[Cryptography] Code Spaces has been under DDOS attacks and...

ianG iang at iang.org
Sat Jun 21 10:02:49 EDT 2014


On 21/06/2014 03:21 am, Tom Mitchell wrote:
> There are risks in the cloud, oh my.
> I might ask here how encryption helps or hinders (both attacker and
> defenders) attacks in the cloud.
> 
> Slashdot noted:
> "Code Spaces [a code hosting service] has been under DDOS attacks since
> the beginning of the week, but a few hours ago, the attacker managed to
> delete all their hosted customer data and most of the backups. They have
> announced that they are shutting down business.
> 
> "From the announcement: An unauthorized person who at this point who is
> still unknown (All we can say is that we have no reason to think it's
> anyone who is or was employed with Code Spaces) had gained access to our
> Amazon EC2 control panel and had left a number of messages for us to
> contact them using a Hotmail address. Reaching out to the address
> started a chain of events that revolved around the person trying to
> extort a large fee in order to resolve the DDOS.


DDOS and breach extortion have been going on for the longest time in the
gaming world.  There, the costs can easily be quantified because they're
making real money, hand over fist.

This doesn't apply to the startup world who are on a shoestring and
their value if ever found is in some IPO or buyout.  Which is
untouchable really.

So, what is going on in the attacker's head that made this a good use of
their time?


> "At this point we took action to take control back of our panel by
> changing passwords, however the intruder had prepared for this and had
> already created a number of backup logins to the panel and upon seeing
> us make the attempted recovery of the account he proceeded to randomly
> delete artifacts from the panel."


When I think of cloud I assume there will always be some form of control
panel.  And this will be protected by a password.  Which leaves me
pretty vulnerable to a complete attack.

So I guess it all depends on whether you are in a business where this is
an unacceptable risk?

To answer your top question, it is about securing a control panel.  If
it is a password, then the answer is simple -- don't use passwords.  Use
PKC.

If it is such an important asset, then it needs to be protected by a
token that the server can't forge or lose (has Amazon been hacked?
sure...) and also that cannot be easily stolen from the owner company.
So you need some form of secured device that has a private key to drive an
interface that is otherwise unbreachable.

Take online banking.  Because the PC/browsers aren't secure against
e.g., phishing and viruses and sandbox attacks, the standard advice
would be to use a computer that is used for nothing else, isn't
connected to the network, and has a browser that isn't used for any
other thing.



iang
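
As an added illustration of the "don't use passwords, use PKC" point in the message above (not code from the post or its author): a minimal Ed25519 challenge-response login in Go, where the server keeps only public keys and single-use nonces. The `Server` and `Token` types, the `admin` account name and the `panel-login-v1:` label are assumptions made for the example; a real token would be a hardware device, not an in-memory key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores public keys and pending nonces only: nothing an intruder could sign with.
type Server struct{ keys, pending map[string][]byte }
func NewServer() *Server { return &Server{map[string][]byte{}, map[string][]byte{}} }
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for user, replacing any unanswered one.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no safe way to continue without randomness
	}
	s.pending[user] = nonce
	return nonce
}

// Login consumes the nonce (pass or fail) and checks the token's signature over it.
func (s *Server) Login(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	pub, known := s.keys[user]
	delete(s.pending, user)
	return ok && known && ed25519.Verify(pub, signed(nonce), sig)
}

func signed(nonce []byte) []byte { return append([]byte("panel-login-v1:"), nonce...) } // domain-separated

// Token stands in for the secured device; the private key never leaves it.
type Token struct{ priv ed25519.PrivateKey }
func NewToken() (*Token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv}, pub
}
func (t *Token) Sign(nonce []byte) []byte { return ed25519.Sign(t.priv, signed(nonce)) }

func main() {
	tok, pub := NewToken()
	srv := NewServer()
	srv.Enroll("admin", pub)
	sig := tok.Sign(srv.Challenge("admin"))
	fmt.Println("login:", srv.Login("admin", sig), "replay:", srv.Login("admin", sig))
}
```

A copy of everything the server holds (public keys and spent nonces) does not let anyone produce a valid login, and a captured signature is useless once its nonce has been consumed.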

