JP Vossen on 30 Jan 2016 13:21:20 -0800
Re: [PLUG] Time Warner and Linode report possible password breaches
Linode after action report: https://blog.linode.com/2016/01/29/christmas-ddos-retrospective/

On 01/07/2016 01:29 PM, JP Vossen wrote:
> Yeah, what Brent said. More inline.
>
> On 01/07/2016 12:57 PM, brent timothy saner wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> On 01/07/2016 12:18 PM, Doug Stewart wrote:
>>> Based on what I've read, it's really bad. Looks like maybe a former
>>> employee either is directly responsible or perhaps sold off login
>>> credentials to malicious third parties who have been targeting the
>>> Linode Manager in particular with the DDoS to make it even harder for
>>> Linode customers to process their password resets. We're looking to
>>> get any of our gear that's on Linode off.
>>>
>>> HN thread, so take it with a grain of salt, but
>>
>> Yeah, I don't trust a word from HackerNews. Everyone in InfoSec knows
>> they're a bunch of jokes. Trust their accuracy as much as you would The
>> Guardian, Daily World News, etc. (I'm still convinced it's secretly an
>> attempt at a security professional's The Onion, but I digress.)
>
> <snicker>
>
>> I do, however, have a long-standing personal friendship with several
>> current Linode employees. The "PR-spun" post at
>> https://blog.linode.com/2016/01/05/security-notification-and-linode-manager-password-reset/
>> is as transparent as can be without revealing more information than
>> you'd need. To answer your specific question, the passwords are salted
>> and hashed well.
>>
>> Personally, I love and support Linode. They try hard. I'm not bothered
>> by this notice. Why? Because *they caught it* and *are responding to
>> it* and *alerted customers to it*, and *are enforcing password
>> rotations to customers even though it's not necessary*. Why?
>
> Yes, they try very hard and are as transparent as possible.
>
> [...]
>
>> In other words, I'm infinitely more happy to find out about a
>> compromise from a blog post and/or email from my provider than finding
>> out about it via a pastebin dump.
>
> I'm surprised any of this is "news" to this group, else I'd have said
> something days ago. They've been under DDoS since late December, and
> that (and the password issue) have both been on Slashdot.
>
> The DDoS has significantly affected my Linode server (in Atlanta), which
> affects my web site, DNS and the only actually important part, my mail
> relay. I've had huge amounts of spam from my Nagios monitoring, and some
> of their mitigation has affected that monitoring (I can't ping my node's
> upstream default gateway anymore). I know other PLUG-ers have Linodes so
> I figured everyone who needed to know already knew.
>
> Coincidentally, I had a FiOS DHCP change and when I updated DNS the
> change only propagated to some of their servers. That led to even more
> mail relay problems that were tricky to track down until I noticed the
> IPA discrepancy (some new, some old).
>
> Does all of this bug me? Yes. Is it Linode's fault? I don't think so,
> because *everything* else that I've seen that I have any kind of clue
> about they have done Right. I have no reason to think they did
> *everything* else right *except* the magical things that led to these
> current problems. And as noted they have always been very transparent
> about everything else. So they are getting screwed by some bad actor,
> (former) employee or not, and they are taking all kinds of steps to
> mitigate it now and for the future. (It is an arms race, after all.)
> I'm not going to leave, but I admit I have more flexibility and
> tolerance for issues than other folks, so no judgment.
>
>> From what I've heard from actual current Linode employees, it really
>> isn't all that bad and the accounts that were compromised were not
>> practicing good security measures. And I trust them, because these are
>> people I've gotten drunk with before and know fairly well. But of
>> course, let's all buy into media frenzy, by all means.
>
> I also feel sorry for all the Linode folks that have been working 24x7
> on all of this since mid-late December and missed the holidays.
Later,
JP
--
-------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
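The partial-propagation problem JP describes above (a changed record served by some of the provider's nameservers but not others, only noticed once the new and old addresses were seen side by side) is easy to catch mechanically if you ask every authoritative server for the same name and compare the answers. The following is an added example, not code from this thread or from Linode; the nameserver names and addresses are constructed, and the `parse_dig_short` helper assumes you feed it the output of `dig +short @<server> <name> A` for each NS record of the zone.

```python
from collections import Counter

# Constructed sample (not real Linode or jpsdomain.org data): the A-record
# answer each of a zone's authoritative nameservers returned for one hostname
# shortly after the record was changed. ns3 still serves the old address and
# ns5 did not answer at all.
SAMPLE_ANSWERS = {
    "ns1.example.net": {"203.0.113.10"},
    "ns2.example.net": {"203.0.113.10"},
    "ns3.example.net": {"198.51.100.7"},
    "ns4.example.net": {"203.0.113.10"},
    "ns5.example.net": set(),
}


def parse_dig_short(output):
    """Turn the text of `dig +short @<server> <name> A` into a set of answers.
    An empty set means the server gave no usable answer (timeout, SERVFAIL,
    NXDOMAIN), which is itself something to report."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def consensus_answer(answers):
    """Most common non-empty answer set across servers, or None if every
    server came back empty."""
    counts = Counter(frozenset(a) for a in answers.values() if a)
    if not counts:
        return None
    return set(counts.most_common(1)[0][0])


def find_stale_servers(answers, expected=None):
    """Return {server: answer} for every server whose answer differs from
    `expected` (the address you just published) or, when no expectation is
    given, from the majority answer. Servers that returned nothing are
    always reported: a resolver that happens to hit them sees a different
    world from one that hits the others."""
    target = set(expected) if expected is not None else consensus_answer(answers)
    if target is None:
        return {srv: set(ans) for srv, ans in answers.items()}
    return {srv: set(ans) for srv, ans in answers.items() if set(ans) != target}


def report(answers, expected=None):
    """Human-readable summary, one line per disagreeing server, suitable as
    the output text of a Nagios-style check (non-empty means WARNING)."""
    stale = find_stale_servers(answers, expected)
    if not stale:
        return "all servers agree"
    lines = []
    for srv, ans in sorted(stale.items()):
        shown = ", ".join(sorted(ans)) if ans else "(no answer)"
        lines.append(f"{srv}: {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("majority answer:", consensus_answer(SAMPLE_ANSWERS))
    print(report(SAMPLE_ANSWERS, expected={"203.0.113.10"}))
```

Passing `expected` is the stricter mode: right after a change you know which address should be served, so anything else is stale by definition. Without it, the majority answer is the reference, which is the right default for a periodic monitoring check where the operator did not just publish a change.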