Security
For Linode manager, are you doing something a bit more than a salt and md5 (are you even doing a salt?).
And onto social engineering:
If I email in saying "crap, forgot my password and can't reset via email because the account is lost/hacked/closed, etc.", what do you do to verify?
What if someone calls with the ID etc., asking for special support? How do you verify the person is legit?
What if you received a forged email from me - easy to fake email headers?
16 Replies
Linode seems to take security pretty seriously. Exhibit A: When Firesheep made waves a couple months back, several major VPS providers were vulnerable. Linode, however, has had SSL enabled across 100% of the manager for as long as I can remember.
As far as account verification goes… Based on some conversations "overheard" in IRC, it seems they want (at least) some portion of the credit card number on the account (more than just the last 4, which is pretty easy to figure out), and the billing address. That seems pretty reasonable to me…
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent. That way, even if someone compromises your password, you will know about it.
I have no idea how passwords (or representations of passwords) are stored, but given the examples above, I assume they take that just as seriously.
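The IP-allowlist control described in the post above, worked through as an added example (Python, written for this page; it is not Linode's code and Linode's real implementation is not shown here). The allowlist networks and the login log lines are constructed values; "block" mode refuses unlisted addresses, "warn" mode lets them in and produces the text for the warning e-mail.

```python
import ipaddress
import re
from dataclasses import dataclass

# Networks permitted to reach the management console (constructed values from
# documentation ranges; Linode's real implementation is not shown on this page).
ALLOWLIST = [ipaddress.ip_network(n)
             for n in ("203.0.113.0/24", "198.51.100.7/32", "2001:db8::/32")]

@dataclass(frozen=True)
class Decision:
    user: str
    source: str
    action: str  # "allow", "block" or "warn"

def evaluate_login(user, source, mode="block"):
    """Compare a login's source address with the allowlist.

    mode="block": unlisted addresses are refused outright.
    mode="warn":  unlisted addresses get in, but the attempt is flagged for an alert.
    """
    if mode not in ("block", "warn"):
        raise ValueError(f"unknown mode {mode!r}")
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return Decision(user, source, "block")  # unparseable source is never trusted
    if any(ip in net for net in ALLOWLIST):
        return Decision(user, source, "allow")
    return Decision(user, source, mode)

LOGIN_RE = re.compile(r"user=(?P<user>\S+) ip=(?P<ip>\S+)")

def review_log(lines, mode="block"):
    """Run every parseable login record through evaluate_login."""
    return [evaluate_login(m["user"], m["ip"], mode)
            for m in map(LOGIN_RE.search, lines) if m]

def alert_messages(decisions):
    """Body lines of the warning e-mail the account owner would receive in warn mode."""
    return [f"Login for {d.user} from unlisted address {d.source}"
            for d in decisions if d.action == "warn"]

# Constructed sample: two listed addresses, one hotel address, one garbage value.
SAMPLE_LOG = [
    "2011-01-12T10:03:01Z manager login user=alice ip=203.0.113.15",
    "2011-01-12T11:47:09Z manager login user=alice ip=2001:db8:1::9",
    "2011-01-12T23:15:42Z manager login user=alice ip=192.0.2.77",
    "2011-01-12T23:16:00Z manager login user=alice ip=not-an-ip",
]
```

Running `review_log(SAMPLE_LOG, mode="warn")` admits the two listed addresses, flags the hotel address for an alert and blocks the unparseable one; the same log in the default block mode refuses both unlisted entries.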
> … Based on some conversations "overheard" in IRC, it seems they want (at least) some portion of the credit card number on the account (more than just the last 4, which is pretty easy to figure out), and the billing address. That seems pretty reasonable to me…
Sounds incredibly weak. So basically any of the 132 merchants that I use, if any were hacked (if ==> when), that have billing and part of the CC (most respectables won't store CVS), but regardless enough for a hacker to sabotage a Linode infrastructure. How do I know I run a Linode? well maybe I got
In terms of corporations, just look up the registered address: whois.sc, or the company registrar (freely available), or, here's an idea, any contact-us page and/or most footers disclose the registered address. Now any of the merchants we used, or any of the suppliers that have our CC on file, can in theory take down our infrastructure.
Okay, I'm a cynic, and you might consider these far-fetched, but I've seen both happen.
> Sounds incredibly weak. So basically any of the 132 merchants that I use, if any were hacked (if ==> when), that have billing and part of the CC (most respectables won't store CVS), but regardless enough for a hacker to sabotage a Linode infrastructure. How do I know I run a Linode? well maybe I got
We have no control over the security of information stored at other merchants. First, for what you've described to be a genuine concern with respect to gaining unauthorized access to your Linode Manager account, someone would most likely already have to have a sincere interest in targeting you. There are probably easier ways to gain authorized access to your server resources, starting with targeted attacks on the specific services you're operating on your servers.
However, to directly address your concern that it's theoretically possible, you can simply use a separate credit/debit card to purchase Linode services. If no other merchant has that billing information, you don't have to worry about it anywhere else, unless of course your financial institution were to suffer some sort of catastrophic compromise. In that event, you probably have bigger problems.
Yes, it probably does sound paranoid, but I've seen some pretty easy attacks before, in the space of social engineering, for no other reason than what I suspect was competitor sabotage. I'd rather play it out in speculation on the cautious side than be shocked when scenarios become a reality.
I like the approach Google Apps takes, whereby you have a separate support PIN for when support is requested via phone/snail mail. This additional piece of information is unique to that vendor, so you lock it safely away. Unfortunately it's not always possible for most people to use a different card, either due to the number of cards (in terms of corporate cards), or the lack of one-time numbers (these are a minority, bear in mind). Or Amazon EC2, where you have to paste PEM.
But glad to see stuff like XSS is prevented in Linode Manager with the form-based anti-forgery tokens, unlike another VPS provider I recently tried.
@vonskippy:
…it's the tarnish that makes tinfoil hats ineffective against the Mark IV or higher thought control waves.
Now that most "tinfoil" is actually manufactured using the element aluminium it only blocks Mark III or lower. Use real tin, 1/2 inch thick or more, for the best results. See my avatar for an example diagram of how this is best done - and I'm not the only one that wears this design.
Snorting large amounts of powdered tin daily helps protect against leakage from the bottom of the brain out through the sinuses as well. Tarnish actually has very little to do with it, that would be silly.
James
@pclissold:
Tin is not sufficiently dense to protect against the latest generation of attacks. My hat is made out of alternating layers of depleted uranium and tungsten.
Ah, but what are you snorting?
James
@JshWright:
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent.
and let me tell you, it can be annoying when you're at a hotel, need access to the manager, and the stupid hotel internet keeps changing your IP!
@glg:
@JshWright: Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent.
and let me tell you, it can be annoying when you're at a hotel, need access to the manager, and the stupid hotel internet keeps changing your IP!
Turn it off when you're in a hotel then
@JshWright:
(Note: I'm just a happy customer)
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent. That way, even if someone compromises your password, you will know about it.
Whoa! Where is this? I just clicked around the account manager for a while and didn't see an "Account Security Options" page. Let alone anything where I could configure restricted access. This is definitely something that looks like a great idea.
Scott–
@AggieScott:
@JshWright: (Note: I'm just a happy customer)
Have you checked out the Account Security options in the Linode Manager? It lets you set up a whitelist of IP addresses that are allowed to access the manager. If an IP that's not on that list tries to log in, you can either block them entirely, or have a warning e-mail sent. That way, even if someone compromises your password, you will know about it.
Whoa! Where is this? I just clicked around the account manager for a while and didn't see an "Account Security Options" page. Let alone anything where I could configure restricted access. This is definitely something that looks like a great idea.
Scott–
Click "my profile" near the logout link, top right. Then it's at the bottom of the screen.
@obs:
Click "my profile" near the logout link, top right. Then it's at the bottom of the screen.
Found it, thanks!
@zunzun:
@pclissold: Tin is not sufficiently dense to protect against the latest generation of attacks. My hat is made out of alternating layers of depleted uranium and tungsten.
Ah, but what are you snorting?
James
I have a mutant spider, crossed with a silk worm to snort the uranium. It produces web strings that are 1 atom thick, which are spun into a nicely decorated full cat suit.
@graq:
@zunzun:
@pclissold: Tin is not sufficiently dense to protect against the latest generation of attacks. My hat is made out of alternating layers of depleted uranium and tungsten.
Ah, but what are you snorting?
James
I have a mutant spider, crossed with a silk worm to snort the uranium. It produces web strings that are 1 atom thick, which are spun into a nicely decorated full cat suit.
I want photographic proof!