security breach

Aaaand it’s gone!

I just got an email from Opscode (the company behind Chef): their wiki and ticketing system has been compromised, and the attacker was able to download the whole database, including usernames and passwords.

The passwords were hashed using PBKDF2 (Password-Based Key Derivation Function 2), which is also used in WPA2 and is quite effective at slowing down brute-force attacks.

There are two interesting facts:

1. This is the third email I got during this summer that describes a security breach which directly affects me

2. Opscode, as far as I remember, uses Atlassian’s JIRA for ticketing (and maybe for the wiki too). Now, if Atlassian is indeed the “third party” in the story “whose software has a vulnerability in it, which allowed attackers to gain access”, then this is quite big news!
So JIRA users, watch out: there could be a vulnerability in your beloved ticketing system!

Here is the full email I received:

Security Breach
User information for tickets.opscode.com and wiki.opscode.com compromised.

What Happened?
A vulnerability in the third-party software that runs our Open Source Chef wiki and ticketing system was exploited to gain access to that particular system. While on this system, the attacker gained escalated privileges and downloaded the user database for the wiki and ticketing system.

What information was exposed?
The user database that was accessed contained usernames, email addresses, full names, and hashed passwords. We believe these passwords are adequately secure (the software in question uses the PBKDF2 algorithm), but we will be forcing a password change on the ticketing and wiki systems. If you use this password on other systems, we suggest choosing a new password on those systems as well.

Were any of my personal tickets accessed? What about my Hosted Chef data?
We are still investigating this breach; however, there is currently no evidence that any other systems were impacted or that other data was compromised.

Does this affect my Hosted Chef accounts?
This does not directly impact your Hosted Chef data or accounts. If you use the same username and password, it is recommended that you change this.

How did you catch the breach?
Our security monitoring alerted us to the unauthorized access. Upon investigation, we confirmed the unauthorized activity and immediately took steps to terminate the unauthorized access, isolate the affected systems, and secure forensic data.

What has been done to prevent this type of unauthorized access?
We are working with our third party software providers to identify the vulnerability and apply the appropriate patches to the systems.

What should I do now?
You will be asked to change your password the next time you access wiki.opscode.com or tickets.opscode.com. If you use the same credentials at any other site, you should assume that those credentials have been compromised and update them immediately. You may also wish to follow @opscode_status on Twitter for immediate updates.

We will provide additional details as they become available.

If you have any questions please contact Opscode at security@opscode.com.
You are receiving this email because you have an account in our ticketing system (http://tickets.opscode.com) or on our wiki (http://wiki.opscode.com).

Our mailing address is:
Opscode
1008 Western Ave, Suite 600
Seattle, WA 98104


Copyright (C) 2013 Opscode All rights reserved.


How to correctly handle a security breach – Drupal.org

I just got an e-mail from Drupal.org – they have found out that somebody had unauthorized access to user data at drupal.org and groups.drupal.org. They are still investigating; however, they would like every member of the community to change their password.

Let’s see the exact case:

The Drupal.org Security Team and Infrastructure Team have discovered unauthorized access to account information on Drupal.org and groups.drupal.org.

This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we are asking all users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps.

  1. Go to https://drupal.org/user/password
  2. Enter your username or email address.
  3. Check your email and follow the link to enter a new password.
    • It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.

All passwords on Drupal.org are stored in a hashed format. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org and other Drupal 6 sites were not salted.

I think that’s the proper way to handle a data breach – close the hole as fast as you can, notify everyone as soon as possible, then investigate.
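As an added illustration of the two technical points in these notices, the PBKDF2 work factor that Opscode relies on and the salting that the Drupal.org notice says some older groups.drupal.org passwords lacked, here is a small Python example (written for this post, not code from Opscode, Drupal or any vendor). It hashes a constructed three-user table first with a bare fast hash and then with salted PBKDF2-HMAC-SHA256, counts how many stored values repeat in each case, verifies a password against a stored record in constant time, and measures what a single guess costs at different iteration counts. The record format, iteration counts and sample passwords are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: a tiny user table in which two accounts chose the same
# password. The names and passwords are invented for this demonstration only.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",
}

ITERATIONS = 100_000  # assumed work factor for the example; raise it as hardware allows


def unsalted_sha1(password: str) -> str:
    """Legacy scheme: one fast hash, no salt (what an unsalted store looks like)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. Record format (assumed, not any vendor's):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_digests(hashes: List[str]) -> int:
    """Number of repeated stored values: in a leaked table, repeats reveal shared passwords."""
    return sum(count - 1 for count in Counter(hashes).values())


def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Wall-clock cost of one PBKDF2 evaluation: the defender sets it, an attacker pays it per guess."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, iterations)
    return (time.perf_counter() - start) / rounds


def compare_schemes(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, int]:
    """Hash the sample table both ways and count the visible duplicates in each."""
    legacy = [unsalted_sha1(pw) for pw in users.values()]
    salted = [pbkdf2_hash(pw, iterations=1_000) for pw in users.values()]  # low count keeps the demo quick
    return {
        "unsalted_duplicates": duplicate_digests(legacy),
        "salted_duplicates": duplicate_digests(salted),
    }


if __name__ == "__main__":
    print(compare_schemes())  # {'unsalted_duplicates': 1, 'salted_duplicates': 0}
    record = pbkdf2_hash("hunter2")
    print(record)
    print(pbkdf2_verify("hunter2", record), pbkdf2_verify("hunter3", record))
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.2f} ms per guess")
```

Run it as a script: the unsalted table shows one repeated digest (Bob and Carol share a password, and a leaked copy exposes that without any guessing), while the salted PBKDF2 table shows none. The timing lines make the brute-force point concrete: multiplying the iteration count multiplies the cost of every guess by the same factor, which is a price a login server pays once per login and an attacker pays once per candidate password.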

For more information visit:
https://drupal.org/news/130529SecurityUpdate