Tag Archives: OVH

You *ARE* Backing Up Your Cloud Data?


The fallout from the data center fire at OVH in Strasbourg, France continues. OVH, Europe's largest hosting provider, lost one of the 4 data centers in its Strasbourg complex last week. One other data center in the complex was seriously damaged and two more were shut down while the fire was fought. The shutdown has affected more than 2 million web sites.

It appears that one of their UNINTERRUPTIBLE power supplies was, in fact, very interruptible and caught fire, burning down the data center.

The CEO of OVH told customers to fire up their disaster recovery/business continuity plans.

What, you don’t have one?

Well, I guess you can just take the backup that your cloud provider makes and upload it to a web server at another provider.

Wait; OVH has some bad news for you. That backup – it is not recoverable.

So, bottom line, your web site went dark, and all of your data is gone.

I do have some good news.

Your cloud provider probably won’t charge you for the time that your server is dead.

Beyond that, you are pretty much on your own.

If you lost years of customer data, it is gone. If you have the right kind of cyber insurance it might pay you something, but probably not much. Insurance may pay for the cost of recovering your data, but if the data is gone there is nothing to recover, so there is no payout. If you lose business and you have the right coverage, you will get compensated up to a point, but if the data is unrecoverable and the damage to the business is unrecoverable, you probably will not get compensated at a level that you want.

What is important to understand is that your cloud provider likely has no liability for your systems going down or your data going away forever. Check your contract. You might be able to get them to change their contract for you. Oh, wait, probably not. The most you can expect is that they won't charge you while your servers aren't working. Your contract may remain in force, so if you do move to another data center provider you may get to pay twice.

OVH is going to start powering up some servers later this week, but that just begins the process. OVH says it will take 6-8 days just to power on the servers in one of the 4 data centers in the cluster. All of the support equipment has to be tested and some probably has to be replaced. Likely the fiber going into the site has to be replaced. Think about the effort to figure out where each of those tiny strands of glass connects.

They hope to build 15,000 new servers over the next few weeks. That probably is only the beginning of what they need to do. Will this new infrastructure, slapped together by very tired, stressed-out engineers, work reliably?

Let’s assume they get things in one of the data centers working in a couple of weeks. Are your customers going to still be your customers?

What if all of their history with you is gone? Will you even know how to price deals to those customers?

Cloud providers generally operate under what they call a "shared responsibility" model: the provider is responsible for the infrastructure, and you are responsible for what you put on it, including backing it up. In practice this is code for "you take it as is and we are not responsible for very much".

Generally speaking, fires burning down data centers are infrequent and losing all of your data is also infrequent, but infrequent does not mean never, and it does not mean the provider is responsible for fixing it or paying you.

If you have not already thought this problem through, our recommendation is that you consult with an expert, because the problems are often subtle, and you may not have what you think you have. We are happy to assist, of course.
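The point above, that you may not have the backup you think you have, is only settled by restoring. What follows is an added example, not code from the original post or from OVH, of the minimum a practitioner should run on a schedule: copy the data to a second location, hash every file into a manifest that travels with the archive, then restore the copy into scratch space and compare it against the manifest. The "other provider" is an assumed second directory on the same machine so that the script runs offline; in practice it is storage at a different company, not another zone of the provider that just burned down. The sample site files are constructed.

```python
"""Added example (not from the original post): offsite backup with a restore test.

Assumption: the "other provider" is a second directory on this machine so the
script runs offline.  In production it is object storage or an rsync target
at a different company, not another zone of the same provider."""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, offsite: Path, name: str = "site") -> tuple:
    """Tar+gzip the source tree into the offsite directory and write a manifest
    of per-file SHA-256 hashes beside it.  The manifest is what a later restore
    test is checked against, so it must be stored with the archive."""
    offsite.mkdir(parents=True, exist_ok=True)
    archive = offsite / f"{name}.tar.gz"
    manifest = offsite / f"{name}.manifest.json"
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps({"files": hashes}, indent=2, sort_keys=True))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> list:
    """Restore the archive into a scratch directory and compare every file to
    the manifest.  Returns a list of problems; an empty list means the backup
    really restores.  A backup that has never been restored is a hope."""
    expected = json.loads(manifest.read_text())["files"]
    # Newer Pythons support extraction filters; use the strict one when present.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    # Never let a tampered archive write outside the scratch dir.
                    if member.name.startswith("/") or ".." in Path(member.name).parts:
                        problems.append(f"unsafe path in archive: {member.name}")
                        continue
                    tar.extract(member, root, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # Truncated upload, bit rot, wrong file: they all surface here.
            return [f"restore failed: {exc!r}"]
        for rel, digest in expected.items():
            restored = root / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo() -> tuple:
    """Constructed walk-through: an intact copy passes the restore test, then a
    truncated copy of the same archive (an upload that stopped halfway) fails."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "data").mkdir(parents=True)
        (site / "index.html").write_text("<h1>hello</h1>\n")          # constructed
        (site / "data" / "customers.csv").write_text("id,name\n1,Acme\n")  # constructed

        archive, manifest = make_backup(site, Path(tmp) / "other-provider")
        good = verify_restore(archive, manifest)

        blob = archive.read_bytes()
        archive.write_bytes(blob[: len(blob) // 2])  # simulate a half-finished upload
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact copy:", "OK" if not good else good)
    print("truncated copy:", bad)
```

Run as a script, it reports that the intact copy passes and the truncated copy is rejected. The `verify_restore` step is the one most shops skip, and it is the only step that tells you the backup exists, in usable form, somewhere other than the building that burned.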

I am sure there will be lawsuits. I have no idea what French law says about this, but if it is similar to the law in the U.S., the lawsuits are likely to fail. In the meantime, you are out of business, literally.

Just sayin’!

Security News Bites For The Week Ending January 18, 2019

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update: The city says that it cannot issue utility bills, which means that it won't get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border, was hit by a ransomware attack this week and as a result went back to pencil and paper. All computers and servers were turned off and the city disconnected from the Internet. While writing a receipt by hand for your library fines is quaint and works, I am not sure what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next.  It is unknown if they have insurance or even effective backups.

Del Rio's population is about 40,000. We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today's sophisticated attacks. Source: City of Del Rio.

iPhones Being Discounted in China

Following Tim Cook's announcement that the iPhone company's revenue for the quarter ending December 29th will be down (from November's estimate of $89 to $93 billion to $84 billion), retailers in China are discounting the newest iPhones (the XR and XS) by 10 to 20 percent. China is a very important growth market for Apple, since most of the western world is already i-saturated. If sales slow in China and the rest of Asia, that does not bode well for Apple's future sales. Given that an iPhone XS Max sells, even when discounted, for over $1,400, and given China's strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead. Apple's stock has tumbled from $230 on October 3 to $153 on January 10. While revenue from iPads, wearables and other Apple products and services grew 19%, together they remain a minority of what should be known as iPhoneCo's revenue, which the iPhone still dominates. Not to worry though, Apple still has over $100 billion in cash in the bank. (Source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8 models from German stores due to a patent dispute with Qualcomm. In addition, Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China). This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above. (Source: Bleeping Computer).

Some of the Biggest Web Hosters Are Vulnerable

A well-known security researcher has found significant security holes in the systems of five of the largest web hosters, holes that would allow an account takeover. The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage. It is reasonable to assume that if one researcher found these holes, there are more to be discovered. In total, this represents about 7 million web sites at risk, enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management. Just because a vendor is big does not mean that it is secure. Source: TechCrunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area. Until now, judges have generally said that you cannot be forced to incriminate yourself by unlocking a password-protected phone, but that you can be made to unlock one with a fingerprint or your face. Somehow, in the law's view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But the judge also said that forcing people to unlock their phones with a finger or face runs afoul of the Fourth and Fifth Amendments to the Constitution.

The Feds were in a hurry because once a seized phone sits in an evidence locker long enough, the biometric unlock times out and the phone demands its passcode, so biometrics will no longer work even if the owners could be convinced to use them.

It seems to me that this is the right answer, but stay tuned.  Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors. Of them, 5 did not always use multi-factor authentication when accessing missile information. They also failed to conduct risk assessments and to encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes.  That fundamentally is the problem.  If there are no consequences to ignoring the rules, then many people just won’t bother.  Source: Motherboard.