Some Linux Foundation crack attack details emerge

The Linux Foundation and its sites are still down after a hack attack.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

A well-maintained secure operating system, like Linux, can be safe. But, that doesn't mean that a Website built on top of it is necessarily safe. The Linux Foundation has found out the hard way. The Linux Foundation's main site, and related sites such as Linux.com are still down after a break-in was discovered on September 8th.

This attack came on the heels of the main Linux development site, kernel.org, being compromised in late August. Kernel.org is still down. In the meantime, Linus Torvalds has uploaded the mainline Linux source code to GitHub, a site that uses Git, a distributed version control system, for distributed software development. Once kernel.org is back in working order, though, Torvalds will return the code to it.

But while work continues apace on this site and over the Linux Kernel Mailing List (LKML), the Linux Foundation sites remain dark. If you visit these sites you'll find the following message:

Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their sub-domains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.

We are in the process of restoring services in a secure manner as quickly as possible. As with any intrusion and as a matter of caution, you should consider the passwords and SSH [secure shell] keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately. We are currently auditing all systems and will update this statement when we have more information.

We apologize for the inconvenience. We are taking this matter seriously and appreciate your patience. The Linux Foundation infrastructure houses a variety of services and programs including Linux.com, Open Printing, Linux Mark, Linux Foundation events and others, but does not include the Linux kernel or its code repositories.

That said, according to a Linux Foundation representative, "We believe there is a connection [between the kernel.org and Linux Foundation sites attacks] but are working with security experts and authorities to confirm the details." In addition, the spokesperson said, "We are working with authorities and aggressively working to restore services."

When pressed as to who these "authorities" were, I didn't get an answer. I presume though that police and other legal agencies are looking into this as being more than just a random attack. According to the site's FAQ, "We are aggressively investigating the source of the attack. Unfortunately, we can't elaborate on this for the time being."

So if you have a Linux.com account, are you in any possible trouble? Maybe. The site's FAQ notes that the "Linux Foundation does not store passwords in plaintext. However an attacker with access to stored password would have direct access to conduct a brute force attack. An in-depth analysis of direct-access brute forcing, as it relates to password strength, can be read at Choosing Secure Passwords. We encourage you to use extreme caution, as is the case in any security breach, and discontinue the use of that password if you re-use it across other sites."

I think you should assume that, unless you used a passphrase instead of a password, your password has been compromised. If you only used it on that site, you're probably fine. But if, like many people, you use the same password on many sites, change your password on those sites immediately.
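The FAQ's point above, that "not plaintext" is not the same as "safe against offline guessing", is easy to see in code. The following is an added illustration, not code from the Linux Foundation or from the article: it stores constructed sample passwords once as an unsalted fast hash and once with salted PBKDF2 (an assumed 200,000-iteration work factor), and shows what an attacker holding the stored values learns for free and how much a fixed guessing budget buys against each scheme.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not real account data.
USERS = {"alice": "linux123", "bob": "linux123", "carol": "correct horse battery staple"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the hardware you verify on


def store_unsalted_sha256(password):
    """'Not plaintext', but one fast hash per guess and identical output for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password, salt=None):
    """Salted, iterated hash: each guess costs PBKDF2_ITERATIONS hash calls, per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_pbkdf2(password, salt, digest):
    """Constant-time comparison of a candidate against the stored salt and digest."""
    _, candidate = store_pbkdf2(password, salt)
    return hmac.compare_digest(candidate, digest)


def reuse_visible_from_store(store):
    """With unsalted hashes, shared passwords are visible without a single guess."""
    return len(set(store.values())) < len(store)


def guesses_per_hash_budget(hash_calls, iterations=PBKDF2_ITERATIONS):
    """Candidate passwords a fixed budget of hash invocations buys: (fast hash, PBKDF2)."""
    return hash_calls, hash_calls // iterations


if __name__ == "__main__":
    unsalted = {u: store_unsalted_sha256(p) for u, p in USERS.items()}
    salted = {u: store_pbkdf2(p)[1].hex() for u, p in USERS.items()}
    print("reuse visible (unsalted):", reuse_visible_from_store(unsalted))
    print("reuse visible (salted PBKDF2):", reuse_visible_from_store(salted))
    print("guesses for 1e6 hash calls:", guesses_per_hash_budget(1_000_000))
```

The per-user salt also means the attacker cannot amortize one guess across every account in the dump, which is what makes a long passphrase, as advised above, far more valuable than a short password.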

How did this happen? We don't know yet. Paul Ducklin, Head of Technology, Asia Pacific at the security firm Sophos, speculated that the breach was made by a malware attack. What kind of attack? We don't know that either. From an e-mail sent by John 'Warthog9' Hawley, Chief Kernel.org Administrator, it appears that the first attack came in through a malware-compromised PC.

If, as appears likely, a cracker obtained high-level passwords, it would have been easy to "break" into the sites. It's like "breaking" into a house when you have the key: there's really nothing to it.

Eventually, we'll find out exactly what happened. What I already know today is that no operating system, not even such security heavyweights as Chrome OS or OpenBSD, is somehow magically immune to attacks.

Anything can be successfully attacked. It's just that some systems are easier to attack than others. This should serve as a reminder that Linux too can be vulnerable and needs to be guarded with proper security measures. Given how slowly and carefully The Linux Foundation is restoring its systems, it's clear they've learned that lesson.
