Awesome work, and happy that nothing bad has happened. One question: should a password length and secure password creation check be enforced on the FAS system? Like regular expression checks and stuff. I know this is asking a lot; the current implementation allows me to have a simple password, if I remember correctly (need to check; it's been a long time). And password expiry? :)
On Tue, Jan 25, 2011 at 1:14 PM, Jared K. Smith <[email protected]> wrote:
> Summary: Fedora infrastructure intrusion but no impact on product integrity
>
> On January 22, 2011 a Fedora contributor received an email from the Fedora
> Accounts System indicating that his account details had been changed. He
> contacted the Fedora Infrastructure Team indicating that he had received
> the email, but had not made changes to his FAS account. The Infrastructure
> Team immediately began investigating, and confirmed that the account had
> indeed been compromised.
>
> At this time, the Infrastructure Team has evidence that indicates the account
> credentials were compromised externally, and that the Fedora Infrastructure
> was not subject to any code vulnerability or exploit.
>
> The account in question was not a member of any sysadmin or Release
> Engineering groups. The following is a complete list of privileges on the
> account:
> * SSH to fedorapeople.org (user permissions are very limited on this
>   machine).
> * Push access to packages in the Fedora SCM.
> * Ability to perform builds and make updates to Fedora packages.
>
> The Infrastructure Team took the following actions after being
> notified of the issue:
> 1. Lock down access to the compromised account
> 2. Take filesystem snapshots of all systems the account had access to
>    (pkgs.fedoraproject.org, fedorapeople.org)
> 3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the
>    present
>
> Here, we found that the attacker did:
> * Change the account's SSH key in FAS
> * Login to fedorapeople.org
>
> The attacker did not:
> * Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in
>   any way
> * Generate a koji cert or perform any builds
> * Push any package updates
>
> Based on the results of our investigation so far, we do not believe that any
> Fedora packages or other Fedora contributor accounts were affected by this
> compromise.
>
> While the user in question had the ability to commit to Fedora SCM, the
> Infrastructure Team does not believe that the compromised account was used to
> do this, or cause any builds or updates in the Fedora build system. The
> Infrastructure Team believes that Fedora users are in no way threatened by
> this security breach and we have found no evidence that the compromise
> extended beyond this single account.
>
> As always, Fedora packagers are recommended to regularly review commits to
> their packages and report any suspicious activity that they notice.
>
> Fedora contributors are strongly encouraged to choose a strong FAS password.
> Contributors should *NOT* use their FAS password on any other websites or
> user accounts. If you receive an email from FAS notifying you of changes to
> your account that you did not make, please contact the Fedora Infrastructure
> team immediately via [email protected].
>
> We are still performing a more in-depth investigation and security audit and
> we will post again if there are any material changes to our understanding.
>
> --
> Jared Smith
> Fedora Project Leader
> --
> announce mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/announce

--
Cheers
Jose
http://josemanimala.eu.org/blog
Ph: +64221033100

_______________________________________________
infrastructure mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
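The reply above asks what a password length and strength check on an accounts system might look like. The following is an added example written for this page; it is not FAS code and not part of the thread. It assumes a minimal policy (a length floor, a character-class count, a small constructed deny-list of common passwords, no account name inside the password, no long repeated runs) and returns the list of failures so that a signup form can report them all at once. Password expiry is not modelled here.

```python
import re

# Constructed stand-in for a real breached-password corpus (assumption for this example).
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "fedora", "letmein"})

MIN_LENGTH = 12          # policy parameters are assumptions, not FAS settings
MIN_CLASSES = 3

# One regular expression per character class; a class counts if it appears at least once.
CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Four or more of the same character in a row ("aaaa", "1111").
REPEAT_RUN = re.compile(r"(.)\1{3,}")


def check_password(password: str, username: str = "") -> list[str]:
    """Return every policy rule the password breaks; an empty list means it passes."""
    failures: list[str] = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    classes = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(classes) < MIN_CLASSES:
        failures.append(
            f"uses only {len(classes)} of {len(CLASS_PATTERNS)} character classes"
        )

    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password list")

    if username and username.lower() in password.lower():
        failures.append("contains the account name")

    if REPEAT_RUN.search(password):
        failures.append("contains a run of four or more repeated characters")

    return failures


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True only when no rule fails."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("password", "bob"), ("bobbybobby123456", "bob"), ("Tr0ub4dor&3-Horse", "bob")]:
        problems = check_password(pw, user)
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

Reporting every failed rule, rather than stopping at the first, gives the user a single round trip to fix the password. The deny-list check is the one that catches the case the thread is really about: a short or reused password that is easy to obtain externally, which no regular expression on its own will detect.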
