Linode security email

edited April 2013 in General

Anyone else get this?

Dear Linode customer,

Linode administrators have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.

We have been advised that law enforcement officials are aware of the intrusion into this customer’s systems. We have implemented all appropriate measures to provide the maximum amount of protection to our customers. Out of an abundance of caution, however, we have decided to implement a Linode Manager password reset. In so doing, we have immediately expired all current passwords. You will be prompted to create a new password the next time that you log into the Linode Manager. We also recommend changing your LISH passwords and, if applicable, regenerating your API key.

The following represent best practices in creating new passwords:

Avoid using simple passwords based on dictionary words
Never use the same password on multiple sites or services
Never click on 'reset password' requests in unsolicited emails - instead go directly to the service
We apologize for the inconvenience. If you have any questions, please do not hesitate to contact our support team at [email protected]

+1 to Linode for transparency and honesty.

vpsBoard.com - Now with over 450 members! A friendly community with active discussion. Come join us!

IRC.FREENODE.NET #vpsBoard - Drop by and say, 'Hello'.

Comments

  • Lee Member

    Yup. Sensible I suppose.

  • matt_securedspeed Member, Provider
    edited April 2013

    @MannDude said: Anyone else get this?

    Yea.

    SecuredSpeed - Fast, Affordable, & Reliable VPS Solutions. Gigabit uplinks, SSD's, native IPv4/IPv6, & instant setup.
  • Again? Did they not learn after the bitcoin hack?

  • @superpilesos said: Again? Did they not learn after the bitcoin hack?

    You really can't read can you?

    @MannDude said: have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.

    This is going to be interesting.

  • @MrObvious said: You really can't read can you?

    If they were completely certain that everything was secure, they wouldn't make a password reset.

  • And sometimes it's better to err on the side of caution. Shit like this happens all the time, it's better to just force a password reset than to find out later that half of your shit gets wrecked.

    This is going to be interesting.

  • jarjar Provider
    edited April 2013

    If they blocked an "attempt" to access a single client, then issuing password resets was an act of stupidity and not security. This email tells me that the offending person failed, thus the word "attempt" not followed by the word "succeeded."

    So I'm not sure that I'd be quick to call it honest and transparent. That or it is honest and they exercise caution to such a degree that they inconvenience clients for no reason.

    MagicSpam blackmails providers into buying their software, and ServerHub is a professional spam organization.

  • Linode can't be trusted with passwords.

    What they need is other mechanisms in place, not these silly "Oh we were compromised and now you must jump through hoops theatrics".

  • jarjar Provider

    Update: http://pastebin.com/raw.php?i=R5kRnxN9
    (I do not believe any information here presents a current security risk)

    Looks potentially legitimate, or could be a well executed hoax. Anyone else like to weigh in? Considering whether I should even be considering pulling my card from Linode and canceling it.

  • @jarland looks legit I'd say, pretty scary stuff.

    Besides the fact that sh*t does happen, I don't like the "covering up" part of it. I'd guess it will all come out as a tactic in working with law enforcement to get the attackers in jail and Linode was asked to play along etc etc... but still.

    Retired!

  • jarjar Provider

    @unused said: Besides the fact that sh*t does happen, I don't like the "covering up" part of it. I'd guess it will all come out as a tactic in working with law enforcement to get the attackers in jail and Linode was asked to play along etc etc... but still.

    Agreed. Personally, I'd notify my clients first and if what happens second is compromised due to my first action, I'd say "too bad." I don't mean to talk myself up here, I say that I would do this because that is my expectation of others who hold the key to compromising my security. I can't imagine doing less than that.

  • rrrrrr Member

    Freelance Web designer - I do animated banners, website designs, WordPress themes, WHMCS design integration.

  • "Thank you for contacting us. We have found no evidence that payment information of any customer was accessed. Although we use a secure non-retrievable method of storing passwords, we have enforced the password reset out of an abundance of caution. For our official announcement, please check the Linode Blog:

    http://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/

    I hope this clears things up. Please let us know if you have any other questions or concerns."

  • Hello,

    Thank you for reaching out. We appreciate and understand your concerns. At this time the evidence suggests that this activity was targeting a specific customer. We are unable to release any additional details regarding this incident at this time, as there is an ongoing investigation.

    We have no comment regarding ryan*'s comments in #linode. You are of course free to take any steps you deem prudent or necessary to ensure the integrity of your online presence.

    I am sorry that we cannot provide more information at this time. As always feel free to contact us at any time with any future concerns.

    Regards,
    Quintin

    https://news.ycombinator.com/item?id=5553094

  • And here something more:
    http://seclists.org/nmap-dev/2013/q2/3

  • yomero Member
    edited April 2013

    @unused said: Well, there you have it:

    So, after reading that, and wondering how they do automatic charges: if each time I order something they use the CC numbers, then one of two things holds: either the private key doesn't have a password, or the password is always in RAM or something =/

    Or there is another method to apply charges against a card without... using the full number?

    Now I wonder what should I do about my CC info there.

  • If they were smart they would have been using a token system with a payment processor rather than keeping the CC details on file. Boneheaded move really.

  • @FRCorey said: token system

    How does this work?

  • @yomero said: Or there is another method to apply charges against a card without... using the full number?

    I'm thinking the same... don't know much about credit card transactions and such.

    @yomero said: Now I wonder what should I do about my CC info there.

    Consider it out there. Once you get a bad charge, get a new card :-)

    I recommend Prometeus, the best provider ever!

  • @yomero said: @FRCorey said: token system

    How does this work?

    Basically the form you fill out with your credit card details posts directly to the credit card processor via SSL, and a token is generated representing the card using a hash of the number, date of transaction, and a few other details and that is what gets put into our database. Then when it's time for renewal we present the token along with a password hash to tell the processor to charge the card and they send us the results.

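    To make the tokenization flow FRCorey describes (and yomero's earlier question of how a card can be charged without the merchant holding the full number) concrete, here is an added toy model of it in Python. It is not Linode's, FRCorey's or any processor's code: the `Processor` and `Merchant` classes, the merchant ids, the shared secrets and the test card number are all constructed for the demo. One deliberate difference from the post's description is called out in a comment: the token here is a random value issued by the processor rather than a hash of the card number, because a deterministic hash over the small space of valid card numbers can be brute-forced from a leaked database, whereas a random token cannot be reversed at all. The `pan_in_merchant_db` check shows what a dump of the merchant's own database would expose, and the two failing charges show why a stolen token is useless without the merchant's shared secret and outside the merchant it was issued to.

```python
# Added example (not Linode's or any processor's code): a toy model of the
# card-tokenization flow described above. All names, card numbers and
# secrets below are constructed for the demo.
import hashlib
import hmac
import secrets


class Processor:
    """Stand-in for the card processor. Only this side ever stores a PAN."""

    def __init__(self, merchant_secrets):
        self.merchant_secrets = merchant_secrets  # merchant_id -> shared secret (bytes)
        self.vault = {}                           # token -> (merchant_id, pan, expiry)

    def tokenize(self, merchant_id, pan, expiry):
        # The token is random, so it reveals nothing about the card and cannot
        # be reversed by guessing PANs the way a plain hash of the number could.
        token = "tok_" + secrets.token_hex(16)
        self.vault[token] = (merchant_id, pan, expiry)
        return token, "**** **** **** " + pan[-4:]

    @staticmethod
    def request_mac(secret, merchant_id, token, amount_cents):
        # MAC binding merchant, token and amount: the merchant must hold the
        # shared secret to order a charge, so a leaked token alone is not enough.
        msg = f"{merchant_id}:{token}:{amount_cents}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def charge(self, merchant_id, token, amount_cents, mac):
        secret = self.merchant_secrets.get(merchant_id)
        if secret is None:
            return {"ok": False, "reason": "unknown merchant"}
        expected = self.request_mac(secret, merchant_id, token, amount_cents)
        if not hmac.compare_digest(expected, mac):
            return {"ok": False, "reason": "bad merchant auth"}
        entry = self.vault.get(token)
        # Tokens are scoped to the merchant that created them.
        if entry is None or entry[0] != merchant_id:
            return {"ok": False, "reason": "unknown token"}
        _, pan, _ = entry
        return {"ok": True, "last4": pan[-4:], "amount_cents": amount_cents}


class Merchant:
    """Stand-in for the hosting provider's billing system."""

    def __init__(self, merchant_id, secret, processor):
        self.merchant_id = merchant_id
        self.secret = secret
        self.processor = processor
        self.customers = {}  # customer_id -> (token, masked card); never a PAN

    def save_card(self, customer_id, pan, expiry):
        # In the real flow the customer's browser posts the card straight to
        # the processor and only the token comes back; the PAN never transits
        # the merchant. The direct call here just keeps the example runnable.
        token, masked = self.processor.tokenize(self.merchant_id, pan, expiry)
        self.customers[customer_id] = (token, masked)
        return masked

    def renew(self, customer_id, amount_cents):
        token, _ = self.customers[customer_id]
        mac = Processor.request_mac(self.secret, self.merchant_id, token, amount_cents)
        return self.processor.charge(self.merchant_id, token, amount_cents, mac)


def pan_in_merchant_db(merchant, pan):
    """What someone holding a dump of the merchant database could learn."""
    return any(pan in field for record in merchant.customers.values() for field in record)


def demo():
    # Constructed test values: a standard Visa test PAN and made-up secrets.
    pan = "4111111111111111"
    processor = Processor({"host-a": b"secret-a", "host-b": b"secret-b"})
    host_a = Merchant("host-a", b"secret-a", processor)
    host_b = Merchant("host-b", b"secret-b", processor)

    masked = host_a.save_card("cust-42", pan, "12/27")
    renewal = host_a.renew("cust-42", 2000)

    # A leaked token replayed by a different merchant, or by someone without
    # the merchant secret, is rejected.
    leaked_token, _ = host_a.customers["cust-42"]
    other_mac = Processor.request_mac(host_b.secret, host_b.merchant_id, leaked_token, 2000)
    replay = processor.charge(host_b.merchant_id, leaked_token, 2000, other_mac)
    no_secret = processor.charge("host-a", leaked_token, 2000, "0" * 64)

    return {
        "masked": masked,
        "renewal_ok": renewal["ok"],
        "pan_in_merchant_db": pan_in_merchant_db(host_a, pan),
        "replay_reason": replay["reason"],
        "no_secret_reason": no_secret["reason"],
    }


if __name__ == "__main__":
    print(demo())
```

    Running the module stores only a token and a masked number on the merchant side, renews successfully with the token, and rejects both a replay from another merchant and a charge ordered without the merchant secret. The point for the thread: with this design a dump of the provider's database yields nothing a card issuer would accept, which is exactly the property a stored encrypted card number cannot give once the decryption key is reachable by the same process that does the billing.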
  • @mpkossen said: Once you get a bad charge

    And I won't get my money back, because I use a debit card

    @FRCorey said: Then when it's time for renewal we present the token along with a password hash to tell the processor to charge the card and they send us the results.

    Interesting things.
    Hopefully that's how they do it or we are f*d...
    I am still wondering why the heck they don't use other payment methods, I don't like to share my card details with anyone

  • jarjar Provider

    This kind of thing right here goes to show you that a large and well funded operation doesn't offer a shred of safety over a competent small operation. Sure, I've made mistakes. Some of them were pretty stupid too. I've learned valuable lessons and applied them. I'm sure every small provider here would say the same.

    But how many of us can afford to hire full time security experts?

    Time for someone at Linode to get fired.

  • @jarland said: Time for someone at Linode to get fired.

    Like the supposed staff guys who knew about these issues and made a deal with that hacking group...

    I am afraid of that day May,1 :S

  • @jarland said: This kind of thing right here goes to show you that a large and well funded operation doesn't offer a shred of safety over a competent small operation. Sure, I've made mistakes. Some of them were pretty stupid too. I've learned valuable lessons and applied them. I'm sure every small provider here would say the same.

    But how many of us can afford to hire full time security experts?

    Time for someone at Linode to get fired.

    This ++

  • @yomero said: And I won't get my money back, because I use a debit card

    Ouch.

  • If it's a visa debit card you will be protected. I am not sure about other debit cards.

  • @ShardHost said: If it's a visa debit card you will be protected. I am not sure about other debit cards.

    MasterFag... lol

  • joepie91 Member, Provider

    @jarland said: This kind of thing right here goes to show you that a large and well funded operation doesn't offer a shred of safety over a competent small operation. Sure, I've made mistakes. Some of them were pretty stupid too. I've learned valuable lessons and applied them. I'm sure every small provider here would say the same.

    But how many of us can afford to hire full time security experts?

    Time for someone at Linode to get fired.

    I'd say the biggest problem is not the security, but the lack of transparency about it. They have posted an update to their blog that is clearly intended to be a "full disclosure" kind of thing, yet a fair number of questions have been left unanswered, and nowhere near all the claims of 'ryan' have been responded to by Linode - neither a denial, nor an admission.

  • @ShardHost said: If it's a visa debit card you will be protected. I am not sure about other debit cards.

    MasterCard, too.

    Have peace of mind knowing that the financial institution that issued your MasterCard or Debit MasterCard card won't hold you responsible for "unauthorized purchases." Zero liability applies to purchases made in the store, over the telephone or online. As a cardholder, you will not be held responsible in the event of unauthorized purchases provided that the following conditions are met:

    • Your account is in good standing.
    • You have exercised reasonable care in safeguarding your card from any unauthorized use. Unauthorized use means that you did not provide, directly, by implication or otherwise, the right to use your card and you received no benefit from the "unauthorized" purchase.
    • You have not reported two or more unauthorized events in the past 12 months.
  • @ihatetonyy said: MasterCard, too.

    Hopefully. I've heard bad stories from my bank about unauthorized charges =/
    Thanks for the info
