Customers advised to change passwords and scan websites for malware due to increased hacker activity

Over recent weeks we have noticed a huge increase in hacking attempts against our servers originating mostly from China. You may not be aware or have noticed that in recent years the majority of hacking attempts and surveillance queries are coming from IP addresses originating in China. Chinese hackers are becoming the most common and pervasive pests as evidenced by the US government’s Titan Rain investigation covered in this article in Computerworld. More recently, Google has expressed serious concerns about hacking attempts originating from China.

Unfortunately the government in China does nothing to stop or even discourage hackers or their illegal activities. As such, we must protect ourselves from the Chinese hackers and content thieves. We have therefore now made the decision to implement a number of IP block lists which will actively block large amounts of traffic originating from IP addresses in countries which are known for most of the hacking activity. This includes China, Korea, Nigeria, Russia and parts of South America.

As a result of this increased hacker activity there has also been an increase in the number of customers' websites and email accounts that have been compromised, largely because they had weak passwords which were easily cracked through basic brute force, dictionary or rainbow table attacks, or through vulnerabilities in the website itself.
Through our investigations we have discovered that a large number of customers have files within their websites which are allowing attackers to upload malicious code and scripts. This includes outdated and insecure CMS systems with known vulnerabilities, WYSIWYG editors such as FCKEditor which contain known vulnerabilities in older versions, other insecure upload and file managers, insecure copies of ColdFusion CFIDE folders, and even test files which have been left on the server by developers.

We therefore strongly advise all customers to reset both their FTP and email passwords, and to ask fellow users/staff to do the same. A strong password should be a bare minimum of 12 characters, with upper case, lower case, numbers and special characters. You should always use a unique password for every service and website. *** DO NOT USE THE SAME PASSWORD MORE THAN ONCE ***

Here are some useful tools to assist you.

  • Strong Password Generator – Use this handy tool to generate strong passwords.
  • LastPass – Remembering complex/strong passwords is hard if not impossible, but you don’t need to. LastPass is an excellent tool for storing and managing all your passwords and other secure information in one place, so you only have to remember one password, your LastPass password, and LastPass does the rest, including generating your passwords for you.

We also strongly recommend that all customers audit/scan their website ASAP for any malware and, if using any popular off-the-shelf CMS such as Mura, Joomla, Drupal, WordPress etc., update to the latest version and subscribe to alerts for when these products are updated.
If you do not have the necessary skills to keep your website secure, then we recommend using SiteLock.

Don’t Lose Business From Hackers

SiteLock provides comprehensive website security for small businesses. SiteLock offers online businesses a smart, cost effective way to protect their business while increasing sales by over 10% through earning trust. SiteLock’s Trust Seal also provides customer confidence and has been proven to substantially increase sales and conversions, with 70% of web visitors looking for a verifiable 3rd-party certification before providing personal data.

  • Malware Detection – Quick diagnosis of any harmful infections or malware on your business website.
  • On-Demand Expert Support – Team of experienced website surgeons to repair any injuries, infections and bugs.
  • Blacklist Monitoring – Daily health check of your website to keep it off Google’s blacklist.
  • Vulnerability Identification – An X-ray of your website that discovers security holes and virus injections.

CLICK HERE for details and pricing.

ENOM DNS issues

ENOM are currently having some DNS issues which are affecting any of our customers who use ENOM DNS servers. This includes customers who manage their DNS through our domain portal www.loudex.net, which uses ENOM.

Sorry for the inconvenience, but this is something we have no control over.

More details can be found on ENOM’s Twitter feed here.

CryptoLocker Virus – What you need to know

With Christmas fast approaching, it’s the time of year that online scammers, spammers and hijackers send themselves into overdrive mode.

Christmas is such an important time of year for many of our businesses, especially those in e-commerce who need to deal with the festive spike, so hackers know it is a good time to strike.

One of the nastiest online threats around has sadly reared its ugly head again this year, and has affected some of our customers.

It is a particularly horrible piece of ransomware called Crypto Locker, which is infecting Windows computers around the world, and has been since September 2013.

It is delivered in email form, and tricks recipients into opening the email by pretending to be from a legitimate company. Those who download the zip file inside it unintentionally allow Crypto Locker to control their computers. Crypto Locker then holds your computer hostage and leaves you with one choice: pay a set amount of ransom money or lose everything on your hard drive.

Once the virus has taken hold, there is horribly little you can do, but we do have a couple of suggestions that could help.

Infected computers will display a warning notice (from the virus) that tells you not to “disconnect from the Internet or turn off your computer”. Funnily enough, this is exactly what you should do: if the virus is still in the process of encrypting your files, unplugging your computer may save some of them.

Next, find out which files you have lost to assess the extent of the damage. Check whether you have backups of these, which could be in your ‘Windows System Restore’ files. Make sure there is nothing missing that you absolutely need and don’t have access to anywhere else. Hopefully you will find everything essential to you, as paying the ransom to get them back will only encourage more malware of this sort to be created.

If you do have a backup, you should wipe your computer of the virus by running your antivirus software, as virtually every version will get rid of Crypto Locker. Next you can restore your backup and sigh a huge sigh of relief.

If you do not have backups, and you have no other way of accessing important files, there is little you can do but pay the ransom.

There are however a number of copycat viruses around which show up asking for money even though your computer isn’t infected. So if you do think your computer may be infected, ask an expert before paying anyone anything!

To prevent an attack, make sure you are careful with any email you receive and don’t open it if you can’t figure out who it is from or why they may be emailing you. Back up all of your personal and business files regularly, and run up to date anti-virus software regularly.

Be really careful with any email you receive, don’t download or open any attachments before being absolutely sure what they are.

If you are still unsure of your options, give us a call on 0845 468 2369 and we can discuss the virus, precautions you should take and anti-virus software. 

Retirement of BABCOM-POST SMTP relay servers

Back in 2012 we made an announcement about various changes to our services, including the discontinuation/retirement of our BABCOM-POST servers which are currently used for SMTP relay of bulk email and email from websites hosted on HELM servers.

The original announcement can be found HERE.

This change will now come into effect on the 1st Jan 2015 along with the EOL retirement of all the HELM servers, and it will no longer be possible to relay email through these servers after this date.

Customers currently using these servers to send mail will need to use an alternative method.

All email sent through our servers must comply with our ANTI-SPAM policy HERE. Any domains found to be sending mail in breach of this policy which results in our servers being blacklisted may be banned from sending any further email through our servers at our discretion.

The default method to send email will be as follows:

  • By default all outgoing email will need to be sent through one of your existing POP3 accounts and will be subject to the standard mail limits.
    Details on the mail limits and quotas can be found HERE.
  • You will only be able to send email FROM a REAL email address hosted on our mail server. You will not be able to use FAKE from addresses or an email address that is not hosted on the same server; any emails trying to do this will be rejected.

This may require you to make minor changes to any code on your website that sends email, to specify the SMTP server, username and password.

Bulk email options

If you need to send large quantities of email that exceed the quotas of your mailbox, such as newsletters or transactional emails, then we recommend the following options.

  • If you need to send 12,000 or fewer emails per month, and do not require any support or advanced features, then please take a look at www.mandrill.com, which is FREE for up to 12,000 emails per month.
  • If you are looking for a fully supported service which includes bounce processing, reporting and mail/link tracking, then please consider our SendGrid service, which starts at £10 per month.

New Domain Names Launching!

We have just heard that 14 new domain extensions are entering new launch phases. Some will become available to the general public, whereas others will be available to pre-register for if you have the relevant Trademark.

Have a look at the launch dates and specifications of these great new TLD (top level domain) names below:

Wednesday, 5th November

  • Pre-registration and Sunrise for Trademark Holders: .DEGREE, .GIVES and .WORLD
  • Priority Placement for Landrush: .PHYSIO
  • Priority Placement for Early Access: .GIFTS, .RESTAURANT and .SARL
  • General Availability: .MARKET and .MORTGAGE

Wednesday, 12th November

  • Sunrise for Trademark Holders: .FORSALE
  • Priority Placement for Early Access: .ENGINEER
  • General Availability: .GIFTS, .RESTAURANT and .SARL

If you have any questions or would like more information, please email our sales team.

Patch Tuesday – Your update on the updates

It was a very busy “Patch Tuesday” as far as we can tell, with major releases from all the tech giants including Microsoft, Apple and even Oracle, who also released security patches for Java earlier this week. As always, for our managed customers we don’t just jump in and start updating client systems; we usually wait a few days so we can listen to the jungle drums of the Internet and see whether a groundswell of complaints materialises from overly eager IT managers who have broken something because the patch is, for want of a better word, flawed.

Microsoft

Finally, for those running Windows, information about Microsoft’s security patches for Patch Tuesday October 2014 can be found by clicking the link below. In short, it’s quite a biggie for Windows 2003 SP2 (both x64 and x86 editions), with a number of critical issues, particularly in IE.

https://technet.microsoft.com/library/security/ms14-oct

Oracle

For more information on the Java update please read more here:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixJAVA

The main thing to note with this Java update is that they released two versions of Java 1.7. Version 1.7.0_71 contains only the security patches and 1.7.0_72 contains both the security patches and non critical/non security bug fixes. Larry’s men recommend upgrading to 1.7.0_71 unless you are experiencing one of the issues patched in 1.7.0_72.

Apple

Yesterday Apple also unleashed its new desktop operating system, Yosemite. Whilst never advertised as a security update, the folks at Apple always ensure that OS X updates include fixes for the most recently identified vulnerabilities. The OS was first announced at Apple’s developer conference last June, but became available as a free download yesterday after Apple’s main event in Cupertino, Calif.

To find out more, see what Apple has to say about their latest release here: http://www.apple.com/uk/osx/

POODLE

You may have read about the “POODLE” vulnerability (CVE-2014-3566) in an earlier post, but for those who didn’t, it was very big news. In short, it’s an architectural flaw in the SSLv3 protocol, which means it cannot be patched or fixed; you just need to use a better security protocol. Security boffins are recommending that you disable SSLv3 support on your servers and clients as soon as possible to avoid leaving the door open.

ACTION: Disable SSLv3 on your servers to be safe.

The impact of disabling SSLv3 on your web server means that clients that don’t support the TLSv1 protocol will not be able to connect over HTTPS (IE6 on Windows XP). You should also consider any crawlers, bots or API traffic coming from other servers that may be using an older HTTPS client.

More on POODLE:
  • http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
  • https://poodle.io/
  • http://nginx.com/blog/nginx-poodle-ssl/
  • https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
  • https://access.redhat.com/articles/1232123

Staying ahead of the bad guys

There are things you can do to check for vulnerabilities in your server configuration, such as adding HackMyCF to your subscription from as little as £5 per month. The newly updated HackMyCF JVM scanner will raise an issue if your server has not been updated and will warn you if your web server accepts SSLv3 connections.

Drupal Core – Highly Critical – Public Service announcement – PSA-2014-003

  • Advisory ID: DRUPAL-PSA-2014-003
  • Project: Drupal core
  • Version: 7.x
  • Date: 2014-October-29
  • Security risk: HIGHLY CRITICAL

Description

Last week Drupal announced that there had been “automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”

WARNING: Simply updating to Drupal 7.32 will not remove backdoors.

If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

Data and damage control

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

Take a look at their help documentation, ”Your Drupal site got hacked, now what”

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.

The Drupal security team recommends that you consult with your hosting provider (us). For our part, we can say that we had not applied any patches on behalf of customer sites, nor had we any cause to block SQL injection attacks, at the time of the announcement on Oct 15th, 4pm UTC. Their advice: you must restore your website to a backup from before 15 October 2014. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.

ColdFusion Security Bulletin APSB14-23

Security Update: Hotfixes available for ColdFusion

Release date: October 14, 2014

Vulnerability identifier: APSB14-23

Priority: See table below

CVE numbers: CVE-2014-0570, CVE-2014-0571, CVE-2014-0572

Platform: All Platforms

Summary

Adobe has released security hotfixes for ColdFusion versions 11, 10, 9.0.2, 9.0.1 and 9.0 for all platforms. These hotfixes address a security permissions issue that could be exploited by an unauthenticated local user to bypass IP address access control restrictions applied to the ColdFusion Administrator. Cross-site scripting and cross-site request forgery vulnerabilities are also addressed in the hotfixes.

Affected software versions

ColdFusion 11, 10, 9.0.2, 9.0.1 and 9.0 for all platforms.

Solution

Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote located here: http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb14-23.html

Customers should also apply the security configuration settings as outlined on the ColdFusion Security page, as well as review the ColdFusion 11 Lockdown Guide, ColdFusion 10 Lockdown Guide and ColdFusion 9 Lockdown Guide.

Priority and severity ratings

Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:

ColdFusion Version   Hotfix Version   Platform   Priority rating
11                   Update 2         All        2
10                   Update 14        All        2
9.0.2                Update 7         All        2
9.0.1                Update 12        All        2
9.0                  Update 13        All        2

These updates address important vulnerabilities in the software.

Details

Adobe has released security hotfixes for ColdFusion versions 11, 10, 9.0.2, 9.0.1 and 9.0 for all platforms.

These hotfixes resolve a cross-site request forgery vulnerability (CVE-2014-0570).

These hotfixes resolve a cross-site scripting vulnerability (CVE-2014-0571).

These hotfixes resolve a security permissions issue that could be exploited by an unauthenticated local user to bypass IP address access control restrictions (CVE-2014-0572).

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

End of SSL 3.0 as POODLE attacks

SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information.

Back at the end of September, a team at Google discovered a serious vulnerability in SSL 3.0 that can be exploited to steal certain confidential information, such as cookies. This vulnerability, known as “POODLE”, is similar to the BEAST attack. By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website.

Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.

POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

Google’s security team has recommended that systems administrators simply turn off support for SSLv3 to avoid the problem. But this will mean that some users trying to connect securely to a web server using SSLv3 will have trouble connecting if they’re using a client that only supports this protocol.

http://www.wired.com/2014/10/poodle-explained/

IMPORTANT NOTICE: There is no patch or update available to fix this in Windows or Linux, but it is possible to disable SSLv3 on both VM platforms by modifying the registry in Windows and the relevant config file in Linux.
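Both POODLE posts above (the Patch Tuesday “ACTION” and this notice) tell you to disable SSLv3 but not how to confirm it is actually off. The following is an added example, not code from the original posts: a small Python probe that sends a minimal SSLv3 ClientHello and classifies the server’s first reply, so you can check a host after changing its registry or config. The cipher suite list, the fixed client random, the sample responses and the placeholder hostname are all constructed for the example.

```python
"""Verify that a server no longer accepts SSLv3 (POODLE, CVE-2014-3566).

Added example: send a minimal, constructed SSLv3 ClientHello and look at the
first record the server returns. A ServerHello at version 3.0 means SSLv3 is
still enabled; an Alert record means the server refused the old version.
"""
import socket
import struct

SSLV3 = b"\x03\x00"          # SSL 3.0 version bytes on the wire
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# Constructed list of CBC cipher suites (the padding scheme POODLE abuses):
# TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
# TLS_RSA_WITH_3DES_EDE_CBC_SHA
CIPHER_SUITES = bytes.fromhex("002f0035000a")


def build_sslv3_client_hello() -> bytes:
    """Return a complete SSLv3 record carrying a minimal ClientHello."""
    body = (SSLV3
            + b"\x11" * 32                      # client random (constructed, fixed)
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                      # one compression method: null
    # Handshake header: 1-byte type + 3-byte length (take low 3 bytes of a u32)
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: 1-byte type + 2-byte version + 2-byte length
    return bytes([RECORD_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record a server sent back to our SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"              # closed connection or truncated record
    record_type, record_version = data[0], data[1:3]
    if (record_type == RECORD_HANDSHAKE and record_version == SSLV3
            and len(data) >= 11 and data[5] == HS_SERVER_HELLO
            and data[9:11] == SSLV3):
        return "sslv3-accepted"           # server negotiated SSL 3.0: still vulnerable
    if record_type == RECORD_ALERT:
        return "sslv3-rejected"           # handshake_failure / protocol_version alert
    return "unknown"                      # plain HTTP banner, garbage, etc.


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify whatever comes back first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_response(sock.recv(4096))
    except (socket.timeout, ConnectionError):
        return "no-response"


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass your own server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    print(f"{target}: {probe(target)}")
```

A result of "sslv3-accepted" means the change did not take effect (or a load balancer in front of the server still speaks SSLv3); "sslv3-rejected" is what you want to see.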

 

 

ColdFusion security hotfixes for version 9-11

Adobe released security hotfixes today classified as “important” to address an XSS, a CSRF and an authentication issue in the CF Administrator: http://helpx.adobe.com/security/products/coldfusion/apsb14-23.html

This update also includes updated web server connectors for both IIS and Apache on ColdFusion 10. ColdFusion 11 connectors do not appear to be updated since ColdFusion 11 update 1 (last month).

We will be updating our WebsitePanel shared hosting servers and any customers with fully managed servers.

Un-managed customers, or those with only Basic management, will need to install the update themselves.

Legacy HELM systems will NOT be updated.