Rich Freeman on 29 Jun 2018 08:51:36 -0700
Re: [PLUG] Gentoo hacked on Github
On Fri, Jun 29, 2018 at 10:34 AM jeff <jeffv@op.net> wrote:
>
> https://nakedsecurity.sophos.com/2018/06/29/linux-distro-hacked-on-github-all-code-considered-compromised/

The headline is a bit sensationalized. Obviously the entire compromised org was taken down, but the reality is that almost nobody would be using it for anything but contributing pull requests. Also, the modifications don't appear to be likely to actually work - they were clearly not tested (not that bad things couldn't have been done - just that it probably wasn't super-planned-out and what was done was buggy). Three repos were ultimately tampered with.

However, the article does get right that the situation was handled conservatively to minimize the risk of any impact to users/etc, and was announced about as quickly as possible once the people busy containing the damage had set things in motion to actually shut things down.

The somewhat-more-detailed running update is at:
https://infra-status.gentoo.org/notice/20180629-github

As I understand it, the account used to compromise the org was secured by GitHub and has been returned to the rightful owner, and the org will be configured to require 2FA. Another dev's password was evidently also compromised, but he was using 2FA, so there was only a failed 2FA attempt on the account.

The bigger concern is how the passwords were obtained in the first place - whether they were just super-weak (not many failed attempts were logged), or if they were sniffed somewhere. I doubt they were sniffed off of Gentoo's own servers, because if they were, the attackers would already have access to do much worse attacks than the one against GitHub that mainly impacted people submitting PRs and such.

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug