In this case, according to Joshua Hesketh, who has been president of the organization since 2013, the exploit in question used a "currently unknown vulnerability." It affected the server hosting the Zookeepr conference management systems for the 2013, 2014 and 2015 national conferences, as well as two PyCon installations of the same.
In a message to the Linux-aus mailing list nearly two weeks after the attack, Hesketh wrote:
the server was subject to an attack by a malicious individual. It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server. … A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia's automated backup processes ran, which included the dumping of conference databases to disk.
The job of the president is to reassure the members, but there is certainly no reason to believe the attacker did not acquire personal information while he or she retained control of the system. To that end, the president stated:
The database dumps that occurred during the breach include information provided during conference registration – First and Last Names, physical and email addresses, and any phone contact details provided, as well as a hashed version of the user password.
He then goes on to soften this statement with a more hopeful one:
Whilst Linux Australia do not believe this was a targeted attack against the Zookeepr conference management system, nor an attempt to harvest details from the system, we are taking the necessary precautions …
If the data on this server was not the target, then what was? Credit card details, at least, were not stored on the server at all:
As Zookeepr uses a third party credit card payment gateway for credit card processing, the database dumps do not contain any credit card or banking details.
However, experienced identity thieves can work with very little to build up a profile of a person and use it to exploit their identity. It is well documented that for some purposes a name and an address are all that are needed. The post also does not say which hashing scheme protected the dumped passwords; a bare, unsalted MD5 or SHA-1 digest can be cracked offline at scale from a dump like this one, whereas a salted, deliberately slow scheme such as bcrypt gives those hashes real protection. This is not to say that the purpose of this hack was specifically identity theft; that cannot be known unless or until the hacker goes public and says why they did it. For all anyone knows, perhaps they weren't "malicious" at all, but rather penetration-testing an organization that, in their view, should know better.
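As an added example of the triage a practitioner does when a "hashed version of the user password" turns up in a dump, the following Python classifies each stored password field by format and shows why a bare digest is close to a plaintext leak. This is example code written for this page, not Zookeepr's or Linux Australia's code; the sample rows, emails and hash strings are constructed, and the scheme names and prefixes are those of common modular-crypt formats, not anything the post states about Zookeepr's storage.

```python
import hashlib
import re

# Constructed sample of a dumped users table: (email, stored password field).
# These rows are invented for illustration and say nothing about how Zookeepr
# actually stored passwords, which the post does not state.
SAMPLE_ROWS = [
    ("alice@example.org", "5f4dcc3b5aa765d61d8327deb882cf99"),          # hex MD5 of "password"
    ("bob@example.org",   "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),  # hex SHA-1 of "password"
    ("carol@example.org", "$2b$12$" + "a" * 53),                         # bcrypt-shaped (fake)
    ("dave@example.org",  "$pbkdf2-sha256$29000$c2FsdA$aGFzaA"),         # PBKDF2, modular crypt format
    ("erin@example.org",  "$6$saltsalt$" + "b" * 86),                    # sha512crypt-shaped (fake)
    ("frank@example.org", "letmein"),                                    # stored in the clear
]

# Modular-crypt-format prefixes of salted, deliberately slow schemes.
SALTED_KDF_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$argon2": "argon2", "$pbkdf2": "pbkdf2", "$scrypt": "scrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt",
}
# Hex digest lengths of fast hashes commonly stored bare (no salt, no stretching).
BARE_DIGEST_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def classify_hash(stored: str):
    """Return (category, scheme) for one stored password field.
    A hex-only plaintext of digest length would be misread as a digest;
    that edge case is accepted for a triage pass."""
    for prefix, scheme in SALTED_KDF_PREFIXES.items():
        if stored.startswith(prefix):
            return ("salted-kdf", scheme)
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in BARE_DIGEST_BY_LEN:
        return ("bare-digest", BARE_DIGEST_BY_LEN[len(stored)])
    return ("plaintext-or-unknown", None)


def triage(rows):
    """Count categories and list accounts whose field offers little protection."""
    counts = {}
    at_risk = []
    for email, stored in rows:
        category, scheme = classify_hash(stored)
        counts[category] = counts.get(category, 0) + 1
        if category != "salted-kdf":
            at_risk.append((email, category, scheme))
    return counts, at_risk


# A few guesses a cracker tries first; real wordlists run to millions of entries.
TINY_WORDLIST = ["123456", "password", "qwerty", "letmein"]


def crack_bare_digests(rows, wordlist=TINY_WORDLIST):
    """Recover passwords for bare-digest rows by hashing each guess once per scheme.
    With no per-user salt, one digest per guess covers every account at once,
    which is why a dump of unsalted hashes is close to a plaintext dump."""
    table = {}
    for scheme in set(BARE_DIGEST_BY_LEN.values()):
        for guess in wordlist:
            table[hashlib.new(scheme, guess.encode()).hexdigest()] = guess
    recovered = {}
    for email, stored in rows:
        category, _ = classify_hash(stored)
        if category == "bare-digest" and stored.lower() in table:
            recovered[email] = table[stored.lower()]
        elif category == "plaintext-or-unknown" and stored in wordlist:
            recovered[email] = stored
    return recovered


if __name__ == "__main__":
    counts, at_risk = triage(SAMPLE_ROWS)
    print(counts)
    for entry in at_risk:
        print("at risk:", entry)
    print("recovered:", crack_bare_digests(SAMPLE_ROWS))
```

Run against a real dump, the interesting output is the split between salted-kdf rows and everything else: the bcrypt, PBKDF2 and sha512crypt rows survive the same tiny wordlist untouched because each would need its own salted, stretched computation per guess, while the two bare digests and the cleartext row fall to four guesses.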
The post then listed a number of fixes the organization had undertaken, and issued a call for help from security experts as well as Computer Emergency Response Teams to "determine the method the attacker utilised to gain access to the system." This would, of course, be a very valuable bit of information at this point.