Security breach: Kernel.org and Linux Foundation remain "temporarily unavailable"

Filed Under: Data loss, Featured, Linux, Malware, Privacy

The Linux world is in a bit of a security spinout at the moment.

Last month, the brains behind the Linux kernel discovered malware on the PC of at least one kernel maintainer, as well as on some of the kernel.org servers themselves.

Now, the Linux Foundation, a not-for-profit which bankrolls the main developers of Linux so that they can remain independent of any particular vendor or commercial group, is in the security soup, too.

The Linux Foundation sites have been replaced with holding pages since late last week, suggesting that finding out what actually happened hasn't been as easy as the Foundation's techies might have hoped.

Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.

The connection to the malware infection amongst the kernel maintainers themselves is echoed by the holding page for kernel.org, which says, simply, "Down for maintenance". The Linux Foundation and Kernel.org sites are internet neighbours in the 140.211.169.0/25 network block.

In a creditable fit of caution, the Linux Foundation advises that you should consider the passwords and SSH keys used on its sites to be compromised. It also advises that "if you have reused these passwords on other sites, please change them immediately." Of course, much better advice is never to reuse passwords on multiple sites in the first place.

(You might be wondering if this mention of possible password compromise means that the Linux Foundation failed to follow its own advice, and stored passwords in plaintext, rather than as an unreversible hash.

Remember, however, that this breach appears to involve a malware compromise, not merely the unauthorised retrieval of data from the servers. If a server is "owned" by malware, even the login process should be considered untrustworthy. Passwords could therefore have been stolen directly from memory during login, even though they were never written to disk.)

I'm still struggling to decide quite what the Loony Linux Lovers - those who insist that Linux is immune to malware - will make of this episode. Whilst Linux malware is not new, this is probably the closest it has ever come to the heart of their beloved operating system.

In a perversely back-handed sort of way, perhaps this incident is just what Linux needs to raise its profile outside the world of cloud service providers.

The "Linux has magic security smoke" proselytisers will be compelled to admit that insecurity isn't just about Microsoft, and will be forced to improve their public attitude to security in general.

The "Linux is a nothing more than a hobby product" naysayers will be compelled to admit that the operating system really is part of the Big Time. Why else would kernel.org be in the sights of cybercrooks?

And Linux itself will emerge almost entirely unscathed because if any dodgy changes are found in the codebase, there will be a public record of them getting rolled back and order restored.

Mind you, the Linux brains trust could do with getting a move on fixing things.

In the meantime, if you've never considered it before, why not take a look at OpenBSD :-)

, , , , , , ,

You might like

10 Responses to Security breach: Kernel.org and Linux Foundation remain "temporarily unavailable"

  1. Caazak · 955 days ago

    Loony Linux vs whatever-t-f you are (BSD groupie? really?), who cares.

    • Paul Ducklin · 955 days ago

      I have no operating system religiosity, thanks. I'm not a Windows fan, because I've never much liked its GUI (and the difficulty of avoiding it), so I use it as little as possible at work and not at all at home, except for "research purposes". But I can get along with it OK.

      Oh, and I could never see the appeal in Symbian - not as a user and definitely not as a coder. I tried - honestly, I did - but it wasn't for me. Now, it seems, it's not for anyone. So perhaps I was right all along?

      Anyway...what's your point?

  2. Justin · 955 days ago

    I'm a linux user and do not claim that any OS is immune to malware and viruses. I'm of the opinion that anyone that uses a PC or laptop, or any mobile device needs to have a little common sense. Malware and viruses can affect any PC, laptop, OS... linux included and everyone needs to remember that malware and viruses can affect every OS, every PC, every mobile device... no matter how much security & protection you have. The best defense is a little common sense... which can go a long way to protecting you, but even then you can still get infected.

  3. Tourniquette · 954 days ago

    Of course it's not immune to malware, just better protected than windows. Same for any UNIX OS, OSX included...it's always better to be asked whether to install software by the OS rather than have all of the flaws of Windows. And totally agreed with Justin, common sense goes a hell of a long way. I use a dual boot OSX/Fedora 15 system btw. And good article, I didn't know about this hack happening.

  4. Sreekar · 954 days ago

    After seeing all these security fiascos,can't we conclude that humans are the weakest link in security?

  5. jephro · 954 days ago

    @sreekar

    isn't that typically the case?

  6. Bink · 954 days ago

    No worries here! I already use OpenBSD!

  7. nico · 949 days ago

    How does Linux not being affected by malware have anything to do with this type of network attack? I don't really see the need of transforming this episode in a Linux vs Windows match... it has nothing to do with it.

    And, by the way, they clearly specify passwords were NOT stored in plaintext.

  8. Mad Irish · 947 days ago

    I think the author is conflating "malware" and "rootkit" which is completely understandable, but then going on to conflate "malware" with "desktop virus/trojan". When Linux "groupies" say that Linux doesn't suffer from malware they mean desktop virus issues, which is largely true. However, rootkits and other operating system level malware packs, have been around since folks started breaking into Unix hosts over two decades ago. The difference is that if you're using Linux as your desktop operating system you're pretty immune to web site hosted drive by downloads, but if you're using it in your data center you're going to have to do a good job of security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog