Wednesday, December 10, 2003

News: Developers take Linux attacks to heart:
"During the last four months, unknown intruders have breached the security around servers hosting programs and code published by the Linux kernel development team, the Debian Project, the Gentoo Linux Project and the GNU Project, which manages the development of many important programs used by Linux and other Unix-like systems. The attacks have convinced open-source project leaders to take another look at their security."

"It is a definite eyebrow raiser that there has been this targeting of open-source servers and core open-source development servers," said Corey Shields, a member of the infrastructure team that oversees the distribution system for Gentoo Linux's code. "The worry is that if someone wanted to be malicious, they could change core software and users could be using corrupted packages."

Although the open-source model has led to immense progress in developing a competing operating system to Microsoft's Windows--long a target of hackers--it now seems to be a magnet for attackers itself. In a sort of backhanded compliment, attackers are aiming at the Linux OS and other open-source applications because of the software's popularity. Even developers who believe they've adequately secured their development systems are looking at the trend with some trepidation.

"It is one of those things where you have to hope you are not next and try to be one step ahead of the bad guys," said Jeremy Allison, co-founder and developer of the Samba Project, the programming effort for the popular open-source file server that seamlessly fits into Windows networks.

On Dec. 1, an attack on Gentoo Linux compromised one of 105 volunteer-run servers that make copies of Gentoo's source code available to users. The attack, however, didn't threaten the main source-code database. Moreover, security software on the targeted server detected the attack quickly and kept a detailed record of it.

The incident followed a November attack on the Linux kernel, which similarly happened because another system--this time a developer's--had been breached and used as a stepping-stone. The attacker used the developer's machine to submit code to a secondary server, code that could have been used by a later attacker to gain access to any systems that installed it. That attack also was detected within 24 hours.

Other incidents in the rash of attacks have been more serious.

Intruders gained access to the GNU Project's development system, Savannah, and in a separate incident, to four Debian Project servers used to manage development and community efforts for that Linux distribution.

Both attacks were similarly executed: An attacker managed to garner a legitimate user's log-in name and password and then used a recently discovered vulnerability in the Linux kernel to gain the rights and privileges of the system's owners. Both Debian and GNU Project leaders continue to keep the systems offline--and inaccessible to developers--until they can ensure they're secure.

The GNU Project said the latest attack, and another one that compromised the project's file transfer servers last March, had prompted its leadership to make changes.…

http://zdnet.com.com/2100-1105_2-5117271.html
