Re: [PLUG] Time Warner and Linode report possible password breaches

JP Vossen on 7 Jan 2016 10:29:46 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Time Warner and Linode report possible password breaches

From: JP Vossen <jp@jpsdomain.org>
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: Re: [PLUG] Time Warner and Linode report possible password breaches
Date: Thu, 7 Jan 2016 13:29:41 -0500
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

Yeah, what Brent said.  More inline.

On 01/07/2016 12:57 PM, brent timothy saner wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 01/07/2016 12:18 PM, Doug Stewart wrote:
>> Based on what I've read, it's really bad. Looks like maybe a former
>> employee either is directly responsible or perhaps sold off login
>> credentials to malicious third parties who have been targeting the
>> Linode Manager in particular with the DDoS to make it even harder for
>> Linode customers to process their password resets.
>>
>> We're looking to get any of our gear that's on Linode off.
>>
>> HN thread, so take it with a grain of salt, but
>
> Yeah, I don't trust a word from HackerNews. Everyone in InfoSec knows
> they're a bunch of jokes. Trust their accuracy as much as you would The
> Guardian, Daily World News, etc. (I'm still convinced it's secretly an
> attempt at a security professional's The Onion, but I digress.)

<snicker>

> I do, however, have a long-standing personal friendship with several
> current Linode employees. The "PR-spun" post at
> https://blog.linode.com/2016/01/05/security-notification-and-linode-manager-password-reset/
> is as transparent as can be without revealing more information than
> you'd need. To answer your specific question, the passwords are salted
> and hashed well.
>
> Personally, I love and support Linode. They try hard. I'm not bothered
> by this notice. Why? Because *they caught it* and *are responding to it*
> and *alerted customers to it*, and *are enforcing password rotations to
> customers even though it's not necessary*. Why?

Yes, they try very hard and are as transparent as possible.

[...]

> In other words, I'm infinitely more happy to find out about a compromise
> from a blog post and/or email from my provider than finding out about it
> via a pastebin dump.

I'm surprised any of this is "news" to this group, else I'd have said
something days ago.  They've been under DDoS since late December, and
that (and the password issue) have both been  on Slashdot.  The DDoS has
significantly affected my Linode server (in Atlanta), which affects my
web site, DNS and the only actually important part, my mail relay.  I've
had huge amounts of spam from my Nagios monitoring, and some of their
mitigation has affected that monitoring (I can't ping my node's upstream
default gateway anymore).  I know other PLUG-ers have Linodes so I
figured everyone who needed to know already knew.

Coincidentally, I had a FiOS DHCP change and when I updated DNS the
change only propagated to some of their servers.  That led to even more
mail relay problems that were tricky to track down until I noticed the
IPA discrepancy (some new, some old).

Does all of this bug me?  Yes.  Is it Linode's fault?  I don't think so,
because *everything* else that I've seen that I have any kind of clue
about they have done Right.  I have no reason to think they did
*everything* else right *except*' the magical things that led to these
current problems.  And as noted they have always been very transparent
about everything else.

So they are getting screwed by some bad actor, (former) employee or not,
and they are taking all kinds of steps to mitigate it now and for the
future.  (It is an arms race, after all.)  I'm not going to leave, but I
admit I have more flexibility and tolerance for issues than other folks,
so no judgment.

> - From what I've heard from actual current Linode employees, it really
> isn't all that bad and the accounts that were compromised were not
> practicing good security measures. And I trust them, because these are
> people I've gotten drunk with before and know fairly well. But of
> course, let's all buy into media frenzy, by all means.

I also feel sorry for all the Linode folks that have been working 24x7
on all of this since mid-late December and missed the holidays.

My $0.02,
JP
--  -------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Time Warner and Linode report possible password breaches
  - From: JP Vossen <jp@jpsdomain.org>

References:
- [PLUG] Time Warner and Linode report possible password breaches
  - From: Justin Reans <jreans@gmail.com>
- Re: [PLUG] Time Warner and Linode report possible password breaches
  - From: Mike DePaulo <mikedep333@gmail.com>
- Re: [PLUG] Time Warner and Linode report possible password breaches
  - From: Doug Stewart <zamoose@gmail.com>
- Re: [PLUG] Time Warner and Linode report possible password breaches
  - From: brent timothy saner <brent.saner@gmail.com>

Prev by Date: Re: [PLUG] Time Warner and Linode report possible password breaches
Next by Date: Re: [PLUG] Time Warner and Linode report possible password breaches
Previous by thread: Re: [PLUG] Time Warner and Linode report possible password breaches
Next by thread: Re: [PLUG] Time Warner and Linode report possible password breaches
Index(es):
- Date
- Thread