Stack Clash vulnerability

A new vulnerability was announced today affecting all Linux servers (including OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64).  The vulnerability allows local users to corrupt memory and execute arbitrary code.

We are currently contacting customers to arrange for appropriate times to reboot servers and load in the new kernel. 

If you manage your own server we highly recommend you fully patch and reboot your server ASAP.

If you are using a VPS server you will likely need to wait for confirmation from your VPS vendor that they have made a new kernel available.  Do make sure that when you reboot you boot into the new kernel and not the old one.  We are doing this for customers and have already had replies from some providers.

Anyone using an operating system that is now end of life (such as Ubuntu 12.04) will have to upgrade their operating system.  Some vendors do have additional support offerings.  Canonical is offering Extended Security Support for Ubuntu Advantage customers which will cover this vulnerability.

More technical information can be found in the excellent write up from Qualys who discovered the vulnerability.

“Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.”

If you do not have a support contact in place with us and would like help with this please feel free to contact us.

Feature image by Steven Lilley under the CC BY-SA 2.0 license.

How will CentOS 5 end of life affect me?

On 31st March 2017, CentOS 5 reaches end of life.
We recommend that you update to CentOS 7.

Over time technology and security evolves, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old CentOS 5 systems past March 2017 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

CentOS End of life dates:

  • CentOS 5 : 31st March 2017
  • CentOS 6 : 30th November 2020
  • CentOS 7:  30th June 2024

Faster:

Just picking up your files and moving them from CentOS 5 to CentOS 7 will speed up your site due to the newer software.

  • Apache 2.2.3 -> Apache 2.4.6
  • PHP 5.1 -> PHP 5.4
  • MySQL 5.0 -> MariaDB 5.5

Are you still using an old operating system?

Want to upgrade?

Not sure if this effects you?

Drop us a line and see what we can do for you!

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

HashGate

HashGate: An intrusion detection tool

HashGate is a simple intrusion detection tool we wrote for use internally and in customer environments to monitor files and alert us on any unauthorised changes to them.

We try very hard not to re-invent the wheel and are already big users of tools such as Tripwire and Rookit Hunter but we wanted something lightweight for monitoring site files, not system files.

HashGate is written in Python using only core modules and aims to work on all platforms that can run Python 2.7, not just Linux!

Our main use for HashGate is for monitoring files on WordPress & Magento installations which more commonly are exposed to vulnerabilities allowing hackers to modify files. HashGate records the hashsum of all files in the specified directory and stores them for checking periodically, we run our checks hourly via cron.

Below is an basic example output where a file has been modified:


alex@dogsbody-alex:~$ ./hashgate.py -ca /tmp/files.cache -f /home/alex/Documents/Junk/ -t check
The following files were modified:
/home/alex/Documents/Junk/wordpress/index.php
----------------------------------

Other features of HashGate include whitelisting, which allows us to ignore files that frequently change and don’t need to be monitored such as WordPress’ cache files or Magento’s sessions directory.

There is also VirusTotal checking, this is where HashGate will check flagged files hashes against VirusTotal’s database of malicious files to determine if the change was malicious or not. Due to the nature of VirusTotal’s API we’re only able to do 4 requests per minute so if lot’s of files are flagged it will add some extra time to hash checks.

We have recently open sourced this tool and you can find some more information and a list of the full features and usage in the Github repo, if you feel something can be written better or there’s a feature you’d like to add we invite you to contribute and help us build a better tool. We make use of tools like HashGate in some of our server monitoring packages so be sure to check them out and get in contact if they could be of use.

DROWN vulnerability

Dogsbody Technology maintenance customers are already protected against the newly disclosed DROWN attack, but as of the 1st March, 33% of all HTTPS sites are affected by this vulnerability.

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) vulnerability affects HTTPS and other services that rely on SSL and TLS, these cryptographic protocols that make security over the Internet possible.

The attack affects all SSLv2 servers and allows attackers to decrypt HTTPS traffic during transfer letting them spy on traffic. In some cases encryption can be broken within minutes!

The fix web servers is to disable SSLv2 support:

  • For Apache: SSLProtocol all -SSLv2 -SSLv3
  • For Nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For more information on the attack and research paper take a look at the official DROWN Attack website.

Dogsbody Technology are Linux SysAdmin’s, building secure scalable reliable servers for the internet. We keep our servers up-to date and in doing so have already mitigated this attack.

If you want your site checked or have any questions please contact us.

CVE-2015-7547 glibc vulnerability

In the past few days Google has identified a vulnerability in glibc (GNU C Library). It allows attackers to crash processes and potentially run code remotely on your server.

The vulnerability itself is best described by the Google Security Team’s blog-post. To summarise:

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack… …Remote code execution is possible, but not straightforward.”

glibc is a library which provides many basic functions and system calls to C programs. Since libraries are only loaded in when a program is started, this means that only daemonised (a process which is left running in the background) programs are effected. When those programs are restarted they will load in the new glibc library which mitigates the issue.

You can get a list of all programs using glibc by running a command such as:

sudo lsof | grep libc | cut -d' ' -f 1 | sort | uniq

This shows that glibc is tied into nearly every service on a typical Linux system.  It can quickly become a large job to restart each process, especially in the correct order.  The quickest way of doing this is by rebooting your server.

Our advice regarding this matter is:

  1. Ensure the latest glibc packages are installed.
  2. Reboot your server (or restart all processes that use glibc)

Feel free to get in touch if we can help with this.

Privacy

Data Privacy Day 2016

Today is Data Privacy Day! It’s been taking place annually on the 28th of January since 2007, and this year is no different. As you may have worked out already, data privacy day is all about protecting and maintaining your privacy, especially in the online world. One of the main focuses of the day is raising awareness of data protection requirements and best practices, so we thought we’d talk about some organisations and laws that help to do so.

Summary

  • If you’re a UK business and store any customer information, you need to register with the ICO
  • If a user types payment card information into your website, you are required to be PCI DSS compliant

Data Controllers & The ICO

The Information Commissioners Office (ICO) is interested in upholding rights with regards to information and does so in the public interest. It keeps track of businesses that are storing personal information (data controllers), deals with enquiries and complaints, and encourages bodies to comply with particular laws such as the Freedom of Information Act and the Data Protection Act.

The Data Protection Act stipulates that “every organisation processing personal information” must register as a data controller with the ICO (unless you are exempt), so make sure you do so if this applies to you! The responsibilities of a data controller cover things such as making sure you’re not holding onto data for longer than necessary, and that you are only recording information for the reasons specified to the ICO upon registering as a data controller.

The ICO can also provide you with help and advice on ensuring you’re upholding your responsibilities as a data controller. We highly recommend filling out the self assessment provided by the ICO to help you determine if you need to register with them.

PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS), and compliance is all about certifying that your company is handling payment card data in a safe and secure manner. It’s purpose is to try and improve the security of the online payment process, at the benefit of both the merchant and consumer.  If your website or application accepts, transmits or stores payment card information, then you must be PCI DSS compliant.

There are different levels of compliance which you must meet depending on how many payments you process and the way in which you do so. If you’re using a payment gateway, such as SagePay or PayPal, which redirects users to an external page, then you probably only need to to fill out a self-assessment questionnaire to gain compliance. You can find that questionnaire here.

If you don’t meet the standards, then you’re leaving yourself open to the possibility of very hefty fines and damage to your brand image. Setting up and securing your servers to aid in meeting the standards is something that we at Dogsbody Technology are perfectly suited to, so please get in touch if you have any questions or think that we can help!

Feature image by g4ll4is under the CC BY-SA 2.0 license.

CVE-2014-0160 – Heartbleed

A vulnerability has been discovered that allows anyone over the internet to read data straight off of your server.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
– Bruce Schneier

Labelled “Heartbleed” this vulnerability leaves your servers memory vulnerable and accessible to be read by anyone. A lot of private information is at risk, everything from passwords to SSL certificate keys are loaded into memory so often it is only a matter of time until a malicious user gets them.

The affected software, OpenSSL is a library that provides tools for encryption. OpenSSL is installed by default on many Linux systems as many core tools depend on it for SSL. It is widely used by servers for web, email, remote shell, VPN, file transfer and much more…

Test your website for the Heartbleed vulnerability.

The following command lists all services using libssl:

sudo lsof | grep libssl

The only fix is to upgrade OpenSSL to a non-vulnerable version and restart all services using it. Since it is used by so many services it can quickly become a large job to restart each process, especially in the correct order. The quickest way of doing this is by rebooting your server.

For more reading see the official Heartbleed website.

Our advice regarding this matter is:

  1. Ensure a fixed OpenSSL package is installed.
  2. Reboot your server (or restart all processes that use OpenSSL)

Feel free to get in touch if we can help with this.

Feature image by Alan O’Rourke under the CC 2.0 license.

Sponsoring Project Honey Pot

Dogsbody Technology is a proud sponsor of Project Honey Pot with the donation of over 40 mail server addresses and some raw cash to the project.

Project Honey Pot allows us to track the reputation of all of our customers servers.  They would do this without donations from us but it’s the least we can do to support such a great service.

To quote their website…

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.

If you run servers yourself, we encourage you to signup to the project, monitor your IP addresses and donate an MX record or a link from your site.

Feature image – “Storage Servers” by grover_net is licensed under CC BY ND 2.0

ISO27001 Certification

 

We are often asked to make sure we source servers or products from companies that are ISO27001 (or ISO9001) certified.  While it’s good to have a stamp to prove that a company has attained a level of standard I feel there is often confusion over what this certification means.

Luckily, Alec Muffett, a friend of mine wrote a lovely piece on his blog about Google receiving ISO27001 certification for their Google Apps products…

ISO27001 is good to see stamped upon a vendor’s product and business processes – however it is emphatically not a “seal of security approval” – not at all.

The promise of 27001 certification is that a vendor has considered and documented various security risks and threats which would impact their offering – and has established a process to continue this in an ongoing fashion – and then has had the documentation of that understanding cross-checked and validated by an external agency.

In sporting metaphor: a vendor (in this case, Google) gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it; and then they jump over it and the certification agency simply attests that they have successfully performed a high-jump over a bar of their own design. The design documents and jump technique do not need to be made public.

So what would be really interesting would be if Google publishes their security requirements, their standards, their policies and risk assessments, so everyone else can see what kind of high-jump they have just performed – how high, how hard, and landing upon what kind of mat?

It would be that which would inform me of how far I would trust Google Apps with sensitive data, most especially with regard to the provisions they must make for “lawful access” to data by government actors.

Dogsbody Technology helps you cut through all the layers of sourcing new infrastructure. Talk to us to find out how.

Security and The Cloud

Don’t worry this isn’t going to be another post on how security is holding up cloud adoption or how the cloud is destroying security.  There is already too much negativity regarding the reporting of security news (some would say all news).  I do however want to discuss how security is changing due to the cloud and cloud technologies.  In my opinion cloud computing is actually good for security.

What’s in a word

I probably use the word “cloud” too much, I realise it’s an industry buzzword for something that has been around for ages but it works.  Call it Outsourcing, Virtulisation, SaaS or Utility computing, they are all variations of Internet computing by machines that you do not directly own and have just licensed for the time that you need.

The ring of steel

For years security experts have been saying that companies should stop using the idea of a ring of steel around their internal network. The concept that you are either connected to the internal (trusted) network or the external (untrusted) network is very outdated and just doesn’t work with today’s computing use but companies still insist on using it.

While people tried to adopt this topology to greater granularity with “Chinese firewalls” (lets separate accounts from development) people will continue to have to move data around between areas of the business to do their work and it quickly becomes an IT vs Business battle.

With more companies needing to get company data outside the building either to access it from a smartphone or share the data with another company the whole procedure falls down altogether.

Smaller rings

One solution is to adapt the model to it’s ultimate conclusion.  A ring of steel for each machine/job/task.  Until now this has been an impossible task, from a practice standpoint but now that companies are moving to cloud and virtual environments resources can be configured in any way needed.  No longer are you required to physically move cables in the patch room to change a networks topology.  Instead of one server with one operating system running web and email and any number of other tasks you can have that same server with many operating systems all locked down to do their one job well.  Most servers in the cloud and virtual environment come with their own firewall and authentication mechanism that can be easily managed on mass.  How many hardware server rooms can say that?

Outside is inside

Given this new model there is no need to have a “corporate firewall” on the edge of your network at all.  Why not let the internet in?  This is in fact what we do at Dogsbody Technology. Every machine on the network is public and even internal switching is treated as public.  If we want to move a private file from one machine to another it needs to be done in a secure/encrypted way.  While that sounds like a lot of work it really isn’t.  You save on a lot of infrastructure from not having to worry about a locked down network and while it does take a while to setup safe transfer methods, once you are set up there is no difference between transferring a private file to the computer next to you or a computer the other side of the world.

Not the end of the story

Of course, like all security, this is not the end of the story and will not fix all your issues.  Monitoring and company policy are still required to stop, find and block exceptions but we’ll discuss that in a separate blog post.

If you have any questions or comments reading this post them please do leave a comment below or contact Dogsbody Technology for more information.