
SoylentNews is people

posted by mrpg on Saturday July 07 2018, @10:35AM
from the hunter2 dept.

Submitted via IRC for BoyceMagooglyMonkey

The developers of Gentoo Linux have revealed how it was possible for its GitHub organization account to be hacked: someone deduced an admin's password – and perhaps that admin ought not to have had access to the repos anyway.

The distro's wiki has added a page describing the SNAFU. It describes the root cause of the cockup as follows:

The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages.

Original link: Gentoo GitHub repo hack made possible by these 3 rookie mistakes

Another link: Gentoo Linux Github Organization repo hack was down to a series of security mistakes

Gentoo report: Project:Infrastructure/Incident Reports/2018-06-28 Github



  • (Score: 3, Interesting) by Anonymous Coward on Saturday July 07 2018, @01:01PM (2 children)

    by Anonymous Coward on Saturday July 07 2018, @01:01PM (#703788)

    2018-04-08 - 2018-06-27

    Logs indicate that various GitHub accounts were probed looking for vulnerable accounts.

    2018-06-28

            20:05 2nd to last known legitimate commit to gentoo/gentoo. Matches git.gentoo.org/repo/gentoo.git
                    Auto-pushed by mirror bot.
                    Commit ID 38281f4252f89e3ef9cbae54dfc1ad553d296979
            20:08 Last known legitimate commit to gentoo/musl. Matches git.gentoo.org/proj/musl.git.
                    Commit ID 60461ca1385809bacf6a114a7f1ecfe22f6da47f
            20:19 Attacker tries a bad password on the account.
            20:19 Attacker successfully gains administrative access
            20:25 Attacker invites a dummy account to the org
            20:25 Attacker creates a dummy account with administrative access.
            20:25 Last known legitimate commit to gentoo/gentoo. Matches git.gentoo.org/repo/gentoo.git
                    Auto-pushed by mirror bot.
                    Commit ID 73b724093b9c2a8756b8c35d3e09793342fa9ca9
                    Does NOT appear in the GitHub audit log for the org.
            20:25 Attacker starts removing valid users
            20:26 Earliest email timestamp of someone being removed from the organization.
            20:29 First person notices that something is going on with the GitHub organization
            20:30 Attacker invites a second malicious user.
            20:32 Attacker adds second malicious user with admin privileges.
            20:34 Malicious commit to gentoo/gentoo, 73b72409->fdd8da2e
                    adds readme.me file with racist text.

            20:36 First report to Infra that something is going on with the GitHub organization.
            20:38 Malicious commit to gentoo/gentoo, fdd8da2e->49464b73.
                    adds rm -rf /*& at the top of skel.ebuild
            20:39 Attacker changes billing email, the first time.
            20:45 Malicious commit 49464b73 is first noticed
            20:48 Attacker changes billing email, the second time
            20:49 First abuse report to GitHub support
            20:50 Malicious commit to gentoo/gentoo, 49464b73->afcdc03b.
                    adds rm -rf /* at the top of every ebuild.
            20:51 Infra's informal contact to GitHub via multiple personal channels
            20:53 Second abuse report to GitHub
            20:55 Malicious commit to gentoo/gentoo, afcdc03b->e6db0eb4, force-push.
                    Squash of entire history as of afcdc03b (rm -rf /* in ebuilds)
            20:56 Malicious commit to gentoo/musl, 60461ca1->e6db0eb4. Force-push.
                    Same history as gentoo/gentoo in a squashed commit.
            21:00 (approx) GitHub informal report that they are starting to look
            21:05 Infra's formal ticket to GitHub Support
            21:07 Malicious commit to gentoo/systemd, bf0e0a4d->50e3544d.
                    Payload: slightly obfuscated rm -rf $HOME ~/ at the top of the configure script.
            21:11 Malicious commit to gentoo/systemd, 50e3544d->c46d8bbf. Force-push.
                    Revert of previous commit bf0e0a4d squashed with commit 50e3544d.
            21:28 GitHub support responds; Gentoo GitHub org frozen.
            22:14 Gentoo emails GitHub requesting activity logs.
            22:45 GitHub locks suspected entry point

    Just some kiddy messing about.

    action-item: prod gentoo-infra members to start using local password managers (pass, gopass, etc.)

    Ask GitHub to implement a security feature where they produce a random password and the user has to use it. And the only way to change the password is to another random password they provide. Then mark accounts that turn on the feature AND allow organizations to disallow users based on the usage of it. So, if an account sets a custom, not GitHub-generated password, they immediately get kicked/locked out of the organization.

    Basically, a light version of two factor auth / strong passwords enforcement that can be optional per organization. It won't invalidate existing accounts. Just temporarily freeze their push rights until they get their shit together.
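The 20:25 to 20:39 sequence in the timeline above (invite a dummy account, grant it admin, strip existing members, change the billing email) is a pattern an organization's audit log can surface within minutes. The following added example is not from the Gentoo report or the commenter; it runs that detection over a constructed JSON-lines log whose field names, action names and accounts are assumptions made for the example, not a real export format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in JSON-lines form, loosely modelled on an organization
# audit log: field names, action names and accounts are assumptions made for
# this example, not a real export format. The sequence mirrors the 20:25-20:39
# entries of the timeline above; the 06-20 line is routine admin activity.
SAMPLE_AUDIT_LOG = """
{"ts": "2018-06-20T09:12:00Z", "actor": "admin2", "action": "org.add_member", "target": "newdev", "role": "admin"}
{"ts": "2018-06-28T20:25:00Z", "actor": "admin1", "action": "org.invite_member", "target": "dummy1"}
{"ts": "2018-06-28T20:25:10Z", "actor": "admin1", "action": "org.add_member", "target": "dummy1", "role": "admin"}
{"ts": "2018-06-28T20:25:30Z", "actor": "admin1", "action": "org.remove_member", "target": "dev-a"}
{"ts": "2018-06-28T20:25:45Z", "actor": "admin1", "action": "org.remove_member", "target": "dev-b"}
{"ts": "2018-06-28T20:26:05Z", "actor": "admin1", "action": "org.remove_member", "target": "dev-c"}
{"ts": "2018-06-28T20:30:00Z", "actor": "admin1", "action": "org.invite_member", "target": "dummy2"}
{"ts": "2018-06-28T20:32:00Z", "actor": "admin1", "action": "org.add_member", "target": "dummy2", "role": "admin"}
{"ts": "2018-06-28T20:39:00Z", "actor": "admin1", "action": "org.update_billing_email"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_takeover(events, window=timedelta(minutes=15), min_removals=2):
    """Flag an actor who grants admin to a member and then, within `window`,
    removes at least `min_removals` existing members; one alert per actor,
    carrying the evidence a responder needs for triage."""
    alerts, by_actor = [], {}
    for ev in events:
        by_actor.setdefault(ev["actor"], []).append(ev)
    for actor, evs in by_actor.items():
        for grant in evs:
            if grant["action"] not in ("org.add_member", "org.update_member") or grant.get("role") != "admin":
                continue
            end = grant["ts"] + window
            in_window = [e for e in evs if grant["ts"] <= e["ts"] <= end]
            removed = [e["target"] for e in in_window if e["action"] == "org.remove_member"]
            if len(removed) >= min_removals:
                alerts.append({"actor": actor, "new_admin": grant["target"],
                               "start": grant["ts"].isoformat(), "removed": removed,
                               "billing_changed": any(e["action"] == "org.update_billing_email"
                                                      for e in in_window)})
                break  # later grants by the same actor belong to the same incident
    return alerts
```

Calling `detect_takeover(parse_events(SAMPLE_AUDIT_LOG))` yields a single alert for `admin1` listing the three removed members and the billing change, while the routine grant by `admin2` produces nothing.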

    • (Score: 0) by Anonymous Coward on Saturday July 07 2018, @09:42PM

      by Anonymous Coward on Saturday July 07 2018, @09:42PM (#703954)

      Then Microsoft github would know your password, you stupid fuck.

    • (Score: 2) by TheRaven on Sunday July 08 2018, @10:46AM

      by TheRaven (270) on Sunday July 08 2018, @10:46AM (#704173) Journal
      The FreeBSD compromise a few years ago turned out to be a result of a developer not securing a VM that they were doing some experiments on and not realising that it had a copy of their SSH private key with no passphrase. When the VM was compromised, script kiddies were able to get access to a load of project infrastructure. It doesn't matter how strong the password is if, as in this and the Gentoo case, the attacker first compromises the endpoint.

      FreeBSD was lucky because the kiddies logged in, tried to run some GNU-flavoured commands, and then gave up when they didn't work. From the audit logs, it doesn't look as if they ever realised that they had commit access to the project's svn repo (or even what FreeBSD is). The Gentoo compromise seems a bit more deliberate.

      --
      sudo mod me up
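A check for the failure TheRaven describes, a private key sitting on a machine without a passphrase: this added example (not the commenter's code) reads the header of a key file and reports whether it is encrypted, using the cipher and KDF names at the start of the OpenSSH private key format plus the legacy PEM and PKCS#8 headers. The sample key it builds is a constructed header only, with no key material.

```python
import base64
import pathlib
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private key format

def _string(b):
    """Encode bytes as an SSH 'string': big-endian uint32 length + payload."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(pem_text):
    """Classify a private key file's text as 'encrypted', 'unencrypted' or 'unknown'.
    Handles the OpenSSH format (cipher/KDF names in the header), PKCS#8 and
    the legacy PEM 'Proc-Type: 4,ENCRYPTED' header."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "unknown"
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "encrypted"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:
        return "encrypted"
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:]):
        return "encrypted"
    return "unencrypted"

def scan_ssh_dir(path):
    """Map each non-.pub file in a directory (e.g. ~/.ssh) to its protection status."""
    results = {}
    for p in pathlib.Path(path).iterdir():
        if p.is_file() and not p.name.endswith(".pub"):
            results[p.name] = key_protection(p.read_text(errors="ignore"))
    return results

def fake_openssh_key(cipher, kdf):
    """Constructed test input: only the format header, no real key material."""
    blob = OPENSSH_MAGIC + _string(cipher) + _string(kdf) + _string(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Any entry that `scan_ssh_dir` reports as "unencrypted" is a key that a copied VM image or backup exposes outright; giving it a passphrase or moving it to an agent or hardware token removes that exposure.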
  • (Score: 0) by Anonymous Coward on Saturday July 07 2018, @08:07PM

    by Anonymous Coward on Saturday July 07 2018, @08:07PM (#703908)

    We previously had a story about the Linux Mint site getting pwned.

    We followed that up with another story about how Clem and his guys reacted after their ISOs got corrupted/malware'd.
    tonyPick [soylentnews.org] had a good comment on that.

    In that case, their big problem boiled down to
    -using closed-source software for their site.
    -not updating that stuff. (They said that that was on their ToDo list, it just wasn't a priority.)
    -the top guy not delegating responsibilities|not calling in help (which they ended up doing).

    -- OriginalOwner_ [soylentnews.org]

  • (Score: 0) by Anonymous Coward on Sunday July 08 2018, @02:52PM

    by Anonymous Coward on Sunday July 08 2018, @02:52PM (#704222)

    I like how they are open about what happened. It shows that they (hopefully) learned from the experience, and it gives others insight to avoid falling to something similar. The turnaround time to rectify was great too, unlike other corporate organisations we read about which stay compromised for months or years on end.

    I use Gentoo Linux on some of my machines, I will continue to use it, and I will continue to trust them far more than any closed-source software company even after this mishap.

  • (Score: 2) by darkfeline on Monday July 09 2018, @10:28AM

    by darkfeline (1030) on Monday July 09 2018, @10:28AM (#704486) Homepage

    See, this is why you use a password manager.

    One of the arguments against is that you can come up with a pattern for every site. That way you can use a different password for each site, you don't need a password manager, and your password is just as unguessable as a random password.

    Wrong! Patterns reduce your password entropy, and you are not as clever as you think; many other people have come up with the same pattern, and that pattern has already been added to password crackers.

    Rookie mistake number 0: not using a password manager.

    Slightly longer elaboration:

    The two greatest threats to your password are: 1. website compromise and 2. phishing. You must use different passwords for each site because websites will get compromised, and you do not want to go change the password for every single account. The only viable way to remember a random password for each site is a password manager.

    Your password manager should also have integration with your web browser. Phishing is wildly successful, even among people who are technically knowledgeable. You will not thoroughly check the URL and certificate on every page you log in to, because you are human. A password manager takes care of that for you, and will alert you if the URL/cert is wrong.

    Bonus: you should use 2FA when it is an option. The best option is a physical key (e.g. Yubikey), next is an app on your phone. SMS sucks, but it's better than nothing. "2FA" services like Authy completely defeat the point of 2FA, so avoid them.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 2) by DannyB on Monday July 09 2018, @02:06PM

    by DannyB (5839) on Monday July 09 2018, @02:06PM (#704555) Journal

    Google Chrome OS based on Gentoo [installgentoo.com]

    Considering how much trouble Google has gone to in order to harden Chrome OS, it only makes sense that trying to compromise the upstream code would make cents.

    --
    If you eat an entire cake without cutting it, you technically only had one piece.