From president at linux.org.au Sat Apr 4 16:42:38 2015
From: president at linux.org.au (Joshua Hesketh)
Date: Sat, 04 Apr 2015 16:42:38 +1100
Subject: [Announce] Linux Australia server breach
Message-ID: <551F79CE.8030601@linux.org.au>

Dear Linux Australia Members and Conference Attendees,

In accordance with our values of transparency and openness, we wish to inform you of a security breach of Linux Australia's servers. This incident has resulted in the possible, but not confirmed, release of personal information. This communication provides full disclosure of the nature of the breach, the actions undertaken by Linux Australia to remediate it, and the actions we now request you undertake to secure your personal data.

In line with guidelines provided by the Office of the Australian Information Commissioner, specific information regarding the data breach, and the data which may have been disclosed, is outlined below.

What was the nature of the breach and how did the breach occur?
---------------------------------------------------------------

Between 0600 and 1100hrs (AEDT) on the 22nd of March, a large number of error reporting emails were sent by the Conference Management (Zookeepr) hosting server. This server hosted the conference systems for linux.conf.au 2013, 2014 and 2015, and for PyCon Australia 2013 and 2014. The error emails were generated by the automatic deployment of code merges to the various Zookeepr instances, and it is not uncommon for large numbers of these to be generated as generalised network routing or other issues occur.

Upon investigation of the source of these error emails on the 24th of March, it was discovered that between 0400 and 0600hrs (AEDT) on the 22nd of March, the server was subject to an attack by a malicious individual. It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server.
A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia's automated backup processes ran, which included the dumping of conference databases to disk.

In response, Linux Australia have undertaken a number of steps to minimise the immediate damage. These are outlined below. Whilst there is no indication that personal information was removed from the server, the logical course of action is that we operate on a worst case situation, and proceed on the belief that this has occurred.

What type of personal information was possibly disclosed?
---------------------------------------------------------

The database dumps which occurred during the breach include information provided during conference registration - First and Last Names, physical and email addresses, and any phone contact details provided, as well as a hashed version of the user password.

As Zookeepr uses a third party credit card payment gateway for credit card processing, the database dumps do not contain any credit card or banking details. The payment processing process on the Zookeepr system was specifically designed to send minimal information to the payment gateway, and as a result only receive back a payment success or failure code. All other payment details are handled by the payment provider's systems. Therefore, credit card information was not disclosed.

How was the breach identified, investigated and validated?
----------------------------------------------------------

Linux Australia's experienced and respected Admin Team implements a separated three-person response protocol for all incidents. In this methodology, after the initial notification, one member of the Admin Team is removed from the assessment, and is not briefed on what the other two find in their collaborative assessment.
Once this is complete, the third person then investigates the reported incident and develops their own assessment, without bias or prejudice. The results are then discussed and any anomalies are scrutinised and assessed by all three members, and, if needed, undergo further investigation until all members of the team have confirmed the discoveries and results.

What are the implications of the security breach and what should I do?
----------------------------------------------------------------------

Whilst Linux Australia do not believe this was a targeted attack against the Zookeepr conference management system, nor an attempt to harvest details from the system, we are taking the necessary precautions to review, remediate and minimise the risk of exposure to attacks similar to this.

How did Linux Australia respond to the breach?
----------------------------------------------

- The Admin Team immediately suspended all non-admin system accounts on the Zookeepr server to quarantine all information relating to the attack.
- The remote access software and botnet software were isolated and the init scripts removed from the system for later assessment.
- The 'rkhunter' software was installed for the first time, and multiple test scans were run.
- The system underwent a number of reboots to ensure the software installed by the attacker was removed.
- The modification times of shell history files were checked, and then the file contents were inspected to ascertain the activities of the attacker [0].
- Logs were checked in an effort to ascertain the method the attacker used to gain access.
- All other Linux Australia servers hosted on the hardware were assessed and, where required, their security measures were increased.

What steps were taken to prevent the threat of a similar breach in the future?
------------------------------------------------------------------------------

- The compromised host is being decommissioned.
- A new host was built, and the PyCon Australia 2015 production instance was re-deployed onto the new Zookeepr host.
- This new host is enforcing key-based logins only, and a number of other security measures have been applied to attempt to limit the attack surface.
- The new host will have tighter restrictions for services facing the internet.
- The new host will have a far more rigorous operating system updating schedule applied to it.
- Logs are duplicated to a central log server where a log analysis tool has been installed; this will alert the Admin Team to suspicious activity when detected.
- System user accounts on the new server will be expired 3 months after the conference ends (with special arrangements for PyCon Australia's 24-month cycle).
- linux.conf.au and PyCon Australia sites will be converted to HTML copies 6 months after the conclusion of the conference. The conference's Zookeepr database will then be archived and stored on a separate server, and the database deleted from the ZooKeepr server.

I'm a previous linux.conf.au/PyCon Australia attendee. What should I do?
------------------------------------------------------------------------

For your security, we strongly encourage you to change your passwords on other web services if the same password may have been used when registering for our conferences. This would also include your Mozilla Persona accounts if you have chosen to use this method for authentication [1].

In the interests of improving your online security, it is recommended that a one time password service be used in the future for any accounts you may create on any web services, including Linux Australia's conference websites.

Has assistance been offered to Linux Australia?
-----------------------------------------------

No assistance has been offered; however, Linux Australia is interested in working with relevant Australian based Computer Emergency Response Teams (CERT) or accredited computer security experts to determine the method the attacker utilised to gain access to the system.

Who should I contact for more information?
------------------------------------------

Thank you for your patience, understanding and support. If you have any questions or concerns, please do not hesitate to contact the Linux Australia Council at council at linux.org.au, or if you would like to speak in camera please contact the Secretary at secretary at linux.org.au [2].

Signed,
The Linux Australia Council

[0] Shell history files do not appear to have been modified or removed by the attacker, as a result of which the Admin Team were (to a large extent) able to interpret the activities undertaken on the machine during the incident.

[1] Whilst Mozilla Persona provides a central authentication token that verifies the user identity in a way that does not expose the password to the system being authenticated to, it was necessary for users of Mozilla Persona to set a password on the Zookeepr system to be able to edit the conference wiki.

[2] Please note that this is an archived email address but steps will be taken to protect your privacy.

From dtbell91 at gmail.com Wed Apr 22 20:44:25 2015
From: dtbell91 at gmail.com (David Bell)
Date: Wed, 22 Apr 2015 20:44:25 +1000
Subject: [Announce] linux.conf.au 2016 dates and venue confirmed 1st-5th Feb 2016
Message-ID:

The linux.conf.au 2016 Geelong - LCA By the Bay team is thrilled to confirm dates and venue for LCA 2016.
The conference will happen between 1st-5th February at Deakin University's architecturally spectacular Waterfront campus, situated just a block from the cafe and foodie precinct of Eastern Beach, and two blocks from Geelong's vibrant CBD.

The Call for Presentations (CfP) for linux.conf.au is expected to open in June.

Potential Delegates and Speakers are encouraged to remain up to date with conference news through one of the following channels:

Website: http://lcabythebay.org.au
Twitter: @linuxconfau, hashtag #lca2016
Facebook: https://www.facebook.com/lcabythebay
Google+: https://www.google.com/+LcabythebayOrgAu
Lanyrd: http://lanyrd.com/2016/linuxconfau/
IRC: #linux.conf.au on freenode.net
Email: info at lcabythebay.org.au
Announce mailing list: http://lists.linux.org.au/mailman/listinfo/lca-announce

We warmly encourage you to forward this announcement to technical communities you may be involved in.

Kind regards,
David

--
David Bell
Conference Director
linux.conf.au 2016
@linuxconfau
info at lcabythebay.org.au
http://lcabythebay.org.au
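The shell-history triage step listed in the breach announcement above (checking which users' history files were modified inside the 0400-0600 attack window before reading them), as an added example that is not part of either email and not Linux Australia's own tooling; the home-directory layout, user names and timestamps are constructed, and the function assumes it is pointed at a directory of per-user homes.

```shell
#!/bin/sh
# Added example, not from the Linux Australia announcement. Lists shell
# history files whose mtime falls inside an incident window, so that only
# those files need to be read by hand. Uses two reference files with POSIX
# find(1) -newer rather than the GNU-only -newermt, so it runs on most systems.

# history_touched_in_window ROOT START END
#   ROOT  : directory holding per-user home directories (assumption)
#   START : window start as a POSIX touch(1) timestamp, YYYYMMDDhhmm.SS, local time
#   END   : window end in the same format
history_touched_in_window() {
    root=$1; start=$2; end=$3
    ref=$(mktemp -d) || return 1
    touch -t "$start" "$ref/start"
    touch -t "$end"   "$ref/end"
    # Strictly newer than START and not newer than END.
    find "$root" -type f \( -name .bash_history -o -name .zsh_history \
         -o -name .sh_history \) -newer "$ref/start" ! -newer "$ref/end"
    rm -rf "$ref"
}

# Constructed sample: three home directories; only "deploy" has a history
# file touched inside the announcement's 0400-0600 window on 22 March 2015.
build_sample() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/alice" "$sample/deploy" "$sample/bob"
    printf 'ls\n' > "$sample/alice/.bash_history"
    printf 'ls\n' > "$sample/deploy/.bash_history"
    printf 'ls\n' > "$sample/bob/.zsh_history"
    touch -t 201503200930.00 "$sample/alice/.bash_history"   # before window
    touch -t 201503220512.00 "$sample/deploy/.bash_history"  # inside window
    touch -t 201503221300.00 "$sample/bob/.zsh_history"      # after window
    echo "$sample"
}

# count_hits ROOT: number of history files modified during the incident window
count_hits() {
    history_touched_in_window "$1" 201503220400.00 201503220600.00 | wc -l | tr -d ' '
}
```

As footnote [0] of the announcement implies, mtimes are only useful evidence when the attacker did not modify or remove the history files, so a hit list of zero is not proof of inactivity.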