Apache Foundation Attacked, Passwords Stolen
Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."
Respect (Score:5, Insightful)
Nothing but absolute respect for how Apache is handling this. Were there issues that became apparent as a result of this? Yes. But have they discovered the flaws, acknowledged them, and are looking to close those holes? Yes.
It's a shame more companies can't operate with such...transparency I guess you'd call it. However, consumers respond differently to different types of companies.
I, for one, am proud to see a company take this seriously instead of trying to sweep it under the rug.
Re:Damage contained through one-time passwords. (Score:5, Insightful)
Hmm, let's see:
Implanting a back door in any one (if not all) of the Apache products, so that when Citibank does an upgrade...
Far fetched, yes. But not out of the realm of possibility...
Re:Naturally, the passwords were not in clear (Score:3, Insightful)
AFAICT, web servers themselves aren't commonly hacked these days - and indeed that seems to be the case here.
The foolish thing is - and it's downright stupid, make no mistake - while most modern web servers are fairly secure, the same is most definitely not true of the applications and frameworks that commonly run on them. And because it's quite common to find a password for one application works for others (either by a user using the same password or by design, eg. using a common backend such as LDAP), you only need one stupid application which doesn't take countermeasures against brute-force attacks and doesn't log failed logins (making fail2ban ineffective) and the whole damn lot is cracked open.
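To make the point in the comment above concrete, here is an added example (not code from the thread, from Apache, or from fail2ban itself) of the fail2ban-style logic: count failed logins per source IP inside a sliding window and ban once a threshold is hit. The log line format, the threshold (5 failures) and the window (10 minutes) are assumptions chosen for illustration, and the log lines are constructed. Run it once against an application that logs failures and once against one that logs only successes; the second run sees the same six-guess attack and bans nobody.

```python
"""Fail2ban-style brute-force detection over application log lines.

Added example, not from the page or any project it names. The log format,
maxretry and findtime values are assumptions; the sample logs are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed application log format:
#   <ISO timestamp> <LEVEL> login <ok|failed> user=<name> ip=<addr>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login (?P<result>ok|failed) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: timestamp_of_ban} for every IP with >= maxretry failures within findtime.

    Counting is per source IP, not per user, so a password spray (one IP,
    many users) is caught just like a single-account brute force.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "failed":
            continue  # only failures count; an app that never logs them defeats this
        q = window[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > findtime:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry and ev["ip"] not in bans:
            bans[ev["ip"]] = ev["ts"]
    return bans


def constructed_logs(logs_failures):
    """Constructed sample: attacker 203.0.113.7 guesses six passwords for 'alice'
    one second apart and then succeeds; 198.51.100.4 is a real user with two typos.
    With logs_failures=False the application writes only the successful logins."""
    base = datetime(2010, 4, 13, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    out = []
    for i in range(6):
        if logs_failures:
            out.append(f"{stamp(i)} INFO login failed user=alice ip=203.0.113.7")
    out.append(f"{stamp(6)} INFO login ok user=alice ip=203.0.113.7")
    for i in range(2):
        if logs_failures:
            out.append(f"{stamp(20 + i)} INFO login failed user=bob ip=198.51.100.4")
    out.append(f"{stamp(22)} INFO login ok user=bob ip=198.51.100.4")
    return out


if __name__ == "__main__":
    print("app logs failures:   ", find_bans(constructed_logs(True)))
    print("app logs success only:", find_bans(constructed_logs(False)))
```

The second run is the failure mode the comment describes: the attack is identical, but without failed-login records there is nothing for a log-based ban to act on, and a credential reused across applications is exposed by the weakest one.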
Re:Naturally, the passwords were not in clear (Score:3, Insightful)
Also, inb4 "Ubuntu sucks" or similar trolls. Linux haters would be in here if it were Ubuntu or Red Hat. Netcraft would be trolling if FreeBSD were the host OS. And God Forbid Apache had been using Server 2008.
Yeah, I'd foresee twice the number of comments by this time if this were IIS, with half of them saying "switch to a real OS!!"
Re:Damage contained through one-time passwords. (Score:4, Insightful)
I can think of a couple.
It's a very prestigious target (if you're the sort that would do this for some sort of prestige). It's also a poster-child for a solid OSS product - what better way to spread FUD?
Re:don't be stupid, it's design failure (Score:3, Insightful)
Of course it is - one shared (at some point in time), by all browsers, amongst other software.
That's why it's "stupid" to trust your systems 100%
You yourself don't have a quick look at a link, especially one from an unknown source, before blithely clicking?
Especially if you're logged on with root or admin rights?
Re:Damage contained through one-time passwords. (Score:4, Insightful)
Or upload a trojan into the hosted Apache installers.
Re:Correction (Score:3, Insightful)
Sorry, but that distinction has long since been lost... if it was ever popular to begin with. These days we have good hackers and we have evil hackers.
Re:Naturally, the passwords were not in clear (Score:1, Insightful)
If someone can edit the Apache source tree without being detected and insert some subtle method of a backdoor (something far more subtle than this where uid=0 is in the code when uid==0 is meant), that would mean a LOT of money for the blackhat group, because so many Web servers run Apache that selling a possible backdoor to so many sites would be very lucrative, now, and years to come, as a hole put in now may allow for more targeted attacks in the future.
Re:Naturally, the passwords were not in clear (Score:3, Insightful)
Here is the actual e-mail they sent out, which unfortunately, I received:
https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=_________
The Apache Infrastructure Team
Since their servers were hacked, how do you know this was really from Apache? Did you click on a link in an email?
Re:Damage contained through one-time passwords. (Score:1, Insightful)
I can think of a couple.
It's a very prestigious target (if you're the sort that would do this for some sort of prestige). It's also a poster-child for a solid OSS product - what better way to spread FUD?
Nice! Even when an OSS project gets broken into, any mention of its insecurity is still "FUD". What a jackass...
Re:Serious Question (Score:3, Insightful)
You really think my reaction is way overblown? So you're saying a code audit shouldn't happen? Maybe a few months is too long but some sort of audit should happen and it should be done by the people who, you know, maintain the actual code.
Take your sarcasm somewhere else. A code audit is not unreasonable given the situation.