Password-Guessing Was Used to Hack Gentoo Linux Github Account


Your daily selection of the hottest trending tech news!

According to The Hacker News (This article and its images were originally posted on The Hacker News July 5, 2018 at 06:29AM.)

Maintainers of the Gentoo Linux distribution have now revealed the impact and “root cause” of the attack that saw unknown

hackers taking control of its GitHub account

last week and modifying the content of its repositories and pages.

The hackers not only managed to change the content in compromised repositories but also locked out Gentoo developers from their GitHub organisation.

As a result of the incident, the developers could not be unable to use GitHub for a total of five days.

What Went Wrong?

Gentoo developers have revealed that the attackers were able to gain administrative privileges for its Github account, after guessing the account password.

The organisation could have been saved if it was using a two-factor authentication, which requires an additional passcode besides the password in order to gain access to the account.

“The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated web pages,” Gentoo wrote in its incident report.

Besides this, Gentoo developers did not also have a backup copy of its GitHub Organization detail. What’s more? The systemd repo was also not mirrored from Gentoo but was stored directly on GitHub.

What Went Well? (Luckily)

However, Gentoo believed the project got lucky that the attack was “loud,” as knocking all other developers out of the targeted GitHub account caused them to be emailed.

Quick action from both Gentoo and Github put an end to the attack in about 70 minutes.

“The attack was loud; removing all developers caused everyone to get emailed,” the Gentoo maintainers said. “Given the credential taken, it’s likely a quieter attack would have provided a longer opportunity window.”

Moreover, the report also added that by force pushing commits that attempted to remove all files, the attacker made “downstream consumption more conspicuous,” which could have eventually “blocked git from silently pulling in new content to existing checkouts on ‘git pull’.”

As the project previously said, the main Gentoo repositories are kept on Gentoo hosted infrastructure, and Gentoo mirrors to GitHub in order to “be where the contributors are.”

Therefore, the private keys of the account were not impacted by the incident, and so the Gentoo-hosted infrastructure.

Impact of the Cyber Attack

As a result of the incident, the Gentoo Proxy Maintainers Project was impacted as many proxy maintainers contributors use GitHub to submit pull requests, and all past pull requests were also disconnected from their original commits and closed.

The attackers also attempted to add “rm -rf” commands to various repositories, which if executed, would have deleted user data recursively. However, this code was unlikely to be executed by end users due to various technical guards in place.

rm is a Unix command which is used for removing files, directories and similar, and rm -rf denotes a more forcible removal, which “would cause every file accessible from the present file system to be deleted from the machine.”

Steps Taken to Prevent Future Cyber Attacks

Following the incident, Gentoo has taken many actions to prevent such attacks in the future. These actions include:

  • Making frequent backups of its GitHub Organization.
  • Enabling two-factor authentication by default in Gentoo’s GitHub Organization, which will eventually come to all users the project’s repositories.
  • Working on an incident response plan, particularly for sharing information about a security incident with users.
  • Tightening up procedures around credential revocation.
  • Reducing the number of users with elevated privileges, auditing logins, and publishing password policies that mandate password managers.
  • Introducing support for hardware-based 2FA for Gentoo developers

Currently, it is not known who was behind the Gentoo Hack. Gentoo did not say if the incident has been reported to law enforcement to hunt for the hacker(s).

Continue reading…

  • Got any news, tips or want to contact us directly? Feel free to email us: esistme@gmail.com. To see more posts like this please subscribe to our newsletter by entering your email. By subscribing you’ll receive the top trending news delivered to your inbox.

__

This article and images were originally posted on [The Hacker News] July 5, 2018 at 06:29AM. Credit to Author  and The Hacker News | ESIST.T>G>S Recommended Articles Of The Day.

 

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: