Back in January, I wrote the article “What’s Wrong with having my data in the Cloud? I like it!” In that article, I was asking the question, “What if your data is not available to you anymore?”
In the meantime, people who own the Western Digital My Book Live Storage devices got an idea of what it is like to be without their data, unfortunately.
I am going to try to break this hack down as simply as possible. Apparently, this was a two layered hack.
The first compromise turned the device into a botnet zombie network. You can read more about botnets, and then the second wiped the device. The wipe on the device was due to commented out code lines in a file, by the developer, that would have, if enabled, required a password to be input to authenticate the wipe. As a result of the wipe, by bad guys—really bad guys—petabytes of data were lost.
A petabyte is 1024 terabytes. Imagine 1,000, 1 terabyte drives, the hard drive in your computer is probably 1 terabyte, and the data is totally wiped—gone. Now imagine 1,000 or more hard drives wiped or at least as many of this kind sold—astounding amounts of data lost—hopefully recoverable.
This is what I said in January about denial of service:
What I fear the most is, extortion and denial of services and infrastructure by the bad guys. It’s a bigger pay day to demonstrate they can turn something off and do it, and then threaten to do it again. I am afraid that’s where we are heading, if we are not already there. The internet, Cloud services, or both denied because they have become so centralized and vastly interconnected at business institutions where an accidental flip of a switch can take down large swaths of internet service.”
The Western Digital compromise is an example of denial of data use, it was wiped and you can’t use the data if it is gone! IT companies wanting to make file sharing easier by the use of interconnected cloud services, but in the end, it is these same services that introduced the vulnerability that let these devices get wiped. Cloud services are inherently insecure, and this or something like this will happen again and probably on a larger scale.
The importance of a Proper Backup and Disaster Recovery Strategy:
“Other My Book Live users quickly joined the conversation to report that they, too, had experienced precisely the same thing. “All my data is gone too,” one user soon responded. “I am totally screwed without that data…years of it.”
The user of this My book Live device seemingly did not have a backup plan, and I can understand why. This individual had total trust in the security of his data by a name brand company. But even if this hack did not happen, would this user fall prey to a hardware failure that would have taken the data to the grave anyways?
In either case, a solid backup plan is always needed. There needs to be two copies of that data in different geographic places, and the backups need to be encrypted. I say two places because the pain of this user would have been eliminated with a local backup copy and a disaster recovery copy somewhere else—Arnold Consulting would have been good.
How Arnold Consulting preforms our backups:
When we backup a system, we have a local backup and an offsite disaster recovery copy held on our servers. So, even if the local copy was wiped off the client’s system, we have another copy ready for recovery. All copies that come to Arnold Consulting are encrypted at the source and in flight to our location.
Just last week one of our users called us. Their system was compromised and their backups were wiped from the USB drive we attached to the system to hold the local backup. However, what the bad guy did not know is we, at Arnold Consulting, have an offsite copy.
Of course, they are charging a ransom for all the word documents family photos and videos, etc. The user wanted to pay to get their documents and photos back because there was a countdown timer, “I have to pay,” was our clients thinking.
This user did not end up paying a dime. We had his backup, and we restored his system to a new hard drive, with a backup from the day before, he lost very little. If you have a good backup plan/disaster recovery in place—you don’t have to pay any hacker, ever.
You may be thinking, “I knew you were a Cloud service.” I would say yes…and absolutely not! The offsite backup never touches what I call the public Cloud services (i.e., Google, Amazon Web Services etc.) It is all private.
The backups go over the internet, but they are going through an encrypted channel, so no credentials are passed in the clear and the backups are encrypted in flight with AES 256-bit encryption, and they land on a private network behind a secure firewall. They are never on any of the public infrastructures. Ever.
However, it is not just enough to backup. We also test the backups to make sure they are recoverable. Occasionally, we find one that we have trouble with, and when we do, we open a trouble ticket and resolve the issue. If the user from my example, with the western digital drive, had us backing his system up with our company resources and knowledge base he would still be working. The incident would have been adverted.
I like the Cloud???
So, do you still like your data in the cloud? Please, go back and re-read the first article I wrote in January, and think about all the breaches that have been published since then. For all the breaches that have been made public, there are many more that have not. Many of these breaches are simply because companies don’t want to take ownership of the data. If you own the data, don’t let somebody else secure it for you (i.e., Cloud services). If you are the owner of the data then secure it and own it. It is worth it to invest in infrastructure.