Linux Australia Hacked
Linux Australia, the group that hosts the continent's yearly Linux Conferences and serves as a hub for its Linux User Groups, suffered a buffer overflow attack on one of its servers on March 22nd. Buffer overflows are a well-known class of vulnerability on many systems and can be exploited in a variety of ways.
In this case, according to Joshua Hesketh, who’s been president of the organization since 2013, the exploit in question utilized a “currently unknown vulnerability.” It affected the server hosting the Zookeepr conference management systems for the 2013, 2014, and 2015 national conferences as well as two PyCon installations of the same.
In a message to the Linux-aus mailing list nearly two weeks after the attack, Hesketh wrote:
[…] the server was subject to an attack by a malicious individual. It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server. […] A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia’s automated backup processes ran, which included the dumping of conference databases to disk.
Membership Data Possibly Leaked
The job of the president is to reassure the members, but certainly there is no reason to believe the attacker did not acquire personal information while he or she retained control of the system. To this end, the President stated:
The database dumps that occurred during the breach include information provided during conference registration – First and Last Names, physical and email addresses, and any phone contact details provided, as well as a hashed version of the user password.
He then goes on to temper this statement with a more hopeful one:
Whilst Linux Australia do not believe this was a targeted attack against the Zookeepr conference management system, nor an attempt to harvest details from the system, we are taking the necessary precautions […]
If the attacker was not after the data on the server, then what was the target? Luckily, credit card details were not stored on the server at all.
As Zookeepr uses a third party credit card payment gateway for credit card processing, the database dumps do not contain any credit card or banking details.
However, experienced identity thieves can work with very little to build up a profile on a person and use it to exploit their identity. It is well-documented that for some purposes a name and an address are all that are needed. This is not to say that identity theft was the purpose of this hack; that cannot be known unless or until the attacker goes public and explains their motive. For all anyone knows, perhaps they weren't "malicious" at all, but rather, in their own view, penetration-testing an organization that should know better.
A number of fixes the organization had undertaken were then listed, and a call for help was made to security experts as well as Computer Emergency Response Teams to help "determine the method the attacker utilised to gain access to the system." This would, of course, be a very valuable bit of information at this point.
Membership Satisfied With Handling
Thus far, no member of Linux Australia has expressed outrage or otherwise negative feelings about the organization's handling of the matter. In fact, members lauded the president for transparency and disclosure. Let this be a lesson in server administration, then: sometimes even when you think you've covered all your bases, you haven't.