Linode the cloud
.. where security does not exist.
Crooks claim they gained access to server hosting biz Linode's customer passwords and credit card numbers. On Friday, Linode said someone tried to compromise one of its clients' machines, but insisted no financially sensitive information was leaked. Linode reset all account passwords as a precautionary measure. The virtual …
I've been with many web hosts through the years, and even worked for a decade at a major web host. Linode remains my favorite of them all - highest uptime, fastest servers, best customer service. They frequently upgrade things and pass the upgrades along to existing users (e.g., periodic disk and RAM increases) at no additional cost. One minor security snag and everyone wants to crucify them... I stand by them for their past service, and it sounds like the security breach itself was beyond minor. People do love to overreact.
I'm betting the "skillz" used by HTP amounted to watching the security sites for news of a new security hole, then scanning the Web for any servers slow to patch the hole, using the proof code from the security warning to "exploit" the Linode server, then claiming 1337 skillz. Skiddies. Real black hats wouldn't be blowing their own horns as loudly as possible.
"we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago"
It says "less than a week" so it must be a less-than-a-week-a-day? Certainly not zero day :)
From what I've read, it seems that a simple file permission setting would have prevented all of this. It also sounds like Linode is trying to downplay this incident; I'm not too convinced that credit card data has not been compromised.
I'm curious (genuinely - not taking a swipe at a well respected vendor): given that so many payment processors allow token recurring payments, why would Linode need to store full customer credit card numbers in any form?
Is there a major cost saving associated with directly transmitting card numbers every month to a bank that would outweigh the risk of keeping full card details in your own systems?
We use them and are billed monthly on our card. I'm not aware of a way of doing this without storing the card details. Generally they're pretty good, but if someone recovered the private key encrypting these I'm less happy as we're now relying on the password resisting brute force.
I guess we find out on the first of May; according to the transcript that's when they're releasing the hacked db.
/Nips off to change root password....
That's the point, these days you can simply make a first 'authorisation' payment with the three digit security code (which you cannot store under PCI regs), and 3D secure if you want, then receive a 'token' unique to that merchant, which you then use to perform any further recurring billing. The token is effectively useless if stolen, and there is no need for a card number to be stored once the token has been issued.
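The token flow described in this comment, and the concern two comments up about a merchant holding encrypted card numbers, as an added illustration that is not Linode's code or any real processor's API: a toy processor that checks the CVV once, issues a token bound to the merchant that requested it, and then bills by token alone. The class names, the `merchant_hosting`/`merchant_other` identifiers and the card number are all constructed for the example.

```python
"""Token-based recurring billing versus storing the card number (PAN).

Added illustration; the processor, merchant ids and card data are constructed.
"""
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the standard sanity check on a card number."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Hypothetical processor. Only it holds the PAN; the CVV is checked on
    the first authorisation and never stored by anyone."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}   # token -> (merchant_id, pan)
        self.charges: list[tuple[str, str, int]] = []

    def authorise_and_tokenise(self, merchant_id: str, pan: str, cvv: str,
                               amount_pence: int) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("CVV is required for the first authorisation")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (merchant_id, pan)        # token is bound to this merchant
        self.charges.append((merchant_id, token, amount_pence))
        return token

    def charge_token(self, merchant_id: str, token: str, amount_pence: int) -> bool:
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:
            return False   # unknown token, or one stolen and replayed by another merchant
        self.charges.append((merchant_id, token, amount_pence))
        return True


@dataclass
class Merchant:
    merchant_id: str
    processor: PaymentProcessor
    db: dict[str, dict[str, str]] = field(default_factory=dict)

    def onboard(self, customer: str, pan: str, cvv: str, first_amount_pence: int) -> None:
        token = self.processor.authorise_and_tokenise(
            self.merchant_id, pan, cvv, first_amount_pence)
        # Only the token and a display hint are kept; PAN and CVV are dropped here.
        self.db[customer] = {"token": token, "last4": pan[-4:]}

    def bill_monthly(self, customer: str, amount_pence: int) -> bool:
        return self.processor.charge_token(
            self.merchant_id, self.db[customer]["token"], amount_pence)


def leaked_db_exposes_pan(merchant: Merchant, pan: str) -> bool:
    """What someone who dumps the merchant's customer table would find."""
    return any(pan in value for record in merchant.db.values()
               for value in record.values())


def demo() -> dict[str, bool]:
    proc = PaymentProcessor()
    hosting = Merchant("merchant_hosting", proc)
    other = Merchant("merchant_other", proc)
    pan = "4111111111111111"          # constructed test number that passes Luhn
    hosting.onboard("alice", pan, "123", 2000)
    stolen_token = hosting.db["alice"]["token"]
    return {
        "monthly_charge_ok": hosting.bill_monthly("alice", 2000),
        "pan_in_merchant_db": leaked_db_exposes_pan(hosting, pan),
        "cvv_in_merchant_db": any("cvv" in r for r in hosting.db.values()),
        "stolen_token_usable_elsewhere":
            proc.charge_token(other.merchant_id, stolen_token, 2000),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `leaked_db_exposes_pan` and `stolen_token_usable_elsewhere` checks is the contrast with a merchant that keeps an encrypted PAN: once the merchant table and its decryption key are both taken, nothing but the passphrase stands between the attacker and the card numbers, whereas a dumped token table yields strings that the processor refuses to honour for anyone but the original merchant.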
I canceled my account because they didn't even tell me that there was even a remote possibility that my credit card number, encrypted or not, was leaked. They still haven't announced the breach on their front page or sent an email detailing the full extent of the breach to their users. Furthermore, they shouldn't have made any such deals with the hackers. How can you trust a black hat?
I would've probably stayed with them had they actually alerted me that an encrypted copy of my credit card number might have been obtained in the breach, but their PR downplayed the event as much as possible. Sorry, but a coverup is worse than a breach.
There has been some discussion in regards to the validity and merits of ColdFusion as an application server. Let me say that I use both PHP and ColdFusion. They both have pluses and minuses. The ColdFusion server--and its open source brethren Railo--are essentially Java application servers and in recent years have adopted/borrowed from Java frameworks like Hibernate (which is 100x easier in CF). If you are OO programming in ColdFusion, it can be quite sophisticated. It also can be very rudimentary if you are programming with traditional CFML tags in a procedural fashion. PHP is much the same way. OO PHP can be very sophisticated and procedural PHP very Neanderthal. Although as a VPS Linux host you would think that they would opt for PHP, Ruby, or Python as a programming language that is native to Linux.
Where Linode screwed up is that they DID NOT, remotely, follow best security practices regarding their ColdFusion server. Which is odd considering the lengths they go to to inform web admins on how to lock down their instances. For one, there should never have been public access to the CF administrator. Simply restricting by IP in htaccess would have done the trick. Additionally, it is advised that even with IP restriction, the administration files should not even be in the admin directory when not in use. There are some components in the directory where the administration files reside--CFIDE--but only those scripts and dependent classes should be in there on a production server. Lastly, this one is tough because Adobe only labeled the hot fix that plugged this exploit (and the follow-up hot fix which came on April 9) as moderate back in January; they were not running a fully patched/up-to-date ColdFusion server. Adobe, to their discredit, has sometimes been slow to react to bugs and low priority security issues (obviously this is no longer low priority), but a massive security oversight nonetheless by Linode.
I'm not sure why Linode was so lax in their security and administration. Maybe it was the assumption that with CF being more obscure that it wouldn't be subject to attack. Relying on security by obscurity, but obviously this was a massive fail on their part.
FYI, I read the entire IRC transcript last night, and I have to say that Ryan fellow is a douche. These "hackers" have as much subtlety as a bull in a china shop. He kept insisting that they were trying to "help" Linode and were going to not make public the breach, but Linode involved the authorities. It hasn't been said, but I have a sneaking suspicion that this group HTP was trying to blackmail Linode, and Linode called their bluff.
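The IP restriction on the CF administrator that this commenter recommends, expressed as deny-by-default request logic rather than an htaccess file, as an added example that is not Linode's configuration or anything from the thread. The `/CFIDE/administrator` path comes from the comment; the `/CFIDE/adminapi` prefix, the allowlist networks and the sample requests are assumptions constructed for the example.

```python
"""Deny-by-default IP allowlist for an application server's admin paths.

Added illustration of the htaccess-style restriction discussed above; the
admin prefixes beyond /CFIDE/administrator, the networks and the sample
requests are constructed assumptions.
"""
import ipaddress
from typing import Iterable, List

# Admin entry points to fence off (assumed list; extend for the server in use).
ADMIN_PREFIXES = ("/CFIDE/administrator", "/CFIDE/adminapi")


def parse_allowlist(cidrs: Iterable[str]):
    """Accept single addresses or CIDR blocks; a host address becomes a /32 or /128."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalise_path(path: str) -> str:
    """Drop the query string and collapse duplicate slashes so that
    '/cfide//Administrator' is matched like '/CFIDE/administrator'."""
    no_query = path.split("?", 1)[0]
    return "/" + "/".join(part for part in no_query.split("/") if part)


def is_admin_path(path: str, admin_prefixes=ADMIN_PREFIXES) -> bool:
    norm = normalise_path(path).lower()
    return any(norm.startswith(p.lower()) for p in admin_prefixes)


def peer_ip(remote_addr: str, forwarded_for: str, trusted_proxies) -> str:
    """Only believe X-Forwarded-For when the TCP peer is a proxy we run;
    otherwise any client could spoof an allowed source address."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if forwarded_for and any(peer in net for net in trusted_proxies):
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def admin_request_allowed(path: str, client_ip: str, allowlist,
                          admin_prefixes=ADMIN_PREFIXES) -> bool:
    """Non-admin paths pass untouched; admin paths are served only to listed
    networks. An empty allowlist means nobody gets in, the safe default when
    nothing has been configured."""
    if not is_admin_path(path, admin_prefixes):
        return True
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


# Constructed sample requests: (path, remote_addr, X-Forwarded-For header)
SAMPLE_REQUESTS = [
    ("/index.cfm", "198.51.100.9", ""),
    ("/CFIDE/administrator/index.cfm", "198.51.100.9", ""),
    ("/CFIDE/administrator/index.cfm", "10.1.2.3", ""),
    ("/cfide//Administrator/index.cfm?x=1", "198.51.100.9", ""),
    # spoofed header from an untrusted peer must not grant access
    ("/CFIDE/administrator/", "198.51.100.9", "10.1.2.3"),
]


def evaluate(requests, allowlist, trusted_proxies) -> List[bool]:
    """Decision per request, in order."""
    return [admin_request_allowed(path, peer_ip(addr, xff, trusted_proxies), allowlist)
            for path, addr, xff in requests]


if __name__ == "__main__":
    allow = parse_allowlist(["10.0.0.0/8", "203.0.113.5"])
    proxies = parse_allowlist(["192.0.2.10"])
    for req, ok in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, allow, proxies)):
        print("ALLOW" if ok else "DENY ", req)
```

The two details worth carrying over to a real htaccess or vhost rule are the path normalisation (match the directory case-insensitively and after collapsing slashes, or the restriction can be sidestepped) and the source of the client address (the TCP peer, never a header a client can set).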
host your own on your own connection... it doesn't take all that much and one can easily set up a LAMP server and be operational in 30 minutes or less if all the pages are already coded and simply need to be uploaded somewhere... then the security is on you and you have no one to blame if things go sideways... I've never understood putting the important stuff in someone else's hands... if you want a job done right, do it yourself ;)
Biting the hand that feeds IT © 1998–2019