Wednesday, August 27, 2008

To trust or not to trust Red Hat, that is the question

I like Linux. I like Red Hat and Fedora Linux. I use them every day. What I don't like, though, is not knowing what's what with the recent security break-in into the RHEL (Red Hat Enterprise Linux) and Fedora file servers.

What happened, we're told by Paul W. Frields, the Fedora project leader, is that "some Fedora servers were illegally accessed" during the week of August 11th. OK, fair enough, Web servers are broken into all the time. Frields then added, "The intrusion into the servers was quickly discovered, and the servers were taken offline." OK, that's what they should have done, but then things get more interesting.

As a result of the Fedora break-in, Red Hat checked into its RHEL servers and, Frields wrote, "Detected an intrusion of certain of its computer systems and has issued a communication to Red Hat Enterprise Linux users." Excuse me, your people found out that your community Linux servers had been compromised before they found out that there were problems with the business Linux servers?

In a critical Red Hat security advisory, the Red Hat security team wrote, "While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers."

But, the "intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)." OpenSSH, for those of you who aren't administrators or remote users, is an extremely important secure remote-connectivity program for Linux/Unix. If you use OpenSSH with a known signature, a hacker who knows the signature can easily pick your network locks and gain access to your systems. In other words: Not Good.

Now, Red Hat has issued a way to detect OpenSSH files that have been tampered with. In addition, Red Hat has issued fixed OpenSSH files. There is no evidence, wrote Frields, that any Fedora was compromised, but to stay on the safe side, "we have decided to convert to new Fedora signing keys."

OK, so Fedora and Red Hat have done most of the right stuff. What they haven't done, though -- and I've asked -- is explain how the servers were broken into in the first place. That bugs me.

I hammer on proprietary software companies, like VMware and Microsoft, when their systems blow up, so I can't just ignore this situation with Red Hat. So, while I'm very pleased that Red Hat is patching any possibly violated files, I still would like to know 1) how the sites were breached in the first place and 2) what steps Red Hat will be taking to make sure it doesn't happen again.

This isn't too much to ask for. After all, it's exactly what I ask of proprietary vendors when they blow it. To fully trust Red Hat, I'd really like answers to my questions.


source: Steven J. Vaughan-Nichols

Cyber Cynic