Matrix.org: We have discovered and addressed a security breach.
Matrix is (was?) a nice open source project.
Setting aside the security problems in their system that allowed the compromise, the fact that they removed the GitHub issues created by the hacker who broke into them (which explained how it was done and suggested fixes to the system) is a splendid example of how NOT to handle a security breach.
matrixnotorg has now been removed from GitHub, but you can take a look on the Wayback Machine:
https://web.archive.org/web/20190412145208/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145145/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145122/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145058/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145035/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
What follows is an excerpt from the disclosure at https://matrix.org/blog/2019/04/11/security-incident/
TL;DR: An attacker gained access to the servers hosting Matrix.org. The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. As a precaution, if you're a matrix.org user you should change your password now. [...]
# The security breach is not a Matrix issue.
The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins).
Homeservers other than matrix.org are unaffected. [...]
# What user data has been accessed?
Forensics are ongoing; so far we've found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised. [...]
# Update 2019-04-12
The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse. If you have already changed your password, you do not need to do so again. [...]
The attacker has also posted github issues detailing some of their actions and suggested remediations at https://github.com/matrix-org/matrix.org/issues/created_by/matrixnotorg.
This confirms that GPG keys used for signing packages were compromised.
PS: the line "Homeservers other than matrix.org are unaffected." means that those who were running the software on their own machines were not compromised. This is the most interesting piece of information for this list. However important regulations may be, no law can make your data secure. Only a server under your direct (and _competent_) control can truly guarantee you privacy and security.
Giacomo
On 12/04/2019, Giacomo Tesio <giacomo@tesio.it> wrote:
Matrix is (was?) a nice open source project.
Setting aside the security problems in their system that allowed the compromise, the fact that they removed the GitHub issues created by the hacker who broke into them (which explained how it was done and suggested fixes to the system) is a splendid example of how NOT to handle a security breach.
matrixnotorg has now been removed from GitHub, but you can take a look on the Wayback Machine:
https://web.archive.org/web/20190412145208/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145145/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145122/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145058/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145035/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
https://web.archive.org/web/20190412145008/https://github.com/matrix-org/mat...
What follows is an excerpt from the disclosure at https://matrix.org/blog/2019/04/11/security-incident/
TL;DR: An attacker gained access to the servers hosting Matrix.org. The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. As a precaution, if you're a matrix.org user you should change your password now. [...]
# The security breach is not a Matrix issue.
The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins).
Homeservers other than matrix.org are unaffected. [...]
# What user data has been accessed?
Forensics are ongoing; so far we've found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised. [...]
# Update 2019-04-12
The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse. If you have already changed your password, you do not need to do so again. [...]
The attacker has also posted github issues detailing some of their actions and suggested remediations at https://github.com/matrix-org/matrix.org/issues/created_by/matrixnotorg.
This confirms that GPG keys used for signing packages were compromised.
Participants (1)
- Giacomo Tesio