Thread: Linode allegedly compromised
-
04-15-2013, 11:29 AM #1 Aspiring Evangelist
- Join Date: Apr 2008
- Location: Tulsa, OK, USA
- Posts: 376
Linode allegedly compromised
So, I have a Linode, right.
I woke up this morning and someone named 'ryan' told me that my financial information was compromised.
He provided this as proof: https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc (mirrored at http://turtle.dereferenced.org/~neno...e/pastebin.png).
There is also discussion of it on their IRC channel. I have snipped out the relevant part of the conversation.
Abridged: http://turtle.dereferenced.org/~neno...e-abridged.txt
Full log: http://turtle.dereferenced.org/~neno...ode/linode.log
I knew something was fishy when my 160 character generated password was claimed to be 'compromised'.
-
04-15-2013, 11:36 AM #2 Temporarily Suspended
- Join Date: Mar 2012
- Location: Tampa, FL =)
- Posts: 1,954
Has Linode made a statement about this yet?
-
04-15-2013, 11:37 AM #3 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
I don't know but magically today my password expired on my dev account.
Edit: http://blog.linode.com/2013/04/12/se...assword-reset/
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
04-15-2013, 11:54 AM #4 Disabled
- Join Date: Dec 2010
- Location: 127.0.0.1
- Posts: 5,732
Ouch, I'm glad they took action and expired all passwords. Got to be hard to find someone has hacked their way in.
-
04-15-2013, 12:01 PM #5 Web Hosting Master
- Join Date: Mar 2011
- Posts: 659
My understanding was that they were not compromised but needlessly reset everyone's passwords anyway.
See their wording:
"coordinated attempt to access the account of one of our customers"
"We have found no evidence that any Linode data of any other customer was accessed"
I'm quite confused as to how an "attempt" to access "one" customer's data affects anyone else. If I had to make a guess, I'd suspect that they left out some vital information. People ATTEMPT to access ALL of my clients EVERY day. I suspect any host around here who watches incoming malicious traffic could say the same. I don't force everyone to reset their passwords every day. What am I missing here?
Ain't here to spam my signature, I'm not desperate for sales.
-
04-15-2013, 01:13 PM #6
Yeah, looks like Linode expired everyone's passwords, forcing them to update them as a security precaution. It seems even though this ryan kid claims the DB is on his computer, I would assume he can't do much with it as it's probably encrypted.
█ SolaDrive - Enterprise Managed Server Solutions
█ Specializing in Managed NVMe VPS & Dedicated Servers in US & UK
█ Visit us at SolaDrive.com
-
04-15-2013, 01:43 PM #7 Web Hosting Guru
- Join Date: Dec 2012
- Location: localhost
- Posts: 295
The higher you are the harder you fall.
-
04-15-2013, 01:45 PM #8 WHT Addict
- Join Date: Sep 2012
- Posts: 110
-
04-15-2013, 01:53 PM #9 Web Hosting Master
- Join Date: Mar 2011
- Posts: 659
For Linode's sake, and my own, I hope they are PCI compliant. What bugs me is that here Linode is clearly telling me I have nothing to worry about, then taking an action that clearly implies that I do have something to worry about.
I don't know that I put much faith in this "Ryan" fellow but I would certainly urge him not to prove his point at our expense. If my billing data was compromised and Linode told me to reset my password for no reason, because even that wasn't compromised according to them, the amount of "upset" that I'll be wouldn't fit on any graph I've ever seen.
-
04-15-2013, 01:55 PM #10 Aspiring Evangelist
- Join Date: Apr 2008
- Location: Tulsa, OK, USA
- Posts: 376
-
04-15-2013, 01:59 PM #11 Aspiring Evangelist
- Join Date: Apr 2008
- Location: Tulsa, OK, USA
- Posts: 376
I think it would be a very good idea to start making preparations to change card information.
Luckily, I was on a bi-yearly plan so my card information was already expired anyway (due to another host being hacked I already changed it unfortunately... how ironic).
-
04-15-2013, 02:15 PM #12 New Member
- Join Date: Jul 2012
- Posts: 1
Found this thread being slashdotted.
But fortunately I haven't had any plan with Linode for years.
-
04-15-2013, 02:43 PM #13 Web Hosting Master
- Join Date: May 2003
- Location: Scotland
- Posts: 4,549
Perhaps Linode being Linode, being super cautious, just went for a full reset of the passwords to get people to think more about their choice when selecting a password.
Damned if they do and damned if they don't.
-
04-15-2013, 02:56 PM #14 Web Hosting Master
- Join Date: Mar 2011
- Posts: 659
-
04-15-2013, 02:59 PM #15 WHT Addict
- Join Date: Sep 2012
- Posts: 110
-
04-15-2013, 03:01 PM #16 WHT Addict
- Join Date: Sep 2012
- Posts: 110
Judging by this search I wouldn't hold up too much hope:
http://slink.eu/linode
Paladine
-
04-15-2013, 03:02 PM #17 Web Hosting Evangelist
- Join Date: May 2010
- Location: 10.0.0.17
- Posts: 480
The IRC logs are interesting. A channel mod clearly pops in to ban the ryan chap several times, makes a noncommittal comment over his food, but vanishes whenever asked about the authenticity of the claims. Granted aye, of course they're going to look into the issue before making any type of public statement - but running off without so much as a "we're checking into it, stay tuned", especially when ryan dropped a paste of their docroot with valid/resolving files, just seems to authenticate the exploit.
-
04-15-2013, 03:05 PM #18 Web Hosting Master
- Join Date: Feb 2006
- Posts: 5,393
Didn't Linode experience a hack at this same time last year? Spring must be an unlucky time of the year for them.
WHMEasyBackup.com - Take Control Of Your Backups!
Complete Backup Solution For WHM Reseller Accounts
-
04-15-2013, 03:19 PM #19 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
-
04-15-2013, 03:20 PM #20 Web Hosting Master
- Join Date: Mar 2011
- Posts: 659
Well, the hope I am holding on to is that our strongest source is this Ryan guy in IRC. No one has been able to confirm the validity of his data that I've seen, publicly, beyond the visiting of URLs in the public web folder which can potentially be obtained by poor but mostly irrelevant security or a less severe exploit.
Anything beyond that could very well be an elaborate hoax. I could be very wrong. Gordon Lyon may be the current piece of the puzzle that squashes my hope.
-
04-16-2013, 02:06 AM #21 Aspiring Evangelist
- Join Date: Nov 2009
- Location: Neenah, WI
- Posts: 392
This is concerning. I don't have an active VM with Linode at the moment (no problem with them; LW managed is just a better fit for my needs at the current time), but have an active account with a valid credit card on file. It's my business card and would be a good deal of work to change the number and update it with all the vendors. I'd really like to know if it is necessary or not.
I've checked my mail and spam folders and I never even got a message from them about this. I logged into Linode and can see my current credit card info and expiration date still listed on my account.
If payment information was compromised they need to notify everyone that has payment information on file, not just people who have active VMs. (I can only guess that the fact that I don't have an active Linode is the reason I didn't get a copy of the notification email)
I'm sure many other people also use Linodes for test projects, dev work, etc. and remove the Linodes at times but still have current payment info on file.
I've always had a great deal of respect for Linode, but am disappointed to learn about this problem via a SlashDot post made on Facebook. Also the lack of any real details about what happened or what was leaked is really inexcusable. If they have good reason to believe that financial information (credit cards) was leaked, they need to say so and not just force a password reset.
-
04-16-2013, 03:41 AM #22 Web Hosting Master
- Join Date: Nov 2000
- Location: localhost
- Posts: 3,771
This is concerning. Whilst I generally champion Linode, I have also in the past been pretty critical of some of their practices and this will put them back on the re-evaluate radar.
The security issue last year was a good example where Linode didn't listen to the community; 2 factor should have come then but it didn't, instead some silly email notification and then some blog post about ~9-12 months ago about continued progress on security and then silence...
Although in comparison to the flavour of the month VPS companies on WHT * they are still held in relatively high regard in my perception. At least they aren't committing atrocities like default passwords for VPSes (with SSH open already), emailing plain text passwords to customers (meaning stored at best with symmetric encryption), non-secure SolusVM panels (non-https), running WHMCS (quarterly security issues) and so forth.
-
04-16-2013, 05:14 AM #23 Aspiring Evangelist
- Join Date: Jun 2012
- Posts: 423
According to the hackers, the LISH passwords were in plaintext, the CC data encryption keys were easily accessible.
Yesterday, on the IRC channel right before it was locked down, someone stating they represent the hackers appeared and started proving they hacked by telling the last 4 CC numbers of anyone that asked; they also apparently had usernames and emails of at least a few users. Please note the bold words and do not read between the lines. I'm just describing what happened.
Now, whether all this is true or just an elaborate hoax and propaganda to discredit Linode, remains to be seen. Unfortunately, other than the rather shaky blog post from last Friday, we have no official info. And that's the biggest problem.
-
04-16-2013, 05:19 AM #24 Aspiring Evangelist
- Join Date: Jun 2012
- Posts: 423
Oh, I stand corrected about no official info. Official update: http://blog.linode.com/2013/04/16/se...cident-update/
-
04-16-2013, 06:35 AM #25 WHT Addict
- Join Date: Sep 2012
- Posts: 110
Note that they state:
"We have no evidence decrypted credit card numbers were obtained."
That is based on advice from the risk assessment manager or lawyer - in other words:
"The encrypted credit card details were obtained and the keys were present on the same server but we are hoping they cannot decrypt the passphrase we used to encrypt the private keys so we will keep our cards close to our chest on this for now."
You all better hope they used a damn good passphrase to encrypt those private keys. What is discouraging is that it seems they have used the same passphrase for all the private keys based on the wording of their update, so if HTP manage to decrypt a single key they will be able to decrypt them all.
All in all, the update is very worrying.
Paladine