Security breach: Kernel.org and Linux Foundation remain "temporarily unavailable"

The Linux world is in a bit of a security spinout at the moment.

Last month, the brains behind the Linux kernel discovered malware on the PC of at least one kernel maintainer, as well as on some of the kernel.org servers themselves.

Now, the Linux Foundation, a not-for-profit which bankrolls the main developers of Linux so that they can remain independent of any particular vendor or commercial group, is in the security soup, too.

The Linux Foundation sites have been replaced with holding pages since late last week, suggesting that finding out what actually happened hasn’t been as easy as the Foundation’s techies might have hoped.

Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.

The connection to the malware infection amongst the kernel maintainers themselves is echoed by the holding page for kernel.org, which says, simply, “Down for maintenance”. The Linux Foundation and Kernel.org sites are internet neighbours in the 140.211.169.0/25 network block.

In a creditable fit of caution, the Linux Foundation advises that you should consider the passwords and SSH keys used on its sites to be compromised. It also advises that “if you have reused these passwords on other sites, please change them immediately.” Of course, much better advice is never to reuse passwords on multiple sites in the first place.

(You might be wondering if this mention of possible password compromise means that the Linux Foundation failed to follow its own advice, and stored passwords in plaintext, rather than as an irreversible hash.

Remember, however, that this breach appears to involve a malware compromise, not merely the unauthorised retrieval of data from the servers. If a server is “owned” by malware, even the login process should be considered untrustworthy. Passwords could therefore have been stolen directly from memory during login, even though they were never written to disk.)

I’m still struggling to decide quite what the Loony Linux Lovers – those who insist that Linux is immune to malware – will make of this episode. Whilst Linux malware is not new, this is probably the closest it has ever come to the heart of their beloved operating system.

In a perversely back-handed sort of way, perhaps this incident is just what Linux needs to raise its profile outside the world of cloud service providers.

The “Linux has magic security smoke” proselytisers will be compelled to admit that insecurity isn’t just about Microsoft, and will be forced to improve their public attitude to security in general.

The “Linux is nothing more than a hobby product” naysayers will be compelled to admit that the operating system really is part of the Big Time. Why else would kernel.org be in the sights of cybercrooks?

And Linux itself will emerge almost entirely unscathed because, if any dodgy changes are found in the codebase, there will be a public record of them being rolled back and order restored.

Mind you, the Linux brains trust could do with getting a move on fixing things.

In the meantime, if you’ve never considered it before, why not take a look at OpenBSD 🙂