[hacked] tagged posts

Github says: Please audit your SSH keys

I got the following from Github after their benign hacker incident:

Please audit your SSH keys
On Sunday March 4, 2012 a security vulnerability related to SSH keys (public keys) was discovered. For your protection and to prevent unauthorized access we have disabled your public keys until you approve them.

They want me to audit my SSH keys (a simple process). First, find your public key that you use on GitHub (probably in your .ssh directory if you are using a Mac). Then get its fingerprint. Here’s how you do that on a Mac:

Trinity:~ kelvin$ ls -l .ssh/id_rsa*
-rw-------  1 kelvin  staff  1743 Sep 11  2009 .ssh/id_rsa
-rw-r--r--  1 kelvin  staff   400 Sep 11  2009 .ssh/id_rsa.pub
Trinity:~ kelvin$ ssh-keygen -lf .ssh/id_rsa
2048 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX .ssh/id_rsa.pub (RSA)
Trinity:~ kelvin$

Using ssh-keygen you can get the fingerprint from your private key filename (it will look for your public key for you). That long list of “XX:XX” things will be a hexadecimal number that matches the key fingerprint at the bottom of the GitHub SSH audit page. If it doesn’t match then either Egor hacked you or you might have used a different key (keep looking!).

Tags: , , , , ,

Hacked on a Friday

It’s not the first time that I’ve been hacked and I’m quite sure that it won’t be the last time either. Today, I found out that my web host (Dreamhost) was hacked.

Part of being hacked is trying to figure out what was taken. It takes time to review logs, so I’m not too concerned that Dreamhost can’t answer questions about what data was compromised.

The thing that gets me is that they never emailed me to let me know what was going on. I found out about the breach by reading Tech Crunch. That’s really what I’m grumpy about tonight…that and the passwords I have to reset.

Update > 12h on

Dreamhost sent an email overnight with password advice. I’m still not impressed by the 12-hour delay.

Tags: , ,

The Register Hacked & Defaced

Screen grab of the Register defaced

Today The Register was defaced by a Turkish group of hackers. It looks like the DNS was changed to point to the hacker’s nameservers.

$ whois theregister.co.uk

    Domain name:
        theregister.co.uk

    Registrant:
        Linus Birtles

    Trading as:
        The Register

    Registrant type:
        UK Sole Trader

    Registrant's address:
        Situation Publishing Limited
        PO Box 478
        Southport
        PR8 2ZW
        United Kingdom

    Registered through:
        NetNames Limited
        URL: http://www.netnames.co.uk

    Registrar:
        Ascio Technologies Inc t/a Ascio Technologies inc [Tag = ASCIO]
        URL: http://www.ascio.com

    Relevant dates:
        Registered on: before Aug-1996
        Renewal date:  14-Mar-2012
        Last updated:  04-Sep-2011

    Registration status:
        Registered until renewal date.

    Name servers:
        ns1.yumurtakabugu.com
        ns2.yumurtakabugu.com

    WHOIS lookup made at 21:42:31 04-Sep-2011

--
This WHOIS information is provided for free by Nominet UK the central registry
for .uk domain names. This information and the .uk WHOIS are:

    Copyright Nominet UK 1996 - 2011.

You may not access the .uk WHOIS or use any data from it except as permitted
by the terms of use available in full at http://www.nominet.org.uk/whois, which
includes restrictions on: (A) use of the data for advertising, or its
repackaging, recompilation, redistribution or reuse (B) obscuring, removing
or hiding any or all of this notice and (C) exceeding query rate or volume
limits. The data is provided on an 'as-is' basis and may lag behind the
register. Access may be withdrawn or restricted at any time.

Yumurta kabu─ču? It mean “eggshell” if you believe this Turkish-English dictionary.

And if you are wondering who is yumurtakabugu.com then you won’t get far:

$ whois yumurtakabugu.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: YUMURTAKABUGU.COM
   Registrar: ACTIVE REGISTRAR, INC.
   Whois Server: whois.activeregistrar.com
   Referral URL: http://www.activeregistrar.com
   Name Server: NS1.ACTIVE-DNS.COM
   Name Server: NS2.ACTIVE-DNS.COM
   Status: clientTransferProhibited
   Updated Date: 03-sep-2011
   Creation Date: 16-apr-2010
   Expiration Date: 16-apr-2020

>>> Last update of whois database: Sun, 04 Sep 2011 20:45:33 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Registration Service Provided By: Active-Domain LLC
Contact:  http://www.active-domain.com

Domain Name: yumurtakabugu.com
Expiry Date: 16-Apr-2020
Creation Date: 16-Apr-2010

Name servers:
ns1.active-dns.com
ns2.active-dns.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: m4l0j36f5ks@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681

Admin Name: Whois Manager
Admin Company: Whois Proof LLP
Admin Email Address: m4l0j36f5ks@whoisproof.com
Admin Address: PO Box 4120
Admin City: Portland
Admin State/Region/Province: OR
Admin Postal Code: 97208-4120
Admin Country: US
Admin Tel No: +1.2024700599
Admin Fax No: +1.8663666681

Tech Name: Whois Manager
Tech Company: Whois Proof LLP
Tech Email Address: m4l0j36f5ks@whoisproof.com
Tech Address: PO Box 4120
Tech City: Portland
Tech State/Region/Province: OR
Tech Postal Code: 97208-4120
Tech Country: US
Tech Tel No: +1.2024700599
Tech Fax No: +1.8663666681


The data in this whois database is provided to you for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this information available "as is," and do not guarantee its accuracy. By submitting a whois query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) enable high volume, automated, electronic processes that stress or load this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone. The compilation, repackaging, dissemination or other use of this data is expressly prohibited without prior written consent from us. The registrar of record is Active Registrar, Inc. We reserve the right to modify these terms at any time. By submitting this query, you agree to abide by these terms.

Tags: , ,

Keep your WordPress up to date!

One of my clients got hacked last week. They had been running a copy of WordPress 2.5 (WP) that was installed in May of 2008 and never updated. Although WordPress 2.5.1 was released 25 April 2008 and included an important security fix, the Client software was never upgraded.

So how do you keep your WP install up to date?

Since WP 2.7, you can upgrade from the dashboard. This is by far the easiest way to stay up-to-date, but there have been some problems reported when running on some hosts so find the right host.

You can also do a manual upgrade of the software. WordPress has a mailing list and an RSS feed which all WP admins should subscribe to.

Pay someone to keep it all up to date.

And lastly, if you don’t want to have to be bothered with all this, then don’t run your own blogging software. Run a hosted solution.

Tags: ,