
The story around the Linode hack - foofoobar
http://straylig.ht/zines/HTP5/0x02_Linode.txt
======
RoboTeddy
Here's an attempt at an explanation/translation:

HTP ("Hack The Planet") is a group that likes to break into things. Another
(unnamed) group of people impersonated a third group of people ("ac1db1tch3z")
and tried to cause trouble for HTP.

The impersonators located HTP by examining one of HTP's botnets (a collection
of compromised computers that are used to launch things like denial of service
attacks). Botnets have to receive instructions (e.g., targets to attack) from
somewhere, so it's likely that the impersonators followed the path taken by
commands to the botnet, and found the network(s) that HTP uses to organize
themselves.

HTP realized this, and wanted to get back at the impersonators. They found out
that the impersonators used an IRC channel (chat room) hosted on a network
called SwiftIRC. If HTP could break into SwiftIRC (which is hosted on Linode),
they could cause all sorts of trouble for the impersonators. So HTP decided to
break into Linode, so they could break into SwiftIRC, so they could break into
the group of impersonators.

To break into Linode, HTP broke into their domain name registrar (name.com).
They planned to secretly take control of linode.com, and replace it with a
version of linode.com that would look and feel and work correctly, but had one
additional feature -- it would collect the login information that people typed
in. HTP probably hoped to gain the login for SwiftIRC directly, or collect the
logins for Linode admins and obtain SwiftIRC's login from there.

But, before they enacted the domain takeover (a maneuver that would likely be
somewhat difficult to employ without being noticed), an HTP member discovered
a new vulnerability in ColdFusion, the server software used by Linode. The
ability to discover a new exploit on demand implies a high level of skill
within the group. Using this exploit, HTP obtained direct access to Linode.
They proceeded to gain access to SwiftIRC, as well as other sites hosted on
Linode, including a well-known security site, nmap.org.

The FBI apparently had a mole in HTP, and they alerted Linode that HTP had
access to nmap.org. This posed a bit of a problem for HTP: if it became public
knowledge that they had obtained access to Linode, then perhaps they wouldn't
have time to go after the impersonators using their newfound access to
SwiftIRC. So, HTP tried to strong-arm Linode into staying quiet until May 1st.
HTP had obtained the customer information and credit cards of all the Linode
customers. HTP threatened to widely publish all this sensitive information if
Linode didn't stay quiet. If Linode complied, then HTP would just delete all
the info.

Linode, though, was forced by the FBI to announce that they'd been broken
into. HTP told Linode to just publicly acknowledge that HTP was the group that
broke into Linode, and they'd delete the sensitive info. Linode did so
(<https://blog.linode.com/2013/04/16/security-incident-update/>).

HTP conducted an internal investigation to determine which group member(s)
were working with the FBI. HTP broke into the mole's computer and turned on
their webcam, and saw an FBI employee looking over the shoulder of the mole.
They kicked the mole out of the group, so the FBI doesn't have access to HTP
anymore.

(Remember, this is the story according to HTP.)

~~~
davidw
> tried to cause trouble for HTP.

Here's hoping the FBI "causes trouble" for the lot of them. Breaking into
other people's stuff is not cool. If I leave my door open by mistake, yes,
that makes me a bit absent minded, or foolish, but it does not give anyone the
right to wander into my house.

~~~
conductor
Well then you are not a hacker. And I hope FBI can not cause trouble for them,
they did not do anything unethical in my POV. The server is not a house. Black
hat hacking is a mixture of art and politics (I never support hackers who hack
for stealing money), and if you want the analogy, they just spotted a fancy
lock on the door of some institution (not a private house), lock-picked it and
looked at what's behind the doors. This may be illegal, but this is the way they
can confront the forces they don't like and outline their position. They did
not break or delete anything (no vandalism).

~~~
canttestthis
Please give me the password to your regular email account so I can read your
emails. I won't delete any of them, but your email server is not a house, and
I should have the right to read your emails.

~~~
conductor
A right? I didn't say they have a right. They hacked into. Did the US/Israel
have a _right_ to use Stuxnet against Iran? No. They hacked into. When did you
accuse the US secret service or hope that they will be punished? Double
standards?

I won't give my email or its password to you, but if you can find it, hack it
and decrypt my emails, then it would be only my fault, and you will have my
respect.

~~~
bradleyland
You're not getting it. No one is saying that Stuxnet was "right". That
conversation is set in an entirely different context than the Linode hack.
Iran is seeking to produce a nuclear weapon with the openly stated goal of
launching it against another country. There is no segue from Stuxnet to this
Linode hack.

"Fault" is not in question here either. Let's say I leave my front door
unlocked. If you enter my home without my permission, you have trespassed and
can be charged with a crime. The only thing I would be "at fault" for is
making a lackluster attempt at securing my home. I don't forfeit protection
from trespass under the law for that act though.

You see, locks are not what govern access; laws are. HTP is clearly in the
wrong here. They forced entry into Linode's systems, then attempted to extort
Linode in an effort to achieve their goals. Swap out Linode's servers for
Linode's offices, and there's no question that HTP are operating outside the
boundaries of ethical behavior.

~~~
conductor
I admit Stuxnet was a bad analogy to black hat hacking. But so is the
analogy between hacking into a server and physically trespassing on private
property.

The main goal of my comments is to object to the opinion that hacking is
somewhat comparable to physical break-and-enter actions. This is an age where
one can find himself in prison for tens of years for hacking and getting
access to information (the prospects of Aaron) or even for IP violations, as
if it were murder or rape.

Being in an underground hackers' crew is much fun and offers possibilities to
learn things for young men who are smart and different from their friends.
Those guys and gals are the future top-class engineers at Google and other IT
giants, and I want them to continue hacking and growing personally and
professionally, not rotting in prison.

~~~
bradleyland
You keep getting buried because you've hitched your wagon to the wrong horse.
Your core argument seems to be that punishment for hacking is often
disproportionate to the crime committed.

For example, poorly written laws make even simple port scanning a risky
activity. I agree that this is ridiculous, but you needn't defend HTP here in
order to take that position. If anything, HTP are to blame for the
overreaction from policy makers. They are having a very difficult time
distinguishing between mischief and mayhem.

The law should take context into account. If you were caught exploring an
old, abandoned warehouse, you might end up with a misdemeanor trespass charge
(hopefully), but if you're caught probing a corporate server, the current
climate seems to dictate that you'll land a felony in short order. You've got
groups like HTP to thank for that because of their extortion activities and
willingness to leverage the well being of innocent people in their trivial
games.

------
ghshephard
There is a lot of inside-baseball in this, but the one they keep talking
about, is, "shred customer data" - as in,

" Recognizing their situation, we instead told them that if they acknowledged
HTP in their analysis, we'd go ahead and shred their customer data anyway."

Do they honestly, for a single second, think that any LEA, corporation, or,
well, anyone would believe that once the information was compromised, that
there was no putting the genie back in the bottle? Also - I suspect there are
probably disclosure laws that had to be followed by Linode anyways.

~~~
nathanb
What choice did they have?

Comply, and trust the honor of black hat hackers?

Or refuse, and have customers' data appearing on FTP and torrent sites within
the day?

As a Linode customer, I would rather them choose the latter. Not to try and
sweep the incident under the rug (to your point about disclosure) but to
prevent the data from being scraped by groups who exist solely for extracting
credit card details from releases by groups like HTP (note the reference to
"carders" in the article) and then being sold.

(According to Linode's own post, the CC data were encrypted, meaning that it
should be intractable to actually extract usable CC numbers from the data. But
why would Linode _not_ accept those terms, even if they believed that HTP were
lying? At least it would give them until 1 May to get their house in order.)

------
antihero
The ColdFusion hack...wow. How is CF engineered so badly? What person nowadays
would still think to take paths of _anything at all ever_ in the request
parameters? I can sort of understand pre 2003 or something, but CF10 was
released in 2012, for Pete's sakes.

Also makes you wonder, if there are holes like this, how many more holes like
this are there? Especially if this is a pattern across the system.

~~~
druiid
There is a bunch of holes in CF like this. Look at their bug/security fix list
for Coldfusion (Pretty much any version), and half of the security fixes are
targeted to CFIDE based vulnerabilities. Any CF admin worth their salt
disallows access to CFIDE as a matter of course.

------
mappu
Definitely worth reading the full zine, some scary stuff in there (including
very readable python LFI-based exploits for unpatched MoinMoin and
ColdFusion).

Highlights: 1900+ days uptime on a sparc box somewhere in sourceforge.net,
root on ICANN, root on Debian repositories..

~~~
psutor
Link to full zine: <http://straylig.ht/zines/HTP5/>

~~~
cheapsteak
Any chance someone saved a copy? Link seems dead from here

------
tiredofcareer
Some hopefully-helpful clarifications of the inside baseball talk from just
the overview (I haven't read the full zine), enhanced with inside and general
knowledge I've gained in my travels on this mortal coil:

\- HTP claims to have{, had} access to name.com, which Linode currently uses.
This access enables an unauthorized party to update authoritative nameservers
for your domain; i.e., if you host at Amazon, very likely your authoritative
nameservers are Route 53 on your account. HTP would not have access to modify
the zone directly through the registrar and would instead have to hijack the
entire domain with a working, completely-transferred zone on their own
nameservers. For this to go down entirely unnoticed is extraordinarily
difficult. I won't say impossible, but damned close without a copy of the zone
in hand and with Linode running AXFR disabled (you should be too). There are
subzones of linode.com; they wouldn't have gotten them all, and it would have
been noticed within minutes.

\- In order to attack SwiftIRC, to get back at some script kiddies DoS
attacking them after their last release (because you know, that's a good
target to burn _registrar_ access on and all), HTP decided to backdoor
SwiftIRC via their nameservers which are hosted at Linode. That's not the same
as the registrar nameservers discussed above, but is instead the DNS data
actually stored _on_ a Linode on SwiftIRC's account. They do not hint what
they were going to do with it once they had hijacked the nameservers, and I
will not theorize. I could guess, though.

\- Before utilizing their registrar access (from the first bullet point) to
hijack the linode.com zone and intercept manager logins silently by
redirecting traffic via DNS -- _also_ fairly difficult to pull off without a
good linode.com certificate in hand, in terms of keeping the TLS session non-
suspicious to a browser -- they instead discovered a zero-day in ColdFusion
(Linode's stack) and got in that way. That's much quieter and much more likely
to not be noticed. If we take the FBI's actions at HTP's word, the FBI was the
only reason Linode was made aware of this outside of HTP's control; a DNS
hijack would have been immediately noticed by Linode administrators.

\- Knowing what I know (let's leave it at that), a successful exploit on
Linode's ColdFusion stack entails a database of Linodes, DNS, credit cards,
e-mails, addresses, and keys to decrypt the actual card numbers, and a lot
more data. You have to decide whether to take HTP at their word that they
deleted credit cards. Consider your credit card _and_ all prior credit cards
compromised if it were in the system before April.

\- The access that HTP obtained _does not_, full stop, lead to root on Linode
instances without _at least one shutdown job_ or change of root password job
showing up in your Linode's history that you did not ask for. Your Linode's
root password is not stored in any Linode system aside from on your Linode
itself. Your LISH password, as they say, is, and according to them is stored
in plaintext; if you see things on your Linode's console (located under the
Remote Access tab) that you did not type, that access was used upon you. If
not, it wasn't. If you used the same root password on your Linode that you did
for your LISH password, consider that password compromised. I'm suspicious of
the claim that they rooted all those (assuming) customers without any of them
noticing their Linode being rebooted to apply the new root password to allow
HTP in, and I would read that as "potential access" instead of "access". They
probably bounced some nmap.org servers to reset their root passwords -- a
Linode system requirement -- without fyodor noticing. Which is interesting for
a couple reasons.

\- Also, the access they obtained does _not_ lead to root on the Linode host
fleet itself, unless they are holding back some extra access they obtained
such as a shared password between the ColdFusion stack and administrator
credentials for Linode systems, which I consider unlikely for a couple
reasons. With several days to get familiar with the architecture, HTP could
have used their database write access to do things on the hosts, but it's a
fairly limited set of things. Dumping Linode's database is bad, but root on
their hosts is far, _far_ worse, and by indications, I don't think they got
it.

\- How does this relate to the Bitcoin hacks of yesteryear, you ask? The
Bitcoin hackers probably got in the exact same way -- Linode hinted at a
compromised admin credential, which is close enough to do everything HTP was
able to do -- then shut down and reset root passwords on the Bitcoin Linodes
they were after, which then gave them filesystem access.

So ends clarifications, thus begins conclusions:

\- _PAY ATTENTION WHEN YOUR SERVERS ARE REBOOTED WITHOUT YOUR COMMAND._

\- _PAY ATTENTION WHEN YOUR SERVERS ARE REBOOTED WITHOUT YOUR COMMAND._

\- Linode added a feature that shoots you an e-mail when your Linode is
manipulated in any way via jobs, such as resetting your Linode's root password
(a la Bitcoin/HTP hacks). It's depressing they had to do this, but pay
attention if you get the mail. External monitoring like Nagios that pages you
when your server goes down is also a good idea, as long as it is hosted at
another provider.

\- EDIT: After reading the zine, yet again, /CFIDE is the vector. There's no
excuse for not hiding your administrative tools, generally the soft underbelly
of the whole smash, from the Internet. None. It's one rewrite in nginx. Match
/CFIDE<anything> from the public, redirect to /. Done.

\- EDIT: Again, after looking at how trivial the exploit was, it's probably
time to reconsider using Adobe ColdFusion from a business continuity
standpoint. Half Linode's fault for not hiding /CFIDE, half Adobe's fault for
the engineering missteps that led to this capability for a remote attacker.
We should be just as hard on ColdFusion as we are on Rails.

\- SwiftIRC is a den of iniquity, up there with EFnet; if you run a hosting
provider, think twice about permitting SwiftIRC anywhere near you. To
reiterate that, Linode was a casualty of someone going after SwiftIRC. Delink
their nodes, cancel them, and kick them to the curb if you're interested in
preserving your business. Not worth the money. Same with damned near all the
IRC networks except OFTC and, to a far lesser extent, Freenode. There will
always be targets but harboring SwiftIRC is probably a malicious-actor magnet.

\- Registrars (and CAs, though that's outside this discussion) are the weak
point in the entire system. This is not the first time they have been shown to
be so. Linode could be Fort Knox of digital security but if name.com falls
over, it's all over; that's entirely outside of Linode's, and your, control.
Currently, the registrar market is heavily profit-centric and, personally, I
think people spend far too little on a domain in the general case. I would
happily pay a registrar a lot more money -- hundreds a year or more -- if
their offering were run competently, as it is fairly obvious name.com isn't.
Compare your hosting bill to your registrar bill; what's wrong with that
picture?

\- HTP is apparently fairly easy to troll into using valuable access for
vengeance purposes. Shameful target selection and a burn of a good hack just
to root SwiftIRC. That's like pissing in the ocean for a good time.

\- Linode got railroaded here and the general reaction by folks is a little
overdone. You know that's true when even the hackers' overview of the hack
specifically calls out people bitching about Linode security on Twitter. All
it takes is one zero-day, and you will all be hit by one in your career, so
cut Linode a little slack.
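
druiid's point that any competent CF admin disallows access to CFIDE, and
tiredofcareer's "one rewrite in nginx" above, both come down to a single access
check on the request path. Here is that check as an added example in Python
(not code from the page, from Linode or from Adobe), written so that the
bypasses a bare prefix match misses are covered: mixed case, percent- and
double-percent-encoding, dot-segments, doubled slashes, backslashes and
servlet-style `;` path parameters. The trusted management network 10.0.0.0/8
and the client addresses are assumptions for the demo; the nginx equivalent is
given in the comments.

```python
"""Admin-path lockdown for ColdFusion's /CFIDE tree, written as an added
example. Not code from the page, from Linode or from Adobe. The trusted
network and client addresses are assumptions for the demo."""
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumption: only this management network may reach /CFIDE at all.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Compared after normalisation, so the match is case-insensitive and
# "/CFIDE" with or without a trailing slash both land here.
ADMIN_PREFIXES = ("/cfide/",)


def normalize_path(raw_path: str) -> str:
    """Reduce a request path to the form the backend will actually serve.

    A bare startswith("/CFIDE") misses: /cfide, /%43FIDE, /%2543FIDE,
    /images/../CFIDE, //CFIDE, /CFIDE;x/administrator and /CFIDE\\admin.
    Each of these is collapsed below before the prefix is compared.
    """
    path = raw_path.split("?", 1)[0]
    # Decode until stable so double-encoded bytes (%2543 -> %43 -> C) are caught.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Windows/IIS backends accept backslashes as separators.
    path = path.replace("\\", "/")
    # Servlet containers (ColdFusion runs on one) treat ";..." inside a
    # segment as a path parameter and ignore it when mapping the URL.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Force exactly one leading slash, then fold "//", "./" and "../".
    path = posixpath.normpath("/" + path.lstrip("/"))
    if not path.endswith("/"):
        path += "/"
    return path.lower()


def is_admin_path(raw_path: str) -> bool:
    return normalize_path(raw_path).startswith(ADMIN_PREFIXES)


def allow_request(raw_path: str, client_ip: str) -> bool:
    """True if the request may be served: anything outside /CFIDE, or
    /CFIDE from a trusted network. Deny is the default for admin paths."""
    if not is_admin_path(raw_path):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


# nginx equivalent of allow_request(), for a reverse proxy in front of CF.
# nginx decodes %XX and folds dot-segments and doubled slashes in $uri before
# matching a location, but it passes backslashes and ";" parameters through
# untouched, which is why the function above strips them itself:
#
#   location ~* ^/cfide(/|$) {
#       allow 10.0.0.0/8;
#       deny  all;        # or: return 302 /;  to "redirect to /" as above
#   }

if __name__ == "__main__":
    for path in ("/index.cfm", "/CFIDE/administrator/index.cfm",
                 "/%2543FIDE/administrator/", "/images/../cfide/scripts/",
                 "/CFIDE;x/administrator/"):
        print(f"{path!r:40} from public -> {allow_request(path, '203.0.113.5')}")
```

The normalisation has to mirror what the backend does, not what the proxy
does: if the application server decodes or splits a path in some way the front
door does not, the attacker sends that form. Put the rule on the same layer
that routes to ColdFusion, and test it with the variants above rather than with
the canonical path only.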

~~~
tomjen3
I don't give a shit about my (former) linode servers and never want to have
anything to do with the bastards again.

I just want to know one thing: did or didn't they leak the credit cards?

~~~
zoul
> _I just want to know one thing: did or didn't they leak the credit cards?_

Does it really matter? If your card was used with Linode, it should have been
blocked by now anyway.

~~~
tomjen3
Yes, because it is a huge pain to go through for no reason.

------
runn1ng
I... don't actually understand most of what they wrote there.

------
jameswyse
There's more info about HTP5, including working mirrors of the files linked at
the end of the linode document here: <http://straylig.ht/zines/HTP5/>

~~~
dantiberian
HTP5 stands for Hack The Planet 5, the fifth issue of the zine linked in the
parent comment.

------
kouiskas
Looking at the hash found in the query HTP ran, 9gag's name.com password was
"harry1" at the time of the exploit. It also tells us name.com stores the
passwords as unsalted MySQL 4.1 PASSWORD() hashes...
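
kouiskas reads the password "harry1" out of the hash in HTP's query because
name.com stored MySQL 4.1 PASSWORD() output unsalted. The following added
example (not code from the page or from name.com) implements that construction
and shows what "unsalted" buys an attacker: one precomputed table cracks every
user sharing a password in any dump, and identical passwords are visible as
identical hashes before any cracking happens. The usernames, hashes and
wordlist are constructed for the demo; the PBKDF2 routine at the end is there
for contrast only and is not what name.com used.

```python
"""MySQL 4.1 PASSWORD() and the cost of storing it unsalted. Added example,
not code from the page or from name.com; the dump and wordlist below are
constructed for the demo."""
import hashlib
import hmac
import os


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password)).
    No salt and no work factor: the same password always yields the same
    41-character string, for every user and every site using this scheme."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def build_table(wordlist):
    """Precompute hash -> password once. Because there is no salt, the table
    can be built before any dump exists and reused against all of them."""
    return {mysql41_hash(w): w for w in wordlist}


def crack(dump, table):
    """dump: {username: stored_hash}. One dict lookup per user, so cracking
    a million rows costs no more hashing than cracking one."""
    return {user: table[h] for user, h in dump.items() if h in table}


def shared_passwords(dump):
    """Users whose hashes collide share a password; visible without cracking."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# For contrast: per-user random salt plus key stretching (PBKDF2-HMAC-SHA256).
# Same password, different records; no precomputed table applies.
def pbkdf2_record(password: str, rounds: int = 200_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed data: a handful of users and a tiny wordlist. "harry1" is the
# value kouiskas recovered; the other accounts and passwords are made up.
WORDLIST = ["123456", "password", "qwerty", "letmein", "harry1"]
DUMP = {
    "9gag":  mysql41_hash("harry1"),
    "bob":   mysql41_hash("harry1"),
    "carol": mysql41_hash("L0ng&Unusual passphrase 7"),
}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("cracked:", crack(DUMP, table))
    print("shared :", shared_passwords(DUMP))
    rec = pbkdf2_record("harry1", rounds=1000)
    print("pbkdf2 :", rec, pbkdf2_verify("harry1", rec))
```

Two SHA-1 invocations per candidate is the entire cost of the scheme, and the
table is reusable across every site that stores PASSWORD() output, which is why
a single leaked query is enough to read a registrar password off a dump.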

------
AndyKelley
What I want to know is, what kind of hacker uses hard tabs in their zero day
python script.

~~~
peterwwillis
Hackers are [in general] shittier coders than a Windows server admin.

~~~
alan_cx
Yeah, dogs are shittier cats than .... cats.

------
blacktulip
I am not familiar with the crackers' terms. So does this mean that name.com is
not safe? All my domains are there...

~~~
JonnieCache
The point is, when you're dealing with people of this level of supposed skill,
they can just walk into pretty much any network. They're all vulnerable on
some level if you're capable of actually breaking them yourself in novel ways.

The only real solution is either to not depend on any single network, or to
make it clear that you will simply kill anyone who troubles you. Or just
remain innocuous enough that nobody will care to.

~~~
twistedpair
They had skilz, no doubt, but it does not appear the CF hack was the zen apex
of hacking. It was a well known exploit you could drive a truck through.
Writing Stuxnet, now that was mad skilz.

------
robk
That seems somewhat scary if they've compromised domain registrars and are
intercepting login data from client sites that way.

~~~
jrockway
It's more scary if they've compromised a SSL CA. A simple DNS attack won't
stop your browser from displaying a broken certificate warning. (Though they
can always not redirect from http to https and most users won't notice,
sadly.)

~~~
blibble
it's very easy to get your own https cert once you control the dns for a
domain, you just set up own nameserver that proxies requests to the original
NS (except very specific ones, say those from Verisign), request your "domain
control validation" https cert, and bam! valid https cert!

------
sp332
Anyone care to speculate how likely this account is to be true?

~~~
piggity
The only question I'm really interested in...

And Linode isn't saying anything new

------
driverdan
Some of their claims seem a bit far-fetched. Hacking name.com, Xinnet,
MelbourneIT, and Moniker? That would be huge. Why haven't we heard more from
them?

> We identified which users on HTP were involved with the FBI, and promptly
> gained access to one of their cams.

Not sure what they mean here. FBI camera? User's laptop camera? Either way
this also seems far-fetched.

If everything they said was actually true it's very impressive.

~~~
rashkov
Not so far fetched. They've posted hack logs of MelbourneIT, name.com, and
Moniker in the same zine.

------
bestham
So Much Drama in the HTP

~~~
d23
It's kinda hard bein' L I N O D E

------
peterwwillis
I can't think of a better classification for a terrorist than people who sit
around all day working to destroy credibility of corporations and expose
personal and financial information for the sake of their own fucked up moral
code and amusement.

It would be nice if we had internet role models. IRC is full of low-life
degenerates who perpetuate the vitriol that reinforces this way of life as an
acceptable pastime. If there were well respected hackers who spoke publicly
against this kind of behavior it might make some people think twice.
(Unfortunately, most well respected hackers used to be these kids before they
got real jobs)

HN is full of individuals who try to take the high road, versus the kind of
anonymous internet idiocy that exists in nearly every forum and chatroom. I
love this about HN. I wish more of the internet took it as an example.

~~~
saraid216
IRC is a communication medium. Could we please not vilify it? It's like saying
people who use burner phones are bad people.

~~~
peterwwillis
It's also a machine that generates dumbed-down conversation. The natural slant
on IRC is away from intelligent discourse and toward a cross between texting
and one-line jokes with friends. There's nothing inherently wrong with this.
But it does foster negativity much of the time.

I know hundreds of people who dedicate their lives to the drama and bullshit
that is spawned solely by being in an IRC channel. If it went away, these
people _might_ just find something productive or positive to do with their
lives.

~~~
BCM43
_The natural slant on IRC is away from intelligent discourse and toward a
cross between texting and one-line jokes with friends._

What? I could name 20 channels off the top of my head this is not true for.

~~~
hderms
tech-oriented channels? Care to name any?

~~~
X-Istence
Tech oriented indeed. You know, all of the Open source IRC channels on
Freenode are a good start.

IRC is nothing like you've described, at least to me.

~~~
peterwwillis
_IRC is nothing like you've described_

User hderms didn't describe them, I did. And I can show you hundreds of
thousands of channels like I describe, on most popular IRC networks (Freenode
is a tiny network in comparison).

Also, I challenge you to show me proof of intelligent discourse in _any_
Freenode channel. It's simply not easy, especially in a channel with 5 or more
active participants in conversations. Try taking your time to make intelligent
points and either people get bored with you or your points get lost in the
scrollback.

------
amitdugar
Slightly OT, Is it possible to have a web application (using popular tech like
RoR, PHP etc.) that cannot be cracked by anyone ?

~~~
EvilLook
Only if the server is switched off and disconnected from the network.

~~~
amitdugar
Ha :) I guessed so .. It is impossible to make an un-crackable system .. not
sure if that is a good thing or bad ...

~~~
ihsw
Every lock has a key. ~Hacker's motto

------
rip747
i'll never understand why way back in the day, someone thought that it would
be a good idea to put all the scripts for the extension tags (like cfform)
under the same parent directory (CFIDE) as the administrator.

------
rth
These kinds of hacks improve the world. Thanks to the hacks (not for
stealing CCs or usernames) for showing once again that there is no f.cking
security in the world.

------
orthecreedence
First mistake: using Coldfusion. Second mistake: keeping it.

------
hexonexxon
Nobody remembers the Linode bitcoin "hack" where it was assumed by bitcointalk
that an admin was looting accounts? I'm surprised anybody still uses them.

~~~
tiredofcareer
It's discussed elsewhere in this thread, and bitcointalk assumed incorrectly.

------
arthulia
The site appears to be down now, so...

<http://pastie.org/private/xedrpvi9lbcfwnz7wvb1a>

------
whoowy
This story can make a movie

------
rweir
and today name.com emailed customers admitting they'd been pwned.

------
orokusaki
The ability for "hackers" to thrive is a necessary price to pay to secure our
rights on the Internet. Trading freedom for security pays nothing, and never
will. Let the FBI work their asses off to try to bust these people.

