Hackers break into FreeBSD project servers with stolen SSH authentication key

22 Nov

FreeBSD developers say that hackers broke into two of the project's servers using a stolen SSH authentication key and login credentials that appear to have belonged to one of the developers.

The project has launched a full investigation into the breach and has taken several servers offline while it proceeds. Early indications are that the damage could have been far worse: none of the so-called base repositories (the stores of core components such as the kernel, system libraries, compiler and daemons) were touched, and only servers hosting source code for third-party packages were exposed by the attack, which was detected on November 11 and announced on Saturday, November 17, following a preliminary investigation.

The intrusion itself may have happened as far back as September 19, according to the project's announcement. On November 11, an intrusion was detected on two servers within the cluster. The affected machines were taken offline for analysis and probably won't be reconnected until sometime next week.

Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution. "We have found no evidence of any modifications that would put any end user at risk. However, we do urge all BSD users to read the report available on our site and decide on any required actions themselves. We will continue to update you as further information becomes known. We do not currently believe users have been affected given current forensic analysis," read a FreeBSD statement on their site.

No Trojanized packages have been uncovered so far, but FreeBSD users have nonetheless been urged, as a precaution, to carefully check any third-party packages installed or updated between September 19 and November 11.

The team has promised to tighten security, in particular by phasing out legacy services such as distribution of FreeBSD source via CVSup in favour of Subversion, freebsd-update and portsnap, which can verify what they deliver (freebsd-update and portsnap check signed snapshots; CVSup never authenticated its data). The compromise was "not due to any vulnerability or code exploit within FreeBSD", according to the BSD developers.

The whole incident raises some embarrassing and troubling questions, since the unknown attackers managed to steal both a developer's SSH (remote administration) private key file and passwords. Key-based authentication is only as strong as the protection of the private key: a key stored without a passphrase, or one accepted without source-address or forced-command restrictions on the server side, gives whoever copies the file the developer's full access.
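Two checks a practitioner would want to run after reading the above, as an added example that is not part of the original article or of the FreeBSD project's tooling: whether a private key file is actually passphrase-protected (the openssh-key-v1 container records a cipher name of "none" when it is stored in the clear; legacy PEM keys carry a Proc-Type header when encrypted), and which entries in a server's authorized_keys lack the from= and command= restrictions that limit what a stolen key can do. The key envelopes and the authorized_keys text below are constructed samples with placeholder key material, not real keys.

```python
import base64
import re
import struct

# --- Private keys: is the file passphrase-protected? -------------------------

def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length + data)."""
    return struct.pack(">I", len(b)) + b

def openssh_key_cipher(pem: str) -> str:
    """Return the cipher name recorded in an OpenSSH-format private key.

    The openssh-key-v1 container begins with the magic 'openssh-key-v1\\0',
    then the cipher name and KDF name as SSH strings. A cipher of 'none'
    means the key is stored in the clear: whoever copies the file owns it.
    """
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("not an openssh-key-v1 container")
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode()

def private_key_is_encrypted(pem: str) -> bool:
    """True if the key needs a passphrase; handles both OpenSSH and legacy PEM."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        return openssh_key_cipher(pem) != "none"
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY) announces encryption in a header.
    return "Proc-Type: 4,ENCRYPTED" in pem

def make_openssh_envelope(cipher: str, kdf: str) -> str:
    """Constructed sample: an openssh-key-v1 envelope with dummy key material.
    Only the header matters for this check, so no real key is generated."""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode()) + _ssh_string(b"") + b"\x00" * 8)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# --- authorized_keys: what does a stolen key actually buy? -------------------

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s")

def audit_authorized_keys(text: str) -> list:
    """For each key, list which of the two restrictions that limit the blast
    radius of a stolen key are absent: from= (allowed source addresses) and
    command= (forced command instead of a shell). Returns (comment, missing)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            continue                      # not a key line we understand
        options = line[:m.start()]        # everything before the key type
        rest = line[m.end():].split(None, 1)
        comment = rest[1].strip() if len(rest) > 1 else ""
        missing = tuple(opt for opt in ("from", "command")
                        if not re.search(r'(?:^|,)' + opt + r'="', options))
        findings.append((comment, missing))
    return findings

# Constructed sample authorized_keys (key blobs are placeholders, not real keys).
SAMPLE_AUTHORIZED_KEYS = """\
# unrestricted: a copy of this key gives a shell from anywhere
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0placeholder bob@laptop
from="203.0.113.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder carol@ops
from="10.0.0.0/8",command="/usr/local/bin/svnserve -t",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder alice@build
"""

if __name__ == "__main__":
    for cipher, kdf in (("none", "none"), ("aes256-ctr", "bcrypt")):
        env = make_openssh_envelope(cipher, kdf)
        print(cipher, "encrypted:", private_key_is_encrypted(env))
    for comment, missing in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(comment, "missing:", missing or "nothing")
```

Run against a real ~/.ssh directory, the first check reads each key file and flags any that report "none"; the second is the server-side review. Neither replaces rotating the key once theft is suspected, but together they show how much a single copied file is worth.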

Analysis of the attack can be found in an informative blog post by Paul Ducklin of Sophos. Attacks on open-source repositories are far from unprecedented: in July 2011, one project's infrastructure was suspended for a month following a much more serious malware attack and server compromise.

Then in August 2011, another breach of a project website left visitors exposed to malware that could also have infiltrated the site's MySQL databases.

But perhaps the most similar attack to the FreeBSD hacking attempt occurred in 2009, with a breach against the Apache Software Foundation, also facilitated by the misuse of SSH keys.

In other internet security news

The U.S. Transportation Security Administration (TSA) has taken yet another bad dose of publicity with the recent discovery that its PreCheck system lets passengers effectively choose their own screening status, undermining the other checks that depend on it.

The TSA’s PreCheck system allows some frequent fliers willing to pay $100 for a background check to skip some of the onerous security checks, like taking off shoes and unpacking laptops or toiletries. PreCheck customers are still subject to more intensive searches on a randomized basis, however.

Aviation blogger John Butler discovered that the barcode on PreCheck fliers' boarding passes stored its data in the clear and could be read by a simple smartphone app. It contained the flier's name, flight details and a single digit, either 1 or 3, with 3 marking the passenger as cleared for lighter screening.

That makes it a relatively simple task to scan an issued boarding pass, decode it, and change the screening flag before bringing something suspicious aboard, or even change the name on the ticket to match a fake ID.

After encoding the altered data into a new barcode, a couple of minutes of cut and paste, the forged boarding pass would scan as normal, Butler explained, and that is where the issue lies.

"The really scary part in all of that is the TSA document checker, because the scanners the TSA use are just barcode decoders; they don't check against the real-time information," he said. "So the TSA document checker will not pick up on the alterations."

This means that, as long as the boarding pass carries a 3, a passenger can always use the PreCheck line. For an agency that devotes so much effort to screening fliers, that is a surprising oversight.

The TSA's barcode readers are only used to check the data against the presented ID, not to verify that the boarding pass itself is genuine. Encrypting the barcode would hide the fields, but what is really needed is an integrity check: a signature or MAC over the fields that the scanner verifies, plus a lookup against the airline's live record, so that an altered or fabricated pass is rejected rather than accepted simply because it decodes.
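The weak scheme described above beside an authenticated one, as an added example that is not the TSA's or Butler's code: the field layout below is hypothetical and constructed for illustration (it is not the real boarding-pass barcode format), the scanner that only decodes accepts a flipped screening flag, and the hardened issuer appends an HMAC-SHA256 tag that a scanner holding the key checks before trusting any field. The key, passenger and flight values are constructed samples.

```python
import hashlib
import hmac

# Hypothetical field layout constructed for this example; it is NOT the real
# boarding-pass barcode format. Fields: name|flight|date|seat|screening,
# where screening "1" means standard screening and "3" means expedited.
FIELDS = ("name", "flight", "date", "seat", "screening")
SAMPLE_PASS = "DOE/JOHN|UA123|20121122|14C|1"   # constructed sample payload

def decode_fields(payload: str) -> dict:
    values = payload.split("|")
    if len(values) != len(FIELDS):
        raise ValueError("malformed payload")
    return dict(zip(FIELDS, values))

def encode_fields(fields: dict) -> str:
    return "|".join(fields[f] for f in FIELDS)

# --- The weak scheme the post describes: the barcode is the plaintext fields. --

def forge_expedited(payload: str) -> str:
    """Decode, flip the screening flag to 3, re-encode: Butler's cut-and-paste."""
    fields = decode_fields(payload)
    fields["screening"] = "3"
    return encode_fields(fields)

def decoder_only_scanner_allows_expedited(payload: str) -> bool:
    """A scanner that is 'just a barcode decoder' trusts whatever parses."""
    return decode_fields(payload)["screening"] == "3"

# --- Hardened form: an authenticated barcode. ---------------------------------
# The issuer appends an HMAC-SHA256 tag over the fields; scanners hold the
# key and reject any payload whose tag does not verify. (A public-key
# signature would let scanners verify without holding a secret; a MAC is
# used here to keep the example self-contained.)

def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:32]

def issue_signed(payload: str, key: bytes) -> str:
    return payload + "|" + _tag(payload, key)

def verify_signed(barcode: str, key: bytes):
    """Return the decoded fields if the tag verifies, otherwise None."""
    payload, sep, tag = barcode.rpartition("|")
    if not sep or not hmac.compare_digest(tag, _tag(payload, key)):
        return None
    return decode_fields(payload)

def tamper_signed(barcode: str, new_screening: str) -> str:
    """Attacker edits a field but cannot recompute the tag without the key."""
    payload, _, tag = barcode.rpartition("|")
    fields = decode_fields(payload)
    fields["screening"] = new_screening
    return encode_fields(fields) + "|" + tag

if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed; real deployments manage keys
    print("weak scheme accepts forgery:",
          decoder_only_scanner_allows_expedited(forge_expedited(SAMPLE_PASS)))
    signed = issue_signed(SAMPLE_PASS, key)
    print("genuine pass verifies:", verify_signed(signed, key) is not None)
    print("tampered pass verifies:", verify_signed(tamper_signed(signed, "3"), key) is not None)
```

The tag stops field edits, not copying: a genuine expedited pass photographed and reprinted still verifies, which is why the real-time lookup against the airline record is still needed alongside it.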

According to the TSA's vision statement, the agency strives to "continuously set the standard for excellence in transportation security through its people, processes, and technology." The evidence here suggests otherwise.

In other security news

According to a newly released study, attackers exploit security vulnerabilities in software for roughly ten to eleven months, on average, before the details of those flaws become public.

Researchers from Symantec say that these zero-day attacks, so called because they exploit flaws the vendor and security firms do not yet know about, are more prevalent and longer-lived than previously believed.

Zero-day exploits are closely guarded secrets because they are valuable to whoever holds them. Once the details of the underlying flaw emerge in public, application developers and system administrators can get to work on patches and mitigations.

But disclosure comes at a price: it also tells every other attacker that the flaw exists, and exploitation volume rises sharply as a result.

Case in point: Leyla Bilge and Tudor Dumitras, both of Symantec Research Labs, identified no fewer than eighteen zero-day attacks between January 2008 and December 2011, eleven of which were previously undetected.

“A typical zero-day attack lasts an average of about 312 days and, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to five orders of magnitude,” the security researchers note.

The study is based on data from customers who had opted into Symantec’s anti-virus telemetry service.

A paper on the research, "Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World", was presented at the ACM Conference on Computer and Communications Security (CCS 2012) in Raleigh, North Carolina, in October.

In other internet security news

U.S. federal law enforcement agencies under the Department of Justice (DoJ) are increasingly gaining real-time access to Americans' social network accounts, such as Twitter, Facebook and Google+, without first obtaining search warrants, newly released documents reveal.

The numbers are dramatic: live interception requests made by the DoJ to social-networking sites and email providers rose by more than 80 percent from 2010 to 2011 alone, and the trend is continuing.

Documents the ACLU released yesterday reveal that U.S. federal police are using a 1986 law, originally intended to tell police which phone numbers a suspect dialed, for far more invasive surveillance: monitoring whom specific social-network users communicate with, which IP addresses they connect from, and perhaps even their likes and +1s.

The DoJ conducted 1,662 live intercepts on social networks and email providers last year, up from only 922 a year earlier, the reports demonstrate.

The ACLU hopes that the disclosure of the documents it sued to obtain under the Freedom of Information Act will persuade Congress to tighten up the requirements for police to intercept “noncontent” data — a broad category that excludes e-mail messages and direct messages.

The current legal standard “allows the government to use these powerful surveillance tools with very little oversight in place to safeguard Americans’ privacy,” says Catherine Crump, an ACLU staff attorney.

And it could work. On September 25, Rep. Zoe Lofgren, D-Calif., introduced a new bill that would require police to get warrants to access Americans’ email and track their mobile phones. But last week, senators delayed a vote on a similar bill after law enforcement groups vehemently objected to it.

The U.S. DoJ didn’t immediately respond to questions about social-network surveillance. We’ll update this story if we receive a response.

It is still not clear how many of those 1,662 real-time intercepts last year, which do require a judge's approval, targeted social networks and how many were aimed at email providers.

Traditional phone intercepts remain far more frequent– for example, the U.S. Marshals Service says that 409 of its noncontent intercepts were for internet service providers, while 14,568 were for telephone call data.

The largest number of them fell into the fugitive-finding category, including parole or probation violations. To perform noncontent intercepts on social networks, police must generally seek court authorization for a pen register or trap and trace order, both of which are terms borrowed from decades-old surveillance law.

They were originally designed to allow law enforcement to easily collect the phone numbers associated with incoming and outgoing calls, and were extended to the Internet by the Patriot Act eleven years ago.

However, the Patriot Act didn’t make it any more difficult for law enforcement to ask for such an order. Police must merely claim their request is “relevant” to an ongoing investigation. A search warrant, by contrast, requires probable cause, and a live wiretap order is even more privacy-protective.

What is also unclear is what kind of real-time data police are seeking from social networks through these orders. It is clear that they can obtain the current IP address of a Facebook user, for instance, and the port number, which is increasingly important because many users share one public address behind NAT, so the port is needed to tell them apart.

But it’s less clear whether a “+1” or information about a user’s circle of friends would be permitted. And the wording of that section of the Patriot Act is more broad than narrow. It says that police can demand all “routing” or “addressing” information that’s transmitted through an Internet service or that’s “likely to identify the source of a wire or electronic communication.”

Christopher Soghoian, principal technologist with the ACLU’s Speech, Privacy and Technology Project says “This is a very invasive surveillance technology. We don’t even have a feel for how broadly it’s currently being used, and that’s only part of the issue.”

In other internet security news

Malware authors appear to be experimenting with Google's Go as a programming language for writing malware.

The Encriyoko Trojan uses components written in Go, a compiled language developed by Google that was first released more than three years ago. Once installed on a Microsoft Windows PC, the Trojan uses the Blowfish algorithm to encrypt all files matching various criteria, including particular document types and a range of file sizes.

The key used for encryption is either pulled from a particular file on the D: drive or generated at random. Unless that key can be recovered, the encrypted data is useless to its owner.

“Restoration of the encrypted files will be difficult, if not impossible,” Symantec warns about the Trojan. The malware is circulating in the wild, and disguises itself as a tool to root Samsung Galaxy smartphones – a process that would otherwise allow customized operating systems to be installed on the phones.

It is possible that the unknown malware writers are simply using a programming language they have taken a liking to. "Go could also be more resilient to reversing attempts by researchers as it isn't really mainstream for now. The latter may be more a perception by the coders than in reality."

There is little Google can do about this: a general-purpose compiled language is a tool like any other, and the practical effect for defenders is on analysis, since the tooling for reverse-engineering Go binaries lags behind that for C and C++. The useful response is for analysts to build that tooling and for users to treat "rooting tools" downloaded from untrusted sources with suspicion.
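A triage check for the point above, as an added example that is not part of the original article or of Symantec's analysis: recognising a Go-built executable from the strings its toolchain leaves behind, and listing which crypto packages it references, which is a quick hint that a sample encrypts something the way Encriyoko does. The marker strings are heuristics drawn from general knowledge of Go binaries (they can be stripped or obfuscated, and the exact import path of a Blowfish package is an assumption here), and the two blobs are constructed samples, not real executables.

```python
import re

# Heuristics for recognising a Go-built executable during triage. These
# markers come from general knowledge of what Go's linker leaves in binaries;
# they are not taken from Symantec's write-up and can be stripped or obfuscated.
GO_MARKERS = (
    b"Go build ID:",   # build-ID string the linker writes into the binary
    b".gopclntab",     # section name for Go's PC-to-line table (ELF)
    b"runtime.main",   # runtime symbol names survive even stripped builds
    b"go.buildid",
)

# Import paths appear in symbol names such as "crypto/aes.NewCipher" or
# "golang.org/x/crypto/blowfish.NewCipher" (path assumed for the sample);
# capture the package name that follows "crypto/".
_CRYPTO_PKG_RE = re.compile(rb"crypto/([a-z0-9]+)\.[A-Za-z]")

def go_markers_found(blob: bytes) -> list:
    """Which of the known Go markers occur anywhere in the file contents."""
    return [m.decode() for m in GO_MARKERS if m in blob]

def looks_like_go(blob: bytes, threshold: int = 2) -> bool:
    """Require more than one marker so a lone 'runtime.main' string in some
    unrelated file does not trip the check."""
    return len(go_markers_found(blob)) >= threshold

def crypto_packages(blob: bytes) -> set:
    """Crypto packages the binary references, e.g. {'blowfish', 'rand'}."""
    return {m.decode() for m in _CRYPTO_PKG_RE.findall(blob)}

# Constructed samples: a few strings stitched together, not real executables.
SAMPLE_GO_BLOB = (b"MZ\x90\x00" + b"\x00" * 16 + b"Go build ID: \"abc123\"\x00"
                  + b"runtime.main\x00main.encryptFiles\x00"
                  + b"golang.org/x/crypto/blowfish.NewCipher\x00crypto/rand.Read\x00")
SAMPLE_C_BLOB = (b"MZ\x90\x00" + b"\x00" * 16
                 + b"GetProcAddress\x00kernel32.dll\x00main\x00")

if __name__ == "__main__":
    for name, blob in (("go-sample", SAMPLE_GO_BLOB), ("c-sample", SAMPLE_C_BLOB)):
        print(name, "go:", looks_like_go(blob), "markers:", go_markers_found(blob),
              "crypto:", sorted(crypto_packages(blob)))
```

On a real sample, read the file in binary mode and pass its bytes to these functions; a positive result tells the analyst which toolchain to prepare for before opening the binary in a disassembler.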

In other internet security news

The U.K.'s Government Communications Headquarters (GCHQ), the country's signals-intelligence agency, has launched a new initiative to persuade tech-savvy British citizens to help defend their own country against hackers and cyber attackers.

GCHQ is looking for people aged 16 and over who are not already working in computer security and who could help guard the country's networks against hostile states, cyber criminals and so-called script kiddies.

Candidates must first prove themselves in a 'Balancing the Defence' game. Participants will analyse a fake government network for possible paths of intrusion, help determine the threats it faces and suggest ways to defend it, all while taking into account the increasingly budget-conscious climate in the U.K.

Participants will have just one week, starting on October 1st, to be briefed on the scenario and submit their report. "We hope that this competition will uncover those who have the vital mix of technical ability and business awareness to make tough decisions in the best interest of an organization," said Joen Karl, the architect of the competition.

"At GCHQ, we are really committed to finding and developing new cyber security skills in the U.K., and these are the skill sets that employers, including ourselves, are most interested in," he added in a statement.


Posted by on November 22, 2012 in Technology updates


36 responses to "Hackers break into FreeBSD project servers with stolen SSH authentication key"

  1. Pingback: dlegtlwic
  2. Wayne Wilson

    November 28, 2012 at 4:22 pm

    I really like your blog, very nice colors and theme. Did you design this website yourself or did you hire someone to do it for you? Please answer back, as I'm looking to create my own blog and would like to find out where you got this from. Thanks.


      November 30, 2012 at 9:47 pm

      Firstly, thanks for the comment. This blog is designed by me; I have not paid money for that. If you want a blog like mine, just reply to me and I will help you. I'm also new to blogging, but I will definitely help you.

  3. mestreseo

    December 11, 2012 at 8:20 pm

    i think this blog is very informative though. mestreseo mestreseo mestreseo mestreseo mestreseo

  4. Tyson F. Gautreaux

    December 15, 2012 at 6:29 am

    I just want to say I am new to blogging and honestly enjoyed your blog site. Almost certainly I’m want to bookmark your blog . You definitely come with outstanding article content. Kudos for sharing with us your website page.

  5. stimulate hair follicles

    December 19, 2012 at 8:11 am

    I just want to say I am beginner to blogging and really enjoyed this blog site. Almost certainly I’m planning to bookmark your website . You surely come with wonderful posts. Kudos for sharing your web-site.

  6. faster hair growth

    December 19, 2012 at 11:23 am

    I simply want to mention I am newbie to blogs and absolutely liked this web blog. More than likely I’m going to bookmark your website . You really come with fantastic well written articles. Regards for sharing with us your web-site.

  7. Visit This Link

    December 20, 2012 at 5:17 pm

    The next time I read a weblog, I hope that it doesn't disappoint me as much as this one. I mean, I know it was my choice to read, but I just thought you'd have something intriguing to say. All I hear is several whining about something that you could fix if you weren't too busy seeking attention.

  8. accident car lawyer

    December 22, 2012 at 11:24 pm

    Picking out Fast Programs Of philadelphia accident attorney

  9. Temporary Brian

    December 23, 2012 at 9:17 am

    I just couldn’t depart your web site before suggesting that I really enjoyed the standard info a person provide for your visitors? Is gonna be back often in order to check up on new posts .

  10. visit site

    December 23, 2012 at 12:35 pm

    This really solved my problem, thank you!

  11. consumers

    December 24, 2012 at 11:13 am

    Jesus Christ, there's a great deal of spammy comments on this web site. Have you ever thought about trying to remove them or putting in a tool?

  12. ca cheats

    December 24, 2012 at 7:48 pm

    extremely beneficial stuff, in general I picture this is worthy of a book mark, thank you

  13. Roma Fondow

    December 25, 2012 at 2:01 am

    Rattling excellent info can be found on blog.

  14. iphone screen repair pleasanton

    December 25, 2012 at 2:49 am

    This is a wonderful website, would you be interested in working on an interview about just how you made it? If so e-mail me personally!

  15. rent hearing aids orleans

    December 25, 2012 at 6:11 am

    I was basically wanting to know if you ever considered switching the design of your website? It's very well written; I really like what you have got to say. But maybe you could add a little more in the way of written content so people can connect to it better. You've got an awful lot of text for only having one or two pictures. Maybe you can space it out better?

  16. visit chairmat

    December 25, 2012 at 7:18 am

    Is it fine to insert a portion of this on my site if I publish a reference to this webpage?

  17. machining ceramics

    December 25, 2012 at 12:10 pm

    Copyright ©2011-2012 All Rights Reserved.

  18. suplementy diety

    December 25, 2012 at 5:14 pm

    Valuation on beneficial information right here is much like cost of gold — excessive! Do you think about writer work? Because, in my opinion, you are one of the best writer worthwhile it!

  19. suplementy diety na odchudzanie

    December 26, 2012 at 4:00 am

    Did you know which felling when you trying to find new things, along with following number of hr of disappointment using garbage website an individual observed a real precious stone associated with net? Yes, it right now after that type in your blog! Very good job.. wow, so good.

  20. useful link

    December 31, 2012 at 11:33 pm

    One thing I’d like to say is before purchasing more computer memory, look into the machine in which it will be installed. In case the machine is definitely running Windows XP, for instance, the particular memory limit is 3.25GB. The installation of over this would basically constitute some sort of waste. Be sure that one’s motherboard can handle the upgrade amount, as well. Interesting blog post.

  21. Wayne Dock

    January 1, 2013 at 12:34 am

    You're really a good webmaster. The web site loading speed is amazing. It seems that you're doing a distinctive trick. Furthermore, the contents are a masterpiece. You have done a fantastic task on this subject!

  22. Cruz Rogian

    January 1, 2013 at 2:00 am

    Thanks – Enjoyed this blog post, is there any way I can get an alert email when you publish a new post?

  23. Bryon Tselee

    January 1, 2013 at 3:56 am

    I have learn several excellent stuff here. Certainly value bookmarking for revisiting. I surprise how much effort you put to make such a fantastic informative web site.

  24. chair mat

    January 1, 2013 at 11:51 am

    I believe that one of your current ads caused my internet browser to resize, you might well want to set that on your blacklist.

  25. internet chair mat

    January 1, 2013 at 2:32 pm

    An interesting post there mate . Thanks for the post !

  26. best chairmats

    January 2, 2013 at 5:22 am

    Just discovered this site through Google, what a way to brighten up my day!

  27. Johnie Collado

    January 2, 2013 at 5:53 am

    Excellent blog here! Also your web site loads up fast! What host are you using? Can I get your affiliate link to your host? I wish my web site loaded up as fast as yours lol

  28. Visit This Link

    January 2, 2013 at 9:49 am

    Some New Ideas On Issues For personal injury attorney boca raton

  29. Cameron Toplin

    January 2, 2013 at 10:03 am

    As a Newbie, I am continuously exploring online for articles that can help me. Thank you

  30. try chairmat

    January 2, 2013 at 11:02 am

    I tried viewing your site on my iphone and the page layout does not seem to be right. Might wanna check it out on WAP as well as it seems most cellular phone layouts are not really working with your web page.

  31. licorne

    January 3, 2013 at 4:29 am

    Thank you for another excellent post. Where else could anybody get that type of information in such an ideal way of writing? I have a presentation next week, and I am on the look for such information.

  32. electric motor repair dover nh

    January 3, 2013 at 12:59 pm

    I conceive this internet site contains some really great info for everyone :D. "When you get a thing the way you want it, leave it alone." by Sir Winston Leonard Spencer Churchill.

  33. Milan Spennicchia

    January 3, 2013 at 5:52 pm

    When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three e-mails with the same comment. Is there any way you can remove people from that service? Bless you!

  34. Delbert Frechette

    January 3, 2013 at 11:07 pm

    I'm not that much of an internet reader to be honest, but your blog's really nice; keep it up! I'll go ahead and bookmark your website to come back later. All the best
