Linux Australia conference delegate data exposed

Linux Australia president Joshua Hesketh, says that a "malicious individual" had used a RAT to access Linux Australia's main conference database resulting in a data breach.

Shellshock vulnerabilities exploited in the wild
Shellshock vulnerabilities exploited in the wild

The personal details of thousands of Linux conference delegates and users may have been leaked after open-software organisation, Linux Australia, admitted over Easter that it has suffered a data breach.

The organisation's president, Joshua Hesketh, said In a 4 April statement that a “malicious individual” had used a remote access Trojan (RAT) to access Linux Australia's main conference database.

[http://lists.linux.org.au/pipermail/linux-aus/2015-April/022049.html]

The hacker installed a botnet control system on the server and, while they had access, the organisation's conference data was dumped to disk – including the names, addresses, emails and hashed passwords of all the delegates attending its recent “internationally renowned” conferences and events.

Hesketh said: “Whilst there is no indication that personal information was removed from the server, the logical course of action is that we operate on a worst-case situation, and proceed on the belief that this has occurred.”

He insisted the at-risk data does not include any delegate's credit card or banking details, as these were processed elsewhere.

The number of attendees affected has not been revealed, but Linux Australia represents around 5,000 users and developers of free software and open technologies.

Linux Australia said it was formally giving details of the breach two weeks after it occurred on 22 March, following guidelines set by the Australian Information Commissioner.

It discovered the attack two days after it happened, and set up a three-person reponse team to investigate. But they still do not know how the attacker got in.

“The individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server,” Hesketh admitted.

So he has appealed for help from “relevant computer emergency response teams (CERTs) or accredited computer security experts to determine the method the attacker utilised to gain access to the system”.

Meanwhile, Linux Australia has shut down the compromised server and set up a new host, with tighter internet access controls and stronger security measures.

Hesketh added: “The new host will have a far more rigorous operating system updating schedule applied to it.”

Despite the breach, Linux Australia has won praise from UK-based cyber-security experts for its open response.

In an email to SCMagazineUK.com, Amar Singh, chair of the ISACA UK Security Advisory Group and founder of the Cyber Management Alliance, said: “Kudos to the Linux Australia team for being what appears to be fully transparent about the attack and their detailed response.

“No system will ever be 100 percent secure but the ability to respond and manage the breach is what makes the difference, both in terms of regulatory compliance and in maintaining and even building customer trust.”

Cigital principal consultant Paco Hope agreed, telling us via email: “Some firms try hard to limit information about the extent of breaches - RSA was notoriously slow to explain what happened in their 2011 breach.

“The Linux Australia breach reflects the value of openness in most Linux and open-source initiatives. They treat security data like any other data, and make it available broadly rather than hiding it.”

Hope said the organisation's response was in line with most international government advice on breaches which favour disclosure to end users, including US President Obama's recommendations in January for stricter disclosure laws.

In terms of what Linux Australia – and other organisations – could do to protect against breaches, Singh said: “What stands out, again, is that businesses need to focus more on the basic principles, basic control measures such as rigorous patching schedules, log analysis, and a comprehensive vulnerability management regime that should also include penetration testing activities.”

The data exposed in the breach was held on Linux Australia's ‘Zookeepr' conference management system and related to its 2013-2015 annual conferences and its 2013 and 2014 PyCon events on the Python programming language.

Hesketh advised the delegates concerned: “We strongly encourage you change your passwords on other web services if the same password may have been used when registering for our conferences. This would also include your Mozilla Persona accounts if you have chosen to use this method for authentication.

“In the interests of improving your online security, it is recommended that a one-time password service be used in the future for any accounts you may create on any web services, including Linux Australia's conference websites.”