Hello, welcome to the Friday, July 6, 2018 edition of the Science Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from New York City, New York.

Going to be another shorter podcast today, given still the short holiday week here in the US.

One real nice item is that Gentoo published a very detailed

write-up on the incident had recently where someone took over their GitHub repository.

Like always with these write-ups, the great thing is that this really helps you to learn for yourself before and without you actually having an incident like this.

So whenever someone shares these kind of details, it's important to look at the lessons learned and make sure that you hopefully incorporate these lessons learned in your own organization

and hopefully avoid an incident this way.

The GENTOO team had some luck here in the sense that the attacker didn't really try to be stealthy.

The hacker modified the read-me file in the GitHub repository as very early on in the process.

But the hacker also tried very typical steps to retain access to the repository

even after they got discovered.

For example, they added a couple of new administrator accounts to the GitHub project.

They also removed some existing administrators from the project to make it more difficult to recover.

The root cause of all of this appears to be as so often a weak password.

In this case, now they don't really say exactly what the password was, but the way

I read their write-up is that the password was sort of guessable if you know other passwords that

this particular user had. So what some users do is they have sort of one common password,

and they just append the site name like you know

GitHub password or Facebook password and such so if I know that your password is you know

Facebook gopher then I know your GitHub password is probably GitHub gopher and that's probably

how they guessed the password that's at least sort of my reading of this report.

...