Security

Linode Hacked, Credit Cards and Passwords Leaked

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."
  • Oh FFS (Score:4, Insightful)

    by kernelpanicked (882802) on Monday April 15, 2013 @03:56PM (#43455021)

    Linode hacked again!? Seriously, for the premium they're charging, beefing up security might do well to be added to their todo list.

    • by Anonymous Coward

      There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

      • Re:Oh FFS (Score:4, Informative)

        by Anonymous Coward on Monday April 15, 2013 @04:57PM (#43455769)

        Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

        Except ryan_ in the chatlogs (which you obviously didn't bother to read) stated that Linode has set up their ColdFusion environment in a very insecure way. They apparently don't follow best practices. Not saying ColdFusion isn't shit, but it's still Linode's fault.

      • by gl4ss (559668)

        There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

        it wasn't their fault for using cold fusion? "Get a server running in seconds with your choice of Linux distro, resources, and node location.
        Servers on demand. Support that cares." for all the LINUX YEEHAA!!! you'd think that they could have gone with something else..

• Based on the limited information released, I'm not sure how anyone could make the claim "was beyond their direct control and was a flaw in cold fusion." I use ColdFusion everyday and most of the "vulnerabilities" reported can be avoided by using best practices -- the biggest being to remap the CFIDE directory to an empty directory and then add a virtual SCRIPTS directory under it pointing it back to the original CFIDE/SCRIPTS location. This one best practice prevents 99+% of the ColdFusion vulnerabilities.
  • I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost woo'ed me with a better deal. Geez.
    • Re: (Score:3, Funny)

      by Anonymous Coward

      Dreamhost

      Out of the frying pan...

      Well, at least Dreamhost is pretty open about when they fuck up.

      • I've used them for shared hosting for years, and it's been a hell of a frustration. That said, however, their VPS service actually has a good record. For the discounted price they offered me (based on the absolutely horrific service for the last few months) I couldn't refuse. It was a really good deal.
        • Wait you'd continue using a host that gives you horrific service?
          I hope guaranteed support times were in the deal.

        • Dunno about their VPS service but for a few months* we were using a dedicated server from them for raspbian and we had "fun" with it. It seems they have some management crap installed and if you try and customise the server (specifically in our case we wanted nginx rather than apache) it's easy to break it and render the machine unable to boot and bring up networking. Dreamhost support were able to bring the machine up manually but the only fix they could offer was a reimage (which we declined).

          Amusingly we

    • by vegge (184413)

      I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost woo'ed me with a better deal. Geez.

If you don't mind my asking, who were your top candidates, besides Linode? Did any service really impress, in terms of security and stability?

• Fuck VPS when you can get an i3/8GB server for 39 Canadian.

      • by Anonymous Coward

        Sounded promising, until I noticed they do something very suspicious with their IP routing where ICMP (and UDP-based too!) traceroute, as well as classic ICMP ping, get dropped even before making it to the border of their network. I tested this from two different connections: a Comcast residential connection in northern California (gets to San Jose California then gets dropped), and an ARP Networks VPS in southern California (doesn't even get to hop 2). Neither of the two providers I listed off filter ICM

        • Lots of providers block ICMP these days. I think it's a dumb practice, because nobody even tries to use ICMP for DDoS attacks anymore, and there are much more effective ways of taking out a host. Some hosts block ICMP because they actually believe doing so is equivalent to some kind of "cloaking" practice, which is worse from the perspective of trusting the host to know the first thing about security.

          All this said, trusting ICMP for server monitoring over anything more than a LAN is a questionable practice

  • Some more details (Score:5, Informative)

    by Necroman (61604) on Monday April 15, 2013 @04:27PM (#43455431)

    Some details that people have been able to find so far.

    1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html [adobe.com]

    This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387).
    This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388).

    2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html [linode.com]

    3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3 [seclists.org]

    4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

    • by nametaken (610866)

      4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

      Yeah all I saw was this:

      05:42 [that ryan guy] credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security

      Though I've been unable to find any specific proof regarding CC#'s. A directory listing for a management console doesn't worry me so much as being able to decrypt cc's.

      I guess people will have to wait to hear from linode.

      • One reason I like using my credit card... I am not liable for fraudulent charges
        • by dclozier (1002772) on Monday April 15, 2013 @06:49PM (#43456759)
I used to think the same thing until I ended up paying for some charges I didn't make. Capital One's team of investigators concluded that the charges were my responsibility. I've been running Linux on the desktop for over 10 years now so I know it wasn't a trojan or some other malware on my end giving up the card number - it had to be an online service somewhere that was hacked. I never found out who or how. I only ended up owing money for iPower Web hosting (would never in a million years use their service to start with), various gourmet coffee that was delivered to my house (ok I do like coffee but still wouldn't have ordered it online), video professor videos on using Microsoft Office (you know, if I should ever go back to Windows this may be handy???) and colon cleanser. WTF? I don't think they really did any investigating - just waited for a bit and then said it was my fault. Capital One offers no protection.
          • by Anonymous Coward

            My card was just compromised last night. For the second time. I'm fairly sure the culprit is the local sushi establishment's website. Both times I was compromised happened shortly after I used their site. And once when I had just gotten the new card I accidentally entered in the wrong information and they had to call. That time there was no compromise. (Also some of the charges were for businesses local to me.)

            Mine was an AMEX card. The first time it happened Amazon called me to confirm and I found out that

          • by whoever57 (658626)

            You need to dump your CC company and get a new one.

            My CC has been compromised several times, once for over $3k (plus foreign transaction fees). Every time, my CC company has cancelled every penny of the charges.

            I think the source of the compromise was a local gas station that has old pumps that I believe are vulnerable to skimmer installation. Haven't had a problem since I stopped using that gas station.

          • by MyHair (589485)

            Have to give props to AMEX here. While traveling for a living I apparently got my card skimmed shortly before a flight home Friday. They called me at my connecting airport, we discussed which charges were mine and which weren't. They canceled my card and had a replacement card ready to pick up within a few miles of my house on Saturday so when I flew out Sunday night I had my new card for the rent car and hotel. (It was a corporate card; I don't know if that makes a difference.) I was briefly concerned when

          • by MaineCoon (12585)

            Switch to Chase, they're very good about this. Recently, someone got hold of my CC# and was trying to buy gas with it several states away. They emailed me immediately, and I saw this notification within minutes and called them up. They went over recent charges with me, marked them as fraudulent, then asked me if I saw any other suspicious charges (I spotted one other from 2 weeks before), which they also immediately flagged. Then they closed out the card and sent me new cards via overnight courier, and

    • That y_key_ file is a yahoo verification file. It's likely included in some page somewhere. Doesn't mean that they were hacked. Give me an hour to write a web crawler and I can come up with a similar listing. Notice he didn't post any actual proof that linode was hacked.
  • by Anonymous Coward

    There has to come a point in time where the law holds responsible online providers. Security is a process, not a product. It should be law that ALL companies must audit their code and processes at least twice a year. Look at OpenBSD, for example. Yes, it's an operating system, but they have the almost perfect record they have because of audits. Banks have audits. Companies fall under audit regulations. NIST 800-53 needs to be required of every company doing business on the Internet that holds or processes p

    • Are you willing to pay higher fees to have that auditing done? What I have seen is that when given a choice a customer chooses the lowest cost option no matter what. They won't pay for security audits and that means if someone else is willing to give up on security they can charge less and you will lose the business.

      • If you regulate an industry, ALL must do it. There is no cheap alternative because it is mandatory. The free market isn't going to do it because taking the risk is worth pennies to most consumers who are NOT thinking of all the potential risks involved if they even are aware of a couple of the long list of risks.

Making people do something across the board always raises BS opposition but when it is applied uniformly (it usually is) there is no impact on the market (because the added costs are usually too

        • by Etherwalk (681268)

          If you regulate an industry, ALL must do it.

          Not very familiar with the services section of craigslist or the spousal-support taxless gray market cash economy, I see.

          • Simply because somebody breaks the law is not an argument for not having any law in the 1st place. Now for drugs... a HUGE number of people break the laws and if this were a democracy the representatives would reflect the citizens better.

            Most transactions are within the regulated systems and it is not a big deal until a significant number of transactions happen. You do realize food labels were a heavily fought battle or pollution??

        • That is what I actually like about engineering. It is a regulated field and you can't just go somewhere else to get something underbid. It is one of the many reasons I am getting out of regular programming. Customers will try to have one part of a project done very cheaply by someone in another country but then when it breaks or never works to begin with they want someone here to fix it but they also want it to be super cheap because that other company in india was able to do it for almost nothing. Programm

  • Title: "credit cards and pass"
TFS: "hashes of passwords leaked"

    That's a HUGE difference. Proper hashes of proper passwords may as well be public. It'd take billions of years to crack them. Unless of course Linode is still living in 1972 and using DES hashes, which may as well be plain text.

Linode, if you WERE using DES hashes, call me. We have some work to do on your systems. The people who designed your systems clearly aren't knowledgeable enough in security that they can be trusted to fix the p
  • Seems light on proof and heavy on speculation.
  • I'm certainly glad when I was looking for a VPS, Linode was quite a bit more expensive than the one I was recommended. For the price they charge, I'd expect better security.

    • by Yosho (135835)

      Out of curiosity, who were you recommended? I've got a Linode (1 GB RAM, 8 cores, $20/month) that I use as a small personal server. It's more than powerful enough for my needs, but I shopped around a little bit, and EC2 and Rackspace's low-end offerings were both more expensive than Linode's.

      Of course, I've also been pretty happy with Linode's security so far. Note that the summary is wrong; so far there's no reason to believe that any credit card info was leaked, and at worst password hashes were leaked,

      • by GrBear (63712)

        Sorry for the late reply. I'm using DigitalOcean.

      • by GrBear (63712)

        I'm using the $40/mon plan, it's speedy enough that I'm running it as a private mail server, minecraft server, mumble server.. and occasionally as a TF2 server.

  • by Gothmolly (148874) on Monday April 15, 2013 @08:39PM (#43457401)

    What is Linode? Would it kill an editor to include that in TFS?

  • by angst_ridden_hipster (23104) on Monday April 15, 2013 @08:56PM (#43457489) Homepage Journal

    Over the weekend, I got a lot of spurious charges on the credit card I use for my Linode account. Charges from several different countries, for various amounts that looked like automated "is this card valid?" type probes. The bank shut it down, but not before I got paged a bunch of times.

    Then again, the odds are just as good that a waiter at some restaurant uploaded my number to some IRC channel to get back at me for my guest's order being too complicated or something.

    • by Anonymous Coward

      Yeah, it's probably the Linode leak. Same thing happened to me.

      • by Aurix (610383)

        My card doesn't appear to have any charges on it. I've sought a new card number anyway. Linode hasn't responded squarely to the allegations in the IRC logs that the decryption/encryption keys to credit cards were stored insecurely.

  • by Anonymous Coward

    A bit of comment would be nice...

  • by Anonymous Coward

    I got the email. It's not enough.

    I realize that nobody can or should waste their breath every time someone runs their mouth off on IRC. But for better or worse, this guy is indirectly being quoted on Slashdot. Someone called you out, and it's IN PUBLIC now. Linode needs to either admit or rebut some of the claims "ryan" made, above and beyond the mere fact that a Lish compromise happened.

    My monthly emails of the bills only go back to 2007 but I think I've been using Linode since 2004. Not sure. But as

  • http://blog.linode.com/2013/04/16/security-incident-update/ [linode.com] However I'm not knowledgeable enough wrt security to say if it's just damage control or not.
