Hackers break into Linux Australia server, plant malware, steal personal information

Graham Cluley

Linux Australia has warned its members and conference attendees that their personal information may have fallen into the hands of online criminals, following a breach of the organisation’s servers.

In a mailing list posting, Linux Australia Joshua Hesketh confirmed that a malicious hacker attacked the site between 04:00 and 06:00 local time on 22 March using what is described as a “currently unknown vulnerability”.

As a consequence, it is said, the attacker was able to gain root level access to the server which hosted the group’s Linux conferences over the last three years, and the Pycon Python programming conference in 2013 and 2014.

Linux aus breach

Disappointingly, I could find no mention of the data breach on the main Linux Australia website. That seems a shame, as I would think it was important for a group “representing free software and open source communities” to be more proactive in telling members of those communities that their details may have fallen into the hands of hackers.

Of course, the message was posted this weekend on the Linux-aus mailing list, but it would seem to me that they have missed an opportunity to reach out further.

After installing a remote access tool and subsequently botnet command-and-control software, the malicious hacker was able to extract information from conference databases including names, physical and email addresses, phone numbers and hashed passwords.

Fortunately, the Linux conference’s management software – known as ZooKeepr – uses a third party gateway system for processing credit card details, so there was no financial information for the hackers to steal.

Zookeepr 600

According to Linux Australia’s statement, they don’t believe they are victims of a targeted attack. Nonetheless, it’s easy to imagine how the contact information could be exploited by opportunistic spammers and carefully-crafted phishing campaigns in an attempt to dupe the unwary.

Linux Australia doesn’t at any point in its mailing post use words like “We’re sorry” or “apologise” which is rather grating for those whose personal information has been unnecessarily leaked, but it does say that it will make amends by rebuilding its server, with tighter security restrictions and “a far more rigorous operating system updating schedule.”

That sounds like an admission of failure to me. It sounds very much like the hack could have been avoided if more care was being taken to ensure that the webserver was being properly updated with security patches – as presumably this was how the attacker was able to initially exploit the system and gain a foothold.

In addition, Linux Australia says it will install a log analysis tool to alert administrators to suspicious activity, expire system user accounts three months after a conference has finished, and move attendee databases to a separate server once at the conclusion of a meeting.

Previous attendees of Linux Australia and PyCon events are strongly encouraged to change their passwords on other sites if they are in the (bad) habit of using the same password in multiple places. In addition, the organisation recommends that users enable two factor authentication and one-time-passwords wherever possible to harden the security of online accounts.

Linux Australia says makes no mention of whether it has informed the authorities of the hack – but I hope they do. It’s important to inform law enforcement of a hack, even if you believe that the chances of identifying the perpetrator are small. After all, it’s always possible that the computer crime cops could already be investigating a group performing similar attacks, and could use the attack against your own organisation as an important part of the jigsaw puzzle.

The truth is that an attack like this can happen to organisations big or small, anywhere in the world.

If you want to prevent it from happening to your company, you need to have the right defences and systems in place to repel an attack.

Perhaps the best way to find out if you’re at risk is to think like a hacker.

Why not try to hack yourself, rather than waiting for someone else to hack you?

This article originally appeared on the Optimal Security blog.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.