Vendor-sec host compromised, shut down

From:  Marcus Meissner <meissner-l3A5Bk7waGM-AT-public.gmane.org>
To:  OSS Security List <oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org>
Subject:  Vendor-sec hosting and future of closed lists
Date:  Thu, 3 Mar 2011 19:12:24 +0100
Message-ID:  <20110303181224.GB1433@suse.de>

Hi folks,

As moderator of vendor-sec and one of the sysadmins of lst.de I noticed
a break-in into the lst.de machine last week, which was likely used to
sniff email traffic of vendor-sec. This incident probably happened on Jan 20
as confirmed by timestamp, but might have existed for longer.

As the system in use at lst.de is quite old and the admin team and myself
do not really have the time anymore to keep it on a secure level, we
would like to move the list to another hosting place.

I have disabled the specific backdoor, but as I am not sure how the
break-in happened it might reappear. So I recommend not mailing embargoed
issues to vendor-sec-jcswGhMUV9g@public.gmane.org at this time.


I have asked Solar Designer if he could take over hosting, and he agreed,
including a full GPG crypted setup.


However we found during this brainstorming that changes in the setup
of the vendor-sec list likely are good at this point in time.

The number of subscribers is high, and probably 80-100 people get vendor-sec
emails, making leaks by members always a possibility.

Also the usefulness of v-s in general has diminished a bit, especially with
oss-sec present and more active and more involved upstream projects doing
their own management. Mark J Cox has some stats for Redhat updates showing this.

(To use the treadmill metaphor, v-s does not help us vendors as much
with the speed of the patch treadmill as it did 5 - 10 years ago.)



So I would like to open up a discussion with _all_ OSS Security folks present.

- Is a closed vendor coordination like vendor-sec still needed at this time?

  Meaning: does the benefit of a closed group really outweigh the
  "left out feeling" of non members and its annoyances?

- If yes, would it be an idea to confine or split into lists of focus groups?
  (like Linux vendors, BSD vendors, all OSS source using vendors, etc?)

- Or of course the old option is open:
  Should we proceed with the current state as-is, but throw a bit more
  GPG encryption on top?

- What other options do we have or should we pursue?

At least SUSE, Redhat and Openwall are open for discussion.
Please discuss :)

Ciao, Marcus (vendor-sec moderator)




Vendor-sec host compromised, shut down

Posted Mar 4, 2011 16:55 UTC (Fri) by pr1268 (guest, #24648) [Link] (1 responses)

Oh, the irony!

Vendor-sec host compromised, shut down

Posted Mar 5, 2011 5:12 UTC (Sat) by drag (guest, #31333) [Link]

hehe.

Nowadays if you want a totally secure server to distribute sensitive information then your best chance is to leave it wide open to the public. Then have people participating use proper encryption.

At least that way you get rid of any illusions.

Vendor-sec host compromised, shut down

Posted Mar 6, 2011 0:33 UTC (Sun) by csamuel (✭ supporter ✭, #2624) [Link] (1 responses)

It's worth noting that after that email the cracker came back and destroyed the system, according to this. :-(

So after I posted this (and went for some beers) the attacker read this and reentered the lst.de machine, went amok and destroyed the machine's installation. The machine has now been shutdown.
So everyone please consider vendor-sec () lst de is dead and gone at this point, successors (or not) will hopefully result out of this discussion.

Vendor-sec host compromised, shut down

Posted Mar 7, 2011 2:32 UTC (Mon) by paravoid (subscriber, #32869) [Link]

For a mailing list that is about security, I'm surprised with the lack of backups, forensics and security procedures ("when you detect a breakin, get the machine offline first!"). A shame.


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds