Category Archives: Security

Reminder: Password Security

As you may have heard, the full database from LinkedIn’s 2012 compromise was posted last month, resulting in more than 150 million additional user logins having been publicized. In light of all these login credentials being leaked from LinkedIn and other services, I wanted to (again) remind everyone of the importance of maintaining secure passwords and also provide some good general guidelines to follow.

Unique Passwords

Never re-use passwords for any reason. Every login that you setup must use an entirely unique password otherwise a compromise of one service compromises your logins for other services. This is becoming more of an issue as these incidents continue to occur. The last thing you want is for an online community compromise to result in the compromise of your email or bank logins.

Limit Access

Do not share your login information with others if it can be avoided. Doing so increases the risk of a compromise significantly since you have no control over how or where that login might be used. If you must provide your login information to a 3rd party you should set a temporary password and then reset it once the 3rd party no longer needs access. Continue reading

Critical Joomla Security Update

On Monday, December 14th, Joomla 3.4.6 was released to address a critical remote code execution vulnerability (CVE-2015-8562) that exists in all prior versions from 1.5.0 through 3.4.5. Hotfixes are also available for the older, unsupported 1.5 and 2.5 branches. It is imperative that you update all Joomla instances immediately. This was a zero day vulnerability that was actively being exploited prior to it having been discovered and patched. As such, it is remotely possible that your Joomla was already compromised.

We posted this to our forums and in our portal on Monday to give our clients a heads up but given the critical nature of this we figured another post couldn’t hurt. At that time we also deployed mod_security rules which we believe to sufficiently protect all Joomla instances hosted by us unless you have specifically disabled mod_security on the domain, which is not the default or recommended. As always, though, it is still important that these latest patches be applied immediately in order to secure your Joomla instances.

If you have any questions or concerns please don’t hesitate to contact us and we hope everyone has a Merry Christmas!

Script Security Updates

As the holiday shopping season has begun it is more important than ever for businesses to make sure their websites are secured against attackers. Staying on top of script updates (plugins and themes included) is one of the easiest and most vital parts of securing your website. We wanted to take a moment to cover a couple of serious updates that should receive special attention this holiday season.

A Joomla update (3.4.5) was released last month to address a critical remote and unauthenticated SQL injection vulnerability that is present in all 3.2+ versions. The severity of this cannot be stressed enough as it can allow attackers complete access to your account. We’ve had mod_security rules in place to block exploitation of this vulnerability since the day it was announced. To the best of our knowledge attackers have been unable to circumvent these rules but it is in your best interest to apply this update immediately if you have not done so already. If for some reason you’ve manually disabled mod_security on your website it remains fully exposed to this vulnerability if it hasn’t been patched and has likely already been compromised in some manner. For this reason we never recommend disabling mod_security. Further details concerning this update can be found here.

Last week a vulnerability in Zen Cart was also announced and has subsequently been patched. This is an arbitrary file inclusion vulnerability that again could allow attackers complete access to your account. Details and patches are available directly from Zen Cart here. Please note that public disclosure of this vulnerability is scheduled for December 16th but since a patch has already been released it wouldn’t take much for attackers to figure out how to exploit the vulnerability, if they haven’t already. All Zen Cart users should patch their instances immediately.

As always, we will continue to stay on top of these critical vulnerabilities and address them as possible or necessary. If you have any questions please feel free to submit a ticket via our client portal and we’ll gladly assist in any way that we can.

Security Update Roundup

There are many aspects to securing a website but one the easiest and most important things you can do is to stay on top of script updates as they become available. Our clients are generally pretty good about doing this but mistakes do happen. Attackers exploiting old, vulnerable scripts is by far the number one reason that we see sites being compromised. Cleaning a site once a compromise has already occurred can be a costly and time consuming process. Being proactive and keeping everything patched in a timely manner is far easier and significantly reduces the chance that your site will be compromised.

wordpress-logo-stacked-rgb

Popular scripts like WordPress have a very easy update process that can be run from within the administrative interface and be completed with just a couple of clicks. You can also configure your WordPress instances for automatic updates which can even take care of your plugins and themes as well. Another option is to configure Softaculous to automatically handle these for you. If you install a script using Softaculous this is very easy to do from their cPanel interface. Continue reading

Adobe Flash & GHOST: Critical glibc Vulnerability

flash logo

Lately it seems there has been no shortage of critical vulnerabilities being discovered in commonly used software. In the past couple of weeks alone, Adobe has had to release patched versions of Flash to address a trio of publicized zero day vulnerabilities. While as a host that doesn’t really impact us directly, it should be a top priority for anyone browsing the web. The vast majority of end-user computer infections come from malicious content taking advantage of such vulnerabilities. These can often lead to your login information being compromised which certainly does become an issue for us. As always, please be sure you’re staying up-to-date with these Flash patches as well as those for your operating system, web browser, Java, etc. Continue reading

Behind the Scenes: POODLE SSLv3 & Network Speedtest

As you may have heard, in October a new vulnerability was disclosed in SSL version 3 that was dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption). This allowed an attacker to read SSLv3 encrypted data via a man-in-the-middle attack. It has long been standard to disable SSLv2 and as a result of this new disclosure many providers, including us, have opted to disable SSLv3 as well. Disabling SSLv3 was really long overdue anyways and only used for legacy support of older operating systems that have long reached their end of life, such as initial releases of Windows XP. Any recent OS or software will instead use a version of TLS to connect which is now the only option that our servers permit. Aside from a couple of very minor cipher issues which were quickly remedied, we’ve experienced no problems with the deployment of these changes back in October. Ultimately this is just another small part that shows our ongoing commitment to security here at Dathorn, where keeping your data safe and secure is a priority.

Screen Shot 2014-10-15 at 10.53.07 AMIn other unrelated news, we have added network performance testing information to our network page. We frequently receive requests for information on how to test our network connectivity from a client’s location. To help make this process easier we’ve added this information directly to our website and have even setup a speedtest there. The image above shows some sample results from my own cable connection at home. Does anyone with Google fiber want to show off a bit?

Drupal SQL Injection Vulnerability – CVE-2014-3704

drupal_logo-blue

On October 15th a very serious SQL injection vulnerability was discovered in Drupal that exists in all 7.x versions prior to 7.32. The severity of this vulnerability led to quick exploitation of it within approximately 7 hours of it having been publicized. Fortunately the provided patch to address this issue was quite simple and easy to apply. In fact, the patch only changed one line of code in the includes/database/database.inc file. Because of this we opted to go ahead and pro-actively apply the patch to all installations of Drupal 7.x on our servers. In less than an hour we had protected all of our clients’ Drupal installations from being exploited by this vulnerability. Beyond that it helped to protect our servers from attackers that were exploiting this vulnerability to run other malicious scripts. Affected clients should still upgrade their Drupal to the latest version as soon as possible.

Overall we were very pleased that this was so easily addressed on our end and we will certainly look into options like this going forward as new vulnerabilities in popular scripts are discovered. This incident shows how important it is for you to stay on top of script, plugin, and theme updates. Within a mere 7 hours of publicizing this vulnerability, it was being actively exploited. We highly recommend that you sign up for security related mailing lists for the scripts that you are using if they are available. This will give you the best chance at protecting yourself when (not if) a vulnerability like this comes to light.

Behind the Scenes: Shellshock & PHP 5.4

Here’s another quick update on what’s been going on here behind the scenes at Dathorn. As you may have heard, critical bugs were discovered in the popular Linux shell, bash. This event, dubbed “Shellshock”, started to publicly unfold about two weeks ago.

shellshock-bugThe details of these vulnerabilities can be a bit difficult to follow given the number of different patches that were posted. It even required a few quick, consecutive updates from some Linux distributions just to get it right. It seemed like each time a new patch was released someone else was able to poke holes in it, finding new methods to exploit and turning bash into a bit of swiss cheese. Continue reading

Quick Look: WordPress Security Plugins

Securing a WordPress installation is certainly not a new topic. A quick Google search will turn up a large number of guides on how to go about doing this. Many of these have great information already but this task can often seem tedious to those that are inexperienced or don’t have a lot of time to spend on it. Given that WordPress is by far the most popular script that our clients use on our servers, I wanted to quickly highlight a couple of plugins that we find very useful in mitigating various issues that we’ve observed.

Better WP Security

The Better WP Security plugin offers a set of very straight forward steps that you can follow to help secure your WordPress installation as you can see below. Continue reading

Safe Web Browsing Practices

A couple of our recent posts have covered how to keep your login information secure and how to secure your local environment. In the latter we briefly mentioned how important it was to browse the web safely. Malicious content being served from a website is by far one of the biggest and most common threats to the security of your computer. The best advice that I can offer concerning safe web browsing is simple: trust nothing.

It should come as no surprise that browsing unsavory websites, such as those containing adult or pirated content, comes with risks of infecting your computer. Unfortunately this same potential exists with every single website out there. Some might think that since they are visiting a reputable company’s website that it is safe and that is not the case. Back in February NBC’s website was compromised and ended up serving malicious content to users. Just this past August the New York Times’ DNS was hijacked leaving near endless possibilities for attackers to abuse. Again my advice on handling this would be to trust nothing. Continue reading