Linode security email

edited April 2013 in General

Anyone else get this?

Dear Linode customer,

Linode administrators have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.

We have been advised that law enforcement officials are aware of the intrusion into this customer’s systems. We have implemented all appropriate measures to provide the maximum amount of protection to our customers. Out of an abundance of caution, however, we have decided to implement a Linode Manager password reset. In so doing, we have immediately expired all current passwords. You will be prompted to create a new password the next time that you log into the Linode Manager. We also recommend changing your LISH passwords and, if applicable, regenerating your API key.

The following represent best practices in creating new passwords:

Avoid using simple passwords based on dictionary words
Never use the same password on multiple sites or services
Never click on 'reset password' requests in unsolicited emails - instead go directly to the service
We apologize for the inconvenience. If you have any questions, please do not hesitate to contact our support team at [email protected].

+1 to Linode for transparency and honesty.


Comments

  • LeeLee Veteran

    Yup. Sensible I suppose.

  • edited April 2013

    @MannDude said: Anyone else get this?

    Yea.

  • Again? Did they not learn after the bitcoin hack?

  • @superpilesos said: Again? Did they not learn after the bitcoin hack?

    You really can't read, can you?

    @MannDude said: have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.

  • @MrObvious said: You really can't read, can you?

    If they were completely certain that everything was secure, they wouldn't make a password reset.

  • And sometimes it's better to err on the side of caution. Shit like this happens all the time, it's better to just force a password reset than to find out later that half of your shit gets wrecked.

  • jarjar Patron Provider, Top Host, Veteran
    edited April 2013

    If they blocked an "attempt" to access a single client, then issuing password resets was an act of stupidity and not security. This email tells me that the offending person failed, thus the word "attempt" not followed by the word "succeeded."

    So I'm not sure that I'd be quick to call it honest and transparent. That or it is honest and they exercise caution to such a degree that they inconvenience clients for no reason.

  • Linode can't be trusted with passwords.

    What they need is other mechanisms in place, not these silly "Oh we were compromised and now you must jump through hoops theatrics".

  • jarjar Patron Provider, Top Host, Veteran

    Update: http://pastebin.com/raw.php?i=R5kRnxN9
    (I do not believe any information here presents a current security risk)

    Looks potentially legitimate, or could be a well executed hoax. Anyone else like to weigh in? Considering whether I should even be considering pulling my card from Linode and canceling it.

  • @jarland looks legit I'd say, pretty scary stuff.

    Besides the fact that sh*t does happen, I don't like the "covering up" part of it. I'd guess it will all come out as a tactic in working with law enforcement to get the attackers in jail and Linode was asked to play along etc etc... but still.

  • jarjar Patron Provider, Top Host, Veteran

    @unused said: Besides the fact that sh*t does happen, I don't like the "covering up" part of it. I'd guess it will all come out as a tactic in working with law enforcement to get the attackers in jail and Linode was asked to play along etc etc... but still.

    Agreed. Personally, I'd notify my clients first and if what happens second is compromised due to my first action, I'd say "too bad." I don't mean to talk myself up here, I say that I would do this because that is my expectation of others who hold the key to compromising my security. I can't imagine doing less than that.

  • "Thank you for contacting us. We have found no evidence that payment information of any customer was accessed. Although we use a secure non-retrievable method of storing passwords, we have enforced the password reset out of an abundance of caution. For our official announcement, please check the Linode Blog:

    http://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/

    I hope this clears things up. Please let us know if you have any other questions or concerns."

  • Hello,

    Thank you for reaching out. We appreciate and understand your concerns. At this time the evidence suggests that this activity was targeting a specific customer. We are unable to release any additional details regarding this incident at this time, as there is an ongoing investigation.

    We have no comment regarding ryan*'s comments in #linode. You are of course free to take any steps you deem prudent or necessary to ensure the integrity of your online presence.

    I am sorry that we cannot provide more information at this time. As always feel free to contact us at any time with any future concerns.

    Regards,
    Quintin

    https://news.ycombinator.com/item?id=5553094

  • And here something more:
    http://seclists.org/nmap-dev/2013/q2/3

  • yomeroyomero Member
    edited April 2013

    @unused said: Well, there you have it:

    So, after reading that, and wondering how they do automatic charges, if each time that I order something they use the CC numbers, it's one of two things: either the private key doesn't have a password, or the password is always in RAM or something =/

    Or there is another method to apply charges against a card without... using the full number?

    Now I wonder what I should do about my CC info there.

  • If they were smart they would have been using a token system with a payment processor rather than keeping the CC details on file. Boneheaded move really.

  • @FRCorey said: token system

    How does this work?

  • @yomero said: Or there is another method to apply charges against a card without... using the full number?

    I'm thinking the same... don't know much about credit card transactions and such.

    @yomero said: Now I wonder what should I do about my CC info there.

    Consider it out there. Once you'll get a bad charge, get a new card :-)

  • @yomero said: @FRCorey said: token system

    How does this work?

    Basically, the form you fill out with your credit card details posts directly to the credit card processor via SSL, and a token is generated representing the card using a hash of the number, the date of the transaction, and a few other details; that token is what gets put into our database. Then, when it's time for renewal, we present the token along with a password hash to tell the processor to charge the card, and they send us the results.
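    As an added example (not code from this thread or from any provider named in it) of the token scheme FRCorey describes, and of why it answers yomero's question about charging a card without holding the full number: a mock processor keeps the card in its own vault and hands the merchant an opaque random token, so the merchant's database and its renewal job never touch the card number, and a dump of that database yields nothing chargeable elsewhere. The Processor and Merchant classes, the HMAC over the charge request standing in for the "password hash" in the post, and the sample card number are my constructions; the token is issued as a random value rather than a hash of the card number, because a hash over a 16-digit space can be brute-forced.

```python
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card

class Processor:
    """Stands in for the card processor: the only party that ever holds the PAN."""
    def __init__(self, merchant_secrets):
        self.vault = {}                        # token -> (PAN, expiry)
        self.merchant_secrets = merchant_secrets

    def tokenize(self, pan, expiry):
        # Random, opaque token: not derived from the PAN, so a leaked token
        # (or a hash of it) cannot be worked back to the card number.
        token = "tok_" + secrets.token_hex(16)
        self.vault[token] = (pan, expiry)
        return token

    def charge(self, merchant, token, amount_cents, auth):
        # Merchant proves it holds its API secret by MACing the charge request.
        msg = f"{token}:{amount_cents}".encode()
        expected = hmac.new(self.merchant_secrets[merchant].encode(), msg, "sha256").hexdigest()
        if not hmac.compare_digest(expected, auth):
            return False
        return token in self.vault             # a real processor would now debit the card

class Merchant:
    """Hosting provider that bills monthly but never stores the card itself."""
    def __init__(self, name, secret, processor):
        self.name, self.secret, self.processor = name, secret, processor
        self.customers = {}                    # customer -> {"token", "last4"}

    def store_card(self, customer, pan, expiry):
        # Only the processor's token and the last four digits are kept locally.
        token = self.processor.tokenize(pan, expiry)
        self.customers[customer] = {"token": token, "last4": pan[-4:]}

    def renew(self, customer, amount_cents):
        rec = self.customers[customer]
        msg = f"{rec['token']}:{amount_cents}".encode()
        auth = hmac.new(self.secret.encode(), msg, "sha256").hexdigest()
        return self.processor.charge(self.name, rec["token"], amount_cents, auth)

def db_dump_exposes_pan(merchant):
    # True if a raw dump of the merchant's customer table contains the full PAN.
    return any(SAMPLE_PAN in str(rec) for rec in merchant.customers.values())

def demo():
    proc = Processor({"hostco": "merchant-api-secret"})
    shop = Merchant("hostco", "merchant-api-secret", proc)
    shop.store_card("alice", SAMPLE_PAN, "12/15")
    return shop.renew("alice", 2000), db_dump_exposes_pan(shop)
```

Contrast this with yomero's scenario above: a provider that stores encrypted card numbers and charges them automatically must keep the decryption key reachable by the billing job, so whoever controls that host controls the cards.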

  • @mpkossen said: Once you'll get a bad charge

    And I won't get my money back, because I use a debit card

    @FRCorey said: Then when it's time for renewal we present the token along with a password hash to tell the processor to charge the card and they send us the results.

    Interesting things.
    Hopefully that's how they do it or we are f*d...
    I am still wondering why the heck they don't use other payment methods; I don't like sharing my card details with anyone.

  • jarjar Patron Provider, Top Host, Veteran

    This kind of thing right here goes to show you that a large and well funded operation doesn't offer a shred of safety over a competent small operation. Sure, I've made mistakes. Some of them were pretty stupid too. I've learned valuable lessons and applied them. I'm sure every small provider here would say the same.

    But how many of us can afford to hire full time security experts?

    Time for someone at Linode to get fired.

  • @jarland said: Time for someone at Linode to get fired.

    Like the supposed staff guys that knew about these issues and made a deal with that hacking group...

    I am afraid of that day, May 1 :S

  • @jarland said: This kind of thing right here goes to show you that a large and well funded operation doesn't offer a shred of safety over a competent small operation. Sure, I've made mistakes. Some of them were pretty stupid too. I've learned valuable lessons and applied them. I'm sure every small provider here would say the same.

    But how many of us can afford to hire full time security experts?

    Time for someone at Linode to get fired.

    This ++

  • @yomero said: And I won't get my money back, because I use a debit card

    Ouch.

  • If it's a visa debit card you will be protected. I am not sure about other debit cards.
