> 06:00 < AlexC_> ryann: So, are you saying CC details have also been compromised?
> 06:00 < ryann> Yep
> 06:00 < AlexC_> ryann: And you plan on releasing these?
> 06:00 < ryann> They did try to encrypt them, but using public key encryption doesn't work if you have the public and private key in the same directory
Jesus Christ. I agree, there is something very wrong with how Linode is treating this situation. Cperciva's comment a couple of days back about the doubletalk in the official statement seems especially precinct, and the new claim about both the private and public keys for the credit card info being stored in the same place... appallingly incompetent if true.
The CEO has already stated that the private key had passphrase encryption, which is strong, and only stored in their heads. You have to take their word on that, but I don't see any proof of CCs being decrypted.
i cannot imagine that a remembered passphrase would take too long to brute-force on a few multi-GPU setups. unless they did something meaningful like making it a long sentence rather than some short-but-complex-for-humans 15 char string. http://xkcd.com/936/
07:52 < HTP> the CCrypter class of the linode application
context was accessable from outside the wwwroot using
undocumented ColdFusion methods. i was fully able to
decrypt the ccs using the in-memory privkey that they
supplied the password for.
Notably seclists/nmap is (was?) hosted on Linode and was tampered with in this attack.
Apparently, the hackers looked up a Quora list of notable sites hosted on Linode and went after those [2], suggesting that the attackers wanted to burn a 0day for some notoriety or to damage Linode/Coldfusion reputation.
05:21 -!- mode/#linode [+b !ryan@54.228.197.*] by akerl
05:24 -!- ryan| [~violator@37.235.49.168] has joined #linode
05:24 < ryan|> quite rude of you
05:25 -!- ryan| was kicked from #linode by akerl [ryan|]
05:27 -!- root__ [~h@vmx13318.hosting24.com.au] has joined #linode
05:27 -!- root__ is now known as ryan||
05:27 < ryan||> Quite rude out of you
05:27 < ryan||> To ban me like that
Really puts into perspective the difference in the levels of skill involved.
When dealing with someone of this level, they really should have just notified everyone immediately. There's no telling what info these people have now.
The speed at which he switches hosts implies he's got quite a sophisticated tool chain set up for this. The level of skill really becomes parent if you read the rest of the log though.
There are several minutes of delay in there. I could just about set up a brand new VPS, ssh to it, install irssi and connect within that amount of time. Let alone logging into a system I already had set up.
I agree...
Then the skid chose the nick "root_" in an attempt at appearing to have "rooted" some box...
It's no difficult task to ssh into another server and reconnect, and if "ryan" is who I think it is, he's a bot herder who enjoys DDoS attacks on those who upset his false sense of superiority.
He's well versed in server management, but exploiting other's servers is what he's working towards, and he failed to crack a server belonging to some friends of mine, so his only recourse was a DDoS.
20 comments
[ 3.2 ms ] story [ 49.3 ms ] threadI was interested in setting up a Linode account but I think it's best to wait for some more information at this point. Thoughts?
The price is reasonable: $21/month for a 512 MB instance, and free 20,000 GB bandwidth!
In addition, they offer freaking 2-factor authentication! That says a lot when the only ones I know of offering such are AWS and SoftLayer.
I don't work for Joyent, and I just signed up for them 2 days ago. Apologies if my post seemed like blatant advertising.
> 06:00 < ryann> Yep
> 06:00 < AlexC_> ryann: And you plan on releasing these?
> 06:00 < ryann> They did try to encrypt them, but using public key encryption doesn't work if you have the public and private key in the same directory
Jesus Christ. I agree, there is something very wrong with how Linode is treating this situation. Cperciva's comment a couple of days back about the doubletalk in the official statement seems especially precinct, and the new claim about both the private and public keys for the credit card info being stored in the same place... appallingly incompetent if true.
The password is most likely cracked by now.
Note that he states all information was deleted. They had claimed earlier that CC info would be released on May 1st.
note: temp account because I accidentally set noprocrast delay to 1 week. Whoops!
Uh... which comment was this?
I wonder what they were after if not money. What are people hosting ?
Apparently, the hackers looked up a Quora list of notable sites hosted on Linode and went after those [2], suggesting that the attackers wanted to burn a 0day for some notoriety or to damage Linode/Coldfusion reputation.
1. Technical info: http://arstechnica.com/security/2013/04/coldfusion-hack-used...
2. http://seclists.org/nmap-dev/2013/q2/40
05:24 -!- ryan| [~violator@37.235.49.168] has joined #linode
05:24 < ryan|> quite rude of you
05:25 -!- ryan| was kicked from #linode by akerl [ryan|]
05:27 -!- root__ [~h@vmx13318.hosting24.com.au] has joined #linode
05:27 -!- root__ is now known as ryan||
05:27 < ryan||> Quite rude out of you
05:27 < ryan||> To ban me like that
Really puts into perspective the difference in the levels of skill involved.
When dealing with someone of this level, they really should have just notified everyone immediately. There's no telling what info these people have now.
It does not impress me in the slightest bit.