Re: [bitfolk] Proposal: Security incidents postings

Author: Keith Williams
Date:  
Subject: Re: [bitfolk] Proposal: Security incidents postings
On 07/12/12 09:57, Tony Andersson wrote:
>
>>> So I was contemplating posting an email thread to this ("users")
>>> list every time we become aware of a customer compromise, and I was
>>> wondering what you thought of that idea.
>


Another vote from me. Sounds good.

In the unlikely event that it gets too much traffic-wise (which I
strongly doubt) then just set up a new list.

Cheers,

--
Matthew Moore
Surgical Materials Testing Laboratory
System Administrator
Telephone: +44 (0)1656 752165
Email: matt@???



From: Richard Green <rich@???>
Date: Fri, 7 Dec 2012 10:21:57 +0000
Subject: Re: [bitfolk] Proposal: Security incidents postings


I too think that this is a great idea; however, it might be easier to
create a separate security@ mailing list now (and automatically?)
subscribe users rather than posting everything to the users@ mailing
list; even if there is little traffic right now, this may
increase/change and it'd be easier to grow the service if it's segregated
from the start.

I also can't remember what the new customer signup form for Bitfolk is
like, but recently filled in a form (from another organisation) with a
single checkbox labelled "…We like to keep you informed about
services, campaigns, events, publications and new initiatives…" -
obviously more granular control is better for the user and I think that
given the option most users will opt-in (or can be auto-enrolled in
accordance with terms & conditions), knowing full well that they
actually want what they're signing up for rather than facing the
daunting single tick box which gives the user "all or nothing".

On 7 Dec 2012, at 02:19, Andy Smith <andy@???> wrote:

> So I was contemplating posting an email thread to this ("users")
> list every time we become aware of a customer compromise, and I was
> wondering what you thought of that idea.




Date: Fri, 7 Dec 2012 14:09:20 +0100
From: Samuel Bächler <baechler@???>
Subject: Re: [bitfolk] Proposal: Security incidents postings



I am ok with that kind of information.

Cheers

Sämi

2012/12/7 Andy Smith <andy@???>

> Hello,
>
> From time to time BitFolk customer VPSes occasionally become subject
> to various kinds of compromise. Frustratingly, the kinds of
> compromise encountered are generally the result of run of the mill,
> completely preventable and unremarkable root causes.
>
> I would like to find a way to raise awareness of these very simple
> security concerns amongst the customer base, in order to hopefully
> cut down on how often they happen.
>
> I was thinking that if customers saw how often these things happen
> to people very much like themselves then it might help remove some
> of the "yeah I've heard of that but it will never happen to me"
> mindset that we all regrettably can fall into.
>
> So I was contemplating posting an email thread to this ("users")
> list every time we become aware of a customer compromise, and I was
> wondering what you thought of that idea.
>
> It might look something like this:
>
>     Today at around 04:30 we became aware of a customer VPS
>     initiating an abnormal amount of outbound SSH connections (~200
>     per second). The VPS's network access was suspended and customer
>     contacted.
>
>     It was later determined that a user account on the VPS had been
>     accessed starting 3 days ago, via an SSH dictionary attack. The
>     attacker installed another copy of the SSH dictionary attack
>     software and set it going. We do not believe that root access
>     was obtained.
>
> The amount of detail would vary because we may only become aware of
> a compromise when the customer's VPS itself starts perpetrating
> abusive activity, and then we rely on the customer to investigate
> why that is.
>
> If the customer is unable/unwilling to do this then we may never
> know why their VPS began misbehaving. We don't examine customer data
> unless given permission to do so, and even then this is often too
> time-consuming to undertake on an unpaid basis. I would consider the
> above an example of the maximum amount of detail we would go into.
>
> No identifying information regarding the affected customer would be
> shared. We already share non-identifying information similar to the
> above to peers within the industry to aid deterrence and detection
> of future abuses.
>
> Would this sort of posting be welcomed or would it be unwelcome
> noise? If the consensus is that it would be unwelcome noise then I
> may create a new list specifically for it, but I would rather not do
> so as then that is just another list that we have to raise awareness
> of.
>
> Please also note that those with an extremely low tolerance for
> email noise may wish to quit this list and instead join the
> "announce" list, as it contains only announcements from BitFolk with
> no customer discussion whatsoever:
>
>     https://lists.bitfolk.com/mailman/listinfo/announce
>     http://lists.bitfolk.com/lurker/list/announce.html
>
> (just 19 threads this year)
>
> Thoughts?
>
> Cheers,
> Andy
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
>