The meltdown of Code Spaces could have been avoided with better system design and security, says Digital Craftsmen MD Simon Wilcox.
Most of the world — or at least the bit that’s not watching the World Cup — now knows that US code-hosting company Code Spaces was forced to shut up shop on Tuesday, June 17th 2014.
The reason: a hacker sliced into Code Spaces’ control panel on Amazon’s Elastic Compute Cloud (EC2) during a 12-hour wrecking spree, demanding money with menaces before destroying customer data and back-ups.
By the time Code Spaces managed to wrest back control, the hacker had “removed all EBS snapshots, S3 buckets, all AMI’s [sic], some EBS instances and several machine instances,” says Code Spaces. The company admitted that most of its “data, backups, machine configurations and offsite backups were either partially or completely deleted.”
As a company that manages secure cloud solutions for several high-profile clients, we know that this meltdown is not inherently a cloud problem — it’s more a failure of basic system design and security procedures.
Details are scant at this time, but it appears that although backups were taken to S3, they were controlled through the same user account as the primary data.
To properly protect data backups, we recommend that S3 backup space be provisioned, with versioning enabled, via a separate AWS account using different credentials.
Although this doesn’t stop a hacker from deleting the backups via the primary account, the deleted backups can be trivially recovered via the backup account.
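One way to check the separate-account setup recommended above, as an added example that is not part of the original article: a small Python audit of the backup bucket's policy that flags any grant letting the primary account permanently destroy object versions or switch versioning off. The account ID, bucket name and both sample policies are constructed; the action names are real S3 IAM actions.

```python
import fnmatch

PRIMARY = "111111111111"  # constructed placeholder account ID
# Actions that permanently destroy versions or switch the protection off.
DESTRUCTIVE = ["s3:DeleteObjectVersion", "s3:PutBucketVersioning",
               "s3:PutLifecycleConfiguration", "s3:PutBucketPolicy",
               "s3:DeleteBucket"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_account(principal, account_id):
    """True if the statement's Principal covers the given account."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:")
               for p in _as_list(principal.get("AWS", [])))

def risky_grants(policy, account_id):
    """List (Sid, action) pairs where account_id is allowed a destructive action.
    Simplification: NotAction, Condition and explicit Deny are not evaluated."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if not _names_account(stmt.get("Principal"), account_id):
            continue
        for pattern in _as_list(stmt["Action"]):
            findings += [(stmt.get("Sid", "?"), a) for a in DESTRUCTIVE
                         if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
    return findings

def _policy(sid, actions):  # builds a constructed sample bucket policy
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PRIMARY}:root"},
        "Action": actions,
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]}

WEAK = _policy("PrimaryFullAccess", "s3:*")
# Plain s3:DeleteObject on a versioned bucket only adds a delete marker.
HARDENED = _policy("PrimaryWriteOnly", ["s3:PutObject", "s3:DeleteObject"])

if __name__ == "__main__":
    print("weak:", risky_grants(WEAK, PRIMARY))
    print("hardened:", risky_grants(HARDENED, PRIMARY))
```

An empty result for the hardened policy means a compromise of the primary account can hide backups behind delete markers but cannot remove the underlying versions, which matches the recovery path described above.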
Secondly, two-factor authentication (2FA) should be considered mandatory for all public cloud control panels.
2FA provides much stronger security than username/password combinations alone, combining something known (username/password) with something physical (such as a smartcard token) that provides a one-time code.
Without the physical device, an attacker cannot access the control panel even if they do discover the username and password.
So to all you cloud advocates out there: avoid a Code Spaces-style disaster by getting expert advice, using the strongest access protection available and not putting all your eggs in one AWS basket.