The attack was discovered on Thursday, and the foundation is still conducting a full audit of the affected sites. "We are in the process of restoring services in a secure manner as quickly as possible," it said in a notice posted on the front page of the Linux Foundation website.
For now, the foundation doesn't know the full extent of the intrusion, and recommended that users change their passwords when the site comes back online. "As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised," it said. It also warned Linux Foundation users who might have reused their passwords on other websites to change those passwords immediately.
Given the password warning, did the Linux Foundation fail to secure the passwords, for example by storing them as plain text, rather than salting and hashing them? Not necessarily, said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post "This breach appears to involve a malware compromise, not merely the unauthorized retrieval of data from the servers. If a server is 'owned' by malware, even the login process should be considered untrustworthy. Passwords could therefore have been stolen directly from memory during login, even though they were never written to disk."
The Linux Foundation thinks that the attack on its website is related to last month's kernel.org intrusion, which likewise remains offline while its administrators audit the site, working with authorities in the United States and Europe.
In a statement that was previously posted to the site, the Linux Kernel Organization said it discovered that on August 28, a number of its servers had been compromised, with an attacker gaining root access. "While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure," according to the statement.
Both kernel.org servers, as well as the computer of at least one person who helps maintain the kernel, were infected with malware, according to The Register, in a breach that lasted at least 17 days before being detected. While that might sound alarming, Linux experts said that Kernel.org doesn't house the code base, but rather only distributes it.
In addition, no changes could be made to the distributed code without alarms sounding. "The code for the kernel (and for many other projects) is managed with the 'git' source code management system. And git does not allow the code to be modified by third parties without people knowing about it," said Jonathan Corbet, executive editor of LWN.net, in a blog post.
Notably, a 160-bit cryptographic hash is generated for every set of Linux code changes. "The key to the hash function is that, if the contents of the file change, the hash will change too," said Corbet. "Creating any new file matching the hash of an existing file is not really possible; if you want that new file to look like the old one with the exception of a bit of hostile code, the challenge is even bigger."
Still, he said, as a member of the Linux kernel development community, "I can say that this episode is disturbing and embarrassing."
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)