Red Hat Hacked, Company Issues Security Advisory

• By Jabulani Leffall
• 08/25/08

In a sign that hackers have no problem taking advantage of open source solutions, Linux-based product distributor Red Hat issued a "critical" security advisory Friday, saying that its servers had been compromised.

In the advisory, Red Hat warned that hackers had somehow taken control of its systems by tampering with code. The attack was discovered last week. The intrusion was not systemic and didn't affect the company's content distribution programs. Consequently, malicious code was not uploaded to users of Red Hat's products.

There were early indications that something might be awry on the week of Aug. 12, when scattered reports indicated that Red Hat's flagship Fedora OS was rebooting continually, causing intermittent outages. The culprits have yet to be identified.

The hackers got hold of a small number of OpenSSH packages relating only to Red Hat Enterprise Linux. OpenSSH, or Open Source Secure shell, is a set of programs that provide encrypted code transference over a network using secure shell protocol. OpenSSH is a free software alternative to a commercial solution produced by Finish IT company SSH Communication Security, which patented the SSH protocol technology.

Security experts say that this hack has lasting implications for the Linux movement and open source security.

"It's true that hackers can and will take advantage of a development and distribution program that's not like Windows," said Reuben Davis, a consultant for Affiliated Computer Services, a large IT services outsourcer. "Intruders capitalize on the geek factor of Linux and there are no licensing restrictions or elaborate security programs backed by big R&D teams; it's an anonymous community."

Microsoft Security Engineer Robert Hensing weighed in on the Red Hat security problem in his blog Friday.

Hensing said he couldn't "imagine what the fallout would be" if programs such as Windows Update and Automatic Update servers "got pwnd [owned] like [RedHat]." 

"It's like the package signing server and stuff….[Red Hat] seems to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones," he added.