SourceForge repository's servers compromised
January 31, 2011
The servers of SourceForge were recently the subject of a malicious attack. The open-source code repository has advised all its users to change their passwords immediately following a concerted hacking attack that took place a few days ago.
Launched Jan. 26, the attack targeted the open source developer infrastructure and involved the compromise of all the servers at SourceForge.net. The non-profit detected the attack and quickly disabled CVS, the ishell and all file upload capabilities, and cancelled all project updates as a precaution against a potentially more serious compromise.
The open-source organization says it detected the attack before it got more serious. But analysis of various server log files after the attack revealed that an SSH daemon had been modified to carry out a password-sniffing attack.
SourceForge thinks it was unlikely that any developer passwords were actually compromised, although it can't be absolutely sure at this point. As a precaution, SourceForge applied an across-the-board password reset, as explained in an email to Linux application developers sent over the weekend.
"We recently experienced a directed attack on SourceForge infrastructure and so we are resetting all passwords in the sf.net database just in case. We're emailing all sf.net registered account holders to let you know about this change to your account," read the email.
"Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised yet, but what we definitely don't want is to find out in two months that passwords were compromised and we didn't take action soon enough," the email went on to say.
"So as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a new password," it said.
A post on the SourceForge blog, published on Saturday, gives a detailed account of the attack and of SourceForge's response thus far. SourceForge hopes to fully restore services later this week.
It's still unclear who carried out the attack or what exactly their motives could have been, although uploading back-doored versions of open source software is the most obvious motive for such a stealthy and fairly sophisticated attack.
SourceForge is currently in the process of validating specific updates to guard against potentially nasty surprises in the near future. It is also in the process of locking down servers and adding extra defences as a precaution against further malicious attacks.
The attack against SourceForge.net followed days after an attack on Fedora, another open-source organization. Miscreants gained access through a team member's account, but there is no evidence at this time that the compromised access was used to upload rogue code.
In November, the main source code repository of the Free Software Foundation was taken offline following a similar attack targeting website login credentials.
In other security news, a computer scientist yesterday disclosed a new security flaw in the latest version of Google's Android mobile operating system that can be exploited to reveal sensitive user information.
The data-stealing vulnerability in Android version 2.3 (dubbed Gingerbread) allows potential attackers to view and upload photos, voicemail and other data stored on a mobile handset's SD memory card, said Xuxian Jiang, assistant professor in North Carolina State University's department of computer science.
The security hole, which is exploited when a user clicks on a booby-trapped link, also allows attackers to upload phone apps to a remote server without the user knowing anything about it.
He said proof-of-concept code successfully carries out the attack on a standard Nexus S phone, which comes with Gingerbread already installed. It's not clear if the attack works on other brands that also run the latest operating system, however.
“We've already incorporated a patch for a security issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone,” a Google spokesman wrote in an email. “We're in constant communication with all our partners.”
The security patch will ship in an upcoming 2.3 maintenance release, Google said.
The information-disclosure threat is similar to one disclosed in November in Android 2.2 by researcher Thomas Cannon. Both security vulnerabilities disclose data only when an attacker knows the precise name and path of a file stored on an SD card.
But the exploit can't break out of the security sandbox, so system data and email, SMS messages and files stored on the phone itself remain off limits, at least for now.
The new but very serious security vulnerability discovered in November could allow attackers to access private data from SD cards in Google smartphones and MIDs (mobile Internet devices).
Additionally, it would also be possible to retrieve a limited range of other private information and specific files stored on the Android phone using this vulnerability.
Redirects can then be used to post the data back to a malicious website.
Cannon has gone public ahead of an update to the Android OS, which he says will be necessary to fix the problem, in order to warn other users of the security risk. He was very keen to stress that he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue thus far.