This is what Linode staff, along with the fine men and women of the Galloway Police Department, had to deal with this afternoon: a SWAT team raided the Linode office and forced everyone out for about an hour while they cleared the building room by room, explosives-sniffing dog (a very happy one) and all. They had received a false report that prompted them to respond this way, and responding to reports is, after all, their job, even when a report turns out to be a hoax. They were great, and I thank them.
Coincidentally, this came at about the same time we learned that a database on an old personal server had been accessed using old forum credentials obtained in an incident last year. This server is not under the umbrella of our security team because this server plays no role in Linode infrastructure. Unfortunately, it did have a restore of the phpBB forum database on it from 2010-03-03. Forum users who existed at that time and have not changed their credentials since have had those credentials revoked and will need to reset them. We regret that this happened and apologize for our carelessness. We will be discussing new security policies to address situations like this.
On the subject of security: last year we halted all other development and focused on security for more than six months. We did everything we could think of, from greatly reducing our Internet-facing footprint, to defining, testing or improving our practices and policies going forward, to third-party penetration testing. We did this until we ran out of things to fix and ran out of ideas to pursue, and our security team continuously and proactively assesses our infrastructure and services. It was a monumental effort and a story worth telling, but that effort and its results belong in their own post. Stay tuned.
We know how important transparency is, and how we should have done better in the past. This is the story.
As always, please contact us if you have any questions.
-Chris
Christopher S. Aker
Founder and CEO, Linode
Comments (26)
Heh, and they posed and all. Oh well, stuff happens.
Basic rule of computer security – there is no such thing as a “low risk” machine. In corporate environments (e.g. banks) all desktops, all laptops, all services (even DEV machines) need to be secure. If it’s on the network then it’s a risk and needs security. If it was on the network and isn’t any more then it needs proper decommissioning (disk wipe, etc).
Similarly backups; any backup tape needs security; any machine that has a backup restored to it needs security.
BYOD means segmented networks and virtual desktops (never ever plug a BYOD device into your main WAN/LAN).
And so on. Basically every single bit of data needs to be secured.
You can’t play games. Every single one of your machines *MUST* be under the remit of your security team.
Security is hard. Security is expensive. But you need to do it.
Sounds like a great goal guys, exactly what I’m hoping you’ll improve!
Increased security is great, but where’s your transparency report? I want to know about the people who breach your systems in the courts in addition to through the firewall.
This is the most confusing article I’ve ever read. Looks like somebody swatted you guys, and you seem to be happy about it.
“Basic rule of computer security – there is no such thing as a “low risk” machine.”
The rallying cry of amateurs everywhere.
You have to prioritize, or you’ll get nothing done. At most, you might say that the server should have been under the remit of the security team, but the end result may have legitimately been the same: “this machine is not a major priority due to the low potential impact of an attack against it”.
How were the passwords hashed? From what I can tell from the phpBB sources, it’s using md5.
http://sources.debian.net/src/phpbb3/3.0.12-1/includes/functions.php?hl=459#L459
If the passwords taken were md5 hashed, then they can be trivially unmasked, and this is a major breach. Burying it in the middle of an unrelated article is a very strange thing to do.
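The exposure of a leaked forum table depends on how each row was hashed, and a phpBB3 database can hold two generations of hashes. The following Python is an added example, not code from Linode or from the phpBB project: it reimplements, as I understand it from the phpass design that phpBB3 adopted, the portable `$H$` scheme (8-character salt, 2^count chained MD5 rounds, phpass's own base64 alphabet) alongside the 32-character unsalted MD5 that phpBB3 still accepts for accounts migrated from phpBB2, and classifies rows of a constructed sample dump by scheme. The round count of 11 and the exact iteration layout are assumptions taken from my reading of those sources; the sample rows are constructed here.

```python
import hashlib
import hmac
import os

# Custom base64 alphabet used by phpass (assumption: copied from the phpass design).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's non-standard base64: 3 bytes -> 4 chars, low bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: bytes, setting: str) -> str:
    """Recompute a portable phpass hash ($H$ or $P$) for `password` under `setting`.
    `setting` may be a full stored hash; only its first 12 characters are used."""
    if setting[:3] not in ("$H$", "$P$") or len(setting) < 12:
        raise ValueError("not a portable phpass setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count outside phpass's accepted range")
    salt = setting[4:12].encode("ascii")
    # One salted round, then 2^count_log2 chained rounds (assumed layout).
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpbb_hash(password: bytes, count_log2: int = 11) -> str:
    """New-style hash: random 8-char salt and 2^11 rounds (assumed phpBB3 default)."""
    setting = "$H$" + ITOA64[count_log2] + _encode64(os.urandom(6), 6)
    return phpass_crypt(password, setting)


def phpbb_check(password: bytes, stored: str) -> bool:
    """Accept both generations: 34-char portable hashes and 32-char unsalted MD5
    left behind by accounts that never logged in after the phpBB2 upgrade."""
    if len(stored) == 34:
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    return hmac.compare_digest(hashlib.md5(password).hexdigest(), stored)


def classify_hash(stored: str) -> dict:
    """Breach triage: which scheme protected this row, and how many MD5 calls
    does a single guess against it cost?"""
    if len(stored) == 34 and stored[:3] in ("$H$", "$P$"):
        count_log2 = ITOA64.index(stored[3])
        return {"scheme": "phpass-portable", "salted": True,
                "md5_calls_per_guess": (1 << count_log2) + 1}
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return {"scheme": "md5-plain", "salted": False, "md5_calls_per_guess": 1}
    return {"scheme": "unknown", "salted": None, "md5_calls_per_guess": None}


def triage_dump(rows):
    """Count (username, stored_hash) rows per scheme so the reset scope is clear."""
    summary = {}
    for _user, stored in rows:
        scheme = classify_hash(stored)["scheme"]
        summary[scheme] = summary.get(scheme, 0) + 1
    return summary


if __name__ == "__main__":
    # Constructed sample rows, not data from any real forum.
    sample = [
        ("alice", phpbb_hash(b"correct horse battery")),
        ("bob", hashlib.md5(b"password").hexdigest()),  # phpBB2-era row
    ]
    print(triage_dump(sample))
    print(phpbb_check(b"correct horse battery", sample[0][1]))
```

The point for triage is that "phpBB uses md5" covers two very different exposures: a plain 32-hex row falls to a precomputed table in one lookup, while a `$H$9` row is salted and costs about two thousand MD5 calls per guess, which rules out tables but still leaves weak passwords recoverable offline. Either way the defensive answer is the one in the post: revoke every credential that dates from the dump and force a reset, and prefer a memory-hard or bcrypt-class scheme for new storage.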
“The rallying cry of amateurs everywhere.”
*gigglefit*. I _am_ a security professional working in a bank.
Data needs to be classified. Even the lowest classification of data isn’t allowed out of the bank. Production data _never_ goes to UAT or DEV. You segment and firewall. Restore prod data to another machine and that server is now classified as PROD.
Servers with customer data on them (even if it’s just a forum) are considered to be holding PII data and are under higher scrutiny.
Every single machine is behind a firewall. BYOD _is_ on a segmented network.
Every single server (approx 100,000 servers) has centralised monitoring and controls. Every single desktop (approx 250,000) is locked down. You plug your own device in… disciplinary action.
Yes, we’re a bank; we have to take this shit seriously.
I’ve been doing this for 20 years; the one thing I ain’t is an “amateur”.
All that said; yes you need to prioritise; this is “high risk”, this is “medium risk”, this is “low risk”; “this is a risk we accept because the probability is low (firewalled; controlled access; etc) and the consequences are minor (developers can’t work for a day)”, “this is a risk we’ll fix in 3 months (higher chance of it happening, no customer impact)”, “this is a risk we’ll fix tomorrow (shit, panic!)”.
BUT caker wrote “We did this until we ran out of things to fix and ran out of ideas to pursue”. I gave a tonne more ideas to pursue. Security never stops. If you run out of ideas then you’re not doing your job as a security professional because there are _always_ more things to do.
>This server is not under the umbrella of our security team because this server plays no role in Linode infrastructure. Unfortunately, it did have a restore of the phpBB forum database on it from 2010-03-03.
So is it normal that Linode takes database dumps and puts them on servers outside of the Linode infrastructure?
If I worked at Amazon and took a database dump of one of their systems and loaded it up on a server outside of their control, I’m pretty sure I’d be fired.
This has got to be the dopiest, most out-of-shape-looking SWAT team I have ever seen. Which is saying something, since every rinky-dink cop dept has one now.
Thank you for allowing us to place our backdoors into your enterprise systems. –NSA
So the SWAT had access to all customer data and servers? Yeah … but I guess I cancel my Linode account.
“You have to prioritize, or you’ll get nothing done.”
Well said @cwillu!
Banks are different in that they have so much money efficiency is not an issue. It’s not a business model you could copy in any other line of business. Least of all the innovative business of cloud servers 🙂
You focused on security and yet the 2-factor authentication for the Linode app doesn’t include it. That’s basic stuff that was either overlooked or not addressed…
Security policy – blah (linode.com fall)
When you do security there is no such term as “low risk”. Example – Linode.com. Somebody installs phpBB and Linode just got a two-step attack. Get everyone out by a false report, attack the old forum – get it. So, the questions are: does Linode employees doesn’t
Chris,
I know you guys are relieved that the SWAT visit turned out to be a false alarm, but the alarm your users feel about the data breach is very real.
I’m concerned about the flip and casual nature of your dismissal of the database that was exposed, as well as the fact that it was exposed at all. The “oh, BTW, this happened too, but it’s not a big deal” attitude IS a big deal to us.
I’m sure you understand that we have to have confidence in you the same way that you have to have confidence in your service providers. How comfortable would you feel if one of the service providers you absolutely depend on posted about a data breach in this fashion?
If your attitude toward security mirrors the overall tone of this announcement then we all have something to worry about.
James
Call me Paranoid IT guy but…
Check every keyboard and keyboard cable for keyloggers. Check the insides of every computer for anything that should not be there. Check every network port in the wall, under the floor, and in the ceiling for signs that anything has been put in there. Check every inch of cable you can physically get access to. Then reflash the BIOS on every machine they could have had physical access to. That includes printers, switches, and anything else that has an IP stack.
The NSA has shown they are willing to go to extreme lengths to steal data and Linode holds quite a lot of foreign data.
Someone sends a false report in to generate a SWAT response and people seem OK with that?
Call me crazy but I’m far more concerned with the casual attitude taken toward heavy-handed police responses than I am about some ancient server sitting in a corner with an ancient database on it.
Why mix up the two unrelated (yet both serious) incidents in this post? Looks like you’re trying to hide the DB server snafu by posting SWAT team pix.
I’m just going to be another voice that echoes those before me.
This rather obvious playing down of a data breach is very worrying. Linode’s history regarding security is not exactly good, add on to that a flippish attitude toward a security breach, and you have me seriously doubting my choice of provider.
I am thoroughly disappointed in Linode.
Although it’s entirely possible there’s a hardware keylogger somewhere in Linode’s offices right now, I seriously doubt it.
I can’t imagine what they were going to use the high powered rifles for.
Were they going to shoot the bomb when they found it?
Does that pooch eat penguins?
Was it the green car they drove to check you guys out?
Thanks for being transparent. Means a lot
So, sounds like everyone here is an expert at something…
Sorry, not to minimize your credentials, but I’m guessing that the people who know best how to secure the Linode systems are the people who work with them daily. A bank security specialist and the NSA security gurus probably have different tasks (which have almost nothing to do with securing Linode), but what kills me – is the morons who are criticizing the police officers who had nothing to do with the security breach at all.
@Samson: “heavy-handed” police response? Wow – you must have known it was a false report before the police even did – so you can sit back in your chair like you know what you’re talking about when it comes to policing all, and not actually providing any solutions to your perceived concerns. Way to go, champ.
@Freedom: Your comment is just way under-supported with actual fact. Love the expert critique you must have on the SWAT teams though. Sounds like you are in one to know these details. Actually, the photo does not even look like a SWAT team to me (class A pants, no SWAT identifiers, etc), probably just a bunch of cops who happened to be on duty at the time of the call, some of whom may be on a SWAT team also.
@Linode: Thanks for the information. Most Internet companies would not have even bothered to track down a security problem like this or disclose it to their customers. I think this response was appropriate and justified. Keep up the good work! We all know Linode is a highly visible target.
-My “credentials” include 21 years of IT Security at a multinational ISP, 9 years on a SWAT team.