Criminals go full Viking on CloudNordic, wipe all servers and customer data

Re: Why is it the company's responsibility to make backups of the customer's data?

If CloudNordic provided a back up service then yes, it's on them. But you are not meant to have just one back up for data resilience. In a physical setting you are meant to have an onsite back up, and an off site backup. If you're operating solely in the cloud you should have a back up away from the provider because it's not enough to just rely on the provider's backup.

Re: Why is it the company's responsibility to make backups of the customer's data?

Why would anyone need to make backups??? All the data is in the cloud, it is safe.

Or so the marketing lore goes.

Sorry, I have that very fight a lot with clients, with only a small number actually realizing how they could be effected when they do not have a current "offline" backup of their data.

Re: Where are the backups?

> The customers' customers, of course, will probably complain about CloudNordic's customers (their own service providers) not having their own backups

It's resellers failing to back up all the way down.

Re: Where are the backups?

"If a CloudNordic customer borks their own data, that's on the customer. If CloudNordic borks customer data, that's on the CloudNordic."

Not if it isn't the legaleze, it isn't. Most cloud providers provide only that - cloud access and services. It is your data and they are just handling or presenting it. Many legal documents will say that they have no responsibility for loss incurred from their operations - again, from their [legal] perspective, it is your data and they are just providing an internet-accessible container for it. If their container fails they are only liable for not providing that container, not for its contents (which are yours).

They may have provided an extra cost data redundancy service, as mine does, and if those repositories are also affected then they should be liable for that. In the meantime, my own company's hosting service ToS states:

Storage and Security. You shall be solely responsible for undertaking measures to: (1) prevent any loss or damage to your website or server content; (2) maintain independent archival and backup copies of your website or server content; and (3) ensure the security, confidentiality and integrity of all your website or server content transmitted through or stored on our servers.

so I would be SOL if I didn't have backups. It is common occurrence in today's world to expect everyone *else* to take responsibility for my things, but that's not the way it works.

Re: Where are the backups?

Then they have misunderstood the principle of backup, which is supposed to be immutable!

That's an awful lot of BD-R disks.

Or do you mean offline rather than immutable? Tape storage is not immutable, but tends to be offline unless the tape has been loaded into a tape-drive and mounted*. The problem is ensuring that files being backed up to tape have not already been encrypted with a key you don't know (You are encrypting backups, aren't you?). There is nasty malware out there that encrypts your backups with the malware key for a while before triggering on the source data, so you find your backups are useless. Which is why a regular check to see that you can restore from backup on an independent system is important.

For me, the principles of backup include:

1) Backup data to backup media. Twice.

2) Disconnect backup media from system being backed up.

3) Attach backup media to independent system and check you can restore successfully.

4) Move successfully checked backup media to independent off-site locations.

5) Repeat frequently enough that restoral of backed up data doesn't give you a system with unusably old data on it.

Copying data from one network-attached system to another, leaving them permanently network-attached does not give you a secure backup. Verifying an offline copy of the backed-up data on an independent system is important.

*Note that automated tape silos are vulnerable to shenanigans, as are automated shingled-disk silos. Erasing one medium of the set from the previous couple of cycles of full-backups will kill the utility of the backup. Offline means - unable to access by means of programmatic control, and you need to be very sure that your backup-media inventory control system can't be compromised to 'accidentally' request operators to mount (for erasure) critical backup media.

Re: Where are the backups?

Likely 1 month free, or a refund for the current month :-)

Re: Where are the backups?

TBH, any sort of financial liability would not help the clients much.

The provider is likely to be bankrupt from an incident like this (so the final payout will be negligible), and in any case, the legal system will take too long to save the clients' business should they rely on the data.

It's a bit like insurance against a meteorite strike: They may pay your heirs a princely sum, but you'd still be dead.

Re: Where are the backups?

Doesn't have to be an insider job if the hackers are good/patient....

Hang out inside the targets systems for a while identifying processes, weak points, and ability to pay....

Then sic ransomware on them after your recon has been completed....

Although in this case it doesn't seem to have worked out since the only reason to burn it all down is if they didn't pay....

I mean, if you get known for shooting hostages AFTER receiving ransom, NO ONE will pay you...

Re: Where are the backups?

It really depends on how the backup is taken. With something like TSM or Amanda, the physical media is not writeable by anything other than the server doing the backups. Sure, that still allows for the backup server to be compromised, but it's an extra level of indirection that the intruders have to understand and know how to compromise, especially if it has it's own authentication domain.

What is important is to make sure you have offline copies of the database that tracks what is on the backup media (especially in an incremental forever backup solution), as without that, you really are stuffed.

Re: Where are the backups?

Understand also that if it's not physically protected and maintained read-only until such time as it's been superseded by another backup it's also not a backup. That includes being kept read-only even while and after being restored. If it isn't read-only it's a copy but it isn't a backup.

While I take your point, making a backup on a mutable medium 'read-only' is not trivial. The bit of sticky-tape on the Philips cassette after you broke off the plastic tab, removing the 'write-protect' ring inserted on the hub of 9-track tape, or flipping the movable 'switch' on SD-cards makes supposedly 'read-only' media writeable again. Disk controllers that don't allow writes to attached disks are somewhat specialised. Software 'read-only' flags can be bypassed or ignored.

What you can use is independently-stored cryptographically-signed data integrity checksums to assure yourself that the data restored from a medium is the same (to a high degree of probability) as the data on the medium it was copied from. It doesn't stop the backup from being modified; but you can at least detect it. Maintaining the physical integrity and security of the backup medium then becomes the problem. There are 'immutable' backup media - such as CD-R and BD-R, but they don't scale to cloud data volumes.

'Read-only' is a proxy for data integrity, and if you are storing data on rewritable media, relying on software labels to tell you it can't have been changed is 'brave'.

Doing backups properly is hard, which is why many people and organisations don't do it properly.

Re: Where are the backups?

Interesting that the servers just being on the same networks made them vulnerable.

I know, there's no such thing as a totally secure system, but what that probably meant was that there was a shared namespace and authentication domain, so once a certain level of access was obtained, the entire environment became vulnerable.

And what's this about the internal network? Was there just one all pervasive internal network?

Segregation of function, and of security is vital to at least slow down intruders.

Re: Where are the backups?

Another possibility is the MegaUpload vulnerability. When the Feds seized the MegaUpload server in New Zealand, they wiped out as "collateral damage" all the innocent customers whose data was on the same server.

Re: Where are the backups?

By that definition practically no one does backups anymore. You're talking about hiring someone full time just to sling tapes around, and tape sizes have not kept up with disk sizes, so it's going to be a LOT of tapes.

Re: Where are the backups?

Different types of backup protect against different things.

Taking data offsite mainly gives extra protection from physical destruction of the environment, but you can achieve this with cross-site copying of data, and if you have sufficient access control, this can be relatively safe.

The secret to protecting against the type of problem described here is mainly a problem of access to the media. If you use an additional writeable storage accessible by the systems that were compromised for your 'backup' (or, in fact, by any other compromised system), then this is in reality not a backup but a copy of the data. This is vulnerable to this type of attack (and is, sadly, how many modern environments believe they have a backup solution).

In a properly designed enterprise backup solution, the systems at the front end using the data have no access to the backup media, and the systems at the back end which run the backups and do have access are heavily protected, in at least a different authentication domain. And the route between them is guarded to restrict one getting to the other except to transfer the data.

I do think that in this case, during a physical move of the infrastructure, I would probably have suggested a full offline copy of the data, transferred between the sites using different transport, just as a fall-back.

Re: Where are the backups?

Had this.

Management were sold that SAN server was so resilient that loss of data was near on impossible...

... until a total loss of the SAN server and all the data happened. And all the systems, including the management infrastructure that installed the other servers, and the server doing offline backups were also on the same SAN... (it wasn't my design!)

Building the environment back from the ground up using first principals just to get to the point where you can use the tape backups is no fun. Fortunately, once the tape backup server was rebuilt, the tape library became accessible, it then became a lot easier. Still had a week of downtime though (although partly because of a bug in the restore process of the tape storage manager software).

In my ideal world, the server managing the tape backups, and the image deployment server should always be on separate infrastructure (not just server hardware, but storage hardware as well) from the rest of the environment, each with their own re-installable, offline backups taken regularly. This way you can get the deployment server and the backups available quickly (if it's even necessary), and then move on to the rest of the environment.

Re: Where are the backups?

"And the other server is sharing the same SAN to maximise efficiency."

...and enables SAN-wide de-dupe to save space.

Re: Offline backups??

I wonder if they made the mistake of confusing access to the backups with access to the unencrypted content of the backups.

It's easy to assume that because your backup files are encrypted they're safe, but they're only "safe" against being read, not destroyed or in this case encrypted again!

Re: And Then ?

No no no. Backups to tape will be offered as 'archive storage'!

All Eggs in One Basket

Well, having a "master key for all machines" is effectively the same problem as the one in this affair, isn't it ? Same with the "Master Console controlling all servers".

Efficiency is not the same as security...

Re: And Then ?

"Unfortunately? Try negligently."

I'd say stupidly.

Re: "Simple Tape"

Yeah, old style backups on manually extracted/rotated tapes.

Until you discover said DDS tapes are actually no longer extracted, or as I discovered once: there has only been a single poor DDS tape for the last 2 years !

The poor thing was probably no longer holding anymore useable data ! I was as shit when I discovered this !

Re: "Simple Tape"

I worked for a company where the IT manager did the same thing. This is Florida where it can reach 100+ degrees in the summer, 140+ degrees inside a car! Needless to say those tapes were useless!