IF YOU WERE busy downloading stuff from Gentoo last week rather than enjoying the Great British heatwave, you’re probably already aware of the GitHub mirror compromise that saw the project’s GitHub pages changed and ebuilds replaced.
At the time, Gentoo admitted that an attacker had gained control of its GitHub organisation, with “unknown individuals” modifying the content of repositories. It, therefore, warned anyone who had pulled from the GitHub mirror in the previous 24 hours to delete any downloaded files until it had investigated the issue and gauged the scale of the impact.
Gentoo has finally issued a report laying out the magnitude of the attack, which took place on 28 June and saw the distribution site unable to use GitHub for approximately five days.
According to the report, it all comes down to basic security, as with most hacks these days.
Gentoo said the root cause was a guessed password: the attacker worked out an organisation administrator’s password, and because two-factor authentication was not required on the organisation, that single password was enough to take it over.
“The attacker gained access to a password of an organisation administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated web pages,” the incident report read.
Once the attacker gained access, Gentoo said it was lucky that the attack was “loud”, noting that a quieter attacker, pushing plausible-looking fast-forward commits instead, could have lurked for longer. The report added that by force-pushing commits that attempted to remove all files, the attacker broke downstream checkouts immediately and so made “downstream consumption more conspicuous”.
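The loud-versus-quiet point above invites a concrete downstream check. The script below is an added example, not Gentoo’s own tooling: it builds a throwaway upstream repository and a downstream clone (both constructed here, with made-up ebuild file names), then runs a fetch guard that refuses to advance when the history the mirror now serves is no longer a descendant of what the consumer already has (what a force push looks like from the receiving end), or when the update deletes most of the tracked tree, while accepting an ordinary commit. The 50% deletion threshold, the repository layout and the commit identity are assumptions.

```shell
#!/bin/sh
# Added example, not Gentoo's code: a downstream consumer's guard against a
# rewritten or gutted git mirror. Everything runs in a throwaway directory;
# the "upstream" and "downstream" repositories below are constructed here.
set -u

# Identity for the constructed commits (assumption: no global git config is needed).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# check_update CLONE BRANCH MAX_DELETE_PCT
# Fetches BRANCH from origin into CLONE and fast-forwards only if the update
# (a) descends from what we already have (a force push does not), and
# (b) deletes no more than MAX_DELETE_PCT percent of the tracked files.
check_update() {
  clone=$1; br=$2; max_pct=$3
  git -C "$clone" fetch -q origin "$br" || return 2
  local_head=$(git -C "$clone" rev-parse HEAD)
  remote_head=$(git -C "$clone" rev-parse FETCH_HEAD)
  [ "$local_head" = "$remote_head" ] && return 0
  if ! git -C "$clone" merge-base --is-ancestor "$local_head" "$remote_head"; then
    echo "REJECT: $br was rewritten (non-fast-forward), not updating" >&2
    return 1
  fi
  total=$(( $(git -C "$clone" ls-tree -r --name-only "$local_head" | wc -l) ))
  deleted=$(( $(git -C "$clone" diff --name-only --diff-filter=D "$local_head" "$remote_head" | wc -l) ))
  if [ "$total" -gt 0 ] && [ $(( deleted * 100 / total )) -gt "$max_pct" ]; then
    echo "REJECT: update deletes $deleted of $total tracked files, not updating" >&2
    return 1
  fi
  git -C "$clone" merge -q --ff-only "$remote_head"
}

# --- constructed scenario helpers: mutate "upstream" the way a push would ---
setup_repos() {          # $1 = work dir; upstream with four ebuilds plus a clone
  mkdir -p "$1/upstream"
  git -C "$1/upstream" init -q
  for f in a b c d; do echo "EAPI=7 # $f" > "$1/upstream/$f.ebuild"; done
  git -C "$1/upstream" add -A && git -C "$1/upstream" commit -q -m "initial tree"
  git clone -q "$1/upstream" "$1/downstream"
}
benign_update() {        # one ordinary fast-forward commit touching a single file
  echo "KEYWORDS=amd64" >> "$1/upstream/a.ebuild"
  git -C "$1/upstream" commit -q -am "a: add keyword"
}
wipe_update() {          # fast-forward commit that removes every tracked file
  git -C "$1/upstream" rm -q -r . && git -C "$1/upstream" commit -q -m "remove all files"
}
rewrite_update() {       # $2 = old root commit; history is reset to it and a new
  git -C "$1/upstream" reset -q --hard "$2"   # commit added, as a force push would
  echo "EAPI=7 # e" > "$1/upstream/e.ebuild"
  git -C "$1/upstream" add -A && git -C "$1/upstream" commit -q -m "add e"
}
verdict() { if check_update "$@"; then echo accept; else echo reject; fi; }

# demo: runs the three scenarios in order and echoes one word per outcome.
demo() {
  work=$(mktemp -d)
  setup_repos "$work"
  branch=$(git -C "$work/upstream" rev-parse --abbrev-ref HEAD)
  root=$(git -C "$work/upstream" rev-parse HEAD)
  benign_update "$work";           r1=$(verdict "$work/downstream" "$branch" 50)
  wipe_update "$work";             r2=$(verdict "$work/downstream" "$branch" 50)
  rewrite_update "$work" "$root";  r3=$(verdict "$work/downstream" "$branch" 50)
  rm -rf "$work"
  echo "$r1 $r2 $r3"
}
demo
```

Run stand-alone it prints `accept reject reject`: the ordinary commit is merged, the tree-wiping commit is refused by the deletion threshold, and the rewritten branch is refused as non-fast-forward. Note what this guard does not do: a quiet attacker who pushes small, plausible fast-forward commits passes both checks, and only verifying commit or tag signatures against a trusted keyring (for example with `git verify-commit`) would catch that; the key management it needs is left out of this sandbox.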
As you can imagine, Gentoo now has a requirement for two-factor authentication to join its GitHub organisation.
Nevertheless, it doesn’t seem like the hack caused too much damage.
“We do not believe the private keys of the account impacted were at risk, and so the Gentoo-hosted infrastructure was not impacted by this incident,” said the report.
However, according to logs, a number of GitHub accounts were probed for nearly 20 days in the lead-up to the attack.
“We are still working to determine the exact extent and to regain control of the organisation and its repositories,” Gentoo had said in its initial notice. “All Gentoo code hosted on GitHub should for the moment be considered compromised.”
Source: Inquirer