Hackers break into two FreeBSD Project servers using stolen SSH keys
Users who installed third-party software packages distributed by FreeBSD.org are advised to reinstall their machines
IDG News Service - Hackers have compromised two servers used by the FreeBSD Project to build third-party software packages. Anyone who has installed such packages since Sept. 19 should completely reinstall their machines, the project's security team warned.
Intrusions on two machines within the FreeBSD.org cluster were detected on Nov. 11, the FreeBSD security team said Saturday. "The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution," said a message on the project's public announcements mailing list.
The two compromised servers acted as nodes for the project's legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website.
The incident only affected the collection of third-party software packages distributed by the project and not the operating system's "base" components, such as the kernel, system libraries, compiler or core command-line tools.
The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.
Even though the team did not find any evidence of the third-party software packages being modified by the hackers, they cannot exclude this possibility.
"We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors," the team said. "Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources."
The package sets currently available for all versions of FreeBSD have been validated and none of them have been altered in any way, the team said.
As a result of the incident, the FreeBSD Project plans to speed its process of deprecating legacy distribution services, like those based on CVSup, in favor of the more robust Subversion system. The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.
This is not the first time an open-source software project had to deal with an intrusion because of compromised SSH authentication keys. In August 2009, the Apache Project was forced to shut down its primary Web and mirror servers after discovering that hackers used an SSH key associated with an automated backup account to upload and execute malicious code on some of the servers.
"This is a hearty reminder that a chain is only as strong as its weakest link," said Paul Ducklin, the head of technology for Asia Pacific at antivirus vendor Sophos, in a blog post Sunday. "In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access -- whether those are servers, laptops or even mobile devices."
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Four Little-Known Ways WAN Optimization Can Benefit Your Organization WAN optimization has evolved into a complete system that optimizes traffic across a broad range of most popular applications while providing deep visibility...
- SharePlan Security SharePlan is a continuous, secure, enterprise-ready file sync and share platform that facilitates smart, real-time collaboration across all devices.
- Three Ways Your DNS Can Impact DDoS Attacks Domain Name System (DNS) plays a big role in consumers' day-to-day Internet usage and is a critical factor when it comes to distributed...
- Online Video and Web Traffic: Sochi 2014 Winter Olympic Games Over 25 leading global broadcasters worked with Akamai to deliver the action, excitement and inspiration of Sochi because they understand online viewers expect...
- Video surveillance for IT: maximum image quality, minimum bandwidth Join us on Thursday, May 8th at 1 p.m. EST when Willem Ryan, Senior Product Marketing Manager at Avigilon, will discuss how IT... All Networking White Papers | Webcasts