6/20/2014
01:40 PM

Code Hosting Service Shuts Down After Cyber Attack

Code Spaces shuttered its doors after a hacker accessed the company's Amazon EC2 control panel and erased business data and other information.

A code hosting company has shut down following a cyber attack that erased much of its data, backups, machine configurations, and offsite backups.

The company states in a message on its homepage:

Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.

Visitors to the Code Spaces website are greeted with a lengthy outline of what happened. On Tuesday, the company explains, Code Spaces was hit by a distributed denial-of-service attack against its servers. Such attacks weren't uncommon. Unfortunately, this time it was just the beginning.

The unknown attacker was able to gain access to Code Spaces' Amazon EC2 control panel, and left a number of messages for the company to contact them using a Hotmail address. Doing so yielded an extortion demand. When the company realized the attacker had access to the EC2 control panel, further investigation revealed the person also had access to the data in the company's systems, although no machine access occurred, because the intruder did not have the private keys.

The company statement continues:

At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances and several machine instances.

Patrick Thomas, security consultant for Neohapsis, calls the situation a "nightmare scenario" for cloud services companies:

This is a wakeup call to other organizations that have critical assets on cloud services. Two-factor authentication and detailed event monitoring and alerting are essential components of any cloud strategy.

Offsite backups have been considered a necessary operating procedure for any sensitive data, but in the age of cloud infrastructure many organizations think that they can simply pass the buck on backups, getting their geographic distribution and redundancy for free as part of going to the cloud. However, anything that's vulnerable to the same threats isn't fulfilling the original intent of offsite backups. Perhaps it makes more sense to start talking in terms of diversified backups, to emphasize the broad types of threats that a backup strategy must mitigate.
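
The event monitoring and alerting called for above, sketched over AWS CloudTrail-style records as an added example (not part of the original article or any Code Spaces tooling): it flags new logins or keys being created and a burst of deletions by one principal. The flattened record layout, user names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real CloudTrail event names; grouping them into two classes is this example's choice.
PERSISTENCE = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}
DESTRUCTIVE = {"DeleteSnapshot", "DeleteBucket", "DeregisterImage",
               "DeleteVolume", "TerminateInstances"}
BURST_COUNT = 3                       # assumed threshold
BURST_WINDOW = timedelta(minutes=10)  # assumed window

# Constructed sample events: (eventTime, user, eventName, mfa_used), a simplified
# flattening of CloudTrail's eventTime, userIdentity and mfaAuthenticated fields.
EVENTS = [
    ("2014-06-17T09:00:00Z", "nightly-prune", "DeleteSnapshot", True),
    ("2014-06-17T10:02:00Z", "ops-admin", "CreateUser", False),
    ("2014-06-17T10:03:00Z", "ops-admin", "CreateLoginProfile", False),
    ("2014-06-17T10:05:00Z", "ops-admin", "DescribeInstances", False),
    ("2014-06-17T11:30:00Z", "backup-svc2", "DeleteSnapshot", False),
    ("2014-06-17T11:31:00Z", "backup-svc2", "DeleteBucket", False),
    ("2014-06-17T11:33:00Z", "backup-svc2", "DeregisterImage", False),
    ("2014-06-17T11:34:00Z", "backup-svc2", "TerminateInstances", False),
]

def detect(events):
    """Return alerts as (kind, user, event_name, mfa_used) tuples in time order."""
    alerts, recent, bursting = [], defaultdict(list), set()
    for ts, user, name, mfa in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if name in PERSISTENCE:
            # Any new login or key deserves review: backup logins are how the
            # intruder kept panel access after the passwords were changed.
            alerts.append(("new-credential", user, name, mfa))
        elif name in DESTRUCTIVE:
            # Sliding window of this principal's recent destructive calls.
            recent[user] = [t for t in recent[user]
                            if when - t <= BURST_WINDOW] + [when]
            if len(recent[user]) >= BURST_COUNT and user not in bursting:
                bursting.add(user)  # one alert per principal, not one per call
                alerts.append(("destructive-burst", user, name, mfa))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The single scheduled snapshot deletion raises nothing, while the credential creation and the run of deletions each do; carrying the MFA flag in the alert lets a responder see at once that the session was not two-factor authenticated.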

Jim Reavis, chief executive officer of the Cloud Security Alliance, stresses that DDoS attacks and other malicious activity have caused business outages and shutdowns before among companies using traditional IT, and that cloud computing itself was hardly a factor in exacerbating Code Spaces' demise. He told me in an email:

Cloud users of IaaS [infrastructure-as-a-service] like Code Spaces have significant responsibilities in implementing security best practices to protect their system availability and proprietary information, as we have outlined in our security guidance and controls framework. At a high level, tenancy with a robust cloud computing infrastructure should provide greater pipes to withstand DDoS attacks than a small business could afford.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Charlie Babcock,
User Rank: Strategist
7/3/2014 | 2:37:23 PM
Good advice here....
Good advice here from Neohapsis Patrick Thomas against threat of attack in the cloud.
ebyjeeby,
User Rank: Apprentice
6/23/2014 | 2:48:03 PM
more security
Sounds like dual-control may be needed - a second person logging on to approve changes - at least for adding another admin and deleting important items
Andre Leonard,
User Rank: Apprentice
6/23/2014 | 10:18:30 AM
Redundant back-up.
"Perhaps it makes more sense to start talking in terms of diversified backups, to emphasize the broad types of threats that a backup strategy must mitigate."

Sad it's come to this. Cloud-only back-ups do present certain limitations.
Robert McDougal,
User Rank: Ninja
6/22/2014 | 9:47:15 AM
Re: AWS the Right Platform?
I think the truth lies somewhere between your hypothesis and the published story.  

I would say the most logical explanation is that they simply do not have the ability or desire to fight the attack.
Christian Bryant,
User Rank: Ninja
6/21/2014 | 3:03:10 AM
Re: AWS the Right Platform?
@TalKlein

While you're right, it's more than just that for me.  Certainly mirrors/offsites are not also available for deletion through the AWS EC2 control panel?  That is more what astounds me than anything - I just find it hard to swallow that a cyber attack erased mirrored backups and offsite backups.  I'd want to read more about the incident before being too suspicious, but again, with many a tried/true source code repository platform out there, this scenario reads strangely; either AWS is the wrong platform for a code sharing infrastructure, or something else is going on.  I guess what I'm getting at is, if a mistake was made, own up to it - we've all been there and learned from it - and if not, then perhaps some fresh eyes need to look at AWS and how the services are set up.  Let's not let our customers (as IT) shoot themselves in the foot on something so basic as how data is backed up and mirrored.
TalKlein,
User Rank: Author
6/21/2014 | 2:03:48 AM
Re: AWS the Right Platform?
You're making the age old case for delegated admin which looks great on paper, but we all know that in reality any company for whom security isn't a core competency will have an administrator who dips their feet in two ponds. In general we must design for failure, which means:

1. Assume administrators are human and therefore gullible

2. Develop a proper mechanism for valuating data

3. Build security models around behavioral risk modeling rather than linear detection

Until we solve for these tenets, life in the mobius strip remains the status quo.
Christian Bryant,
User Rank: Ninja
6/20/2014 | 7:20:05 PM
AWS the Right Platform?
I wonder at a source code hosting service being framed upon AWS. When it comes to cloud platforms and the type of infrastructure that should be deployed there, I wouldn't have pegged AWS as right for this, though Bitnami has a Gitorious AWS package which seems to be gaining ground. When I think of GitHub, Gitorious, Launchpad, GNU Savannah, GForge and SourceForge - the last thing I imagine is this scenario where the body of decades of valuable free and open source software (FOSS) programming goes down the drain. I love the cloud as much as the next person, but I also believe there are certain properties that need to be hosted more securely, and also propagated across multiple, "untouchable" mirrors. Simply astounding, and almost suspect, that something like this would even be possible with the source code hosting platforms we currently have out there that have stood the test of time (for the most part).