Slashdot Mirror


Linode Hacked, Credit Cards and Passwords Leaked

An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."

16 of 112 comments

  1. Oh FFS by kernelpanicked · · Score: 4, Insightful

    Linode hacked again!? Seriously, for the premium they're charging, beefing up security might do well to be added to their to-do list.

    --
    Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
    1. Re:Oh FFS by Anonymous Coward · · Score: 4, Informative

      Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

      Except ryan_ in the chatlogs (which you obviously didn't bother to read) stated that Linode has set up their ColdFusion environment in a very insecure way. They apparently don't follow best practices. Not saying ColdFusion isn't shit, but it's still Linode's fault.

    2. Re:Oh FFS by SteveSommers · · Score: 2

      Based on the limited information released, I'm not sure how anyone could make the claim "was beyond their direct control and was a flaw in cold fusion." I use ColdFusion every day and most of the "vulnerabilities" reported can be avoided by using best practices -- the biggest being to remap the CFIDE directory to an empty directory and then add a virtual SCRIPTS directory under it pointing back to the original CFIDE/SCRIPTS location. This one best practice prevents 99+% of the ColdFusion vulnerabilities. Most likely, preventing the breach was in their control.

    3. Re:Oh FFS by SteveSommers · · Score: 2

      ...Linux can't be hacked.

      @Anonymous Coward, With this statement alone you lost any and all credibility you might have had.

  2. Re:Almost signed up Friday morning, too... by Anonymous Coward · · Score: 3, Funny

    Dreamhost

    Out of the frying pan...

    Well, at least Dreamhost is pretty open about when they fuck up.

  3. Re:Almost signed up Friday morning, too... by NitzJaaron · · Score: 2

    I've used them for shared hosting for years, and it's been a hell of a frustration. That said, however, their VPS service actually has a good record. For the discounted price they offered me (based on the absolutely horrific service for the last few months) I couldn't refuse. It was a really good deal.

  4. Some more details by Necroman · · Score: 5, Informative

    Some details that people have been able to find so far.

    1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html

    This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387).
    This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388).

    2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html

    3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3

    4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

    --
    It's not what it is, it's something else.
  5. So-called "Cloud" still not trustworthy by Anonymous Coward · · Score: 2

    There has to come a point in time where the law holds online providers responsible. Security is a process, not a product. It should be law that ALL companies must audit their code and processes at least twice a year. Look at OpenBSD, for example. Yes, it's an operating system, but they have the almost perfect record they have because of audits. Banks have audits. Companies fall under audit regulations. NIST 800-53 needs to be required of every company doing business on the Internet that holds or processes personal data.

  6. Re:Nonsense by cheater512 · · Score: 2, Informative

    ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

  7. Re:Nonsense by Anonymous Coward · · Score: 2, Insightful

    ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

    Your friends at Adobe published a lockdown guide that Linode ignored, and patched this exploit months ago (also ignored by Linode). Adobe has done their part, but they can't force admins to secure their servers properly and install patches.

  8. Re:So-called "Cloud" still not trustworthy by Ambassador+Kosh · · Score: 2

    Are you willing to pay higher fees to have that auditing done? What I have seen is that when given a choice a customer chooses the lowest cost option no matter what. They won't pay for security audits and that means if someone else is willing to give up on security they can charge less and you will lose the business.

    --
    Computer modeling for biotech drug manufacturing is HARD! :)
  9. Capital One - not in my wallet! by dclozier · · Score: 3, Informative

    I used to think the same thing until I ended up paying for some charges I didn't make. Capital One's team of investigators concluded that the charges were my responsibility. I've been running Linux on the desktop for over 10 years now so I know it wasn't a trojan or some other malware on my end giving up the card number - it had to be an online service somewhere that was hacked. I never found out who or how. I only ended up owing money for iPower Web hosting (would never in a million years use their service to start with), various gourmet coffee that was delivered to my house (ok I do like coffee but still wouldn't have ordered it online), video professor videos on using Microsoft Office (you know, if I should ever go back to Windows this may be handy???) and colon cleanser. WTF? I don't think they really did any investigating - just waited for a bit and then said it was my fault. Capital One offers no protection.

    1. Re:Capital One - not in my wallet! by MyHair · · Score: 2

      Have to give props to AMEX here. While traveling for a living I apparently got my card skimmed shortly before a flight home Friday. They called me at my connecting airport, we discussed which charges were mine and which weren't. They canceled my card and had a replacement card ready to pick up within a few miles of my house on Saturday so when I flew out Sunday night I had my new card for the rental car and hotel. (It was a corporate card; I don't know if that makes a difference.) I was briefly concerned when the fraudulent charges showed up on my balance on the website, but they took them off again before I started getting antsy about the fraudulent-claim window.

      I suppose it might have helped my case that my travel was on the East coast, I live in TX and the fraudulent charges were in CA.

      (And btw...traveling for a living sucks!)

  10. Seriously, what's Linode? by Gothmolly · · Score: 3, Insightful

    What is Linode? Would it kill an editor to include that in TFS?

    --
    I want to delete my account but Slashdot doesn't allow it.
  11. Re:Nonsense by drinkypoo · · Score: 2

    Why drop a productive platform when all you need is to configure correctly and stay patched?

    Good question. What does it have to do with this case? They're using ColdFusion.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Coincidence... or not. by angst_ridden_hipster · · Score: 2

    Over the weekend, I got a lot of spurious charges on the credit card I use for my Linode account. Charges from several different countries, for various amounts that looked like automated "is this card valid?" type probes. The bank shut it down, but not before I got paged a bunch of times.

    Then again, the odds are just as good that a waiter at some restaurant uploaded my number to some IRC channel to get back at me for my guest's order being too complicated or something.

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net