Monday, October 12, 2009

Hosted Solutions – A Hacker's Haven

Human beings are lazy by nature. If there is a choice to be made between a complicated technology solution and an easy technology solution, then nine times out of ten people will choose the easy solution. The problem is that the easy solutions are often riddled with hidden risks, and those risks can end up costing the consumer more money in damages than what might be saved by using the easy solution.

The advantages of using a managed hosting provider to host your email, website, telephone systems, etc., are clear. When you outsource critical infrastructure components you save money. The savings are quickly realized because you no longer need to spend money running a full-scale IT operation. In many cases, you don't even need to worry about purchasing hardware, software, or even hiring IT staff to support the infrastructure.

What isn’t clear to most people is the serious risk that outsourcing can introduce to their business. In nearly all cases a business will have a radically lower risk and exposure profile if they keep everything in-house. This is true because of the substantial attack surface that hosting providers have when compared to in-house IT environments.

For example, a web-hosting provider might host 1,000 websites across 50 physical servers. If one of those websites contains a single vulnerability and that vulnerability is exploited by a hacker, then the hacker will likely take control of the entire server. At that point the hacker will have successfully compromised and taken control of all 50 websites with a single attack.

In non-hosted environments there might be only one Internet-facing website, as opposed to the 1,000 that exist in a hosted environment. As such, the attack surface in this example would be 1,000 times greater in a hosted environment than in a non-hosted environment. In a hosted environment the risks that other customers introduce to the infrastructure also become your risk. In a non-hosted environment you are only impacted by your own risks.

To make matters worse, many people assume that such a risk isn't significant because they do not use their hosted systems for any critical transactions. They fail to consider the fact that the hacker can modify the contents of the compromised system. These modifications can involve redirecting online banking portal links or credit card form posting links, or even spreading malware. While this is true for any compromised system, the chances of suffering a compromise in a hosted environment are much greater than in a non-hosted environment.


  1. Great point; however, I do think that most professional hosting services are well known for their quality of work, and that they put great effort into securing their web servers.

    Many companies simply cannot afford to have a lot of IT people on staff (or even a single guy) just to keep their website up and running.

    What's important though, and that's also what I believe is your point, is that people weigh and understand the risks involved, and that they make sure to evaluate what might happen if their website/web server gets visited by one or more "hackers".

  2. Nice post... I think that I never considered that possibility :S

  3. Congratulations...

    You have reached a 10-year-well-known major web security problem... you should be proud of yourself.
    </troll>

    Trust is the word in this issue...
    Did you trust your host?
    Did you trust the ISP of your host?
    Did you trust in their cluster/data-center security deployment?
    Did you trust in the employees inside the data-center?
    Did you trust in the DNS record your computer has?
    Did you trust in your colleagues?
    Did you trust in your PC?

    Blind trust is an almost 10-year well-known problem; even Bruce Schneier made a book out of it. The same conclusion you just made has been known for years, and the problem will stay because people will still outsource almost all internet-related activities to another entity.

  4. Adriel,

    I had the opportunity to speak to many cloud providers who felt that their data center security is best in class. They also use nearly the same argument to arrive at a 180-degree conclusion. Once they see an intrusion, they can lock out that hacker from all of their customers. So it is "What is good for one is good for all" versus "What is bad for one is bad for all".

    I completely understand your point. That is why it is up to the cloud customer to audit their cloud provider's security measures before signing that service agreement. As near as I can figure out, that could be a new point of revenue for Netragard if marketed correctly.

  5. In response to Anonymous.

    That argument is flawed because it's based on an assumption that is countered by reality. Specifically, most people don't know that they've been hacked until after the fact. Compounding that issue is that when a hacker hacks one system, they usually use that system to penetrate other systems on that newly compromised network. That technique is called Distributed Metastasis. Lastly, once a hacker takes a system the chances are good that the hacker will install a covert back door to maintain access. In most cases these backdoors aren't easily detected.

    So suppose you have 1000 systems that have all been compromised and all have backdoors installed on them. Chances are you won't know it and by the time you do it will already be too late.

    Go Cloud!!!

  6. Hi.

    I agree with the point that shared environments increase the attack surface, but if the decision to outsource the environment is made in the right manner, the risks/profits should first be assessed and analysed to see whether shared hosting is acceptable. It is good to have threat checklists for different hosting types as guidelines for risk assessment. There might even be operational issues (CPU/memory quotas), not only pure security. And all in all, business is money+risks, and shared hosting of course could be good for some cases.

    Glib Pakharenko

  7. In response to the "troll" on OCTOBER 14, 2009 6:40 AM

    You said: "You have reached a 10-year-well-know major web security problem... you should be proud of your self."

    You become a part of the problem when you make inaccurate and even ignorant assumptions about "common knowledge". Additionally, this issue isn't about trust; it is about the cumulative risks that people face when they outsource their IT to third-party providers. The math is simple: the larger the attack surface, the higher the risk value. It is almost impossible to host 1,000 websites (or other services) without increasing your risk profile. So, if you're a company that needs to host 1 website, why increase your risk by 1000 points?

  8. Overall, I like your post and agree with the conclusion that, from a security standpoint, outsourcing isn't the best solution (generally speaking anyway).

    The assumption that your argument rests on, however, should be an easy assumption to counter. That is, if one 'site' gets hacked, the entire server is. I would hope that for most reputable web hosts a single site does not hold the keys to the kingdom. That is, the server should have mechanisms in place that isolate the sites from each other.

    For example, say a certain user (aka website) has full control over their own directory (call it /var/www/sites/userA). I was under the impression that, within Linux, you have the ability to granularly restrict permissions. Thus, any process spawned by that user should *only* have access to /userA. And without access to anything else, the breach should therefore be harmless.
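One way to check the isolation claim made in this comment, as an added example that is not part of the original post or its comments: a small Python audit that walks a per-site directory tree and reports anything another tenant's process could read, traverse or write. It assumes each site's code runs as its own Unix user (so no entry under a site directory needs any "other" permission bits); the directory names and files are constructed for the demo.

```python
import stat
import tempfile
from pathlib import Path

# Assumption (not from the page): each hosted site runs under its own Unix
# user, so nothing under a site's directory should be readable, writable or
# traversable by "other" users. Any such bit is a cross-tenant exposure.

def audit_site_isolation(sites_root):
    """Return (site, relative_path, problem) tuples for every entry that
    grants permissions to other users under each per-site directory."""
    findings = []
    root = Path(sites_root)
    for site_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        # Check the site directory itself plus everything beneath it
        for path in [site_dir, *sorted(site_dir.rglob("*"))]:
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = path.relative_to(root).as_posix()
            if mode & stat.S_IWOTH:
                findings.append((site_dir.name, rel, "world-writable"))
            elif mode & (stat.S_IROTH | stat.S_IXOTH):
                findings.append((site_dir.name, rel, "readable/traversable by other tenants"))
    return findings

def build_demo_tree():
    """Constructed sample tree: userA is locked down, userB leaks its
    config file and leaves its uploads directory open to everyone."""
    base = Path(tempfile.mkdtemp(prefix="hosting-demo-"))
    sites = base / "sites"
    for user, mode in (("userA", 0o700), ("userB", 0o755)):
        site = sites / user
        site.mkdir(parents=True)
        site.chmod(mode)
    (sites / "userA" / "config.php").write_text("<?php // constructed, no real secrets\n")
    (sites / "userA" / "config.php").chmod(0o600)  # owner only
    (sites / "userB" / "config.php").write_text("<?php // constructed, no real secrets\n")
    (sites / "userB" / "config.php").chmod(0o644)  # readable by every other tenant
    (sites / "userB" / "uploads").mkdir()
    (sites / "userB" / "uploads").chmod(0o777)     # writable by every other tenant
    return sites

if __name__ == "__main__":
    for site, rel, problem in audit_site_isolation(build_demo_tree()):
        print(f"{site}: {rel}: {problem}")
```

Point the function at a real hosting root (such as the commenter's /var/www/sites) to see which tenants' files are exposed to their neighbours; an empty result is what the isolation argument requires.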

  9. I recently tried to publish a great comment that outlined some of the assumptions that are commonly made about hosted solutions. As a result, I am going to take the time to write about our penetration of a hosted provider. Hopefully that blog entry will clear the air about the security of "most" providers.

    With respect to the comment, I'm not sure what happened, but it clearly didn't post (too bad because it was a great comment from an anonymous reader).

  10. I see your point, but disagree with the conclusion. Your logic is true enough; one cannot dispute the mathematics of the server farm vulnerability. However, it seems to me that your conclusion is based on the supposition that the in-house system would be "as secure" as the hosted version. In my experience they rarely are. It takes a highly trained, vigilant, and dedicated staff to ensure that a self-hosted system has the high availability of a cloud server.

    I speak from personal experience of someone who battled with worms and hackers back in the day when my company hosted its own web server and Exchange Server. It became such a time drain to make sure that a) we knew what we were doing and b) implemented the proper levels of safeguards and c) put out fires when they erupted, that we were thrilled to move them off to hosted solutions when they became cost effective.

    This is a risk management decision, where one needs to consider both the likelihood of a problem and its consequence. Your point only addressed likelihood and not consequences. When you are hosting your own servers, the consequences of a breach or failure are usually much, much more severe.

  11. Can you help me hack a bank? Or can you do it for me???