18 comments

[ 3.2 ms ] story [ 51.3 ms ] thread
Red Hat, I am very disappointed. We're all ISO27001 everywhere, separation of data, and separation of network resources. But you keep our data in your github repo?
You've got to look at ISO27001 from the perspective of the Sales Rep, not from an Engineer.

In theory, being ISO27001 means that you're environment follows best practices and has a somewhat sane security posture.

To the business people, a new customer demands that you have ISO27001 certification before they'll sign the $$$$ contract. The salesperson does not care HOW you get the certificate, just that you have it, they need this contract signed!

The department wasn't designed with security in mind, so implementing everything required by ISO will take many months. But sales needs $$$$ now! The CEO, CFO, and CTO are aligned: money now!

So, there's high pressure to pass the audit quickly. You implement what you can, you weasle your way around the things that will take too long. Those things are "out of scope" or "testing databases". You implement MFA while the auditor is auditing, but you know it breaks developers' workflows and there isn't a quick fix, so you turn MFA back off once the audit is complete....

TA-DA! We're ISO27001 certified! But we're no more secure than we were before.

> [..] The CEO, CFO, and CTO are aligned: money now!

"Aligned" :)) The IT terminology FTW! Very very realistic description. Of not delivering value to customers.

Was this a case in this RH breach ? Maybe. But just putting multiple "repos" and other client stuff in same place is modern IT insanity.

At least they could put that Navy stuff somewhere else. Resonable idea, right?

> Correction: After publishing, Red Hat confirmed that it was a breach of one of its GitLab instances, and not GitHub. Title and story updated.

> After publishing our story, Red Hat confirmed that the security incident was a breach of its GitLab instance used solely for Red Hat Consulting on consulting engagements, and not GitHub.

> While Red Hat did not respond to any further questions about the breach, the hackers told BleepingComputer that the intrusion occurred approximately two weeks ago.

GitLab, not GitHub. I think the distinction is that you can have a on-prem GitLab (as well as hosted online). The implication here being that RedHat probably had very relaxed account security.
"The hackers stated that they attempted to contact Red Hat with an extortion demand but received no response other than a templated reply instructing them to submit a vulnerability report to their security team."

Just hilarious

This whole process happening is exactly what happens in a quest in Cyberpunk 2077. There’s an e-mail chain where a gang tried to extort a corporation and gave up after being unable to reach a person.

I sincerely hope that the game doesn’t become prophetic in the manner Idiocracy has.

Telegram name: "thecrimsoncollective"
[flagged]
No this was all Red Hat. IBM would never let consultants use something convenient like GitHub, they would be forced to use some crappy internal webapp powered by watson.
Retired Red Hatter here.

I wouldn’t be quick to blame IBM. Red Hat and IBM both take security very seriously, and regard it as central to the mission. IBM also has deep enough pockets to devote serious resources to whatever they put their mind to.

Security is just hard. Procedures can be written, but people make mistakes, forget rules, etc. The procedures also have to be constantly updated to keep up with new and innovative attacks. It’s a never ending battle.

Sorry to see this happen to Red Hat. I am confident that right now all hands are on deck working on remediation.

(comment deleted)
[stub for offtopicness]

(title fixed now)

Before even reading the article, the title made me lol as I thought the open sourced code was stolen XD