Tickbox – Posts for category: Security

Goodbye SHA-1, Hello SHA-2

Any website that uses and stores customer information will require some form of security. That’s a fact.

From January 1, 2016 the majority of browsers will start removing support for SSL certificates signed with an outdated hash algorithm: SHA-1 (short for “Secure Hash Algorithm”). Furthermore, it seems payment providers are also getting in on the act: SagePay have recently released a statement indicating that their services will only accept SHA-2, the younger, better brother of SHA-1 – well, until the next release comes along!

Why is it necessary?

Due to security concerns over growing computing power (and we know of a few recent ones!), 1024-bit (SHA-1) certificates have come under scrutiny, prompting a move towards a newer and more secure form of data transmission which uses 2048-bit encryption.

Google Chrome (and similarly Firefox) is deprecating support for SHA-1 before the year is out, so checking and upgrading now is paramount. All SHA-1 support will be removed by the end of 2016. Your site will continue to be served, but with that unruly error: “Your website is not trusted.”
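One way to check whether a certificate is still SHA-1 signed, as an added example that is not part of the Tickbox post: a standard-library Python script that walks the DER structure of an X.509 certificate and reads the outer signatureAlgorithm OID. The certificate bytes it runs on here are constructed for the demonstration and are not a real certificate; to check a live site, pass the PEM returned by ssl.get_server_certificate() through pem_to_der() first.

```python
import base64

# OIDs of the two RSA signature algorithms this post is about (RFC 4055)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of signatureAlgorithm in Certificate ::= SEQUENCE {tbs, sigAlg, sig}."""
    _, start, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der[oid_start:oid_end])

def is_sha1_signed(der):
    return "sha1" in SIG_ALGS.get(signature_algorithm(der), "").lower()

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

# CONSTRUCTED stand-in cert: empty tbsCertificate, given OID, dummy signature
def make_sample_cert(oid_bytes):
    alg = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

An OID missing from SIG_ALGS (ECDSA signatures, for example) is reported as not SHA-1, so extend the table before relying on the result.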


Hackers never sleep, so system administrators should not either.

What do I need to do?

If you have a website hosted with us, be it shared or on a dedicated machine, rest assured we already have this protection in place. Your SSL renewal will take place as normal and there won’t be an additional charge. If your renewal has just passed… don’t sweat it. You’ve already been taken care of.

If you are not a client of ours, not a problem – contact us on 0117 325 0091 or support@tickboxmarketing.co.uk to discuss your setup. If you do have a current server or hosting provider, though, your best option is to contact them to see whether you need to upgrade.

DirtyCow moooo-ving to a server near you

No, you read that right. DirtyCow – or copy-on-write for those inclined – is the latest hidden vulnerability to hit unprotected servers and, in some cases, Linux-driven smartphones.

What is DirtyCow?

DirtyCow, officially CVE-2016-5195, has actually been in existence for 9 years. It allows attackers to manipulate permissions and escalate their privileges in the Linux kernel, ultimately handing control to the attacker.

Phil Oester was able to detect this as it was used in an attempt to take over a server that he was running.

Although not as bad as previous exploits (Heartbleed, OpenSSL), security experts say that if a patch is available you should apply it anyway. Even though it is less likely to be exploited, DirtyCow should still be taken seriously because there is evidence of abuse. Note that, as it’s not your standard update to Linux packages, updating the kernel does require a server reboot.

Here at Tickbox, working with our hosting partners Rackspace, we actively make sure our servers remain up to date, to control critical issues that can plague unprotected web servers. Our servers were patched, cleaned and back up and running in the blink of an eye!

If you have concerns about your hosting environment and/or need an agency to help with issues like this, please do contact us on 0117 325 0091 or email us at support@tickboxmarketing.co.uk – we will be more than happy to help. We can cater for any needs, be it web hosting or Service Level Agreements (SLAs).

Attack of the botnets – what can you do to keep your WordPress site safe

If you have a WordPress site, it’s probably being attacked by hackers right now. In fact, industry research suggests that there are more than 3,300 automated bots attempting to access any given WordPress site at any time.

Does that mean WordPress isn’t secure? No – WordPress is simply the world’s most popular website development platform. Sites built on other platforms will be attacked too, but the sheer number of WordPress sites means the figures add up.

Botnets are networks of infected computers that can be controlled remotely by hackers. The number one reason for trying to hack your site is to use it to distribute malware to other computers or to send spam emails. If your website is hacked, it can lead to you being blacklisted and removed from search engines, or completely blocked from public view.

While WordPress is generally a very secure platform, with the number of attacks happening it’s important that you do everything you can to ensure you don’t become a victim. There are a number of security methods you can use.

What can you do about it?

1: Password and Username

This is probably the most important – and simplest – barrier to botnet attacks, and often the biggest weakness in sites that get hacked.

One of the main ways to break into a site is to use a program to “guess” usernames and passwords – trying hundreds of combinations a minute.

The default username for a WordPress site is “admin”. If you do anything, change this: it will be the first username the hackers try. Call it something that can’t be guessed – for instance, if your company is called John Doe Llama Sanctuary, don’t use John_Doe (or anything similar) as a username.

Similarly with your password – you’d be surprised how many users still have password1234 or similar. The best bet is to use a random password generator (e.g. passwordsgenerator.net) to create something complex that will not be guessed.

2: Check your site for vulnerabilities

There are online tools to check your site to ensure it is secure. Tools such as Hacker Target can show you how hackers see your site – they will highlight vulnerabilities and tell you when things like out-of-date plug-ins might be compromising your security. You can then fix these yourself, or contact your web company for help.

3: Talk to your web company and/or hosting provider or talk to us about our Tickbox Support-Extra Packages

There are plenty of things your web company and web hosts can – and should – do to keep your site secure. At a minimum you should check that they are:

Using security and monitoring tools such as WordFence to make sure plug-ins are up to date and to monitor any hacking attempts
Making regular back-ups of your site to ensure
Using secure hosting – ask what steps they have taken to secure your server
Regularly updating your site to make sure you have the latest versions of WordPress and any plug-ins you use. Out-of-date software is particularly vulnerable

Provided you take these measures, WordPress is an extremely secure platform – but vigilance is always recommended. Stay safe out there!
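A simple way to spot the automated username and password guessing described in point 1 in your own web server logs, as an added example that is not part of the Tickbox post: a standard-library Python script that parses combined-format access log lines and flags any client address that POSTs to the WordPress login endpoints more than a threshold number of times within a one-minute window. The log lines, addresses, timestamps and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache or nginx (status is all we need after the request)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_login_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: total_attempts} for addresses that POST to wp-login.php or
    xmlrpc.php more than `threshold` times inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _ = rec
        if method == "POST" and path in ("/wp-login.php", "/xmlrpc.php"):
            attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

def sample_log():
    """CONSTRUCTED sample: one bot hammering wp-login.php, one genuine visitor."""
    base = datetime(2016, 10, 21, 15, 51, 14)
    lines = []
    for i in range(30):  # 30 POSTs in 30 seconds from the bot (documentation address)
        t = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'203.0.113.7 - - [{t} +0000] "POST /wp-login.php HTTP/1.1" 200 4123')
    for i, (m, p) in enumerate([("GET", "/"), ("GET", "/wp-login.php"), ("POST", "/wp-login.php")]):
        t = (base + timedelta(minutes=i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'198.51.100.5 - - [{t} +0000] "{m} {p} HTTP/1.1" 200 512')
    return lines
```

Run it over a real access log with find_login_bursts(open("access.log")) and feed the flagged addresses to whatever blocking or alerting your host already provides.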