Jira at apache.org was hacked

The Apache Infrastructure Team Incident Report 04/09/2010 released today 13. April 2010 about the hack of jira.apache.org.

Thank you guys for this helpful disclosure.

There is no clear information available today what was the root cause of the Atlassian security breach (published yesterday).

Today we got detailed information from Apache Infrastructure Team about the breakin at jira.apache.org:

1. We notified Atlassian of the previously unreported XSS attack in JIRA and contacted SliceHost. Atlassian was responsive. Unfortunately, SliceHost did nothing and 2 days later, the very same virtual host (slice) attacked Atlassian directly.
2. The attackers had root access on brutus.apache.org for several hours, and we could no longer trust the operating system on the original machine.
3. Service isolation worked with mixed results. The attackers must be presumed to have copies of our Confluence and Bugzilla databases, as well as our JIRA database, at this point.

UNBELIEVABLE!

What todo now:

1. Checkout all background information about this vulnerability of JIRA.
2. Check and Upgrade all non-internal JIRA and other Atlassian systems world-wide to prevent these attacks.

And we all should never forget:
Install 3rd party applications as root and run them as user with limited privileges.

[1] Apache Infrastructure Team Incident Report (13 Apr 2010) related to jira.apache.org
[2] Max on Improving Web Security: Six Ways the Apache.org JIRA Attack Could Have Been Prevented by Better Cod (13 Apr 2010)

Atlassian security breach and customer support in real-time

About an hour ago customers of Atlassian (the company behind great tools like Jira and Confluence) got an email about a security breach and to change their password.

Be aware that this security issue only affects Atlassian customers who created an Atlassian account and purchased one of our products before June 2008. Since then, we have been using a more secure user management system based on Atlassian’s Crowd product. When you change your Atlassian account password using the procedure below, your Atlassian customer account details will be stored in our updated Crowd user management system, which will further minimise the chance of a security breach occurring in future.

[1] Source: Jason Winder Webnet IT Blog: Atlassian Stored Passwords in Cleartext?

Just after this email it seems that most people were not able to retrieve Atlassian’s service to react.

Now after one hour there was no official statement of Atlassian!

Guys @Atlassian ! Please use Twitter or Uservoice to react in our real-time live and give us some background information!

Update 1:

[2] @atlassian on Twitter at 7 00 PM GMT replied:

Atlassian had a security breach. Apologies for the confusion. Our site is experiencing heavy loads. We are working on getting back up ASAP.

[3] Zoli Erdos at Cloudave: Atlassian Security Breach and Warning

Update 2:
[4] Atlassian’s Mike Cannon-Brookes initial customer feedback today morning

The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn’t active, it should have been deleted. There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up.
Disclosure: in terms of the security breach itself, we will disclose the various attack vectors and what happened once we have a full picture. Expect this in the coming week.

Looking forward to it, so everybody can learn from such IT security mistakes.

Mobile – it is for communication

Today I came across a very good post by Helen Keegan on “There is no future on mobile”

We forget that the mobile phone is a communication device

It was designed for us to talk to each other. It was designed for us to be able to communicate with our friends, family, colleagues and lovers by voice, text, instant message, email, facebook, twitter, whatever. But it’s about communication. In every region of the world, mobile data traffic is largely driven by social networking – whether that’s Peperonity, Cyworld, Facebook, MySpace, Twitter – it doesn’t really matter. It does mean that it’s the human communication that’s important to us and drives the desire to explore mobile devices further in order to find other ways to communicate with loved ones.

The mobile phone is personal, it’s precious, it’s an object of desire and it’s our access to the outside world. It’s also a necessity and a basic tool to participate in UK society (according to the latest Joseph Rowntree report).

Gorbatchev about the war in South Ossetia

Mikhael Gorbachev wrote in washington post today:

Through all these years, Russia has continued to recognize Georgia’s territorial integrity. Clearly, the only way to solve the South Ossetian problem on that basis is through peaceful means. Indeed, in a civilized world, there is no other way.

Update:
Starts the cyber war around Georgia?
Has the today’s gmail outage something todo with the war?

Civil,ge, the Georgian news site, is “under permanent [cyber] attack.” So they’ve switched their operations to one of Google’s Blogspot domains, to keep the information flowing about what’s going on in their country.

Adobe AIR install under Ubuntu 64-bit fails

i tried to install my favorite twitter client Twhirl under Ubuntu 64-bit.

The fun ended with download error of Adobe AIR

otrs ticket system installation under ubuntu

It is very easy to install OTRS under Ubuntu Linux:

apt-get install otrs libgd-text-perl libgd-graph-perl aspell ispell libmail-audit-perl spellutils spell aspell-en aspell-de aspell-en wngerman wamerican mail-audit-tools