Page 1 of 2 (results 1 to 25 of 42)
  1. #1
    Join Date: Apr 2008 | Location: Tulsa, OK, USA | Posts: 370

    Linode allegedly compromised

    So, I have a Linode, right.

    I woke up this morning and someone named 'ryan' told me that my financial information was compromised.

    He provided this as proof: https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc (mirrored at http://turtle.dereferenced.org/~neno...e/pastebin.png).

    There is also discussion of it on their IRC channel. I have snipped out the relevant part of the conversation.

    Abridged: http://turtle.dereferenced.org/~neno...e-abridged.txt
    Full log: http://turtle.dereferenced.org/~neno...ode/linode.log

    I knew something was fishy when my 160 character generated password was claimed to be 'compromised'.

  2. Thread Summary: Linode was indeed compromised:

    As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database.

    Contributors: Orien


  3. #2
    Join Date: Mar 2012 | Location: Tampa, FL =) | Posts: 1,748
    Has Linode made a statement about this yet?

  4. #3
    Join Date: Mar 2003 | Location: California USA | Posts: 13,261
    I don't know but magically today my password expired on my dev account.

    Edit: http://blog.linode.com/2013/04/12/se...assword-reset/
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  5. #4
    Join Date: Dec 2010 | Location: 127.0.0.1 | Posts: 5,299
    Ouch, I'm glad they took action and expired all passwords. Got to be hard to find someone has hacked their way in.

  6. #5
    Join Date: Mar 2011 | Posts: 630
    My understanding was that they were not compromised but needlessly reset everyone's passwords anyway.

    See their wording:
    "coordinated attempt to access the account of one of our customers"

    "We have found no evidence that any Linode data of any other customer was accessed"

    I'm quite confused as to how an "attempt" to access "one" customer's data affects anyone else. If I had to make a guess, I'd suspect that they left out some vital information. People ATTEMPT to access ALL of my clients EVERY day. I suspect any host around here who watches incoming malicious traffic could say the same. I don't force everyone to reset their passwords every day. What am I missing here?
    MXroute - E-mail Hosting for Your Domain.

  7. #6
    Join Date: Dec 2012 | Posts: 1,684
    Yeah, looks like Linode expired everyone's passwords, forcing them to update them as a security precaution. It seems even though this ryan kid claims the DB is on his computer, I would assume he can't do much with it as it's probably encrypted.
    SolaDrive - Enterprise Managed Solutions
    Specializing in Managed SSD VPS & Dedicated Servers in US & UK
    Rated #1 Provider at Top 20 VPS Providers For Performance
    Visit us at SolaDrive.com

  8. #7
    Join Date: Dec 2012 | Location: localhost | Posts: 294
    The higher you are the harder you fall.

  9. #8
    Join Date: Sep 2012 | Posts: 81
    Quote Originally Posted by SolaDrive - John:
    Yeah, looks like Linode expired everyone's passwords, forcing them to update them as a security precaution. It seems even though this ryan kid claims the DB is on his computer, I would assume he can't do much with it as it's probably encrypted.
    I would never assume such a thing. My experience of data breaches (which given I am a privacy guy is fairly substantial) is that it is more often than not that the data is NOT encrypted.

    Paladine

  10. #9
    Join Date: Mar 2011 | Posts: 630
    Quote Originally Posted by Paladine:
    I would never assume such a thing. My experience of data breaches (which given I am a privacy guy is fairly substantial) is that it is more often than not that the data is NOT encrypted.

    Paladine
    For Linode's sake, and my own, I hope they are PCI compliant. What bugs me is that here Linode is clearly telling me I have nothing to worry about, then taking an action that clearly implies that I do have something to worry about.

    I don't know that I put much faith in this "Ryan" fellow but I would certainly urge him not to prove his point at our expense. If my billing data was compromised and Linode told me to reset my password for no reason, because even that wasn't compromised according to them, the amount of "upset" that I'll be wouldn't fit on any graph I've ever seen.

  11. #10
    Join Date: Apr 2008 | Location: Tulsa, OK, USA | Posts: 370
    Quote Originally Posted by jarland:
    For Linode's sake, and my own, I hope they are PCI compliant. What bugs me is that here Linode is clearly telling me I have nothing to worry about, then taking an action that clearly implies that I do have something to worry about.

    I don't know that I put much faith in this "Ryan" fellow but I would certainly urge him not to prove his point at our expense. If my billing data was compromised and Linode told me to reset my password for no reason, because even that wasn't compromised according to them, the amount of "upset" that I'll be wouldn't fit on any graph I've ever seen.
    They are not, read the IRC log on #linode:

    05:42 < ryan||> credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security

  12. #11
    Join Date: Apr 2008 | Location: Tulsa, OK, USA | Posts: 370
    I think it would be a very good idea to start making preparations to change card information.

    Luckily, I was on a bi-yearly plan so my card information was already expired anyway (due to another host being hacked I already changed it unfortunately... how ironic).

  13. #12
    Found this thread being slashdotted.
    But fortunately I don't have any plan with linode since years ago.

  14. #13
    Join Date: May 2003 | Location: Scotland | Posts: 3,712
    Perhaps Linode, being Linode, being super cautious, just went for a full reset of the passwords to get people to think more about their choice when selecting a password.

    Damned if they do and damned if they don't.

  15. #14
    Join Date: Mar 2011 | Posts: 630
    Quote Originally Posted by W1H-Lee:
    Perhaps Linode, being Linode, being super cautious, just went for a full reset of the passwords to get people to think more about their choice when selecting a password.

    Damned if they do and damned if they don't.
    That is an interpretation that I would accept. It did not come across to me that way so thank you for the alternate perspective.

  16. #15
    Join Date: Sep 2012 | Posts: 81
    Quote Originally Posted by nenolod:
    They are not, read the IRC log on #linode:

    05:42 < ryan||> credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security
    Funny you should mention that I nearly stated in my last post "Either the data is not encrypted or the keys are stored in the same place as the data."

    You would be amazed how often it happens that way.

    Paladine
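    The failure ryan and Paladine describe above, the decryption key sitting beside the ciphertext it protects, is what a split between an encrypt-only web tier and a separate key holder is meant to prevent. The Go program below is an added example written for this thread, not Linode's code or anything posted by its participants; the WebTier and Vault names, the hybrid RSA-OAEP plus AES-GCM layout and the test card number are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// StoredCard is the row the web tier writes: a per-record AES-256 key wrapped
// with RSA-OAEP, plus the AES-GCM nonce and ciphertext of the card number.
type StoredCard struct{ WrappedDEK, Nonce, Ciphertext []byte }
// WebTier holds only the public key, so it can store new cards but never read them
// back; Vault is the separate host or HSM with the private key (hypothetical layout).
type WebTier struct{ Pub *rsa.PublicKey }
type Vault struct{ Priv *rsa.PrivateKey }
// NewVault generates the key pair where it stays: on the vault, never the web tier.
func NewVault(bits int) (Vault, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	return Vault{priv}, err
}
// gcmFor builds AES-256-GCM; neither constructor can fail for the 32-byte keys passed here.
func gcmFor(dek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Store wraps a fresh data key with the public key and encrypts the card number under
// it; a dump of this host plus the database yields no plaintext.
func (w WebTier) Store(pan string) (StoredCard, error) {
	buf := make([]byte, 32+12) // fresh data key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return StoredCard{}, err
	}
	dek, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.Pub, dek, nil)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{wrapped, nonce, gcmFor(dek).Seal(nil, nonce, []byte(pan), nil)}, nil
}
// Open runs only on the vault: unwrap the data key, then decrypt and authenticate.
func (v Vault) Open(c StoredCard) (string, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, v.Priv, c.WrappedDEK, nil)
	if err != nil || len(dek) != 32 {
		return "", rsa.ErrDecryption
	}
	pt, err := gcmFor(dek).Open(nil, c.Nonce, c.Ciphertext, nil)
	return string(pt), err
}
```

    The point of the split is that an attacker who takes the web tier and the database gets wrapped keys they cannot unwrap; the private key, and with it every stored card, is only ever exposed if the vault itself falls.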

  17. #16
    Join Date: Sep 2012 | Posts: 81
    Quote Originally Posted by jarland:
    That is an interpretation that I would accept. It did not come across to me that way so thank you for the alternate perspective.
    Judging by this search I wouldn't hold up too much hope:

    http://slink.eu/linode

    Paladine

  18. #17
    Join Date: May 2010 | Location: 10.0.0.17 | Posts: 474
    The IRC logs are interesting. A channel mod clearly pops in to ban the ryan chap several times, makes a noncommittal comment over his food, but vanishes whenever asked about the authenticity of the claims. Granted aye, of course they're going to look into the issue before making any type of public statement - but running off without so much as a "we're checking into it, stay tuned", especially when ryan dropped a paste of their docroot with valid/resolving files, just seems to authenticate the exploit.

  19. #18
    Join Date: Feb 2006 | Posts: 4,223
    Didn't Linode experience a hack at this same time last year? Spring must be an unlucky time of the year for them.
    WHMEasyBackup.com - Take Control Of Your Backups!
    Complete Backup Solution For WHM Reseller Accounts
    Download Trial

  20. #19
    Join Date: Mar 2003 | Location: California USA | Posts: 13,261
    Quote Originally Posted by DWS2006:
    Didn't Linode experience a hack at this same time last year? Spring must be an unlucky time of the year for them.
    http://www.theregister.co.uk/2012/03...bitcoin_heist/
    http://bitcoinmagazine.com/the-bitco...s-for-bitcoin/

  21. #20
    Join Date: Mar 2011 | Posts: 630
    Quote Originally Posted by Paladine:
    Judging by this search I wouldn't hold up too much hope:

    http://slink.eu/linode

    Paladine
    Well, the hope I am holding on to is that our strongest source is this Ryan guy in IRC. No one has been able to confirm the validity of his data that I've seen, publicly, beyond the visiting of URLs in the public web folder which can potentially be obtained by poor but mostly irrelevant security or a less severe exploit.

    Anything beyond that could very well be an elaborate hoax. I could be very wrong. Gordon Lyon may be the current piece of the puzzle that squashes my hope.

  22. #21
    Join Date: Nov 2009 | Location: Neenah, WI | Posts: 388
    This is concerning. I don't have an active VM with Linode at the moment (no problem with them LW managed is just a better fit for my needs at the current time), but have an active account with a valid credit card on file. It's my business card and would be a good deal of work to change the number and update it with all the vendors. I'd really like to know if it is necessary or not.

    I've checked my mail and spam folders and I never even got a message from them about this. I logged into Linode and can see my current credit card info and expiration date still listed on my account.

    If payment information was compromised they need to notify everyone that has payment information on file, not just people who have active VMs. (I can only guess that the fact that I don't have an active Linode is the reason I didn't get a copy of the notification email.)

    I'm sure many other people also use Linodes for test projects, dev work, etc. and remove the Linodes at times but still have current payment info on file.

    I've always had a great deal of respect for Linode, but am disappointed to learn about this problem via a Slashdot post made on Facebook. Also, the lack of any real details about what happened or what was leaked is really inexcusable. If they have good reason to believe that financial information (credit cards) was leaked, they need to say so and not just force a password reset.

  23. #22
    Join Date: Nov 2000 | Location: Thailand | Posts: 3,367
    This is concerning. Whilst I generally champion Linode, I have also in the past been pretty critical of some of their practices, and this will put them back on the re-evaluate radar.

    The security issue last year was a good example where Linode didn't listen to the community: 2-factor should have come then but it didn't; instead, some silly email notification and then some blog post about ~9-12 months ago about continued progress on security, and then silence...

    Although in comparison to the flavour-of-the-month VPS companies on WHT * they are still held in relatively high regard in my perception. At least they aren't committing atrocities like default passwords for VPSes (with SSH open already), emailing plain text passwords to customers (meaning stored at best with symmetric encryption), non-secure SolusVM panels (non-HTTPS), running WHMCS (quarterly security issues) and so forth.

  24. #23
    Join Date: Jun 2012 | Posts: 284
    Quote Originally Posted by MattF:
    At least they aren't committing atrocities like default passwords for VPSes (with SSH open already), emailing plain text passwords to customers (meaning stored at best with symmetric encryption), non-secure SolusVM panels (non-HTTPS), running WHMCS (quarterly security issues) and so forth.
    According to the hackers, the LISH passwords were in plaintext and the CC data encryption keys were easily accessible.

    Yesterday, on the IRC channel right before it was locked down, someone stating they represent the hackers appeared and started proving they had hacked by telling the last 4 CC numbers of anyone that asked; they also apparently had usernames and emails of at least a few users. Please note the bold words and do not read between the lines. I'm just describing what happened.

    Now, whether all this is true or just an elaborate hoax and propaganda to discredit Linode, remains to be seen. Unfortunately, other than the rather shaky blog post from last Friday, we have no official info. And that's the biggest problem.

  25. #24
    Join Date: Jun 2012 | Posts: 284
    Oh, I stand corrected about no official info. Official update: http://blog.linode.com/2013/04/16/se...cident-update/

  26. #25
    Join Date: Sep 2012 | Posts: 81
    Note that they state:

    "We have no evidence decrypted credit card numbers were obtained."

    That is based on advice from the risk assessment manager or lawyer - in other words:

    "The encrypted credit card details were obtained and the keys were present on the same server but we are hoping they cannot decrypt the passphrase we used to encrypt the private keys so we will keep our cards close to our chest on this for now."

    You all better hope they used a damn good passphrase to encrypt those private keys. What is discouraging is that it seems they have used the same passphrase for all the private keys based on the wording of their update, so if HTP manage to decrypt a single key they will be able to decrypt them all.

    All in all, the update is very worrying.

    Paladine
