The GitHub account of popular Linux distribution Gentoo was hacked late last week, the project announced Thursday, with a malicious actor inserting code intended to delete files on the file systems of any machine that ran the tampered code. Even if the code somehow wound up on user systems, it does not execute as intended.
Of particular importance, the announcement noted that Gentoo's GitHub repositories are only downstream mirrors of the self-hosted Gentoo.org infrastructure. The breach does not affect the systems Gentoo operates to distribute packages and updates, which limits the practical impact to individuals who pulled code directly from GitHub during the brief window in which the malicious commits were present.
From an organizational standpoint, Gentoo's handling of the incident was prompt and professional. Gentoo released official statements promptly detailing the nature of the breach, writing that "the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected," and that "Gentoo commits are signed, and you should verify the integrity of the signatures when using git." Signature verification is basic security hygiene, but it is exactly the control that turns a compromised mirror from a supply-chain incident into a nuisance, and it deserves emphasis under these circumstances.
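Checking commit signatures, as the announcement advises, is mechanical enough to script. The following is an added example and not code from the Gentoo project: a POSIX shell helper that reads the per-commit verification status git reports via its `%G?` placeholder and refuses to accept a checkout unless every commit since a known-good reference carries a good signature from a trusted key. The function names, the trusted base tag in the usage comment, and the sample status lines are assumptions for illustration; the status codes themselves are the ones git documents.

```shell
#!/bin/sh
# Added example (not Gentoo tooling): accept a git checkout only if every
# commit since a trusted reference carries a good signature from a trusted key.
#
# git log's %G? placeholder reports one verification code per commit:
#   G  good signature, trusted key     U  good signature, key not trusted
#   B  bad signature                   X  good signature, but it has expired
#   Y  good signature, expired key     R  good signature, revoked key
#   E  cannot be checked (key missing) N  no signature at all

# Read "<sha> <code>" lines on stdin; succeed only if every code is G.
# U is rejected on purpose: a key that is merely imported but never marked
# trusted still produces "Good signature" output, which is not verification.
check_signature_lines() {
    bad=0
    while read -r sha code; do
        [ -z "$sha" ] && continue
        case "$code" in
            G) ;;
            U) printf 'REJECT %s: valid signature from an untrusted key\n' "$sha" >&2; bad=1 ;;
            N) printf 'REJECT %s: unsigned commit\n' "$sha" >&2; bad=1 ;;
            *) printf 'REJECT %s: signature status %s\n' "$sha" "$code" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Verify every commit between a known-good ref and a tip (default HEAD).
# Assumes the project's signing keys are already imported into gpg and
# assigned trust; otherwise every commit reports U and is rejected.
verify_range() {
    good_ref=$1
    tip=${2:-HEAD}
    git log --format='%H %G?' "$good_ref..$tip" | check_signature_lines
}

# Typical use after fetching a mirror, with a hypothetical tag marking the
# last state you verified by hand:
#   git fetch origin \
#     && verify_range last-verified origin/master \
#     && git merge --ff-only origin/master
```

Run it as a gate before `git merge` or before building from the tree; a single unsigned or untrusted commit fails the whole range, so a mirror compromise like this one is caught even when the attacker also rewrote history behind a force push.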
The postmortem timeline of the incident indicates that an abuse report was sent to GitHub within 30 minutes of the malicious actor gaining administrative access. The Gentoo GitHub organization was frozen about 70 minutes after the actor gained access, and shortly thereafter the Gentoo Infrastructure team identified the entry point and, as a precaution, removed all access for the compromised account from "primary Gentoo properties." With the point of entry determined and closed, the GitHub contents were reverted to their pre-breach state.
This should be considered the standard against which organizations are judged for handling security breaches. While the fact that a hack successfully occurred at all is certainly regrettable, the Gentoo team successfully recovered from it without incurring any further damage.
For contrast, the closest direct comparison is the February 2016 hack of Ubuntu derivative Linux Mint, in which a hacker took control of the project's website and replaced the download link with one pointing to an ISO containing the Tsunami backdoor. The attack put "several hundred" systems with a fresh installation of Linux Mint under the hacker's control, according to an interview with ZDNet's Zack Whittaker. The same hacker gained control of the Linux Mint user forum and copied its entire database, which was then offered for sale on the dark web. The website was restored from a backup copy and was compromised again shortly thereafter.
Gentoo is chiefly considered an enthusiast distribution, though it is often the distribution of choice for use cases where performance tuning is a high priority, as well as for unusual hardware or peculiar configurations. Gentoo officially supports x86 and x86-64, PA-RISC, Itanium, 64-bit PowerPC, SPARC, DEC Alpha, and 32-bit ARM. Developmental versions exist for MIPS, z/Architecture (S/390), SuperH, and the PS3 Cell processor. Gentoo's Portage package manager, which offers robust support for board-specific image building, was incorporated into Chrome OS.
The big takeaways for tech leaders:
- The GitHub account of popular Linux distribution Gentoo was hacked late last week, though the practical risk to users is minimal, as the GitHub copy was a downstream mirror.
- The breach was identified and stopped after about 70 minutes, with the GitHub contents reverted to their pre-breach state the next morning.