Re: [bitfolk] Proposal: Security incidents postings

Author: Brendan
Subject: Re: [bitfolk] Proposal: Security incidents postings


>> Hello,


>> From time to time BitFolk customer VPSes occasionally become subject
>> to various kinds of compromise. Frustratingly, the kinds of
>> compromise encountered are generally the result of run of the mill,
>> completely preventable and unremarkable root causes.


>> I would like to find a way to raise awareness of these very simple
>> security concerns amongst the customer base, in order to hopefully
>> cut down on how often they happen.


>> I was thinking that if customers saw how often these things happen
>> to people very much like themselves then it might help remove some
>> of the "yeah I've heard of that but it will never happen to me"
>> mindset that we all regrettably can fall into.


>> So I was contemplating posting an email thread to this ("users")
>> list every time we become aware of a customer compromise, and I was
>> wondering what you thought of that idea.


>> It might look something like this:


>>     Today at around 04:30 we became aware of a customer VPS
>>     initiating an abnormal amount of outbound SSH connections (~200
>>     per second). The VPS's network access was suspended and customer
>>     contacted.


>>     It was later determined that a user account on the VPS had been
>>     accessed starting 3 days ago, via an SSH dictionary attack. The
>>     attacker installed another copy of the SSH dictionary attack
>>     software and set it going. We do not believe that root access
>>     was obtained.


>> The amount of detail would vary because we may only become aware of
>> a compromise when the customer's VPS itself starts perpetrating
>> abusive activity, and then we rely on the customer to investigate
>> why that is.


>> If the customer is unable/unwilling to do this then we may never
>> know why their VPS began misbehaving. We don't examine customer data
>> unless given permission to do so, and even then this is often too
>> time-consuming to undertake on an unpaid basis. I would consider the
>> above an example of the maximum amount of detail we would go into.


>> No identifying information regarding the affected customer would be
>> shared. We already share non-identifying information similar to the
>> above to peers within the industry to aid deterrence and detection
>> of future abuses.


>> Would this sort of posting be welcomed or would it be unwelcome
>> noise? If the consensus is that it would be unwelcome noise then I
>> may create a new list specifically for it, but I would rather not do
>> so as then that is just another list that we have to raise awareness
>> of.


>> Please also note that those with an extremely low tolerance for
>> email noise may wish to quit this list and instead join the
>> "announce" list, as it contains only announcements from BitFolk with
>> no customer discussion whatsoever:


>>     https://lists.bitfolk.com/mailman/listinfo/announce
>>     http://lists.bitfolk.com/lurker/list/announce.html


>> (just 19 threads this year)


>> Thoughts?


>> Cheers,
>> Andy



> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users



