Red Hat Hacked, Company Issues Security Advisory

In a sign that hackers have no problem taking advantage of open source solutions, Linux-based product distributor Red Hat issued a "critical" security advisory on Friday, saying that its servers had been compromised.

In the advisory, Red Hat warned that hackers had somehow taken control of its systems by tampering with code. The attack was discovered last week. The intrusion was not systemic and didn't affect the company's content distribution programs. Consequently, malicious code was not uploaded to users of Red Hat's products.

There were early indications that something might be awry on the week of August 12, when scattered reports indicated that Red Hat's flagship Fedora OS was rebooting continually, causing intermittent outages. The culprits have yet to be identified.

The hackers got hold of a small number of OpenSSH packages relating only to Red Hat Enterprise Linux. OpenSSH, or Open Source Secure shell, is a set of programs that provide encrypted code transference over a network using secure shell protocol. OpenSSH is a free software alternative to a commercial solution produced by Finish IT company SSH Communication Security, which patented the SSH protocol technology.

Security experts say that this hack has lasting implications for the Linux movement and open source security.

"It's true that hackers can and will take advantage of a development and distribution program that's not like Windows," said Reuben Davis, a consultant for Affiliated Computer Services, a large IT services outsourcer. "Intruders capitalize on the geek factor of Linux and there are no licensing restrictions or elaborate security programs backed by big R&D teams; it's an anonymous community."

Microsoft Security Engineer Robert Hensing weighed in on the Red Hat security problem in his blog on Friday.

Hensing said he couldn't "imagine what the fallout would be" if programs such as Windows Update and Automatic Update servers "got pwnd [owned] like [RedHat]." 

"It's like the package signing server and stuff….[Red Hat] seems to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones," he added.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

  • First Stable Chromium-Based Microsoft Edge Browser Released

    Microsoft on Wednesday announced the first release of its Chromium-based Microsoft Edge browser at the "stable" commercial-release stage.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.