Following the kernel.org hack earlier this month, now it seems that the Linux Foundation infrastructure (including Linux.com and linuxfoundation.org) also got hacked on September 8, 2011.
I wasnt going to blog about it because I figured many, many sites would have this covered by now, but I havent read a single post about this from a Linux Foundation or Linux.com user, and I find it very alarming that as of today (September 12, 2011) Linux Foundation’s website and services hasn’t been restored.
On the Linux Foundation announcement about this they state that the attack is very likely to be connected to the Kernel.org attack (which is still down as I write this).
What worries most people is the fact that if the kernel servers got hacked, the attackers can be able to inject some malicious code into the kernel and then have it redistributed across the entire world, potentially infecting millions of computers. Achieving this is an almost impossible task, because the Kernel itself has a checksum, that gets recalculated every time someone commits a change to the kernel source, so if the hacker(s) that went in the servers try to change something, all the kernel developers would notice a change in the checksum and wont push the update.
Also remember that the kernel source is spread among millions of servers across the globe, so one single attack on one server isn’t going to be catastrophic.
The Linux Foundation is auditing all systems and they say services will become available in the coming days, just so the announcement doesn’t get lost when the website comes back online, I will paste it here:
Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.
We are in the process of restoring services in a secure manner as quickly as possible. As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately. We are currently auditing all systems and will update this statement when we have more information.
We apologize for the inconvenience. We are taking this matter seriously and appreciate your patience. The Linux Foundation infrastructure houses a variety of services and programs including Linux.com, Open Printing, Linux Mark, Linux Foundation events and others, but does not include the Linux kernel or its code repositories.
Please contact us at firstname.lastname@example.org with questions about this matter.
The Linux Foundation
We want to thank you for your questions and your support. We hope this FAQ can help address some of your inquiries.
Q: When will Linux Foundation services, such as events, training and Linux.com be back online?
Our team is working around the clock to restore these important services. We are working with authorities and exercising both extreme caution and diligence. Services will begin coming back online in the coming days and will keep you informed every step of the way.
Q: Were passwords stored in plaintext?
The Linux Foundation does not store passwords in plaintext. However an attacker with access to stored password would have direct access to conduct a brute force attack. An in-depth analysis of direct-access brute forcing, as it relates to password strength, can be read athttp://www.schneier.com/blog/archives/2007/01/choosing_secure.html. We encourage you to use extreme caution, as is the case in any security breach, and discontinue the use of that password if you re-use it across other sites.
Q: Does my Linux.com email address work?
Yes, Linux.com email addresses are working and safe to use.
Q: What do you know about the source of the attack?
We are aggressively investigating the source of the attack. Unfortunately, we can’t elaborate on this for the time being.
Q: Is there anything I can do to help?
We want to thank everyone who has expressed their support while we address this breach. We ask you to be patient as we do everything possible to restore services as quickly as possible.
Kernel.org site just greets you with a “Down for maintenance” page.
I would love to know who is to blame for this, a hacker group? some 15 year old geek trapped in a basement?
Lastly, here some stuff I advice you to do if you are a Linux user:
- If you pull kernel updates from kernel.org, change it immediately! choose another mirror and continue pulling updates on your system normally. If you are an Archlinux user I advice you use the reflector tool to pull the fastest and closest mirrors.
- If you are a Linux Foundation member or registered user, change the password as soon as the site becomes available again, also if you are one of those people who tend to use one password for all your accounts everywhere, change all of them right NOW.
- If the above point applies to you, please STOP doing it, the better way to protect yourself online is to use different passwords for ALL the services you use. You will say its impossible to know 15 or so different passwords, but you can do it, the trick is to just come up with a password scheme, so you have a method of defining your passwords instead of using a single password every time.