A few years ago, when I was getting my feet wet on the open source beat, open source could claim “security through obscurity.” Desktop Linux was a joke, many open source projects had only a few hundred or few thousand users, and everyone knew the big illegal opportunities lay in compromising Microsoft software and systems.
That's not true any longer. Consider the recent directed attack against Sourceforge a wake-up call.
Now, don't get me wrong. Microsoft remains a target. “Patch Tuesday” is an important date on every sysadmin's calendar. It comes as regular as happy hour. (Call it unhappy hour.) But open source is also a rich target environment for evil-doers. For good reasons.
- There's more open source out there than ever before. Linux's market share is ginormous.
- Who needs “desktop Linux” when you have Android? Holy market share.
- Many open source sysadmins just aren't careful.
This last may be most important.
Black Duck has long been concerned with open source security. It's why they bought Spikesource last year. The sad fact is many companies which use open source don't update their software as they should. If you're running old code, it's far more likely to be insecure, to have unpatched vulnerabilities bad guys can exploit.
And there are lots of bad guys out there.
The attack, which caused Sourceforge to disable basic services like CVS, ishell, file uploads, and project web updates as a precaution, and then to force changes to user passwords, included a hacked SSH daemon modified to capture passwords. The aim was to give bad guys direct access to projects, allowing them to insert malware that would infect users at the next update, potentially enabling the gang to take control of every computer using a particular project before that project's director knew anything was wrong.
Sourceforge has not been the only big repository targeted. Fedora, the Red Hat community Linux, was attacked as well. This attack appears to have been more limited, seeking a single password, which could then have been used to do some real mischief had it not been discovered. An attack against the server hosting ProFTPD, an important file transfer project, went undetected for three days, and included installation of a backdoor allowing root access to unauthenticated users. The Free Software Foundation's GNU Savannah repository has been attacked. So has Apache.
You get the picture. Bad guys are on the march. Open source is no longer obscure. Which means you need to take the same precautions Microsoft sysadmins have been forced to take. Secure your systems, and just as important, make sure all your open source software is up-to-date and as secure as its makers can make it.
Don't be the next victim.