[Linux-aus] Linux Australia archived wiki data leak

Joshua Hesketh president at linux.org.au
Sun Nov 22 13:43:36 AEDT 2015

Dear Linux Australia Members,

It is with regret that we write to inform you of a data leak from one of
Linux Australia's servers. The incident has resulted in the release of a
limited amount of personal information and this communication provides
full disclosure of the nature of the leak and the actions undertaken by
Linux Australia.

We wish to be very clear from the outset that only a very small number
of individuals have been affected by this in any way (See below).
However, in accordance with our values of transparency and openness, we
believe it is correct to share this with the wider community as a matter
of best practice.

Am I affected (tl;dr)?

This data leak impacted Linux Australia's legacy wiki system, which was
only used by a small number of current and non-current members (Approx
0.5%). We are contacting these members individually with specific
details. If you are not contacted separately by a member of the Linux
Australia Council regarding this data leak, you will not have had an
account (or other info) on the archived wiki and the data leak will not
affect you.

Further Details:

In line with guidelines provided by the Office of the Australian
Information Commissioner, specific information regarding the data leak,
and the data which may have been disclosed, is outlined below.

Whilst the nature of this leak is small and the majority of our members
are not impacted, the Linux Australia council believe that making these
issues public is the correct approach. Security is a continual journey
and when issues are discovered, we believe transparency is critical in
maintaining the trust of our membership. We encourage all organisations
to be open and transparent when faced with similar incidents, no matter
how trivial they may seem.

What was the nature of the leak and how did the leak occur?

The council maintained a wiki which contained both public and private
information - pages such as conference HowTo's, council minutes and
(limited) contact details. Some years ago (around 2011) the council
moved to a new mediawiki system and archived the existing wiki on a
separate site for historical reference.

Within the last 6-12 months the archived wiki deployment was
misconfigured and apache directory listings was enabled. Due to the
nature of the wiki system used, this exposed all of the wiki data, both
pages and system information.

What type of personal information was disclosed?

The council have meticulously combed through all data contained in the
website in order to determine exactly what was made available.

At a high level, all of the archived wiki data was exposed including,
but not limited to:
 - All wiki pages, including protected ones. These were examined
individually for potentially sensitive data.
 - Account information including email addresses and hashed passwords.

Please note that the accounts are NOT the user IDs and passwords for the
Linux Australia membership system or associated Conference/Event sites
(eg linux.conf.au or PyConAU). This is limited only to those people who
had logons to the wiki.

How was the leak identified, investigated and validated?

The council was alerted to the data leak by a community member. Since
the wiki was unused it went unnoticed for a period of time.

Once alerted the admin-team and council immediately took the website
offline. This removed access to the exposed data. From there an
inspection of the data took place.

What are the implications of the data leak and what should I do?

If you had an account on the wiki, your email address and hashed
password may have been exposed. These accounts however were only created
by a limited number of Linux Australia members and we are reaching out
individually to people who are affected by this. If you are not
contacted separately by us and don't specifically recall creating a wiki
account, it is highly unlikely that you are impacted.

How did Linux Australia respond to the leak?

The Admin Team immediately removed the website, including contents.

Once the website was removed, the Council examined the data to identify
each page of the archived wiki that may be deemed sensitive or reveal
personal information.

Was this related to the earlier linux.conf.au breach?

No. The events are entirely unrelated. Unfortunately this has been a
tough and busy year for the council and admin-team. The archived wiki
leak is partially the result of limited human resources we have helping
maintain both the systems and content of our websites and services. If
you would like to help out, please contact us (see below).

What steps were taken to prevent the threat of a similar leak in the future?

The Linux Australia Council invites members to assist with the
upkeep/maintenance of our webpages and the current wiki. We are a
volunteer organisation and many hands do make for light work.

The Linux Australia Council and Admin Team are currently reviewing  or
have completed the following:

 - Moved sensitive information into a secure password database.
 - Identified and started the shutdown of unused services such as our
current wiki.
 - A review of our current websites is underway with the view to update,
upgrade and/or deprecate unused features.
 - The identified exposed data has been taken offline
 - A Motion by JOSHUA HESKETH was passed unanimously during the Council
   Face-to-face meeting: "At least once per year the council will review
all websites that contain sensitive information including how the data
is being stored and secured. Following this, a determination will be
made around whether the current methodology is still adequate or if
processes need to be improved. All information that is no longer
required will be deleted or moved into an offline archive."

Who should I contact for more information?

Thank you for your patience, understanding and support. If you have any
questions, concerns or wish to express interest in assisting us with the
maintenance of our services, please do not hesitate to contact the Linux
Australia Council at council at linux.org.au or if you would like speak in
camera please contact the Secretary at secretary at linux.org.au [0].

The Linux Australia Council

[0] Please note that this is an archived email address but steps will be
taken to protect your privacy.

More information about the linux-aus mailing list