
Fedora intrusion update

From:  "Paul W. Frields" <stickster-AT-gmail.com>
To:  fedora-announce-list <fedora-announce-list-AT-redhat.com>
Subject:  Fedora intrusion update, 2008-09-19 UTC 0230
Date:  Thu, 18 Sep 2008 20:41:29 -0400
Message-ID:  <1221784889.6988.1.camel@localhost.localdomain>
Cc:  fedora-advisory-board <fedora-advisory-board-AT-redhat.com>

Work on the Fedora infrastructure has returned to normal at this point.
Updates are once again available for Fedora 8 and Fedora 9, our current
releases, using the new package signing key we've implemented.  To read
more about the new package signing key, refer to:

https://fedoraproject.org/wiki/New_signing_key 
https://fedoraproject.org/wiki/Enabling_new_signing_key 

In addition, Rawhide has returned to service, as well as our other
services such as Fedora Hosted.

As always, our team of system administrators makes incremental
improvements constantly.  Sometimes these improvements involve temporary
outages, and such outages may occur in the future as part of normal
operations.  At this time, however, we believe Fedora's recovery efforts
are complete.  To reiterate our previous statement, we have not found
any security vulnerabilities in any Fedora software as a result of our
efforts.

The security investigation into the intrusion is still in progress.
When that investigation is completed, the Fedora Project's intention is
to publish a more detailed report on the matter.

We will issue further updates as more information becomes available.

-- 
Paul W. Frields
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://paul.frields.org/   -  -   http://pfrields.fedorapeople.org/
  irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug

-- 
fedora-announce-list mailing list
fedora-announce-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-announce-list



Fedora intrusion update

Posted Sep 19, 2008 21:12 UTC (Fri) by rahvin (subscriber, #16953) [Link]

So contrary to the people that jumped down Red Hat's throat we now have official confirmation that there is an ongoing investigation (some argued there was no evidence of such) and that when the investigation is complete the full details will be released. Fedora essentially has confirmed what those of us with patience were suggesting when the original complaints about cover-up surfaced.

Fedora intrusion update

Posted Sep 21, 2008 17:08 UTC (Sun) by fatherted (guest, #33354) [Link]

rahvin said "...full details will be released."

but, the announcement said no such thing. it actually carefully hedged what would be said. thus: "...the Fedora Project's intention is to publish a more detailed report on the matter."

"more detailed" is nowhere near saying that one would release "full details". "more detailed" is what one says when one is NOT going to provide full details.

in some ways this is even more disturbing than the prior almost complete silence.

Fedora intrusion update

Posted Sep 19, 2008 22:23 UTC (Fri) by kragil (subscriber, #34373) [Link]

Translation:

We got hacked and still don't know how and whether it might happen again (to anyone), but when/if we know we will tell everyone.

Reassuring?

What I would like to know is what was running on the machines that were hacked etc.
I think it is safe to say it was RHEL5?
With which services running?

I still don't like the way this is handled. That is just MHO, though.

Fedora intrusion update

Posted Sep 19, 2008 23:08 UTC (Fri) by vonbrand (subscriber, #4458) [Link]

All they say is that they don't have all the details yet (and maybe they can't share what they have right now, for whatever reasons). They have told once and again that no compromised packages have been shipped, and that the Fedora infrastructure is believed safe now.

An investigation into such an incident is very time-consuming, and making sure that everything is safe (yes, paranoia does kick in hard after something like this happens) is a hard, long-winded job. Plus they are putting procedures in place to switch over to new signing keys, and defining guidelines for handling such intrusions in the future.

Yes, it can be argued that said procedures should have been in place for a long time, but hindsight is always 20-20.

Fedora intrusion update

Posted Sep 19, 2008 23:29 UTC (Fri) by jspaleta (subscriber, #50639) [Link]

Speaking of incident procedures. If you can point me to specific well documented public incident reporting procedures, I'd gladly take a look at them as a reference for Fedora's. I know Debian had an intrusion in 2004, and did a very good job of dealing with it. But it's not clear if the Debian people were working from an established process or just winging it. Does Debian have a publicly communicated process on how intrusions are to be handled and communicated when they occur? If they do I'd love to read over it.

-jef

Fedora intrusion update

Posted Sep 20, 2008 5:39 UTC (Sat) by sbergman27 (guest, #10767) [Link]

No doubt you are looking for something fiddlingly detailed. And there is no doubt something more specific. But it all pretty much follows from this:

http://www.debian.org/social_contract

It may be that more distros need one, or need to pay more than lip service to what they have.

Things only get complicated when the one wants to apply "spin" to the disclosure, or lack thereof.

Fedora intrusion update

Posted Sep 20, 2008 12:15 UTC (Sat) by dowdle (subscriber, #659) [Link]

I'm sure they know how they got hacked... or they wouldn't have been able to prevent it from happening again and again.

The investigation is most likely centered around who.

I'm willing to bet a dollar that the break-in was a result of a purloined password of someone with fairly high level access. Perhaps they don't know how the password was obtained.

Your statement that they don't know how (and that they and everyone else are still vulnerable) is unfounded just as is my guess.

Fedora intrusion update

Posted Sep 21, 2008 10:52 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

An unprotected key is a good bet actually. Far, far too many people have SSH keyfiles with no passphrase.

Unlike poor quality passwords there's no way to test for it on the server, the SSH client, understandably, doesn't advertise how well protected your keys are, so the server has to assume you're protecting them adequately.

While password discovery would be a big threat for an organised attack, since passwords are notoriously poorly protected by users, an unprotected SSH key is a lot more plausible as an attack of opportunity - a bad guy finds an SSH account somewhere, it has an unprotected key, and he uses the known hosts lists* to break into all the machines where it is valid. He's looking through the list for anything interesting and sees - aha- a Red Hat development machine.

* Well known vulnerability: SSH clients store the list of hosts they've previously connected to in plaintext, in order to facilitate fast confirmation of previously seen host keys. This list is stored with similar privileges (and often adjacent) to the private key material. So someone who can steal the key can nearly always also steal a list of hosts where it is most likely to be valid. The best available threat reduction is a hashing phase, which stores only a hash of the destination hosts, increasing the work needed for an attacker to identify the hosts. But this reduction is far from completely effective and is not widely enabled anyway, particularly by the sort of person who doesn't bother to have a good passphrase for their key.

Fedora intrusion update

Posted Sep 21, 2008 16:09 UTC (Sun) by johill (subscriber, #25196) [Link]

As far as I know, ssh hasn't stored the known hosts in plaintext for a long time, they are hashed now so you can match host -> entry but not do entry -> host.

Fedora intrusion update

Posted Sep 21, 2008 16:11 UTC (Sun) by johill (subscriber, #25196) [Link]

Oh, sorry, you had mentioned the hashing and I just read too fast, but it is indeed enabled by default on many distros now and I don't see a good way to crack it. .bash_history might be a better venue.

Fedora intrusion update

Posted Sep 21, 2008 16:43 UTC (Sun) by gmaxwell (subscriber, #30048) [Link]

I am aware of HashKnownHosts, but is anyone actually using it?

As far as I can tell it's not on by default in Fedora 9. It's kind of an annoying feature, if it were on I'd probably turn it off. The increase in security is minimal due to the existence of bash history.

The reason users don't encrypt their ssh key is because they don't want to spend their lives typing passwords over and over again. Since in *theory* a user's SSH keys should only be on a system they are sitting at (further intermediate hops should be handled via ssh-agent) it may not be unreasonable to use some pam/kernel_keyring integration so that the ssh key is at least encrypted with some derivative of their login password.


Fedora intrusion update

Posted Sep 25, 2008 1:56 UTC (Thu) by jimparis (subscriber, #38647) [Link]

> I am aware of HashKnownHosts, but is anyone actually using it?

It has been the default in Debian since May 26, 2005.
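
Added example, not part of the comments above and not OpenSSH's own code: a small audit of a `known_hosts` file that reports which entries still disclose host names in plaintext, and shows the "host -> entry" check that a hashed entry (`|1|salt|HMAC-SHA1`) still allows. The function names, the fixed salt, the host names and the key material are constructed for illustration.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def entry_matches(field, host):
    """host -> entry: recompute the HMAC with the entry's own salt and compare."""
    parts = field.split("|")
    if len(parts) != 4 or parts[:2] != ["", "1"]:
        return False  # not a hashed host field
    try:
        salt = base64.b64decode(parts[2], validate=True)
        mac = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False  # malformed base64
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)

def audit(text):
    """Count hashed entries and list the host names stored in plaintext."""
    report = {"hashed": 0, "plaintext": []}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("|1|"):
            report["hashed"] += 1
        else:
            report["plaintext"].extend(fields[0].split(","))
    return report

# Constructed sample: one plaintext entry, one hashed entry (fixed salt for repeatability;
# ssh uses a random salt per entry). The key blob is a placeholder, not a real key.
SALT = bytes(range(20))
KEY = " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed"
SAMPLE = "\n".join([
    "# constructed sample known_hosts",
    "build.example.org,192.0.2.10" + KEY,
    hash_host("git.example.org", SALT) + KEY,
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Existing plaintext entries can be converted in place with `ssh-keygen -H`, and `HashKnownHosts yes` in the client configuration hashes new ones as they are added.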

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds