More Info on Debian.org Security Breach 545
mbanck writes "James Troup (part of the Debian System administration team) has published more information on the recent compromise of four debian.org machines. The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly uptodate with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen.Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures."
Password was *sniffed* (Score:5, Informative)
This was both user and admin stupidity I guess. Admins who care about security shouldn't permit access through cleartext passwords and users shouldn't send their password in cleartext if they care about their account. Unfortunately many users don't know about this risk.
Re:Password was *sniffed* (Score:2, Informative)
Re:Great (Score:4, Informative)
You could easily keep a pre-generated giant pad itself on a usb drive or something similar.
The root of the problem (Score:1, Informative)
SELinux would likely have prevented the root exploit from allowing this individual from doing as much harm as was done.
I would think that it's time for the big players like Debian, Slackware, Red Hat etc to start implementing it on their network connected machines.
It's being incorporated into the stock kernel for a reason. Use it!
Re:One recommendation (Score:3, Informative)
It looks like a bit of work to set up and administer but you'd think that an organization like Debian would make sure all their computers would be running it.
Re:Password was *sniffed* (Score:5, Informative)
Re:Boxen.. (Score:2, Informative)
Re:But wait.... (Score:1, Informative)
Re:One recommendation (Score:3, Informative)
SuckIt Exploit (Score:5, Informative)
Move the
Patch the kernel with either Grsecurity or Openwall Patch on 2.4.22 kernel and set it as mononthlic kernel, not modular with no open hooks for adding additional modules.
Then I installed the suphp module for PHP to run scripts as users instead of nobody, especially when people trying to exploit it. I get it at www.suphp.org and it works extremely well. Since the changes, I haven't seen any rootkits being successfully implemented on the servers I admin. And note the fact that I manages over 260 servers for various clients points to the track records.
Re:What's up with these anti-Linux attacks? (Score:3, Informative)
Two useful utilities to flush out the rootkits (Score:5, Informative)
Here are two useful utilities to flush out the SucKIT rootkit:
Kernel Security Therapy Anti-Trolls [freshmeat.net]
and
Kernel Security Checker [freshmeat.net]
Have a nice day !
Re:ldap? (Score:2, Informative)
That's what he meant by his comment - the Debian Project is effectively halted by this - and obviously that can't go on for long.
[1] You can obtain a listing of these by running the command ldapsearch -h db.debian.org -x -b dc=debian,dc=org '(objectClass=debiandeveloper)' from a internet-connected host.
Re:Human Error (Score:3, Informative)
Eh? Why is everyone talking about a weak password?
The article says sniffed password.
I assume that they're not using cleartext password authentication which means that it wasn't sniffed on the wire, it's was sniffed on a (compromised) box the some user used to log in.
And if the clientbox is compromised it doesn't matter if you use password or a passphrased key.
Even keeping your key on something removable (like an USB keychain) doesn't help you, the cracker can easily snarf both key and passphrase
The only way to bypass that would be an external pinpad style device.
Re:Debian physical site security? (Score:4, Informative)
in the US and Netherlands (there are buildd machines available to debian developers in various locations). The machines are beefy enough - HP
recently donated a server with 48 GB RAM, for example. I believe the bandwidth out of ftp.debian.org is Gigabit ethernet (and having only that to the mirrors will be a bottleneck
when sarge is released!)
So, no, they're not in some dudes basement; we have good facilities courtesy of our sponsors.
- Alastair
SELinux (Score:1, Informative)
Re:biometrics (Score:5, Informative)
Palm scanning only proves you have the hand of someone allowed to access a system. Retina scanning only proves you have the eyeball of someone allowed to access a system.
Well, the manufacturers of palm/retina scanners generally do include a feature that detects if the bodypart being scanned has a pulse. So you can't fool these scanners just by cutting off someone's hand or ripping out their eyeball. (Although it might be possible to manufacture fake contact lenses or glue-on fingerprints that would work.)
On the other hand, the basic weakness is that the biometric signature is still just a big password. You can "sniff" the signature by installing a fake reader. You can steal the signature off the harddrive of the domain controller. You can bypass the reader by splicing the wire. And your "password" is the same for every site.
Bottom line: I would sooner trust a token card.
-a
Re:What could be done better... (Score:3, Informative)
never have been used to gain root privileges
Re:Something big is missing (Score:2, Informative)
Re:Human Error or faulty security models? (Score:3, Informative)
The end result is: We will soon have a very strong security model built in to the standard stable kernel. The sad thing is that it will be off by default, and you will still need the set of userland tools that use it.
We have an excellent opportunity (with the 2.6 release) to seriously increase the security of Linux systems. People need to start promoting LSM modules and programs NOW so that we can get this to be the default state of most installed Linux boxes.
Jedidiah
Re:biometrics (Score:3, Informative)
One would hope so, but the evidence [schneier.com] isn't as promising.