On July 15, it was revealed that the Ubuntu forum — a primary support channel for the popular Linux distribution — had been compromised, with over 2 million emails, usernames, and IP addresses in the hands of hackers. Passwords were never at risk because the forum used Ubuntu Single Sign-On, so password hashes were not stored in the forum software at all.
We make Ubuntu available as an option on our unmanaged virtual private servers, so we think clients should be made aware of the attack.
It appears that the attacker was able to compromise the forum because it was running an old version of vBulletin with a known SQL-injection vulnerability. It might seem to follow from the successful exfiltration of sensitive data that Ubuntu’s general approach to security should be under suspicion, but that’s not necessarily the case. There’s no reason to believe Ubuntu’s software repositories, version control systems, and other platforms central to the company’s core business are at risk. In fact, the breach follows a well-established pattern — companies are very careful about the systems that matter most to their business, but can be rather lax where peripheral services are concerned.
That’s a cause for concern, because even peripheral services have the potential to leak sensitive information, and those services are often targeted as part of an island-hopping strategy in the hope they’ll provide information that can be used to compromise more critical systems.
Many small businesses manage peripheral services of this sort, whether it’s support forums, WordPress blogs, or small eCommerce stores. It’s vital that they make every effort to keep these services up-to-date, but it’s understandable that they are neglected — small development teams and solo developers are pressed for time, and regularly checking whether your forum needs updating can easily be forgotten when your focus is on improving products.
But being understandable does not make it excusable. Companies have a duty to protect their users’ data. And, even if the security of peripheral services has no real impact on product security, it doesn’t look that way to users, who won’t be eager to discriminate between the two.
The best way to make sure that peripheral services are maintained and updated is to make a member of the organization responsible for them. I’ve come across many situations where a horrendously outdated CMS is the result of everyone thinking it is someone else’s job to update it. If you’re storing user data — or running any online service, really — responsibility for its maintenance should be assigned to a team member, and systems put in place to remind that team member to regularly check for issues.
Patch management isn’t especially complex for most companies. In the case of the Ubuntu breach, it wouldn’t have taken much effort for a team member to run an update every once in a while. If they had, an embarrassing situation could have been avoided.
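As an added example (not code from the original post or from Ubuntu), here is the kind of reminder that can be put in place for the responsible team member: a small cron-friendly shell check for an Ubuntu host that parses the output of `apt-get -s upgrade` (simulation mode, nothing is installed) and reports packages pending from the `*-security` pocket. The function names, the `forum-host` name and the package versions in the embedded sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-friendly reminder that
# parses `apt-get -s upgrade` (simulation only, nothing is installed) and
# reports packages pending from the Ubuntu *-security pocket.

# Constructed sample of apt-get -s output (package versions are made up).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Inst openssl [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Inst vim [2:8.1.2269-1ubuntu5.7] (2:8.1.2269-1ubuntu5.9 Ubuntu:20.04/focal-updates [amd64])
Conf libssl1.1 (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Conf openssl (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])'

# Number of "Inst" lines whose origin is a *-security pocket (stdin -> stdout).
# grep -c still prints 0 when nothing matches but exits 1; mask that for set -e.
count_security_updates() {
    grep -c '^Inst [^ ]* .*-security' || true
}

# Package names pending from the security pocket, one per line.
list_security_updates() {
    sed -n 's/^Inst \([^ ]*\) .*-security.*/\1/p'
}

# Read apt-get -s output from stdin, print a short report, and return 1 when
# security updates are pending, so a cron job's nonzero status mails the owner.
check_host() {
    host=${1:-unknown-host}
    out=$(cat)
    n=$(printf '%s\n' "$out" | count_security_updates)
    if [ "$n" -eq 0 ]; then
        echo "$host: no pending security updates"
        return 0
    fi
    echo "$host: $n pending security update(s):"
    printf '%s\n' "$out" | list_security_updates | sed 's/^/  /'
    return 1
}

# Demo against the constructed sample; the nonzero status is the reminder signal.
# In a real cron entry, replace this line with:  apt-get -s upgrade | check_host "$(hostname)"
printf '%s\n' "$SAMPLE_APT_OUTPUT" | check_host forum-host || echo "status $?: owner should patch"
```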
Before you stop reading, ask yourself this: which online services is your business running, and who is responsible for ensuring that they have the latest security patches?