Linode probe into 2015 crack finds fake 2FA creds flaw
New API, policies and open source manager added to ward off future stolen creds attacks
Hosting outfit Linode has announced a slew of changes to its user procedures after a long analysis of the attack that led to a system-wide password reset in January. It's also determined that the breach was the result of customer credential theft.
The company's post-mortem of the issue, published here, notes that the December 2015 breach – and an earlier breach in July 2015 – both appeared to have resulted from stolen customer credentials being used by fraudsters.
One new breach revealed by the investigation is that an attacker somehow worked out a way to generate valid two-factor authentication keys, something which the company says “significantly changed the seriousness of our investigation”, even though it doesn't seem to have been related to any logins.
“After examining the image from our July investigation, we discovered software capable of generating TOTP* codes if provided a TOTP key. We found software implementing the decryption method we use to secure TOTP keys, along with the secret key we use to encrypt them. We also found commands in the bash history that successfully generated a one-time code,” the post states.
(*TOTP is the Time-based One-time Password Algorithm-based method, used by systems like Google Authenticator to generate 2FA tokens. In November, a security researcher warned that if the TOTP implementation used the NTP daemon as its time input, it might be vulnerable at the sysadmin level, by someone manipulating the time the daemon offers to TOTP.)
Back to Linode: in both cases, its investigation supports the idea that someone is successfully stealing credentials, rather than stealing them through vulnerability in the data host's infrastructure.
However, the investigation also identified places where processes needed hardening, so Linode's announce the following:
- Authentication – the company says it's replaced SHA-256 salted hashing of passwords with bcrypt. It's also created an “authentication microservice” that completely separates customer applications from customer credentials. Instead, credentials are split off into the microservice, and an application asking for authentication receives only “yes” or “no”.
- Credit card tokenisation – the company says credit cards haven't been compromised, but this feature adds another layer of protection.
- Policies – the company is revamping its own security policies based on the NIST framework, most particularly to create security zones in its infrastructure, cutting the number of employees with access to “sensitive systems and data”.
Other changes over time will include new Linode Manager Notifications, adding a new “senior level security expert” to the company's team, and a new API it expects to reveal as in alpha in the next few weeks.
That API will be supported by an open-source version of its Linode Manager.
The company also noted that the DDoS attack it suffered in December/January still seems unrelated to the customer credential theft, and nobody seems to have exploited the SSH bug it discovered in February. ®