Slashdot Mirror


WordPress Hacked, Attackers Get Root Access

An anonymous reader writes "A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'"

168 comments

  1. the cloud by stoolpigeon · · Score: 5, Insightful

    and that's why I don't want everything in the cloud.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:the cloud by doconnor · · Score: 1

      Why do you think keeping data on your own computers makes it more secure? Big break-ins make news, but that doesn't mean they are the most common.

    2. Re:the cloud by Touvan · · Score: 0

      Or stored on anything connected to the net at all? Do you really think most people's personal computing equipment (including - maybe especially - their smart phones) is more secure than a cloud service?

      If I were betting on which, as a class of internet connected storage - cloud services, or personal hardware - is more secure, I'd bet on cloud services.

    3. Re:the cloud by iluvcapra · · Score: 2

      "Keep webservers off the cloud!" is a strange rallying cry.

      --
      Don't blame me, I voted for Baltar.
    4. Re:the cloud by dominious · · Score: 2

      huh? wordpress is "cloud" ? From the site: "WordPress is web software you can use to create a beautiful website or blog"

    5. Re:the cloud by Anonymous Coward · · Score: 1

      This isn't an exploit for Wordpress itself, it's the Wordpress.com site getting hacked. This headline seems to be more attention-grabbing than it should be.

    6. Re:the cloud by zill · · Score: 4, Insightful

      Care to point out how "the cloud" is involved in this case? Nowhere in the summary or TFA does it mention that the compromised servers were cloud-based.

    7. Re:the cloud by postbigbang · · Score: 0, Troll

      And once again, the importance of data security and professionalism means you protect whatever, wherever, to the same high standard.

      Your suggestion that you don't want to have anything in the cloud is moronic. Most of what you do is on the Internet. The Internet is the cloud. Wordpress is hosted, just like this site. With luck, the venerable staff hosting this stuff has been responsible enough to protect us. If not, we'll be upset.

      --
      ---- Teach Peace. It's Cheaper Than War.
    8. Re:the cloud by lennier1 · · Score: 5, Informative

      wordpress.COM is a hosting service which offers Wordpress blog setups out-of-the-box.
      wordpress.ORG is where the software itself is published.

    9. Re:the cloud by Zapotek · · Score: 4, Insightful

      Isn't it obvious? Because the impact of hacking a server containing data from thousands of users is FAR greater than hacking a single desktop.
      That's why the parent is right.

    10. Re:the cloud by Anonymous Coward · · Score: 2, Insightful

      Oblig. http://xkcd.com/538/

      In short... It's more secure because nobody cares about his private data, and even if some hacker did care about his data specifically, whether or not it is on his own computer makes no difference.

      On a large system, such as WordPress, each individual user's data is of insignificant value, but the whole of it may have some value.

      It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

    11. Re:the cloud by Anonymous Coward · · Score: 0

      Everything that has an internet connection nowadays is being called "in the cloud".
      Do you know your PC is now at this very moment connected to the slashdot cloud? Heck even I'm in the cloud. Although that is the cloud of smoke for me ;)

    12. Re:the cloud by Anonymous Coward · · Score: 4, Insightful

      It does seem that "the cloud" simply means, to most people, "storage and apps on the web". With that common definition I'd have a hard time seeing how it wasn't cloud based. In fact, that's probably why they were hacked. The hackers were looking for that silver lining that every cloud has.

    13. Re:the cloud by John+Hasler · · Score: 1

      It doesn't follow that the impact on any one user is greater, though.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    14. Re:the cloud by bongey · · Score: 0

      For a good technical person yes, for the average person no. The safeguards, intrusion detection, and dedicated people to monitor a server make it easy to know if something went wrong. At the school I went to, a tier 1 school, someone in alumni relations decided to store credit card numbers/SSNs for the entire school in an Excel spreadsheet. The machine was botnetted, someone malicious got hold of the file and went on a spending spree. My parents almost got hosed; someone attempted to purchase 6k in computers, but my parents didn't have the funds so it bounced. Only when the bank came calling that their purchase of new computers didn't go through did we find out. It was pretty clear on the attempted purchase that it was linked to the school; it said "XXXX University", along with the address of the school. The school never disclosed the breach; only because I had connections in the IT groups did I find out. It was some intern that had put it on her desktop in the alumni relations office.

    15. Re:the cloud by unity100 · · Score: 1

      precisely.

    16. Re:the cloud by icebraining · · Score: 3, Insightful

      But it makes it far more probable.

    17. Re:the cloud by Anonymous Coward · · Score: 0

      It doesn't follow that the impact on any one user is greater, though.

      It hurts your odds when the target is higher-profile and higher value, and therefore more tempting.

    18. Re:the cloud by stoolpigeon · · Score: 5, Insightful

      I never said I didn't want "anything" in the cloud. In fact the word I used was "everything". I also placed that word in italics to emphasize that I meant some things I would rather maintain on my own machines, but not all things.

      One of us has rather poor reading skills. That may be the one that is "moronic".

      Furthermore, you have no idea what I do or where most of it takes place. To assert that you do is, well, rather short sighted. One might almost be inclined to say moronic.

      And to decide that the security of one's data is properly handled should be a matter of luck. There has to be a good word for that view, let me think on it a bit and I'm sure it will come to me.

      Oh, and if being called moronic makes you feel bothered at all, I'd recommend keeping that in mind when you throw the word at others. I'm no rocket scientist but that kind of slur really isn't called for.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    19. Re:the cloud by lymond01 · · Score: 2

      "If not, we'll be upset."

      And that's all you will be. Free hosted services have no service agreement, no liability, no enforced responsibility to secure or protect your data.

      Until hosted services need to compensate you for their screwups, many places would prefer to handle their data in house (where they can fire people).

    20. Re:the cloud by Anonymous Coward · · Score: 0

      I hate the term "cloud". It makes it sound like something new and special.

      Give me a hard drive that erases itself.

    21. Re:the cloud by OakDragon · · Score: 1

      It's slower, but so much safer: Google Classic

    22. Re:the cloud by postbigbang · · Score: 2

      I stand by my description.

      To look at "cloud" in any way that's different than any system on any network, including the network, is to bash the people that do hard work to protect online public and private resources.

      You can store locally, but your use of the Internet is global, and differentiation with "cloud resources" is to damn professionals and not put the blame where it's due: sysadmins at Wordpress that need a really good spanking.

      --
      ---- Teach Peace. It's Cheaper Than War.
    23. Re:the cloud by petteyg359 · · Score: 0

      Your suggestion that you don't want to have anything in the cloud is moronic. Most of what you do is on the Internet. The Internet is the cloud.

      Your usage of the common ignorant fool's definition of "cloud" is moronic.

    24. Re:the cloud by Anonymous Coward · · Score: 0

      Your logic: banks get robbed at a rate of something like 25 armed robberies a day in the US, so don't keep cash with banks. Might work for some.

    25. Re:the cloud by postbigbang · · Score: 1

      No, that's not really true. There are serious sysadmins out there that take it seriously. Whether FOSS volunteers or paid people, people are supposed to take this seriously. There are consequences, both legal liability and criminal.

      It's fine to keep data on your own host in your own data center with your own firewall and your own ass covered. Disconnect. Or try and raise the standard.

      --
      ---- Teach Peace. It's Cheaper Than War.
    26. Re:the cloud by postbigbang · · Score: 1

      I heard of one of those recently. Save you from having to smash it with a hammer.

      --
      ---- Teach Peace. It's Cheaper Than War.
    27. Re:the cloud by xystren · · Score: 2

      It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

      It is more efficient to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

      Fixed it for ya. The number of users doesn't make it easier, it just makes the potential return on the effort more significant.

    28. Re:the cloud by postbigbang · · Score: 1

      Ok, chump, since you want to continue the disinformation. I have cloud resources at AWS, Rackspace, GoGrid, and a lot of 'cloud' providers.

      What are you computing on? Do you know if it's hosted at an MSP/ISP? Unlikely-- save for the hosts that you personally know of.

      Wordpress by one definition, is in the cloud. Most hosted stuff can be considered cloud. Cloud is nebulous. Cloud is SaaS. Cloud is raw VMs on the hoof. Cloud are 100 instances that I can spin up in about 30sec.

      So fuck off about your definition of the cloud, because the cloud is completely nebulous-- representing hosted services. You must be in marketing.

      --
      ---- Teach Peace. It's Cheaper Than War.
    29. Re:the cloud by element-o.p. · · Score: 1

      But even if it is harder to break into a cloud service, the reward:effort ratio is much, MUCH higher for the cloud service.

      Break into Joe Luser's home PC, and you get his porn collection, the e-mail addresses in his address book, and *maybe* the user names and passwords to get into his financial accounts. Repeat for a sufficiently large number of home PCs and you might have something of value...if you don't get caught first.

      Break into facebook/wordpress/$RANDOM_CLOUD_SERVICE and you get that information for *EVERY USER ON THAT SERVICE*...and you only had to get root access on one host.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    30. Re:the cloud by Tetsujin · · Score: 1

      Why do you think keeping data on your own computers makes it more secure? Big break-ins make news, but that doesn't mean they are the most common.

      The distinction here is if you maintain your own data on your own system, you're (probably) a small target. Aggregating a large number of small targets onto a single site makes that site a big target.

      --
      Bow-ties are cool.
    31. Re:the cloud by Touvan · · Score: 1

      > But even if it is harder to break into a cloud service, the reward:effort ratio is much, MUCH higher for the cloud service.

      That's a darn good point.

    32. Re:the cloud by Cwix · · Score: 1

      You were wrong, you read his post badly. Perhaps you just wanted somewhere to place your opinion. Start a new post in that situation.

      --
      You are entitled to your own opinions, not your own facts.
    33. Re:the cloud by Skuld-Chan · · Score: 1

      So your solution to keeping websites from being hacked is to store the website at home on your desktop pc?

    34. Re:the cloud by oneofthose · · Score: 1

      Exactly. Put most of your stuff on a freedom box.

    35. Re:the cloud by larry+bagina · · Score: 1, Troll

      huh? wordpress is "cloud" ? From the site: "WordPress is web software you can use to create a beautiful website or blog"

      I'm going to need a citation on the beautiful part.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    36. Re:the cloud by Anonymous Coward · · Score: 0

      Actually, it does.

      If you are in the market to buy/sell information, it's much more attractive to have a huge bundle of thousands of users' information than individual information. That makes it not only more probable that an individual will get burnt THAT way (as opposed to targeted as an individual), but it makes the value of the breach higher, and therefore more likely that it will then disseminate and be used.

    37. Re:the cloud by pasv · · Score: 2

      Try reliably exploiting thousands of browsers on several different platforms and different environments to get at info. Or just send one well crafted email to a low-level employee of a company that controls the targeted information on a cloud and start a spear phishing campaign. Hrm.. Which is harder to do?

    38. Re:the cloud by geekmux · · Score: 1

      Isn't it obvious? Because the impact of hacking a server containing data from thousands of users is FAR greater than hacking a single desktop. That's why the parent is right.

      The collective computing (and bargaining) power of several thousand computers is FAR greater than a single server, hence the proliferation of botnets.

      This is why BOTH of you are right, and why the ONLY safe place for ANY of your personal information is wrapped nicely in strong crypto.

    39. Re:the cloud by Anonymous Coward · · Score: 0

      You misunderstood the parent's post and then made a spiteful reply. You may consider an apology; it certainly wouldn't hurt.

    40. Re:the cloud by dotfile · · Score: 1

      I wouldn't say my machine is more secure than that of WordPress -- although, since theirs has been compromised and mine has not, I guess that's open for debate. One big difference is, I know what and where my vulnerabilities are, and I have my fingers in there daily so I'll know pretty quickly if and when someone breaks in. When hosting stuff on Other Peoples' Servers, you never really know for sure if they are secure, how secure they are, etc. Until you find out the hard way, of course.

      As for my actual sensitive data, the stuff that would actually be inconvenient to have someone else see... yes, keeping it on my own system makes it more secure, for a number of reasons. None of which I'm ever likely to discuss.

    41. Re:the cloud by dhavleak · · Score: 1

      The impact is the same -- your data is pwned. The incentive for an attacker to go after cloud storage is greater (many people's data vs. 1 person's data). Therefore, the odds of a targeted attack are vastly higher for a cloud service.

    42. Re:the cloud by Fjandr · · Score: 2

      Nowhere in that response is an objection to your description of what "cloud" means. In fact, it seems as though the post implicitly agrees with your definition.

      What it does say is that your claim of "Your suggestion that you don't want to have anything in the cloud is moronic." is entirely incorrect. Which it is.

    43. Re:the cloud by Anonymous Coward · · Score: 0

      Guys, you are arguing on slashdot on the internet. That's retarded hypocube.

    44. Re:the cloud by Anonymous Coward · · Score: 0

      Yep. I run my web site from a server sitting in my house. My broadband connection is plenty fast enough and I have a lot more confidence in my ability to lock down a system than any of these companies/organizations run by idiots.

    45. Re:the cloud by Anonymous Coward · · Score: 0

      That's what most TFAs linked in /. seem to do.

    46. Re:the cloud by jd · · Score: 2

      Ah, that's a good question. In theory, central servers will have better security than Joe Average will know how to install. In practice, N times as many users will make the target f(N) times as inviting (where f() depends on who is doing the evaluating). This means that it is f(N) times as likely to be attacked by a human but equally likely to be attacked by zombies, worms and maybe the occasional vampire, since those won't care about N or f().

      If you are concerned about human crackers, then f(N) becomes the dominant factor and your server has to be f(N) times as secure in order to maintain the same equivalent risk per person. (More attackers x more attention per attacker != Comfy Sofa.)

      If you are concerned about the total number of attacks, then f(N) will never become significant in comparison to the automatic attacks. Since security has risen by more than the total number of attacks, the risk per person goes down.

      Both of these ways of looking at the problem are valid, but they are also dependent on context. Automatic attacks against a hardened Linux box, OpenBSD or VMS are unlikely to succeed. I'd be much more worried about human attackers against those. Windows boxes, on the other hand, are harder to secure well and the total number of attacks rather than the potential haul for a successful break-in becomes important.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    47. Re:the cloud by PopeRatzo · · Score: 1

      Why do you think keeping data on your own computers makes it more secure?

      Well, I can pull the ethernet plug out whenever I want, for one thing.

      Two of my busiest computers aren't even connected to the Internet except during rare occasions, during which most of my important storage is not exposed because I pulled those plugs, too.

      I trust myself more than I do a bunch of people I don't know, "in the cloud". And if I screw up, I know who to blame.

      --
      You are welcome on my lawn.
    48. Re:the cloud by WrongSizeGlass · · Score: 1

      Care to point out how "the cloud" is involved in this case?

      Clearly the security admin's head was in the clouds ... I mean, where else could it have been? ;-)

    49. Re:the cloud by Skuld-Chan · · Score: 1

      Which makes your home pc a cloud server...

    50. Re:the cloud by Anonymous Coward · · Score: 0

      Did you actually RTFA?!

    51. Re:the cloud by jd · · Score: 1

      Yes, for human attackers (who are the biggest threat in data theft for the time being, but expect zombies to get better at it). An automatic attack can't tell if a.b.c.d has one user or a million, it's just an IP address that the code will scan and attack if it has the script for it.

      Also, if the increase in security exceeds the increase in temptation, you're better off aggregating. Which means, however, that there's a practical limit to how far you should ever aggregate (since the practical limit on how secure a system can get is equal to the security you can buy for how much you stand to lose on average per break-in). If it costs $D per break-in per year, but also costs $D per year to prevent a break-in, a company will put the money in the bank. Always. The interest rate, no matter how low, will always make screwing the user over the better deal for them - even if the cost of cleaning up the mess afterwards by those users and other organizations swamps the costs of improving the security. It isn't their money.

      When you push data into the cloud, you're hoping that the company at the other end did NOT put the money in the bank but actually invested it in security fixes and audits. (If using code they can audit, that would include code audits as well.) With the cloud, and even with gridded systems, you cannot possibly know what the other person did. This enters the realm of the Prisoner's Dilemma (quote from Wikipedia: 'In this game, as in most game theory, the only concern of each individual player (prisoner) is maximizing his or her own payoff, without any concern for the other player's payoff'). And game theory suggests that "betrayal" (in this case, the cloud provider not investing in security proportionally to the increase in risk) is the most likely outcome.

      The cloud users are unlikely to be too bothered by this, because of a perversity in economics - when something becomes a status symbol, it grossly inflates in value. The fashion world, and apparently British universities, rely heavily on this. All the normal "common sense" aspects of economics go to hell in a handbasket, the Invisible Hand gets roaring drunk and you end up with a complete mess.

      This is one reason I am for (appropriate) oversight and regulation. When it is appropriate (has such a thing ever happened?) the individual player's payoff becomes tied to the payoff of the others such that the whole Prisoner's Dilemma argument doesn't hold. Likewise, it has to keep enough market flexibility that no option becomes so overwhelmingly attractive that it destroys the market it is in. However, too far over that threshold and the regulations themselves destroy the markets. And since nobody has a bloody clue what the threshold even looks like, let alone where it is or how they'd know it if they found it, we end up with companies that resemble a trampoline QA facility.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    52. Re:the cloud by postbigbang · · Score: 1

      "and that's why I don't want everything in the cloud." (italics not preserved).

      I go on to equate most all external activities with "the cloud", the cloud being a nebulous term for most things online. You can divide them into categorical definitions the size of an enormous post.

      Let's use some simple exclusionary math here, and damn the passive-aggressive italics. My reply is that the cloud deserves the same responsible behavior that your own machine does, or any system-- the same high standard. People were asleep at Wordpress. So damn the cloud, which is more or less everything past your router, is to assert that the whole freaking Internet is some sort of sinking ship, which amazingly, it is not. It's riddled with holes, and irresponsible people, just like a highway you might drive down tonight.

      The current implication that somehow "cloud" is unsafe is like damning the highway, because there might be drunk drivers there. I hate to use automotive analogies, but the implication that "the cloud" is some sort of homogenous thing that can be good or bad is beyond comprehension. It's like saying New York is a bad place because people get mugged there. Using one focal point, a Wordpress outage, to vilify "the cloud" is horseshit of the highest smell.

      --
      ---- Teach Peace. It's Cheaper Than War.
    53. Re:the cloud by Darinbob · · Score: 1

      I know a place where no one's lost,
      I know a place where no one cries,
      Crying at all is not allowed,
      Not in my castle on a cloud.

    54. Re:the cloud by Anonymous Coward · · Score: 0

      And once again, the importance of data security and professionalism means you protect whatever, wherever, to the same high standard.

      Your suggestion that you don't want to have anything in the cloud is moronic. Most of what you do is on the Internet. The Internet is the cloud. Wordpress is hosted, just like this site. With luck, the venerable staff hosting this stuff has been responsible enough to protect us. If not, we'll be upset.

      That's a poor design. Someone should fix it.

      The idea that my data needs to live somewhere else is a broken concept. I know that running an HTTP server and installing WordPress or whatever is far too much to ask for most people. There should be software and protocols that make serving your own data easy (likely involving mirrors of your "web sites" on other computers).

    55. Re:the cloud by Anonymous Coward · · Score: 0

      Um, because I wouldn't run Wordpress on my own computer? wordpress.com's biggest problem is that they eat their own dog food.

    56. Re:the cloud by postbigbang · · Score: 1

      Ok. Let's let it live somewhere close to you. Let's say your hard drive.

      Perchance is it on Windows 2008R2? Do you have the current stack of 228 updates and fixes installed?

      Maybe it's Linux on SUSE 11. Did you do the 51 kernel updates? How about the other apps?

      Is your router up to date? Cisco? Extreme? F5? Updated? Not using a firewall, are you--- silly to imagine that there are secure perimeters.

      Watching all of the traffic on your backbone and local nets for interesting destinations to say, Rumania? Have any Gabon destinations recently?

      I like the concept of mirrored data. I'm backed up as of last night. My NOC has a backup. You can kill my email host, my web host, and I'll be up in about an hour, less if I have coffee nearby. But it's not foolproof. Nor is hosted data. That's why diligence is needed everywhere you compute, from the phone in your pocket up to your fattest cluster.

      Was Wordpress bad? Yes. More onerous is that there's someone out there that needs to find himself/herself in front of a judge having a very bad day.

      --
      ---- Teach Peace. It's Cheaper Than War.
    57. Re:the cloud by Sloppy · · Score: 1

      Why do you think keeping data on your own computers makes it more secure?

      Because SUCK is not a rigid requirement of my own computers, handed down by some PHB without regard for what the poor bastard engineer guys think about it. I don't have any conflicts where I need to put other parties' interests above the user (me).

      For example, I don't ever even think about going to extra trouble to make my computers less secure, in order to make them "CALEA compliant." I don't ever even think about implementing a denial-of-service attack against myself, just because someone in billing says my account is overdue. I don't ever even think about making sure my intranet sites bring in all kinds of weird extra javascript for Google Analytics or Comscore tracking.

      These things don't mean that a user's own computers will be better than a commercial service provider's, but the user is going into the situation with a tremendous comparative advantage.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    58. Re:the cloud by kiore · · Score: 1

      You must be new here. This is Slashdot, people don't read the articles before posting.

    59. Re:the cloud by rusl · · Score: 1

      It doesn't follow that the impact on any one user is greater, though.

      So??? Are you an atomic superman not impacted by society or other people!? Seriously, this individualist free market ideology is pretty far-flung now. Now we think that it's OK if all those around us have problems as long as we don't? Ever trade goods much? No job?

      --
      Stupidity is its own reward.
    60. Re:the cloud by PNutts · · Score: 1

      Give me a hard drive that erases itself.

      I'll run down to Fry's and pick you up a Seagate.

    61. Re:the cloud by exomondo · · Score: 1

      I wouldn't say my machine is more secure than that of WordPress -- although, since theirs has been compromised and mine has not, I guess that's open for debate. One big difference is, I know what and where my vulnerabilities are, and I have my fingers in there daily so I'll know pretty quickly if and when someone breaks in. When hosting stuff on Other Peoples' Servers, you never really know for sure if they are secure, how secure they are, etc. Until you find out the hard way, of course.

      Not to mention they have a myriad of processes so going through and exploiting just one of those through social engineering will probably net you something. On my system no-one else needs access to it, whereas 'cloud' businesses are built on many people having access to the system so naturally that's an easier social engineering target.

    62. Re:the cloud by Anonymous Coward · · Score: 0

      No, it does not.

    63. Re:the cloud by sjames · · Score: 1

      The rewards for hacking thousands of sites in one go are much greater than the rewards of hacking a single user site. For that reason, the big site will be the one facing the most attacks by the most sophisticated black hats.

    64. Re:the cloud by Anonymous Coward · · Score: 0

      No, it only makes it a "cloud" server for remote users. For me it's a local machine.

    65. Re:the cloud by AmiMoJo · · Score: 1

      Blah blah blah, cloud or not what are we going to do about this sort of thing?

      I think we now have to assume that any data stored in the cloud is vulnerable. How do you protect it while still allowing it to be accessed anywhere by humans and applications?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    66. Re:the cloud by Fjandr · · Score: 1

      Unsafe for everything no. Unsafe for some things, yes. At least, much more unsafe than other alternatives which are not cloud-based. All things are relative, and what is an acceptable risk for you is not an acceptable risk for others.

      Highways are unsuitable and extremely unsafe for activities that are safe elsewhere. Nobody is saying it's "good" or "bad," only that it's good or bad for certain things. To use an extreme analogy that will probably be bogged down in irrelevant pedantry, Big Wheels don't belong on highways. You're stuck on the fact that saying cloud storage is potentially a really bad place to store thing X equates to it being somehow generally bad. Nobody here said the latter, at least as far as I've read. The former is completely true and eminently reasonable in many circumstances.

      Asking for high standards is one thing. Expecting all organizations to adhere to the highest possible standards, for which there are good reasons for some to pay and others to not, is another entirely. The latter expectation is ludicrous beyond all belief. There are differing service levels and pricing for different applications and security concerns. One size does not fit all, and there are things that cloud storage does not fit. If that concept hasn't sunk in by now, there's not much more I can add to this. We'll have to agree to disagree.

    67. Re:the cloud by lennier1 · · Score: 1

      You're just taking the wrong approach. It's called "cloud" because of all the smoke marketing guys are blowing up the asses of investors.

    68. Re:the cloud by postbigbang · · Score: 1

      This is why we have best practices. This is why we educate youth. This is why we work hard: to make it safe for civilians, your grandmother, the kid down the street, and so on.

      We know that some organizations won't adhere to them, or they'll screw off and not patch or update something. When we find them, we try and bring them up. Barring that, we use other motivators. If we all screw off, the whole thing falls apart. Diligence, and unwavering diligence, gets it done. Yeah, sounds almost military, yet if we evolve standards and expect people to adhere to them, one of the motivators will also be embarrassment. So, Wordpress gets their dishful.

      The rented "cloud" has standards. Test environments have standards. This is why we have protocols. Cloud storage should be protected. Data in cloud storage has some value. No data is cheap. Those that believe that data value is cheap are fools, and don't understand the basics.

      --
      ---- Teach Peace. It's Cheaper Than War.
    69. Re:the cloud by Anonymous Coward · · Score: 0

      "and that's why I don't want everything in the cloud"

      Such as blog posts, hmm?

    70. Re:the cloud by mhelander · · Score: 1

      And why is that argument not applicable to any cloud server (it will be local for someone)?

    71. Re:the cloud by Anonymous Coward · · Score: 0

      If that data is mine and that someone is not me, then it doesn't matter.

    72. Re:the cloud by IAmGarethAdams · · Score: 1

      You keep using that word. I do not think it means, what you think it means.

      The citation was given as the wordpress.org website

    73. Re:the cloud by Anonymous Coward · · Score: 0

      Some data is cheap, some is not. Those who don't understand that are fools.

    74. Re:the cloud by petteyg359 · · Score: 0

      The cloud is a puffy white thing in the sky. Who's in marketing?

  2. Facebook? Twitter? by Jeremiah+Cornelius · · Score: 5, Insightful

    The Word Press devs promoting integration with Facebook is like handing Sweeney Todd the razor and saying "Shave away, whatever you like."

    It starts with FB managing the identities and next, the discussion threads, and slowly creeps throughout - until WP is a hollow frame on which to drape FB parts.

    Eviler than Google. And that's saying a lot.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Facebook? Twitter? by Anonymous Coward · · Score: 0

      Hey, not my weenie Sweeny!

    2. Re:Facebook? Twitter? by JaredOfEuropa · · Score: 2

      Remember why Facebook offers such integration: to Facebook, you are not a customer; you're the product. A product generating data to be sold to marketeers. That is the real purpose of their offering of integration, Facebook currency, Like buttons, and soon to come: what is called the social layer on the WWW. It's all meant to generate valuable data, and it'll get worse and more pervasive as FB moves from the Grow and Consolidate phases to the Cash-in phase. And that is why I am staying well clear of Facebook, despite the fact that it does offer some value to its products, I mean customers.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  3. Color me surprised by Anonymous Coward · · Score: 0

    :-|

  4. Spammers? by joesteeve · · Score: 1

    If obtaining API keys was the target, then we are gonna have a fresh wave of spam. Shyte.

  5. beyond that... by hxnwix · · Score: 4, Funny

    They stole everything, but, "beyond that, however, it appears information disclosed was limited."

    1. Re:beyond that... by xMrFishx · · Score: 2

      Quick, if we shut our eyes we can't see anything being stolen!

    2. Re:beyond that... by Anonymous Coward · · Score: 0

      Yrah. Nut, hoe dp i reply wioth my eyed c;loserd>

    3. Re:beyond that... by Anonymous Coward · · Score: 0

      well, what's beyond everything?

  6. Whoa by Grindalf · · Score: 0

    Leet! Leet! Leet! Leet! Leet! Leet! Leet! Leet! Leet! Can I get an autograph?

    --
    The purpose of existence is to make money.
  7. Automattic by asvravi · · Score: 1

    So low level break-ins are automatic now?

    'Automatic had a low-level (root) break-in to several of our servers'

  8. WTF? by Anonymous Coward · · Score: 1

    >> Eviler than Google. And that's saying a lot.

    Er.. Anything from Apple|Microsoft|Oracle|Sco might have made slightly more sense. But then, if you had taken your medicine today on time, we wouldn't have had this discussion. Just saying...

    1. Re:WTF? by Anonymous Coward · · Score: 1

      Google owns you and you're too dumb to see it.

    2. Re:WTF? by Anonymous Coward · · Score: 2, Funny

      It doesn't matter how much you keep trying, Mr. Beck, Slashdot won't hire you after your gig at Fox News is done.

    3. Re:WTF? by Anonymous Coward · · Score: 0

      Only if I let Google do that. And BTW, google was the only one who fought against the order asking them to reveal user information while all others just caved in. Also, just the previous story was about Google investing in some solar power plant, while Steve Jobs is stealing others' livers.

      Are you really that stupid?

      Wait a second - it seems I am on digg. Never mind. Please continue babbling.

    4. Re:WTF? by Dishevel · · Score: 3, Informative

      But they don't own me, though they rent me with really cool shit.
      Even after they rented me they kept improving the shit they rented me with.
      They win too. They serve me up small text ads. Ones that kind of hang back and allow me to see the stuff I want to see.
      Because they rented me they also can do a better job of making those unobtrusive text ads sometimes useful.
      If they fuck us over then their flock runs away. Then their profits go down. They do not want to do that.
      What they want is to continue to serve me really good ads that make them shitloads of money.
      What I want is really cool shit and ads that don't make me want to tear my eyes out.
      That is why me and Google get along so well.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
  9. Refreshing honesty? by slackzilly · · Score: 1

    Many (most?) companies try to lie about the severity of the hack. Looks to me like they are saying it like it is. I like that.

    --
    - "If one man can create that much hate, you can only imagine how much love we as a togetherness can create."
    1. Re:Refreshing honesty? by yincrash · · Score: 2

      99% of the comments on the wordpress post are exactly like yours. Everyone is treating it like it's not even a problem.

    2. Re:Refreshing honesty? by slackzilly · · Score: 1

      I didn't say it's not a problem.

      --
      - "If one man can create that much hate, you can only imagine how much love we as a togetherness can create."
  10. why rob banks? by Anonymous Coward · · Score: 2, Insightful

    that's where the money is.

    say you are a black hat, you gonna go after amazon cloud services or ME as an individual at home.

    individuals are gonna get hit one at a time... the cloud is a really big juicy target

    security through fifty-leven different systems & methods for each record.. kinda security through obfuscation.
    my method will be different from my neighbor

    if we are both on amazon cloud-- you only gotta get in once.

    1. Re:why rob banks? by xMrFishx · · Score: 2

      security through fifty-leven different systems & methods for each record.. kinda security through obfuscation. my method will be different from my neighbor

      Though in the terms of most consumers all that means is your key is under the mat, his is in the plant pot. I keep mine in a hornet's nest but leave the back door open in case I can't get past the hornets.

    2. Re:why rob banks? by Anonymous Coward · · Score: 0

      that's where the money is.

      say you are a black hat, you gonna go after amazon cloud services or ME as an individual at home.

      individuals are gonna get hit one at a time... the cloud is a really big juicy target

      security through fifty-leven different systems & methods for each record.. kinda security through obfuscation. my method will be different from my neighbor

      if we are both on amazon cloud-- you only gotta get in once.

      uhm.. are you saying banks are being robbed more than homes and people?

    3. Re:why rob banks? by Anonymous Coward · · Score: 0

      Yes because robbing people, homes and banks compares to breaking into a network so well....

    4. Re:why rob banks? by Cwix · · Score: 1

      Lets expand on your analogy a little.

      Someone gaining root access has the potential to access ALL information. Therefore someone breaking into a bank could take everything.

      So the modified analogy would go like this:
      If a thief could take everything from the place he breaks into would he break into my apartment, or into a bank?

      I'm going to guess he'll break into the bank.

      So.. to wrap it up, as I see it the robber would much rather make off with 10,000 people's assets than 1 person's. Which makes the bank a much bigger target.

      --
      You are entitled to your own opinions, not your own facts.
    5. Re:why rob banks? by Isaac+Remuant · · Score: 1

      heh, You make me wish there was a "really bad analogy" moderation option. XD

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
  11. Yo , by Anonymous Coward · · Score: 0

    "Automatic had a low-level (root) break-in to several of our servers,"

    -- The victims know the attacker by name?

  12. Saw some unusual activity this week by Anonymous Coward · · Score: 2, Informative

    I was seeing some unusual activity on my blog hosted there. I opened a ticket and they thanked me for the info but never got back to me. Just emailed them regarding the ticket to see if they were related. Good thing I immediately went and changed my password for them. I guess I better change it again just to be safe. Mine is definitely not in the dictionary or guessable so I'm not too worried unless they can decrypt the password file. I would hope they encrypt their password file... I'll probably also have to prepare for more spam as well since this is a different email addy from last week's Epsilon breach...

    -Brad

    1. Re:Saw some unusual activity this week by v1 · · Score: 4, Insightful

      I guess I better change it again just to be safe. Mine is definitely not in the dictionary or guessable so I'm not too worried unless they can decrypt the password file. I would hope they encrypt their password file..

      If they raided the entire fridge, even if it was encrypted, they'd have the keys and thus all the passwords on a silver platter.

      I think what you meant to say is you hope the passwords were hashed.

      --
      I work for the Department of Redundancy Department.
    2. Re:Saw some unusual activity this week by joost · · Score: 1

      Yes, the passwords on wordpress.com are hashed:

      Matt

      April 13th, 2011 at 5:27 pm

      WordPress passwords are hashed and salted using phpass.

      http://en.blog.wordpress.com/2011/04/13/security/#comment-124231

    3. Re:Saw some unusual activity this week by hedwards · · Score: 1

      Personally, I like my hash salted. But that's just me.

    4. Re:Saw some unusual activity this week by blair1q · · Score: 0

      never mind. hashing = encryption, here. they've changed the terminology since the last time i cared.

    5. Re:Saw some unusual activity this week by dave420 · · Score: 2

      Hmm. Usually it's a hash of the password that is stored. The entered password is then hashed the same way, and if the result is the same, access is granted. Encrypted data can be unencrypted, but hashed data can't be unhashed.

    6. Re:Saw some unusual activity this week by blair1q · · Score: 1

      Yeah, I figured that out after reading through some links. Even posted a demurral but I don't see it here. Could just be /.'s new fucked-upedness taking over.

      Been a while since I did anything with passwords and the linguistic shift from encrypted to hashed is just reaching Barsoom.

    7. Re:Saw some unusual activity this week by slaad · · Score: 1

      So having the key is irrelevant.

      Having the "key" is entirely relevant. If an attacker doesn't have the key, they can't even begin to attempt a brute force crack. Once the key has been obtained it becomes possible.

      Furthermore, many people use stupidly simple passwords. The attacker will be able to find these passwords within just hours. Without the key though, even a crappy password is unbreakable.

      Of course, that doesn't just leave everyone's password out in the open, the passwords still have to be guessed. But there's a wide gap between impossible and may take a while but is doable for many passwords. Having the key is completely relevant.

      --
      ~Warning!~ The above is encrypted using rot676!
    8. Re:Saw some unusual activity this week by Anonymous Coward · · Score: 0

      Personally, I like my hash in a pipe. But that's just me.

    9. Re:Saw some unusual activity this week by bruno.fatia · · Score: 1

      I prefer mine with sugar.

    10. Re:Saw some unusual activity this week by xtracto · · Score: 1

      Have you heard about one way encryption?

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    11. Re:Saw some unusual activity this week by Anonymous Coward · · Score: 0

      Personally, I like my hash salted. But that's just me.

      They are salted. They are using http://www.openwall.com/phpass/. phpass includes the salt in the hash.

    12. Re:Saw some unusual activity this week by dkf · · Score: 1

      The attackers gained access to all information on the site, so it's entirely possible that they've got enough information to work at breaking passwords at their leisure. OTOH, the site is using a salted hash for their passwords, so the only approach that can be used is a simple brute-force test, one password at a time, one user at a time. Weak passwords are under threat, but strong ones should be OK (at least for some time).

      It's still a good idea for users to change everything that uses the same password to use something else. The most secure option would be to go to using a different password for each site, as that limits the exposure of future breaches, but the downside is that far more passwords need to be remembered...

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    13. Re:Saw some unusual activity this week by dkf · · Score: 1

      hashing = encryption, here. they've changed the terminology since the last time i cared.

      There's a formal difference. Encryption is reversible (if you have the decryption key) whereas hashing is not (it formally loses information from long input values). Theoretically, hashing is less strong because there could be other values that hash to the same thing (this is one of the principles behind rainbow tables) but with a good crypto hash algorithm, finding two values that collide is really hard.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    14. Re:Saw some unusual activity this week by v1 · · Score: 1

      It certainly is amazing how many people don't understand the difference, or more specifically, that there is a difference.

      The other important factor is that hashing is not 1:1 input for output. Block digest functions are a good illustration of that. But in this specific case that's not important.

      The only important thing here is that given a full site dump (or outright theft of the gear) it's not possible for the attacker to determine cleartext passwords short of brute force. (or rainbow table if the implementers are idiots)

      --
      I work for the Department of Redundancy Department.
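An added example, not from the page, from WordPress.com or from phpass, of the salted-hash scheme the comments above describe: dave420's verify-by-rehashing, the salt stored inside the record as the phpass comment notes, dkf's point that each guess has to be run per user, and v1's warning that an unsalted hash invites precomputed tables. It uses PBKDF2-HMAC-SHA256 from Python's standard library instead of phpass's own construction; the record format, the iteration count and the constructed `users` dictionary are this example's own choices.

```python
"""Salted password hashing and verification (illustrative scheme, not phpass)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "pbkdf2_sha256"   # label stored in each record (this example's own choice)
ITERATIONS = 100_000       # work factor; raise it as hardware gets faster
SALT_BYTES = 16            # 128-bit random salt, generated per user


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest.

    As with phpass, the salt travels inside the stored string, so verification
    needs nothing but the record and the candidate password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare; there is no decryption step."""
    parts = record.split("$")          # base64 never contains '$', so the split is safe
    if len(parts) != 4 or parts[0] != SCHEME:
        return False                   # unknown scheme or malformed record
    _, iterations, salt_b64, digest_b64 = parts
    try:
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def salt_of(record: str) -> bytes:
    """Extract the per-user salt from a record (used to show that salts differ)."""
    return base64.b64decode(record.split("$")[2])


def unsalted_digest(password: str) -> str:
    """The construction v1 warns about: same password, same hash for every user,
    so one precomputed table answers the question for the whole dump."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_password_leaks(records: dict) -> bool:
    """True if two stored records are byte-identical, i.e. a shared password is
    visible to anyone holding the dump without guessing anything. Properly salted
    records should never trigger this."""
    seen = set()
    for rec in records.values():
        if rec in seen:
            return True
        seen.add(rec)
    return False


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same weak password.
    users = {
        "alice": hash_password("hunter2"),
        "bob": hash_password("hunter2"),
        "carol": hash_password("correct horse battery staple"),
    }
    print("bob logs in:", verify_password("hunter2", users["bob"]))
    print("salted dump reveals shared password:", shared_password_leaks(users))
    unsalted = {u: unsalted_digest(p) for u, p in [("alice", "hunter2"), ("bob", "hunter2")]}
    print("unsalted dump reveals shared password:", shared_password_leaks(unsalted))
```

The record is the only thing the server keeps; a stolen dump, keys and all, still gives the attacker nothing better than re-running `hash_password` per candidate, per user, which is exactly the "one password at a time, one user at a time" situation dkf describes.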
  13. Terrible summary by whh3 · · Score: 2

    Where did the anonymous reader get information regarding the hacker's access to "passwords/API keys for Twitter and Facebook accounts"? On a related note, it appears that the anonymous reader cannot properly copy and paste. It is Automattic and not Automatic.

    --
    remove nospam. to email!
    1. Re:Terrible summary by Anonymous Coward · · Score: 0

      It is Automattic and not Automatic.

      Well, I do not know where you are from, but even Firefox's spell check feature agrees. It is Automatic. One t, not two. Phonetically, two t's may be fine, but so would aughtoemat-tik, but no one uses that... yet.

    2. Re:Terrible summary by nyfle · · Score: 1

      Uh, no. We're not talking English spelling here; Automattic as in Automattic, Inc., the company behind http://automatic.com/

  14. Terrible attacks' by Anonymous Coward · · Score: 0

    I've more than 10 websites in Wordpress.... the number of attacks is giant :S
    I'll try to install some plugins to defend all of them.
    Best regards,
    Dan
    http://www.chinelospersonalizados.org

  15. CGI systems by hackus · · Score: 0

    Surprise!! Another CGI system is breached. Yes, I am one of those guys that thinks php is stupid!

    Along with the whole idea of CGI based native call methods built as plugins directly into a web server.

    Why don't you just give everyone the root password on your webserver and save them the effort and you the embarrassment?

    At least that way you can say I knowingly did it instead of admitting you run CGI crud in the 21st century.

    A century where VM technology makes such drivel totally unrequired.

    So use virtual machines, and do not tie executable code to the native environment accepting the connections or call interfaces from direct URL's.

    That means any CGI or language plugin for Apache. The only way today I would run a website is with a web server on the outside with no hard disk, and a java virtual machine executing the URL references on a completely separate networked machine using the apache tomcat plugin.

    -Hack

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.
    1. Re:CGI systems by GeorgeMonroy · · Score: 0

      Please explain how to do this. I have no idea what you are talking about but it does sound like you are giving good advice.

      --
      You got the touch!
    2. Re:CGI systems by Anonymous Coward · · Score: 2, Insightful

      The only way today I would run a website is with a web server on the outside with no hard disk, and a java virtual machine executing the URL references on a completely separate networked machine using the apache tomcat plugin.

      Wow! You could serve TENS OF USERS with that rig!

    3. Re:CGI systems by binford2k · · Score: 1

      Aw, Hack, did you forget your meds again?

    4. Re:CGI systems by lennier · · Score: 1

      Got Geometrodynamics? Awe, too hard to figure out? Too bad.

      John Wheeler cries! Then giggles. Then cries some more.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    5. Re:CGI systems by H0p313ss · · Score: 1

      Aw, Hack, did you forget your meds again?

      I don't think he forgot them, I think he just took a little too much this morning.

      --
      XML is known as a key material required to create SMD: Software of Mass Destruction
    6. Re:CGI systems by Anonymous Coward · · Score: 1

      So how's that unemployment check coming along?

    7. Re:CGI systems by Ash-Fox · · Score: 1

      So use virtual machines, and do not tie executable code to the native environment accepting the connections or call interfaces from direct URL's.

      That didn't stop someone exploiting my tomcat powered website, downloading copies of the databases.

      --
      Change is certain; progress is not obligatory.
    8. Re:CGI systems by simoncpu+was+here · · Score: 1

      Just use jail/chroot and don't run your web server as root. Problem solved.

  16. Re: twitter/fb-This has been happening everywhere by Anonymous Coward · · Score: 3, Insightful

    Login: Half the sites I visit these days have a facebook login option to access that site's account. A subset of which no longer really -have- an account management of their own.

    Discussion threads: Almost every site that has discussions threads seems to use Disqus these days.

    Avatars / Profile pictures: Thanks to the use of Disqus, that'll be Gravatar, but even sites that still have their own commenting system seem to be jumping to Gravatar; including WordPress.com .

    I'm not sure who knows more about people anymore.. Google or that little conglomeration of services.

  17. Re: twitter/fb-This has been happening everywhere by hedwards · · Score: 2

    I refuse to sign up for sites like that. I played around with OpenID for a bit, but stopped pretty quickly. A single point of failure is really not a good thing.

  18. Re: twitter/fb-This has been happening everywhere by TheRaven64 · · Score: 1

    The gravatar one is the one that irritates me the most. Ohloh.net uses it, and they don't even let you point to an avatar on your own web server. I can sort of understand them not wanting to have to host everyone's avatar (although, given that they're 10KB or so each... not really), but a service forcing you to use a third-party service to make some features work seems really stupid to me.

    --
    I am TheRaven on Soylent News
  19. They have no idea what was taken by Anonymous Coward · · Score: 0

    They have no idea what data was taken/probed. Even if they don't think that their encryption keys were taken. They were. This attack will happen again, and now that Wordpress has got some press off this, they are going to be securing stuff even more. All that this is going to do is make more and more people probe and push down attacks on their site.

    Bad choice guys. If you get hacked, don't publish it.

    1. Re:They have no idea what was taken by HomelessInLaJolla · · Score: 1

      If you get hacked, Don't publish it.

      Most people don't even know about it. If the people who have pwned your system allow you to discover it is only because they are setting you up.

      --
      the NPG electrode was replaced with carbon blac
  20. Re: twitter/fb-This has been happening everywhere by Anonymous Coward · · Score: 3, Insightful

    Gravatar is particularly bad because it is uniquely* identifying to your e-mail address.
    (* as far as MD5 is unique for the purposes)

    If you were ever silly enough to use your e-mail address on some random blog to make an anonymous post - falsely trusting that the site wouldn't make this public - and that site decides to add Gravatar -without- making sure it only adds this for non-Anonymous posts... bam. exposed.

    In addition, of course, Gravatar knows who you are, at least by e-mail address (not sure what other information you have to give up). Because Gravatar hosts the avatar images but gets referenced from the original site (or via Disqus), Gravatar essentially knows where you have posted comments.

    That's just two of the security/privacy issues with Gravatar - a websearch will yield many more. But users typically don't care.. they just think it's great that they can go to Gravatar, upload a new profile image, and that's instantly updated on every service you use. That's useful to some. Webmasters also generally don't care, because they believe that -all- their users are the aforementioned type of user. This happened recently at a site and after a short explanation in the discussion system there (not Disqus, thank goodness), many agreed that the webmaster made a booboo and the webmaster made it opt-in a few days later; but the damage was already done. Gravatar essentially had a list of everybody who ever commented there - people who are typically customers of that site - the moment people started viewing pages. And that's presuming Gravatar doesn't immediately scrape the site for data collection - I know I would if I were evil.

    I've long given up the idea that there's anything I can do completely anonymously - but it still saddens me to see that privacy is yanked away so readily and without any consent, thanks to the masses.

  21. Sure glad... by ugen · · Score: 1

    Sure glad now I used a "shitty unimportant level" password for my wordpress.com account. Whoever it is, is welcome to keep it.

    1. Re:Sure glad... by Anonymous Coward · · Score: 0

      Instead of "shitty unimportant level" passwords--you should be using a password manager and lots of great unique passwords.

  22. Perhaps, rather, something was PLANTED in by Anonymous Coward · · Score: 0

    Not STOLEN out?

    APK

    P.S.=> Everyone automatically seems to assume it's only "all about stealing something out of the server", when it may very well be inserting something ONTO THE SERVERS as well!

    (Just some "Food 4 Thought"/something to consider)... apk

    1. Re:Perhaps, rather, something was PLANTED in by Anonymous Coward · · Score: 0

      Stop inserting your bullshit, you dumb fuck.

    2. Re:Perhaps, rather, something was PLANTED in by Anonymous Coward · · Score: 0

      big man behind your anonymous coward post with your big words. I would like to see you try saying that to his face or anyone else's for that matter you do this to. I bet you're the type of goof that got the crap beaten out of himself in high school for acting how you do, and now you're a real big man online where you think nobody can touch you. Do you know what people think of worms like yourself? Not much.

  23. Re: twitter/fb-This has been happening everywhere by Jeremiah+Cornelius · · Score: 1

    Facebook's New Realtime Analytics System: HBase to Process 20 Billion Events Per Day

    Via: High Scalability:

    The need for such a high powered analytics system is driven by Facebook's brilliant plan for world wide web domination via the viral propagation of social plugins, all tying the non-Facebook web back into Facebook and the Facebook web back into the non-Facebook web. Basically anything that people can do is captured and fed back through Facebook and anything done on Facebook can be displayed on your website, building closer relations between the two.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  24. What have I learned here? by __aayuzx6098 · · Score: 4, Interesting

    If large, well-funded companies, even those that specialize in security (!), or whose business depends upon keeping their proprietary info safe, cannot keep their servers secure, what chance does a Mom and Pop operation like mine have?

    This year I spent 4 weeks studying the OS X Server Security Config (400 pp.), and implementing those recommendations. I've looked at best practice guides for all the underlying FOSS tools I use. I monitor logs.

    But it seems it's never enough to keep out a determined, skilled hacker. Do I despair? Give up? What lessons can I take from this?

    1. Re:What have I learned here? by John+Hasler · · Score: 1

      You don't hear about the companies that do keep their servers secure, do you?

      Lesson: don't do business with wordpress.com.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:What have I learned here? by Mazzie · · Score: 1

      What lessons can I take from this?

      If you jump off the roof of your house, you will hit the ground. If you have a really expensive house with like 5 stories, or a penthouse on 5th avenue, it may take you longer to hit the ground, but eventually.... splat.

      --
      Having a bookmark to Google does not make you an expert on everything.
    3. Re:What have I learned here? by hedronist · · Score: 1

      Take-aways from this:

      1. If it's on the Net then, sooner or later, it will be compromised. This is Rowell's Corollary to Fudd's First Law of Opposition. FFLoO is: If you push something hard enough it will fall over.
      2. Have a complete, offsite (off-server) backup ... and test it.
      3. Hashing passwords only works up to a point. Use a password system that yields a different one for each system.
      4. Don't keep any important information (e.g. credit card numbers) on the server if you can possibly avoid it — store it on another system that has a very narrow relationship with the net-facing system.
      5. When there is a root compromise, anything encrypted on the system which can be auto-decrypted is suspect and / or assumed to be copied elsewhere along with the keys.
      6. The Bad Guys® are as smart as (or smarter than) you are. And there are no extradition treaties where they live.

    4. Re:What have I learned here? by Anonymous Coward · · Score: 0

      I've looked at best practice guides for all the underlying FOSS tools I use. I monitor logs.

      ^^^--- They don't or someone slips up. It happens. You're a FAR smaller target as well.

    5. Re:What have I learned here? by Anonymous Coward · · Score: 0

      But it seems it's never enough to keep out a determined, skilled hacker. Do I despair? Give up? What lessons can I take from this?

      The lesson is just like everything else, nothing is 100% safe and security costs money. You can pay $100,000 to secure a real store and it can still be broken into by someone who knows what he's doing.

      Welcome to the club.

    6. Re:What have I learned here? by Lisias · · Score: 1

      Pray.

      And keep reading that 400pp manual of yours.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    7. Re:What have I learned here? by jovius · · Score: 1

      You don't hear about the companies that do keep their servers secure, do you?

      There are also reasons why the most secure organisations do not publicise breaches.

    8. Re:What have I learned here? by Anonymous Coward · · Score: 0

      Since you're using Apple, you're terribly screwed because of their laughable patching policy and security update response times anyway.

    9. Re:What have I learned here? by Anonymous Coward · · Score: 0

      You probably spend a lot more time securing your systems than they do. Since they're a large company, they most likely have shitty admins -- it's a generalization, I know, but from my experience it's very often true.

    10. Re:What have I learned here? by Anonymous Coward · · Score: 0

      I remember reading this blog by a security/hacker guy. His blog is long gone, but in one of his posts he summarized that you can never have a secure server. A determined hacker will always find a way in. The best thing you can do is limit what a hacker can do, once he's gotten into your system. If you only focus on keeping him out, the guys who find a way in will have free access to everything.

    11. Re:What have I learned here? by Anonymous Coward · · Score: 0

      Bad things happen, deal with it.

      If you are watching your steps when you cross the road, it will increase your chances of getting to the other side in one piece. But it won't help much if someone is really out to get you.

      You're keeping the kids out, try not making too many enemies and you'll be safe.

    12. Re:What have I learned here? by Joopsy · · Score: 1

      Have to say, I agree with you. The whole state of computer security is fairly depressing. (I don't work in security, but I think about it quite a bit) When I ponder this sometimes... I think that the main advantage defenders have is "prepared ground". The attackers do not know the details of your system. In order to get the details of your system, they will have to explore, and poke around and do things. Noticing their investigation before they can do damage or extract data could turn a terrible situation into a merely very bad one. (I guess I am saying that the last line of defence of a defence in depth, is to minimise their damage if they do get in). Obviously still need to completely rebuild.

      J.

      ps.. Unfortunately doing anything like this is probably very much out of the reach of a mom+pop shop. I think what you are doing is the best you can do. Learn, and keep your exposed surface area as small as possible (to minimise what you need to learn and stay current on)

    13. Re:What have I learned here? by psydeshow · · Score: 1

      Do you store financial, personally identifiable, or other must-be-kept-private information?

      If yes, hire a pro to audit your setup and cover your ass. You can call said pro when you do get hacked to help with cleanup. If no, stay small, don't piss off your users, and stay on top of those logs.

      Oh, and in either case, make sure you have current, offline backups that can be used to recover from an incident.

    14. Re:What have I learned here? by matthew_t_west · · Score: 1

      Obscurity isn't security, but if you are a Mom and Pop shop, depending on the sector, I don't think you have much to worry about. You've done your due diligence in safeguarding your server. As long as it's only exposed to the internets on specific ports (80, 442, etc.) you really don't have much to worry about. Patch your shit, keep it up to date. Upgrade when it's safe (i.e. - not going to bork your apps.)

      You're OK. Now if you are a Mom and Pop shop with $Billions of loan documents floating through your server, I'd be a bit more worried. ;-)

      --
      Browse at 1. You'll thank me later.
    15. Re:What have I learned here? by Mista2 · · Score: 1

      Be careful, be small, and stay under the radar. Never put client data where it can be openly accessed on your server; encrypt everything. Most attacks will actually come from your own staff, and most likely someone with authorised access anyway. What makes these sites juicy is the passwords they may contain for other sites, and email addresses for spam or identity theft. Keep your clients so anonymous, even you don't know who they are. Except if you live in France, then you have to keep everything anyone ever does on your site logged, and passwords in plain text.
      8)

  25. Obligatory by El_Oscuro · · Score: 1
    --
    "Be grateful for what you have. You may never know when you may lose it."
  26. How did they get in? by Coppit · · Score: 1

    Does anyone know how they got hacked? When I ran Wordpress it was like trying to plug a dike with bubble gum.

  27. secret sauce by porjo · · Score: 1

    Oh no, I hope they didn't get the source code. Imagine what kind of security exploits and backdoors they may discover by having access to the source!!....oh wait

  28. Re: twitter/fb-This has been happening everywhere by Anonymous Coward · · Score: 0

    Stackoverflow use Gravatar. Which is why my SO account still has the default picture.

  29. Great Spin Doctoring the TFS by Anonymous Coward · · Score: 0

    low-level == root, man, that is some seriously good spin.

  30. Gravatar Default Picture is just as evil by Anonymous Coward · · Score: 0

    Stackoverflow use Gravatar. Which is why my SO account still has the default picture.

    But said default picture is not an anonymous picture.

    Just because it means I can't recognize your picture from another location.. say if you had uploaded a profile picture to facebook and used that same profile picture on gravatar, and then let a service like TinEye loose on it, doesn't mean your information isn't there.

    Just as an example - I just posted to ICanHazCheesburger under the pseudonym of OneFineKitty. The page with the comment - if approved - is here:
    http://icanhascheezburger.com/2011/04/13/funny-pictures-videos-kitten-jump-fail-2/#comment-1151745

    The e-mail address I used - thinking the domain would be invalid or used by some squatter or whatever - is gravataratexmapledotcom (substitute where appropriate, and yes.. that's deliberately misspelled although apparently that domain does exist).

    The URI it serves is:
    0.gravatar.com/avatar/afef1d846a548af79a624df820c3535a?s=32&d=identicon&r=G

    Note that this isn't just some blank query causing Gravatar to serve up a default image - the 'afef1d846a548af79a624df820c3535a' part is the md5.

    So once that comment is approved, if anybody knew that e-mail address, they need but do a web search for that MD5 and ICHC should pop right up, exposing that I - or at least somebody using that e-mail address - posted there and what I posted there.

    So if at one point in your life you were posting under the name "dhasjkj" but used your e-mail address, putting false trust in the website author to never expose that e-mail address (and using md5 in a resource query is a form of exposure!), but long since started posting under "qhoqdw" and believe that everybody looking for "qhoqdw" would never find "dhasjkj".. well, think again. Gravatar enables exactly that.

    The more I think about it, the more I wonder if these kinds of services - or rather the sites that implement them - aren't in violation of EU privacy directives - which don't assume that everything you enter online is public by default and -do- require service operators to do their due diligence in protecting private information.
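    The cross-site linking the comment above describes can be demonstrated end to end. The following is an added example, not code from the commenter or from Gravatar: it implements the MD5 scheme Gravatar documented at the time (trim whitespace, lowercase, MD5 of the e-mail address) and runs it over a constructed set of comments scraped from three hypothetical sites. The site names, pseudonyms and e-mail addresses are all made up for the example; "gravatar@exmaple.com" is the address the comment itself spells out.

```python
import hashlib
from collections import defaultdict

def gravatar_hash(email: str) -> str:
    """Gravatar's documented MD5 scheme: strip surrounding whitespace,
    lowercase, then hex-encode the MD5 of the UTF-8 bytes. The result is
    a stable, publicly visible fingerprint of the e-mail address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def gravatar_url(email: str, size: int = 32, default: str = "identicon",
                 rating: str = "G") -> str:
    """Build the avatar URL a site embeds in its page (the same shape as the
    URL quoted in the comment above). The hash is the whole privacy problem:
    it travels with every comment the address is used on."""
    return (f"https://0.gravatar.com/avatar/{gravatar_hash(email)}"
            f"?s={size}&d={default}&r={rating}")

# Constructed sample: (site, pseudonym, avatar hash seen in the page source).
# Nothing here was scraped from a real site; the hashes are computed locally
# so the example runs offline.
SAMPLE_COMMENTS = [
    ("site-a.example", "dhasjkj",      gravatar_hash("someone@example.com")),
    ("site-b.example", "qhoqdw",       gravatar_hash(" Someone@Example.COM ")),
    ("site-c.example", "OneFineKitty", gravatar_hash("gravatar@exmaple.com")),
    ("site-a.example", "unrelated",    gravatar_hash("other@example.org")),
]

def link_pseudonyms(comments):
    """Group (site, pseudonym) pairs by avatar hash. Any hash that appears
    under more than one pseudonym links those identities, with no need to
    know the underlying e-mail address at all."""
    by_hash = defaultdict(set)
    for site, name, avatar_hash in comments:
        by_hash[avatar_hash].add((site, name))
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}

def identify(candidate_emails, observed_hash):
    """The other direction the comment describes: someone who knows (or has
    a list of) e-mail addresses can test each one against an observed hash.
    MD5 of a short, low-entropy string is cheap, so this scales to large
    address lists."""
    return [e for e in candidate_emails if gravatar_hash(e) == observed_hash]

if __name__ == "__main__":
    for avatar_hash, names in link_pseudonyms(SAMPLE_COMMENTS).items():
        print(avatar_hash, "->", names)
    print(gravatar_url("gravatar@exmaple.com"))
```

    Running it shows "dhasjkj" on one site and "qhoqdw" on another collapsing to a single identity purely because both were entered with the same address, differing only in case and whitespace that the normalization removes. The `identify` function is the web-search step from the comment done locally against a candidate list. Operators who want to avoid leaking this fingerprint can only do so by not embedding the hash in the first place (proxying or caching avatars server-side), since the hash, not the image, is what links the accounts.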

  31. TomHudson & another "AC reply troll attack"? by Anonymous Coward · · Score: 0

    ".kcuf bmud uoy ,tihsllub ruoy gnitresni potS" - by Anonymous Coward on Thursday April 14, @08:03AM (#35816296)

    ?

    LOL, and NO... I don't think so - I don't take YOUR orders, goofy... get it?

    (How's that?)

    APK

    P.S.=> Ah, yes... another TomHudson anonymous reply attack on myself: So, does TomHudson do that? Well, take a read, & you tell me:

    http://slashdot.org/comments.pl?sid=1646272&cid=32150544

    (Oh, & it's kind of tough to hide yourself as AC tomhudson, when your own words give you & your pals away as doing that to myself, as shown in that URL above)... apk

  32. Ummm, yeah by Anonymous Coward · · Score: 0

    "potentially anything on those servers could have been revealed"

    "Beyond that, however, it appears information disclosed was limited"