Canonical has addressed concerns over a data breach on its forums, explaining what information was stolen and which systems have not been compromised.
Earlier this month, the company's Ubuntu Forums were the subject of a breach, with hackers stealing user information and defacing the website. At the time of the attack, Canonical said that its Ubuntu One, Launchpad, and other Ubuntu/Canonical services were not affected by the breach. However, despite it being clear that the web-forum software vBulletin was to blame, many incorrectly believe that the Linux operating system itself was compromised.
In its latest announcement, Canonical broke down its understanding of how it believes it had been breached.
The initial attack happened on July 14, with a moderator account used to post an announcement on the forum. The announcement itself is believed to have contained a cross-site scripting (XSS) attack, designed to steal the login session information from the victim's browser cookie. The compromised moderator account was then used to message three of the boards' administrators, allowing the attacker to hijack an administrator's login session.
Once armed with the administrator's privileges, the attacker then inserted a "hook" in the vBulletin web-forum software to allow them to execute arbitrary code. This hook was in turn used to upload two shell kits, giving the attacker the same privileges on the server as the process running vBulletin — in this case, it was limited to www-data, an account with restricted access to the server, commonly used only for web services.
While this account doesn't provide root access to the rest of the server, it did allow the attacker to dump user information, making off with the usernames, email addresses, and salted and md5-hashed passwords for 1.82 million users.
The missing pieces of the puzzle are how the attacker originally gained access to the moderator account, and what XSS attack was used as one of the administrators deleted the post that triggered it.
Cleaning up its breach, Canonical has reset all system and database passwords, rebuilt the servers running vBulletin, informed all users, and moved to its Ubuntu Single Sign On system for logins. It has also closed off the ability for hooks to be modified or added, disabled the ability for moderators to potentially post code that could allow XSS attacks, and implemented the automatic expiry of inactive moderator and administrator accounts.
Other good housekeeping measures include reviewing and hardening its server configuration and firewall policies, and forcing HTTPS for administrators and moderators.
Although the forums are now back up, Apple, in contrast, is still having difficulty in bringing its services back online after its Developer services suffered a security breach on the very same weekend.
Despite stating that it was informing customers of the breach "in the spirit of transparency", it has not revealed any information on how the attackers attempted their intrusion. Initially, the company took down its developer centre for two days for no apparent reason, telling users that it was "undergoing maintenance for an extended period". Users later began to suspect foul play when they received unauthorised password reset emails.
Apple has managed to bring more of its services back online today; however, as of the time of writing, four of its 15 services are still not available. It earlier promised to overhaul its developer systems, update its server software, and rebuild its entire database.