I think it is an excellent idea Andy!
If the volume is low (as your later post suggests), personally I see no
need to create yet another e-mail list for this. A subject line
starting with a tag like [general security alert] would probably help
people like me. Where the word "general" is the key. If I receive an
e-mail saying [security alert] or such it would require immediate
attention, whilst a general security alert is of a slightly lesser
urgency. But that's just semantics. I'd be happy with whatever
solution you come up with. This kind of info is, just like you write,
quite interesting and enlightening.
Cheers,
__
/ony
-------
Friday, December 7, 2012, 2:19:42 AM, Andy wrote:
Date: Fri, 7 Dec 2012 02:19:42 +0000
From: Andy Smith <andy(a)bitfolk.com>
To: users(a)lists.bitfolk.com
Message-ID: <20121207021942.GT3867(a)bitfolk.com>
Subject: [bitfolk] Proposal: Security incidents postings
Hello,

From time to time BitFolk customer VPSes occasionally become subject to various kinds of compromise. Frustratingly, the kinds of compromise encountered are generally the result of run of the mill, completely preventable and unremarkable root causes.

I would like to find a way to raise awareness of these very simple security concerns amongst the customer base, in order to hopefully cut down on how often they happen.

I was thinking that if customers saw how often these things happen to people very much like themselves then it might help remove some of the "yeah I've heard of that but it will never happen to me" mindset that we all regrettably can fall into.

So I was contemplating posting an email thread to this ("users") list every time we become aware of a customer compromise, and I was wondering what you thought of that idea.

It might look something like this:

    Today at around 04:30 we became aware of a customer VPS initiating an abnormal amount of outbound SSH connections (~200 per second). The VPS's network access was suspended and customer contacted.

    It was later determined that a user account on the VPS had been accessed starting 3 days ago, via an SSH dictionary attack. The attacker installed another copy of the SSH dictionary attack software and set it going. We do not believe that root access was obtained.

The amount of detail would vary because we may only become aware of a compromise when the customer's VPS itself starts perpetrating abusive activity, and then we rely on the customer to investigate why that is.

If the customer is unable/unwilling to do this then we may never know why their VPS began misbehaving. We don't examine customer data unless given permission to do so, and even then this is often too time-consuming to undertake on an unpaid basis. I would consider the above an example of the maximum amount of detail we would go into.

No identifying information regarding the affected customer would be shared. We already share non-identifying information similar to the above to peers within the industry to aid deterrence and detection of future abuses.

Would this sort of posting be welcomed or would it be unwelcome noise? If the consensus is that it would be unwelcome noise then I may create a new list specifically for it, but I would rather not do so as then that is just another list that we have to raise awareness of.

Please also note that those with an extremely low tolerance for email noise may wish to quit this list and instead join the "announce" list, as it contains only announcements from BitFolk with no customer discussion whatsoever:

(just 19 threads this year)

Thoughts?

Cheers,
Andy