Emerald City Comicon’s website was hacked and deleted this week…along with all their backups.

Ouch.

Ticketing is all handled offsite by EventBrite, so tickets and financial info are safe. They’ve redirected their URL to the Facebook page while they rebuild their website.

Lesson learned: Isolate your backups.

I don’t just mean physically. Yes, you need to keep some offsite in case the reason you lost your server is that the building caught fire. But isolate the online access as well. If you back up your site by pushing the backups from your server to a remote location (either self-hosted or cloud storage like Dropbox or Amazon S3), those credentials are stored on your server somehow. What could an attacker do with them?

Consider: If someone breaks into your web server, what else can they do in addition to vandalizing your site? Can they access other databases? Can they hop onto your internal network? Retrieve or alter private files? Can they get at your backups? If so, can they get at all your backups including private documents?

The answers are going to depend on your network and backup setup. But they’re questions you need to start asking.
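One way to start answering "What could an attacker do with them?" when the backups are pushed to Amazon S3, as an added example that is not from the original post: a simplified check of which destructive actions the backup credential's IAM policy allows. The two policies and the bucket name are constructed, and the checker deliberately ignores Resource, Condition and NotAction.

```python
import fnmatch

# Actions that let a stolen backup credential destroy or silently expire backups.
DESTRUCTIVE = [
    "s3:DeleteObject",               # delete the current backup
    "s3:DeleteObjectVersion",        # delete retained older versions
    "s3:DeleteBucket",
    "s3:PutLifecycleConfiguration",  # add a rule that expires everything
    "s3:PutBucketVersioning",        # suspend versioning so overwrites stick
    "s3:PutBucketPolicy",            # rewrite the bucket's access rules
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    # IAM action names are case-insensitive and may contain wildcards.
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def destructive_actions(policy):
    """Return the DESTRUCTIVE actions this policy allows.

    Simplified: ignores Resource, Condition and NotAction, so a clean
    result is necessary, not sufficient. Explicit Deny wins, as in IAM.
    """
    statements = _as_list(policy.get("Statement", []))
    allowed = []
    for action in DESTRUCTIVE:
        allow = any(s.get("Effect") == "Allow" and _matches(s, action) for s in statements)
        deny = any(s.get("Effect") == "Deny" and _matches(s, action) for s in statements)
        if allow and not deny:
            allowed.append(action)
    return allowed

# Constructed sample policies; "example-backups" is a placeholder bucket name.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"}]}

WRITE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-backups/*"},
    {"Effect": "Deny", "Resource": "*", "Action": [
        "s3:Delete*", "s3:PutLifecycleConfiguration", "s3:PutBucketVersioning", "s3:PutBucketPolicy"]}]}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD), ("write-only", WRITE_ONLY)):
        print(name, "->", destructive_actions(policy) or "no destructive actions")
```

A write-only credential can still overwrite an existing object with `s3:PutObject`, so the bucket also needs versioning enabled for older copies to survive.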


3 thoughts on “Backup Lesson from the Emerald City Comicon Hack”

  1. I still don’t get why computer security is so difficult for computer companies to figure out. I figure the most simple way to resolve it would be to include the cost of employing full-time anti-hackers in the original cost of the product, rather than assume people will add on separate security services. Would you sell a house without a roof? A car without a shell? It’s just mind-boggling.

    • More like selling a car without LoJack or a house without armed security guards — and that’s pretty much standard.

      Security is a complicated problem, whether it’s in the real world or in the computer world. It’s better to describe it as a whole bunch of different problems. Preventing someone from exploiting a software flaw, preventing someone from impersonating a valid user, and preventing a rogue user from acting maliciously are very different problems requiring very different solutions, made more complex by the fact that attacks can be automated and launched from halfway around the world.

      There is no simple solution to that.
