woods

    @Herbert Meyer --- two fors in a row?

    This is the article for which I have been waiting for a week

  15. halfcut

    A title is required.

    Still two fors. The second one is redundant. Try "I've been waiting for this article for a week".

    Mmmm. Pedantry. I feel better now.

  16. Alan Donaly

    Wintards aplenty

    Now let's just suppose this is a test for you. Do you understand what actually happened there at Fedora? No, no you don't. I don't, and I use Linux and know quite a bit about it. Your posts show you to be ignorant yahoos. If you can explain how the token + signing process works I will eat my hat; otherwise you're just nitwits and can't be taken seriously. Look, go back to sniffing glue or whatever you do in your real life and leave the comments to humans.

  17. Ian Coutts

    Re: two fors

    I have been waiting a week for this article.

  18. Dino

    Re: two fors

    This article, been waiting for a week, have I.

    Yoda

  19. Destroy All Monsters

    Known problem, very difficult to manage w/o strict control

    Poisoning the software supply chain

    Levy, E.

    This paper appears in: Security & Privacy, IEEE

    Publication Date: May-June 2003

    Volume: 1, Issue: 3

    On page(s): 70- 73

    Abstract

    To the indiscriminate and opportunistic attacker, breaking into a software package's development and distribution site and waiting until unsuspecting users install it is more efficient than locating and hacking into users' systems individually. Starting in 2002 and continuing into 2003, we've seen new emphasis on this type of attack. All the recent activity has showcased the trend that attacks against open-source software distribution sites are increasing. The author looks at how software distribution - both open source and proprietary - can invite attacks.

    [...] Some open-source vendors have adopted technology comparable to that of proprietary vendors. For example, the RPM Package Manager (www.rpm.org), which RedHat introduced, lets the package creator cryptographically sign the package; Debian's package format has analogous functionality. Unfortunately, the signatures in these packages merely tell who packaged the software and whether it has been tampered with since then. Because of the nature of open-source software and Linux distributions, in which most of the software is authored by someone other than the packaging vendor, these signatures tell you little about the packaged software's integrity.

    In fact, many open-source projects fail to provide the minimal information required to verify the software's integrity. Several projects don't even provide cryptographic hashes of their software packages. When they do, the hashes usually are stored along with the software packages in the same distribution site, where an attacker easily can replace them while also replacing the software with a tampered version. [...]
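The two points Levy makes in the excerpt above are easy to show concretely. The following is an added example, not code from the thread, from Red Hat, or from Levy's paper: it models a distribution site as an in-memory dict of constructed byte strings, and (a) shows that a .sha256 file stored beside the tarball is regenerated by anyone who can rewrite the tarball, so only a digest pinned through an independent channel catches the swap, and (b) shows that a packager's signature over a tarball fetched from an already-compromised upstream site verifies perfectly while vouching for nothing about the contents. The packager's signature is simulated with an HMAC under a constructed key; that is a stand-in for a PGP/RPM signature, chosen so the example runs with the standard library only, and the trust argument is the same.

```python
import hashlib
import hmac

# Constructed sample artifacts (not real packages, not real release contents).
PKG = "example-1.0.tar.gz"
GENUINE = b"example-1.0.tar.gz: genuine upstream release contents\n"
TROJANED = b"example-1.0.tar.gz: same file name, attacker-modified contents\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def release(site: dict, name: str, payload: bytes) -> str:
    """Upstream publishes the tarball and a .sha256 beside it on the same host.
    The digest is returned so a consumer can also record it through an
    independent channel (signed announcement, build manifest, lockfile)."""
    site[name] = payload
    site[name + ".sha256"] = sha256_hex(payload)
    return site[name + ".sha256"]


def compromise(site: dict, name: str, payload: bytes) -> None:
    """Attacker with write access to the distribution site. Nothing stops them
    from regenerating the co-located hash file, so it stays consistent with
    the trojaned tarball and the usual 'check the .sha256' advice passes."""
    site[name] = payload
    site[name + ".sha256"] = sha256_hex(payload)


def check_colocated(site: dict, name: str) -> bool:
    """Compare the download with the .sha256 fetched from the same site."""
    return hmac.compare_digest(sha256_hex(site[name]), site[name + ".sha256"])


def check_pinned(site: dict, name: str, pinned: str) -> bool:
    """Compare the download with a digest obtained out of band at release
    time and stored on the consumer's side, where the site attacker cannot
    rewrite it."""
    return hmac.compare_digest(sha256_hex(site[name]), pinned)


def hash_scenario() -> dict:
    """Point (a): co-located hash vs pinned digest, before and after the site
    is compromised. Each tuple is (colocated_check, pinned_check)."""
    site = {}
    pinned = release(site, PKG, GENUINE)
    before = (check_colocated(site, PKG), check_pinned(site, PKG, pinned))
    compromise(site, PKG, TROJANED)
    after = (check_colocated(site, PKG), check_pinned(site, PKG, pinned))
    return {"before": before, "after": after}


# Stand-in for the packaging vendor's signing key (constructed; an HMAC is
# used here in place of an asymmetric signature to keep the example offline).
PACKAGER_KEY = b"constructed packager signing key"


def packager_sign(payload: bytes) -> str:
    """The packager signs whatever tarball they built from."""
    return hmac.new(PACKAGER_KEY, payload, hashlib.sha256).hexdigest()


def packager_verify(payload: bytes, signature: str) -> bool:
    """What a consumer's package manager checks: was this package signed by
    the vendor, and is it unchanged since then? Nothing more."""
    return hmac.compare_digest(packager_sign(payload), signature)


def signature_scenario() -> dict:
    """Point (b): upstream site is compromised before the packager fetches the
    tarball. The package signature is valid, the contents are not genuine."""
    site = {}
    release(site, PKG, GENUINE)
    compromise(site, PKG, TROJANED)
    fetched = site[PKG]  # packager takes what the site serves
    signature = packager_sign(fetched)
    return {
        "signature_valid": packager_verify(fetched, signature),
        "contents_genuine": fetched == GENUINE,
    }


if __name__ == "__main__":
    print("hash check:", hash_scenario())
    print("signature check:", signature_scenario())
```

The practical reading: a digest or signature only helps when the thing you compare against lives somewhere the attacker who controls the download site cannot reach (a key or digest you already hold, a signed announcement from a different channel), and a valid vendor signature tells you the vendor's build was not altered after signing, not that the vendor built from clean sources.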

  20. Anonymous Coward

    This may explain...

    ....why there have been no Fedora updates for a few days...

    If the bad guys could get in here and cause a trojan ssh to be installed on every actively updated Fedora installation in the world, they would hit a jackpot. :-(

    Happy to see that it has been dealt with openly and responsibly!

  21. John O'Hare

    @Bruce

    "They should have used Windows Server 2003."

    Quite sure you would never see stories about the MS source being poisoned.

    Simply because MS wouldn't let anyone know; probably even if millions of desktops did get pwned in the process.

    Just roll out another Windows update and no one's the wiser.

    "What? Your Windows XP desktop got owned? Must be a virus."

    What's the term for that again? Security through obscurity, wasn't it?

    Ignorance is bliss...

    Paris, 'nuff said.

  22. TeeCee

    @halfcut

    If the second "for" is redundant as you say, how come you've felt the need to include two in your reworked version as well?

    I see your "Mmmm" and raise you an "Aha!".

  23. Mike

    SLACKWARE

    Is for secure servers. You use redhat if you feel you may need to sue someone in the future, or are just too lazy to manage your upgrades.

    Flame on fanboys..

  24. Herbert Meyer

    the rest of the story

    OK John, you told us What. There are a few W's left:

    WHO? Were the systems compromised by a bent RH employee, or from the outside by Ukrainian hackers / the NSA / the Martians? (pick one, or supply a new THEM).

    HOW? If it was an inside job, with a keyboard and a flash drive; from outside, by a known or unknown security hole. Either way, it should have been logged, and the trace should allow finger pointing.

    WHY? Are "THEY" (see above) trying to hack eCommerce to collect credit card numbers, to hack mail servers to further tap our mail and phone calls, or to turn the entire googleplex into a bot?

    If it was an inside job, I can understand the lack of information. RH does not background check their employees very well. Very embarrassing.

    If their logging and audit are not up to the task, more embarrassing. Remember GrandPa IBM - RASS: reliability, availability, serviceability and security. They have blown at least one.

  25. Anonymous Coward

    Red Hat site down for "Routine Maintenance"

    ...for the last several hours. Monday afternoon's a pretty typical time to do routine maintenance. This is standard service in this day and age; no one expects any web site to be up 24x7, after all.

  26. Anonymous Coward

    Backdoors? Trojans? Logic bombs?

    What exactly is wrong with the SSH packages that were signed by the intruder? Do they contain backdoors? Trojans? Logic bombs? What? It seems unbelievable to me that this isn't being discussed.

    P.S. FreeBSD's CVS repository got pwned, back in the day.

  27. Anonymous Coward

    Re: the rest of the story

    "WHO? Were the systems compromised by a bent RH employee, or from the outside by Ukrainian hackers / the NSA / the Martians? (pick one, or supply a new THEM)."

    You forgot the obvious candidates for THEM: Al-Qaeda, illegal immigrants and paedophiles. Personally, my money is on the Martians.

  28. Anonymous Coward

    cat humour > /dev/null

    Keep signing in perspective: most of the M$ binaries I have just used this morning are written by Martian employees of SCO's lawyers in Kufic script but in the wrong codepage and saved as 8.3 too. :)

    Al-Qaeda is way too smart to try to leverage FC/RH, surely. Everyone worth attacking uses MS Windows anyway, surely?

    Now, who else seems to like to plant their own keys in things...erm....lemme think

    Altogether now....

    "I saw a man upon the stair..."

  29. Herbert Meyer

    Read another Reg article about the Phalanx rootkit

    link:

    http://www.theregister.co.uk/2008/08/27/ssh_key_attacks_warning/

    and then connect the dots.
