How Linux Australia Handled Its Recent Data Breach

How Linux Australia Handled Its Recent Data Breach

Data breaches have sadly become more common, though organisations are slowly beginning to learn the best way to handle them. Rather than hide the fact from those affected, Linux Australia has provided an extremely detailed and transparent account to its members explaining how its servers were hacked, what information was taken and how it has responded.

Photo by Kurt Bauschardt / Flickr, licensed under Creative Commons 2.0

In an email, Linux Australia revealed that its servers where compromised during the morning of 22 March. Over the course of a few hours, the organisation believes its databases containing conference information were dumped to an external source. A “currently unknown vulnerability” caused a buffer overflow that allowed the hacker to acquire root access.

In terms of the data stolen, Linux Australia reports “there is no indication that personal information was removed from the server”, however, it has approached the issue from the position of the “worst case situation”. Potentially, the intruder could have access to names, addresses — both electronic and physical — phone numbers and hashed passwords of conference attendees.

The organisation has taken the following actions as a result of the breach:

  • The Admin Team immediately suspended all non-admin system accounts on the Zookeepr server to quarantine all information relating to the attack.
  • The remote access software and botnet software were isolated and the init scripts removed from the system for later assessment.
  • The ‘rkhunter’ software was installed for the first time, and multiple test scans were run.
  • The system underwent a number of reboots to ensure the software installed by the attacker was removed.
  • The modification time of shell history files were checked, and then the file contents were inspected to ascertain the activities of the attacker
  • Logs were checked in an effort to ascertain the method the attacker used to gain access.
  • All other Linux Australia servers hosted on the hardware were assessed and where required, their security measures were increased.

In addition, it has instigated a number of protective measures:

  • The compromised host is being decommissioned.
  • A new host was built, and the PyCon Australia 2015 production instance was re-deployed onto the new Zookeepr host.
  • This new host is enforcing key-based logins only, and a number of other security measures have been applied to attempt to limit the attack surface.
  • The new host will have tighter restrictions for services facing the internet
  • The new host will have a far more rigorous operating system updating schedule applied to it.
  • Logs are duplicated to a central log server where a log analysis tool has been installed, this will alert the Admin Team to suspicious activity when detected.
  • System user accounts on the new server will be expired 3 months after the conference ends (with special arrangements for PyCon Australia’s 24-month cycle).
  • and PyCon Australia sites will be converted to HTML copies 6 months after the conclusion of the conference. The conference’s Zookeepr database will then be archived and stored on a separate server, and the database deleted from the ZooKeepr server.

There’s a lot of detail there for those who are technically minded, but given the audience, it’s entirely appropriate and even welcomed. While such information would be lost on the average user, other companies could learn from Linux Australia’s forthright approach.

If you have further concerns, are a Linux Australia member or have attended conferences held by the organisation in the past, contact [email protected].