OpenSSL site defacement traced to use of insecure passwords by hosting provider

The homepage of OpenSSL was defaced in an attack on Dec. 29, raising initial concerns that attackers might have slipped a backdoor into the OpenSSL library. The library is widely used by web servers to provide HTTPS encryption for web pages, and the ability to weaken it or install a backdoor would have severe repercussions around the world.

As it is, the terse statement issued by OpenSSL officials in the wake of the attack raised some eyebrows, because it seemed to imply a serious flaw in hypervisor software. As reported by Ars Technica, officials said "the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration."

However, further investigation has revealed the cause to be the use of insecure passwords at the hosting provider. It turns out that the website is hosted on a shared server that is administered from a hypervisor management console. Unidentified attackers were apparently able to gain access to that management console and modify the index.html page of the OpenSSL project.

An updated advisory published by the OpenSSL project gives these pertinent details: "The OpenSSL server is a virtual server which shares a hypervisor with other customers of the same ISP. Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server." The source repositories were also audited and found to be untouched.

For more:
- see the Ars Technica article on the defacement