Re: Security incident on Fedora infrastructure on 23 Jan 2011

Awesome work and happy that nothing bad has happened.

One question: should a password-length and secure-password-creation
check be enforced on the FAS system, like regular-expression checks
and such? I know this is asking a lot; the current implementation
allows me to have a simple password, if I remember correctly (need to check),
it's been long. And password expiry?  :)

On Tue, Jan 25, 2011 at 1:14 PM, Jared K. Smith
<jsmith@xxxxxxxxxxxxxxxxx> wrote:
> Summary: Fedora infrastructure intrusion but no impact on product integrity
>
> On January 22, 2011 a Fedora contributor received an email from the Fedora
> Accounts System indicating that his account details had been changed. He
> contacted the Fedora Infrastructure Team indicating that he had received
> the email, but had not made changes to his FAS account. The Infrastructure
> Team immediately began investigating, and confirmed that the account had
> indeed been compromised.
>
> At this time, the Infrastructure Team has evidence that indicates the account
> credentials were compromised externally, and that the Fedora Infrastructure was
> not subject to any code vulnerability or exploit.
>
> The account in question was not a member of any sysadmin or Release Engineering
> groups. The following is a complete list of privileges on the account:
> * SSH to fedorapeople.org (user permissions are very limited on this machine).
> * Push access to packages in the Fedora SCM.
> * Ability to perform builds and make updates to Fedora packages.
>
> The Infrastructure Team took the following actions after being
> notified of the issue:
> 1. Lock down access to the compromised account
> 2. Take filesystem snapshots of all systems the account had access to
>    (pkgs.fedoraproject.org, fedorapeople.org)
> 3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the
>    present
>    Here, we found that the attacker did:
>      * Change the account's SSH key in FAS
>      * Login to fedorapeople.org
>    The attacker did not:
>      * Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in
>        any way
>      * Generate a koji cert or perform any builds
>      * Push any package updates
>
> Based on the results of our investigation so far, we do not believe that any
> Fedora packages or other Fedora contributor accounts were affected by this
> compromise.
>
> While the user in question had the ability to commit to Fedora SCM, the
> Infrastructure Team does not believe that the compromised account was used to
> do this, or cause any builds or updates in the Fedora build system. The
> Infrastructure Team believes that Fedora users are in no way threatened by this
> security breach and we have found no evidence that the compromise extended
> beyond this single account.
>
> As always, Fedora packagers are recommended to regularly review commits to
> their packages and report any suspicious activity that they notice.
>
> Fedora contributors are strongly encouraged to choose a strong FAS password.
> Contributors should *NOT* use their FAS password on any other websites or
> user accounts. If you receive an email from FAS notifying you of changes to
> your account that you did not make, please contact the Fedora Infrastructure
> team immediately via admin@xxxxxxxxxxxxxxxxxx
>
> We are still performing a more in-depth investigation and security audit and we
> will post again if there are any material changes to our understanding.
>
> --
> Jared Smith
> Fedora Project Leader
> --
> announce mailing list
> announce@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/announce
>

-- 
Cheers
Jose
http://josemanimala.eu.org/blog
Ph: +64221033100
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
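Step 3 of the response above (audit SSH and FAS logs from the time of compromise) and its finding (the attacker changed the account's SSH key in FAS, then logged in to fedorapeople.org) can be turned into a small correlation check. The following is an added example, not the Fedora Infrastructure Team's tooling: it assumes a simple (timestamp, user, event) FAS audit record, standard sshd "Accepted publickey" lines, and uses constructed sample data rather than anything from the real incident.

```python
import re
from datetime import datetime

# Constructed sample data (assumed FAS audit format; standard sshd log form).
# Nothing here comes from the real incident.
FAS_EVENTS = [
    ("2011-01-22T10:02:11", "alice", "ssh_key_changed"),
    ("2011-01-22T10:05:40", "bob", "email_changed"),
]

SSHD_LOG = """\
Jan 22 09:55:01 fedorapeople sshd[4001]: Accepted publickey for alice from 192.0.2.10 port 51111 ssh2
Jan 22 10:07:45 fedorapeople sshd[4102]: Accepted publickey for alice from 198.51.100.7 port 50222 ssh2
Jan 22 10:09:02 fedorapeople sshd[4110]: Accepted publickey for bob from 192.0.2.20 port 50333 ssh2
Jan 22 11:30:17 fedorapeople sshd[4201]: Accepted publickey for alice from 198.51.100.7 port 50444 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text, year=2011):
    """Yield (timestamp, user, ip, method) for each successful sshd login.
    syslog lines carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
            yield (datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                   m["user"], m["ip"], m["method"])


def logins_after_key_change(fas_events, sshd_text):
    """Return {user: [(login_time, ip, new_ip), ...]} for public-key logins
    made after that user's SSH key was changed in FAS. new_ip is True when
    the source address was never used by the account before the key change,
    which is the session an auditor wants to look at first."""
    key_changes = {u: datetime.fromisoformat(t)
                   for t, u, ev in fas_events if ev == "ssh_key_changed"}
    seen_before = {}  # user -> set of IPs used before the key change
    suspect = {}
    for when, user, ip, method in sorted(parse_sshd(sshd_text)):
        if user not in key_changes or method != "publickey":
            continue
        if when < key_changes[user]:
            seen_before.setdefault(user, set()).add(ip)
        else:
            suspect.setdefault(user, []).append(
                (when.isoformat(), ip, ip not in seen_before.get(user, set())))
    return suspect
```

The same split (events before the key change establish a baseline, events after it are the audit window) applies to the Git and Koji logs the announcement lists; here only the sshd side is shown.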