25.01.2011, 08:24, "Jose Manimala" <josemanimala@xxxxxxxxx>: > Awesome work and happy that nothing bad has happened. > > One question is should a password length and secure password creation > check be enforced on the FAS system. Like regular expression checks > and stuff. I know this is asking a lot, the current implementation > allows me to have a simple password if I remember(need to check) been > long. And password expiry? :) > > On Tue, Jan 25, 2011 at 1:14 PM, Jared K. Smith > <jsmith@xxxxxxxxxxxxxxxxx>; wrote: > >> Summary: Fedora infrastructure intrusion but no impact on product integrity >> >> On January 22, 2011 a Fedora contributor received an email from the Fedora >> Accounts System indicating that his account details had been changed. He >> contacted the Fedora Infrastructure Team indicating that he had received >> the email, but had not made changes to his FAS account. The Infrastructure >> Team immediately began investigating, and confirmed that the account had >> indeed been compromised. >> >> At this time, the Infrastructure Team has evidence that indicates the account >>> credentials were compromised externally, and that the Fedora Infrastructure was >> not subject to any code vulnerability or exploit. >> >> The account in question was not a member of any sysadmin or Release Engineering >> groups. The following is a complete list of privileges on the account: >> * SSH to fedorapeople.org (user permissions are very limited on this machine). >> * Push access to packages in the Fedora SCM. >> * Ability to perform builds and make updates to Fedora packages. >> >> The Infrastructure Team took the following actions after being >> notified of the issue: >> 1. Lock down access to the compromised account >> 2. Take filesystem snapshots of all systems the account had access to >> (pkgs.fedoraproject.org, fedorapeople.org) >> 3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the >> present >> Here, we found that the attacker did: >> * Change the account's SSH key in FAS >> * Login to fedorapeople.org >> The attacker did not: >> * Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in >> any way >> * Generate a koji cert or perform any builds >> * Push any package updates >> >> Based on the results of our investigation so far, we do not believe that any >> Fedora packages or other Fedora contributor accounts were affected by this >> compromise. >> >> While the user in question had the ability to commit to Fedora SCM, the >> Infrastructure Team does not believe that the compromised account was used to >> do this, or cause any builds or updates in the Fedora build system. The >> Infrastructure Team believes that Fedora users are in no way threatened by this >> security breach and we have found no evidence that the compromise extended >> beyond this single account. >> >> As always, Fedora packagers are recommended to regularly review commits to >> their packages and report any suspicious activity that they notice. >> >> Fedora contributors are strongly encouraged to choose a strong FAS password. >> Contributors should *NOT* use their FAS password on any other websites or >> user accounts. If you receive an email from FAS notifying you of changes to >> your account that you did not make, please contact the Fedora Infrastructure >> team immediately via admin@xxxxxxxxxxxxxxxxxx >> >> We are still performing a more in-depth investigation and security audit and we >> will post again if there are any material changes to our understanding. It could be done by compromising his email address. BTW, you don't have to register in FAS to figure out the address. Just connect to IRC Freenode and message Zodbot: .fasinfo [nickname] -- Best regards, Misha Shnurapet, Fedora Project Contributor https://fedoraproject.org/wiki/Shnurapet shnurapet AT fedoraproject.org, GPG: 00217306 _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure