across the network: Kyle Brady: Blog  |  Kyle Brady: Fiction  |  Kyle Brady: Status  |  Kyle Brady: Stream  |  Kyle Brady: Projects  |  Kyle Brady: Profile contact
across the internet: on Twitter | on Facebook | more...

Expose:

MediaTemple’s Continued Inadequacy Issues

November 26, 2009 by Kyle Brady
Tags: , , , , , ,
As required by the FTC, a Full Disclosure is available - this piece adheres to the Code of Ethics

subscribe to Expose posts:  rss - email


[note:  substantial and important updates available]

Almost a month ago, I made MediaTemple, and the world, aware of an attack that seemed to be a large security issue, and they eventually admitted it was their problem to deal with, rather than blaming it on software like hosting companies like to do.  But, weeks later, the problem is not yet resolved, and the public is largely still in the dark.

In the last week, I’ve been notified twice to change my FTP/SSH passwords, and the request yesterday came with an odd statement:  the passwords had been previously stored as plaintext, rather than being encrypted or hashed, and that the attackers somehow had access to this - this was MediaTemple’s sole explanation of the massive security issue.

Entirely unacceptable.

After initially making this issue public, both here and at the Inquisitr, I received a phone call from Andrew Won (VP of Customer Service) and Chris, whose position I can’t remember, on 11/16/2009 saying that they discovered the issue, had patched the necessary software, and had submitted patches to the software’s vendors – but asked me to not say anything because of the “security process”.  They didn’t give me enough details as to what was actually happening for me to matter, but I kept quiet.

The traffic on my blog, and the comments, continued to mount in the days that followed and it became clear that the issue had not been resolved – people were still being hit with this hack/attack.  On 11/19/2009 I asked for an update from Andrew and received a reply stating:
Unfortunately, we still don't have anything public yet.  We have already resolved all of the issues and this issue will not recur.

Well, as the attacks continued for other people’s accounts, even through today (11/26/2009), it’s obvious that they had not resolved the issue.  When I irately called late last night (11/26/2009 early morning PST), the tech had no answers and neither did his supervisor – in fact, I knew more about the situation than they did, and I was given the partyline:  “our engineers are aware of the issue and working to address it.”  Further conversation with Andrew, via email, resulted in nothing but doublespeak and sidestepping my questions.

It’s obvious, at this point, that they are either incompetent or lazy – I’m not sure which.  They were slow to respond to this in the first place, and have made one misstep after another, which isn’t giving the affected customers much faith in their hosting company, let alone those unaffected that hear the horror stories.  The fact that passwords were stored in such an insecure way might be part of the issue, but there are larger problems:  discovery, point of entry, depth of access, and execution – none of which (mt) is, in any way, addressing.

When I mentioned this to Andrew, he responded by effectively saying they still have no idea what the problem is or how to fix it:
We are still in the process of investigating this.  Unfortunately, while we have a lot of theories and assumptions, we still do not have anything definitive.  So please bear with us while we investigate this.  We are taking all precautionary measures and locking down many external and internal systems.  We will continue to closely monitor our systems and take appropriate actions.

And they even want to dispute the fact that it’s been almost a month, while downplaying the large number of customers affected:
It was not a matter of resolving over the period of 3 weeks.  It was a matter of continuing to take steps, monitor and then take further steps.  The number of sites actually affected is very small, but due to recent events, we decided that we needed to take a more blanket security approach and change all (gs) Grid Service Server Admin passwords as a precautionary measure.

The “security protocol”, mentioned above, is essentially a “don’t talk about it until it’s fixed” process, but it assumes that those involved are actually trying to fix it, and (mt) is using this as both a crutch and deflector shield – in addition to assuming unaware customers are happier than aware ones:
Chris and I advised you of security protocol, which is what we were following.  And security protocol states that you do not publish public info until you are absolutely certain that the issue is resolved and that you are reasonably certain that the attacks or hacks have stopped.

We didn't have much choice in this matter.  As we explained to you before, security is a very sensitive issue and by making information public, you are also feeding information to your attackers.  We also alerted all affected sites and accounts of the issue and informed them of the steps that we have taken at the moment and time.  This issue was still evolving when we last spoke.

Finally, when asked about compensation to customers for their utter failure as a semi-secure hosting company, which they haven’t actually fixed yet, Andrew once again sidesteps the issue by choosing to blame the users/customers instead of themselves:
We do encrypt passwords, but there was a separate file that was kept for the purpose of allowing customers to view their FTP and mySQL passwords through their Account Center.  This was a feature many customers asked for in the past.  However, we have decided that this feature comes at a price and we are no longer willing to take that risk.  Yes, we have learned our lesson.  We definitely do understand that this was  a headache for ours customers, it was a huge one for us, so we can only imagine it was a much bigger for our customers.  We will make sure to discuss a concession of some sort for those customers that were actually affected by this issue.

In summary:

  • these attacks are the result of MediaTemple’s failure as a hosting company

  • they chose to wait three weeks to even address the issue publicly

  • they claimed to have solved the issue long ago, when they hadn’t

  • they still haven’t solved the security issue, three-or-more weeks on

  • they continue to not reveal any details to users, while sidestepping most questions

  • they seem to have no idea of what is truly occurring


They’re going to lose alot of customers over this, especially since they are known for having large-scale problems on a regular basis.

--- --- ---

Update (11/26/2009 5:30pm PST): I had a lengthy phone conversation with Andrew, and while I can't comment on the details, I feel more confident in MediaTemple's abilities and in what they're doing to solve this large security issue.  More concrete details as they come, but I would suggest that we have more patience with (mt) on this.

Update (11/30/2009 4:35pm PST): MediaTemple is slowly opening up about this, although the full story doesn't seem to be public yet.  Details as/if they come.

Expose pieces are irregular posts attempting to hold people and organizations accountable for their actions.
Kyle can be found on Twitter and MySpace, or reached via email.

subscribe to Expose posts:  rss - email

submit to reddit Add to Mixx! Share on Facbeook Retweet
Printable Version Printable Version

More Expose Pieces

see more...


Commenting Rules

The following is a basic set of rules that are enforced for all commenters.

Any violations of these rules will result in comment deletion, user bans, or both.

  1. No excessively foul language.
  2. No racist remarks.
  3. No SPAMing, unrelated linking, or otherwise unnecessary promotion of outside material.
  4. No trolling.
  5. Be respectful.
  6. Be valuable.
  7. Feel free to respond, argue, or counter-point an article - but do so coherently and intelligently.
  8. Use a personal nickname, commenting account, or moniker. Do not use your business' or website name/account.
  9. Do not trackback/pingback to this post unless your content is relevant.
also available as a standalone page

  • I've been having issues with my MT hosting for a couple of months now, and as a DV account holder I was basically told 'tough luck, you have to work it out yourself' which is such a cop out response.

    I'm moving all of my hosting away from them now, particularly since 3 of our GS accounts received that email notice over night about changing your ftp logins.

    Pretty ordinary service on MT's behalf, and being Thanksgiving I fear that the support will be seriously lacking till Monday..
  • Well, to be fair, a DV is (according to standard hosting practices) a "do it yourself" level package.

    I had one of those over a year ago for something, and they messed up the install, leaving me to find and fix the problem. I eventually downgraded because it wasn't worth the hassle.

    The (gs) is *usually* pretty good, so long as it's not down and you're not under this sort of attack. But when it's good, it *is* good and handles resource spikes pretty well.

    --Kyle
  • It turned out the issue I was having on my DV account, when I was having dramas, was a hardware failure on their end so I felt a bit put out with the generic 'its your problem' email. That said, Duncan Riley's mentioned he's had similar responses from Rackspace (I think) when the Inquisitr first moved over.

    Like you mention, I'm not sure the DV account is worth the extra hassle for me either.

    Anyway, hopefully mt get to the bottom of these security issues and address their customers with a good 'non-corporate' response.

    That was something I like about mt when I first started hosting, it felt like you were dealing with a bunch of cool, tech savvy guys and girls who cared about the service and support.
  • I received one of these emails yesterday as well. I didn't take too much notice since I'd just copied a large file up to the server, and I thought that they might have considered it suspicious. Seems like a major annoyance if you host a lot of stuff with them.

    It's not just about whether they're taking the problem seriously, its also about the fact that they've been less than forthcoming with exactly what IS going on.
  • In what reality is the (gs) good? I see downtime of 2-4 mins. every 2-3 days, and often it happens in bunches Database latency is chronic, leading to slow page rendering for apps like Drupal and Joomla.

    MT's official responses on their "system status" blog are very calculated to the point of being really good spin/lies.

    They imply they were working with law enforcement and could not, for that reason, blow the whistle or change passwords. So all their customers become unwitting parts of a sting? I think they just had no idea what to do and tried to ride it out quietly.

    They emphasize the damage has been really minimal and customer databases were not compromised. But just in case, they say change your passwords and you'll have to login separately for each of your databases in phpmyadmin. MT is lucky it wasn't totally hammered.

    Maybe no damage or illicit access to databases has been discovered, and maybe there was none, but the fact remains, with your root account password the intruders could have accessed your databases, billing info, etc.
  • I agree the db latency is an issue... I pay extra for a MySQL container that basically solves those problems.

    I also agree with pretty much everything you've said - this is a much bigger issue than they're pretending it is, which is why I've continued to hammer on the topic.

    --Kyle
  • Thanks for the hammering. I think the big concern has to be that during the weeks the stolen account login credentials were floating around, the people who got hold of them did "smarter" things than insert links into (gs) user's pages--smart as in a whaling expedition. Pick out the big fish, take over some email addresses, do some info mining for social engineering, and come up with access to people's bank accounts and credit cards.

    This is just another big frustration from (mt) in a year full of them, and I would really like to see them turn a corner unless the reality is they've been all branding and no substance all along. The lack of journalistic type inquiry and consumer reports in this area is really disturbing. It's needed.

    I've heard from a lot of people that the SQL containers don't do much. Why not just go to a (dv)? A (gs) account with an SQL container and a Rails container would end up costing more than the (dv), but you don't get as many features, and I see no reason to expect comparable performance. This has puzzled me for a long time. I am looking forward to seeing what the have to say about the (cs) which will supersede the (gs) which has just (finally) finished its "gen2" upgrade process. I have been noticing some performance improvements on the (gs) in recent weeks, but we'll see if the latency and downtime really goes away.
  • Well the gridcontainer has really helped me... as long as the server's not down, the site's up and fast. I tried a (dv) over a year ago and they messed up the install, and told me to fix it myself - so after a month of headaches I moved back to (gs) where it's more stable, scalable, and I don't have to worry about server admin stuff. I also don't use Rails, so I don't need that ;-)

    They've been having relatively good uptime since the epic failure this summer, so we'll see.

    Ultimately, I want to have a cheap middleware server that just serves requests to things like Amazon's S3, EC2, and SQL services... but at the moment I can't afford that. So I'm sticking to what will suffice for cloud computing at the moment.

    --Kyle
  • So the reboot/repair/rebuild function didn't do the trick with that (dv)? I've always thought of the (dv) with Plesk as both manageable and scalable (add on more resources as needed). The (gs) only scales relative to the containers you can add on. I guess that could be a better deal if your main resource load is your databases. I think they offered me an SQL container free for a month to try a while back, so maybe that's worth a shot.

    There IS a problem with not having an easy path from the (gs) to the (dv). The (cs) will have an upgrade path, so I am trying to decide if I should wait out the ride with the (gs)/(cs), go with the (dv) now, or give rackspace cloud a try. I will probably wait things out with the (gs) since I just use it for non-critical personal projects, but I also need a place to host some bigger clients with room to grow, and (mt) has really shaken my confidence in them. Moreover, it's the concern that buying more doesn't necessarily getting more when what you're already paying for doesn't deliver what it's supposed to.

    The thing that makes (mt) hard to just walk away from is the sense of the (gs) always being "almost there" and a really good idea. They sure have a lot going on in the labs now (http://mediatemple.net/labs)--it makes you want to believe. The (gs) control interface is ideal, and unlike Duncan Riley, I really *don't* want the ssh and vi literacy to come rushing back. I have other things to do.

    On the other hand, a Rackspace sales rep told me their "sites" package (starts at $100/mo) is akin to the (gs) and the "server" package (starts at $10.95/mo + resources as you need them) is comparable to the (dv). That threw me at first, but it makes a lot of sense: the "you're on your own" package should cost the least in the era of "cloud" hosting, because you're not tying up a whol physical server. The semi-managed packages end up costing the host more for the support it involves, most of it unseen.

    BTW, that sales rep also said they do plan to have a middle option--a pay-as-you-go version of their managed "sites" package. (No ETA on that.)
  • Hmm... well it looks like I'll be upgrading to (cs) when it's available - it sounds more stable and mature than the (gs) is, and it would be a huge pain to move anywhere else unless really necessary.

    I would recommend not moving to Rackspace either... I know people (Duncan being one) that have done that, and their cloud-based solution is relatively new (newer than the (gs)), and has proven to be shaky at times. Where Rackspace performs well is the cloud service in combination with their CDN, but only in combination - for now, that's too expensive for most people.

    For all their problems and inconveniences, I like (mt) - they tend to make my life really easy since I don't have to worry about much. But when things go down, they go down in an epic and extremely disruptive fashion.

    --Kyle
  • Agreed on the huge pain. Yes (mt) makes life easy, so I want to hope they are about to get things right. But it's been a long year. The past few weeks my GPU usage has evened out (usually it's more erratic) and performance has been pretty good.
  • Bryn
    Agreed. Another pissed off MT customer here. I'm very concerned about usernames and passwords being stolen from the user database running my site. A few of the people use the same password for their emails. One reported having his eBay account compromised just days after this happened. Passwords are encrypted in my db, but I assume they can still get at them. How do we know that the hackers didn't snoop through this stuff?
  • We don't.

    --Kyle
  • There's a new update @ (mt) Media Temple with some new info here:
    http://weblog.mediatemple.net/weblog/category/s...
  • They're slowly opening up, but the full story isn't public yet...

    --Kyle
  • Glad you're writing about this - I had a few of my sites were compromised around the same time and I never had ANY response from MT. No acknowledgement; no prompt to change my passwords. I figured it out but was wondering how things would be handled going forward. Thanks for persisting.
blog comments powered by Disqus
Kyle Brady: Blog
coherent thoughts on diverse topics


Site Navigation:
About Columns Ethics Rules Contact




  • Around the Internet


Search