The Debian GNU/Linux project today admitted a hacker had compromised one of its internal servers. “Early this morning we discovered that someone had managed to compromise gluck.debian.org,” Debian developer James Troup wrote in an e-mail to the Debian community. “We’ve taken the machine offline and are preparing to reinstall it,” Troup continued, noting a number of key services were currently offline as a result.
I think it is great that they have let this news out. If anything, it just goes to prove how secure a Debian system can be… How many times has Microsoft acknowledged something like this happening?
It was very irresponsible of this article, or the Debian devs, or wherever the choke on info took place, not to go into further detail about this hack. The article makes it sound like they have a specific exploit in mind as the vector, and yet it gives no information on what it was, or even where it was (kernel, services, which service, which version, etc.).
Now that I think about it, not going into detail is very conducive to FUD, isn’t it? Debian was hacked, therefore Debian is insecure. Debian is Linux, therefore Linux is insecure. Names are tarnished and money is made for the advertiser in the scrolling text in the upper right. Another fine “Microsoft doesn’t have the monopoly on swiss cheese” article.
Now that I think about it, not going into detail is very conducive to FUD, isn’t it? Debian was hacked, therefore Debian is insecure. Debian is Linux, therefore Linux is insecure.
Calm down – this is no FUD. The server was compromised, so the article says the truth. With comments like this you just feed the MS trolls. There are no details because the analysis is not done yet. It may take days or weeks until it is clear how that happened. But rest assured that Debian will disclose the whole information about it.
You may take a look at http://www.debian-administration.org/articles/417 but it does not say much more. I hoped I’d find an insightful comment, but still to no avail. Hopefully in a couple of hours, though…
From the article: Troup added Debian would commence securing its other servers from “what we suspect is the exploit used to compromise gluck”.
Tell us what you suspect! If I were running important services on Debian, I’d want to know exactly where the point of vulnerability is. It just seems to me they should be a lot more open source about their investigation. A lot of people rely on Debian. Give them some heads up here.
And I know the article isn’t in itself fud; I was just suspicious of the way it was reported and began to wonder if ZDNet had the same leanings as C|Net. Turns out that much was the Deb dev’s fault, so I’ll turn the sword around: it’s very bad for credibility and trustworthiness to act this way in response to a flaw, namely reporting that you’ve got your own servers under control but not telling anyone else how they might go about doing the same with theirs.
Just clarifying. The lack of detail in this article struck several different nerves. Thanks for the link. Be sure to post any new info.
The lack of detail in this article struck several different nerves.
I’m not sure what level of detail one could come up with in an article after reading the announcement about the server being owned:
http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html
I have no doubt that this email is the source for the article. Yes – we are all sensitive about such news. But what do you expect to read if the problem has been announced yesterday? I do not have any doubt that we will be able to read more as soon as the debian developers know more about the problem.
James Troup states in his email:
We’re still investigating exactly what happened and the extent of the damage. We’ll post more info as soon as we reasonably can.
And this is definitely better than speculation about what might have happened, right?
You have to look at frequency. This kind of stuff happens regularly in the windows world.
It happens once…. *once* to a Debian server and all of a sudden Linux is insecure.
Nothing is perfect, but you’re making a very big stretch here.
You have to look at frequency. This kind of stuff happens regularly in the windows world.
Sure, but you can’t compare it to all the insecure desktops out there. You have to compare it with Microsoft, MSN or Hotmail getting hacked. And when was the last time this happened?
Probably because they’re running on BSD.
Hotmail migrated from BSD some time ago. It took them a while, but they did it. They have some papers about the migration, and surprisingly enough, the first one is about why it failed the first time.
Quoting smashit: “sure, but you can’t compare it to all the insecure desktops out there. you have to compare it with microsoft, msn or hotmail getting hacked. and when was the last time this happened?”
Incidentally, Microsoft and MSN use Akamai, which uses a combination of Linux, Windows and other servers.
Hotmail uses a proprietary edition of Windows unavailable to the public.
Don’t Microsoft’s servers (via Akamai) run Linux?
It happens once…. *once* to a debian server an all of a sudden linux is insecure.
Well… hum… actually it happened _twice_. A couple of years ago (more or less) it happened the same.
more actually…
“Debian was hacked, therefore Debian is insecure.”
this is a logical fallacy that does not follow.
A server runs Debian, and it is hacked. That does not automatically mean that Debian is insecure. Someone could have had physical access to the machine, or it could have been set up incorrectly, or maybe someone with access got their password stolen. All reasons why Debian would not be at fault.
“Debian is Linux, therefore Linux is insecure.”
Another logical fallacy. This one really doesn’t follow, not only because the first one didn’t, but because where your train of thought is going you could just say: Linux runs on computers, therefore computers are insecure. Computers run banks, therefore banks are insecure. There is no logic to such a conclusion, and it’s the same illogical links that you used to say that Debian or Linux is insecure.
Are people actually mad at me because I predicted the trolling before it happened, or because they think I’m actually saying this? They seem to appreciate your useless post, so I guess the latter. I really don’t like it when people patronize each other in forum posts, but my god, here is your clue: I’m not actually saying that. I’m saying that an incomplete story leads to rumor, generalization, and misinformation. I called this reasoning FUD right before I spelled it out. I’m sorry mere text didn’t allow for a flashing neon sign.
“People might get the wrong idea and think this…”
“But that thinking is wrong in the following four ways…”
Duh! That’s the whole point!
Nothing wrong with getting hacked… what is important is restoring the data and fixing the system so it does not get hacked again.
“We will not hide problems”. That is Debian social contract #3.
Indeed, Debian documented exactly what happened and how they restored compromised servers last time this happened. Visit http://www.wiggy.net/debian/.
So I expect them to do the same again. Let’s wait.
James Troup posted some clarifications!
Check this out:
http://lists.debian.org/debian-devel-announce/2003/11/msg00012.html
You will find all your answers there.
I suggest you check the date on that email, or look at the url, or in the very least read some of it yourself, such as these parts:
“Wednesday 19th November (2003)” and “Date: Fri, 28 Nov 2003 01:04:00 +0000”
James Troup posted some clarifications!
Check this out:
http://lists.debian.org/debian-devel-announce/2003/11/msg00012.html
You will find all your answers there.
I don’t think so. That post is from 2003.
I disagree that every post concerning Linux must be compared to Microsoft and vice-versa. As a NetBSD, Solaris and Windows user, if this were the same kind of post, my concern would be how the problem affects me and how to update my system.
The Debian GNU/Linux project today admitted a hacker had compromised one of its internal servers
I wouldn’t get too upset about this. Debian did the correct thing in disclosing (as opposed to admitting), that they have had a compromise.
Be thankful that they are willing to do this. The best secure systems will eventually get a hack or two. It is good that Debian found out. I doubt Debian had any secrets hidden from the hacker.
And sometimes you’re not hacked at all, such as the OpenBSD project.
OpenBSD got a compromise some time ago on its primary mirror, I think it was sunsite, running Solaris. OK, granted, it’s not a development machine and granted, they’re pretty tight on their code, but I don’t believe Debian got hacked just because they run Linux. And yes, I’m an avid OpenBSD fan && user.
Sure, no secrets… AFAIK it is a CVS machine, so no private keys stolen, no backdoors committed to the source tree, none of the “I’ve been watching you for three months” will happen. Yeah, sure.
Typical excuses when something like this gets to the news… “Microsoft is even worse”.
Maybe this is why Linux doesn’t take off on the desktop market? Linux zealots’ consolation is that even if their system is mediocre, “Microsoft’s one is even worse”.
They don’t care about quality… They just want to know that they’re better than Microsoft.
“They don’t care about quality… They just want to know that they’re better than Microsoft.”
And they are. See, did that take so long? Really, I don’t know what point you’re trying to make. Being better than MS is often exactly the point. Microsoft is a huge company with nigh-infinite R&D funding. If a smaller, independent, not-for-profit project like Debian can outperform the Microsoft equivalent, that’s news. It’s OS news! It’s a bragging point. It’s a compelling argument for change. It is the essence of “quality” to be better than something else. The dictionary says so.
If we follow your point to its conclusion, Linux(distros) would have to be flawless before they could make a quality claim at all. It just doesn’t hold up. The world record 100-meter sprinter isn’t the fastest piece of matter in the universe, but he’s faster than other humans attempting the same feat.
And guess what? As long as he holds the record and the fame, he’s got a big red bullseye on his tunic. I know Microsoft bashing seems childish (and it often is), but to not mention relative security just because the relative point (MS) is “low” is a tad ridiculous.
That’s why MS retaliates against the TCO argument so strongly. If a corporate, for-profit monoculture can come in under budget against a “free” alternative, that’s something to brag about. Of course, they still charge, but the argument is that they charge less, not nothing. It’s the very basis for choice-making.
The thought of how far Linux would have to fall to be worse than Microsoft gives me vertigo.
I know that’s why none of my family uses it. They read OSN everyday and just can’t stand the way linux users defend linux!
It goes to show that there could be no Linux thread without some comparison to Microsoft, and when that happens, the whole point is often missed.
This is horrible that a break-in occurred at Debian. In the days of compromises at tcpdump, IRC client sites and the like, people were often afraid that the source or binaries downloaded were somehow changed. Today, it’s all about defending Linux despite the bad news. If a distribution leader’s systems can become compromised, what about the novices out there who know little about their system’s security and assume that just because it’s Linux it’s unhackable?
What debian did NOT disclose is what exactly was affected and how it could affect its users. Does anyone still want to defend them?
Edited 2006-07-13 12:22
Some troll throwing it out there does not change the subject or exonerate anybody from anything. They’ve admitted it and given what they know as they know it, but hey, I’m sure you could just glance at it and know exactly what and how it was compromised immediately. Why should they bother taking time with forensics or actually proving things when they could just half-ass guess and make you happy?
On the contrary. The system was named *.debian.org, which could indicate that it runs some service relative to Debian. The least they could do is say that it is a system that has write access to their CVS repository or one that provides web services.
Either way, you would at least be cautioned that you should be careful downloading this or that from Debian as opposed to a false sense of security and “liking” they got hacked because it proves something superfluous to you
Since this is a developer/build machine…I am thinking this is probably something that requires local access.
The only real good exploits for Linux in quite a while have been ones that require you to first be logged in to the system.
Linux does not have nearly as many exploits that can be attacked from the outside, like that other OS we all love that has more holes than a Swedish bikini team.
That’s why not only the provider, but any responsible contractor will put that machine(s) way out of reach of the internet. If it won’t, then you really deserve to be hacked.
If I said I’m pleasantly surprised by every comment above mine, would you be able to guess why?
I think I was expecting too much
How many apologists there are for this.
“Nothing wrong getting hacked… what is important restoring of data back and fixing the system not get hacked again.”
“I wouldn’t get too upset about this.”
“You have to look at frequency. This kind of stuff happens regularly in the windows world. ”
Wow
You’d never read that in response to a MS or OS X hack.
Just what exactly do they have to apologise for? This, as far as I’ve read so far, is just one box, maybe not even an exploit; possibly social engineering or someone leaving the root password on a post-it note.
In the realm of Linux users (or any group, for that matter), there are people who:
1. like to point fingers at their competitors, at every opportunity
2. like to defend their product, at every opportunity
It is to be expected that the people from group #1 will make the negative comments towards Windows and the people from group #2 will make defensive remarks towards Linux. It is only hypocritical if the comments you are referring to are coming from the same group.
I’m in group #2. So, I’m going to assume that the apologetic comments you are reading are not from the same people who have made negative comments .
“In the realm of Linux users (or any group, for that matter), there are people who:
1. like to point fingers at their competitors, at every opportunity
2. like to defend their product, at every opportunity
…I’m in group #2.”
And the people attacking Debian are probably Windows users who are in group #1. I personally think being in either group #1 or #2 is as bad as being in the other group. Instead, people should be neutral and lay blame where it belongs and defend against attacks when they aren’t deserved. IMHO, being hacked twice within a few years is very bad and is very close to being inexcusable.
Actually it’s pretty much exactly what you hear in response to OS X security problems.
I don’t really much care what people say in response to Windows hacks, so I wouldn’t know .
I wonder if SELinux could have prevented this? I believe that Debian does not yet include SELinux, though perhaps it will in the future – does anyone happen to know?
Yes, SELinux would have very likely prevented this if properly configured. SELinux, i.e. Mandatory Access Control, limits the effects of root access. The “root” user falls under the basic Unix permissions scheme known as DAC or Discretionary Access Control. MAC is a security layer that sits on top of DAC and further limits what DAC-privileged software is capable of doing.
This very likely wouldn’t have happened on a redhat box due to SELinux configurations and proactive security like Exec-shield and SSP (gcc 4.1) compiled software.
Since you don’t know how the attack was carried out, you are not in a position to know whether SELinux would have prevented it.
Yes, SELinux would have very likely prevented this if properly configured.
A properly configured SELinux would have limited the damage a compromise can do. I can guarantee you a properly configured SELinux would have prevented the attacker from installing and using a rootkit.
Since you don’t know how the attack was carried out, you are not in a position to know whether SELinux would have prevented it.
If you know that then please tell us how the intruder got in, because that’s the only way you could say that.
I think you have to be guessing, and you act like you know.
Sure, SE’s magic will harden even the meekest secretary from social engineering.
`The best secure systems will eventually get a hack or two. It is good that Debian found out. I doubt Debian had any secrets hidden for the hacker.`
My wife’s Win box got hacked about three to four weeks ago. I believe it was something she downloaded as a `surf-by` attachment. She had all the `whiz-bang` programs from `anti-spy and malware` to firewall and it still corrupted her computer. Be careful of MySpace – it’s a cracker’s dream in more than one way.
A Linux box can get cracked as well as a Win box. I’ve noticed that if a Linux box `is` compromised the damage is generally limited in nature. Generally it is limited to weak passwords and deletion of user data files.
So a) if a Linux box prompts for the root password your wife might not know it or b) your wife does know how to work with computers, just had tough luck on her windows machine.
If you don’t think deletion of user data is dangerous (think – generally if you can delete it you can read it) you must be kidding.
It was a developer machine, lots of accounts as well as lots of services running on it! I find it shameful that anyone would hack a debian server, I thought you got more l33t points for knocking microsoft or at least linspire or xandros!
The “known” compromise that is being corrected doesn’t bother me; it is the “unknown” compromise that is not even noticed that worries me!
Doesn’t that strike anyone as strange? Why would you use an unencrypted password — or any password at all. On my home box, login is via SSH with a 4096-bit key only — no password access at all. Not that people don’t try to get into it, but the IPs get auto-blacklisted in response to the attempt.
So, if you have any insecure/vulnerable services working out their privilege escalation features, instead of stealing/rewriting passwords, the exploit only has to *guess* where you keep your keys
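The auto-blacklisting described two posts up (block a source after repeated failed password attempts) is easy to get wrong in the one way that matters for an incident like gluck: the interesting event is not the failures but a *successful* password login from a source that had been guessing. The script below is an added example, not code from the thread or from Debian's infrastructure. It assumes lines in the classic syslog format sshd writes to auth.log; the sample log, host name, addresses (RFC 5737 documentation ranges) and user names are constructed for the example, and the year is supplied by the caller because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of what sshd writes to auth.log: five failed password guesses
# from one source, a key-based login from elsewhere, a successful *password* login
# from the guessing source, and a single stray failure from a third host.
SAMPLE_AUTH_LOG = """\
Jul 12 03:14:07 host sshd[12345]: Failed password for invalid user test from 203.0.113.5 port 41234 ssh2
Jul 12 03:14:09 host sshd[12346]: Failed password for invalid user admin from 203.0.113.5 port 41235 ssh2
Jul 12 03:14:11 host sshd[12347]: Failed password for root from 203.0.113.5 port 41236 ssh2
Jul 12 03:14:13 host sshd[12348]: Failed password for bob from 203.0.113.5 port 41237 ssh2
Jul 12 03:14:15 host sshd[12349]: Failed password for bob from 203.0.113.5 port 41238 ssh2
Jul 12 03:15:00 host sshd[12350]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Jul 12 03:16:02 host sshd[12351]: Accepted password for bob from 203.0.113.5 port 41239 ssh2
Jul 12 03:20:00 host sshd[12360]: Failed password for carol from 192.0.2.9 port 6000 ssh2
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_syslog_ts(text, year=2006):
    """auth.log timestamps have no year; the caller supplies it (2006 here, the year of the thread)."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def analyze_auth_log(lines, threshold=5, window_seconds=600, year=2006):
    """Return the sources to block (>= threshold failures inside a sliding window) and
    every password login that came from a source which had already failed at least once."""
    recent = defaultdict(deque)     # ip -> failure timestamps still inside the window
    ever_failed = defaultdict(int)  # ip -> total failures seen so far
    block = set()
    suspicious = []                 # (user, ip): password accepted after guessing from that ip
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts, ip = parse_syslog_ts(m["ts"], year), m["ip"]
            dq = recent[ip]
            while dq and (ts - dq[0]).total_seconds() > window_seconds:
                dq.popleft()        # drop failures that fell out of the window
            dq.append(ts)
            ever_failed[ip] += 1
            if len(dq) >= threshold:
                block.add(ip)
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["method"] == "password" and ever_failed[m["ip"]]:
            suspicious.append((m["user"], m["ip"]))
    return {"block": sorted(block), "suspicious_logins": suspicious}


if __name__ == "__main__":
    result = analyze_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for ip in result["block"]:
        print(f"block {ip}")
    for user, ip in result["suspicious_logins"]:
        print(f"ALERT: password login for {user} from {ip} after failed guesses")
```

Blocking is the cheap part; the `suspicious_logins` list is the one to page on, because it is exactly the "weak password guessed" case, and the login that follows it looks like an ordinary session to everything else on the box.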
Probably there are many more unreported/uncaught cases. Migration to *BSD or Solaris must be taken into consideration.
“limiting access to DSA only, until they can be fixed for what we suspect is the exploit used to compromise gluck.”
Seems to be implying that the problem resulted from a weak security policy. Didn’t their previous server break-ins involve stolen login credentials? I won’t be as impressed if this was a repeat.
And this story shows that, after all the troubles a Windows shop might encounter during a Windows to Linux migration, the result may not look good.
//You have to look at frequency. This kind of stuff //happens regularly in the windows world.
I suspect they were actually running a Windows server and not Linux; that’s why it was compromised.
Yes, this is a box that has access to debian sources so you CAN conclude that Debian was hacked. This is not just a workstation that is being talked about. Making a conclusion that the sources are ok without any information is a dangerous assumption.
Taken from:
http://db.debian.org/machines.cgi?host=gluck
Host name: gluck.debian.org
Architecture: i386
Access: developer only
Disk space: 735Gb [6×147 RAID5]
Description: Primary web server, CVS server, People server
It appears the exploit was a combination of weak passwords and a local root vulnerability[1].
1. http://www.debian.org/News/2005/20060713
Your link is bad… here is the correct one:
http://www.debian.org/News/2006/20060713
Even the most secure OS on earth can be hacked if the admin is an idiot. OK, I don’t want to say it so harshly, but what I want to say is the following:
You can use the most secure OS, but the human is the failure in it. So this does not say very much about the security of Debian, but enough about the quality of the network administrator. (imo)
The person wearing the network admin hat and the one wearing the system admin hat will tell you that developers and normal users routinely ask for more lax security than they should get. Don’t blame them.
You would expect that a Debian server would require VPN access and no passwords would be used for authentication, only tokens of some sort or at least keys. To leave this open as is means the developer’s home system is also suspect.
Wow!! I just learned of this server today and can connect via ssh to it from my home system. It’s asking me for a password instead of disconnecting me. It should throw me out because I don’t have a key, or a challenge response, or Kerberos.
Let me guess:
ListenAddress 0.0.0.0:22
PasswordAuthentication=yes
Now all I have to do is read CVS annotation logs for developer names to get valid usernames for this system and go to town. I won’t but you would hope that Debian would know better.
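The two lines the poster above guessed at are a real configuration smell, and it is worth checking for them mechanically rather than by eye, because sshd_config has two properties that fool a quick read: keywords are case-insensitive with an optional `=`, and the *first* occurrence of a keyword wins, so a `PasswordAuthentication no` near the bottom of the file does nothing if a `yes` appears above it. The auditor below is an added example (not code from the thread or from Debian); the weak configuration is the poster's two lines, the hardened alternative and the finding texts are the author's assumptions, `Include` files are not followed, and anything after a `Match` block is only reported as unaudited because those settings are conditional.

```python
import re

# The two lines guessed at in the post above.
WEAK_SSHD_CONFIG = """\
ListenAddress 0.0.0.0:22
PasswordAuthentication=yes
"""

# Assumed hardened alternative: key-only logins, no password or keyboard-interactive
# fallback, and root login disabled outright.
HARDENED_SSHD_CONFIG = """\
ListenAddress 0.0.0.0:22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return (values, has_match): values maps lowercased keyword -> first value seen.
    Mirrors sshd_config rules: '#' starts a comment, the separator is whitespace or '=',
    keywords are case-insensitive, and the first occurrence of a keyword wins."""
    values = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            has_match = True   # everything below applies conditionally; stop collecting globals
            break
        values.setdefault(key, value)
    return values, has_match


def audit_sshd_config(text):
    """Return a list of findings (empty means nothing flagged)."""
    cfg, has_match = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults PasswordAuthentication and ChallengeResponseAuthentication to yes,
    # so an absent line is as weak as an explicit yes.
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is yes (also the default when unset): "
                        "every account is only as strong as its password")
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() == "yes":
        findings.append("ChallengeResponseAuthentication is yes: keyboard-interactive "
                        "(e.g. via PAM) can still prompt for a password")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: the default depends on the OpenSSH version, set it explicitly")
    elif root.lower() == "yes":
        findings.append("PermitRootLogin yes: root can be guessed at directly")
    if has_match:
        findings.append("Match block present: conditional settings below it were not audited")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sshd_config(text) or ["no findings"]:
            print(" -", finding)
```

The first-wins rule is the one to remember when hardening an existing box: appending the secure settings to the end of a file that already enables password authentication changes nothing, and `sshd -T` (which prints the effective configuration) is the quickest way to confirm what the daemon actually resolved.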
The Debian explanation: “A recently discovered local root vulnerability in the Linux kernel has then been used to gain root access to the machine.”
May 18th isn’t terribly recent.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451
It’s like the Debian people saying, “Holy crap, we got cracked!” versus the MicSoft people mumbling, “Damn, cracked again.”
No, given the description on the Debian site, SELinux wouldn’t have made any difference at all.
And no, it’s not surprising that it turns on a compromised password. Nor that it happened before. Nor that there were other weak passwords on the system.
And no, requiring shared credentials doesn’t make a system more secure from weak password attacks. It merely changes the point at which the attack must occur to succeed.
What we see here is a classic example of a weakest link exploit. This is why things like SELinux make little or no difference. They merely amount to adding armor to the strong points of the system. I count at least four social engineering related mistakes here, and none of them would have been addressable by SELinux.
On the other hand, having SELinux around is certainly giving some people a false sense of security.