STE WILLIAMS

PGP Zimmermann teams with Navy SEALs, SAS techies in London

Encryption guru Phil Zimmermann is going after security conscious users with his new venture Silent Circle, a security start-up offering ultra-secure VoIP and texting services.

Silent Circle, which opened a UK office this week, charges a monthly subscription of $20 (£13) per month for a bundle of secure voice, text and video services.

Zimmermann, creator of the Pretty Good Privacy (PGP) program, told El Reg that he’s done with “trying to convince people that didn’t know about crypto that they needed to use encryption”. Instead Silent Circle is targeting US forces based overseas, businessmen visiting China and human rights workers: “who know that they need crypto because they are under high threat”.

Silent Circle chief exec and co-founder, Mike Janke, said the start-up had ambitions to target the business community as well as power users, thereby gaining a foothold in the enterprise through the industry-wide Bring Your Own Device trend. Janke is a former Navy SEAL sniper who approached Zimmermann with the idea for a business that became Silent Circle around a year ago.

Silent Circle released a suite of iOS apps in October, and plans to release complementary Android apps in December. The “curated crypto apps”, as Zimmermann describes them, offer Silent Phone (secure VoIP), Silent Text (encrypted messaging) and Silent Eyes (desktop videoconferencing, initially only Windows compatible).

Silent Phone offers secure mobile video and voice. The technology uses the ZRTP encryption developed by Zimmermann, and is designed to work over mobile and WiFi networks.

A forthcoming Silent Mail product will be based on PGP Universal and designed to run on smartphones, tablets, and computers using your existing mail program (Outlook, Mac Mail). Secure business packages, calling plans and enterprise packages are also in the works.

Client to client communications using Silent Circle will offer end to end encryption. Users using Silent Circle apps to call from China to landlines in the West, for example, will get the benefit of encryption on the first leg of their journey, to Silent Circle’s dedicated servers in Canada. Crypto keys for VoIP calls are thrown away as soon as they are used and texts are encrypted on a device. Communications data, such as IP logs, are kept for 24 hours, and only used for debugging.

“Users don’t even have to trust us. They don’t have to be worried about Silent Circle being coerced into doing wiretapping,” Zimmermann explained.

Janke added that Silent Circle “retained the least amount of data possible”, limited to username, email address, hashed password, short-term IP logs and a 10-digit private phone number. Credit card processor Stripe holds the customer credit card data, not Silent Circle.

Silent Circle’s site explains the benefits and limitations (the risk of shoulder surfing, malware etc) of its technology.

Our secure communications products use “Device to Device Encryption” – the keys that encrypt your communications are generated on your device and discarded when unneeded. The only exception is Silent Mail which either uses PGP keys you create and manage yourself or allows you to have our PGP Universal server generate them for you.

We do not have the ability to decrypt your communications across our network and nor will anyone else – ever. Silent Phone, Silent Text and Silent Eyes all use end-to-end encryption and erase the session keys from your device once the call or text is finished. Our servers don’t hold the keys.

The technology distinguishes itself from Skype and most mobile voice encryption products by publishing source code, something Janke said appealed to its potential government customers.

Faced with the challenge of intercepting the Skype and IM conversations of terrorist and criminal suspects, law enforcement agencies have increasingly decided to use Trojans as wiretapping tools rather than trying to decipher encrypted traffic. Both Janke and Zimmermann readily conceded that Silent Circle was “not a magic bullet” and wouldn’t protect users of compromised devices.

However Zimmermann said that Silent Circle’s trust model is specially designed to detect and block man in the middle digital certificate attacks such as the DigiNotar compromise that exposed the privacy of Gmail, Skype and Yahoo users in Iran last year.

The level of security offered by Silent Circle might have appeared to appeal to only a paranoid niche, who would probably have insisted on hardware-based encryption anyway, just a few years ago. But the desire to use the latest smartphones or tablets combined with growing concerns about industrial espionage and privacy have created a potential market for its services and technology.

The combination of the PGP founder teaming up with two Navy SEALs and three British SAS Special Forces communications experts* offers frankly unmatchable geek credibility. ®

Bootnote

*Perhaps actually from 18 Signals Regiment, the electronic warfare/SIGINT/ELINT/communications formation supporting the UK Special Forces. Though there are signaller specialists who are fully badged members of the SAS itself, 18 Regiment would probably have a higher level of corporate expertise.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/21/silent_circle/

Outrage over AT&T iPad data slurp hacker conviction

A grey hat hacker has been found guilty of breaching AT&T’s site security to obtain iPad customer data.

Andrew “Weev” Auernheimer, 27, from New York, was convicted of conspiracy to hack and identity fraud over his role in a 2010 exploit against an AT&T account maintenance website that resulted in the leak of 120,000 email addresses of iPad owners, Reuters reports.

Auernheimer’s lawyer, Tor Ekeland, said that his client intended to appeal the verdict of a New Jersey jury, a point confirmed by Auernheimer.

The case has been closely watched in the information security community because Auernheimer recovered the data from the AT&T website without bypassing any security controls. The appeal will therefore focus on whether Computer Fraud and Abuse Act offences were committed by Auernheimer, an important point of law that has implications for both penetration testing and the reporting of security vulnerabilities.

Rob Graham of Errata Security has a suitably angry and fiercely argued blog post on the implications of the case here.

For now, Auernheimer is on bail pending the results of a sentencing hearing. Auernheimer, a self-described internet troll, was a member of the group of computer experts known as “Goatse Security” that went to Gawker with details of the breach after they had notified AT&T of the problem.

Scripts developed by Goatse Security mined the names and email addresses of about 120,000 early adopter iPad owners, including White House staffers, celebrities, journalists and wealthy financiers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/21/ipad_hacker_conviction/

Sacre Bleu! US fingered for Flame attack on Élysée Palace

US-sponsored snoopers hacked into the computers of the Élysée Palace earlier this year ahead of the French presidential election and lifted top secret information, using what appears to be the notorious Flame malware, a French newspaper has alleged.

The attack, which occurred in May a few days before the second round of the election, was first revealed by French media in July, although the details have been largely suppressed until now by the Palace, according to L’Express.

The paper claims hackers gained entry to the computers thanks to simple social engineering on Facebook – befriending workers at the palace and then sending a link to a fake log-in page for the Élysée intranet thanks to which they managed to harvest access credentials.

Once inside, the attackers installed malware which moved around inside the network looking for the information it wanted – infecting the machines of several senior presidential advisors including Sarkozy’s secretary general, Xavier Musca. The president himself escaped as he didn’t have a networked PC, L’Express said.

The report fingers the US because of the relative sophistication of the attack – it apparently took the French information security agency (Anssi) several days to clean and restore the network, and servers on five continents were used to hide the attack’s origin.

In addition, much of the code recovered bears a striking resemblance to that of the infamous information-stealing Flame Trojan, which is thought to be a US-Israeli project designed to target Iranian computer systems.

US Homeland Security secretary Janet Napolitano told L’Express that Flame and Stuxnet had “never been linked to the US government” and when asked specifically about the Élysée attack, added the following, rather unconvincing response:

“We have no greater partner than France, we have no greater ally than France. We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”

As to why the US may have been looking to infiltrate the networks of one of its allies, the report speculates that Sarkozy was instrumental in signing a number of key deals with Middle Eastern companies during his tenure.

“You can be on good terms with a ‘friendly country’ and still wish to ensure its continued support, especially in a period of political transition,” an unnamed official told the paper.

If true, the revelations will be more than a little embarrassing for the Obama administration, especially as it seeks to maintain the moral high ground over China in such matters.

US lawmakers and military leaders have stepped up the rhetoric against China’s state-sponsored cyber-espionage efforts over the past year or so, culminating in a recent House of Representatives report branding tech firms Huawei and ZTE a national security risk to the US.

Although most security experts acknowledge that cyber espionage goes on all the time, even between nominal allies, to make the mistake of being caught doing it is another matter.

The French are not completely blameless in this either, according to former home secretary David Blunkett.

He revealed last year that during the early 2000s, when he and then-opposite number Nicolas Sarkozy were negotiating over the future of the Sangatte refugee camp, the soon-to-be president admitted that his team had been able to read unencrypted emails between the Home Office and the British Embassy in Paris. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/21/us_flame_attack_elysee_palace_sarkozy/

BT: Olympics cyber attackers were amateurs

Twelve-year-old hacktivists and journalists with infected laptops were the biggest info security threats to the London 2012 Games – an event which in the end was notable for the absence of a major cyber attack, BT has revealed.

The telco giant was in charge of supporting the official London2012.com site and the huge IP infrastructure which carried voice, cable TV, wireless and everything in between around the sites, according to BT’s global head of secure customer advocacy, Phil Packman.

Yet despite the dire warnings from Beijing and Vancouver officials, who told BT they’d “be run ragged”, the predicted massive onslaught never materialised, he told The Reg on a visit to Hong Kong this week.

“We geared up for complex attacks from various actors and the reality is they were unsophisticated and perpetrated by children,” he said.

Although a loosely-backed Anonymous DDoS attack was launched on the first day of the Games, in retaliation for the displacement of Occupy protesters from Stratford, BT’s four 10GB pipes and Akamai’s content distribution service meant taking down the infrastructure proved too difficult.

“Within one hour of the Anonymous attack the feedback was ‘we’re not getting anywhere, let’s attack the sponsors’,” Packman explained.

Kids with cyber guns

Although the speed with which hacktivists managed to co-ordinate and switch targets “would have been worrying”, the attacks themselves were relatively unsophisticated and easy to deflect, he said.

However, BT’s Cyber Defence Team was required to focus more resources on monitoring social media channels such as Twitter and Facebook for intelligence on the next attack.

“We were geared up specifically to look at something sinister and the reality was much more amateurish,” said Packman.

“But this brought its own challenges – the attacks were a lot more sporadic and less obvious. On day two or three they attacked the wrong company because they got the URL of a sponsor wrong.”

Monitoring these channels also offered an interesting snapshot of the background of said hacktivists, Packman said. One apparently broke off a web chat because their mother was calling them down to tea, while another replied incredulously to a colleague giving them a hard time: “what do you expect, I’m only 12?”

The only other major security challenge was heralded by the arrival of 25,000 journalists, all of whom required unfettered access to the network on their own devices.

With some of these devices infected and generating spam, fraught negotiations ensued between BT and some overzealous blacklisting companies worried about the spike in unusual traffic coming from the UK telco’s address space, said Packman.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/21/schneier_bt_olympics_no_cybergeddon/

Evildoers can now turn all sites on a Linux server into silent hell-pits

An advanced Linux malware strain can automatically hijack websites hosted on compromised servers to attack web surfers with drive-by-downloads.

The software nasty targets machines running 64-bit GNU/Linux and the nginx web proxy, and acts like a rootkit by hiding itself from administrators. A browser connecting to a website served by nginx on the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor’s machine.

Details of the attack first surfaced in a post to the Full Disclosure mailing list.

Marta Janus, an antivirus analyst at security biz Kaspersky Labs, said the Linux malware appears to be a prototype and is possibly still undergoing development.

“The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy,” she wrote on her employer’s Securelist blog. “The binary is more than 500KB, but its size is due to the fact that it hasn’t been stripped (i.e. it was compiled with the debugging information).

“Perhaps it’s still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet.”

Drive-by-downloads expose web surfers to malicious code that attempts to exploit unpatched software vulnerabilities in the web visitor’s PC or handheld. Security holes in web browsers, Java and Flash plugins and the underlying operating system are typical targets.

What makes this Linux nasty extra crafty

The experimental Linux malware is indiscriminate: it doesn’t just hijack one specific website, nor target a particular scripting language or web app platform. Instead, it infiltrates every site hosted on a compromised server that relies on the popular nginx web proxy. The rootkit part, which burrows into the Linux kernel to prevent detection by software and superusers, ensures the cunning scam is not immediately blown – not until web surfers hitting the server complain of being hacked by the drive-by-download redirects, at least.

As such the malware is the equivalent of moving up from a rifle taking pot shots at users to a prototype buried gun turret that pops up to silently strafe anyone within reach.

The Linux malware is designed to load itself into memory on startup before hooking itself into kernel functions. Rootkit Linux Snakso-A, as Kaspersky Lab dubs the software, uses various ninja-style tricks to hide itself before crafting network data packets containing the HTML iframes; these are then tucked into the server’s output to visiting web browsers. The malicious payload delivered to surfers through these iframes is pulled from a mastermind’s command-and-control server.

“The iframe injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iframes are injected into the HTTP traffic by direct modification of the outgoing TCP packets,” Janus explained.

“In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication.”

Kaspersky Lab warned the malicious command-and-control server behind the attacks was still active at the time it completed its analysis.

Janus concluded the prototype malware uses a far more powerful and sophisticated attack strategy than has previously been seen in drive-by download attacks. She wrote:

So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated – a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.
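Because the injection described above happens below the web server, in the outgoing TCP stream, the server process itself never sees the extra bytes. That suggests a defender-side check that compares what the server thinks it sent with what a client actually receives. The following is an added example written for this page, not code from Kaspersky Lab, CrowdStrike or the malware analysis; it assumes two symptoms (both assumptions, not stated in the article): the injector leaves the server’s own Content-Length header unchanged, so the received body is longer than declared, and the injected iframe points at a host the site never uses. The sample HTTP responses and the host name `injected.example` are constructed for the demonstration.

```python
"""Audit a raw HTTP response captured on the client side for signs of an
iframe having been spliced into the TCP stream after the server emitted it.

Added example, not part of the original article. Assumptions (not from the
article): the injector does not rewrite Content-Length, and injected iframes
reference hosts outside the site's own trusted set.
"""
import re
from urllib.parse import urlparse

# Matches <iframe ... src=...> and captures the src value (HTML-ish, not a full parser).
IFRAME_SRC_RE = re.compile(rb"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def audit_response(raw: bytes, trusted_hosts) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    _, headers, body = parse_response(raw)
    findings = []
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(
            f"content-length mismatch: header says {declared}, body is {len(body)} bytes"
        )
    for match in IFRAME_SRC_RE.finditer(body):
        src = match.group(1).decode("latin-1", "replace")
        host = urlparse(src).hostname  # None for relative URLs such as /widgets/x.html
        if host and host.lower() not in trusted_hosts:
            findings.append(f"iframe to untrusted host: {host} (src={src})")
    return findings


def build_response(body: bytes) -> bytes:
    """Constructed sample: what a well-behaved server emits, with a correct Content-Length."""
    return (
        b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


def simulate_stream_injection(raw: bytes, payload: bytes) -> bytes:
    """Constructed sample: insert bytes before </body> without touching the headers,
    which is the effect a below-the-server injector would have on the client's view."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + sep + body.replace(b"</body>", payload + b"</body>", 1)


TRUSTED_HOSTS = {"www.example.test", "static.example.test"}

# A legitimate page that itself uses a relative-URL iframe (must not be flagged).
CLEAN_RESPONSE = build_response(
    b"<html><body><h1>Welcome</h1>"
    b'<iframe src="/widgets/weather.html"></iframe></body></html>'
)

# The same page as a client would receive it after stream-level injection.
INJECTED_RESPONSE = simulate_stream_injection(
    CLEAN_RESPONSE,
    b'<iframe src="http://injected.example/x" width="1" height="1"></iframe>',
)

if __name__ == "__main__":
    print("clean   :", audit_response(CLEAN_RESPONSE, TRUSTED_HOSTS))
    print("injected:", audit_response(INJECTED_RESPONSE, TRUSTED_HOSTS))
```

The check is cheap enough to run from an external monitoring host that fetches a few known pages and compares them against a copy taken from the server’s document root; a clean server reports no findings, while stream-level injection shows up as both a length mismatch and a foreign iframe host. A kernel-resident rootkit hides from tools run on the compromised box, which is exactly why the comparison has to be made from outside it.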

A detailed analysis of the malware by security startup CrowdStrike asserted that the malware could be used to infect websites regularly frequented by employees at a targeted organisation as part of an espionage-style attack.

“The rootkit at hand seems to be the next step in iframe-injecting cyber-crime operations, driving traffic to exploit kits,” Crowdstrike analysts concluded. “It could also be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail.”

Crowdstrike reckoned the malware is the work of a contractor, probably based in Russia.

“It appears that this is not a modification of a publicly available rootkit,” Georg Wicherski, senior security researcher at Crowdstrike wrote. “It seems that this is contract work of an intermediate programmer with no extensive kernel experience. Based on the tools, techniques, and procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/21/powerful_linux_rootkit/

Kiwi Googleplex comes clean on unauthorised data

Waves certificate proving it has really, truly, wiped Wi-Fi trove

The New Zealand Privacy Commissioner has confirmed that Google has finally destroyed the ill-gotten data scooped up from unsecured WiFi networks during its Street View filming across New Zealand.

The antipodean Googleplex had earlier claimed that it had securely destroyed its payload information, but in early October, following further investigation, unearthed a further disk containing New Zealand and Australian data.

New Zealand Privacy Commissioner Marie Shroff said “we’re pleased to see the certificate from an independent agency verifying the irretrievable destruction of the New Zealand data.”

The Kiwi Privacy Commission has been chasing Google since December 2010 to destroy all the payload information, following the Commission’s findings that Google was in breach of NZ privacy law for hoovering the WiFi information.

In March last year Google produced an independent report verifying that the payload information had been destroyed, but in July 2012 several international privacy regulators were alerted that the illegally obtained data still existed.

The New Zealand Privacy Commissioner resumed the chase on Google locally, which produced the revelation that further data was still in existence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/20/google_nz_destroys_illegal_data/

Nintendo downplays Wii U ‘hidden control panel’ hack fears

A video games fan claims he accidentally hacked into the online environment (Miiverse) of Nintendo’s latest game console, the Wii U.

A gamer called Trike claims he stumbled across a secret debug menu in the Miiverse that gave him access to a list of administrators and a control panel, hours after the US release of the console on Sunday. Snapshots posted by the gamer suggest he might have inadvertently scored access to controls that would have allowed him to delete access rights to Japanese administrators of the network or re-issue passwords.

However Nintendo said that the supposed “debug menu” was actually a “mock-up”, not a live system.

“It has come to our attention that some people were able to access a mock up menu on Miiverse following the launch of Wii U in the US,” Nintendo told Games Industry International. “Please note that this was only a mock up menu and has now been removed and is not accessible.”

Trike said he made no attempt to abuse the supposed super-user rights he had inadvertently stumbled upon. Significantly, he also claims to have come across private messages and pre-launch user forums in the Miiverse.

“At first it asked me to sign in, because my login information didn’t match,” Trike explained. “Then I pressed a button and it sent me to a list of admins anyway. They had buttons in the same row as the names, and I could ‘regenerate password’ or ‘Delete Admin’ or something along those lines. I didn’t do it because I didn’t want to risk getting my god damn Wii U banned on day 1.”

Trike asked for help in passing on his surprise finding to Nintendo “directly without going through their customer service email crap”, as he put it. The gamer reported his discovery in posts to the NeoGAF gaming forum, alongside snapshots taken with a mobile phone that appear to depict Miiverse control panels, as evidence of the apparent (since denied) security breach.

The gamer further claimed he was able to view private messages sent by other online gamers as well as hidden forums intended for discussion of upcoming (unannounced) games such as Yoshi’s Island Wii U.

Feedback to these posts was largely along the lines of “Delete everything, make yourself an admin and RULE THE MIIVERSE”, to quote one post.

Chris Boyd (AKA PaperGhost), senior threat researcher at GFI Software, and an expert in gaming security, played down the practical significance of the incident to game fans.

“On this occasion it’s probably nothing to worry about, although it’s unusual for such a menu to be so easily accessible – typically mock ups are kept on their own private network (sometimes requiring development kits to operate), or offline altogether,” Boyd told El Reg.

Nintendo’s US tentacle announced it was running maintenance on its network on Monday morning, before later advising customers not to turn off their console during the update process.

So many Miis have jumped on Miiverse that some may be having problems connecting to the service. We are in the engine room getting it fixed!

This Twitter post makes no mention of removing access to the mock up menu but access to this facility was blocked following the update.

The security of gaming networks has become a bigger issue since the PlayStation Network hack that spilled names, addresses, email addresses, birthdays and user login credentials of millions of gamers last year. PSN was taken offline for more than a month to sort out the resulting mess.

The Nintendo breach is small beer by comparison, notes Graham Cluley of Sophos in a blog post on the apparent Miiverse snafu.

“Is the apparent security snafu damaging to Nintendo? Probably not. They appear to have resolved the issue quickly, and there is no suggestion that sensitive information was stolen from users, unlike last year’s Sony PlayStation network hack where hackers stole the personal data of millions of people,” Cluley writes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/20/miiverse_security_flap/

Quantum crypto

Boffins have worked out how to run quantum cryptography systems over a standard broadband fibre in a development that brings theoretically unbreakable encryption closer to mainstream use.

Traditionally it has been necessary to use dedicated fibre to send the single photons (particles of light) that are required for Quantum Key Distribution (QKD). This has restricted any applications of quantum cryptography technology to specialist and small-scale systems in banks and high-level government, essentially because of the extra inconvenience and cost required in allocating a dedicated fibre strand for quantum key distribution.

However, a breakthrough from Toshiba’s Cambridge Research Laboratory makes it possible to use existing telecoms networks to distribute secret keys, potentially slashing the price of using quantum cryptography in the process.

Researchers from Toshiba teamed up with boffins at Cambridge University Engineering Department to successfully create a rig that allowed them to extract the very weak signals used for quantum cryptography from ordinary telecom fibres, which transmit regular data traffic at a different wavelength.

The Cambridge team achieved their breakthrough using a detector that is sensitive only for a very brief window (100 millionths of a micro-second) at the expected arrival time of the single photon, which carries signals related to a quantum key. The ultra-high shutter-speed snapshot detector responds largely to just the single photon signals and is insensitive to the scattered light caused by the other data signals. This allows the weak single photon signals to be recovered from the fibre.

Using the technique, the Cambridge team successfully ran quantum cryptography systems over ordinary telecom fibres while simultaneously transmitting data at 1Gbps in both directions. They demonstrated a secure key rate over 500kbps for 50km of fibre, about 50,000 times higher than the previous best value for this fibre length. The breakthrough was reported in the scientific journal, Physical Review X, on Tuesday.

Scattered light caused by the data signals would normally contaminate and overwhelm the single photon signals if sent along the same fibre. The disparity in the intensity of the signals is illustrated by the fact that one bit of data is carried by over one million photons in normal fibre optic networks, but one bit relates to just one polarised photon in quantum key distribution systems. Getting around the noise contamination problem without falling back on a dedicated fibre for quantum key exchange is therefore a massive breakthrough.

Dr Andrew Shields, assistant managing director at Toshiba Research Europe, said: “The requirement of separate fibres has greatly restricted the applications of quantum cryptography in the past, as unused fibres are not always available for sending the single photons, and even when they are, can be prohibitively expensive. Now we have shown that the single photon and data signals can be sent using different wavelengths on the same fibre.” ®

Boffin-note

Quantum Key Distribution (QKD) offers a high-security key exchange system that is theoretically uncrackable but still subject to potential implementation flaws. Secret keys for one-time pads are transmitted with one photon encoding one bit.

It is secure because any attempt by an eavesdropper to intercept and measure the photons alters their encoding, thanks to fundamental principles of quantum physics. This means that eavesdropping on quantum keys can be detected. Compromised key exchanges can be abandoned and the process repeated until a theoretically unbreakable key is exchanged.

The Toshiba QKD system is based on one-way optical propagation and the BB84 (“Alice and Bob”) cryptography protocol with decoy pulses.
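The Boffin-note above states the core of BB84 in two sentences: a mismatched measurement basis randomises the bit, so an eavesdropper who measures and re-sends the photons leaves errors behind that Alice and Bob can count. The simulation below is an added example written for this page, not Toshiba’s system or any real QKD stack; it models the photons classically (a matching basis returns the encoded bit, a mismatched one a coin flip), leaves out decoy pulses, loss and channel noise (an idealised assumption, so every error in the sifted key is attributable to the interceptor), and uses an abort threshold of 11 per cent, the commonly quoted BB84 error bound for one-way post-processing.

```python
"""BB84 key exchange with an optional intercept-and-resend eavesdropper.

Added example, not part of the original article and not Toshiba's code.
Assumptions: ideal lossless channel, no decoy pulses, no detector noise, so a
non-zero error rate in the sifted key can only come from Eve.
"""
import random

BASES = "+x"       # rectilinear (+) and diagonal (x) polarisation bases
QBER_ABORT = 0.11  # abort threshold: the commonly quoted BB84 bound (assumption for this demo)


def measure(bit, prep_basis, meas_basis, rng):
    """Classical stand-in for measuring one photon: the right basis reads the
    encoded bit back; the wrong basis yields a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84_exchange(n_photons, seed=0, eavesdrop=False):
    """Run one exchange and return the quantum bit error rate (QBER), the
    accept/abort decision and the key bits each side ends up holding."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]

    sent_bits, sent_bases = alice_bits, alice_bases
    if eavesdrop:
        # Intercept-resend: Eve measures each photon in a random basis and
        # re-emits a photon encoding what she read, in the basis she used.
        eve_bases = [rng.choice(BASES) for _ in range(n_photons)]
        sent_bits = [measure(b, pb, eb, rng)
                     for b, pb, eb in zip(alice_bits, alice_bases, eve_bases)]
        sent_bases = eve_bases

    bob_bits = [measure(b, pb, mb, rng)
                for b, pb, mb in zip(sent_bits, sent_bases, bob_bases)]

    # Sifting: bases (not bits) are compared over the public channel and only
    # the positions where Alice and Bob chose the same basis are kept.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimation: half of the sifted positions are disclosed and compared;
    # those bits are then thrown away and the remainder forms the key.
    sample = set(rng.sample(sifted, len(sifted) // 2))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0
    remaining = [i for i in sifted if i not in sample]

    return {
        "qber": qber,
        "accepted": qber <= QBER_ABORT,
        "alice_key": [alice_bits[i] for i in remaining],
        "bob_key": [bob_bits[i] for i in remaining],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_exchange(4000, seed=7, eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={r['qber']:.3f} "
              f"accepted={r['accepted']} key bits={len(r['alice_key'])}")
```

Without Eve the sifted keys agree exactly and the QBER is zero; with intercept-resend Eve guesses the wrong basis half the time and, of those photons, Bob reads the wrong bit half the time, so roughly a quarter of the sifted bits disagree and the exchange is abandoned, which is the “detect and repeat” loop the note describes. Real systems add error correction and privacy amplification on top of this, and the decoy pulses mentioned above defend against attacks on multi-photon pulses that this single-photon model does not represent.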

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/20/quantum_crypto_breakthrough/

Malware made which can share a smartcard over the internet

Security researchers have developed proof-of-concept malware that allows attackers to obtain remote access to smart card readers attached to compromised Windows PCs.

The experimental malware developed by Itrust Consulting allows hackers to share a USB-based smart card reader over the internet. As such the attack goes one step further than previous assaults, such as a recent variant of the Sykipot Trojan that hijacked US Department of Defense smart cards in order to access restricted resources. This so-called ‘smart card proxy’ attack was software specific, targeting PCs attached to smart card readers running ActivClient, the client application of ActivIdentity.

The experimental malware developed by Itrust Consulting ought to work with any type of smart card and USB-based smart card reader, at least in theory, so it promises to be both more flexible and powerful than that abused by the Sykipot Trojan.

The attack is due to be demonstrated by Paul Rascagneres, a security consultant at Luxembourg-based Itrust Consulting, at the MalCon security conference in New Delhi, India, on 24 November. A summary of the upcoming Smartcards Reloaded – Remotely! presentation sets the scene.

We showcase a new kind of malware that uses a self-made driver that makes USB over TCP/IP. So the malware shares the smartcard connected in USB of the victim directly to the command and control (C&C) server in raw. The attacker can use the smartcard as if it is directly connected to his machine!

Smart cards are normally used in tandem with PIN codes or passwords for two-factor authentication (secure login using something you have – the token – and something you know – a PIN). The prototype malware comes bundled with a key-logging component capable of stealing such login credentials, providing they are entered into an infected PC attached to a smart card reader. The credential-stealing attack would not work in cases where users enter their PIN into a physical keypad included with a smart card reader, IDG reports.

Rascagneres and his team tested their malware prototype with smart cards issued by Belgian banks and the electronic identity card (eID) issued in Belgium.

The drivers created by the researchers are not digitally signed, one way that the attack might be detected. However bad guys might be able to get around detection by either using stolen digital certificates or using malware (such as the TDL4 rootkit) capable of disabling the driver-signing policy on 64-bit versions of Windows 7. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/20/smart_card_reader_malware/

Hackers break into FreeBSD with stolen SSH key

Hackers broke into two FreeBSD project servers using an SSH authentication key* and login credentials that appear to have been stolen from a developer, it has emerged.

Developers behind the venerable open-source operating system have launched an investigation and have taken a few of the servers offline during their probe, but early indications are that the damage could have been far worse.

None of the so-called base repositories – stores of core components such as the kernel, system libraries, compiler and daemons (server software) – were hit. And only servers hosting source code for third-party packages were exposed by the attack, which was detected on 11 November and announced on Saturday, 17 November, following a preliminary investigation. The intrusion itself may have happened as far back as 19 September.

On Sunday 11 November, an intrusion was detected on two machines within the FreeBSD.org cluster. The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution.

We have found no evidence of any modifications that would put any end user at risk. However, we do urge all users to read the report available at http://www.freebsd.org/news/2012-compromise.html and decide on any required actions themselves. We will continue to update that page as further information becomes known. We do not currently believe users have been affected given current forensic analysis, but we will provide updated information if this changes.

No Trojanised packages have been uncovered, at least as yet. But FreeBSD users have been urged to carefully check third-party packages installed or updated between 19 September and 11 November nonetheless, as a precaution.

The FreeBSD.org team has promised to tighten up security, in particular by phasing out legacy services such as the distribution of FreeBSD source via CVSup, in favour of the “more robust Subversion, freebsd-update, and portsnap distribution methods”. The hack was “not due to any vulnerability or code exploit within FreeBSD”, according to devs.

The whole incident raises troubling questions since it seems that the unknown attackers behind the hack managed to steal both an SSH (remote administration) key file and passwords from a developer. Analysis of the attack can be found in an informative blog post by Paul Ducklin of Sophos here.

Attacks on open-source repositories are far from unprecedented. Kernel.org was suspended for a month last year following a much more serious malware attack and server compromise. A month later a breach of the MySQL.com website left visitors exposed to malware.

But perhaps the most similar attack to the FreeBSD hack occurred three years ago, with a breach against the Apache Software Foundation, also facilitated by the misuse of SSH keys. ®

* SSH, or secure shell, a method of encrypted communication, is the predominant remote-access protocol for non-Windows systems. There’s more on how SSH keys work in the Sophos post.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/20/freebsd_breach/