2m Ubuntu users' data leaked; Telstra buys MSC Mobility; Bug bounty for cars


By Andrew Collins
Thursday, 21 July, 2016



The personal information of two million users has been exposed in a breach of the official web forums for the Ubuntu Linux distribution.

The breach was publicly acknowledged in a blog post on the Ubuntu Insights website.

“There has been a security breach on the Ubuntu Forums site,” wrote Jane Silber, CEO of Canonical, the company that leads the Ubuntu Project.

“In the interest of transparency, we’d like to share the details of the breach and what steps have been taken.”

Silber said that on 14 July, Canonical’s IS team was notified that a person was claiming to have a copy of the Ubuntu Forums database.

“After some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched,” Silber said.

Silber said the attacker was able to inject specially formatted SQL into the Forums database running on the Forums database servers.

“This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table,” she said.

The attacker went on to download portions of the user table, which contained usernames, email addresses and IP addresses for two million users, according to Silber.

“No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted),” she said.
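The mechanism Silber describes, an unpatched injection point that gives read access to any table, is easy to reproduce in miniature. What follows is an added example and not code from the Ubuntu Forums, vBulletin or the Forumrunner add-on (the post does not describe the actual flaw): a constructed in-memory SQLite forum schema, a hypothetical endpoint that splices a request parameter straight into its query, and the same lookup with a bound parameter. The table and column names, the sample rows and the payload are all assumptions for illustration.

```python
import sqlite3


def make_forum_db():
    """Constructed in-memory forum schema (hypothetical; not the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE thread (id INTEGER, title TEXT);
        CREATE TABLE user (userid INTEGER, username TEXT, email TEXT,
                           ipaddress TEXT, password TEXT);
        INSERT INTO thread VALUES (1, 'Welcome'), (2, 'Install help');
        -- The password column holds a salted hash of a random string, as the
        -- post says the SSO-backed forum did. Sample values are constructed.
        INSERT INTO user VALUES (1, 'alice', 'alice@example.org',
                                 '192.0.2.10', 'salt$hash-of-random-string');
    """)
    return conn


def thread_title_vulnerable(conn, thread_id):
    """Hypothetical injectable endpoint: the request parameter is pasted into
    the SQL text, so a caller can change the structure of the query."""
    sql = f"SELECT title FROM thread WHERE id = {thread_id}"
    return [row[0] for row in conn.execute(sql)]


def thread_title_safe(conn, thread_id):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    rows = conn.execute("SELECT title FROM thread WHERE id = ?", (thread_id,))
    return [row[0] for row in rows]


# Constructed payload: a UNION appends rows from another table to the
# thread-title result, which is how a read-only injection leaks the user table.
USER_DUMP_PAYLOAD = ("1 UNION ALL SELECT username || ':' || email || ':' || ipaddress "
                     "FROM user")


def demo():
    """Run the payload through both endpoints and return (leaked, blocked)."""
    conn = make_forum_db()
    leaked = thread_title_vulnerable(conn, USER_DUMP_PAYLOAD)
    # With a bound parameter the whole payload is compared against the integer
    # id column as a text value, matches nothing, and returns no rows.
    blocked = thread_title_safe(conn, USER_DUMP_PAYLOAD)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable endpoint:", leaked)
    print("parameterised endpoint:", blocked)
```

The vulnerable endpoint returns the thread title plus a row built from the user table, which is the shape of data Silber describes being taken; the parameterised version returns nothing for the same input. The practical check for a forum operator is to search the code base, add-ons included, for queries assembled by string formatting or concatenation and convert each to a bound-parameter call, rather than trying to filter the input.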

Silber said the attacker was not able to gain access to any Ubuntu code repository or update mechanism.

The blog post has more on what Canonical believes the attacker did and did not have access to, and the steps Canonical has taken since the breach.

Telstra buys MSC Mobility

Telstra has entered into an agreement to acquire MSC Mobility, an enterprise mobility solution provider and a long-time Telstra partner.

MSC provides MDM (mobile device management) and provisioning services for its customers.

Telstra said MSC has been one of its partners for a decade, and that MSC currently provides device management services to a “large number” of Telstra’s enterprise customers.

Telstra Executive Director Global Products Michelle Bendschneider said: “By acquiring MSC we can now work with a customer’s entire enterprise mobility experience and can manage it through one unified platform. This provides Telstra with an enhanced offering in the market and a seamless experience for our customers.”

Telstra said it expects the MSC acquisition to be completed within a matter of weeks.

Fiat Chrysler launches bug bounty

Car manufacturer Fiat Chrysler Automobiles (FCA) has launched a bug bounty program targeting internet-connected vehicles the company produces.

The program is being run on the Bugcrowd bug bounty platform.

The car maker announced the program in a YouTube video that featured Titus Melnyk, senior manager, Security Architecture at FCA US, and Casey Ellis, CEO and founder of Bugcrowd.

Ellis explained that Bugcrowd allows organisations to run contests where security researchers “compete to find vulnerabilities and submit them in exchange for cash and social recognition”.

“The first to find each unique vulnerability that’s within scope of the program will get a reward, and obviously the goal is to have those vulnerabilities be fixed before the bad guys come along and do it for real,” the Bugcrowd CEO said.

According to the Bugcrowd page for the Fiat Chrysler program, researchers can earn between US$150 and US$1500 per bug reported.

The Fiat Chrysler program’s page on the Bugcrowd site has more information, including the specific products targeted in the program.

“This program is focused on the security of FCA’s connected vehicles, including the systems within them; the external services and applications that interact with them,” the page said.
