
Which remote services please? [Debian.org compromise ...]


Posted Dec 1, 2003 15:12 UTC (Mon) by mh (guest, #7058)
In reply to: Which remote services please? [Debian.org compromise ...] by Wills
Parent article: Debian.org compromise update

Read the article again:

> On Wednesday 19th November (2003), at approximately 5pm GMT, a sniffed
> password was used to access an (unprivileged) account on
> klecker.debian.org.

This probably means ssh access.



Sniffed password

Posted Dec 1, 2003 18:50 UTC (Mon) by ncm (guest, #165)

In other words, somebody broke into some developer's machine and recorded a user there logging into the Debian server. Since we don't know whose computer was broken into before the attack on the Debian server, there's no reason to expect the attacker won't sniff the password and break in again. Since the attacker can sniff keystrokes, he can also alter source code, sign packages, or any number of much more subtle things than just installing rootkits.

There's no compelling reason to believe it hasn't happened already.

I find it odd that the announcement didn't include a request to scour every host that developers have logged in from. Maybe that indicates they know whose it was.

Sniffed password

Posted Dec 1, 2003 21:12 UTC (Mon) by ballombe (subscriber, #9523)

> I find it odd that the announcement didn't include a request to scour every host that developers have logged in from. Maybe that indicates they know whose it was.

They have, please read http://www.wiggy.net/debian/developer-securing/ .

Also I believe they know who he was since they mentioned a failed login attempt to murphy.

Which remote services please? [Debian.org compromise ...]

Posted Dec 5, 2003 13:33 UTC (Fri) by Wills (guest, #1813)

Yes, I read the mention of password sniffing but I must admit I thought it was too incredible to be the real reason (not being disclosed by Debian) because Debian is supposed to take security seriously and they would neither allow any developer to log in to important Debian servers from insecure/untrusted PCs including public internet terminals nor allow untrusted people to have physical access to their key servers. If a Debian server password was really sniffed, one of Debian's trusted developers must have used an insecure, untrusted PC, which had a sniffer installed, to log in to a trusted Debian server -- very poor security practice. If you value the security of a remote server, never log in to it except from a PC which is kept as secure in every way as the server.

