Canonical downplays Ubuntu hacks
It says affected servers were running old, unpatched versions of Ubuntu and insecure Web applications
TechWorld.com - Canonical Ltd., the commercial sponsor of the Ubuntu Linux, said that recent compromises of most of its local community servers do not reflect on the distribution's security or corporate-readiness.
The company said such criticisms were wide off the mark, since the affected servers were running old, unpatched versions of Ubuntu, as well as a number of insecure Web applications.
The compromises affected five of the eight Local Community (LoCo) hosting servers, which are sponsored by Canonical for the use of local area Ubuntu developer communities but hosted outside the company.
Canonical was at pains to point out that the servers did not host downloadable software, but mainly news pages, blogs and localized documentation.
The problem came down to the fact that responsibility for the security of the machines didn't clearly belong to either Canonical or the communities using the servers. The systems were all located outside Canonical's own data center.
The problem first came to light when Canonical received reports that one of the LoCo servers had been compromised, and an investigation found four more of the servers had been hacked.
"Since it was reported that they were actively attacking other machines ... the decision was taken to shut the machines down," said James Troup, head of Canonical's system administration team, in a report on the breaches that was published on Ubuntu newslists.
The systems could have been breached in several ways, Troup said, since they were being accessed using FTP without SSL and were running more than a dozen Web software packages, all of which were out of date and missing security patches.
What's more, the systems were running a version of Ubuntu Linux that is no longer receiving security updates from Canonical, meaning there was no way of fixing more recent security issues.
That's because more recent versions of the operating system failed to work with the servers' network hardware, Troup said.
"This probably allowed the attacker to gain root," he said.
The communities affected will have the choice of moving their servers into the Canonical data center, where they'll be kept up to date but will have stricter limits on how they're used, or sticking with outsourced servers but taking on the full responsibility for administration.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Linux and Unix White Papers | Webcasts