Zero Day

Ryan Naraine and Dancho Danchev

Red Hat (belatedly) confirms security breach

By Ryan Naraine | August 22, 2008, 11:34am PDT



Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages.

The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in the infrastructure systems” and calls into question Red Hat’s ability to promptly — and accurately — disclose security breaches.

Today’s acknowledgment is two-fold — an e-mail on the Fedora-Announce list and a critical Red Hat advisory — but some things surrounding the breach remain murky.

In the e-mail announcement, the group said it discovered the breach “last week” but there’s no mention of when it actually occurred.

It said that one of the Fedora servers was a system used for signing Fedora packages but insists with “high confidence” that the intruder was not able to capture the passphrase used to secure the Fedora package signing key.

  • Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
  • While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

In tandem with that announcement, Red Hat shipped a critical OpenSSH update to RHEL users that mentions “an intrusion on certain computer system” that compromised some OpenSSH packages.

  • In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

The company said its processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.

The company insists the effects of the intrusion on Fedora and Red Hat are not the same.

  • Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages. Furthermore, the Fedora package signing key is also not connected to, and is different from, the one used to sign community Extra Packages for Enterprise Linux (EPEL) packages.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.


Talkback Most Recent of 111 Talkback(s)

  • this is the evidence that open source linux security sucks!
    this is the evidence that open source linux security sucks!
    qmlscycrajg
    (Edited: 08/22/2008 11:44 AM)
  • How?
    This only proves _any_ OS or software is vulnerable. This is a fact anyone in the security field (using linux/windows/mac/etc) will quickly admit. Linux has the advantage of having the source code available, so anyone can help make it more secure.
    matt10
    08/22/2008 11:52 AM
  • I agree, LiNuX sux.
    I have tried Ubuntu 8.04.1. Always have enter my frickin password for everything. It's so annoying. I still can't get my X-Fi card to work.
    bananatwinkie
    08/22/2008 12:11 PM
  • With people like this...
    "Always have enter my frickin password for everything. It's so annoying"

    ...computers will always be insecure. Keep playing with Windows buddy.
    storm14k
    08/22/2008 12:18 PM
  • That's curious
    He never said anything about being a Windows user.


    Funny how some people make ASSumptions like this onw. Reveals more than you realize and you continue to do so.


    Keep on using open source systems buddy, the windows community doesn't like blowhards.
    xuniL_z
    (Edited: 08/22/2008 07:04 PM)
  • What assumption....
    Where else is he going to do any and everything to his system without any authentication. He simply told on himself.
    storm14k
    08/23/2008 11:30 AM
  • Ummmm...
    "Keep on using open source systems buddy, the windows community doesn't like blowhards." The assumption was made because Windows is the most insecure software on the market. When one is jealous, the assumption is easy to make.
    todbran@...
    08/25/2008 12:33 PM
  • Say what !
    "Keep on using open source systems buddy, the windows
    community doesn't like blowhards."

    The windows community doesn't like blowhards except
    when they are stealing/using open source and unix code.

    FACT; Microsoft has been using UNIX linux code in the
    Windows operating system for years.


    Microsoft using Eric S. Raymond's code
    http://www.linux.com/feature/53726

    Microsoft to license Unix code
    http://sonyvaio-cnet.com.com/2100-1016_3-1007528.html

    Now I want to know why Microsoft has been using
    UNIX/LINUX code for years?

    Do any of you windows users have an answer to this.

    To make matters worse for Microsoft, Microsoft has been
    calling Linux a cancer. So if Linux is a cancer, why is
    Microsoft asking customers to port it to the Wintel iron.
    I've got one big word for Microsoft.

    HYPOCRITES!!!

    Microsoft Fights Unix, Linux with Free SFU
    http://www.itjungle.com/two/two022504-story03.html
    Intellihence
    08/25/2008 08:13 PM
  • I am confused
    The word onw, what does that mean?

    Oh, perhaps it is dyslexia and caused by use of MSBS

    Love from Ubuntu 8.04.
    elderlybloke
    08/29/2008 02:03 PM
  • Good Windows customer
    Exactly what we don't need in the Linux community. Just keep on complaining to MS. Linux users work together to solve problems, not blame others.
    djchandler
    08/22/2008 01:15 PM
  • I agree...Windows sux.
    With Microsoft's new UAC, every time I have to do something, I have to enter my password, and click on tons of messages to verify on top of it.

    It's so annoying!
    linux for me
    08/23/2008 06:27 AM
  • Mandriva
    Try Mandriva One live CD and see how far you can get with the hardware.
    pgit
    08/25/2008 07:40 AM
  • Ummmm....
    this is why Ubuntu is soooooo much more secure than Windows. A little knowledge and more than a minute of effort will get your X-Fi card going.
    todbran@...
    08/25/2008 12:25 PM
  • You tried the WRONG Linux: Give Sabayon Linux a Try!!! wink
    Although Ubuntu has come out of nowhere to be the top installed Linux, it's far from being the best, easiest, or even most secure Linux. Nor is Fedora for that matter!

    Ubuntu is sort of your garden variety "Do it Yourself" built Linux install (and Fedora is just a slight step up). They are so into total non-proprietary installs and freaked by lawsuit fears, etc, or anything remotely proprietary (like GPU Drivers) are all left for you to handle getting installed. Minimal Programs and applications are all you get in either of these, configured or running on first boot.

    Meaning it's the Linux that comes in the Plain Brown Wrapper and if you've never used Linux, you're in for a freaky trip with Sudo (sorta of access), instead of Root access (full Administrative control of your own Linux installation).

    I try to steer everyone away from Ubuntu (of all Distros to begin with, NOT). Because if I myself have a hard time with it, after using Linux for over 12yrs, a noob is going to be completely discouraged. Especially in just trying to get rid of the feeling they are using a distro strapped down in Brown molasses, plain, Driverless (devoid of any proprietary programs, drivers, installed and pre-configured hardware).

    The Hard Core CLI-O-phytes (Command Line only) Linux users are scared to death that Linux might actually look nice and come with all the programs you could ever use pre-configured and installed along with all your hardware.

    So the Classic Battle between Forward to the Future Distros and STUCK in the PAST ones continues. Ubuntu is one of those Distros that will never make it into Future Mainstream America because of this.

    If you seriously want to try Linux, give Sabayon Linux a try. Simple install, everything is included and it all just works (even your X-Fi card)!

    http://www.sabayonlinux.org

    Re: Security? Linux beats everything else by miles and that's just plain obvious with its Secure Linux Kernel. Designed in co-operation with NSA (National Security Agency) for their own use!

    Which Operating System is used on almost all the Super Computers in the World? Yes it's Linux or some form of Unix System!!! wink Ride the Wave, it's FREE and it's Open! Sabayon Linux!!!
    i2fun@...
    08/25/2008 03:34 PM
  • I've Tried Ubuntu
    and wasn't impressed. For one thing - it was an absolute nightmare trying to set it up for a static IP address. It kept 'switching' to IPv6 which makes no sense because virtually no one uses IPv6 yet. And it was SLOOOW. On a web page with an animated GIF background (matrix symbol waterfall) for instance, it used 70% CPU power to display it, and it did so at a rather slow, jerky speed. My windows box on the other hand, with identical hardware, used about 10% CPU power to display the page - and it did so smoothly at the appropriate speed.
    nfhiggs@...
    08/25/2008 04:41 PM
