Posted by Dana Epp
How A Linux Distro Demonstrated That The Weakest Link In Online Security Is Still People
Recently, the tech world had another wake-up call regarding the importance of strong security in their online systems with a high-profile breach. Moreover, this didn’t happen to some random startup or to a large corporation only tangentially associated with technology. It happened to a group that, quite frankly, really should have known better.
We are, of course, referring to the recent takeover of the GitHub account owned by the Gentoo Linux distribution. First released in 2000, Gentoo Linux is a well-established and respected distro which openly bills itself as being targeted to network professionals. Further, one would expect that Linux devs, of all people, would have proper security measures in place.
However, that wasn’t the case. Instead, they became one more example of how people are almost always your weakest link in security – and how any company can overlook basic security measures.
How Gentoo Linux Became A Public Example Of Security Failures
On June 28, 2018, a group of “unknown individuals” gained access to Gentoo’s GitHub account. GitHub is one of the most popular online repositories for sharing, editing, and downloading source code. By gaining access to Gentoo’s GitHub account, these attackers had the power to directly alter the code in Gentoo’s own Linux distro, as well as any tools that might be shared among other Linux users.
Once the hackers gained access, they immediately locked out Gentoo’s official users, and set about compromising the code. They attempted to insert “rm -rf” commands into various application code bases that, if successfully run, would have resulted in mass data loss to the users of those apps. Fortunately for Gentoo, the hackers made changes that were quickly noticed, and Linux's own security systems made it unlikely their attempt at data destruction would have succeeded.
So, how did it happen? The hackers guessed an admin password.
At this point, if you are wondering “Why was their password easy to guess? Why weren’t they using two-factor authentication?” then congratulations! You’ve got a higher security mindset. The entire incident could have been avoided if Gentoo had mandated strong passwords which weren’t related to existing passwords, utilized two-factor authentication or – preferably – both.
On top of that, Gentoo also did not have proper backups. They kept their backups... on GitHub.
As a result, they were unable to use their own GitHub account for roughly five days, and had to issue very publicly embarrassing warnings to users. Worse, should any user-side damage be proven as a result of this breach, Gentoo could – at least in theory – be held liable.
Because they are a non-profit entity, Gentoo was less inconvenienced by this than most businesses would be. For any for-profit public company, this would have been truly disastrous.
What You Can Do To Improve Your Human Security Situation
Obviously, we’re not here to judge Gentoo - after all, we don't know the full background on their security decisions. The purpose of this article is to highlight, once again, just how easily human error can compromise security in cloud systems and other shared online sources. Even a company deeply involved with security and networking matters can make mistakes that lead to serious problems. And it’s not just Gentoo. Estimates are that up to 90% of cyber-attacks are due to human behavior undermining system security.
Just from this incident, we can take some lessons:
1 – ALWAYS use two-factor authentication on critical systems
This should be a no-brainer. Two-factor authentication is one of the single best “safety nets” you can put into place, in regards to protecting your online assets. The very minor inconvenience involved is vastly outweighed by how many intrusions can be prevented.
2 – Require strong, hard-to-guess passwords
A lot of people have opinions on how to make a strong password which is also memorable. Here’s ours: Use a passphrase rather than a password, such as a small quote from a favorite book, poem, song, movie, etc. After all, even if a hacker knew that someone’s favorite play was Hamlet, they would be deeply unlikely to guess “ArrowsOfOutrageousFortune” as a password. For extra security, add exclamation points, convert Os to zeros, or look for quotes that can use texting-style abbreviations (e.g., “4Score&7YearsAgo”).
3 – Keep your backups separated
Again, this is basic common sense. Your backups should be kept off-site, on a different storage system than your primary cloud infrastructure. If possible, keep multiple backups.
4 – Have well-defined emergency communication procedures in place
According to Gentoo’s Incident Report, they lacked centralized avenues of communication within their own team, and with their users. Their own communications failures contributed in part to the length of the attack, and the number of users potentially affected.
5 – Train your workforce on how to avoid revealing details of themselves online
Gentoo was circumspect on exactly how the attackers were able to guess the password, only saying “Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages.” Chances are, the admin in question was too public about aspects of themselves. Your workforce should understand personal identity protection online, how to stay away from websites that are potentially stealing information, and why they should avoid sharing personal details that might be compromising.
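Lesson 5 describes a password scheme in which one disclosed password makes the same person's passwords on unrelated sites easy to guess. The following is an added example, not code from the original post, of a defensive policy check that rejects a candidate password when it is merely a per-site variant (appended site name, counter or year, digit-for-letter swaps) of a string already present in a disclosed-password list; it generalizes slightly beyond the post by treating any of those decorations as equivalent. The disclosed list, the site tokens and the substitution table are constructed assumptions for the demonstration.

```python
import re

# Constructed sample of strings disclosed in an earlier breach of some other
# site (placeholder values; not real credentials, not from the Gentoo incident).
DISCLOSED = {"tobeornottobe", "Hamlet1999", "WinterSoldier!", "summer2017-twitter"}

# Site names a derivation scheme commonly splices in (assumed list).
SITE_TOKENS = ("github", "twitter", "linkedin", "gmail")

# Digit/symbol swaps such schemes apply; undone so that variants compare equal.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Reduce a password to its base form: lowercase, drop site names, strip the
    leading/trailing digits and punctuation a scheme adds per site ("2018!",
    "-github"), then undo digit-for-letter swaps in what remains."""
    base = candidate.lower()
    for token in SITE_TOKENS:
        base = base.replace(token, "")
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(UNLEET)


def derived_from_disclosed(candidate: str, disclosed=DISCLOSED) -> bool:
    """True when the candidate shares its base string with something already
    disclosed, i.e. it is a per-site variant rather than an independent secret."""
    base = normalize(candidate)
    return bool(base) and any(base == normalize(old) for old in disclosed)


def check_password(candidate: str, min_len: int = 16) -> list[str]:
    """Return the policy findings for a candidate; an empty list means accepted."""
    findings = []
    if len(candidate) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if derived_from_disclosed(candidate):
        findings.append("variant of a previously disclosed password")
    return findings


if __name__ == "__main__":
    for pw in ("H4mlet2018!", "T0BeOrN0tT0Be-github", "correct horse battery staple"):
        print(pw, "->", check_password(pw) or ["accepted"])
```

A real deployment would replace the constructed set with a breached-password corpus and run the check at password-change time, so the policy rejects the derived variant before it ever becomes the admin password.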
Audit Your Azure Access Controls With AuditWolf
If you think GitHub accounts are easy to compromise, have you considered the possibility of similar attacks on your Azure infrastructure? Take advantage of AuditWolf's account auditing controls, and identify weaknesses in your cloud environments which are similar to those Gentoo found at GitHub. Contact us to learn more!