-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Theo Zourzouvillys wrote:
>
> whoops.
>
> Overview
>
> The CERT/CC has received a report that the system housing the primary
> FTP servers for the GNU software project was compromised.

Whoops indeed. This was uncovered at the end of July, and GNU maintainers were told at the start of the month*, as they were needed in some cases to verify MD5 checksums.

I won't say too much, as I'm not sure whether the GNU maintainers' information was supposed to be in confidence. I couldn't find a public archive of the announcement of August 2nd, but it doesn't say much that isn't covered in the CERT announcement.

The exploit was local, using a published exploit, the fix for which took over 3 months to make it into the relevant Linux distro's security update. Suffice to say fewer people will have shell access to these boxes in future. Other changes have taken place on GNU servers that I'm not privy to, but it is obvious as a user that other boxes have been hardened, or reinstalled, since this was uncovered.

From what I can gather the box was just used to attack other places; no evidence of local malicious activity was reported, other than the installation of software to allow/hide the activity, possibly password sniffing.

Whilst I'm sure more could have been done technically, I think there is mainly a procedural lesson to be learnt about shell accounts on important servers.

From what I can gather the shell accounts on this box were largely a legacy of procedures from a more relaxed era: when I started, the documentation still said "apply for a shell account", but even then the procedures had changed and I was told just to place the software on an accessible ftp/http site and email the MD5 checksums and URLs to the relevant email account, and someone else would update the ftp servers. I'm guessing this wasn't enforced on older GNU maintainers, alas.
Simon

*And yes Neil, this was when I noticed Kuhn wasn't in my "web of trust". I think the FSF volunteers could make better use of GnuPG, but at the end of the day encryption wouldn't have helped here (we were using lots of that), only better procedures. It becomes painfully apparent how big (and small) projects now rely on the integrity of a large number of people, machines and software.

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/O5VFGFXfHI9FVgYRAhdAAKCDYlYncpgJbXVdWYX29j4K1GuXQgCfcr7C
a/cz5p/myIMYA8riQaE9gDg=
=6DuY
-----END PGP SIGNATURE-----

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
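The checksum step the post mentions (maintainers mailing MD5 sums and URLs for uploads, and later being asked to verify sums on the compromised box), as an added example that is not part of the original post and not an FSF or GNU script: a small verifier that checks a directory of release files against a manifest in md5sum format and also reports files the manifest never listed, which is what a replaced or planted tarball on a compromised mirror looks like. The file names, file contents and manifest below are constructed for the example; the algorithm defaults to md5 to match the 2003 procedure, but any hashlib name such as sha256 can be passed in, since MD5 is no longer collision resistant.

```python
"""Verify a directory of release files against a maintainer-supplied
checksum manifest in md5sum/sha256sum format ("<hexdigest>  <filename>").

Hypothetical example written for this page; not an FSF or GNU tool.
"""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse md5sum/sha256sum-style lines into {filename: hexdigest}.

    Accepts both "digest  name" (text mode) and "digest *name" (binary
    mode) forms; blank lines and '#' comments are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries


def hash_file(path, algo="md5"):
    """Stream a file through hashlib so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(manifest_text, directory, algo="md5"):
    """Compare every manifest entry with the file on disk.

    Returns {filename: "ok" | "MISMATCH" | "MISSING" | "UNLISTED"}.
    UNLISTED covers files present in the directory but absent from the
    manifest: on a compromised server an extra or swapped tarball is
    exactly what an independently supplied list is there to expose.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hash_file(path, algo) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    for name in sorted(os.listdir(directory)):
        if name not in expected and os.path.isfile(os.path.join(directory, name)):
            results[name] = "UNLISTED"
    return results


def build_sample_tree():
    """Constructed fixture: a temp dir standing in for the FTP area plus the
    manifest a maintainer would have mailed in. Returns (directory, manifest)."""
    d = tempfile.mkdtemp(prefix="ftp-area-")
    files = {
        "example-1.0.tar.gz": b"genuine release bytes\n",
        "example-0.9.tar.gz": b"release bytes with an implant\n",  # altered on the server
        "extra.tar.gz": b"never announced by any maintainer\n",   # not in the manifest
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    # Manifest: correct digest for 1.0, the digest of the *original* 0.9
    # bytes (so the on-disk copy mismatches), and one file not on disk.
    lines = [
        "%s  example-1.0.tar.gz" % hashlib.md5(files["example-1.0.tar.gz"]).hexdigest(),
        "%s  example-0.9.tar.gz" % hashlib.md5(b"original 0.9 release bytes\n").hexdigest(),
        "%s  example-0.8.tar.gz" % hashlib.md5(b"old release\n").hexdigest(),
    ]
    return d, "\n".join(lines) + "\n"


if __name__ == "__main__":
    area, manifest = build_sample_tree()
    for name, status in sorted(verify_tree(manifest, area).items()):
        print("%-22s %s" % (name, status))
```

The check is only as good as the independence of the manifest: a sums file fetched from the same box that may have been compromised proves nothing, which is why the post's point about maintainers mailing the sums separately (and, better, signing that list with GnuPG so the web of trust it mentions can be used) is what gives the comparison any meaning.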