Authentic8 Blog Author: Les Dunston

NEWS

The techno-sphere is on fire again, this time with news of a newly discovered vulnerability present in a ubiquitous component of the internet infrastructure. Just a few months ago, Heartbleed gave us all a lesson on how OpenSSL works and how to secure network communications. It also demonstrated that the infrastructure we rely on has gaping security holes. At the time, experts called Heartbleed the “worst security flaw ever.” But the industry responded and the furor died down. Now, a vulnerability in Bash dubbed Shellshock has taken Heartbleed’s place as the worst ever. We’ll leave it to others to hash out which flaw deserves the title of ‘worst.’ What matters is that our infrastructure is vulnerable and there are almost certainly other exploits that haven’t be found yet. Or they have been found and just haven’t been publicised.

This latest vulnerability is within Bash, the de facto command line shell that exists on all Unix/Linux systems.

NEWS

Last Tuesday, Code Spaces came under a DDoS Attack. The attacker then obtained access to Code Spaces’ Amazon console and demanded ransom for the safe return of the account. For some unknown or yet-to-be-explained reason, Code Spaces decided to start changing Amazon credentials in an effort to regain control of the account. This is where the story goes from bad to worse. The attacker, noticed Code Spaces’ activity and retaliated by deleting EC2 instances, S3 buckets, and EBS snapshots. This effectively laid waste to all of Code Spaces infrastructure and backups. The devastation was so bad, it not only knocked Code Spaces offline, but offline indefinitely. Game over.

We feel for Code Spaces. Building, deploying, and maintaining an online service is a difficult endeavour. Ne’er-do-wells lurk at every corner trying to knock your service offline or steal data. The sophistication varies from script kiddies to state sponsored attacks. The most potent attacks though, come from the inside. Regardless of the