Cyber Security Awareness Month 2017

Dogsbody Technology is happy to be a champion of National Cyber Security Awareness Month (NCSAM) to get everyone thinking about their security online.

Online safety is our shared responsibility, and it starts with STOP. THINK. CONNECT.

STOP: make sure security measures are in place.
THINK: about the consequences of your actions and behaviours online.
CONNECT: and enjoy the internet.

We actively believe that security is not something you “do” (I’ve built this server now I’m going to secure it), it is something that has to be thought about as part of the culture of the business we are in. It is also something that has to be done at all levels of the business including customers and suppliers.

Follow these basic tips throughout October – and all year-round! – to help protect yourself, your information and promote a more trusted internet for everyone.

Own your online presence – Set the privacy and security settings on websites to your comfort level for information sharing. It’s OK to limit how and with whom you share information.

Personal information is like money. Value it. Protect it. – Information about you, such as purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected by apps and websites.

Keep a clean machine – Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.

Get 2 steps ahead – Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Turn on two-factor authentication (2FA) – also known as two-step verification or multi-factor authentication (MFA) – on accounts where available. Two-factor authentication can use anything from a text message to your phone to a token to a biometric like your fingerprint to provide enhanced account security.

Share with care – Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it could be perceived now and in the future.

Declutter your mobile life –  Most of us have apps we no longer use and some that need updating. Delete unused apps and keep others current, including the operating system on your mobile device.

Do a digital life purge –  Perform a good, thorough review of your online files. Tend to digital records, PCs, phones and any device with storage just as you do for paper files. Get started by doing the following:

  • Clean up your email: Save only those emails you really need and unsubscribe to email you no longer need/want to receive.
  • Back it up: Copy important data to a secure cloud site or another computer/drive where it can be safely stored. Password protect backup drives. Always back up your files before getting rid of a device, too. You can’t go wrong with the classic 3-2-1 Backup Strategy -3 total copies of your data, 2 of which are local but on different mediums (read: devices), and at least 1 copy offsite (for if your house/office burns down).

Know what devices to digitally “shred” –  Computers and mobile phones aren’t the only devices that capture and store sensitive, personal data. External hard drives and USBs, tape drives, embedded flash memory, wearables, networking equipment and office tools like copiers, printers and fax machines all contain valuable personal information.

Clear out stockpiles –  If you have a stash of old hard drives or other devices – even if they’re in a locked storage area – information still exists and could be stolen. Don’t wait: wipe and/or destroy unneeded hard drives as soon as possible.

Empty your trash or recycle bin on all devices and be certain to wipe and overwrite – Simply deleting and emptying the trash isn’t enough to completely get rid of a file. Permanently delete old files using a program that deletes the data, “wipes” it from your device and overwrites it by putting random data in place of your information ‒ that then cannot be retrieved.

For devices like tape drives, remove any identifying information that may be written on labels before disposal, and use embedded flash memory or networking or office equipment to perform a full factory reset and verify that no potentially sensitive information still exists on the device.

 

Most of these suggestions just require time.  There really is no excuse.

Have you been pwned?

Last week Troy Hunt publicised that a spam list of 711 million user records including email addresses and passwords had been leaked.

“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.”

Obviously this isn’t the first (and unfortunately) it won’t be the last time data has been breached, however this is one of the biggest by far.

Below we explain why its important to check if your data has been leaked and how to perform those checks.

So why should I care?

One look at the list of Pwned websites (websites that have been breached – which they know about) shows the type of data that has and can be leaked. With every data breach more of your personal data is being leaked and can be pieced together by bad actors to access your online world.

With this data bad actors can perform a number of attacks such as (but not limited to):

  • Phishing  – Attackers now know that you use a service and so have a great advantage when sending you mail pretending to be from that service in an attempt to trick you into sharing sensitive information such as passwords, usernames, and credit card details.  We can all identify spam mail from a bank we don’t use however it’s harder when the sender is someone we know.
  • Password Reuse – A lot of these data breaches involve passwords as well as email addresses.  The first thing that attackers will do is try and log into other accounts using the same login details from the breach. Being aware of what has been released at least give you a fighting chance if you have used the same credentials elsewhere.
  • Whaling / Spear phishing – If you are unlucky enough to have had your data breached a number of times then it is easy for attackers to start to build up a profile for you. Specifically targeted spam e-mails can be sent to you and are much more likely to get past your subconscious mail filter.  These can have life changing outcomes as recent conveyancing scams where thousands have been stolen from individuals has shown.

This week Deliveroo are warning customers over vulnerable passwords and there website hasn’t even been hacked:

“While Deliveroo’s website has not been breached or hacked, the firm has identified a number of customers whose email addresses were compromised in data breaches on other websites.”

How to check if you are affected?

Information is power, not just for the attackers but for you too.  By knowing when you have had a data breach (through no fault of your own) you can protect your brand and your business better.

  • Individual email addresses – Sign up to Have I Been Pwned Notifications to check your email address and get notified if data associated with that e-mail is breached again.
  • Domain owners – Sign up to Have I Been Pwned Domain search to check your domains. Subscribe so that you get notifications should anything else go public in the future.

How can we help?

Being aware of what’s going on with your domain is important as its your online presence to the world.

Dogsbody Technology maintenance packages all include reputation alerts for your IP addresses and domain name/s checking over 200 blacklists to ensure your IP’s aren’t blacklisted or showing up where they shouldn’t. Contact us to find out how we can help protect your brand as well as your servers.

Feature image by bonjourpeewee licensed CC BY-SA 2.0.

Stack Clash vulnerability

A new vulnerability was announced today affecting all Linux servers (including OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64).  The vulnerability allows local users to corrupt memory and execute arbitrary code.

We are currently contacting customers to arrange for appropriate times to reboot servers and load in the new kernel. 

If you manage your own server we highly recommend you fully patch and reboot your server ASAP.

If you are using a VPS server you will likely need to wait for confirmation from your VPS vendor that they have made a new kernel available.  Do make sure that when you reboot you boot into the new kernel and not the old one.  We are doing this for customers and have already had replies from some providers.

Anyone using an operating system that is now end of life (such as Ubuntu 12.04) will have to upgrade their operating system.  Some vendors do have additional support offerings.  Canonical is offering Extended Security Support for Ubuntu Advantage customers which will cover this vulnerability.

More technical information can be found in the excellent write up from Qualys who discovered the vulnerability.

“Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.”

If you do not have a support contact in place with us and would like help with this please feel free to contact us.

Feature image by Steven Lilley under the CC BY-SA 2.0 license.

How will CentOS 5 end of life affect me?

On 31st March 2017, CentOS 5 reaches end of life.
We recommend that you update to CentOS 7.

Over time technology and security evolves, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old CentOS 5 systems past March 2017 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

CentOS End of life dates:

  • CentOS 5 : 31st March 2017
  • CentOS 6 : 30th November 2020
  • CentOS 7:  30th June 2024

Faster:

Just picking up your files and moving them from CentOS 5 to CentOS 7 will speed up your site due to the newer software.

  • Apache 2.2.3 -> Apache 2.4.6
  • PHP 5.1 -> PHP 5.4
  • MySQL 5.0 -> MariaDB 5.5

Are you still using an old operating system?

Want to upgrade?

Not sure if this effects you?

Drop us a line and see what we can do for you!

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

HashGate

HashGate: An intrusion detection tool

HashGate is a simple intrusion detection tool we wrote for use internally and in customer environments to monitor files and alert us on any unauthorised changes to them.

We try very hard not to re-invent the wheel and are already big users of tools such as Tripwire and Rookit Hunter but we wanted something lightweight for monitoring site files, not system files.

HashGate is written in Python using only core modules and aims to work on all platforms that can run Python 2.7, not just Linux!

Our main use for HashGate is for monitoring files on WordPress & Magento installations which more commonly are exposed to vulnerabilities allowing hackers to modify files. HashGate records the hashsum of all files in the specified directory and stores them for checking periodically, we run our checks hourly via cron.

Below is an basic example output where a file has been modified:


alex@dogsbody-alex:~$ ./hashgate.py -ca /tmp/files.cache -f /home/alex/Documents/Junk/ -t check
The following files were modified:
/home/alex/Documents/Junk/wordpress/index.php
----------------------------------

Other features of HashGate include whitelisting, which allows us to ignore files that frequently change and don’t need to be monitored such as WordPress’ cache files or Magento’s sessions directory.

There is also VirusTotal checking, this is where HashGate will check flagged files hashes against VirusTotal’s database of malicious files to determine if the change was malicious or not. Due to the nature of VirusTotal’s API we’re only able to do 4 requests per minute so if lot’s of files are flagged it will add some extra time to hash checks.

We have recently open sourced this tool and you can find some more information and a list of the full features and usage in the Github repo, if you feel something can be written better or there’s a feature you’d like to add we invite you to contribute and help us build a better tool. We make use of tools like HashGate in some of our server monitoring packages so be sure to check them out and get in contact if they could be of use.

DROWN vulnerability

Dogsbody Technology maintenance customers are already protected against the newly disclosed DROWN attack, but as of the 1st March, 33% of all HTTPS sites are affected by this vulnerability.

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) vulnerability affects HTTPS and other services that rely on SSL and TLS, these cryptographic protocols that make security over the Internet possible.

The attack affects all SSLv2 servers and allows attackers to decrypt HTTPS traffic during transfer letting them spy on traffic. In some cases encryption can be broken within minutes!

The fix web servers is to disable SSLv2 support:

  • For Apache: SSLProtocol all -SSLv2 -SSLv3
  • For Nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For more information on the attack and research paper take a look at the official DROWN Attack website.

Dogsbody Technology are Linux SysAdmin’s, building secure scalable reliable servers for the internet. We keep our servers up-to date and in doing so have already mitigated this attack.

If you want your site checked or have any questions please contact us.

CVE-2015-7547 glibc vulnerability

In the past few days Google has identified a vulnerability in glibc (GNU C Library). It allows attackers to crash processes and potentially run code remotely on your server.

The vulnerability itself is best described by the Google Security Team’s blog-post. To summarise:

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack… …Remote code execution is possible, but not straightforward.”

glibc is a library which provides many basic functions and system calls to C programs. Since libraries are only loaded in when a program is started, this means that only daemonised (a process which is left running in the background) programs are effected. When those programs are restarted they will load in the new glibc library which mitigates the issue.

You can get a list of all programs using glibc by running a command such as:

sudo lsof | grep libc | cut -d' ' -f 1 | sort | uniq

This shows that glibc is tied into nearly every service on a typical Linux system.  It can quickly become a large job to restart each process, especially in the correct order.  The quickest way of doing this is by rebooting your server.

Our advice regarding this matter is:

  1. Ensure the latest glibc packages are installed.
  2. Reboot your server (or restart all processes that use glibc)

Feel free to get in touch if we can help with this.

Privacy

Data Privacy Day 2016

Today is Data Privacy Day! It’s been taking place annually on the 28th of January since 2007, and this year is no different. As you may have worked out already, data privacy day is all about protecting and maintaining your privacy, especially in the online world. One of the main focuses of the day is raising awareness of data protection requirements and best practices, so we thought we’d talk about some organisations and laws that help to do so.

Summary

  • If you’re a UK business and store any customer information, you need to register with the ICO
  • If a user types payment card information into your website, you are required to be PCI DSS compliant

Data Controllers & The ICO

The Information Commissioners Office (ICO) is interested in upholding rights with regards to information and does so in the public interest. It keeps track of businesses that are storing personal information (data controllers), deals with enquiries and complaints, and encourages bodies to comply with particular laws such as the Freedom of Information Act and the Data Protection Act.

The Data Protection Act stipulates that “every organisation processing personal information” must register as a data controller with the ICO (unless you are exempt), so make sure you do so if this applies to you! The responsibilities of a data controller cover things such as making sure you’re not holding onto data for longer than necessary, and that you are only recording information for the reasons specified to the ICO upon registering as a data controller.

The ICO can also provide you with help and advice on ensuring you’re upholding your responsibilities as a data controller. We highly recommend filling out the self assessment provided by the ICO to help you determine if you need to register with them.

PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS), and compliance is all about certifying that your company is handling payment card data in a safe and secure manner. It’s purpose is to try and improve the security of the online payment process, at the benefit of both the merchant and consumer.  If your website or application accepts, transmits or stores payment card information, then you must be PCI DSS compliant.

There are different levels of compliance which you must meet depending on how many payments you process and the way in which you do so. If you’re using a payment gateway, such as SagePay or PayPal, which redirects users to an external page, then you probably only need to to fill out a self-assessment questionnaire to gain compliance. You can find that questionnaire here.

If you don’t meet the standards, then you’re leaving yourself open to the possibility of very hefty fines and damage to your brand image. Setting up and securing your servers to aid in meeting the standards is something that we at Dogsbody Technology are perfectly suited to, so please get in touch if you have any questions or think that we can help!

Feature image by g4ll4is under the CC BY-SA 2.0 license.

CVE-2014-3566 – POODLE

What is POODLE

The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows an attacker to obtain data transferred with the SSL 3.0 protocol.  An attacker acting as a man in the middle can downgrade a TLS connection to SSL 3.0 and then use a padding-oracle attack to access sensitive information such as cookies.  Since stealing a user’s cookies will allow an attacker to login as that user, they are the most likely target of a POODLE attack.

Prevention

This vulnerability can be fixed either on the server or in the client.

Site owners can protect their users against POODLE attacks by disabling TLS fallback or SSL 3.0 (Note that disabling SSL 3.0 will break the site for IE6 users):

  • For Apache: SSLProtocol all -SSLv2 -SSLv3
  • For Nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Browsers are rolling out fixes but for users the quickest fix is to disable SSL 3.0:

  • In Firefox this is done by going to about:config and setting security.tls.version.min to 1
  • Chrome users have to use the command line flag --ssl-version-min=tls1

Going deeper

This attack is possible because SSL pads requests to fill the last block before encryption.  SSL 3.0 only requires the last byte to be checked by the server; it must have a value equal to the number of bytes that have been used for padding.  The values of the other padding bytes are not validated, this allows an attacker to move the block they want to decrypt to the the last block and try all 256 possible values until the server accepts the request, allowing them to decode one byte of the cookie.  An attacker in a privileged network position (or sharing public WiFi) just needs to downgrade the SSL connection from TLS to SSL 3.0 and then use JavaScript to quickly obtain a cookie one byte at a time.

For more technical information I would recommend this article by ImperialViolet.

Feature image made by Koji Ishii licensed CC BY 2.0

CVE-2014-0160 – Heartbleed

A vulnerability has been discovered that allows anyone over the internet to read data straight off of your server.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
– Bruce Schneier

Labelled “Heartbleed” this vulnerability leaves your servers memory vulnerable and accessible to be read by anyone. A lot of private information is at risk, everything from passwords to SSL certificate keys are loaded into memory so often it is only a matter of time until a malicious user gets them.

The affected software, OpenSSL is a library that provides tools for encryption. OpenSSL is installed by default on many Linux systems as many core tools depend on it for SSL. It is widely used by servers for web, email, remote shell, VPN, file transfer and much more…

Test your website for the Heartbleed vulnerability.

The following command lists all services using libssl:

sudo lsof | grep libssl

The only fix is to upgrade OpenSSL to a non-vulnerable version and restart all services using it. Since it is used by so many services it can quickly become a large job to restart each process, especially in the correct order. The quickest way of doing this is by rebooting your server.

For more reading see the official Heartbleed website.

Our advice regarding this matter is:

  1. Ensure a fixed OpenSSL package is installed.
  2. Reboot your server (or restart all processes that use OpenSSL)

Feel free to get in touch if we can help with this.

Feature image by Alan O’Rourke under the CC 2.0 license.