Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Red Hat (belatedly) confirms security breach

August 22, 2008, 11:34am PDT

Summary: More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages. The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in [...]

More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages.

The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in the infrastructure systems” and calls into question Red Hat’s ability to promptly — and accurately — disclose security breaches.

Today’s acknowledgment is two-fold — an e-mail on the Fedora-Announce list and a critical Red Hat advisory — but some things surrounding the breach remain murky.

In the e-mail announcement, the group said it discovered the breach “last week,” but there is no mention of when the intrusion actually occurred.

It said that one of the Fedora servers was a system used for signing Fedora packages, but insists with “high confidence” that the intruder was not able to capture the passphrase used to secure the Fedora package signing key.

  • Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
  • While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

In tandem with that announcement, Red Hat shipped a critical OpenSSH update to RHEL users that mentions “an intrusion on certain computer system” that compromised some OpenSSH packages.

  • In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

The company said its processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.
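The advisory pairs the updated packages with a published list of the tampered ones and a way to detect them. The added example below (not Red Hat's script, and not the real blacklist) shows the defender-side check in its simplest form: parse a hash-per-line blacklist, hash each locally held package file, and flag any match. The blacklist format, the package names and the package bytes are all constructed for illustration.

```python
import hashlib

# Constructed sample blacklist, NOT Red Hat's real list. Assumed format:
# one "<sha256 hex>  <package file name>" per line; '#' starts a comment.
# The hash below is sha256("abc"), used here as the "tampered" content.
BLACKLIST_TEXT = """\
# constructed example entries
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  openssh-server-EXAMPLE.x86_64.rpm
"""


def parse_blacklist(text):
    """Return {sha256_hex: package_name}, ignoring blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[digest.lower()] = name
    return entries


def sha256_hex(data):
    """Hex SHA-256 of raw package bytes (hash the file, never trust the name)."""
    return hashlib.sha256(data).hexdigest()


def check_packages(installed, blacklist):
    """installed: {local package name: raw bytes}.
    Return [(local name, blacklisted name, sha256)] for every match."""
    hits = []
    for name, data in installed.items():
        digest = sha256_hex(data)
        if digest in blacklist:
            hits.append((name, blacklist[digest], digest))
    return hits


def main():
    # Constructed "installed" packages: one matches the blacklist, one does not.
    installed = {
        "openssh-server": b"abc",
        "openssh-clients": b"constructed clean package contents",
    }
    for local, listed, digest in check_packages(installed, parse_blacklist(BLACKLIST_TEXT)):
        print(f"TAMPERED: {local} matches blacklist entry {listed} ({digest[:16]}...)")


if __name__ == "__main__":
    main()
```

On a real system the bytes would come from the cached .rpm files rather than from constructed strings, and a match means the package should be replaced with the updated version from the advisory.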

The company insists the effects of the intrusion on Fedora and Red Hat are not the same.

  • Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages. Furthermore, the Fedora package signing key is also not connected to, and is different from, the one used to sign community Extra Packages for Enterprise Linux (EPEL) packages.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

this is the evidence that open source linux security sucks!
0 Votes
+ -
How?
matt10 22nd Aug 2008
This only proves _any_ OS or software is vulnerable. This is a fact anyone in the security field (using linux/windows/mac/etc) will quickly admit. Linux has the advantage of having the source code available, so anyone can help make it more secure.
0 Votes
+ -
I agree, LiNuX sux.
bananatwinkie 22nd Aug 2008
I have tried Ubuntu 8.04.1. Always have enter my frickin password for everything. It's so annoying. I still can't get my X-Fi card to work.
0 Votes
+ -
With people like this...
storm14k 22nd Aug 2008
"Always have enter my frickin password for everything. It's so annoying"

...computers will always be insecure. Keep playing with Windows buddy.
0 Votes
+ -
That's curious
xuniL_z Updated - 22nd Aug 2008
He never said anything about being a Windows user.


Funny how some people make ASSumptions like this onw. Reveals more than you realize and you continue to do so.


Keep on using open source systems buddy, the windows community doesn't like blowhards.
0 Votes
+ -
What assumption....
storm14k 23rd Aug 2008
Where else is he going to do any and everything to his system without any authentication. He simply told on himself.
0 Votes
+ -
Ummmm...
todbran@... 25th Aug 2008
"Keep on using open source systems buddy, the windows community doesn't like blowhards." The assumption was made because Windows is the most insecure software on the market. When one is jealous, the assumption is easy to make.
0 Votes
+ -
Say what !
Intellihence 25th Aug 2008
"Keep on using open source systems buddy, the windows community doesn't like blowhards."

The windows community doesn't like blowhards except when they are stealing/using open source and unix code.

FACT: Microsoft has been using UNIX linux code in the Windows operating system for years.

Microsoft using Eric S. Raymond's code
http://www.linux.com/feature/53726

Microsoft to license Unix code
http://sonyvaio-cnet.com.com/2100-1016_3-1007528.html

Now I want to know why Microsoft has been using UNIX/LINUX code for years?

Do any of you windows users have an answer to this?

To make matters worse for Microsoft, Microsoft has been calling Linux a cancer. So if Linux is a cancer, why is Microsoft asking customers to port it to the Wintel iron? I've got one big word for Microsoft.

HYPOCRITES!!!

Microsoft Fights Unix, Linux with Free SFU
http://www.itjungle.com/two/two022504-story03.html
0 Votes
+ -
I am confused
elderlybloke 29th Aug 2008
The word onw ,what does that mean?

Oh, perhaps it is dyslexia and caused by use of MSBS

Love from Ubuntu 8.04.
0 Votes
+ -
Good Windows customer
djchandler 22nd Aug 2008
Exactly what we don't need in the Linux community. Just keep on complaining to MS. Linux users work together to solve problems, not blame others.
0 Votes
+ -
I agree...Windows sux.
linux for me 23rd Aug 2008
With Microsoft's new UAC, every time I have to do something, I have to enter my password, and click on tons of messages to verify on top of it.

It's so annoying!
0 Votes
+ -
Mandriva
pgit 25th Aug 2008
Try Mandriva One live CD and see how far you can get with the hardware.
0 Votes
+ -
Ummmm....
todbran@... 25th Aug 2008
this is why Ubuntu is soooooo much more secure than Windows. A little knowledge and more than a minute of effort will get your X-Fi card going.
Although Ubuntu has come out of nowhere to be the top installed Linux, it's far from being the best, easiest, or even most secure Linux. Nor is Fedora for that matter!

Ubuntu is sort of your garden variety "Do it Yourself" built Linux install (and Fedora is just a slight step up). They are so into total non-proprietary installs and freaked by lawsuit fears, etc, or anything remotely proprietary (like GPU Drivers) are all left for you to handle getting installed. Minimal Programs and applications are all you get in either of these, configured or running on first boot.

Meaning it's the Linux that comes in the Plain Brown Wrapper and if you've never used Linux, you're in for a freaky trip with Sudo (sort of access), instead of Root access (full Administrative control of your own Linux installation).

I try to steer everyone away from Ubuntu (of all Distros to begin with, NOT). Because if I myself have a hard time with it, after using Linux for over 12 yrs, a noob is going to be completely discouraged. Especially in just trying to get rid of the feeling they are using a distro strapped down in Brown molasses, plain, Driverless (devoid of any proprietary programs, drivers, installed and pre-configured hardware).

The Hard Core CLI-O-phytes (Command Line only) Linux users are scared to death that Linux might actually look nice and come with all the programs you could ever use pre-configured and installed along with all your hardware.

So the Classic Battle between Forward to the Future Distros and STUCK in the PAST ones continues. Ubuntu is one of those Distros that will never make it into Future Mainstream America because of this.

If you seriously want to try Linux, give Sabayon Linux a try. Simple install, everything is included and it all just works (even your X-Fi card)!

http://www.sabayonlinux.org

Re: Security? Linux beats everything else by miles and that's just plain obvious with its Secure Linux Kernel. Designed in co-operation with NSA (National Security Agency) for their own use!

Which Operating System is used on almost all the Super Computers in the World? Yes it's Linux or some form of Unix System!!! wink Ride the Wave, it's FREE and it's Open! Sabayon Linux!!!
0 Votes
+ -
I've Tried Ubuntu
nfhiggs@... 25th Aug 2008
and wasn't impressed. For one thing - it was an absolute nightmare trying to set it up for a static IP address. It kept 'switching' to IPv6 which makes no sense because virtually no one uses IPv6 yet. And it was SLOOOW. On a web page with an animated GIF background (matrix symbol waterfall) for instance, it used 70% CPU power to display it, and it did so at a rather slow, jerky speed. My windows box on the other hand, with identical hardware, used about 10% CPU power to display the page - and it did so smoothly at the appropriate speed.
0 Votes
+ -
I've tried Ubuntu, too
Billsey 25th Aug 2008
And it serves my needs quite well, thank you.
0 Votes
+ -
Good for you
nfhiggs@... 25th Aug 2008
I'm glad it serves your needs. It didn't serve mine. Maybe it runs better on a C2D processor and DDR2-800 RAM, but a Sempron 3400 and a GB of DDR-400 'should' have been plenty powerful enough to run animated web graphics.

I found Fedora Core 4 much easier to set up with a static IP address. Not sure how it did with animated graphics because I only used it for a Teamspeak server, and I didn't even leave the monitor on it, since I administered the server remotely, but it seemed to do fine in that role.
Linux is by far the best system for both security and presents the absolute best looking Desktop, knocking "Mohave" ...er ...Vista to the deck!!!

Reason? OpenGL has thoroughly trounced DirectX with some very efficient and fast footwork for the future. Unless Microsoft can go back and do a complete re-write of it (as did Khronos Group with OpenGL), they'll never be able to catch up!

Khronos Group BTW, is made up of literally all hardware manufacturers (including IBM, Intel, Nvidia, ATI/AMD, Nokia, Motorola, Freescale, Sony, etc.)!

Version 3.0 has been fully released and OpenGL ES 2.0 Hardware will be out for the Google Mobile OS, Android later this year! This new Operating System will be supported on literally all new hardware once they get some security bugs ironed out. No other Mobile OS will be capable of its full feature set! wink

LONG LIVE OPEN SOURCE LINUX and OPENGL/OPENCL API's for our Computing Future!
0 Votes
+ -
Well, that makes it conclusive...
rx7racer Updated - 25th Aug 2008
... YOU can't get your card to work in Linux, so Linux sux. I guess it's conclusive that Windows sux too, because I can't get wi-fi to work under XP in my dual-boot notebook (came with Vista/ added XP), with XP installed off a one year old SP2 disk. Neither the manufacturer (Acer) nor the chipset manufacturer Intel has a compatible XP driver. And it took hours of searching around to find XP drivers for everything from graphics (had to use a hacked driver and installer), and even basics like HD drivers.
On the other hand, everything, including Nvidia graphics drivers and WiFi, worked running straight off a Mandriva Live One CD. Guess I'll buy a larger HD and make it a triple boot configuration - I only put XP on because I have one piece of software that doesn't work under Vista.
Moral is, looks like WinXP sucks way more than Linux, if my problems were stacked against yours - if one person's experience with one install actually meant anything in the bigger picture. But really, it just shows you're an opinionated and ill-informed troll.

Oh, and I really like Vista's UAC too - how is having to confirm, after being asked for a password, an improvement over being asked for a password? Or perhaps you just work in XP, where security isn't really a priority, and both users and processes routinely need and have admin access, without any confirmation at all?
0 Votes
+ -
See the problem has been...
ye 22nd Aug 2008
...that many people (typically ABMers) leave the impression that only Windows is vulnerable when Windows security issues are reported.

Things to the effect of "They should have been running OS X".
0 Votes
+ -
true dat
bmonster 22nd Aug 2008
Yea...truth is all OS's have security vulnerabilities that are going to be uncovered over time. This fact won't stop trolls from trolling, whether they are Linux, Mac or Windows trolls. happy
0 Votes
+ -
The real problem has been that...
storm14k 22nd Aug 2008
...security issues are a common occurrence with MS. So when one occurs on any other platform the Microbrains are more than overjoyed to say "see..them too".
0 Votes
+ -
...of the reason I gave earlier. And with > 90% market share it's no surprise there are more security issues reported with MS. That's just common sense.
0 Votes
+ -
But with the majority...
storm14k 22nd Aug 2008
...of the most vulnerable servers out there...web servers...running non-MS, the market share argument simply doesn't hold true. So it's more of an excuse than common sense.
0 Votes
+ -
To my knowledge...
ye 22nd Aug 2008
...IIS isn't targeted by malware any more than Apache. Or can you show otherwise?
Debunked, repeatedly. And yet you keep using it.
0 Votes
+ -
This is slightly different
GuidingLight 22nd Aug 2008
yes, all Operating Systems have security issues and bugs, many times the issue is that they "could" or "may" be exploited, some achievable, some leaning towards theoretical if nothing else.

This is different as this was not relegated to could be breached, these systems were breached.
0 Votes
+ -
That's the problem!
bill@... 23rd Aug 2008
You never know if the guy supposedly helping to make it secure is the same guy who hacked it in the first place. God only knows what else he's putting in his supposed patch. There's no accountability with open source and never will be as long as it remains "open" to the public. Even though 95% of the open source community has good intentions, the other 5% you can't trust or count on the other 95% to keep them in check.
0 Votes
+ -
No...
zkiwi 24th Aug 2008
The fact that it remains open (to view mostly, to update much less so) is exactly why it is more secure. You seem to forget the 1.5 years, maybe more that Microsoft's servers were infiltrated.

Also, a "not so nice person" inside of Microsoft could just as easily have put interesting variations, backdoors etc into whatever they were working on. In fact I'd argue it was easier to do and to get away with that with Microsoft. Why? Just look at how much documentation they had to produce (as in it never existed) about their systems for the EC. Remember they offered the EC a look at the source code because the documentation wasn't there.
0 Votes
+ -
It is?...
storm14k Updated - 22nd Aug 2008
I see no mention of the method of intrusion. How do you know someone didn't simply get hold of a password? Or it may have been an inside job by some FOSS hater.
0 Votes
+ -
How does this compare
rpmyers1 22nd Aug 2008
To the year and a half that an intruder had access to MS' internal network?
0 Votes
+ -
sucks is good, bites is bad
dragon@... 22nd Aug 2008
Get it Right!

Why do we keep saying sucks like it's a bad thing?

It's open source religion, how can we pass on an open source FUBAR. Just kindly Get it Right!
0 Votes
+ -
One.......
todbran@... 25th Aug 2008
flaw gives you the opinion that Linux sucks? Seeing how Windows has had hundreds of security flaws, some un-patched, I can't wait for your opinion on it.
0 Votes
+ -
RE: Red Hat (belatedly) confirms security breach
Loverock Davidson 22nd Aug 2008
LOL!! What have I been saying all along? That linux is NOT secure and is NOT suitable for any purpose. Sure I was labeled names even though ZDNet editors decided not to delete personal attacks about me but here is the proof that linux just isn't any good!

Go linux fanboys, go download your source code, use your complex commands to extract the files, try to figure out the right sequence to getting it to compile, then go look for where the executable file is in a maze of file structures!

And you wonder why people are not interested in linux!! LOL!
0 Votes
+ -
I think you're being a bit extreme.
ye Updated - 22nd Aug 2008
That linux is NOT secure and is NOT suitable for any purpose.

Despite what the Linux advocates would have us believe Linux is no more/less secure than any other OS.

However Linux is a very suitable platform for many things. I personally use Linux to run Oracle database and application servers. Rock solid, flexible, and high performance. It's a great product...best part of all is it's free!
0 Votes
+ -
Now you do know...
storm14k 22nd Aug 2008
...that he's a wanna be Mike Cox right?
0 Votes
+ -
I don't care. (nt)
ye 22nd Aug 2008
.
0 Votes
+ -
The difference is..
peter_erskine@... 24th Aug 2008
that Mike Cox is a spoof for a laugh, but Loverock is a genuine nutcase.
0 Votes
+ -
Both sides of the fence
AllKnowingAllSeeing 24th Aug 2008
All camps have their "true believers", though I haven't seen Mike Cox here for a bit.
0 Votes
+ -
Waste of time
markdean 25th Aug 2008
He probably realized as I am, that these idiotic talkback forums serve little or no use other than to argue about OSes and the like and provide a lot of page imprints and click through traffic for zdnet advertising.

So I leave with this:

AIX ROCKS!!! All others suck!!!

See, it just doesn't do anything for me anymore...


See ya!
0 Votes
+ -
.....
Linux User 147560 22nd Aug 2008
And cue the village idiot king! You're late... guess you had to wait for that darn Windows machine to reboot. devil
0 Votes
+ -
Keep laughin Lovey boy...
Deefburger 25th Aug 2008
I'm laughing with you. How many breaches is that now? I can count them on one hand. While you were ROFL I was converting Infected Windows machines to Linux....Apple sells a few more machines and Windows gets breached again and gets more patches every Tuesday....

Laugh your A off pal!
0 Votes
+ -
download.microsoft.com
Deefburger 25th Aug 2008
Is running on Linux you fool!
0 Votes
+ -
Huh? How do you figure?
daboochmeister 25th Aug 2008
LiveHTTPHeaders shows it as running a combo of IIS 6.0 for most stuff, IIS 7.0 for some of the toolbar elements.
0 Votes
+ -
ROTFLMAO!
Loverock Davidson 22nd Aug 2008
This is so funny that I had to post twice to get all the laughter out. This proves linux isn't secure!

ROTFLMAO!!!!
0 Votes
+ -
Wake up in a new world every day?
IT_User 22nd Aug 2008
For more than a decade it's been well known that software on a network isn't secure. But now you're suddenly awakened to that fact and you think it's a laughing matter?

Your information, mine, and that of millions of others are at risk and you treat it as some kind of joke.

It's your choice, but you might start to think about growing up...
0 Votes
+ -
This proves you're a troll!
Deefburger 25th Aug 2008
How many anti-virus programs have you been through to protect your "secure" windows platform? Keep laughing there buddy!
...Windows. At best they're only good for detecting trojan programs. Otherwise I consider them worthless. Windows' security is sound and does an excellent job of protecting the system without the need for third party programs.
0 Votes
+ -
What?
davidhite 25th Aug 2008
If you are on a windows machine with no protection you got an infection. Windows is a great platform if you need to run software written for windows. The same can be said for *nix systems. I will say that a properly configured linux server performs much better than anything Microsoft.
