Awesome work, and happy that nothing bad has happened. One question: should a password length and secure password creation check be enforced on the FAS system? Like regular expression checks and such. I know this is asking a lot; the current implementation allows me to have a simple password, if I remember correctly (need to check, it has been a long time). And password expiry? :)

On Tue, Jan 25, 2011 at 1:14 PM, Jared K. Smith <jsmith@xxxxxxxxxxxxxxxxx> wrote:
> Summary: Fedora infrastructure intrusion but no impact on product integrity
>
> On January 22, 2011 a Fedora contributor received an email from the Fedora
> Accounts System indicating that his account details had been changed. He
> contacted the Fedora Infrastructure Team indicating that he had received
> the email, but had not made changes to his FAS account. The Infrastructure
> Team immediately began investigating, and confirmed that the account had
> indeed been compromised.
>
> At this time, the Infrastructure Team has evidence that indicates the account
> credentials were compromised externally, and that the Fedora Infrastructure was
> not subject to any code vulnerability or exploit.
>
> The account in question was not a member of any sysadmin or Release Engineering
> groups. The following is a complete list of privileges on the account:
> * SSH to fedorapeople.org (user permissions are very limited on this machine).
> * Push access to packages in the Fedora SCM.
> * Ability to perform builds and make updates to Fedora packages.
>
> The Infrastructure Team took the following actions after being
> notified of the issue:
> 1. Lock down access to the compromised account
> 2. Take filesystem snapshots of all systems the account had access to
>    (pkgs.fedoraproject.org, fedorapeople.org)
> 3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the
>    present
>    Here, we found that the attacker did:
>    * Change the account's SSH key in FAS
>    * Login to fedorapeople.org
>    The attacker did not:
>    * Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in
>      any way
>    * Generate a koji cert or perform any builds
>    * Push any package updates
>
> Based on the results of our investigation so far, we do not believe that any
> Fedora packages or other Fedora contributor accounts were affected by this
> compromise.
>
> While the user in question had the ability to commit to Fedora SCM, the
> Infrastructure Team does not believe that the compromised account was used to
> do this, or cause any builds or updates in the Fedora build system. The
> Infrastructure Team believes that Fedora users are in no way threatened by this
> security breach and we have found no evidence that the compromise extended
> beyond this single account.
>
> As always, Fedora packagers are recommended to regularly review commits to
> their packages and report any suspicious activity that they notice.
>
> Fedora contributors are strongly encouraged to choose a strong FAS password.
> Contributors should *NOT* use their FAS password on any other websites or
> user accounts. If you receive an email from FAS notifying you of changes to
> your account that you did not make, please contact the Fedora Infrastructure
> team immediately via admin@xxxxxxxxxxxxxxxxxx
>
> We are still performing a more in-depth investigation and security audit and we
> will post again if there are any material changes to our understanding.
>
> --
> Jared Smith
> Fedora Project Leader
> --
> announce mailing list
> announce@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/announce
>

--
Cheers
Jose
http://josemanimala.eu.org/blog
Ph: +64221033100

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure