Slashdot Mirror


Linode Hacked, Credit Cards and Passwords Leaked

An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."


  1. Oh FFS by kernelpanicked · · Score: 4, Insightful

    Linode hacked again!? Seriously, for the premium they're charging, beefing up security might do well to be added to their todo list.

    --
    Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
    1. Re:Oh FFS by Anonymous Coward · · Score: 1

      There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

    2. Re:Oh FFS by Dunbal · · Score: 1

      Actually Windows is a tough nut to crack also, nowadays. Most patches nowadays are for exploits that require local access to the machine. Of course Flash is another issue entirely...

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Oh FFS by Anonymous Coward · · Score: 4, Informative

      Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

      Except ryan_ in the chatlogs (which you obviously didn't bother to read) stated that Linode has set up their ColdFusion environment in a very insecure way. They apparently don't follow best practices. Not saying ColdFusion isn't shit, but it's still Linode's fault.

    4. Re:Oh FFS by gl4ss · · Score: 1

      There isn't a service on the internet that is un-hackable. You're a moron to think otherwise. Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

      it wasn't their fault for using cold fusion? "Get a server running in seconds with your choice of Linux distro, resources, and node location.
      Servers on demand. Support that cares." for all the LINUX YEEHAA!!! you'd think that they could have gone with something else..

      --
      world was created 5 seconds before this post as it is.
    5. Re:Oh FFS by SteveSommers · · Score: 2

      Based on the limited information released, I'm not sure how anyone could make the claim "was beyond their direct control and was a flaw in cold fusion." I use ColdFusion every day and most of the "vulnerabilities" reported can be avoided by using best practices -- the biggest being to remap the CFIDE directory to an empty directory and then add a virtual SCRIPTS directory under it pointing it back to the original CFIDE/SCRIPTS location. This one best practice prevents 99+% of the ColdFusion vulnerabilities. Most likely, preventing the breach was in their control.
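The practice described in the comment above (serve nothing under /CFIDE except the client-side scripts) can also be expressed as web-server access control rather than a directory remap. The fragment below is an added illustration in Apache 2.4 syntax; it is not Linode's, Adobe's, or the commenter's configuration. It assumes ColdFusion's CFIDE tree is served under the /CFIDE URL prefix (the default) and that the front-end web server is Apache 2.4 with the connector handling .cfm requests. Because `<Location>` access control is evaluated before any handler runs, requests to the administrator console and the admin API are refused at the web server even though the ColdFusion connector is still configured.

```apache
# Deny the whole /CFIDE URL space from the public interface: this covers
# /CFIDE/administrator, /CFIDE/adminapi, /CFIDE/componentutils and anything
# else shipped in that tree. Later, more specific <Location> blocks override.
<Location /CFIDE>
    Require all denied
</Location>

# Re-expose only the client-side script assets that tags such as cfform
# load in the browser. Nothing under here is server-side administration.
<Location /CFIDE/scripts>
    Require all granted
</Location>
```

Administrators then reach the console only through whatever internal interface or VPN the site already uses for management; the public virtual host never answers for it. Verify with a request for /CFIDE/administrator/ from an external address and confirm a 403, and a request for a file under /CFIDE/scripts/ and confirm a 200.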

    6. Re:Oh FFS by SteveSommers · · Score: 2

      ...Linux can't be hacked.

      @Anonymous Coward, With this statement alone you lost any and all credibility you might have had.

  2. Almost signed up Friday morning, too... by NitzJaaron · · Score: 1

    I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost wooed me with a better deal. Geez.

    1. Re:Almost signed up Friday morning, too... by Anonymous Coward · · Score: 3, Funny

      Dreamhost

      Out of the frying pan...

      Well, at least Dreamhost is pretty open about when they fuck up.

    2. Re:Almost signed up Friday morning, too... by NitzJaaron · · Score: 2

      I've used them for shared hosting for years, and it's been a hell of a frustration. That said, however, their VPS service actually has a good record. For the discounted price they offered me (based on the absolutely horrific service for the last few months) I couldn't refuse. It was a really good deal.

    3. Re:Almost signed up Friday morning, too... by vegge · · Score: 1

      I'd just finished doing a week of research for a VPS and was literally going to sign up for Linode Friday AM when Dreamhost wooed me with a better deal. Geez.

      If you don't mind my asking, who were your top candidates, besides Linode? Did any service really impress, in terms of security and stability?

    4. Re:Almost signed up Friday morning, too... by cheater512 · · Score: 1

      Wait you'd continue using a host that gives you horrific service?
      I hope guaranteed support times were in the deal.

    5. Re:Almost signed up Friday morning, too... by Anonymous Coward · · Score: 1

      Random downtime once or twice a year. Must be a real serious business web site. What a recommendation!

    6. Re:Almost signed up Friday morning, too... by petermgreen · · Score: 1

      Dunno about their VPS service but for a few months* we were using a dedicated server from them for raspbian and we had "fun" with it. It seems they have some management crap installed and if you try and customise the server (specifically in our case we wanted nginx rather than apache) it's easy to break it and render the machine unable to boot and bring up networking. Dreamhost support were able to bring the machine up manually but the only fix they could offer was a reimage (which we declined).

      Amusingly we managed to fix it ourselves, turned out the only thing missing that their management software needed to successfully boot the system was one symlink.

      * Between when we opened the repository to the public and when we got donated hosting from bytemark.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  3. Some more details by Necroman · · Score: 5, Informative

    Some details that people have been able to find so far.

    1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html

    This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387).
    This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388).

    2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html

    3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3

    4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

    --
    Its not what it is, its something else.
    1. Re:Some more details by nametaken · · Score: 1

      4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

      Yeah all I saw was this:

      05:42 [that ryan guy] credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security

      Though I've been unable to find any specific proof regarding CC#'s. A directory listing for a management console doesn't worry me so much as being able to decrypt cc's.

      I guess people will have to wait to hear from linode.
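The IRC line quoted above describes a key-placement failure rather than a cipher failure: encrypting card numbers buys nothing if the decryption key sits on the same host as the ciphertexts. As an added example, not part of this thread and not Linode's code, the Go program below models the two layouts with one RSA key pair: a web server that holds both halves of the key (the setup the chat log describes), and a split in which the web tier holds only the public key while a separate payment host holds the private key. A full copy of the first host's disk yields card numbers; a full copy of the web tier yields only ciphertexts. RSA-OAEP is the primitive chosen here and is an assumption (the thread does not say what Linode used), and the card number is a constructed test value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrNoPrivateKey is returned when a host is asked to decrypt but does not hold the private key.
var ErrNoPrivateKey = errors.New("private key not present on this host")

// oaepLabel binds ciphertexts to their purpose; it is not secret.
var oaepLabel = []byte("stored-card")

// Host models one server and what it holds on disk.
type Host struct {
	Name   string
	Pub    *rsa.PublicKey
	Priv   *rsa.PrivateKey // nil when the private key lives elsewhere
	Stored [][]byte        // encrypted card numbers at rest
}

// StoreCard encrypts a card number with RSA-OAEP. Only the public key is needed.
func (h *Host) StoreCard(pan string) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, h.Pub, []byte(pan), oaepLabel)
	if err != nil {
		return err
	}
	h.Stored = append(h.Stored, ct)
	return nil
}

// Decrypt recovers a card number. It succeeds only where the private key is present.
func (h *Host) Decrypt(ct []byte) (string, error) {
	if h.Priv == nil {
		return "", ErrNoPrivateKey
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, h.Priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RecoverFromDump models a complete copy of one host's disk (its keys and its
// stored ciphertexts) and returns every card number that copy alone is enough
// to reveal. This is the defender's question: what does losing this box cost?
func RecoverFromDump(h *Host) []string {
	var out []string
	for _, ct := range h.Stored {
		if pan, err := h.Decrypt(ct); err == nil {
			out = append(out, pan)
		}
	}
	return out
}

// Deployments generates one key pair and lays it out two ways:
//   colocated:     the web server holds both keys (the setup the chat log describes)
//   web + backend: the web server holds only the public key; the private key is
//                  on a separate payment host that never faces the Internet
func Deployments(bits int) (colocated, web, backend *Host, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, nil, err
	}
	colocated = &Host{Name: "web (both keys)", Pub: &priv.PublicKey, Priv: priv}
	web = &Host{Name: "web (public key only)", Pub: &priv.PublicKey}
	backend = &Host{Name: "payment backend", Pub: &priv.PublicKey, Priv: priv}
	return colocated, web, backend, nil
}

func main() {
	colocated, web, backend, err := Deployments(2048)
	if err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test card number, not real data
	_ = colocated.StoreCard(pan)
	_ = web.StoreCard(pan)
	fmt.Printf("dump of %q reveals: %v\n", colocated.Name, RecoverFromDump(colocated))
	fmt.Printf("dump of %q reveals: %v\n", web.Name, RecoverFromDump(web))
	// Legitimate decryption happens only where the private key lives.
	if pt, err := backend.Decrypt(web.Stored[0]); err == nil {
		fmt.Printf("%q can decrypt the web tier's record: %s\n", backend.Name, pt)
	}
}
```

The point of the split is that the web tier can write records it can never read; an HSM or a tokenization service fills the backend role in a production deployment, but the property being checked is the same one `RecoverFromDump` checks here.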

    2. Re:Some more details by VeryBest52 · · Score: 1

      That y_key_ file is a yahoo verification file. It's likely included in some page somewhere. Doesn't mean that they were hacked. Give me an hour to write a web crawler and I can come up with a similar listing. Notice he didn't post any actual proof that linode was hacked.

  4. So-called "Cloud" still not trustworthy by Anonymous Coward · · Score: 2

    There has to come a point in time where the law holds online providers responsible. Security is a process, not a product. It should be law that ALL companies must audit their code and processes at least twice a year. Look at OpenBSD, for example. Yes, it's an operating system, but they have the almost perfect record they have because of audits. Banks have audits. Companies fall under audit regulations. NIST 800-53 needs to be required of every company doing business on the Internet that holds or processes personal data.

  5. Re:Nonsense by cheater512 · · Score: 2, Informative

    ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

  6. OVH.ca by future+assassin · · Score: 1

    Fuck VPS when you can get an i3/8GB server for 39 Canadian.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:OVH.ca by Anonymous Coward · · Score: 1

      Sounded promising, until I noticed they do something very suspicious with their IP routing where ICMP (and UDP-based too!) traceroute, as well as classic ICMP ping, get dropped even before making it to the border of their network. I tested this from two different connections: a Comcast residential connection in northern California (gets to San Jose California then gets dropped), and an ARP Networks VPS in southern California (doesn't even get to hop 2). Neither of the two providers I listed off filter ICMP, so this is something OVH is doing (and it's not the first time I've seen someone do it). The destination I was trying to reach was 213.186.33.5. They announce a /19, as tested from route-views:

      route-views>show ip route 213.186.33.5
      Routing entry for 213.186.32.0/19, supernet
          Known via "bgp 6447", distance 20, metric 0
          Tag 4826, type external
          Last update from 114.31.199.1 1w0d ago
          Routing Descriptor Blocks:
          * 114.31.199.1, from 114.31.199.1, 1w0d ago
                  Route metric is 0, traffic share count is 1
                  AS Hops 2
                  Route tag 4826

      Given that when it comes to servers/hosting of any kind, monitoring over the Internet is a necessity, I sure as hell would not trust a "dedicated server" provider who filters ICMP like this.

    2. Re:OVH.ca by philip.paradis · · Score: 1

      Lots of providers block ICMP these days. I think it's a dumb practice, because nobody even tries to use ICMP for DDoS attacks anymore, and there are much more effective ways of taking out a host. Some hosts block ICMP because they actually believe doing so is equivalent to some kind of "cloaking" practice, which is worse from the perspective of trusting the host to know the first thing about security.

      All this said, trusting ICMP for server monitoring over anything more than a LAN is a questionable practice at best, especially given the lower priority such traffic may be assigned on networks that do permit it. Monitor the services you're hosting instead.

      --
      Write failed: Broken pipe
    3. Re:OVH.ca by philip.paradis · · Score: 1

      No, it's not awful advice, but your advice is pretty bad. MTR is a great tool for certain situations, most notably internal troubleshooting as an initial sanity check, but it frequently fails to provide meaningful insights into issues beyond many local networks for exactly the reasons I outlined above. Attempting to appeal to your experience here fails, as mine exceeds yours.

      If you're not monitoring services and you don't have access to internal stats for the server (frequently VM these days) hosting the service, including at a minimum memory, disk IO, and CPU utilization, you're poorly equipped to explain most real world outages. When dealing with production environments more complicated than Bob's Blog that gets 100 hits a day, countless examples abound for cases where things in a given network path, including the destination, will happily respond to ICMP while the services you actually care about are flailing about while a server OOMs, runs out of disk on a critical volume, suffers from a badly executed code push from some half ass dev team that takes out a web app, poorly constructed SQL queries take minutes to return data, a marketing campaign succeeds but nobody bothered to tell IT that resources should be scaled up to support increased traffic, etc. Do you actually have any experience with that level of monitoring? Your post suggests you do not, and if I were your employer I'd can you as soon as I discovered that fact. You're espousing an overly simplistic and unreliable means of monitoring IT environments, but please feel free to continue your willful ignorance (read: stupidity) so long as you don't mislead others.

      --
      Write failed: Broken pipe
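The two replies above argue for monitoring the hosted service itself rather than ICMP reachability, and list the failure modes a ping never sees: an OOM-ing app server, a saturated database, a bad code push. As an added example, not part of this thread, the Go program below is one shape such a probe can take: it requires a 200, a body containing a marker only the real application emits, and a response inside a latency budget, so a host that still answers pings while any of those fail is reported down. The `/healthz` path, the `status: ok` marker and the `demoServer` stand-in for the monitored application are all constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// CheckResult is what a service-level probe reports for one endpoint.
type CheckResult struct {
	Healthy bool
	Status  int           // HTTP status, 0 if no response was received
	Latency time.Duration // wall-clock time to receive and read the response
	Reason  string
}

// CheckHTTP probes an application endpoint the way a monitor should: it requires
// a 200, a body containing a marker the application itself emits (so a load
// balancer's placeholder page does not pass), and a response inside maxLatency
// (so a host that is swapping or saturated is flagged even though it answers).
// A host that responds to ICMP while any of these fail still counts as down.
func CheckHTTP(client *http.Client, url, marker string, maxLatency time.Duration) CheckResult {
	start := time.Now()
	resp, err := client.Get(url)
	if err != nil {
		return CheckResult{Reason: "request failed: " + err.Error()}
	}
	defer resp.Body.Close()
	body, readErr := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	res := CheckResult{Status: resp.StatusCode, Latency: time.Since(start)}
	switch {
	case readErr != nil:
		res.Reason = "body read failed: " + readErr.Error()
	case resp.StatusCode != http.StatusOK:
		res.Reason = fmt.Sprintf("unexpected status %d", resp.StatusCode)
	case !strings.Contains(string(body), marker):
		res.Reason = "health marker not found in body"
	case res.Latency > maxLatency:
		res.Reason = fmt.Sprintf("latency %v exceeds budget %v", res.Latency, maxLatency)
	default:
		res.Healthy = true
		res.Reason = "ok"
	}
	return res
}

// demoServer stands in for the monitored application and is constructed for
// this example. "mode" selects a healthy reply, a 503 (as from an OOM-ing app
// server), or a slow reply (as from a saturated database). All three would
// still answer a ping.
func demoServer(mode string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch mode {
		case "unavailable":
			http.Error(w, "upstream out of memory", http.StatusServiceUnavailable)
		case "slow":
			time.Sleep(150 * time.Millisecond)
			fmt.Fprint(w, "status: ok")
		default:
			fmt.Fprint(w, "status: ok db: ok queue: ok")
		}
	}))
}

func main() {
	client := &http.Client{Timeout: 2 * time.Second}
	for _, mode := range []string{"healthy", "unavailable", "slow"} {
		srv := demoServer(mode)
		r := CheckHTTP(client, srv.URL+"/healthz", "status: ok", 50*time.Millisecond)
		srv.Close()
		fmt.Printf("%-12s healthy=%-5v status=%d latency=%v reason=%s\n",
			mode, r.Healthy, r.Status, r.Latency, r.Reason)
	}
}
```

In practice the marker would come from a handler that actually touches the dependencies the service needs (database, queue, disk), so that a green check means the request path works end to end rather than that a process is listening; the host-level counters the second reply mentions (memory, disk I/O, CPU) are collected alongside, not instead.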
  7. Hashes aren't passwords (unless they're DES) by raymorris · · Score: 1, Informative

    Title: "credit cards and pass"
    TFS: "hashes of passwords leaked"

    That's a HUGE difference. Proper hashes of proper passwords may as well be public. It'd take billions of years to crack them. Unless of course Linode is still living in 1972 and using DES hashes, which may as well be plain text.

    Linode, if you WERE using DES hashes, call me. We have some work to do on your systems. The people who designed your systems clearly aren't knowledgeable enough in security that they can be trusted to fix the problems they created.

    1. Re:Hashes aren't passwords (unless they're DES) by Algae_94 · · Score: 1

      rainbow tables are only of use if you can store the table on disk. A rainbow table gets quite large quite quickly as the password length increases.

    2. Re:Hashes aren't passwords (unless they're DES) by raymorris · · Score: 1

      Here's a "proper hash", as our customers use. Have fun trying to crack it!
      $5$NhJlA5yUIk62$CC6DlreELmUVwagQqpPsEcZQoihQTCYklQz8y1me/p6

    3. Re:Hashes aren't passwords (unless they're DES) by jriding · · Score: 1

      Password123

      --
      love the taste, hate the texture
  8. Re:Nonsense by Anonymous Coward · · Score: 2, Insightful

    ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

    Your friends at Adobe published a lockdown guide that Linode ignored and patched this exploit months ago (also ignored by Linode). Adobe has done their part, but they can't force admins to secure their servers properly and install patches.

  9. Source? by jaygridley · · Score: 1

    Seems light on proof and heavy on speculation.

  10. Thank gawd by GrBear · · Score: 1

    I'm certainly glad when I was looking for a VPS, Linode was quite a bit more expensive than the one I was recommended. For the price they charge, I'd expect better security.

    1. Re:Thank gawd by Yosho · · Score: 1

      Out of curiosity, who were you recommended? I've got a Linode (1 GB RAM, 8 cores, $20/month) that I use as a small personal server. It's more than powerful enough for my needs, but I shopped around a little bit, and EC2 and Rackspace's low-end offerings were both more expensive than Linode's.

      Of course, I've also been pretty happy with Linode's security so far. Note that the summary is wrong; so far there's no reason to believe that any credit card info was leaked, and at worst password hashes were leaked, but not clear passwords.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    2. Re:Thank gawd by Yosho · · Score: 1

      Hm... their low-end prices are pretty good, although they only advertise "one CPU" with no indication of how fast that CPU is. And, to be fair, their data center is in Germany, which I've got a 133 ms ping to, as opposed to the 10 ms ping I have to Linode's data centers. I think I'll stick with Linode for now, but I'll keep them in mind to recommend to friends for whom $20/month is too expensive.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    3. Re:Thank gawd by GrBear · · Score: 1

      Sorry for the late reply. I'm using DigitalOcean.

    4. Re:Thank gawd by GrBear · · Score: 1

      I'm using the $40/mon plan, it's speedy enough that I'm running it as a private mail server, minecraft server, mumble server.. and occasionally as a TF2 server.

  11. Re:Nonsense by Anonymous Coward · · Score: 1

    Yeah, and there's nothing stopping Linode from dropping a product that insecure. It hasn't stopped any of us.

    Try and apologize it away all you want but they're at fault here as well.

  12. Re:So-called "Cloud" still not trustworthy by Ambassador+Kosh · · Score: 2

    Are you willing to pay higher fees to have that auditing done? What I have seen is that when given a choice a customer chooses the lowest cost option no matter what. They won't pay for security audits and that means if someone else is willing to give up on security they can charge less and you will lose the business.

    --
    Computer modeling for biotech drug manufacturing is HARD! :)
  13. Capital One - not in my wallet! by dclozier · · Score: 3, Informative

    I used to think the same thing until I ended up paying for some charges I didn't make. Capital One's team of investigators concluded that the charges were my responsibility. I've been running Linux on the desktop for over 10 years now so I know it wasn't a trojan or some other malware on my end giving up the card number - it had to be an online service somewhere that was hacked. I never found out who or how. I only ended up owing money for iPower Web hosting (would never in a million years use their service to start with), various gourmet coffee that was delivered to my house (ok I do like coffee but still wouldn't have ordered it online), video professor videos on using Microsoft Office (you know, if I should ever go back to Windows this may be handy???) and colon cleanser. WTF? I don't think they really did any investigating - just waited for a bit and then said it was my fault. Capital One offers no protection.

    1. Re:Capital One - not in my wallet! by Anonymous Coward · · Score: 1

      My card was just compromised last night. For the second time. I'm fairly sure the culprit is the local sushi establishment's website. Both times I was compromised happened shortly after I used their site. And once when I had just gotten the new card I accidentally entered in the wrong information and they had to call. That time there was no compromise. (Also some of the charges were for businesses local to me.)

      Mine was an AMEX card. The first time it happened Amazon called me to confirm and I found out that way. Checked and there were a handful of other charges. AMEX reversed them all (except one that was with a vendor with whom I have recurring payments which is still under investigation - but it's definitely not mine - doesn't match any of my bills and it's significantly more than even my highest bill).

      The second time, AMEX called me immediately with the first fraudulent charge. That charge never went through.

      I really think getting a credit card through your bank may be the way to go, though. At least if you have a reasonable amount of money. If they refuse to reverse charges, they face you packing up the rest of your money and going elsewhere.

    2. Re:Capital One - not in my wallet! by whoever57 · · Score: 1

      You need to dump your CC company and get a new one.

      My CC has been compromised several times, once for over $3k (plus foreign transaction fees). Every time, my CC company has cancelled every penny of the charges.

      I think the source of the compromise was a local gas station that has old pumps that I believe are vulnerable to skimmer installation. Haven't had a problem since I stopped using that gas station.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Capital One - not in my wallet! by MyHair · · Score: 2

      Have to give props to AMEX here. While traveling for a living I apparently got my card skimmed shortly before a flight home Friday. They called me at my connecting airport, we discussed which charges were mine and which weren't. They canceled my card and had a replacement card ready to pick up within a few miles of my house on Saturday so when I flew out Sunday night I had my new card for the rental car and hotel. (It was a corporate card; I don't know if that makes a difference.) I was briefly concerned when the fraudulent charges showed up on my balance on the website, but they took them off again before I started getting antsy about the fraudulent-claim window.

      I suppose it might have helped my case that my travel was on the East coast, I live in TX and the fraudulent charges were in CA.

      (And btw...traveling for a living sucks!)

    4. Re:Capital One - not in my wallet! by MaineCoon · · Score: 1

      Switch to Chase, they're very good about this. Recently, someone got hold of my CC# and was trying to buy gas with it several states away. They emailed me immediately, and I saw this notification within minutes and called them up. They went over recent charges with me, marked them as fraudulent, then asked me if I saw any other suspicious charges (I spotted one other from 2 weeks before), which they also immediately flagged. Then they closed out the card and sent me new cards via overnight courier, and informed me that if I see any other bad charges when I check my statement, to let them know.

      --
      Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
  14. Re:Nonsense by Anonymous Coward · · Score: 1

    Oh, I'm not defending Linode. I'm simply pointing out that ColdFusion is not an inherently insecure product. I've used it for over a decade with no issue. Linode neglected to follow best practices and they also failed to stay patched. You can't blame Adobe for either of those. Why drop a productive platform when all you need is to configure correctly and stay patched? Of course, their crypto snafus are also equally damning. If this is how they wrote their CFML, imagine what they'd do with PHP.

  15. Seriously, whats Linode? by Gothmolly · · Score: 3, Insightful

    What is Linode? Would it kill an editor to include that in TFS?

    --
    I want to delete my account but Slashdot doesn't allow it.
  16. Re:Nonsense by drinkypoo · · Score: 2

    Why drop a productive platform when all you need is to configure correctly and stay patched?

    Good question. What does it have to do with this case? They're using ColdFusion.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. point: example for Regulation by bussdriver · · Score: 1

    If you regulate an industry, ALL must do it. There is no cheap alternative because it is mandatory. The free market isn't going to do it because taking the risk is worth pennies to most consumers who are NOT thinking of all the potential risks involved if they even are aware of a couple of the long list of risks.

    Making people do something across the board always raises BS opposition but when it is applied uniformly (it usually is) there is no impact on the market (because the added costs are usually too low to matter, especially for large markets.)

    Obviously, there are issues of making it FAIR and uniform in this age of global markets and we are not properly addressing these issues because of the propaganda and the resulting dysfunction. Most states lose income from sales tax and regulations because of their interstate commerce limitations. Either fix that or give up and raise revenue by other means.

    Oh, BTW, drug lords are "job creators" who are not deterred by a war being waged against their business (can you get more severe than regulating the business is illegal? yeah, you can wage an unconstitutional war against it.) Somebody will want the money bad enough to provide the service to those willing to pay. The only real factor is how many customers will pay what it costs to support the industry. The regulations can be far more severe.

    1. Re:point: example for Regulation by Etherwalk · · Score: 1

      If you regulate an industry, ALL must do it.

      Not very familiar with the services section of craigslist or the spousal-support taxless gray market cash economy, I see.

    2. Re:point: example for Regulation by bussdriver · · Score: 1

      Simply because somebody breaks the law is not an argument for not having any law in the 1st place. Now for drugs... a HUGE number of people break the laws and if this were a democracy the representatives would reflect the citizens better.

      Most transactions are within the regulated systems and it is not a big deal until a significant number of transactions happen. You do realize food labels were a heavily fought battle or pollution??

    3. Re:point: example for Regulation by Ambassador+Kosh · · Score: 1

      That is what I actually like about engineering. It is a regulated field and you can't just go somewhere else to get something underbid. It is one of the many reasons I am getting out of regular programming. Customers will try to have one part of a project done very cheaply by someone in another country but then when it breaks or never works to begin with they want someone here to fix it but they also want it to be super cheap because that other company in India was able to do it for almost nothing. Programming has become a race to the bottom.

      Programming skills though are highly useful in a number of fields. That is why I am moving into the nanotech and biotech markets.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
  18. Coincidence... or not. by angst_ridden_hipster · · Score: 2

    Over the weekend, I got a lot of spurious charges on the credit card I use for my Linode account. Charges from several different countries, for various amounts that looked like automated "is this card valid?" type probes. The bank shut it down, but not before I got paged a bunch of times.

    Then again, the odds are just as good that a waiter at some restaurant uploaded my number to some IRC channel to get back at me for my guest's order being too complicated or something.

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
    1. Re:Coincidence... or not. by Anonymous Coward · · Score: 1

      Yeah, it's probably the Linode leak. Same thing happened to me.

    2. Re:Coincidence... or not. by Aurix · · Score: 1

      My card doesn't appear to have any charges on it. I've sought a new card number anyway. Linode hasn't responded squarely to the allegations in the IRC logs that the decryption/encryption keys to credit cards were stored insecurely.

  19. #linode is now +m by Anonymous Coward · · Score: 1

    A bit of comment would be nice...

  20. We need a better statement from Linode by Anonymous Coward · · Score: 1

    I got the email. It's not enough.

    I realize that nobody can or should waste their breath every time someone runs their mouth off on IRC. But for better or worse, this guy is indirectly being quoted on Slashdot. Someone called you out, and it's IN PUBLIC now. Linode needs to either admit or rebut some of the claims "ryan" made, above and beyond the mere fact that a Lish compromise happened.

    My monthly emails of the bills only go back to 2007 but I think I've been using Linode since 2004. Not sure. But as much as I want to give them the benefit of the doubt, the lack of comments on specifics reads like an admission that this "ryan" guy is telling it like it is. Linode, really, you don't want me thinking that. It's been a reliable monthly payment for an almost wastefully-underused VPS, going back literally so many years that I can't remember. Don't let it end like this, with your silence.

  21. No but the LISH passwords are stored in plain text by Mr0bvious · · Score: 1

    According to the linked chat log, Linode is storing the lish passwords in plain text!!

    I'd suggest you at least change your lish password...

    This saddens me a lot, I had much more faith in Linode and it makes me look like a fool for recently recommending them to others.

    I really wish Linode would come forward with the whole facts on this saga, and let us users know what has really been exposed/compromised.

    --
    Never happened. True story.
  22. Statement from Linode by lbbros · · Score: 1

    http://blog.linode.com/2013/04/16/security-incident-update/ However I'm not knowledgeable enough wrt security to say if it's just damage control or not.

    --
    A CC-licensed illustrated horror novel