Red Hat’s signing key compromise

Systems responsible for digitally signing binary distributions are obviously high-value targets for attackers. Red Hat recently detected such an intrusion and determined that the intruder was able to sign a small number of OpenSSH packages. (Red Hat has released a script to detect the affected packages.)

I haven’t seen an analysis yet, but you have to assume those packages have a high probability of malicious intent…

eWeek has a good overview, Red Hat Digital Keys Violated by Intruder, and related coverage is easy to find. This is a good example of the PR and systems impact of such breaches, and an excellent reminder that our notion of “malicious insider” has to include the people trusted by the people we trust (or the systems trusted by the systems we trust).
