> It came to my attention, after reviewing the Debian report, that there are
> many mail systems out there, which use userland accounts for POP mail (not
> secure, but plaintext) that also have SSH logins enabled. I was guessing
> that this might've been how they got in with a "sniffed password".
Yes, this was my original thinking before Bob's message-- that they must
have had some non-encrypted service running on the box that allowed the
attacker to sniff a password that could be used for logins. Maybe not,
though.
> I don't know how they could get a keyboard sniffer on a developer's machine
> without first compromising that machine, in a similar fashion; so I'm
> assuming that something like a shared [plaintext] password was
> packet-sniffed initially... which still begs the question of where the
> packets were sniffed. Was an ISP compromised or some insider helping out?
> Maybe a developer was working via wifi, without considering the
> implications?
It's believable to me that the individual developers on the project do
exercise as much care and attention securing their home systems as the
project admins do when setting up the distro servers. One open hole
on a developer box and the attacker gets in and probably uses the same
kernel exploit to break root. Now you have a transitive security
problem, at least on the machines your developers have direct access to.
In a "real world" project, of course, you wouldn't allow the
developers anywhere near your "production" systems. The code
repository that they do check-ins to would live someplace "far away"
from the production boxes where public distributions, patch updates,
and announcements were done. Again, budget and overhead become a
factor, which is why I suspect most of the Open Source projects follow
the same model as the Debian folks and have everything sort of
clustered together.
--
Hal Pomeranz, Founder/CEO Deer Run Associates [EMAIL PROTECTED]
Network Connectivity and Security, Systems Management, Training
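The reuse path both posters describe, a password sniffed from a plaintext POP session that the same host also accepts for SSH, can be checked for on the server side. The script below is an added example, not code from this thread; its POP3 session and sshd_config fragment are constructed samples.

```python
import re

# Constructed sample: a POP3 exchange as a sniffer on the wire would see it
# (C: client, S: server). No STLS precedes USER/PASS, so the password is exposed.
SAMPLE_POP3_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: QUIT
"""

# Constructed sample sshd_config: the keyword is commented out, so the
# OpenSSH default (password auth enabled) is in effect.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
"""

def plaintext_pop3_logins(session: str) -> list[str]:
    """Usernames whose PASS was sent before any STLS upgrade."""
    tls_started, user, exposed = False, None, []
    for line in session.splitlines():
        if not line.startswith("C: "):
            continue
        cmd, _, arg = line[3:].partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            tls_started = True  # later commands travel encrypted
        elif cmd == "USER":
            user = arg.strip()
        elif cmd == "PASS" and not tls_started and user:
            exposed.append(user)
    return exposed

def ssh_password_auth_enabled(config: str) -> bool:
    """Effective PasswordAuthentication: first uncommented occurrence wins,
    default is yes. Match blocks are ignored here for simplicity."""
    for line in config.splitlines():
        m = re.match(r"\s*PasswordAuthentication\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return True

def credential_reuse_findings(session: str, config: str) -> list[str]:
    """Accounts whose sniffable POP3 password would also be accepted by sshd."""
    if not ssh_password_auth_enabled(config):
        return []
    return [f"{u}: POP3 password visible on the wire and accepted by sshd"
            for u in plaintext_pop3_logins(session)]
```

Turning `PasswordAuthentication` off (or requiring STLS for POP) empties the findings list, which is the point the thread is making about separating the two credentials.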
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug