Linode Hacked, Credit Cards and Passwords Leaked
An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."
Oh FFS (Score:4, Insightful)
Linode hacked again!? Seriously, for the premium they're charging, beefing up security might do well to be added to their to-do list.
Re: (Score:1)
There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in ColdFusion.
Re:Oh FFS (Score:4, Informative)
Besides it looks like the breach was beyond their direct control and was a flaw in ColdFusion.
Except ryan_ in the chatlogs (which you obviously didn't bother to read) stated that Linode has set up their ColdFusion environment in a very insecure way. They apparently don't follow best practices. Not saying ColdFusion isn't shit, but it's still Linode's fault.
Re: (Score:2)
There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in ColdFusion.
It wasn't their fault for using ColdFusion? "Get a server running in seconds with your choice of Linux distro, resources, and node location.
Servers on demand. Support that cares." For all the LINUX YEEHAA!!! you'd think that they could have gone with something else...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
...Linux can't be hacked.
@Anonymous Coward, With this statement alone you lost any and all credibility you might have had.
Almost signed up Friday morning, too... (Score:1)
Re: (Score:3, Funny)
Dreamhost
Out of the frying pan...
Well, at least Dreamhost is pretty open about when they fuck up.
Re: (Score:2)
Re: (Score:1)
Random downtime once or twice a year. Must be a real serious business web site. What a recommendation!
Re: (Score:2)
Wait you'd continue using a host that gives you horrific service?
I hope guaranteed support times were in the deal.
Re: (Score:2)
Dunno about their VPS service but for a few months* we were using a dedicated server from them for raspbian and we had "fun" with it. It seems they have some management crap installed and if you try and customise the server (specifically in our case we wanted nginx rather than apache) it's easy to break it and render the machine unable to boot and bring up networking. Dreamhost support were able to bring the machine up manually but the only fix they could offer was a reimage (which we declined).
Amusingly we
Re: (Score:2)
I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost wooed me with a better deal. Geez.
If you don't mind my asking, who were your top candidates, besides Linode? Did any service really impress, in terms of security and stability?
OVH.ca (Score:2)
Fuck VPS when you can get an i3/8GB server for 39 Canadian.
Re: (Score:1)
Sounded promising, until I noticed they do something very suspicious with their IP routing where ICMP (and UDP-based too!) traceroute, as well as classic ICMP ping, get dropped even before making it to the border of their network. I tested this from two different connections: a Comcast residential connection in northern California (gets to San Jose California then gets dropped), and an ARP Networks VPS in southern California (doesn't even get to hop 2). Neither of the two providers I listed off filter ICM
Re: (Score:2)
Lots of providers block ICMP these days. I think it's a dumb practice, because nobody even tries to use ICMP for DDoS attacks anymore, and there are much more effective ways of taking out a host. Some hosts block ICMP because they actually believe doing so is equivalent to some kind of "cloaking" practice, which is worse from the perspective of trusting the host to know the first thing about security.
All this said, trusting ICMP for server monitoring over anything more than a LAN is a questionable practice
Re: (Score:2)
No, it's not awful advice, but your advice is pretty bad. MTR is a great tool for certain situations, most notably internal troubleshooting as an initial sanity check, but it frequently fails to provide meaningful insights into issues beyond many local networks for exactly the reasons I outlined above. Attempting to appeal to your experience here fails, as mine exceeds yours.
If you're not monitoring services and you don't have access to internal stats for the server (frequently VM these days) hosting the se
Some more details (Score:5, Informative)
Some details that people have been able to find so far.
1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html [adobe.com]
2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html [linode.com]
3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3 [seclists.org]
4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.
Re: (Score:2)
4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.
Yeah all I saw was this:
05:42 [that ryan guy] credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security
Though I've been unable to find any specific proof regarding CC#'s. A directory listing for a management console doesn't worry me so much as being able to decrypt cc's.
I guess people will have to wait to hear from Linode.
Re: (Score:1)
Capital One - not in my wallet! (Score:4, Informative)
Re: (Score:1)
My card was just compromised last night. For the second time. I'm fairly sure the culprit is the local sushi establishment's website. Both times I was compromised happened shortly after I used their site. And once when I had just gotten the new card I accidentally entered in the wrong information and they had to call. That time there was no compromise. (Also some of the charges were for businesses local to me.)
Mine was an AMEX card. The first time it happened Amazon called me to confirm and I found out that
Re: (Score:2)
You need to dump your CC company and get a new one.
My CC has been compromised several times, once for over $3k (plus foreign transaction fees). Every time, my CC company has cancelled every penny of the charges.
I think the source of the compromise was a local gas station that has old pumps that I believe are vulnerable to skimmer installation. Haven't had a problem since I stopped using that gas station.
Re: (Score:3)
Have to give props to AMEX here. While traveling for a living I apparently got my card skimmed shortly before a flight home Friday. They called me at my connecting airport, we discussed which charges were mine and which weren't. They canceled my card and had a replacement card ready to pick up within a few miles of my house on Saturday so when I flew out Sunday night I had my new card for the rental car and hotel. (It was a corporate card; I don't know if that makes a difference.) I was briefly concerned when
Re: (Score:2)
Switch to Chase, they're very good about this. Recently, someone got hold of my CC# and was trying to buy gas with it several states away. They emailed me immediately, and I saw this notification within minutes and called them up. They went over recent charges with me, marked them as fraudulent, then asked me if I saw any other suspicious charges (I spotted one other from 2 weeks before), which they also immediately flagged. Then they closed out the card and sent me new cards via overnight courier, and
Re: (Score:1)
So-called "Cloud" still not trustworthy (Score:2)
There has to come a point in time where the law holds online providers responsible. Security is a process, not a product. It should be law that ALL companies must audit their code and processes at least twice a year. Look at OpenBSD, for example. Yes, it's an operating system, but they have the almost perfect record they have because of audits. Banks have audits. Companies fall under audit regulations. NIST 800-53 needs to be required of every company doing business on the Internet that holds or processes p
Re: (Score:3)
Are you willing to pay higher fees to have that auditing done? What I have seen is that when given a choice a customer chooses the lowest cost option no matter what. They won't pay for security audits and that means if someone else is willing to give up on security they can charge less and you will lose the business.
point: example for Regulation (Score:2)
If you regulate an industry, ALL must do it. There is no cheap alternative because it is mandatory. The free market isn't going to do it because taking the risk is worth pennies to most consumers who are NOT thinking of all the potential risks involved if they even are aware of a couple of the long list of risks.
Making people do something across the board always raises BS opposition, but when it is applied uniformly (it usually is) there is no impact on the market (because the added costs are usually too
Re: (Score:2)
If you regulate an industry, ALL must do it.
Not very familiar with the services section of craigslist or the spousal-support taxless gray market cash economy, I see.
Re: (Score:2)
Simply because somebody breaks the law is not an argument for not having any law in the first place. Now for drugs... a HUGE number of people break the laws and if this were a democracy the representatives would reflect the citizens better.
Most transactions are within the regulated systems and it is not a big deal until a significant number of transactions happen. You do realize food labels were a heavily fought battle or pollution??
Re: (Score:2)
That is what I actually like about engineering. It is a regulated field and you can't just go somewhere else to get something underbid. It is one of the many reasons I am getting out of regular programming. Customers will try to have one part of a project done very cheaply by someone in another country but then when it breaks or never works to begin with they want someone here to fix it but they also want it to be super cheap because that other company in India was able to do it for almost nothing. Programm
Hashes aren't passwords (unless they're DES) (Score:2, Informative)
TFS: "hashes of passwords leaked"
That's a HUGE difference. Proper hashes of proper passwords may as well be public. It'd take billions of years to crack them. Unless of course Linode is still living in 1972 and using DES hashes, which may as well be plain text.
Linode, if you WERE using DES hashes, call me. We have some work to do on your systems. The people who designed your systems clearly aren't knowledgeable enough in security that they can be trusted to fix the p
Re: (Score:2)
Re: (Score:2)
$5$NhJlA5yUIk62$CC6DlreELmUVwagQqpPsEcZQoihQTCYklQz8y1me/p6
Re: (Score:2)
Password123
Re: (Score:1)
Yes, nobody ever cracks hashes.
http://contest-2012.korelogic.com/stats.html [korelogic.com]
http://threatpost.ca/en_us/blogs/anatomy-lulzsec-attack-singles-out-web-20-weakness-052312 [threatpost.ca]
http://franx47.wordpress.com/2013/01/31/using-hashcat-to-crack-hash-password/ [wordpress.com]
Bottom line: people pick useless passwords. The time required to brute force a hash given that you have a significant number of hashes to play with is sadly trivial. The various DEF CON contests are proof of this.
Until users start using random passwords, you don't wan
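The point made in this sub-thread (a good hash protects a good password, but a dictionary pass over a leaked hash set recovers the "Password123"-style ones in no time) as an added defender-side password audit; this is example code written for this page, not Linode's code, and the PBKDF2 store, the user list and the wordlist are all constructed here so it runs offline.

```python
import hashlib
import os
import secrets
from typing import Dict, Iterable, Set, Tuple

# Constructed, deliberately small password store: username -> (salt, hash).
# The scheme (PBKDF2-HMAC-SHA256, per-user random salt) is an assumption made
# for the demo, not what any real provider uses.
ITERATIONS = 1000  # kept low on purpose so the audit runs quickly

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the sample store from plaintext passwords (constructed test data)."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store

def candidates(wordlist: Iterable[str]) -> Iterable[str]:
    """Yield each dictionary word plus the obvious manglings users apply."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        for suffix in ("1", "123", "!"):
            yield w + suffix
            yield w.capitalize() + suffix

def audit(store: Dict[str, Tuple[bytes, bytes]], wordlist: Iterable[str]) -> Set[str]:
    """Return the usernames whose password is in the (mangled) dictionary.
    Because every user has their own salt, each user costs a full pass over
    the candidates; an unsalted store would fall in a single pass."""
    weak = set()
    for user, (salt, digest) in store.items():
        for guess in candidates(wordlist):
            if hash_password(guess, salt) == digest:
                weak.add(user)
                break
    return weak

SAMPLE_USERS = {
    "alice": "Password123",              # dictionary word + common suffix
    "bob": "letmein!",                   # dictionary word + common suffix
    "carol": secrets.token_urlsafe(16),  # random: must not be flagged
}
SAMPLE_WORDLIST = ["password", "letmein", "qwerty", "linode"]
SAMPLE_STORE = make_store(SAMPLE_USERS)

if __name__ == "__main__":
    print("accounts with weak passwords:", sorted(audit(SAMPLE_STORE, SAMPLE_WORDLIST)))
```

Run against a real store, the same routine tells you which accounts to force-reset first after a leak; the random password survives the pass regardless of how many hashes the attacker holds.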
No but the LISH passwords are stored in plain text (Score:2)
According to the linked chat log Linode is storing the lish passwords in plain text!!
I'd suggest you at least change your lish password...
This saddens me a lot, I had much more faith in Linode, and it makes me look like a fool for recently recommending them to others.
I really wish Linode would come forward with the whole facts on this saga, and let us users know what has really been exposed/compromised.
Source? (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Seriously, what's Linode? (Score:3, Insightful)
What is Linode? Would it kill an editor to include that in TFS?
Coincidence... or not. (Score:3)
Over the weekend, I got a lot of spurious charges on the credit card I use for my Linode account. Charges from several different countries, for various amounts that looked like automated "is this card valid?" type probes. The bank shut it down, but not before I got paged a bunch of times.
Then again, the odds are just as good that a waiter at some restaurant uploaded my number to some IRC channel to get back at me for my guest's order being too complicated or something.
Re: (Score:1)
Yeah, it's probably the Linode leak. Same thing happened to me.
Re: (Score:2)
My card doesn't appear to have any charges on it. I've sought a new card number anyway. Linode hasn't responded squarely to the allegations in the IRC logs that the decryption/encryption keys to credit cards were stored insecurely.
#linode is now +m (Score:1)
A bit of comment would be nice...
We need a better statement from Linode (Score:1)
I got the email. It's not enough.
I realize that nobody can or should waste their breath every time someone runs their mouth off on IRC. But for better or worse, this guy is indirectly being quoted on Slashdot. Someone called you out, and it's IN PUBLIC now. Linode needs to either admit or rebut some of the claims "ryan" made, above and beyond the mere fact that a Lish compromise happened.
My monthly emails of the bills only go back to 2007 but I think I've been using Linode since 2004. Not sure. But as
Statement from Linode (Score:2)
Re: (Score:1)
A raw amount doesn't mean much. What PERCENT of your income did you pay in taxes?
Re: (Score:1)
A raw amount doesn't mean much. What PERCENT of your income did you pay in taxes?
Or even better, how much cash does he have to live on after paying taxes?
Re: (Score:3, Informative)
ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.
Re: (Score:2, Insightful)
ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.
Your friends at Adobe published a lockdown guide that Linode ignored and patched this exploit months ago (also ignored by Linode). Adobe has done their part, but they can't force admins to secure their servers properly and install patches.
Re: (Score:1)
Yeah, and there's nothing stopping Linode from dropping a product that insecure. It hasn't stopped any of us.
Try and apologize it away all you want but they're at fault here as well.
Re: (Score:1)
Oh, I'm not defending Linode. I'm simply pointing out that ColdFusion is not an inherently insecure product. I've used it for over a decade with no issue. Linode neglected to follow best practices and they also failed to stay patched. You can't blame Adobe for either of those. Why drop a productive platform when all you need is to configure correctly and stay patched? Of course, their crypto snafus are also equally damning. If this is how they wrote their CFML, imagine what they'd do with PHP.
Re: (Score:3)
Why drop a productive platform when all you need is to configure correctly and stay patched?
Good question. What does it have to do with this case? They're using ColdFusion.