BreachExchange mailing list archives

Linode Resets Passwords as DDoS Attacks Continue


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 6 Jan 2016 17:25:21 -0600

http://www.eweek.com/security/linode-resets-passwords-as-ddos-attacks-continue.html

Linode <https://www.linode.com/> is having a rough start to 2016. The cloud
hosting provider has been suffering from a series of distributed
denial-of-service attacks that were first reported on Dec. 25, impacting
multiple Linode data center locations, including Dallas; Atlanta; Newark,
N.J.; Fremont, Calif.; Singapore; Frankfurt, Germany; and London. Adding to
Linode's woes, on Jan. 5, after an unauthorized access was discovered, the
company informed its customers that they all need to reset their passwords.

The Linode status page <https://linode.statuspage.io/> provides a running
tally of the ongoing attacks and Linode's attempts to mitigate the issue.
The company optimistically wrote on Dec. 26 that "the attacks have
subsided for long enough that we believe this incident can be considered
resolved." Unfortunately for Linode and its customers, attacks have
continued against various pieces of Linode's global footprint.

"Over the course of the last week, we have seen over 30 attacks of
significant duration and impact," Alex Forster, network engineer at Linode,
wrote. "As we have found ways to mitigate these attacks, the vectors used
inevitably change."

As Linode worked tirelessly to mitigate the DDoS attacks, it also
discovered unauthorized access into three user accounts. A security
investigation into the unauthorized access turned up another disturbing
detail—that an external machine had a pair of Linode user credentials on it.

"This implies user credentials could have been read from our database,
either offline or on, at some point," Linode warned in a status update
<https://linode.statuspage.io/incidents/ghdlhfnfngnh>. "The user table
contains usernames, email addresses, securely hashed passwords and
encrypted two-factor seeds."

To mitigate the risk of a user database breach, Linode is triggering a
password reset for its users. At this point, Linode is not aware of any
link between the potential user access breach and the ongoing DDoS attacks.

"We have not been contacted by anyone taking accountability or making
demands," Linode stated. "The acts may be related and they may not be."

Security experts contacted by *eWEEK* had mixed views about the Linode
security incident. Scott Petry, co-founder and CEO of Authentic8, said
Linode has had security-related issues in the past. "They had a similar
database breach in April of 2013 that forced a password reset for all their
users," Petry told *eWEEK*. "So I guess the thing that surprises me is that
they're still having these issues." Justin Harvey, chief security officer
at Fidelis Cybersecurity, is taking a positive spin on the incident, in
terms of how Linode is communicating to its users about what is happening.
"They [Linode] shared a lot of information and as an external observer,
they're doing all the right things: being upfront about the issues,
exposing their thought process and offering up the plan," Harvey told
*eWEEK*. "This is a great example of how it should be done."

Jake Kouns, chief information security officer at Risk Based Security,
echoed those positive sentiments, saying that it is good to see Linode
providing information about the incident to its customers and that the
company appears to be on top of the issue. The Linode investigation found
unauthorized log-ins to just three accounts, which could be the result of
something as simple as Linode's customers being phished for credentials,
but it did lead to the discovery of two credentials on an external machine,
he added.

"This makes it seem quite small and contained on the surface," Kouns
told *eWEEK*. "However, if they have expired all customer passwords, then
there is likely evidence of a larger compromise or they aren't feeling 100
percent comfortable at this point and are taking the step as a precaution."

In terms of a possible link between the user access breach and the DDoS
attacks, Kouns noted that sometimes a DDoS attack is just what it appears
to be: an attempt to take a business offline. That said, in other cases a
DDoS attack can be a way to distract an organization's IT security staff
while some other sort of attack is launched, he said.

While a DDoS attack could be used to distract an organization, Marcus
Carey, CTO and founder of vThreat, said such an attack could also limit
attacker access to systems they have already compromised. He added that
most of the time attackers with access will keep it "low and slow" to avoid
the type of attention DDoS attacks attract.

"The more likely scenario is that the DDoS attacks have heightened Linode's
incident response senses, and they are leaving no stone unturned," Carey
told *eWEEK*. "As a result of the DDoS attacks, they'll be actively looking
for compromised accounts." For Linode users, there are only a few steps
that they can actually take. Kouns said Linode users will need to set a new
password when they log in next. "Impacted users shouldn't stop there
however, and if they are reusing passwords against better judgment, they
should also change the passwords at other services to something unique,"
Kouns suggested. Carey, in turn, is advocating that Linode customers make
use of the two-step authentication system that Linode has provided
<https://blog.linode.com/2013/05/02/linode-manager-two-step-auth/> to its
customers since 2013. "Since Linode said they securely hash passwords and
encrypt two-factor seeds, it significantly raises the difficulty of
cracking the passwords and the two-factor seeds," he said. "Whether people
use Linode or other services, they should be wise and set up two-step
authentication when available."
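To make Carey's last point concrete, here is an added example (not Linode's code, and not a description of how Linode's systems are built) of a user table row that holds a salted scrypt password hash and a TOTP seed sealed under a key kept outside the database. The scrypt parameters, the HMAC-based seal, the RFC 6238 test seed and the account names are assumptions made for the illustration; the point is that a copy of such a table yields neither verifiable passwords without a slow per-guess computation nor usable one-time codes without the separate key.

```python
"""Added illustration: a user row with a salted scrypt password hash and a
TOTP seed encrypted under a key held outside the database."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# scrypt work factor (assumed for this example): n=2**14, r=8, p=1 costs
# about 16 MiB of memory per guess, which is what slows offline cracking.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<n>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%s$%s" % (SCRYPT_N, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    _scheme, n, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream. Illustrative only:
    a production system would use an AEAD such as AES-GCM from a library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(db_key: bytes):
    """Derive separate encryption and MAC keys from the out-of-database key."""
    enc_key = hmac.new(db_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(db_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal_seed(seed: bytes, db_key: bytes) -> bytes:
    """Encrypt-then-MAC the TOTP seed: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(db_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, nonce, len(seed))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_seed(blob: bytes, db_key: bytes) -> bytes:
    """Check the tag before decrypting; raise on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(db_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("seed blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    return hotp(seed, int(unix_time) // step)


def enroll(username: str, password: str, seed: bytes, db_key: bytes) -> dict:
    """Build the row the user table holds: no plaintext password or seed."""
    return {"username": username,
            "password_hash": hash_password(password),
            "totp_seed_enc": seal_seed(seed, db_key)}


def login(row: dict, password: str, code: str, db_key: bytes, unix_time: int) -> bool:
    """Two-step login: password first, then TOTP with one step of clock drift."""
    if not verify_password(password, row["password_hash"]):
        return False
    seed = open_seed(row["totp_seed_enc"], db_key)
    step = int(unix_time) // 30
    return any(hmac.compare_digest(hotp(seed, step + d), code) for d in (-1, 0, 1))


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 test seed and a made-up DB key.
    rfc_seed, db_key = b"12345678901234567890", os.urandom(32)
    row = enroll("alice", "correct horse battery staple", rfc_seed, db_key)
    print("login ok:", login(row, "correct horse battery staple", totp(rfc_seed, 59), db_key, 59))
    try:  # whoever holds only the row, without db_key, cannot recover the seed
        open_seed(row["totp_seed_enc"], os.urandom(32))
    except ValueError as exc:
        print("leaked row alone:", exc)
```

The split between the two columns is the design point: the password hash can be checked by anyone holding the row, but only at the scrypt cost per guess, while the seed column is useless without `db_key`, which lives in the application tier or an HSM rather than in the table that leaked. With the RFC 6238 test seed, `totp(seed, 59)` is `287082`, matching the published vector.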
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss