
MySQL.com Hacked to Serve Malware (PC World)


Posted Sep 26, 2011 20:42 UTC (Mon) by mmcgrath (guest, #44906)
In reply to: MySQL.com Hacked to Serve Malware (PC World) by dlang
Parent article: MySQL.com Hacked to Serve Malware (PC World)

I'm not sure what being open source has to do with it. This is happening everywhere. Besides, these days MySQL is barely open source.


MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 26, 2011 21:10 UTC (Mon) by dlang (guest, #313) [Link] (10 responses)

The number of open source servers that have been hit recently is significantly higher than in any other similar timeframe I can think of.

This may just be a coincidence, or it could be a change in focus on the part of the attackers. It would be negligent to assume it's just a coincidence.

I agree with you about MySQL, but it still retains the reputation.

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 26, 2011 21:35 UTC (Mon) by Kluge (subscriber, #2881) [Link] (9 responses)

"this may just be a coincidence, or it could be a change in focus on the part of the attackers."

Or it may be that open source projects are more honest and thorough in their disclosure.

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 26, 2011 21:41 UTC (Mon) by dlang (guest, #313) [Link] (4 responses)

Two things:

I'm not saying that they are not attacking other targets; I'm just pointing out that the rate of attacks against open source hosts has jumped significantly recently.

Attacks this blatant (where the site itself attacks browsers connecting to it) don't give the host much chance to avoid disclosure.

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 26, 2011 22:02 UTC (Mon) by tialaramex (subscriber, #21167) [Link] (3 responses)

Actually I've seen the administrator and owner of a web site strongly deny that it was or even could be infected with this type of thing. They even got some positive feedback from other people in the affected community, assuring those complaining that they must be mistaken... until the complainers cited chapter and verse of exactly where the malware was, and how to fix it; then it was silently fixed and no further discussion was permitted.

Inside the Free Software community shutting people up doesn't work very well. But outside, there are a lot of reasons for people to stay quiet or toe the line, even if they're smart enough to figure out the truth.

This particular type of attack is usually automated: some compromised machine out there is banging away at some known vulnerability and using it to install the scripts. There can even be a cascade. Machine #1, compromised by hand, is trying SSH password dictionaries; when it gets into machine #2 this way, it runs a program that uses machine #2 to try to find vulnerable web sites. When machine #2 finds a web site running on machine #3, it inserts the JavaScript, and when the ordinary user operating machine #4 visits the site, he gets malware injected. Now machine #4 is sending spam email advertising a "cheap Viagra" site. The bad guys broke into one machine, and soon they have a hugely profitable botnet, without a stroke of additional work!

hushed up

Posted Sep 26, 2011 22:16 UTC (Mon) by tialaramex (subscriber, #21167) [Link] (1 responses)

Oh, another great example of how different other communities are, at the risk of compromising some future work planned at my company...

The video game World of Warcraft has been very popular. Blizzard -- the company which owns it -- has enormous problems with "account theft" where third parties obtain a user's email address and password and log into the game. This is frustrating for the user, who may find their much loved characters stripped of their belongings, or deleted altogether, and it's bad for the economy of the wider game. So Blizzard spend a fortune trying to educate users to avoid the problem, and developing countermeasures.

There are a large number of third party web sites either providing a service related to the game, or providing news and discussion forums. As with most such sites on any topic, they have their own user database, with email addresses in it, but they don't reveal their users' addresses to the public.

I signed up for a LOT of these sites, including some of the most famous and well respected. Each time I used a unique and unlikely-looking email address, one which never receives spam etc. Typically within a few weeks, and never more than a month, these previously never contacted addresses begin receiving very carefully tailored phishing emails, targeting World of Warcraft login credentials.

Each time this happened, I used the "feedback" forms, and forums to explain what's happened, and ask for an explanation. I have never received even the courtesy of acknowledging my comment. Where the complaint itself is public, it is usually deleted.

Are all these sites being "broken into"? Or do their administrators cheerfully hand over contact details about users to criminal "businessmen" for a slice of the profit? I don't know. But either way, nobody wants to talk about it or have it be talked about.

hushed up

Posted Sep 27, 2011 17:01 UTC (Tue) by k8to (guest, #15413) [Link]

Yeah, same experience. Each time I report it to the site where it happened (no response), and to Blizzard (canned response), as well as the larger community. My stance to Blizzard has generally been "look, you cannot trust third party sites, and need to internalize most of these services around your game unless you want to keep dealing with people being hacked."

Of course I used different credentials each time, so nothing protectable was compromised, but it is still disturbing.

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 27, 2011 11:02 UTC (Tue) by aggelos (subscriber, #41752) [Link]

I don't know... The mysql website (especially the docs section) must have a higher than usual ratio of admins to casual readers in its visitors. And admins usually have more valuable keys loaded in their ssh-agent (and descriptive entries in their ~/.ssh/config). Not saying this wasn't automated (no info either way at this point), just pointing out that the mysql website would probably be a very attractive stepping stone for someone who is interested in high-profile targets.

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 26, 2011 21:48 UTC (Mon) by PaulWay (guest, #45600) [Link] (3 responses)

Quote: Or it may be that open source projects are more honest and thorough in their disclosure.

I totally agree. As Lulzsec showed, private companies will try to ignore, cover up, or deny security problems. We in the open source community know that that's a losing game - the eventual discovery will always be worse than if you just come clean to start with.

And I also think that this isn't really a trend against open source websites, more that the net for malware installation is being cast wider and the attacks used against websites are becoming more sophisticated. We can't afford to leave ssh listening to everyone on standard ports or run standard packages like Drupal with the common defaults any more.

Have fun,

Paul

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 27, 2011 1:19 UTC (Tue) by Duncan (guest, #6647) [Link] (2 responses)

I too believe FLOSS sites tend to be more openly honest when they get cracked, but I think that's sidestepping the point that was being made.

Either all these FLOSS sites suddenly "got the openness religion" at the same time, themselves, and started reporting the cracks that have been going on all along...

OR, there's a quite recent and rather large wave of these cracks, all happening within weeks of each other either due to some new development, or due to pure chance.

The first possibility, that these sites all suddenly "got religion" and started reporting successful cracks that have been happening all along, seems rather unlikely.

That leaves the second (compound) possibility, that they're suddenly getting attacked more. While this could /indeed/ be mere chance, it does suggest some targeting as well (currently still without direct public evidence), or why so close together now, instead of six months or a year ago, when most of these sites were running more or less the same security as they are now?

Now it's reasonable to note that for most of the community it doesn't really matter whether there's some sort of conspiracy or not, just as for most, it doesn't matter whether then-VP Cheney was involved in some 9/11 conspiracy or not -- the effect on those involved and the wider world was the same either way; for them, it didn't and doesn't MATTER. So the debate is in this regard rather academic... for most people at least.

But regardless of the reason, conspiracy or simple chance, the fact is that there's now at least THREE headline FLOSS sites that have been penetrated within weeks of each other: Linux.com and the Linux Foundation, kernel.org, and now MySQL.com (which, though it is arguably heading more open-core than truly open source, still has the FLOSS profile and reputation).

And dlang's point stands. This really SHOULD serve as a wakeup call to the FLOSS community as evidently one was needed. LOCK DOWN YOUR SERVERS! Regardless of whether it was simply luck before, or whether we're being deliberately targeted now, IT'S HAPPENING NOW! The FLOSS community was all too complacent before, and now our sites are being cracked open left and right. If you're in a FLOSS project that hasn't been cracked yet, consider yourself lucky, not blessed. If there was ever a time for vigilance and going over those security policies one, or ten, more times, this is it. It doesn't hurt to get a pair of eyes from outside the project to take a look as well.

Talking about which... We have the Software Freedom Law Center and various other cooperative legal endeavors. And there's freedesktop.org, the FHS and LSB, POSIX, etc, on the technical interoperative side. But I'm not aware of any formal FLOSS-based organization that helps individual FLOSS sites and organizations with their security, providing a trusted set of outside eyes to look at security procedures, etc, and make recommendations for tighter security, preferably on a quid-pro-quo or at least lower than security consultant market rates, for what are after all often partially or fully volunteer operations with relatively low budgets.

Now certainly, both the Linux foundation and kernel.org have a reasonable donation base, and MySQL.com has its new corporate masters. But consider, how long would it have taken an outside pair of eyes to nail the formerly hundreds of shell access accounts at kernel.org, one per git repo, and recommend pretty much exactly what they're doing now, gitolite, instead? Kernel.org has been hosting git accounts for long enough now, that surely, a timely review six months or a year ago might well have prevented the situation as it is today.

And evidently, if inside eyes saw it, they didn't carry the necessary urgency and weight to do anything about it. One would hope that an official opinion from someone coming in from an external organization dedicated to providing just this sort of external eyes security review services would have carried the necessary additional weight and urgency, instead of having it forced on them by hindsight.

So indeed, there's community organizations for legal support and technical interoperability; where's the community organization providing site security audit support, etc?

Duncan

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 27, 2011 1:51 UTC (Tue) by dlang (guest, #313) [Link]

To be fair to the kernel.org admins, there was a legitimate reason for all those users to have accounts. While there are ways to be more secure (like what they are now implementing), those ways also restrict things that are very legitimate to do. I don't blame them for not pushing harder for this. Remember that kernel.org was one of the first places to start hosting git repositories, and as a result (combined with who they are being hosted for :-) there are probably more oddball things being done with git there than anywhere else.

Also, far too many people, especially security and audit types, fall into the trap of thinking "SSH is used == Secure".

SSH is only as good as your authentication. If you are relying on pre-shared keys for your authentication, it is only as good as the security on the remote machine (you know, the one you as an admin _don't_ control).

SSH has been used as a conduit for attacks for years, exactly because people overly trust the remote machines connecting to them (and given a chance, most people extend this trust when they can, all in the name of convenience).

David Lang
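dlang's warning above, that an SSH key is only as trustworthy as the remote machine holding it, is the reason per-key restrictions (forced commands, source limits, no agent forwarding) matter more than the mere presence of SSH; it is also the shape of what kernel.org gained by moving shell accounts to gitolite. The following script is an added example, not code from the page, from kernel.org or from gitolite: it parses constructed authorized_keys lines and reports keys that lack a forced command, a from= source restriction, or agent-forwarding limits.

```python
import re

# Constructed sample authorized_keys lines (not from the page): an unrestricted
# key, a forced-command key with no source limit, and a fully locked-down key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EconstructedKey1 dev1@laptop
command="/usr/bin/gitolite-shell dev2",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructedKey2 dev2@laptop
from="10.0.0.0/8",restrict,command="/usr/bin/gitolite-shell dev3" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructedKey3 dev3@laptop
"""

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")
# Options (if any) precede the key type; the comment (if any) follows the key blob.
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s+(\S+)(?:\s+(.*))?$")

def split_options(options):
    """Split on commas outside double quotes, so command="a b,c" stays one option."""
    return re.findall(r'(?:[^,"]|"[^"]*")+', options)

def parse_line(line):
    """Return (option names, key type, comment) or None if not a key line."""
    m = KEY_RE.search(line)
    if m is None:
        return None
    names = {o.split("=", 1)[0] for o in split_options(line[: m.start(1)].strip())}
    return names, m.group(1), (m.group(3) or "").strip()

def audit(text):
    """Flag keys that grant more than a forced, source-limited command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            findings.append((lineno, "?", ["unparseable line"]))
            continue
        names, key_type, comment = parsed
        checks = (
            ("command" not in names, "no forced command (shell access possible)"),
            ("restrict" not in names and "no-agent-forwarding" not in names, "agent forwarding allowed"),
            ("from" not in names, "no source address restriction"),
            (key_type == "ssh-dss", "weak key type"),
        )
        issues = [msg for bad, msg in checks if bad]
        if issues:
            findings.append((lineno, comment, issues))
    return findings
```

Run audit() over a real ~/.ssh/authorized_keys to get a per-key list of what each key is still allowed to do beyond the one command it was issued for.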

Possible explanation for the rash, contagion.

Posted Sep 27, 2011 19:20 UTC (Tue) by jmorris42 (guest, #2203) [Link]

Anyone considered this rash might be more a contagion? What are the odds any stolen login data from one open source site probably has at least one account using the same info on a different open source site? So somebody got into one and is using the stolen info to leapfrog from site to site. A lot of sites are secure enough to keep an outside attacker out but given local access there are plenty of local root exploits and those don't get nearly enough attention.

So you know what to do. Time to force a password/key change.

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 27, 2011 6:40 UTC (Tue) by lkundrak (subscriber, #43452) [Link] (1 responses)

Quote: Besides, these days MySQL is barely open source.

What are you smoking?

~$ rpm -q --qf '%{license}\n' mysql
GPLv2 with exceptions

MySQL.com Hacked to Serve Malware (PC World)

Posted Sep 27, 2011 13:09 UTC (Tue) by mmcgrath (guest, #44906) [Link]


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds