Murder in the Amazon cloud

The demise of Code Spaces at the hands of an attacker shows that, in the cloud, off-site backups and separation of services could be key to survival

Code Spaces was a company that offered developers source code repositories and project management services using Git or Subversion, among other options. It had been going for seven years, and it had no shortage of customers. But it's all over now -- the company was essentially murdered by an attacker.

We talk about security, backups, and especially the cloud, but it's hard to quantify most of the effort we make, especially in light of budgetary concerns. We can fortify our walls as best we can with the resources we have, and in the vast majority of instances, that will suffice. Sometimes, however, it's not going to be enough.

[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Code Spaces was built mostly on AWS, using storage and server instances to provide its services. Those server instances weren't hacked, nor was Code Spaces' database compromised or stolen. According to the message on the Code Spaces' website, an attacker gained access to the company's AWS control panel and demanded money in exchange for releasing control back to Code Spaces. When Code Spaces didn't comply and tried to take back control over its own services, the attacker began deleting resources. As the message on the website reads: "We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances."

The attack has effectively destroyed Code Spaces. It is a direct comparison to someone breaking into an office building late at night, demanding a ransom, then throwing grenades into the data center if the demands were not met. The only difference is that it's an awful lot easier to penetrate a cloud-based platform than to physically breach a corporate data center.

I'm sure this scenario never occurred to those poor souls at Code Spaces. More than likely they kept up their security measures, ensured that their server security was tight, and relied on Amazon for the bulk of their infrastructure -- not unlike thousands of other companies. Yet the attack that brought Code Spaces under was as simple as gaining access to its AWS control panel. All the security in the world is immaterial when the threat comes from within, and that appears to be what has happened here.

Code Spaces had replicated services and backups, but those were all apparently controllable from the same panel and, thus, were summarily destroyed. The company says that some data still remains, and it's working with customers as best it can to provide access to what's left.

This is the kind of story that should hit us all hard, because it could definitely happen to you and me. It certainly reinforces the idea that separation of services is a good thing.

If you run cloud services, maybe you should use a few different vendors. You should spread your services across multiple geographic locations, if at all possible, and spend a few extra bucks here and there on safety measures beyond simple server instance imaging. You should definitely have off-site backups -- this should be non-negotiable -- though it'll amount to a significant expense when everything else is running in the cloud.

The time is right for third-party cloud backup vendors to fire up their bullhorns. This extremely sad tale should gain them more than a few customers.

To the folks behind Code Spaces who are doubtless still reeling from this unconscionable attack, you have my sincerest condolences. One hopes that the people behind such havoc as this will be brought to justice, though that seems unlikely. May you take some small solace in knowing that your misfortunes may well help others avoid similar fates. Small comfort, I know.

This story, "Murder in the Amazon cloud," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies