Webhosting management company cPanel suffers break-in, lets slip customers' root passwords

Filed Under: Data loss, Featured, Security threats

Webhosting management company cPanel recently announced a worrying sort of compromise.

A break-in to one of the company's technical support servers put customers at risk by exposing Personally Identifiable Information (PII).

This time, the PII was of the most intimate sort: root (i.e. administrative) passwords.

As cPanel explained in a support forum:

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

Fast forward to yesterday and cPanel had, thankfully, come up with a reponse that is a modest silver lining.

Giving remote support staff administrative access to your servers is always fraught with danger.

It's a bit like handing the keys to your fancy new car to the valet parking guy.

You assume that he's insured, and that he's a competent driver, and even that he's a lot more experienced than you at reversing in and out of the tricky spaces in the parking garage.

But he has, after all, got hold of your keys, and they're probably hanging on a peg in a rack where, for all you know, sneaky passers-by could make off with them.

(Or, worse still, make off with a copy of them, so you don't even know there's been a compromise.)

That's what happened here, to an unknown subset of customers over an extended period.

The good news is that cPanel has quicky moved towards a system based on disposable SSH keys that will now authorise cPanel support staff only temporarily to dig into your servers.

By automatically retiring the relevant cryptographic material after each session, cPanel hopes that this sort of problem can largely be avoided in the future.

Of course, there are still some ironies in what happened at cPanel.

If you were already using SSH keys on your servers, rather than typed-in passwords, you weren't affected by this hack.

→ SSH offers two main forms of authentication. One relies on you typing in a password every time you want to login. An attacker who sniffs or steals the password anywhere between you and the server can get in later at will. The second relies on a public-private key pair. You upload the public key to the server at the outset, and use your locally-stored private key to authenticate each time you access the server. You still have to keep the private key secure, of course, but you can store it off-line and encrypted, thus minimising your exposure to danger.

One wonders, therefore, why cPanel continued to allow the use of password-based logins for remote support purposes, and why it didn't make more effort to discourage its customers from working that way.

This is always a question you need to ask yourself after a data breach: did anyone actually need to collect the stolen data, or was it collected merely because it was operationally convenient to do so?

Another irony is that this is already being excused with the S-word.

This has been labelled "a sophisticated attack", in the same document in which cPanel admits that it does "not know the exact nature of this compromise."

That's another habit we need to break: that of adding dramatic adjectives (such as the A in Advanced Persistent Threat) even when we aren't sure that they actually fit the situation.

That's a bit like crying "fire" when what you really meant to say was "smoke", or "wolf" when you mean "moving object."

It also makes those who have suffered the misfortune of what they themselves consider to be an unsophisticated attack feel as though they're deserving mugus who had it coming to them, rather than the victims of cybercrime.

, , , , , , , , ,

You might like

4 Responses to Webhosting management company cPanel suffers break-in, lets slip customers' root passwords

  1. My webhost (greengeeks) uses cPanel, does that mean that I am at risk?

  2. JohnC · 536 days ago

    The comment about the use of the phrase "sophisticated attack" is reminiscent of the days before Internet access was widespread and most external security breaches were via dial-up modems. Whenever some teenager would gain unauthorized access to a system (usually by guessing some absurdly obvious password) they would be labelled a "boy genius" or a "prodigy" by the press.

    It's an entertaining image: a young prodigy outsmarting the seasoned professionals, but it was almost never true. The more mundane truth is that the seasoned professionals were lazy.

  3. gman · 536 days ago

    Wait. Why to analysts need to view passwords?? Isn't that a breach in of itself?

  4. Keith · 536 days ago

    They pretty much have to say that, probably legal reasons. They can't say it was a well known exploit and we fell for it anyway. And, they can't say we've got no clue as to how they did this and we're in over our heads. By saying that it's sophisticated it says they're doing their job but the bad guys sprang something new and terribly clever on them so it's not their fault.

    I'm exaggerating but it has a kernel of truth.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog