Linux Australia suffers server breach

Linux Australia has revealed an attack on one of its servers could have provided a "malicious individual" with access to personal member information.

Over the weekend, Linux Australia president Joshua Hesketh notified the Linux-aus mailing list that the organisation had discovered an attack on one of its servers on March 22.

Linux Australia runs the annual Linux Australia conferences and the two-yearly PyCon conference.

The breach occurred in the server hosting the Zookeepr conference management systems for the 2013, 2014, and 2015 national conferences and for two PyCon conferences.

An unknown vulnerability was exploited to cause a buffer overflow that allowed the attacker to gain the highest level of privileges on the server, Hesketh said in the notice.

For the duration of the attack, member details including names and contact information, along with hashed passwords, were exposed – but not any credit card details.

"As Zookeepr uses a third party credit card payment gateway for credit card processing, the database dumps do not contain any credit card or banking details," Hesketh said.

"Whilst Linux Australia do not believe this was a targeted attack against the Zookeepr conference management system, nor an attempt to harvest details from the system, we are taking the necessary precautions."

The compromised host has been decommissioned and the system for PyCon Australia 2015 has been re-deployed to the new Zookeepr host, which is set to enforce key-based logins only.

The new host will have tighter restrictions for services facing the internet and a "far more rigorous operating system schedule", Hesketh said.

Error messages alerted admins to the original breach - these will now be buttressed with a new log analysis tool.

System user accounts on the new server will expire three months after each conference is held, and the linux.conf.au and PyCon Australia sites will be converted to HTML copies six months after the conclusion of the conference, Hesketh said.

Each conference's Zookeepr database will then be archived and stored on a separate server, and the database deleted from the ZooKeepr server.

Hesketh said Linux Australia "strongly encourage you change your passwords on other web services if the same password may have used when registering for our conferences".

"This would also include your Mozilla Persona accounts if you have chosen to use this method for authentication," he said.

"In the interests of improving your online security, it is recommended that a one time password service be used in the future for any accounts you may create on any web services including Linux Australia's conference websites."

At the time of writing linux.conf.au remains offline. Hesketh has been contacted for comment.

Several industry members reacted with praise to the organisation's response to the breach.

"The transparency and disclosure of this email is amazing," tweeted Queensland tech communications specialist David Ryan.

"Exemplary transparency," agreed Paul Gampe, CTO of the US-based peering technology firm IIX.