Would be even better if I replied to the list...

---------- Forwarded message ----------
From: "Moggers87" <moggers87@googlemail.com>
Date: Dec 7, 2012 4:11 AM
Subject: Re: [bitfolk] Proposal: Security incidents postings
To: "Andy Smith" <andy@bitfolk.com>

I'd very much appreciate knowing what causes compromises in the real world. Would be a good reminder to those of us who believe we have secure servers.

On Dec 7, 2012 2:19 AM, "Andy Smith" <andy@bitfolk.com> wrote:
Hello,

From time to time BitFolk customer VPSes occasionally become subject
to various kinds of compromise. Frustratingly, the kinds of
compromise encountered are generally the result of run of the mill,
completely preventable and unremarkable root causes.

I would like to find a way to raise awareness of these very simple
security concerns amongst the customer base, in order to hopefully
cut down on how often they happen.

I was thinking that if customers saw how often these things happen
to people very much like themselves then it might help remove some
of the "yeah I've heard of that but it will never happen to me"
mindset that we all regrettably can fall into.

So I was contemplating posting an email thread to this ("users")
list every time we become aware of a customer compromise, and I was
wondering what you thought of that idea.

It might look something like this:

    Today at around 04:30 we became aware of a customer VPS
    initiating an abnormal amount of outbound SSH connections (~200
    per second). The VPS's network access was suspended and customer
    contacted.

    It was later determined that a user account on the VPS had been
    accessed starting 3 days ago, via an SSH dictionary attack. The
    attacker installed another copy of the SSH dictionary attack
    software and set it going. We do not believe that root access
    was obtained.

The amount of detail would vary because we may only become aware of
a compromise when the customer's VPS itself starts perpetrating
abusive activity, and then we rely on the customer to investigate
why that is.

If the customer is unable/unwilling to do this then we may never
know why their VPS began misbehaving. We don't examine customer data
unless given permission to do so, and even then this is often too
time-consuming to undertake on an unpaid basis. I would consider the
above an example of the maximum amount of detail we would go into.

No identifying information regarding the affected customer would be
shared. We already share non-identifying information similar to the
above to peers within the industry to aid deterrence and detection
of future abuses.

Would this sort of posting be welcomed or would it be unwelcome
noise? If the consensus is that it would be unwelcome noise then I
may create a new list specifically for it, but I would rather not do
so as then that is just another list that we have to raise awareness
of.

Please also note that those with an extremely low tolerance for
email noise may wish to quit this list and instead join the
"announce" list, as it contains only announcements from BitFolk with
no customer discussion whatsoever:

    https://lists.bitfolk.com/mailman/listinfo/announce
    http://lists.bitfolk.com/lurker/list/announce.html

(just 19 threads this year)

Thoughts?

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting


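A defender-side check for the pattern in Andy's example incident (a run of failed SSH logins from one source followed by a successful login on an ordinary user account). This is an added example, not code from the BitFolk thread; the auth.log lines are constructed, the source addresses are documentation ranges, and the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real data): one source fails against
# several names and then succeeds as "bob"; a later key login from elsewhere is benign.
SAMPLE_AUTH_LOG = """\
Dec  4 03:10:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  4 03:10:03 vps sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Dec  4 03:10:05 vps sshd[2105]: Failed password for bob from 203.0.113.7 port 51041 ssh2
Dec  4 03:10:07 vps sshd[2107]: Failed password for bob from 203.0.113.7 port 51055 ssh2
Dec  4 03:10:09 vps sshd[2109]: Accepted password for bob from 203.0.113.7 port 51060 ssh2
Dec  4 09:15:22 vps sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 40110 ssh2
"""

# OpenSSH's standard failure/success message formats.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def find_dictionary_logins(log_text, fail_threshold=3):
    """Return (user, source_ip, prior_failures, auth_method) for every successful
    login that was preceded by at least fail_threshold failures from the same
    source address. fail_threshold is an assumed value; tune it per host."""
    failures = defaultdict(int)  # source IP -> failed attempts seen so far
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if failures[src] >= fail_threshold:
                hits.append((user, src, failures[src], method))
    return hits


if __name__ == "__main__":
    for user, src, n, method in find_dictionary_logins(SAMPLE_AUTH_LOG):
        print(f"suspect login: {user} from {src} via {method} after {n} failures")
```

A password login that follows a burst of failures from the same address is the trace the example incident would have left in the customer's own logs, and is the cue to rotate that account's credentials and look for dropped tools.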