Have you been pwned?

Last week Troy Hunt publicised that a spam list of 711 million user records including email addresses and passwords had been leaked.

“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.”

Obviously this isn’t the first (and unfortunately it won’t be the last) time data has been breached; however, this is one of the biggest by far.

Below we explain why it’s important to check whether your data has been leaked and how to perform those checks.

So why should I care?

One look at the list of Pwned websites (websites that are known to have been breached) shows the type of data that has been and can be leaked. With every data breach more of your personal data is exposed, and it can be pieced together by bad actors to access your online world.

With this data bad actors can perform a number of attacks such as (but not limited to):

  • Phishing – Attackers now know that you use a service and so have a great advantage when sending you mail pretending to be from that service in an attempt to trick you into sharing sensitive information such as passwords, usernames and credit card details. We can all identify spam mail from a bank we don’t use; it’s harder when the sender appears to be someone we know.
  • Password Reuse – A lot of these data breaches involve passwords as well as email addresses. The first thing that attackers will do is try to log into other accounts using the same login details from the breach. Being aware of what has been released at least gives you a fighting chance if you have used the same credentials elsewhere.
  • Whaling / Spear phishing – If you are unlucky enough to have had your data breached a number of times then it is easy for attackers to start to build up a profile of you. Specifically targeted spam e-mails can be sent to you and are much more likely to get past your subconscious mail filter. These can have life-changing outcomes, as recent conveyancing scams in which thousands have been stolen from individuals have shown.

This week Deliveroo are warning customers over vulnerable passwords even though their website hasn’t been hacked:

“While Deliveroo’s website has not been breached or hacked, the firm has identified a number of customers whose email addresses were compromised in data breaches on other websites.”

How to check if you are affected?

Information is power, not just for the attackers but for you too. By knowing when your data has been breached (through no fault of your own) you can protect your brand and your business better.

  • Individual email addresses – Sign up to Have I Been Pwned Notifications to check your email address and get notified if data associated with that e-mail is breached again.
  • Domain owners – Sign up to Have I Been Pwned Domain search to check your domains. Subscribe so that you get notifications should anything else go public in the future.

How can we help?

Being aware of what’s going on with your domain is important, as it’s your online presence to the world.

Dogsbody Technology maintenance packages all include reputation alerts for your IP addresses and domain name/s, checking over 200 blacklists to ensure your IPs aren’t blacklisted or showing up where they shouldn’t. Contact us to find out how we can help protect your brand as well as your servers.

Feature image by bonjourpeewee licensed CC BY-SA 2.0.

Stack Clash vulnerability

A new vulnerability was announced today affecting Linux servers (as well as OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64). The vulnerability allows local users to corrupt memory and execute arbitrary code.

We are currently contacting customers to arrange for appropriate times to reboot servers and load in the new kernel. 

If you manage your own server we highly recommend you fully patch and reboot your server ASAP.

If you are using a VPS server you will likely need to wait for confirmation from your VPS vendor that they have made a new kernel available. Do make sure that when you reboot you boot into the new kernel and not the old one. We are doing this for customers and have already had replies from some providers.

Anyone using an operating system that is now end of life (such as Ubuntu 12.04) will have to upgrade their operating system. Some vendors do have additional support offerings: Canonical is offering Extended Security Support for Ubuntu Advantage customers, which will cover this vulnerability.

More technical information can be found in the excellent write up from Qualys who discovered the vulnerability.

“Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.”

If you do not have a support contract in place with us and would like help with this, please feel free to contact us.

Feature image by Steven Lilley under the CC BY-SA 2.0 license.

How will Ubuntu 12.04 end of life affect me?

In April 2017, Ubuntu 12.04 reaches end of life (EOL).
We recommend that you update to Ubuntu 16.04.

Over time technology and security evolve, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old Ubuntu 12.04 systems past April 2017 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Ubuntu End of life dates:

Ubuntu LTS (long term support) operating systems come with a 5 year End Of Life policy. This means that after 5 years a release receives no maintenance updates, including security updates.

  • Ubuntu 12.04 : April 2017
  • Ubuntu 14.04 : April 2019
  • Ubuntu 16.04 : April 2021

Faster:

Just picking up your files and moving them from Ubuntu 12.04 to Ubuntu 16.04 will speed up your site due to the new software.

  • Apache 2.2 -> Apache 2.4
  • MySQL 5.5 -> MySQL 5.6
  • PHP 5.3 -> PHP 7.0

Are you still using an old operating system?

Want to upgrade?

Not sure if this affects you?

Drop us a line and see what we can do for you!


Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

How will CentOS 5 end of life affect me?

On 31st March 2017, CentOS 5 reaches end of life (EOL).
We recommend that you update to CentOS 7.

Over time technology and security evolve, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old CentOS 5 systems past March 2017 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

CentOS End of life dates:

  • CentOS 5 : 31st March 2017
  • CentOS 6 : 30th November 2020
  • CentOS 7 : 30th June 2024

Faster:

Just picking up your files and moving them from CentOS 5 to CentOS 7 will speed up your site due to the newer software.

  • Apache 2.2.3 -> Apache 2.4.6
  • PHP 5.1 -> PHP 5.4
  • MySQL 5.0 -> MariaDB 5.5

Are you still using an old operating system?

Want to upgrade?

Not sure if this affects you?

Drop us a line and see what we can do for you!

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

HashGate

HashGate: An intrusion detection tool

HashGate is a simple intrusion detection tool we wrote for use internally and in customer environments to monitor files and alert us on any unauthorised changes to them.

We try very hard not to re-invent the wheel and are already big users of tools such as Tripwire and Rootkit Hunter, but we wanted something lightweight for monitoring site files, not system files.

HashGate is written in Python using only core modules and aims to work on all platforms that can run Python 2.7, not just Linux!

Our main use for HashGate is monitoring files on WordPress and Magento installations, which are more commonly exposed to vulnerabilities that allow hackers to modify files. HashGate records the hashsum of every file in the specified directory and stores them for periodic checking; we run our checks hourly via cron.

Below is a basic example of the output where a file has been modified:


alex@dogsbody-alex:~$ ./hashgate.py -ca /tmp/files.cache -f /home/alex/Documents/Junk/ -t check
The following files were modified:
/home/alex/Documents/Junk/wordpress/index.php
----------------------------------

Other features of HashGate include whitelisting, which allows us to ignore files that frequently change and don’t need to be monitored such as WordPress’ cache files or Magento’s sessions directory.

There is also VirusTotal checking, where HashGate checks flagged files’ hashes against VirusTotal’s database of malicious files to determine whether the change was malicious. Due to the nature of VirusTotal’s API we’re only able to make 4 requests per minute, so if lots of files are flagged it will add some extra time to hash checks.

We have recently open sourced this tool and you can find more information, a list of the full features and usage in the Github repo. If you feel something can be written better or there’s a feature you’d like to add, we invite you to contribute and help us build a better tool. We make use of tools like HashGate in some of our server monitoring packages, so be sure to check them out and get in contact if they could be of use.
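To make the hash-and-compare cycle described above concrete, here is an added example of a minimal checker in the same style (Python 3 and the standard library only; it is not HashGate’s own code, and the cache format, function names and the glob-style whitelist are my own assumptions). An “update” run records a SHA-256 for every file under the monitored root in a JSON cache; a later “check” run re-hashes the tree and reports added, removed and modified files, skipping anything that matches a whitelist pattern such as a WordPress cache directory.

```python
#!/usr/bin/env python3
"""Minimal file-integrity check in the style HashGate describes.

Added example, not HashGate's own code (Python 3, standard library only).
A JSON cache maps each file's path (relative to the monitored root) to its
SHA-256 digest; a later run re-hashes the tree and reports added, removed
and modified files. Whitelist glob patterns skip paths that churn by design,
such as a WordPress cache directory.
"""
import fnmatch
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large uploads don't have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_whitelisted(relpath, whitelist):
    """True if the relative path matches any whitelist glob, e.g. 'wp-content/cache/*'."""
    return any(fnmatch.fnmatch(relpath, pattern) for pattern in whitelist)


def hash_tree(root, whitelist=()):
    """Return {relative path: sha256} for every regular file under root."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_whitelisted(rel, whitelist) or os.path.islink(full) or not os.path.isfile(full):
                continue
            digests[rel] = sha256_file(full)
    return digests


def compare(old, new):
    """Diff two path->digest maps into sorted added/removed/modified lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def update_cache(cache_path, root, whitelist=()):
    """Record the current state of the tree (the 'update' run)."""
    digests = hash_tree(root, whitelist)
    with open(cache_path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)
    return digests


def check(cache_path, root, whitelist=()):
    """Compare the tree against the cache (the periodic 'check' run, e.g. from cron)."""
    with open(cache_path) as f:
        old = json.load(f)
    return compare(old, hash_tree(root, whitelist))


def demo():
    """Constructed walkthrough: cache a tiny tree, tamper with index.php,
    write noise into a whitelisted cache dir, and return the check result."""
    whitelist = ("wp-content/cache/*",)
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as cache_dir:
        # keep the cache outside the monitored tree so it is not hashed itself
        cache = os.path.join(cache_dir, "files.cache")
        os.makedirs(os.path.join(root, "wp-content", "cache"))
        index = os.path.join(root, "index.php")
        with open(index, "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")
        update_cache(cache, root, whitelist)
        with open(index, "a") as f:          # unauthorised change to a site file
            f.write("// unexpected edit\n")
        with open(os.path.join(root, "wp-content", "cache", "page.html"), "w") as f:
            f.write("<html>cached</html>")   # churn the whitelist should hide
        return check(cache, root, whitelist)


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "modified"):
        if result[kind]:
            print("The following files were %s:" % kind)
            print("\n".join(result[kind]))
```

The cache file deliberately lives outside the monitored tree; if it sat inside, every update would flag the cache itself as modified. Symlinks are skipped so a link pointing outside the document root cannot drag unrelated files into the report.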

PHP 5.5 support will stop on the 10 July 2016

Quick public safety announcement: PHP 5.5 reaches end of life (EOL) on 10 July 2016.

Anything not running PHP version 5.6 or newer exposes your site to significant security vulnerabilities.

We have ensured that all our customers are safe and ready. Unsure if you are affected? Want a hand upgrading? Get in touch!


[Chart: Composer PHP version usage, January 2016]

I am a big fan of graphs, and Jordi Boggiano has provided a great overview of the PHP versions out there in the wild!

We are very happy to see a big drop in PHP 5.3 and 5.4 since they have long passed end of life and a surprisingly quick rise in the brand new PHP 7.0. 🙂


Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

DROWN vulnerability

Dogsbody Technology maintenance customers are already protected against the newly disclosed DROWN attack, but as of 1st March, 33% of all HTTPS sites are affected by this vulnerability.

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) vulnerability affects HTTPS and other services that rely on SSL and TLS, the cryptographic protocols that make security over the Internet possible.

The attack affects all SSLv2 servers and allows attackers to decrypt HTTPS traffic in transit, letting them spy on it. In some cases the encryption can be broken within minutes!

The fix for web servers is to disable SSLv2 support:

  • For Apache: SSLProtocol all -SSLv2 -SSLv3
  • For Nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
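The two directives above are easy to get subtly wrong, because Apache’s SSLProtocol is evaluated left to right (all, then +proto adds, -proto removes, and a bare name replaces the set) while Nginx’s ssl_protocols is a plain list. The following added example (my own code, not from the post or from either web server) resolves both grammars and flags any directive that still leaves SSLv2 or SSLv3 enabled. The KNOWN set assumes a 2016-era build in which all still includes SSLv2 and SSLv3; the config snippets are constructed.

```python
#!/usr/bin/env python3
"""Lint Apache and Nginx TLS settings for SSLv2/SSLv3 left enabled.

Added example, not from the original post. Resolves Apache's SSLProtocol
grammar ('all', '+proto', '-proto', bare name replaces the set) and Nginx's
plain ssl_protocols list, then reports directives that still enable an
obsolete protocol. KNOWN assumes a 2016-era build where 'all' includes SSLv2.
"""

KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}   # assumption: what 'all' expands to
OBSOLETE = {"SSLv2", "SSLv3"}


def apache_enabled_protocols(value):
    """Apply SSLProtocol tokens left to right: '+' adds, '-' removes,
    a bare token overwrites whatever came before (as mod_ssl does)."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = set(KNOWN) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def nginx_enabled_protocols(value):
    """ssl_protocols is a plain whitelist: what is listed is what is enabled."""
    return set(value.split())


def lint(config_text, server):
    """Return [(line number, [obsolete protocols enabled])] for server 'apache' or 'nginx'."""
    directive, resolve = {
        "apache": ("sslprotocol", apache_enabled_protocols),
        "nginx": ("ssl_protocols", nginx_enabled_protocols),
    }[server]
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        # drop comments and the trailing ';' nginx uses, then split off the directive name
        parts = line.split("#", 1)[0].strip().rstrip(";").split(None, 1)
        if len(parts) != 2 or parts[0].lower() != directive:
            continue
        weak = sorted(resolve(parts[1]) & OBSOLETE)
        if weak:
            findings.append((number, weak))
    return findings


# Constructed snippets: the weak setting beside the corrected one from the post.
APACHE_WEAK = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""
APACHE_FIXED = APACHE_WEAK.replace("SSLProtocol all", "SSLProtocol all -SSLv2 -SSLv3")

NGINX_WEAK = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
NGINX_FIXED = NGINX_WEAK.replace("SSLv2 SSLv3 ", "")

if __name__ == "__main__":
    for label, text, server in (("apache weak", APACHE_WEAK, "apache"),
                                ("apache fixed", APACHE_FIXED, "apache"),
                                ("nginx weak", NGINX_WEAK, "nginx"),
                                ("nginx fixed", NGINX_FIXED, "nginx")):
        print(label, lint(text, server) or "ok")
```

Running it prints line 3 with ['SSLv2', 'SSLv3'] for both weak snippets and ok for the corrected ones. A config lint only proves what the file says; after a reload, confirm what the server actually negotiates with a TLS scanner or the DROWN site’s own checker.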

For more information on the attack and the research paper, take a look at the official DROWN Attack website.

Dogsbody Technology are Linux SysAdmins, building secure, scalable, reliable servers for the internet. We keep our servers up to date and in doing so have already mitigated this attack.

If you want your site checked or have any questions please contact us.

CVE-2015-7547 glibc vulnerability

In the past few days Google has identified a vulnerability in glibc (the GNU C Library). It allows attackers to crash processes and potentially run code remotely on your server.

The vulnerability itself is best described by the Google Security Team’s blog-post. To summarise:

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack… …Remote code execution is possible, but not straightforward.”

glibc is a library which provides many basic functions and system call wrappers to C programs. Since libraries are only loaded when a program is started, only daemonised programs (processes left running in the background) are affected once the package is updated. When those programs are restarted they will load the new glibc library, which mitigates the issue.

You can get a list of all programs using glibc by running a command such as:

sudo lsof | grep libc | cut -d' ' -f 1 | sort | uniq

This shows that glibc is tied into nearly every service on a typical Linux system. It can quickly become a large job to restart each process, especially in the correct order. The quickest way of doing this is to reboot your server.

Our advice regarding this matter is:

  1. Ensure the latest glibc packages are installed.
  2. Reboot your server (or restart all processes that use glibc).

Feel free to get in touch if we can help with this.

Privacy

Data Privacy Day 2016

Today is Data Privacy Day! It has been taking place annually on the 28th of January since 2007, and this year is no different. As you may have worked out already, Data Privacy Day is all about protecting and maintaining your privacy, especially in the online world. One of the main focuses of the day is raising awareness of data protection requirements and best practices, so we thought we’d talk about some organisations and laws that help to do so.

Summary

  • If you’re a UK business and store any customer information, you need to register with the ICO
  • If a user types payment card information into your website, you are required to be PCI DSS compliant

Data Controllers & The ICO

The Information Commissioner’s Office (ICO) is interested in upholding rights with regard to information and does so in the public interest. It keeps track of businesses that are storing personal information (data controllers), deals with enquiries and complaints, and encourages bodies to comply with particular laws such as the Freedom of Information Act and the Data Protection Act.

The Data Protection Act stipulates that “every organisation processing personal information” must register as a data controller with the ICO (unless you are exempt), so make sure you do so if this applies to you! The responsibilities of a data controller cover things such as making sure you’re not holding onto data for longer than necessary, and that you are only recording information for the reasons specified to the ICO upon registering as a data controller.

The ICO can also provide you with help and advice on ensuring you’re upholding your responsibilities as a data controller. We highly recommend filling out the self assessment provided by the ICO to help you determine if you need to register with them.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) and compliance with it are all about certifying that your company handles payment card data in a safe and secure manner. Its purpose is to improve the security of the online payment process, to the benefit of both merchant and consumer. If your website or application accepts, transmits or stores payment card information, then you must be PCI DSS compliant.

There are different levels of compliance which you must meet depending on how many payments you process and the way in which you do so. If you’re using a payment gateway, such as SagePay or PayPal, which redirects users to an external page, then you probably only need to fill out a self-assessment questionnaire to gain compliance. You can find that questionnaire here.

If you don’t meet the standards, then you’re leaving yourself open to the possibility of very hefty fines and damage to your brand image. Setting up and securing your servers to aid in meeting the standards is something that we at Dogsbody Technology are perfectly suited to, so please get in touch if you have any questions or think that we can help!

Feature image by g4ll4is under the CC BY-SA 2.0 license.

Security and The Cloud

Don’t worry, this isn’t going to be another post on how security is holding up cloud adoption or how the cloud is destroying security. There is already too much negativity in the reporting of security news (some would say all news). I do however want to discuss how security is changing due to the cloud and cloud technologies. In my opinion cloud computing is actually good for security.

What’s in a word

I probably use the word “cloud” too much. I realise it’s an industry buzzword for something that has been around for ages, but it works. Call it Outsourcing, Virtualisation, SaaS or Utility Computing; they are all variations on Internet computing using machines that you do not directly own and have just licensed for the time that you need.

The ring of steel

For years security experts have been saying that companies should stop using the idea of a ring of steel around their internal network. The concept that you are either connected to the internal (trusted) network or the external (untrusted) network is very outdated and just doesn’t work with today’s computing use, but companies still insist on using it.

While people have tried to adapt this topology to greater granularity with “Chinese walls” (let’s separate accounts from development), people will continue to have to move data around between areas of the business to do their work, and it quickly becomes an IT vs Business battle.

With more companies needing to get company data outside the building, either to access it from a smartphone or to share the data with another company, the whole procedure falls down altogether.

Smaller rings

One solution is to take the model to its ultimate conclusion: a ring of steel for each machine/job/task. Until now this has been impossible from a practical standpoint, but now that companies are moving to cloud and virtual environments, resources can be configured in any way needed. No longer are you required to physically move cables in the patch room to change a network’s topology. Instead of one server with one operating system running web, email and any number of other tasks, you can have that same server running many operating systems, each locked down to do its one job well. Most servers in cloud and virtual environments come with their own firewall and authentication mechanism that can easily be managed en masse. How many hardware server rooms can say that?

Outside is inside

Given this new model there is no need to have a “corporate firewall” on the edge of your network at all. Why not let the internet in? This is in fact what we do at Dogsbody Technology. Every machine on the network is public and even internal switching is treated as public. If we want to move a private file from one machine to another it needs to be done in a secure, encrypted way. While that sounds like a lot of work it really isn’t. You save on a lot of infrastructure by not having to worry about a locked-down network, and while it does take a while to set up safe transfer methods, once you are set up there is no difference between transferring a private file to the computer next to you or to a computer on the other side of the world.

Not the end of the story

Of course, like all security, this is not the end of the story and will not fix all your issues. Monitoring and company policy are still required to stop, find and block exceptions, but we’ll discuss that in a separate blog post.

If you have any questions or comments regarding this post then please do leave a comment below or contact Dogsbody Technology for more information.