
Apache Foundation Attacked, Passwords Stolen

Posted by CmdrTaco
from the yeah-we-meant-to-do-that dept.
Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."
  • by Anonymous Coward on Tuesday April 13 2010, @12:30PM (#31833752)
    "The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights"
  • Addendum: Never mind, sorry - unlike the summary implies by "all users" the attack was targeted at capturing passwords from users who logged in while the site was compromised.

    Naturally, simple hashing is no protection against that.

  • by FallinWithStyle (1474217) on Tuesday April 13 2010, @12:35PM (#31833838)

    The passwords were stored as hashes (message-digest or otherwise) with randomized salt, right? I mean, they have a clue about security, surely.

    Right?

    From the article: "The passwords were encrypted on the compromised servers (SHA-512 hash) but Apache said the risk to simple passwords based on dictionary words "is quite high" and urged users to immediately rotate their passwords."

  • After RTFA, yes, the passwords were stored using SHA-512. However, for three days the login form for one of the compromised services was altered, possibly allowing clear-text password grabbing.

    Is Apache a valuable target? I'm interested in what people would crack this site for, if not for fun or proof of concept.

    Also, inb4 "Ubuntu sucks" or similar trolls. Linux haters would be in here if it were Ubuntu or Red Hat. Netcraft would be trolling if FreeBSD were the host OS. And God Forbid Apache had been using Server 2008.

  • by helixcode123 (514493) on Tuesday April 13 2010, @12:39PM (#31833908) Homepage Journal
    FTFA: Apache said the use of one-time passwords was a "lifesaver" because it limited the damage and stopped the attack from spreading to other services/hosts. Nice that the damage was contained. What would be the motivation(s) for hacking Apache, anyway? It's not like it's Citibank.
  • TinyURL Previews (Score:5, Informative)

    by The MAZZTer (911996) <megazztNO@SPAMgmail.com> on Tuesday April 13 2010, @12:42PM (#31833968) Homepage

    Turn them on, so you can see where they go.

    http://tinyurl.com/preview.php [tinyurl.com]

  • Re:Respect (Score:3, Informative)

    by Lisandro (799651) on Tuesday April 13 2010, @12:45PM (#31834032)
    Apache is a foundation, not a company. I otherwise agree - they handled this really well in my opinion.
  • by lordmatrix (1439871) on Tuesday April 13 2010, @12:55PM (#31834238)
    Operating system has nothing to do with this attack. Web server has nothing to do with this attack. JIRA has to do with this attack. If a session cookie is stolen and is valid when used by the 3rd party, it's the application's fault. The solution would be a better, more secure session manager in JIRA. Additional solution would be using HTTPS.
  • by not already in use (972294) on Tuesday April 13 2010, @01:09PM (#31834484)
    Here is the actual e-mail they sent out, which unfortunately, I received:

    Dear ____________,

    You are receiving this email because you have a login, '________', on the Apache JIRA installation, https://issues.apache.org/jira/ [apache.org]

    On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:

    https://blogs.apache.org/infra/entry/apache_org_04_09_2010

    We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password you set when signing up as '________' to JIRA. If the password you set was not of great quality (eg. based on a dictionary word), it should be assumed that the attackers can guess your password from the password hash via brute force.

    The upshot is that someone malicious may know both your email address and a password of yours.

    This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online banking sites, or sites known to be related to your email's domain, gmail.com.

    Naturally we would also like you to reset your JIRA password. That can be done at:

    https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=_________

    We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email. We are also available on the #asfinfra IRC channel on irc.freenode.net.

    Regards,

    The Apache Infrastructure Team

    So, yeah. They were storing the passwords unsalted, which means that it is susceptible to a simple dictionary crack.

    Needless to say, I'm quite disgusted with the Apache foundation right now.
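
The "unsalted, so susceptible to a simple dictionary crack" point, as an added example written for this page (not Apache's or Atlassian's code): with no salt, accounts that share a password share a digest, so a leaked table exposes every such group and one precomputed digest per candidate word covers all of them at once; a per-account random salt with an iterated hash (PBKDF2-HMAC-SHA512 here) removes both properties, and `upgrade_on_login` shows how a service can migrate legacy unsalted entries at the next successful login. The account names, passwords and function names are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample accounts for illustration only; not real JIRA users or hashes.
USERS = {"alice": "password1", "bob": "password1", "carol": "T9$k!vQ2p-Zm"}
ROUNDS = 100_000  # PBKDF2 iteration count; raise it as hardware allows

def unsalted_sha512(password: str) -> str:
    """The scheme the thread describes: one SHA-512 over the password, no salt."""
    return hashlib.sha512(password.encode()).hexdigest()

def shared_password_groups(table: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts whose unsalted hashes are identical. Without a salt, equal
    passwords yield equal digests, so a leaked table exposes every account that
    shares a password and one precomputed digest per guess covers all of them."""
    groups: dict[str, list[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: u for d, u in groups.items() if len(u) > 1}

def salted_pbkdf2(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-account random salt plus an iterated hash: equal passwords no longer
    share a digest and each guess must be recomputed per account."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ROUNDS)

def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def upgrade_on_login(user: str, password: str, legacy: dict[str, str],
                     upgraded: dict[str, tuple[bytes, bytes]]) -> bool:
    """Migration after a leak like this one: verify against the legacy unsalted
    hash once, re-store the password salted and iterated, drop the legacy entry."""
    if user in upgraded:
        salt, digest = upgraded[user]
        return verify_pbkdf2(password, salt, digest)
    stored = legacy.get(user)
    if stored is None or not hmac.compare_digest(unsalted_sha512(password), stored):
        return False
    upgraded[user] = salted_pbkdf2(password)
    del legacy[user]
    return True

if __name__ == "__main__":
    legacy = {u: unsalted_sha512(p) for u, p in USERS.items()}
    print("shared:", shared_password_groups(legacy), "| alice:", upgrade_on_login("alice", "password1", legacy, {}))
```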

  • Re:Respect (Score:1, Informative)

    by Anonymous Coward on Tuesday April 13 2010, @01:36PM (#31835030)

    Apache is a foundation, not a company. I otherwise agree - they handled this really well in my opinion.

    They're a 501(c)(3) corporation, and are subject to some pretty similar regulations as companies and then some, but yeah I know what you mean.

  • by Sorthum (123064) on Tuesday April 13 2010, @01:39PM (#31835100) Homepage

    Oh man. This, a day after Atlassian itself got breached:
    http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html [atlassian.com]

    Their fault or not, having their name linked to two breaches in as many days has gotta be unpleasant at best for Atlassian.

  • by Anonymous Coward on Tuesday April 13 2010, @03:13PM (#31837056)

    unsalted pws bad, but it is no biggie if you don't reuse!
