If someone hacked your Cloud account, could they knock you out of business?
For the company CodeSpaces, the answer was a resounding yes:
The beginning of the end was a DDoS attack initiated yesterday that was accompanied by an intrusion into Code Spaces’ Amazon EC2 control panel. Extortion demands were left for Code Spaces officials, along with a Hotmail address they were supposed to use to contact the attackers.
“Upon realization that somebody had access to our control panel, we started to investigate how access had been gained and what access that person had to the data in our systems,” Code Spaces said. “It became clear that so far no machine access had been achieved due to the intruder not having our private keys.”
Code Spaces said it changed its EC2 passwords, but quickly discovered the attacker had created backup logins, and once recovery attempts were noticed, the attacker began deleting artifacts from the panel.
“We finally managed to get our panel access back, but not before he had removed all EBS snapshots, S3 buckets, all AMI’s, some EBS instances and several machine instances,” Code Spaces said. “In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”
Within 12 hours, Code Spaces went from a viable business to devastation. The company reported that all of its svn repositories—backups and snapshots—were deleted. All EBS volumes containing database files were also deleted.
When it comes to platforms, there is a constant refrain from the programmer community to “not to put your eggs in someone else’s basket“, or “What Apple Giveth, Apple taketh away“, and yet we still do it. We still think that just because someone else promises redundancy, we’ll be OK.
We won’t. Gmail goes down. AWS goes down.
Being in the ‘cloud’ doesn’t change your disaster recovery plan. Scott Hanselman refers to it as the Backup Rule of Three:
- 3 copies of anything you care about – Two isn’t enough if it’s important.
- 2 different formats – Example: Dropbox+DVDs or Hard Drive+Memory Stick or CD+Crash Plan, or more
- 1 off-site backup – If the house burns down, how will you get your memories back?
As a business, who do you trust with your data? More importantly, who do you trust to make sure you don’t go out of business?