GNU Savannah Site Compromised
Trailrunner7 writes "A site belonging to the Savannah GNU free software archive was attacked recently, leading to a compromise of encrypted passwords and enabling the attackers to access restricted project material. The compromise was the result of a SQL injection attack against the savannah.gnu.org site within the last couple of days, and the site is still offline now. A notice on the site says that the group has finished the process of restoring all of the data from a clean backup and bringing up access to some resources, but is still in the middle of adjusting its security settings."
Re:But Linux is TEH SAFEZORZ! (Score:4, Informative)
It was a GNU project it was running on HURD not Linux.
Umm... this wasn't a LINUX issue; it was an SQL injection attack on a website. Are you just trying to troll, or do you really not know the difference?
Nothing new (Score:3, Informative)
Red Hat/Fedora servers had been hacked, compromising the private signing key: http://www.pcworld.com/businesscenter/article/150212/hackers_crack_into_red_hat.html
Ubuntu repositories hacked: http://www.pcworld.com/businesscenter/article/150212/hackers_crack_into_red_hat.html
And don't forget the Debian SSL key debacle....
Re:Encrypted passwords? (Score:3, Informative)
SHA1 is highly vulnerable to brute force through optimized attacks. That's why NIST (among others) are recommending moving away from SHA1. Ditto for MD5.
Re:Encrypted passwords? (Score:3, Informative)
A salt + a good hash will protect against brute-forcing. Encryption will allow the attacker to get the original password back, which can be used on other websites etc. Any web site worth its salt (pun unintended) hashes the passwords instead of encrypting them. C'mon, this is Web Security 101 stuff.
Re:Encrypted passwords? (Score:5, Informative)
Add to that that gcc is hosted.
GCC's code repositories are hosted on gcc.gnu.org, a machine also known as sourceware.org, which is owned and operated by Red Hat and provides hosting for basically the entire GNU toolchain (automake, autoconf, binutils, GCC, gdb, glibc, and libstdc++)[1].
This attack therefore would not be able to modify the GCC sources.
[1] Notably not present are GNU's bison, libtool, m4 and make.
Re:Encrypted passwords? (Score:2, Informative)
Holy shit, they're actually seriously considering MD5. This is embarrassing.
Guys, there's a reason (cert.org) why I'm saying that MD5 is a Very Bad Idea.
That's straight MD5. Password hashes using PHK@FreeBSD's algorithm are a bit more complicated (e.g., a thousand iterations with a salt):
http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme
Most Linux distributions still use the MD5-based hash for their shadow files. Of course using a new algorithm is probably better, but we're (hopefully) not talking about straight MD5, but rather the crypt/PHK variant.
Re:Encrypted passwords? (Score:3, Informative)
Various Unixes, including Linux distributions like RHEL / CentOS include a modern algorithm inspired by PHK that uses the later SHA family algorithms, and has variable rounds.
But keep in mind that, despite all the tutting from know-nothings on Slashdot who react to keywords like 'MD5', even the original DES-based crypt remains remarkably secure. While a Windows password or MD5 rainbow table is something you can get from any Torrent site, crypt tables still don't exist. While Windows brute-forcers can chew through eight alphanumerics while you wait for your pizza to cook, crypt will take weeks.
Basically, other systems spent the early 21st century catching up to where Unix was in the 1970s.
And none of this helps you when a user picks something dumb like 'linux' or 'opensesame' as a password.
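The three points argued across this sub-thread (hash, don't encrypt; salt plus many rounds beats a precomputed table; none of it saves a user who picks 'linux') can be shown in a few lines. The following is an added example written for this page, not code from the Savannah project or from any of the commenters. It implements a simplified salted, iterated SHA-256 scheme in the spirit of the crypt() family (the `$demo$` record format, the round count and the byte layout are this example's own choices, not the real md5crypt or sha512crypt layout), beside plain unsalted MD5, and runs a small constructed wordlist against both. The passwords and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample inputs for this example (not data from the incident).
WEAK_PASSWORD = "linux"
STRONG_PASSWORD = "correct horse battery staple 2010"

# A tiny constructed wordlist standing in for an attacker's dictionary /
# rainbow table; the weak password is in it, the strong one is not.
WORDLIST = ["password", "123456", "opensesame", "linux", "gnu", "savannah"]


def plain_md5(password: str) -> str:
    """Unsalted, single-pass MD5: the same password always gives the same
    hash, so one precomputed table cracks it on every site that uses this."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_iterated_hash(password: str, salt: bytes, rounds: int) -> str:
    """Salt + many rounds, the idea behind md5crypt/sha512crypt.

    Hypothetical record format for this example only:
        $demo$<rounds>$<hex salt>$<hex digest>
    Storing the salt and round count in the record is what lets the
    verifier (and only the verifier) recompute the digest later.
    """
    pw = password.encode()
    digest = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds - 1):
        # Feed the previous digest back in so each round depends on the last;
        # the attacker must pay for every round per guess, per salt.
        digest = hashlib.sha256(digest + salt + pw).digest()
    return f"$demo${rounds}${salt.hex()}${digest.hex()}"


def new_record(password: str, rounds: int = 5000) -> str:
    """Create a stored record with a fresh random 16-byte salt."""
    return salted_iterated_hash(password, os.urandom(16), rounds)


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt/rounds and compare in constant time."""
    _, tag, rounds, salt_hex, _ = record.split("$")
    if tag != "demo":
        raise ValueError("unknown hash format")
    candidate = salted_iterated_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, record)


def build_md5_table(words) -> dict:
    """The attacker's precomputed table: hash -> password, built once."""
    return {plain_md5(w): w for w in words}


def crack_md5(hash_hex: str, table: dict):
    """O(1) lookup: unsalted hashes fall to a table built before the breach."""
    return table.get(hash_hex)


def crack_salted(record: str, words):
    """No table possible: every guess costs the full round count for this
    record's salt. A weak password in the wordlist still falls."""
    for w in words:
        if verify(w, record):
            return w
    return None


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print("MD5 of 'linux' via table:", crack_md5(plain_md5(WEAK_PASSWORD), table))
    weak = new_record(WEAK_PASSWORD)
    strong = new_record(STRONG_PASSWORD)
    print("salted weak record cracked:", crack_salted(weak, WORDLIST))
    print("salted strong record cracked:", crack_salted(strong, WORDLIST))
    print("two records for same password differ:", new_record("linux") != new_record("linux"))
```

The two `new_record("linux")` calls producing different strings is the point about rainbow tables: with a per-user salt the attacker cannot precompute anything before the dump lands, and has to spend `rounds` hash calls per guess per record afterwards. The last assertion below is the thread's closing caveat: the same scheme does nothing for 'linux', because it is in any wordlist.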