This week we have seen another example of why you can’t be too paranoid about Internet security.
Code Spaces, a company that specializes in SVN hosting (hosting your source code so your team can access it), announced that their servers were hacked big time. Apparently, the perpetrator began with a denial-of-service attack, then gained access to Code Spaces’ Amazon EC2 account. He or she then contacted Code Spaces via email in an attempt to extort a large fee to stop the attack. When the folks at Code Spaces attempted to take back control of their Amazon EC2 account, the hacker deleted all of their data, including backups and off-site backups. Unable to recover, Code Spaces has made the decision to shut down completely. The cost of the attack is just too great to continue.
Code Spaces advertised themselves as providing secure SVN hosting. And it probably was secure. But “secure” doesn’t tell you much. It could be a little secure or extremely secure. Services typically don’t want to say too much about their security because that’s giving hackers information that can help them attack.
This is why we take security so seriously with the Xojo Cloud. We have multiple layers of industrial-strength security that would be prohibitively expensive for any individual user to implement. Part of the reason we can make Xojo Cloud so secure is that we control just about every aspect of access to any user’s Xojo Cloud server. This allows us to keep each server locked down in a way that most cloud servers can’t be due to the nature of how those servers are used. When we showed our security to the folks at Rackspace, our hosting provider, they laughed and said, “Only our most paranoid customers have this kind of security.” When it comes to security, it pays to be paranoid. When it comes to protecting valuable data, too much security is never enough.
An internet security specialist once told me that the only way to make a server completely secure is to unplug it. That’s true. No one can guarantee you won’t be hacked. But with the Xojo Cloud, we can at least say that we have multiple levels of industrial-strength security and as a result, there are likely to be easier targets than us.
I feel for the folks at Code Spaces. Being hacked feels horrible and it’s only insult on top of injury that it has resulted in the end of their company. But there can be some value in the experience. We should all see incidents like this one as a cautionary tale. We should take Internet security even more seriously than before. Most people wait until they have been hacked, until they have lost valuable time and money, before they take it seriously enough.
Here are 8 tips on making servers more secure:
1. Use long, random passwords
The longer and more random your passwords are, the more difficult it is for them to be determined via a brute-force attack. Yes, they can be inconvenient, but password managers such as 1Password make them more convenient. I suggest using the longest password any important system will allow.
2. Don’t reuse passwords
Don’t use the same password for more than one system even if it is a long and random one. If a hacker gains access to a server, you want to limit the damage as much as possible.
3. Be prepared for the worst
If a hacker does get access to one of your systems, you should have a plan for how to respond. For example, you should have a list of servers and how to change the passwords quickly. Any important data should be documented for each server as well as what needs to be done if that data is compromised. For example, if private keys are compromised, certificates for things like SSL and code-signing will need to be reissued.
4. Have off-site backups
If a server is compromised, you have to assume that all data and software have been compromised as well. That means having a backup, and specifically an off-site backup, is important. How often those backups run should match how much data you can afford to lose. If you can afford to lose a day’s worth of data, once a day should be enough. But keep several days of backups, as you may not discover you have been hacked until several days after it has happened.
5. Passwords should be on a need-to-know basis
Everyone who knows any given password is a potential security risk. It doesn’t matter how careful they are. It’s just another place where a password could accidentally be leaked.
6. Change passwords on a regular basis
The more important the information, the more often the password should be changed for the device storing it. For servers, change the passwords once a month. Most password managers will auto-generate passwords for you, making it relatively painless to change them.
7. Get some security expertise
If you don’t have very good security expertise in-house, hire a consultant. They can review your security and give you a lot of tips and strategies. Alternatively, use a managed server. They are more expensive per month but the hosting company will take care of maintenance and security for you.
8. Don’t trust URLs unless you typed them yourself
One way hackers get your password is by phishing. You get an email that appears to be official from your hosting provider, Facebook, etc. You click a link and end up on a page that also appears to be the real site but is in fact a fake. You enter your username and password, then the fake page logs you in to the real page, so you think it was legit, but now the hacker has your login credentials. Don’t click on links in email messages. Go to the page by typing in the known URL.
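Tip 4 gives two rules for backups: run them as often as the amount of data you can afford to lose, and keep enough history to reach back past the day a compromise went unnoticed. The following is an added example, not code from the original post, that checks a list of backup timestamps against both rules; the function name, finding codes, and sample timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def audit_backups(backup_times, now, max_loss, detection_window):
    """Check backup timestamps against the two rules in tip 4.

    max_loss: how much data you can afford to lose (sets the backup interval).
    detection_window: how long a compromise may go unnoticed (sets retention).
    Returns a list of (code, detail) findings; an empty list means both rules hold.
    """
    if not backup_times:
        return [("NO_BACKUPS", "no backups found")]
    times = sorted(backup_times)
    findings = []
    # Rule 1a: the newest backup must be recent enough.
    if now - times[-1] > max_loss:
        findings.append(("STALE", f"newest backup is {now - times[-1]} old"))
    # Rule 1b: no gap between consecutive backups may exceed the loss budget.
    for earlier, later in zip(times, times[1:]):
        if later - earlier > max_loss:
            findings.append(("GAP", f"no backup between {earlier} and {later}"))
    # Rule 2: the oldest retained backup must predate the detection window,
    # so a copy taken before an unnoticed compromise still exists.
    if now - times[0] < detection_window:
        findings.append(("SHORT_RETENTION",
                         f"oldest backup is only {now - times[0]} old"))
    return findings

# Constructed sample data: a nightly 02:00 job that missed one night and
# keeps only a few days of history.
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE = [datetime(2024, 1, d, 2, 0) for d in (6, 7, 9, 10)]

if __name__ == "__main__":
    findings = audit_backups(SAMPLE, NOW, timedelta(days=1), timedelta(days=7))
    for code, detail in findings:
        print(f"{code}: {detail}")
```

Feed it the timestamps reported by the off-site store rather than by the server being backed up, since a compromised server cannot be trusted to report on its own backups.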
Take security seriously, perhaps more seriously than you do now. You will sleep better at night.