Code Spaces Hosting Shutting Down After Attacker Deletes All Data 387
An anonymous reader writes Code Spaces [a code hosting service] has been under DDOS attacks since the beginning of the week, but a few hours ago, the attacker managed to delete all their hosted customer data and most of the backups. They have announced that they are shutting down business.
From the announcement: An unauthorized person who at this point who is still unknown (All we can say is that we have no reason to think its anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a Hotmail address. Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.
At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel.
At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel.
Re:The cloud (Score:5, Interesting)
Single account to rule them all......the best approach is the separation of concerns (user management, server management, backup / restore, etc.) so that it is a lot harder to compromise everything.
Re:The cloud (Score:5, Interesting)
The concept was good but the people in charge were in way over their heads and it became suddenly clear to them that they had no business securing other peoples data. Good for them. At least they know what they suck at.
Facking Idiots (Score:5, Interesting)
Git (Score:5, Interesting)
Re:The cloud (Score:5, Interesting)
Good thing people hosted their stuff on the cloud...
I don't think their problem is necessarily because it was "on the cloud" - the same thing could have happened if someone penetrated a corporate network and got hold of a VM farm. A bigger obstacle to be sure, but if your corporation has partner/vendor access and a not-so-sharp security guy...
One question I have though - instead of changing a password, why couldn't they have called Amazon, had the thing universally locked out for that company, replaced all root-level access with a new account, and sent the new username and p/w by phone back to the company?
Also, why didn't they have an offline (think: off-cloud) backup of the stuff? Sure it costs time/money/skull-sweat to do that, but it's worth the time and trouble in the end. After all, if your family jewels are hanging out there, it always pays to have a DR plan for 'em...
If nothing else, they could have set up a separate and distinct AWS account/rigging as a "DR" of sorts, with DB replication and the works feeding it as a warm DR site. That way if some jackass compromises the first, you only need to stop DB replication, turn on the rest of the DR servers, do a quick test, and shift your DNS to the backup site - 15 mintues later, you can delete the objects yourself in the original site if you want (while you set up yet a different site and build a new backup site to replace the one you just put into production.)
We have a sizable AWS setup where I work, and first/foremost we back that shit up (the DB contents) to machinery that we control. We also have a means of re-deploying/rebuilding if necessary; sure it takes time, but it's better to have it and not need it...
Re:I can't think of a better argument... (Score:5, Interesting)
for air gapped backups.
It has to be more than that. We had a policy of air gapped backups that everyone followed. But we had several different sites with several different admins. There was a large hurricane and we found some flaws in the system to say the least.
In several cases, the backups were kept IN the drive... they were gone.
In others, they removed the backups, put them on top of the server or in a desk draw.... gone as well.
In others, they actually removed the tapes from the site, but often they were taken home by the admin or other staff... in those cases we faired slightly better because both the site and the staffs house would have to be under water. Hurricanes are big however, so we had about a 50% success rate there.
In some cases they had a safe on site. This proved marginally better... the tapes were safe in most cases. In one instance we had a rather brave Admin fly across the country, take a cab out to the site and the literally SWIM to get the tape. But in a lot of cases the tape was OK, but the safe was under water. So we weren't able to retrieve it for days.
The sites where local admins stored the tapes at local banks faired the best. So now that's our policy. Backups get stored off-site, in a vault. Technology is better now so we also do remote backups across the net now as well in case the bank is under water as well. But no matter what, we can always head to the bank vault. Ok, I guess a meteor would ruin our day, but you cant plan for everything.
Re:The cloud (Score:2, Interesting)
I don't think that was a money thing, rather it was an oversight of risk management. Hindsight is always 20/20.
(Besides, where does this "blame the victim" attitude always come from? It's ridiculous. This is equal to saying that wearing scantily clad clothing means a woman deserves to get raped.)
Re:The cloud (Score:3, Interesting)
Re:The cloud (Score:5, Interesting)
I see this come up a lot and honestly..... I mean.... is it really wrong to suggest that a person should think about self-protection?
Do you lock the door to your house? Your car? I do. I generally wont even leave my phone in the locked car unless I expect I will not be out of view of the car for more than a minute, I even look around first when making such a decision. Why? Because people I know, including myself, have had shit stolen from their cars!
And you know what.... I, the victim, was stupid for thinking it was going to be ok to leave my GPS on the cradle in the car overnight. The person who stole it is still an asshole, still deserves to be punished, but you know what....that doesn't make me smart for exposing myself to his actions.
Should a woman be able to wear what she wants? Should she be able to walk down the street at night alone? Yes. Absolutely. However, when my wife clips a knife on her belt before going for walks at night, when she tells me what streets she avoids at night because she knows its where alot of the rapes are reported.... it makes me think I married a smart girl.
But hey maybe I am odd, I don't say "don''t wear that" I say "don't forget your knife"
Because its true, she shouldn't ever have to use it, and I hope she never does.... but if it ever happens, I hope she spills entrails on the sidewalk.
Re:The cloud (Score:5, Interesting)
But since the topic at hand has nothing to do with rape, let's get stop with unfitting analogies. A company that is offering HOSTING must take have a solid backup plan and security policies in place. Otherwise, even if the criminal who attacked them is solely responsible for the act, the attacked company is 100% responsible in front of their clients, just as it should be.
In the business world being totally incompetent to offer the service you want to offer is not justified. It has nothing to do with rape, burglary or anything else, really.