
Surprise at the GoDaddy outage? Vulnerable networks are ticking bombs

Bob Eisenhardt sees the GoDaddy outage as the tip of the iceberg for vulnerable networks from banks to infrastructure. His take is pessimistic. Do you disagree?

It was hard to imagine -- the total collapse of the GoDaddy service for six hours on September 12, 2012 by an outside attacker (perhaps) -- a single hacker associated (perhaps) with Anonymous. The CEO of GoDaddy promptly indicated it was caused, rather, by a "series of internal network events that corrupted router data tables." The stories are bad no matter which version you pick. Along with this failure, thousands of small business websites that produce genuine commerce also collapsed. (One customer was out $50,000.) With those failures, an untold amount of raw data was also put, potentially, at severe risk of theft. With theft, lawsuits can easily follow, and lawyers get rich.

The GoDaddy incident could be viewed as a staggering breach of web-based commerce, and Steve Wozniak, the guru-savant of Apple, had it precisely correct when he predicted the security risks of storing data "in" the cloud. A partner of mine (a certified BCP/DR planner) feels precisely the same way about the inherent dangers of cloud-based storage. The list of consequences is actually endless if you ponder the imponderables of it all.

The precise cause of the GoDaddy attack remains vague for, obviously, the hacker (or as Cliff Stoll might say, a piece of human slime) is not going to reveal his methods or, worse, location, though doubtless the IP security trace is after his data packets. Anonymous rarely takes credit for attacks it does not commit, but the stories on the GoDaddy account do not add up under verification. Thus the internal network story gains credibility or at least makes for better PR. It is far better to admit to an internal error than to an external invasion, which frightens everybody away.

Big Data reports that "web-facing databases have a huge target on their backs. The easy way to secure these databases would be to take them off the web." Easy concept, but nobody buys it, at least not those infused with the Religion of the Cloud. On a smaller scale, a medical office I support uses a web-based product for patient management. If the Internet goes down (something that we all know never ever happens), their business does not exist, patients do not exist, and if a medical emergency should enter the office in a rush, a potentially life-threatening situation can develop. The worst-case scenario would be a lawsuit and, again, rich lawyers.

On September 18, 2012 the Bank of America website encountered periodic outages caused by cyber attacks launched to protest the Islamic issues boiling over in the Middle East. A message posted to Pastebin.com from "Cyber fighters of Izz ad-din Al qassam" (referencing the military wing of Hamas) said that the New York Stock Exchange would suffer a similar assault. The consequences of an attack on THAT scale are truly frightening, and it has already happened overseas.

Inside Saudi Arabia's largest oil company, over 30,000 computers were wiped clean by an Al-Qaeda attack reported as an inside job. Last month the Shamoon virus spread throughout their network, the largest corporate attack in history! Shamoon was not a high-level monster, just aimed at normal business computers; once inside, it attempts to infect everything it can find, steals whatever data it can touch, and then simply wipes hard drives clean. Liam O. Murchu of Symantec said that it has been "10 years since we saw something so destructive."

In response to Shamoon, the Department of Homeland Security reported that our domestic systems have no cause for concern. We must remember that in February of 2012, their domestic website was hacked by Anonymous.

Bill Pennington, chief strategy officer at WhiteHat Security, said that companies "have to be aware that cyber attacks are part of the landscape we live in today." I have to wonder if this is NEWS to anyone who has not lived on the Internet for any length of time? Only the perpetrators and the victims will fully comprehend what happened at Bank of America. Pennington added that businesses should expect more attacks.

Like a waterfall, the news continues to run fast and cold. Recently, computers manufactured in China shipped with malware pre-installed in an infected version of Windows. A few years ago, laptop computers that came back from China during the Olympics carried malware. A few years ago my small server was being FTP password blasted from an employee with the Beijing Railroad.

We must be blind to the obvious. The above examples, far from technical in nature, showcase SECURITY IGNORANCE 101. Forget searching for the IP addresses of Officejet printers; we are missing so many basics in security protocols that I am surprised our infrastructure is not wrecked already. Or perhaps it already is shattered, only we have not discovered it yet.

In my view, rethinking our dependence on cloud storage, web-based backup, and disaster recovery is essential. Only under certain limited conditions do I even consider cloud storage a viable option. For any secure data, I firmly believe that companies investing in the secure cloud environment are, in fact, buying pallet loads of snake oil from Professor Eustace McGargle (an early role of W.C. Fields). The outside world is coming in and all I read in the above tales is general astonishment mixed with the age-old line, "It can't happen here." Truth be told, it already has.

Our network infrastructure is enormously vulnerable because we believe our security protocols to be satisfactory. History proves us as Americans to be enormously naïve. In December of 1941 the secure waters around Ford Island became stained with blood and oil. The title of Gordon Prange's book, At Dawn We Slept, is perfectly apt and carries into the future. I remember having that feeling of security when I was on the 101st floor of the South tower about eleven Septembers ago. At 8:46 a.m. my ignorance came to a shattering end.

Whether a physical attack or a network penetration from within or without, I feel that the future bodes ill for our secure networks.

Are you more optimistic about the security of big networks? If so, share your thoughts in the discussion.

27 comments
ksec2960

I believe just like with 9/11 it will take a catastrophic event before things really change. Hardware and software companies are not yet really security minded. If they were, the constant bugs, patches and holes would not be the norm. Companies put out products still to this day that don't employ even moderate security measures. When there is a security breach it seems everybody just looks around and says we don't know what happened.

maszsam

What, life isn't perfect??? 6 whole hours? The humanity! Real stores are way safer, why when they burn down, er eh how long does that take? Or when they are broken into, why it only takes... how long? If you lose data it is because you are sloppy. This article actually makes the case for not having the system managed on site. It wasn't a cloud company employee who did the dirty work. And if it was on a cloud, it would probably have had a backup and better protection in the first place. I was trying to run the cloud versus on-site scenario out a few years. Not getting a clear picture about it, but one thing for sure: A person who knows what they are doing can always do a better job with their own assets than rented help. Maybe the best of both worlds is tech people heavily interfacing on an ongoing basis with the service provider. Sort of a hands-on via wire if you will.

Techcited!

I am amazed to see all of the glass-half-empty types here. What about the other half of the glass? In terms of small business (50 employees or less), I ask... What about 5 9's+ of uptime that we would never be able to achieve with the funds we have to spend on our little local setups? Who can afford the multiple redundant pipes coming in to their office that one gets with a cloud provider? What about the enterprise-class security that we do get without spending hours upon hours managing it ourselves? Even if the 25-person company could afford to hire a tech full time to manage all of this, how much could they really do? How much risk could they mitigate? Sure our data could get compromised at some cloud provider. However, I would argue that the risk is even greater when you are running your own SBS server in some office in Podunk. There is no way a 25-person Builder/Remodeler could even come close to what they need technology-wise as compared to what one gets from the various cloud providers. Yes, there's risk. If someone promises you that there isn't, you should run like your hair is on fire. And if you're a big enough company, you can surely take on and mitigate some of those risks yourself. However, for those in small business, I will take the other half of the glass - the full half. After all, for me it is much closer to full than it is to empty.

waterfrontguy

Since the days of swapping out CDC multi-disk platters on a VAX 11/780 for redundant incremental backups, I have been acutely aware of data control. Whoever thought that evoking something as opaque, ephemeral, and amorphous as the “cloud” to entrust the most important commodity of the digital age is sadly misguided. This article presents the dangers in a very general manner. Anyone who has ever lost their data can only multiply the damage when the impact is extended to the worldwide infrastructure. Forget Iran’s nuclear program, because a corps of hackers at the Ministry of State Security in Beijing constitute the biggest threat to the Western world.

Thumper1

I am the IT person in a medium size law firm. For the most part, I make all tech decisions and, as long as everything is working, am left alone. We have been deluged by the emails and magazine articles saying that "The Future is in the Cloud" touting the reduction in cost. Thinking I would be biased, they did independent research. Once they weighed the risks to the benefits, they decided that the cloud wasn't worth the risk.

Wunderbarb

The cloud paradigm makes a strong assumption: Continuous access to the cloud services. This means that in addition to having security requirements for the cloud service itself, there are even more requirements on the security and reliability of the communication network. And here we have a serious issue. In Carr's book, The Big Switch, he presented the analogy with the commodities of electrical power and the cloud. Cloud power will become equivalent to having access to electrical power through the power plug. It is an interesting analogy. Let's push it a little bit further. In the case of critical infrastructure, there is always a local UPS that compensates a potential electrical power outage. In the case of a 100% cloud based solution, at least in our current architectures, we do not have the equivalent part of this local UPS. Thus create your own equivalent of UPS, for instance in the case of critical data, you need to have them available locally, with secure sync in the cloud. Critical computations should be executable locally... The issue of relying on a pervasive Internet connection is not limited to the cloud, it spreads all over our applications. More and more, they need external resources or info to work properly. Thus, the reliability and security of the communication infrastructure is key. And it relies on private companies...

guillegr123

In my country, and the near regions of Central America, use of the cloud is still not affordable, because the Internet service goes down sometimes, whatever the ISP might be, and that's a fact.

eScoop

Perfect Irony. As I'm reading in this thread about all the dangers of the Cloud, I looked up to the top of the page and noticed it was being sponsored by Carbonite Online Backup. "Better for Your Business"- Why have all that pesky security in your own facility when you can send your data off to be hijacked by pirates?

jlwachtel

Robert is right on target! Our view of security is seriously flawed. Our communications protocols have been proven, more than once, to be inadequate and security measures have been proven to be a fable at best on the Internet. Banks have been hacked, insurance companies have been hacked, Apple has been hacked and systems worldwide have been compromised. When will we wake up and realize that the Internet is merely a work in progress? The cloud has been oversold and its legend far exceeds its reality. Putting confidential information or sensitive information on an unknown server in an unknown location to be handled like a commodity by unknown people does not seem to make a lot of sense. Further, putting your data where your only possibility of getting to it relies on one method of communication, the Internet, appears exceptionally problematic when that data is mission-critical. The "Internet" does not have to go down to stop you from getting to your data, your power company might go down or the power company near the cloud servers may go down or the telephone pole next to your building might be hit by a truck and go down. (Yes I know that there are UPS’s. But I also know UPS’s fail and have limitations!) These are just the natural possibilities. When you add to these possibilities malicious motivated individuals who are seeking to cause mayhem or to steal data or to get revenge, you begin to get a better picture of the dangers of the cloud. It still seems to me that the best model is to control my own data, and use the cloud as a place to store highly encrypted backups. At least until we can get the bugs out of our security.

8string

This is just the tip of the iceberg and likely still just the beginning. Having been involved in tracking down some of the first attacks back in the 90s, (the Chinese railway hacker was likely simply exploiting an unsecured workstation), this is nothing new. From what I've seen, it's not because IT folks don't know what to do to solve these problems of security, but because of an inability to really convince management in these cloud companies to spend the money, both in tools and manpower, to actually secure these sites properly. It's not cheap and it's about having people who really know their stuff and don't directly contribute to the bottom line. Having left Big IT I can't tell you how many small businesses I've seen that don't even understand the rudiments of security on their sites. Like even getting passwords right, or using directory services, or even putting in basic firewalls! It also plays, once again, into the hand of large corporations, like Google, Amazon and MSFT who have so much more to lose by not getting it "right", and actually have the resources to do so. That's why I end up using them for cloud storage, but still store sensitive information locally, and wait on the day when we will see this 'cloud' thing done with an infrastructure that is finally secured. I think it's possible to be vastly more secure (think of how long we *could* have really secured email if the solution wasn't so onerous for the average consumer). My feeling is that getting it *good enough* and really securing the backbone properly, will create an 80/20 rule. But there is so much more to do, and sadly, will only happen after the equivalent of a 911 attack on the Internet. As we know, the stealing of millions of passwords over the years has not gotten our Congress to do anything of value to force more support. Or did I miss something?

darcyi

Nobody's mentioning the little fact that the US had a hand in developing the Stuxnet virus that went after the Iranian centrifuges, and that now that little secret is out, I suspect there are covert hackers working on a retaliatory measure at the behest of Iranian allies.

junk

Bob, in regards to medical records you say "Worst case scenario would be a lawsuit and, again, rich lawyers.". I beg to differ; that is the BEST case. The worst case is a dead patient because of a doctor relying on old or partial records.

gbp987

I can see through events that have already taken place that "The Cloud" is far far away from being secure enough to gamble the heart of your business on. The Internet, especially in the US, is vulnerable in too many ways, but nonetheless, many companies large and small have decided to go cheap in order to slash IT costs in equipment and personnel. The decision is often being made by a money person with little or no IT savvy or knowledge. The Cloud is good for Web apps but not ready if ever for secure "all the eggs in one basket" approach data storage.

Deadly Ernest

has had a major interruption to its services, and we've even had a few go to the wall and close the doors before the users can get their data back from the server farms. Yet, despite all this, there are people claiming the cloud is absolutely safe. Let's put cloud computing into a real historical perspective with a slightly changed quote: After getting down from the plane, Prime Minister Chamberlain waved the document and said, "There is peace in our time and we have absolute safety with cloud computing."

rodscher

I agree 100%. In spite of the fact that I make occasional use of cloud-based services, I'm very leery of the entire concept. We've already shown that we can't really guarantee the security of Web-facing systems; even if the technology were locked down (which it is not), people are (and will remain) the weak link. And when that weakness results in the compromise of personal data -- and in commerce sites that are suddenly unable to conduct business -- well, disaster will strike sooner or later.

Deadly Ernest

proprietary companies who keep their code secret don't have any decent security at all. Because if they did they couldn't make more money off you by selling you their security software.

HAL 9000

But still no longer able to trade because of some others failure? If the Actual Store is Burnt Down or otherwise adversely impacted by something aren't they then covered by Insurance? When their Web Site goes down through the fault of another they are not covered and as such eat the loss. Col

Jonathan.G.Shilling

A one-man shop can be quite effective without spending tons of money. It really boils down to the capability of the person. You can set up a basic firewall and packet monitor for very little money, as well as a mail server. It depends on whether you want to limit yourself to a strictly Windows approach, or if you are willing to implement a Linux based environment. Thinking that most of these people are taking the "glass-half empty" approach is over-simplifying the issue. I work in a cloud environment, and I am aware that there are many more dangers to a company's data in the cloud than there are at a local site. Most of the comments here have been very open, and realistic.

Deadly Ernest

snake oil salesman approach of ONLY giving the good points and none of the bad points, so we take time to remind people that all is not roses while we tell them of the things the articles have either missed out or glossed over. So we mention the glass is half empty so we can counter these people claiming it's an overflowing cornucopia with some realism. As to what you say, it matters NOT a thing about how much server up time the provider has if the Internet connection does NOT have a 100% up time, and that's just not possible. There are way too many things that can go wrong between the office and the server farm, and neither side is responsible for the problem, but it still means the business comes to a screeching halt. Another point to keep in mind is that the majority of the problems people have with computer security comes from being connected to the Internet, so that comes down to how much connectivity is NEEDED in the business environment. I know of a small business that has one PC connected to the Internet, a mail server connected to the Internet, and the only ports open in their gateway are for the mail server, every other port is locked down and the back end router refuses ALL connections from the gateway side. They work on a lot of highly confidential stuff and the staff do NOT need Internet access to do their work, so it's just not there.

maszsam

Logic error: appeal to authority. Just because they know one subject does imply any knowledge or competency in another. Further they probably projected their world view on your situation: I'm a rat, so he's a rat too. Otherwise they would have trusted you to come up with a solution to any perceived risk. Did they even ask for a working solution? They are trained in law not technology. Did they do a formal risk assessment and maybe hire an independent team to do penetration testing? Most likely they reached an uninformed conclusion. If you have backups in place and keep the doors locked, you are going to be fine. Maybe encrypt things?

reisen55

I have no association with them at all, nor Mozy and all the rest.

Deadly Ernest

something that was NOT part of the original design criteria. The system does what it was designed and meant to do in a perfect manner. When we want it to do something beyond that we need to set up extras, especially at the perimeter of our home defence area.

reisen55

Guess you have it all figured out.

reisen55

I spent eight months of hell at a NY City Hospital chain that outsourced support to India and a web-based program crashed, records were bad and nobody ever heard of the word REDUNDANCY. Oh, like a duplicate copy should be retained somewhere? Think Man?

draack

of hard copy records. When my son's family moved to Vegas this summer, my pregnant DIL tried to find a new doctor. She'd been given a "copy of her records" (what was available to her online), but it wasn't enough for the new doctors. Took her *weeks* to get what the new doctors wanted. Sometimes hard copy is still best.

Jeremy Barker

I have a background in both IT systems and law (I worked 15 years as a software engineer before I went to law school) and I have no doubt that the law firm mentioned came to the correct conclusion. Apart from probably using a cloud-based storage for saving an additional copy of my encrypted backups I would be extremely reluctant to move anything to the cloud.