
Comments
Code Hosting Service Shuts Down After Cyber Attack
Charlie Babcock
User Rank: Ninja
7/3/2014 | 2:37:23 PM
Good advice here....
Good advice here from Neohapsis' Patrick Thomas against the threat of attack in the cloud.
ebyjeeby
User Rank: Strategist
6/23/2014 | 2:48:03 PM
more security
Sounds like dual-control may be needed - a second person logging on to approve changes - at least for adding another admin and deleting important items
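The dual-control idea in the comment above, as an added example that is not part of the thread: a gate in which privileged operations (adding an admin, deleting a repository or a backup) only execute once a second, pre-existing administrator approves, so a single compromised admin credential cannot carry them out alone. The operation names and admin accounts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Privilege-changing or destructive operations that must never run on the
# say-so of a single administrator account (constructed set for this example).
PROTECTED_OPS = {"add_admin", "delete_repository", "delete_backup"}


@dataclass
class Request:
    op: str
    target: str
    requested_by: str
    # Admins who already existed when the request was made. Only they may
    # approve, so an account added later cannot rubber-stamp the request.
    eligible_approvers: frozenset
    approved_by: Optional[str] = None


class DualControlGate:
    def __init__(self, admins):
        self.admins = set(admins)
        self.pending = {}   # request id -> Request awaiting a second admin
        self.audit = []     # (event, request id, op, target, actor) records

    def request(self, req_id, op, target, requested_by):
        """Execute a routine op immediately; park a protected op as pending."""
        if requested_by not in self.admins:
            raise PermissionError(f"{requested_by} is not an administrator")
        if op not in PROTECTED_OPS:
            self.audit.append(("executed", req_id, op, target, requested_by))
            return "executed"
        eligible = frozenset(self.admins - {requested_by})
        self.pending[req_id] = Request(op, target, requested_by, eligible)
        self.audit.append(("pending", req_id, op, target, requested_by))
        return "pending"

    def approve(self, req_id, approver):
        """Second admin approves; self-approval and non-admins are rejected."""
        req = self.pending.get(req_id)
        if req is None:
            raise KeyError(f"no pending request {req_id}")
        if approver not in req.eligible_approvers:
            self.audit.append(("rejected", req_id, req.op, req.target, approver))
            return "rejected"
        req.approved_by = approver
        del self.pending[req_id]
        if req.op == "add_admin":
            self.admins.add(req.target)
        self.audit.append(("executed", req_id, req.op, req.target, approver))
        return "executed"
```

The audit list doubles as the record a responder would review after an incident: every pending, rejected and executed protected operation names both the requester and the approver.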
Andre Leonard
User Rank: Strategist
6/23/2014 | 10:18:30 AM
Redundant back-up.
" Perhaps it makes more sense to start talking in terms of diversified backups, to emphasize the broad types of threats that a backup strategy must mitigate."

Sad it's come to this. Cloud-only back-ups do present certain limitations.
Robert McDougal
User Rank: Ninja
6/22/2014 | 9:47:15 AM
Re: AWS the Right Platform?
I think the truth lies somewhere between your hypothesis and the published story.  

I would say the most logical explanation is that they simply do not have the ability or desire to fight the attack.
RetiredUser
User Rank: Ninja
6/21/2014 | 3:03:10 AM
Re: AWS the Right Platform?
@TalKlein

While you're right, it's more than just that for me. Certainly mirrors/offsites are not also available for deletion in the AWS EC2 control panel? That is more what astounds me than anything - I just find it hard to swallow that a cyber attack erased mirrored backups and offsite backups. I'd want to read more about the incident before being too suspicious, but again, with many a tried/true source code repository platform out there, this scenario reads strangely; either AWS is the wrong platform for a code sharing infrastructure, or something else is going on. I guess what I'm getting at is, if a mistake was made, own up to it - we've all been there and learned from it - and if not, then perhaps some fresh eyes need to look at AWS and how the services are set up. Let's not let our customers (as IT) shoot themselves in the foot on something so basic as how data is backed up and mirrored.
TalKlein
User Rank: Author
6/21/2014 | 2:03:48 AM
Re: AWS the Right Platform?
You're making the age-old case for delegated admin, which looks great on paper, but we all know that in reality any company for whom security isn't a core competency will have an administrator who dips their feet in two ponds. In general we must design for failure, which means:

1. Assume administrators are human and therefore gullible

2. Develop a proper mechanism for valuating data

3. Build security models around behavioral risk modeling rather than linear detection

Until we solve for these tenets, life in the Möbius strip remains the status quo.
RetiredUser
User Rank: Ninja
6/20/2014 | 7:20:05 PM
AWS the Right Platform?
I wonder at a source code hosting service being framed upon AWS. When it comes to cloud platforms and the type of infrastructure that should be deployed there, I wouldn't have pegged AWS as right for this, though Bitnami has a Gitorious AWS package which seems to be gaining ground. When I think of GitHub, Gitorious, Launchpad, GNU Savannah, GForge and SourceForge - the last thing I imagine is this scenario where the body of decades of valuable free and open source software (FOSS) programming goes down the drain. I love the cloud as much as the next person, but I also believe there are certain properties that need to be hosted more securely, and also propagated across multiple, "untouchable" mirrors. Simply astounding, and almost suspect, that something like this would even be possible with the source code hosting platforms we currently have out there that have stood the test of time (for the most part).