  1. #1
    Join Date
    Apr 2008
    Location
    Tulsa, OK, USA
    Posts
    372

    Linode allegedly compromised

    So, I have a Linode, right.

    I woke up this morning and someone named 'ryan' told me that my financial information was compromised.

    He provided this as proof: https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc ( mirrored at http://turtle.dereferenced.org/~neno...e/pastebin.png ).

    There is also discussion of it on their IRC channel. I have snipped out the relevant part of the conversation.

    Abridged: http://turtle.dereferenced.org/~neno...e-abridged.txt
    Full log: http://turtle.dereferenced.org/~neno...ode/linode.log

    I knew something was fishy when my 160 character generated password was claimed to be 'compromised'.

  2. Thread Summary: Linode was indeed compromised:

    As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database.

    Contributors: Orien


  3. #2
    Join Date
    Mar 2012
    Location
    Tampa, FL =)
    Posts
    1,748
    Has Linode made a statement about this yet?

  4. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    I don't know but magically today my password expired on my dev account.

    Edit: http://blog.linode.com/2013/04/12/se...assword-reset/
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.

  5. #4
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,387
    Ouch, I'm glad they took action and expired all passwords. Got to be hard to find that someone has hacked their way in.

  6. #5
    Join Date
    Mar 2011
    Posts
    635
    My understanding was that they were not compromised but needlessly reset everyone's passwords anyway.

    See their wording:
    "coordinated attempt to access the account of one of our customers"

    "We have found no evidence that any Linode data of any other customer was accessed"

    I'm quite confused as to how an "attempt" to access "one" customer's data affects anyone else. If I had to make a guess, I'd suspect that they left out some vital information. People ATTEMPT to access ALL of my clients EVERY day. I suspect any host around here who watches incoming malicious traffic could say the same. I don't force everyone to reset their passwords every day. What am I missing here?
    MXroute - E-mail Hosting for Your Domain.

  7. #6
    Join Date
    Dec 2012
    Posts
    1,837
    Yeah, looks like linode expired everyone's passwords forcing them to update them as a security precaution. It seems even though this ryan kid claims the DB is on his computer, I would assume he can't do much with it as it's probably encrypted.
    SolaDrive - Enterprise Managed Solutions
    Specializing in Managed SSD VPS & Dedicated Servers in US & UK
    Rated #1 Provider at Top 20 VPS Providers For Performance
    Visit us at SolaDrive.com

  8. #7
    Join Date
    Dec 2012
    Location
    localhost
    Posts
    294
    The higher you are the harder you fall.

  9. #8
    Join Date
    Sep 2012
    Posts
    87
    Quote Originally Posted by SolaDrive - John:
    Yeah, looks like linode expired everyone's passwords forcing them to update them as a security precaution. It seems even though this ryan kid claims the DB is on his computer, I would assume he can't do much with it as it's probably encrypted.
    I would never assume such a thing. My experience of data breaches (which given I am a privacy guy is fairly substantial) is that it is more often than not that the data is NOT encrypted.

    Paladine

  10. #9
    Join Date
    Mar 2011
    Posts
    635
    Quote Originally Posted by Paladine:
    I would never assume such a thing. My experience of data breaches (which given I am a privacy guy is fairly substantial) is that it is more often than not that the data is NOT encrypted.

    Paladine
    For Linode's sake, and my own, I hope they are PCI compliant. What bugs me is that here Linode is clearly telling me I have nothing to worry about, then taking an action that clearly implies that I do have something to worry about.

    I don't know that I put much faith in this "Ryan" fellow but I would certainly urge him not to prove his point at our expense. If my billing data was compromised and Linode told me to reset my password for no reason, because even that wasn't compromised according to them, the amount of "upset" that I'll be wouldn't fit on any graph I've ever seen.

  11. #10
    Join Date
    Apr 2008
    Location
    Tulsa, OK, USA
    Posts
    372
    Quote Originally Posted by jarland:
    For Linode's sake, and my own, I hope they are PCI compliant. What bugs me is that here Linode is clearly telling me I have nothing to worry about, then taking an action that clearly implies that I do have something to worry about.

    I don't know that I put much faith in this "Ryan" fellow but I would certainly urge him not to prove his point at our expense. If my billing data was compromised and Linode told me to reset my password for no reason, because even that wasn't compromised according to them, the amount of "upset" that I'll be wouldn't fit on any graph I've ever seen.
    They are not, read the IRC log on #linode:

    05:42 < ryan||> credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security

  12. #11
    Join Date
    Apr 2008
    Location
    Tulsa, OK, USA
    Posts
    372
    I think it would be a very good idea to start making preparations to change card information.

    Luckily, I was on a bi-yearly plan so my card information was already expired anyway (due to another host being hacked I already changed it unfortunately... how ironic).

  13. #12
    Found this thread being slashdotted.
    But fortunately I don't have any plan with linode since years ago.

  14. #13
    Join Date
    May 2003
    Location
    Scotland
    Posts
    3,728
    Perhaps Linode being Linode being super cautious just went for a full reset of the passwords to get people to think more about their choice when selecting a password.

    Damned if they do and damned if they don't.

  15. #14
    Join Date
    Mar 2011
    Posts
    635
    Quote Originally Posted by W1H-Lee:
    Perhaps Linode being Linode being super cautious just went for a full reset of the passwords to get people to think more about their choice when selecting a password.

    Damned if they do and damned if they don't.
    That is an interpretation that I would accept. It did not come across to me that way so thank you for the alternate perspective.

  16. #15
    Join Date
    Sep 2012
    Posts
    87
    Quote Originally Posted by nenolod:
    They are not, read the IRC log on #linode:

    05:42 < ryan||> credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security
    Funny you should mention that I nearly stated in my last post "Either the data is not encrypted or the keys are stored in the same place as the data."

    You would be amazed how often it happens that way.

    Paladine

  17. #16
    Join Date
    Sep 2012
    Posts
    87
    Quote Originally Posted by jarland:
    That is an interpretation that I would accept. It did not come across to me that way so thank you for the alternate perspective.
    Judging by this search I wouldn't hold up too much hope:

    http://slink.eu/linode

    Paladine

  18. #17
    Join Date
    May 2010
    Location
    10.0.0.17
    Posts
    475
    The IRC logs are interesting. A channel mod clearly pops in to ban the ryan chap several times, makes a noncommittal comment over his food, but vanishes whenever asked about the authenticity of the claims. Granted aye, of course they're going to look into the issue before making any type of public statement - but running off without so much as a "we're checking into it, stay tuned", especially when ryan dropped a paste of their docroot with valid/resolving files, just seems to authenticate the exploit.

  19. #18
    Join Date
    Feb 2006
    Posts
    4,773
    Didn't Linode experience a hack at this same time last year? Spring must be an unlucky time of the year for them.
    WHMEasyBackup.com - Take Control Of Your Backups!
    Complete Backup Solution For WHM Reseller Accounts
    Download Trial

  20. #19
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Quote Originally Posted by DWS2006:
    Didn't Linode experience a hack at this same time last year? Spring must be an unlucky time of the year for them.
    http://www.theregister.co.uk/2012/03...bitcoin_heist/
    http://bitcoinmagazine.com/the-bitco...s-for-bitcoin/

  21. #20
    Join Date
    Mar 2011
    Posts
    635
    Quote Originally Posted by Paladine:
    Judging by this search I wouldn't hold up too much hope:

    http://slink.eu/linode

    Paladine
    Well, the hope I am holding on to is that our strongest source is this Ryan guy in IRC. No one has been able to confirm the validity of his data that I've seen, publicly, beyond the visiting of URLs in the public web folder which can potentially be obtained by poor but mostly irrelevant security or a less severe exploit.

    Anything beyond that could very well be an elaborate hoax. I could be very wrong. Gordon Lyon may be the current piece of the puzzle that squashes my hope.

  22. #21
    Join Date
    Nov 2009
    Location
    Neenah, WI
    Posts
    388
    This is concerning. I don't have an active VM with Linode at the moment (no problem with them, LW managed is just a better fit for my needs at the current time), but have an active account with a valid credit card on file. It's my business card and would be a good deal of work to change the number and update it with all the vendors. I'd really like to know if it is necessary or not.

    I've checked my mail and spam folders and I never even got a message from them about this. I logged into linode and can see my current credit card info and expiration date still listed on my account.

    If payment information was compromised they need to notify everyone that has payment information on file, not just people who have active VMs. (I can only guess that the fact that I don't have an active Linode is the reason I didn't get a copy of the notification email.)

    I'm sure many other people also use Linode's for test projects, dev work, etc. and remove the linodes at times but still have current payment info on file.

    I've always had a great deal of respect for linode, but am disappointed to learn about this problem via a SlashDot post made on Facebook. Also the lack of any real details about what happened or what was leaked is really inexcusable. If they have good reason to believe that financial information (credit cards) were leaked, they need to say so and not just force a password reset.

  23. #22
    Join Date
    Nov 2000
    Location
    UK
    Posts
    3,507
    This is concerning, whilst I generally champion Linode, I have also in the past been pretty critical of some of their practices and this will put them back on the re-evaluate radar.

    The security issue last year was a good example where Linode didn't listen to the community, 2-factor should have come then but it didn't, instead some silly email notification and then some blog post about ~9-12 months ago about continued progress on security and then silence...

    Although in comparison to the flavour-of-the-month VPS companies on WHT * they are still held in relatively high regard in my perception. At least they aren't committing atrocities like default passwords for VPSes (with ssh open already), emailing plain text passwords to customers (meaning stored at best with symmetric encryption), non-secure solusvm panels (non-https), running whmcs (quarterly security issues) and so forth.

  24. #23
    Join Date
    Jun 2012
    Posts
    389
    Quote Originally Posted by MattF:
    At least they aren't committing atrocities like default passwords for VPSes (with ssh open already), emailing plain text passwords to customers (meaning stored at best with symmetric encryption), non-secure solusvm panels (non-https), running whmcs (quarterly security issues) and so forth.
    According to the hackers, the LISH passwords were in plaintext, the CC data encryption keys were easily accessible.

    Yesterday, on the IRC channel right before it was locked down, someone stating they represent the hackers appeared and started proving they had hacked it by telling the last 4 CC numbers of anyone that asked; they also apparently had usernames and emails of at least a few users. Please note the bold words and do not read between the lines. I'm just describing what happened.

    Now, whether all this is true or just an elaborate hoax and propaganda to discredit Linode, remains to be seen. Unfortunately, other than the rather shaky blog post from last Friday, we have no official info. And that's the biggest problem.

  25. #24
    Join Date
    Jun 2012
    Posts
    389
    Oh, I stand corrected about no official info. Official update: http://blog.linode.com/2013/04/16/se...cident-update/

  26. #25
    Join Date
    Sep 2012
    Posts
    87
    Note that they state:

    "We have no evidence decrypted credit card numbers were obtained."

    That is based on advice from the risk assessment manager or lawyer - in other words:

    "The encrypted credit card details were obtained and the keys were present on the same server but we are hoping they cannot decrypt the passphrase we used to encrypt the private keys so we will keep our cards close to our chest on this for now."

    You all better hope they used a damn good passphrase to encrypt those private keys. What is discouraging is that it seems they have used the same passphrase for all the private keys based on the wording of their update, so if HTP manage to decrypt a single key they will be able to decrypt them all.

    All in all, the update is very worrying.

    Paladine
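    The design failure nenolod's IRC quote (post #10) and Paladine's "keys are stored in the same place as the data" (post #15) describe, and the passphrase discussion in this post, as an added example that is not code from this thread or from Linode: the internet-facing web tier gets only the public key, so everything an attacker can take from that host (ciphertexts plus public key) is useless for reading card numbers, while the second deployment keeps the private key on the same host and the same dump yields the numbers in clear. Host names, the OAEP label and the card numbers are constructed for the example. It does not cover the later point in the thread about dumping a live process's memory: the process that decrypts still has to run on a host the attacker never reached.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds ciphertexts to their purpose; a constructed value for this example.
var oaepLabel = []byte("cardholder-pan-v1")

// HostDump models what an attacker gets from a fully compromised host:
// whatever key material that host kept on disk, plus its stored data.
type HostDump struct {
	Name        string
	Public      *rsa.PublicKey
	Private     *rsa.PrivateKey // nil when the host never held the private key
	Ciphertexts [][]byte
}

// EncryptPAN is all the web tier does at checkout: RSA-OAEP with the public key.
func EncryptPAN(pub *rsa.PublicKey, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
}

// DecryptPAN runs on the isolated payment host, the only place the private key lives.
func DecryptPAN(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RecoverPANs answers the thread's question: given everything taken from one
// host, can the card numbers be read back? Only if the dump holds the private key.
func RecoverPANs(d HostDump) ([]string, error) {
	if d.Private == nil {
		return nil, errors.New(d.Name + ": dump holds ciphertexts and a public key only; nothing can decrypt")
	}
	out := make([]string, 0, len(d.Ciphertexts))
	for _, ct := range d.Ciphertexts {
		pan, err := DecryptPAN(d.Private, ct)
		if err != nil {
			return nil, err
		}
		out = append(out, pan)
	}
	return out, nil
}

// BuildDumps simulates the two deployments with the same card data:
// (1) private key generated and kept on a separate payment host, web tier holds
// only the public half; (2) both halves on the web server, as the IRC log describes.
func BuildDumps() (separated HostDump, colocated HostDump, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return separated, colocated, err
	}
	pans := []string{"4111111111111111", "5555555555554444"} // constructed test card numbers
	var cts [][]byte
	for _, p := range pans {
		ct, err := EncryptPAN(&priv.PublicKey, p)
		if err != nil {
			return separated, colocated, err
		}
		cts = append(cts, ct)
	}
	separated = HostDump{Name: "web-tier (public key only)", Public: &priv.PublicKey, Ciphertexts: cts}
	colocated = HostDump{Name: "web-tier (both keys on disk)", Public: &priv.PublicKey, Private: priv, Ciphertexts: cts}
	return separated, colocated, nil
}

func main() {
	separated, colocated, err := BuildDumps()
	if err != nil {
		panic(err)
	}
	for _, d := range []HostDump{separated, colocated} {
		if pans, err := RecoverPANs(d); err != nil {
			fmt.Println(d.Name, "->", err)
		} else {
			fmt.Println(d.Name, "->", pans)
		}
	}
}
```

    Because OAEP is randomised, two encryptions of the same number produce different ciphertexts, so the web-tier dump does not even let an attacker match records by card; the only thing that turns the dump into card numbers is the private key, which is exactly what should never have been on that host. A passphrase on a private key that sits next to the data only buys the time it takes to find or capture the passphrase, which is the point this post makes.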

  27. #26
    Join Date
    Oct 2009
    Posts
    854
    we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.
    Am I the only one who chuckles at the ridiculousness of referring to a bug that was patched a week ago as a "zero-day vulnerability"? That's more of an "incompetent-server-managers-who-didn't-patch-a-known-bug-for-seven-days vulnerability".
    Your faithful student,
    Twilight Sparkle

  28. #27
    Join Date
    Sep 2012
    Posts
    87
    Quote Originally Posted by aeris:
    Am I the only one who chuckles at the ridiculousness of referring to a bug that was patched a week ago as a "zero-day vulnerability"? That's more of an "incompetent-server-managers-who-didn't-patch-a-known-bug-for-seven-days vulnerability".
    If we are to believe the IRC chat logs, they were hacked several weeks ago (before Adobe issued the patch) but from what I have read on the Slashdot story, Linode failed to follow the documented "Best Practise" security configuration anyway which is allegedly what led to the vulnerability in the first place.

    Paladine

  29. #28
    Join Date
    Oct 2009
    Posts
    854
    Quote Originally Posted by Paladine:
    If we are to believe the IRC chat logs, they were hacked several weeks ago (before Adobe issued the patch) but from what I have read on the Slashdot story, Linode failed to follow the documented "Best Practise" security configuration anyway which is allegedly what led to the vulnerability in the first place.
    Hmm. Fair enough on the zero-day then, but assuming that they used a strong passphrase that will be prohibitively expensive to crack before all the credit card information expires; if they were hacked several weeks ago, what are the odds that the passphrase wasn't entered and captured in that time?

  30. #29
    Join Date
    Sep 2012
    Posts
    87
    Quote Originally Posted by aeris:
    Hmm. Fair enough on the zero-day then, but assuming that they used a strong passphrase that will be prohibitively expensive to crack before all the credit card information expires; if they were hacked several weeks ago, what are the odds that the passphrase wasn't entered and captured in that time?
    How much is hideously expensive to a "group" if they have access to botnets with millions of nodes? How safe is the passphrase then? How many well constructed passphrase attacks can a massive botnet conduct per minute?

    I would not put any faith in their "Honest, the private keys are totally safe." crap if I were a customer.

    Paladine

  31. #30
    Join Date
    Oct 2009
    Posts
    854
    Quote Originally Posted by Paladine:
    How much is hideously expensive to a "group" if they have access to botnets with millions of nodes? How safe is the passphrase then? How many well constructed passphrase attacks can a massive botnet conduct per minute?

    I would not put any faith in their "Honest, the private keys are totally safe." crap if I were a customer.
    For all intents and purposes, the credit card database should absolutely be considered compromised, but that's primarily due to the possibility that the passphrase was captured at some point.

    Brute-forcing the passphrase is of course a concern, but it is quite possible to have a passphrase long and complex enough that all the computer power on earth would not be able to crack it in our lifetime. Still, I wouldn't put my faith in it.

  32. #31
    Join Date
    Jun 2012
    Posts
    389
    Quote Originally Posted by aeris:
    For all intents and purposes, the credit card database should absolutely be considered compromised, but that's primarily due to the possibility that the passphrase was captured at some point.
    I'd say it's primarily because of the progression of "no evidence" posts. Last week it was no evidence any data was compromised. Now it's okay, some data was, but no evidence that CC data is compromised.

    At any rate, yeah, the CCs should be considered compromised and banks promptly notified.

  33. #32
    Join Date
    Aug 2010
    Location
    Sorting Office
    Posts
    6,746
    Please forgive me if I've got this wrong - I got and acted upon the password reset email in the early hours of the morning, and I've got a banging headache today, so my memory of what happened may be flawed. However, Linode's instructions went:

    we have immediately expired all current passwords. You will be prompted to create a new password the next time that you log into the Linode Manager.
    As I remember it, I used my username and old password to access the "what's your new password" screen. I entered a new password, and that was it.

    If someone's got access to the username/old password data, what's to stop them doing the same and taking over accounts with new passwords (and then changing the customer email address to their own) so that the real customer is locked out, cannot use the password reset via email option, and the "villains" have complete control?

    Please tell me that Linode are not assuming that only genuine customers will access that screen? Surely the correct way of doing it would be to have customers log in with username and old password, and then email a unique password reset link to the account holder's email address on file?

    Again, apologies if my memory of the process is flawed (and can someone throw a couple of Paracetamols in my direction please?).
    There's no such thing as an unmanaged server - It's actually self-managed. Worth remembering next time you're looking for someone to complain to.
    DATA VALUATION SERVICE: Your data's value is linked directly to your backup strategy. If YOU don't have your own backups then YOU value your data at ZERO. So why should anyone else care when you lose it?

  34. #33
    Join Date
    Jun 2012
    Posts
    389
    Quote Originally Posted by F-DNS:
    Again, apologies if my memory of the process is flawed (and can someone throw a couple of Paracetamols in my direction please?).
    Ouch... sorry about your headache, I know how that feels, Paracetamols are the only stuff that work for me

    Anyway, yeah, you got the gist of it. Despite the wording, Linode did not reset any passwords, just forced their expiration, that's all.

    A reset would mean the old pass is useless no matter what, and the user has to reauthenticate with a tokenized link or something else. That was not the case here.
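    The distinction F-DNS and HaronMedia draw in the two posts above, as an added example that is not code from the thread or from Linode: both flows are implemented side by side in Go, so the weak one (old password alone unlocks the "choose a new password" screen) and the proper one (old password discarded at once, single-use time-limited token delivered to the address on file) can be run against the same leaked credential. The account structure, the sample password and the SHA-256 stand-in for a real password hash are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Account is a constructed stand-in for a customer record; it is not Linode's schema.
type Account struct {
	passwordHash [32]byte
	Expired      bool
	// Pending reset: only a hash of the emailed token is stored, so reading the
	// database does not yield usable reset links.
	resetTokenHash []byte
	resetExpires   time.Time
}

var ErrBadCredentials = errors.New("bad credentials")
var ErrNotExpired = errors.New("password has not been expired")
var ErrBadToken = errors.New("reset token invalid, expired, or already used")

// hashPassword stands in for a real slow password hash (bcrypt, scrypt, argon2);
// plain SHA-256 is used only to keep the example dependency-free.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte("pw:" + pw)) }

func NewAccount(pw string) *Account { return &Account{passwordHash: hashPassword(pw)} }

// VerifyPassword compares against the stored hash in constant time.
func VerifyPassword(a *Account, pw string) bool {
	h := hashPassword(pw)
	return subtle.ConstantTimeCompare(h[:], a.passwordHash[:]) == 1
}

// ForceExpire is the "we have immediately expired all current passwords" step.
func ForceExpire(a *Account) { a.Expired = true }

// ChangeAfterExpiry is the weak flow: the old password alone unlocks the new-password
// screen, so whoever holds the leaked credential can complete it first.
func ChangeAfterExpiry(a *Account, oldPw, newPw string) error {
	if !a.Expired {
		return ErrNotExpired
	}
	if !VerifyPassword(a, oldPw) {
		return ErrBadCredentials
	}
	a.passwordHash = hashPassword(newPw)
	a.Expired = false
	return nil
}

// IssueResetToken is a real reset: the old password is discarded at once and the
// only way back in is a single-use, time-limited token sent to the address on file.
// The raw token is returned so the caller can email it; the account keeps its SHA-256.
func IssueResetToken(a *Account, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	sum := sha256.Sum256([]byte(token))
	a.resetTokenHash = sum[:]
	a.resetExpires = now.Add(ttl)
	a.passwordHash = [32]byte{} // the old password is useless from here on
	a.Expired = true
	return token, nil
}

// RedeemResetToken checks the emailed token in constant time, enforces the
// expiry, and consumes it so it cannot be replayed.
func RedeemResetToken(a *Account, token, newPw string, now time.Time) error {
	if a.resetTokenHash == nil || now.After(a.resetExpires) {
		return ErrBadToken
	}
	sum := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(sum[:], a.resetTokenHash) != 1 {
		return ErrBadToken
	}
	a.resetTokenHash = nil // single use
	a.passwordHash = hashPassword(newPw)
	a.Expired = false
	return nil
}

func main() {
	leaked := "hunter2" // constructed: a password the attacker already holds
	weak := NewAccount(leaked)
	ForceExpire(weak)
	fmt.Println("expire-only, attacker with leaked password:", ChangeAfterExpiry(weak, leaked, "attacker-chosen"))
	strong := NewAccount(leaked)
	token, _ := IssueResetToken(strong, time.Now(), time.Hour)
	fmt.Println("tokenized, attacker with leaked password:", ChangeAfterExpiry(strong, leaked, "attacker-chosen"))
	fmt.Println("tokenized, owner redeems emailed token:", RedeemResetToken(strong, token, "owner-chosen", time.Now()))
}
```

    In the expire-only flow the first call succeeds with nothing but the leaked password, which is the takeover F-DNS worries about; in the tokenized flow the same call fails with bad credentials, and only the holder of the emailed token can set a password, once, before it expires.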

  35. #34
    Join Date
    Sep 2012
    Posts
    87
    Now let's wait and see if their "supersecureprivatekeypassphrase!#@" turns up in a .bash_history log on a pastebin somewhere...

    Paladine

  36. #35
    Join Date
    Aug 2010
    Location
    Sorting Office
    Posts
    6,746
    Quote Originally Posted by HaronMedia:
    Anyway, yeah, you got the gist of it. Despite the wording, Linode did not reset any passwords, just forced their expiration, that's all.

    A reset would mean the old pass is useless no matter what, and the user has to reauthenticate with a tokenized link or something else. That was not the case here.
    Well that's just jeffing marvelous then

    I'll go fix that now with a reset for starters, and that reset email better land here or I'm going to do my humpty-dumpty dance (and you do NOT want to see me do my humpty-dumpty dance!).

    Quote Originally Posted by Paladine:
    Now let's wait and see if their "supersecureprivatekeypassphrase!#@" turns up in a .bash_history log on a pastebin somewhere...
    Oh please don't. Some of us already have banging headaches

  37. #36
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,908
    People still use ColdFusion? Jeez, I thought that died off years ago!
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  38. #37
    Join Date
    Apr 2008
    Location
    Tulsa, OK, USA
    Posts
    372
    As an update, the hacker was once again in IRC and said he made a dump of the coldfusion JVM's memory image, allowing him to extract the unencrypted private key material.

    So yes, if you're smart you should consider the database compromised regardless of what Linode is claiming...

    See this particular pastebin: http://pastebin.com/7WXRDyAg line 75 onward.

  39. #38
    Join Date
    Aug 2012
    Posts
    158
    What I find somewhat disappointing (and worrying) is that I (as many others in this thread did) received an e-mail saying I had nothing to worry about.


    I did not receive any other e-mail regarding this matter, until I read the announcement in a German news site. I don't follow the blog, why would they announce that I have "nothing to worry about", but not announce what the actual scope of the breach is?

  40. #39
    Join Date
    Oct 2009
    Posts
    854
    Quote Originally Posted by sewi:
    I did not receive any other e-mail regarding this matter, until I read the announcement in a German news site. I don't follow the blog, why would they announce that I have "nothing to worry about", but not announce what the actual scope of the breach is?
    My guess would be.. brand damage control? Or possibly, simple denial.

    Besides, "we lost all your credit card info lol" probably didn't pass muster with marketing.

  41. #40
    Join Date
    Apr 2013
    Location
    Maryland
    Posts
    33
    It's a shame some little kids with script kiddie tools can damage and cause so many problems for a very good service provider. Yeah, they should improve their security, and fix the list of issues mentioned here in this thread to prevent bigger things from happening than what has already occurred.

    But, I personally still like Linode and would trust them again for my services I've used them for in the past again, even with this situation. I just know to be cautious about what information I leave on file with them.
