
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apache.org hit by SSH key compromise

By | August 28, 2009, 8:13am PDT

Summary: The open-source Apache Software Foundation pulled its Apache.org Web site offline for about three hours today because of a server hack caused by a compromised SSH key.


A brief message posted on the site (see image below) made it clear the compromise was “not due to any software exploits in Apache itself”, but was actually caused by a compromised SSH key.

The group did not say which Apache software servers were affected.

UPDATE: An initial report from Apache is now available.

* Screenshot via The H Security. More at Threatpost.com.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.


RE: Apache.org hit by SSH key compromise
birumut Updated - 29th Apr 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat
0 Votes
SSH Key password
bjbrock 28th Aug 2009
Was a password not required as well? Good security would dictate a hardened password in addition to the SSH key before access was granted. It has been shown several times that a key alone is not adequate. I would like to hear more about how the breach occurred.
0 Votes
Why allow keys for backup to come inbound??
Chester Wisniewski - Sophos 31st Aug 2009
I understand the need to use SSH for off-site backup on occasion, but in
addition to bjbrock's point (which it sounds like there was not a password)
why would keys used to copy OUT a backup be allowed to come back in?
It certainly could be that their backup provider was compromised in some
way, but using a secure password, and not allowing inbound shell with
that account would have easily stopped this type of attack.

Chet Wisniewski
www.sophos.com
0 Votes
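
The restriction asked for in the comment above (a backup key that cannot open an inbound shell) maps to per-key options in OpenSSH's `authorized_keys` file. The following is an added example, not part of the original article or its comments, that flags entries lacking those options; the sample entries, key blobs, paths and address are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of OpenSSH public key types

def split_options(line):
    """Return (options, key_type) for one authorized_keys entry."""
    line = line.strip()
    if line.startswith(KEY_TYPES):           # entry has no options field
        return {}, line.split()[0]
    in_quotes, i = False, 0
    while i < len(line):                      # options end at first unquoted space
        ch = line[i]
        if ch == "\\" and in_quotes:
            i += 1                            # skip the escaped character
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            break
        i += 1
    opts = {}
    pattern = r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)'
    for m in re.finditer(pattern, line[:i]):
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
    rest = line[i:].split()
    return opts, rest[0] if rest else ""

def audit(line):
    """List what this key permits beyond running one fixed command."""
    opts, _ = split_options(line)
    locked = "restrict" in opts               # restrict disables pty and forwarding
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    if "from" not in opts:
        findings.append("no from= source restriction")
    if "pty" in opts or not (locked or "no-pty" in opts):
        findings.append("pty allowed")
    if not locked and "no-port-forwarding" not in opts:
        findings.append("port forwarding allowed")
    return findings

# Constructed sample entries: key blobs, paths and the address are placeholders.
SAMPLE = [
    'ssh-ed25519 AAAAC3PLACEHOLDERKEY backup@offsite',
    'command="/usr/local/bin/receive-backup",from="192.0.2.10",restrict '
    'ssh-ed25519 AAAAC3PLACEHOLDERKEY backup@offsite',
    'command="rsync --server --sender . /srv/backup/",no-pty '
    'ssh-rsa AAAAB3PLACEHOLDERKEY backup@offsite',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry) or "restricted", "<-", entry[:40])
```

An entry with an empty findings list can only run its forced command from the listed source address; any other entry is a key that, if stolen, opens more than the backup job needs.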
That particular bug caused all SSH keys (and
more) generated by a Debian system - or by any
derived distros such as Ubuntu - to have very
low entropy and easily guessable.

Even though Apache is on FreeBSD servers their
certificate provider could have been using a
Debian system for SSH generation. It was a
nasty bug which cost a lot of $$$ because
customers had to re-pay to have good keys re-
issued.

It is good to see Apache Software Foundation
being upfront, candid and very transparent
about it. Kudos.

Despite this incident Apache seems to be on top of
things and - above all - forthcoming. They
deserve respect. Somehow I don't think Apple,
Microsoft or Google would be as informative as
Apache are.
0 Votes
You give Apache far too much credit
LiquidLearner 28th Aug 2009
They are basically pointing the finger, saying "it's not our fault, it was an SSH key". Of course they are coming out and being up front and honest about everything. I promise you the other companies you mentioned would be doing the same thing. But you can also bet that if it had been due to a major Apache vulnerability they would not have been so telling immediately. They would have double and triple checked to make sure it wasn't someone else's fault before making a statement of any sort.

However the scenario you laid out is possible and I agree with that. I just think you should have left out the "dig" at Apple, MS and Google as they would have reacted the exact same way.
0 Votes
Actually...
storm14k 29th Aug 2009
....they wouldn't. Apache has far more to lose by hiding something. Unlike the companies listed their popularity is not heavily based on marketing and perception. That's not a knock...that's just business. The others can market their way around a problem like this. Apache can't. They only have their track record to live on. Once again that's just business.
0 Votes
I'm not discounting
LiquidLearner 29th Aug 2009
that overall Apache would have been more honest than the other companies had it been their fault but I can assure you they would not have been so quick to give out information. They would have spent additional time ensuring that it was actually their fault and there wasn't some way to blame someone else. And that's not a knock either, it's just business. As you put it.
0 Votes
It's still more damaging to them...
storm14k 31st Aug 2009
...to stall rather than just be upfront if it WAS
their fault. Once again all they have is their rep
and no marketing campaign to improve it. Both
situations would be damaging but if it's their
fault then that's one knock against them. If it's
their fault and they stall then that's two knocks
against them. It's just easier to tell it.
0 Votes
Compromised key does not necessarily mean technically compromised, humans are usually the weakest link in any security system let's face it. Could simply be a rogue user who had, at one time if not now, legitimate access.
0 Votes
ssh over public internet
davidr69 31st Aug 2009
Does this mean that Apache has servers listening for ssh traffic over the public Internet? No VPN?
0 Votes
RE: Apache.org hit by SSH key compromise
Stoarge Containers 2nd Dec 2009
Thanks for the information. The article was very informative. I liked the article and I expect more articles of this kind in future from You.

Thanks
Storage Containers
http://www.boxtcontainers.com
0 Votes
RE: Apache.org hit by SSH key compromise
Stoarge Containers 2nd Dec 2009
Thanks for the information. I expect more articles from you in future. The article was very helpful and informative.

Thanks
Storage Containers
http://www.boxtcontainers.com
0 Votes