Good to finally have some details. Those details, it turns out, are worrying.
My prime concern upon reading this summary is that there were two *separate* breaches, one for
the Fedora servers, and one for the Red Hat servers. It seems reasonable to presume that this
isn't a coincidence, for two such successful attacks to occur in close proximity. So, this is
a targeted effort against both Red Hat and Fedora, which by itself worries me.
In addition, this appears to be a serious breach in the sense that it isn't incidental to one
particular machine. That is, it seems most reasonable that the same attack method worked on
both targets. To me this implies that it wasn't a socially-engineered stealing of a password
to an account on one of the machines, as this wouldn't work for the other - unless a single
user has accounts on both, with the *same* password (not a good idea in general, but many of
us fall prey to this sort of thing...). If not, then the attackers have a method that works
against both the Fedora and Red Hat servers; it is possible that they have in their hands
details of a security vulnerability shared between these systems, which appears to me to imply
that it might be present in lots of systems around the world.
All of that said, it does appear Red Hat/Fedora are taking these intrusions seriously, and
that little actual damage has been done; that is the good news here as I see things.
Posted Aug 22, 2008 15:15 UTC (Fri) by JoeBuck (subscriber, #2330)
Probably only one breach, since Red Hat provides Fedora's infrastructure.
What happened with Fedora - and Red Hat too
Posted Aug 22, 2008 15:19 UTC (Fri) by kripkenstein (subscriber, #43281)
Sure, could be - I really don't know. But I still tend to doubt that the same server is used
for both Fedora and Red Hat in their infrastructure for the functionality that was breached.
And given how much space was spent in the official summary about how the two breaches are
separate, I tend to presume we are talking about separate servers. But I hope that's
incorrect, and I presume we'll find out soon enough.
What happened with Fedora - and Red Hat too
Posted Aug 22, 2008 16:37 UTC (Fri) by elanthis (guest, #6227)
It could have been a single Red Hat employee who let his key or passphrase get stolen. If he
had access to both Red Hat and Fedora systems, well... there you go.
What happened with Fedora - and Red Hat too
Posted Aug 22, 2008 16:39 UTC (Fri) by Ed_L. (guest, #24287)
I presume we will find out "soon enough" as well. However, given that in all likelihood Red Hat/Fedora have the best security in the business, I would not presume we will find out before Red Hat quietly shares at least some details with its erstwhile competitors and sometime collaborators, e.g. Debian, Gentoo, Mandriva, Canonical, Freespire, SuSE...
What happened with Fedora - and Red Hat too
Posted Aug 22, 2008 17:23 UTC (Fri) by drag (subscriber, #31333)
Usually the human is the weakest link in any security system.
It's very likely that the attacker gained access to an account using social engineering or by
bad ssh habits on the part of a Fedora developer.
What happened with Fedora - and Red Hat too
Posted Aug 25, 2008 0:56 UTC (Mon) by jamesh (guest, #1159)
> To me this implies that it wasn't a socially-engineered stealing of
> a password to an account on one of the machines, as this wouldn't
> work for the other - unless a single user has accounts on both, with
> the *same* password (not a good idea in general, but many of us fall
> prey to this sort of thing...).
It isn't uncommon for large organisations to have shared authentication systems distributed via LDAP or similar, so having the same password on multiple boxes is not that surprising.
Also, it isn't uncommon for people to use the same SSH key pair to log into multiple servers, so that is another possible explanation for both RH and Fedora infrastructure being breached in a single attack.
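The SSH key reuse jamesh describes is something an operator can audit for directly. As an added example (not from this thread and not Red Hat's or Fedora's own tooling), this Python script parses authorized_keys contents collected from several hosts, fingerprints each key the way OpenSSH displays it, and reports keys that are authorized on more than one host; the host names and key lines are constructed test data, not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: u32 length + bytes

def make_ed25519_line(seed: int, comment: str) -> str:
    # Constructed test data: a syntactically valid ssh-ed25519 line whose 32-byte
    # "public key" is just the seed byte repeated. Not a real key.
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_authorized_keys_line(line: str):
    """(key_type, SHA256 fingerprint, comment) or None; skips a leading options field."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):  # options such as from=/command= precede the key type
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            if not blob.startswith(_ssh_string(tok.encode())):  # blob must name the same type
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            return tok, "SHA256:" + digest, " ".join(tokens[i + 2:])  # OpenSSH's display form
    return None

def shared_keys(hosts: dict) -> dict:
    """fingerprint -> sorted hosts, keeping only keys authorized on more than one host."""
    seen = defaultdict(set)
    for host, contents in hosts.items():
        for line in contents.splitlines():
            parsed = parse_authorized_keys_line(line)
            if parsed:
                seen[parsed[1]].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

# Constructed authorized_keys contents for two hypothetical hosts; the dev@laptop key is reused.
HOSTS = {
    "fedora-build.example": "\n".join(["# build account keys",
        make_ed25519_line(1, "dev@laptop"), make_ed25519_line(2, "release@fedora")]),
    "rhel-build.example": "\n".join([make_ed25519_line(1, "dev@laptop"),
        'from="10.0.0.0/8",command="/usr/bin/rsync --server" ' + make_ed25519_line(3, "mirror@rhel")]),
}
```

Running `shared_keys(HOSTS)` flags only the dev@laptop key as present on both hosts; in practice the per-host inputs would be gathered from each machine's authorized_keys files.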