Canonical bares breach details as Apple continues security silence

Summary: With two operating system developers experiencing attacks on the same weekend, one has opened up, shared exactly what it knows, and returned its services to life, while the other has stayed silent.

TOPICS: Security, Apple, Linux, Ubuntu

Canonical has addressed concerns over a data breach on its forums, explaining what information was stolen and which systems have not been compromised.

Earlier this month, the company's Ubuntu Forums were the subject of a breach, with hackers stealing user information and defacing the website. At the time of the attack, Canonical said that its Ubuntu One, Launchpad, and other Ubuntu/Canonical services were not affected by the breach. However, despite it being clear that the web-forum software vBulletin was to blame, many incorrectly believe that the Linux operating system itself was compromised.

In its latest announcement, Canonical broke down its understanding of how it believes it had been breached.

The initial attack happened on July 14, with a moderator account used to post an announcement on the forum. The announcement itself is believed to have contained a cross-site scripting (XSS) attack, designed to steal the login session information from the victim's browser cookie. The compromised moderator account was then used to message three of the boards' administrators, allowing the attacker to hijack an administrator's login session.
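The two controls that blunt exactly this kind of session theft are output escaping of moderator-supplied markup and cookie flags that keep the session identifier out of reach of page scripts. The following Python block is an added illustration, not code from Canonical or vBulletin; the announcement text, the script payload shape and the cookie name are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a forum announcement with an injected script tag.
# The payload shape is illustrative only, not the one used in the real attack.
SAMPLE_ANNOUNCEMENT = (
    "Scheduled maintenance tonight. "
    "<script>alert(document.cookie)</script>"
)


def render_unsafe(body: str) -> str:
    """Vulnerable pattern: user-supplied text is interpolated into the page as markup."""
    return f'<div class="announcement">{body}</div>'


def render_escaped(body: str) -> str:
    """Hardened pattern: HTML metacharacters are escaped, so the browser shows text."""
    return f'<div class="announcement">{html.escape(body, quote=True)}</div>'


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line whose flags keep the session id out of document.cookie
    (HttpOnly), off plaintext connections (Secure) and out of cross-site
    requests (SameSite=Strict)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_ANNOUNCEMENT))
    print(render_escaped(SAMPLE_ANNOUNCEMENT))
    print(session_cookie_header("constructed-session-id"))
```

Escaping stops the injected script from executing at all; the HttpOnly flag is the second layer, so that even a script which does run cannot read the session cookie and hand it to an attacker. Both are cheap, and the article's later note that Canonical disabled moderators' ability to post code corresponds to the escaping half.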

Once armed with the administrator's privileges, the attacker then inserted a "hook" in the vBulletin web-forum software to allow them to execute arbitrary code. This hook was in turn used to upload two shell kits, giving the attacker the same privileges on the server as the process running vBulletin — in this case, it was limited to www-data, an account with restricted access to the server, commonly used only for web services.

While this account doesn't provide root access to the rest of the server, it did allow the attacker to dump user information, making off with the usernames, email addresses, and salted and md5-hashed passwords for 1.82 million users.
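A per-user salt stops precomputed tables from being reused across the 1.82 million records, but MD5 is so fast that each record can still be guessed at very high rates offline. The usual fix is a deliberately slow, salted password hash, migrated transparently the next time each user logs in. The Python block below is an added example, not Canonical's code; the record formats, the 600,000 iteration work factor and the sample passwords are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for the replacement scheme (illustrative value).
PBKDF2_ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def legacy_md5_record(password: str, salt: bytes) -> str:
    """Assumed storage format for the weak scheme: 'md5$<salt>$<hex digest>'.
    The salt defeats precomputed tables, but a single MD5 is cheap to compute,
    so each record remains easy to guess offline."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${_b64(salt)}${digest}"


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted replacement: 'pbkdf2_sha256$<iterations>$<salt>$<key>'."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(key)}"


def verify(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either record format.

    Returns (ok, upgraded_record): when a legacy md5 record verifies, a fresh
    pbkdf2 record is returned so the caller can replace the stored one on
    this login; otherwise the second element is None."""
    parts = record.split("$")
    if parts[0] == "md5" and len(parts) == 3:
        salt = _unb64(parts[1])
        digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(digest, parts[2])  # constant-time compare
        return ok, (pbkdf2_record(password) if ok else None)
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        iterations = int(parts[1])
        salt = _unb64(parts[2])
        expected = _unb64(parts[3])
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        return hmac.compare_digest(key, expected), None
    raise ValueError("unknown password record format")


if __name__ == "__main__":
    old = legacy_md5_record("correct horse battery", b"constructed-salt")
    ok, upgraded = verify("correct horse battery", old)
    print(ok, upgraded[:30] + "...")
```

The migration path matters because the plaintext is only available at login; a site that moves to a slow hash but never rehashes old records leaves the dumped MD5 values just as guessable as before. Canonical's move to its Single Sign On system takes the forum out of the password-storage business entirely, which is the stronger option where it is available.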

The missing pieces of the puzzle are how the attacker originally gained access to the moderator account, and which XSS payload was used, since one of the administrators deleted the post that triggered it.

Cleaning up its breach, Canonical has reset all system and database passwords, rebuilt the servers running vBulletin, informed all users, and moved to its Ubuntu Single Sign On system for logins. It has also closed off the ability for hooks to be modified or added, disabled the ability for moderators to potentially post code that could allow XSS attacks, and implemented the automatic expiry of inactive moderator and administrator accounts.

Other good housekeeping measures include reviewing and hardening its server configuration and firewall policies, and forcing HTTPS for administrators and moderators.

Although the forums are now back up, Apple, in contrast, is still having difficulty in bringing its services back online after its Developer services suffered a security breach on the very same weekend.

Despite stating that it was informing customers of the breach "in the spirit of transparency", it has not revealed any information on how the attackers attempted their intrusion. Initially, the company took down its developer centre for two days for no apparent reason, telling users that it was "undergoing maintenance for an extended period". Users later began to suspect foul play when they received unauthorised password reset emails.

Apple has managed to bring more of its services back online today; however, as of the time of writing, four of its 15 services are still not available. It earlier promised to overhaul its developer systems, update its server software, and rebuild its entire database.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

44 comments
  • That was very informative.

    "However, despite it being clear that the web-forum software vBulletin was to blame, many incorrectly believe that the Linux operating system itself was compromised."

    I wonder how many of those people falsely blaming Linux were frequenting these message boards?
    Zogg
    • Re: people falsely blaming Linux

      Calling Lovedog Rabidson...
      ldo17
      • @ldo17

        I don't think he believed what he said. It's more like he wants to spit venom on Linux. However, few of my friends are foolish enough to claim that Linux is at fault because of its openness. Go figure.
        spicycheeks
        • open source software does have a weakness in security

          If malicious person gained root access on the machine, and replace some software on the machine, you will be hard to detect such change.
          With open source, it is easy for a malicious person to download the source code, make some changes, generate binaries, and use the modified one to replace the one installed on the system. It just doesn't make sense if you use also open source file integrity monitoring software to detect whether software installed on the system got changed or not.
          wzis
          • Re: you will be hard to detect such change

            That happened to a machine belonging to one of my clients once. It was my first exposure to a rootkit. I spotted it after a total of maybe a couple hours' use.
            ldo17
          • There is no clear evidence that open source software is more or less secure

            Probably it's the same: on one side people know all about the code, on the other side there are more "good" eyes looking at it.

            There are many different ways of doing the same with the same success, in IT, politics, ...
            AleMartin
          • At least you can be sure there are no NSA backdoors...

            With China, Russia and the USA all using Linux in critical environments you can be sure they will monitor each other's code changes very very well... resulting in neither side being able to implement backdoors or malicious code.
            On the other hand, MS has an NSA backdoor in its online services - therefore it is not unlikely at all they implemented a backdoor in Windows as well!
            hacho
          • Initially, the open source Linux system could be more secure

            It's true, when you install RHEL Linux in the US, you can trust its security. But if some malicious person gained root access on the system and replaced some software packages with modified versions, for example PAM, or ls, or ..., how many of you can detect such a change?
            Of course, if you install closed source software made by your enemy country's security agency, you have very good reason to suspect that program could have a backdoor, and in that sense, open source software will be better.
            But for a malicious person attacking a piece of software, open source will make it easier to achieve the target. Just an example: the openssh ssh-agent's source code is available, so a malicious person could study the code; then, when you use it to store the private key, the malicious person on the machine with root access could steal the unencrypted private key from the ssh-agent's memory. But for SSH.com's ssh-agent, as its source code is not publicly available, a malicious person will find it harder to understand where the key is stored and steal the key.
            wzis
          • Re: It just doesn't make sense if you use also open source file integrity..

            It makes more sense than your opinion.

            Being open source, does not change any piece of software's integrity. Fact is, open source is way easier to audit and fix.

            For some reason, you got confused in your premises. The technique to upload source code and compile software has nothing to do with open source. It has more to do with attacking unknown or weird architectures. It is just as easy and widely practiced to compile the code outside the targeted system for both "closed" and "open" source platforms.

            Finally, good practice is for production systems to not contain any compilers etc.
            danbi
          • wzis: "If malicious person gained root access"

            Root access is highly overrated. And it's not relevant to this incident.

            Did you not read that the miscreants absconded with "usernames, email addresses, and salted and md5-hashed passwords for 1.82 million users"? The non-root account compromised was the www-data user.

            And just to drive this point a bit further, at Pwn2Own, the hackers win prizes by owning the user account rather than the Administrator, System or root accounts (depending on the OS involved). Whether a smartphone, tablet, desktop or server, the data lives in user accounts.
            Rabid Howler Monkey
          • It's a big IF

            >>If malicious person gained root access
            If someone gets root access to ANY machine, all your bases on this machine belong to him/her.
            eulampius
          • Physical security

            Yes, with any machine you have to be able to control physical access to have a secure machine. No security at all without it.
            Altotus
          • "open source software does have a weakness in security"

            So Wzis,

            I take it from your post that compilers aren't available for closed source programs, where a knowledgeable individual couldn't create a functionally equivalent system program (ping and nslookup and tracert anyone?), with a few extra "features" thrown in?
            phobet@...
          • wrong

            patching the binary with malicious code results in a different binary size and breaks the package checksum, which makes it easily detectable by the security features of the package manager.
            On the other hand, it is also possible to patch Windows binaries or, even easier, just name the malicious program as a common Windows process (as is frequently done anyway).
            Blaming Linux for its openness is either total ignorance of the facts, FUD or just dumb.
            hacho
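The thread above turns on whether a replaced binary can be detected. The comment about package checksums is the key: a package manager keeps a manifest of expected file digests (dpkg's per-package md5sums files, or `rpm -V` on RPM systems), and any integrity monitor works the same way, by comparing a stored baseline against the files now on disk. The Python block below is an added, generic illustration of that comparison, written by the editor rather than any commenter; the fake `bin/` and `etc/` tree, its file contents and the simulated tampering are all constructed inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a POSIX relative path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = file_sha256(path)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose digest changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo_tamper_detection() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a tiny fake system tree, then simulate a
    replaced binary, an unexpected new file and a deleted file, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        (root / "etc").mkdir()
        (root / "etc" / "pam.conf").write_bytes(b"auth required pam_unix.so\n")
        before = build_baseline(root)

        # Simulated changes made after the baseline was taken (constructed).
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed) patched")
        (root / "bin" / "unexpected_helper").write_bytes(b"file that was not in the baseline")
        (root / "bin" / "ps").unlink()

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo_tamper_detection().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the baseline: it has to be stored where the compromised host cannot rewrite it (read-only media, a signed package manifest, or a separate monitoring host), otherwise an attacker with root simply updates the digests alongside the files. That caveat, not whether the source is public, is what decides whether the substitution described in the thread gets noticed.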
    • People are idiots

      If an Apple or Microsoft forum got hacked they would do the same thing.
      Dreyer Smit
    • @Zogg

      Very few, I would say ;-)
      spicycheeks
    • Linux Security Modules

      While the vulnerability [unknown] used by the exploit is in the vBulletin software, have a look at the OS hardening Canonical has implemented as a result of this attack (linked in the article):

      o "We’ve confined vBulletin with an AppArmor profile"

      AppArmor is a Linux kernel feature known as a Linux Security Module (LSM). DTS is right, folks. Use LSMs to harden your Linux systems and protect against arbitrary code execution whether smartphone, tablet, desktop or server.
      Rabid Howler Monkey
      • would like to

        point you to the fact that vBulletin is a proprietary software. Shame on Canonical to use it in the first place. Moreover, I believe they still are using it.
        eulampius
        • My thoughts too

          What are they thinking using vBulletin. First it is proprietary software, second it is a big hacker target (likely sloppy coding). When the news first broke I went to YouTube and did a search for "vBulletin" and found a wealth of howtos on the subject. As I pointed out on the first article thread, the Ubuntu Forum for Italy had switched from vBulletin a year ago to the open-source phpBB. I would have thought that the international forum would follow that move too.
          DancesWithTrolls
          • they are changing to another forum software

            it seems they are planning to change it to another open source forum software (like the new generation of forums) but it is still not very widely used (may be vulnerable to many attacks); right now it's still in beta testing by Canonical at http://test.ubuntu-discourse.org/
            Moez Bouhlel