6/20/2014
01:40 PM

Code Hosting Service Shuts Down After Cyber Attack

Code Spaces shuttered its doors after a hacker accessed the company's Amazon EC2 control panel and erased business data and other information.

A code hosting company has shut down following a cyber attack that erased much of its data, backups, machine configurations, and offsite backups.

The company states in a message on its homepage:

Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.

Visitors to the Code Spaces website are greeted with a lengthy outline of what happened. On Tuesday, the company explains, Code Spaces was hit by a distributed denial-of-service attack against its servers. Such attacks weren't uncommon. Unfortunately, this time it was just the beginning.

The unknown attacker was able to gain access to Code Spaces' Amazon EC2 control panel, and left a number of messages for the company to contact them using a Hotmail address. Doing so yielded an extortion demand. When the company realized the attacker had access to the EC2 control panel, further investigation revealed the person also had access to the data in the company's systems, although no machine access occurred, because the intruder did not have the private keys.

The company statement continues:

At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances.

Patrick Thomas, security consultant for Neohapsis, calls the situation a "nightmare scenario" for cloud services companies:

This is a wakeup call to other organizations that have critical assets on cloud services. Two-factor authentication and detailed event monitoring and alerting are essential components of any cloud strategy.

Offsite backups have been considered a necessary operating procedure for any sensitive data, but in the age of cloud infrastructure many organizations think that they can simply pass the buck on backups, getting their geographic distribution and redundancy for free as part of going to the cloud. However, anything that's vulnerable to the same threats isn't fulfilling the original intent of offsite backups. Perhaps it makes more sense to start talking in terms of diversified backups, to emphasize the broad types of threats that a backup strategy must mitigate.

Jim Reavis, chief executive officer of the Cloud Security Alliance, stresses that DDoS attacks and other malicious activity have caused business outages and shutdowns before among companies using traditional IT, and that cloud computing itself was hardly a factor in exacerbating Code Spaces' demise. He told me in an email:

Cloud users of IaaS [infrastructure-as-a-service] like Code Spaces have significant responsibilities in implementing security best practices to protect their system availability and proprietary information, as we have outlined in our security guidance and controls framework. At a high level, tenancy with a robust cloud computing infrastructure should provide greater pipes to withstand DDoS attacks than a small business could afford.
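
The sequence in the company statement (backup logins created, then a run of deletions) is the kind of activity the event monitoring and alerting Thomas recommends can flag. The following is an added example, not code from the article or from Code Spaces. It assumes AWS CloudTrail-style records, a service the article does not name; the sample events, account ID, user name, and thresholds are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CloudTrail event names (AWS API actions), grouped by what they indicate.
NEW_LOGIN = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}
DESTRUCTIVE = {"DeleteSnapshot", "DeleteBucket", "DeregisterImage",
               "DeleteVolume", "TerminateInstances"}

def detect(events, burst=3, window=timedelta(minutes=10)):
    """Return (time, principal, reason) alerts for CloudTrail-style dicts."""
    alerts, recent = [], defaultdict(deque)
    for e in sorted(events, key=lambda x: x["eventTime"]):
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        who, name = e["userIdentity"]["arn"], e["eventName"]
        mfa = e.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa == "No":
            alerts.append((when, who, "console login without MFA"))
        elif name in NEW_LOGIN:
            # A new user, password or access key is a possible backup login.
            alerts.append((when, who, f"new credential created: {name}"))
        elif name in DESTRUCTIVE:
            q = recent[who]
            q.append(when)
            while when - q[0] > window:   # drop calls older than the window
                q.popleft()
            if len(q) == burst:           # fires when the in-window count hits the threshold
                alerts.append((when, who, f"{burst} destructive calls in {window}"))
    return alerts

# Constructed sample data: placeholder account ID and user name, arbitrary date.
ADMIN = "arn:aws:iam::123456789012:user/admin"

def ev(t, name, **extra):
    return {"eventTime": f"2014-01-01T{t}Z", "eventName": name,
            "userIdentity": {"arn": ADMIN}, **extra}

SAMPLE = [
    ev("09:00:00", "ConsoleLogin", additionalEventData={"MFAUsed": "No"}),
    ev("09:05:00", "CreateUser"),
    ev("09:06:00", "CreateAccessKey"),
    ev("11:30:00", "DeleteSnapshot"),
    ev("11:31:00", "DeleteBucket"),
    ev("11:32:00", "DeregisterImage"),
    ev("11:33:00", "TerminateInstances"),
]

if __name__ == "__main__":
    for when, who, reason in detect(SAMPLE):
        print(when.isoformat(), who, reason)
```

Alerts like these only help if the log store and the alert destination cannot be altered with the same console credentials being monitored.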

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Charlie Babcock,
User Rank: Ninja
7/3/2014 | 2:37:23 PM
Good advice here....
Good advice here from Neohapsis Patrick Thomas against threat of attack in the cloud.
ebyjeeby,
User Rank: Strategist
6/23/2014 | 2:48:03 PM
more security
Sounds like dual-control may be needed - a second person logging on to approve changes - at least for adding another admin and deleting important items
Andre Leonard,
User Rank: Strategist
6/23/2014 | 10:18:30 AM
Redundant back-up.
" Perhaps it makes more sense to start talking in terms of diversified backups, to emphasize the broad types of threats that a backup strategy must mitigate."

Sad it's come to this. Cloud-only back-ups do present certain limitations.
Robert McDougal,
User Rank: Ninja
6/22/2014 | 9:47:15 AM
Re: AWS the Right Platform?
I think the truth lies somewhere between your hypothesis and the published story.  

I would say the most logical explanation is that they simply do not have the ability or desire to fight the attack.
RetiredUser,
User Rank: Ninja
6/21/2014 | 3:03:10 AM
Re: AWS the Right Platform?
@TalKlein

While you're right, it's more than just that for me. Certainly mirrors/offsites are not also available for deletion in the AWS EC2 control panel? That is more what astounds me than anything - I just find it hard to swallow that a cyber attack erased mirrored backups and offsite backups. I'd want to read more about the incident before being too suspicious, but again, with many a tried/true source code repository platform out there, this scenario reads strangely; either AWS is the wrong platform for a code sharing infrastructure, or something else is going on. I guess what I'm getting at is, if a mistake was made, own up to it - we've all been there and learned from it - and if not, then perhaps some fresh eyes need to look at AWS and how the services are set up. Let's not let our customers (as IT) shoot themselves in the foot on something so basic as how data is backed up and mirrored.
TalKlein,
User Rank: Author
6/21/2014 | 2:03:48 AM
Re: AWS the Right Platform?
You're making the age-old case for delegated admin which looks great on paper, but we all know that in reality any company for whom security isn't a core competency will have an administrator who dips their feet in two ponds. In general we must design for failure, which means:

1. Assume administrators are human and therefore gullible

2. Develop a proper mechanism for valuating data

3. Build security models around behavioral risk modeling rather than linear detection

Until we solve for these tenets, life in the mobius strip remains the status quo.
RetiredUser,
User Rank: Ninja
6/20/2014 | 7:20:05 PM
AWS the Right Platform?
I wonder at a source code hosting service being framed upon AWS. When it comes to cloud platforms and the type of infrastructure that should be deployed there, I wouldn't have pegged AWS as right for this, though Bitnami has a Gitorious AWS package which seems to be gaining ground. When I think of GitHub, Gitorious, Launchpad, GNU Savannah, GForge and SourceForge - the last thing I imagine is this scenario where the body of decades of valuable free and open source software (FOSS) programming goes down the drain. I love the cloud as much as the next person, but I also believe there are certain properties that need to be hosted more securely, and also propagated across multiple, "untouchable" mirrors. Simply astounding, and almost suspect, that something like this would even be possible with the source code hosting platforms we currently have out there that have stood the test of time (for the most part).