
GNU Savannah Site Compromised

Trailrunner7 writes "A site belonging to the Savannah GNU free software archive was attacked recently, leading to a compromise of encrypted passwords and enabling the attackers to access restricted project material. The compromise was the result of a SQL injection attack against the savannah.gnu.org site within the last couple of days and the site is still offline now. A notice on the site says that the group has finished the process of restoring all of the data from a clean backup and bringing up access to some resources, but is still in the middle of adjusting its security settings."
  • Not the first time. (Score:5, Interesting)

    by molo ( 94384 ) on Tuesday November 30, 2010 @06:45PM (#34396470) Journal

    GNU Savannah was hacked in 2003 also. http://news.cnet.com/2100-7344-5117271.html [cnet.com]

    "We expect to take measures in the aftermath of the Savannah incident," said Eben Moglen, general counsel for the Free Software Foundation, which maintains the GNU Project, a source of freely available software for Unix and Linux systems. Among the measures, the project leaders will force developers to digitally sign any code they submit, and they plan to introduce additional features to freely available source-code maintenance systems--the best known being the Concurrent Versions System, or CVS--to check developers' digital signatures before accepting changes.

    "We believe (adding digital signatures) is the single most useful technical change to tighten these systems to assure the integrity of the code they contain," Moglen said.

    Does anyone know if the changes described here came to be? Did they help at all in this attack?

    -molo

  • by tlhIngan ( 30335 ) on Tuesday November 30, 2010 @07:31PM (#34397034)

    You kidding? That has absolutely everything to do with the hash function used!

    SHA1 is highly vulnerable to brute force through optimized attacks. That's why NIST (among others) are recommending moving away from SHA1. Ditto for MD5.

    That's if you want to intelligently brute force a SHA1 hash. If however the test material is short (e.g., passwords), then it doesn't matter if you use SHA1, SHA2, whatever. Just do a simple dictionary attack first to see if you can get easy passwords.

  • by sumdumass ( 711423 ) on Tuesday November 30, 2010 @08:11PM (#34397478) Journal

    Nah, WikiLeaks only seems interested in harming the US government and the US economy. That would seem to be beneath them, as it could potentially help.

  • Re:Obligatory (Score:2, Interesting)

    by Anonymous Coward on Tuesday November 30, 2010 @08:24PM (#34397636)

    Does it look to you like this GNU code [gnu.org] was written by a wise old neckbeard? It's 780 lines of unreadable crap. This [bell-labs.com] is what the code of a wise old neckbeard looks like.

  • by jrumney ( 197329 ) on Tuesday November 30, 2010 @09:31PM (#34398346)

    They changed CVS and other version control systems hosted on savannah to require ssh key based logon for write access. It's not quite what is quoted, but a big step in that direction that was immediately achievable without waiting for the changes in CVS and other programs. They did change the FTP upload process to require GPG signatures for all uploads.

    However, the web-based system that was hacked this time around has a password-based login, and allows users to change their authorized SSH keys. It also allows users to register a GPG key, but this is just to allow project members to share their keys (and probably intended for future use when signed commits are available and working); the FTP keyring is more tightly controlled.
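The two weaknesses the thread circles around are a login query built by string concatenation (the SQL injection in the summary) and a password table that falls to a dictionary pass once leaked (tlhIngan's point). The following is an added example, not code from Savannah or any of the posters, contrasting the defective lookup with a parameterized one and storing passwords with a per-user salt and a slow KDF; the sqlite table, the account name and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ROUNDS = 200_000  # PBKDF2 iteration count, constructed; tune to the server's budget


def make_db():
    """Constructed in-memory user table standing in for the web login's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    return con


def derive(password, salt):
    # Slow, salted derivation: a leaked table cannot be attacked with one
    # precomputed dictionary, and every guess costs ROUNDS hash operations,
    # which is what a bare SHA1/SHA2 of a short password does not provide.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def add_user(con, name, password):
    salt = os.urandom(16)  # unique per account
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(password, salt)))


def lookup_concatenated(con, name):
    # Defective pattern: the username is spliced into the SQL text, so a quote
    # in the input changes the statement itself (here it is a syntax error,
    # which shows the query structure is under the caller's control).
    return con.execute(
        "SELECT salt, pwhash FROM users WHERE name = '" + name + "'").fetchone()


def lookup_safe(con, name):
    # Parameter binding: the driver passes the value separately from the SQL,
    # so the input is only ever data and cannot alter the statement.
    return con.execute(
        "SELECT salt, pwhash FROM users WHERE name = ?", (name,)).fetchone()


def verify_login(con, name, password):
    row = lookup_safe(con, name)
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derive(password, salt), stored)
```

A name containing an apostrophe is enough to show the difference: the parameterized lookup handles it as data, while the concatenated version fails because the quote terminates the SQL literal.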
