Cloud hosting provider Linode is receiving praise for its handling of a string of recent security attacks, but some customers are concerned enough to consider other options.
Linode Manager passwords expired last week and users were prompted to set new passwords after an investigation found unauthorized logins into three accounts. The reset came on top of ongoing distributed denial-of-service (DDoS) attacks the cloud provider faced in its data centers. Linode also faced downtime earlier in 2015 when it had to do a reboot to address security issues around Xen.
The vast majority of Linode cloud customers have been supportive, according to the company, but two users said the string of attacks has them looking elsewhere.
The series of attacks was "quite a big deal" for Dallas-based consulting firm and Linode cloud customer etc.io, which suffered several outages as a result of the attacks, said chief advocate E.T. Cook. Etc.io uses a variety of cloud providers but Linode has been its go-to platform.
"We've been transparent, and although we sympathize with the Linode DDoS situation and won't be abandoning them, we're starting to look at diversifying and having failovers outside of Linode for all of our primary properties," Cook said.
Making such a move will create challenges, particularly around database replication, but he's convinced it needs to be done.
Munzee Inc., a McKinney, Texas-based scavenger hunt game with workloads hosted in Linode's Atlanta facility, said in a blog post that the attacks lasted 10 days before finally stopping on Jan. 3. The worst of it came the weekend prior, with intermittent uptime leaving its apps, websites and stores down for the majority of that time period.
The post also said Munzee was taking steps to prevent similar downtimes in the future, including hosting servers in multiple data centers or with multiple companies, and possibly changing providers. In an email to SearchCloudComputing, Scott Foster, vice president of technology at Munzee, said the company was making the move from Linode to Amazon Web Services.
An investigation found unauthorized logins into three accounts in the Linode cloud. Two Linode.com user credentials were used on an external machine -- meaning they could have been read from Linode's database, either offline or on, Linode said.
There was no indication that any customers' information was accessed, but it's possible that usernames, email addresses, securely hashed passwords and encrypted two-factor seeds could have been read from the user table of its database, according to Linode.
Users of the three potentially affected customer accounts were immediately notified, and no additional evidence was found of access to the vendor's infrastructure. An unnamed third-party security firm has been brought on to assist in the investigation.
Linode has handled the situation well, based on the information the company has made available, with an appropriate level of transparency regarding what occurred and the steps taken, said Adrian Sanabria, senior security analyst at 451 Research. Linode also has been smart not to disclose information that customers don't need to know, such as the name of the firm it has engaged to help with the investigation, he added.
"It's nice to see that they're not running all over social media waving a Mandiant-branded flag, or denying responsibility because the attacker was 'super advanced' or 'sophisticated,'" Sanabria said.
The DDoS attacks started on Dec. 25, and over the next week the Linode cloud faced more than 30 attacks of what the firm called "significant duration and impact."
Linode claims to have no information about who is behind the attacks or if the attacks are connected. The company is working with law enforcement officials and plans to have a full technical explanation of the incidents once the attacks stop.
Past examples of DDoS attacks have run concurrent with fraud. Investigators will explore any possible connections but that will be difficult to prove, said Robert Westervelt, research manager at IDC Research.
"Identifying a threat actor is very difficult, and connecting them to multiple incidents further complicates the issue," Westervelt said.
While acknowledging that unauthorized login of three customer accounts is troubling, Westervelt agreed that Linode appears to be responding appropriately. Users are known to adopt poor password practices, but the company used accepted best practices around securely hashing passwords and encrypting two-factor seeds.
Stolen passwords are one of the top risks for cloud services providers, according to Westervelt. One good way [to address this] is to add multi-factor authentication, he said. "Most providers provide it as an optional capability if customers desire that level of protection."
Another common method for attackers to gain access is through chinks in the Web-based management system software, which could have vulnerable components, Westervelt said.
"For Linode, providing transparency about its actions to contain the threat and any remediation steps it has taken, is important for it to maintain the trust of its customer base," Westervelt said.
Trevor Jones is a news writer with TechTarget's data center and virtualization media group. Contact him at firstname.lastname@example.org.