Security

Another SSL vulnerability, the POODLE bug, has surfaced. Server-side measures have been taken.

SSL 3.0 POODLE vulnerability - October 16th, 2014

Just a few months after the Heartbleed bug shattered the believed-to-be-secure SSL/TLS encryption layer status quo and put data transfers, emails, instant messages, etc. at risk, a new SSL vulnerability has been brought to light by Google experts.

According to Google researchers, a weakness in the SSL 3.0 protocol could be used to eavesdrop on critical data that is transferred over an encrypted connection between web browsers, apps, etc. and servers.

The ‘new’ bug is called POODLE – an acronym for Padding Oracle On Downgraded Legacy Encryption.

The mechanism of the POODLE attack

The newly discovered POODLE exploit poses a serious threat to online security, since it affects an old SSL version that the majority of servers and clients still support.

It allows attackers to trick a web client into believing that the server does not support the more secure TLS (Transport Layer Security) protocol, so that the client falls back to connecting via SSL 3.0.

This downgrade maneuver opens the door to abuse: once the connection is on SSL 3.0, attackers can decrypt the secured HTTP data and steal the protected information.

Measures taken against POODLE attacks

With the discovery of POODLE, the security specialists at Google instantly recommended measures for dealing with this encryption issue.

First and foremost, the SSL 3.0 protocol needs to be disabled for both participants in the SSL communication – the server and the client, and they need to default to the more secure TLS. This will stop attackers from forcing the communication to go through the exploited SSL 3.0.

Server-side measures:

In response to the Google team’s recommendation, our web hosting servers no longer support SSL 3.0 or older versions of the protocol. Also, our administrators have set the minimum SSL requirement to the proven secure TLS 1.0.

NOTE: As a result, an Internet Explorer browser whose version is 6.0 or older will not be able to access websites hosted on our servers.

Client-side measures:

As far as web clients are concerned, Google specialists recommend that end users immediately disable SSL 3.0 support in their browsers, if such exists.

In response to the issue, Google plans to remove SSL 3.0 support completely from all its products in the upcoming months. Currently, they even offer a Chromium patch, which disables the SSL 3.0 fallback.

Mozilla has also announced plans to turn off SSL 3.0 in Firefox and it will be disabled by default in Firefox 34, which will be released in November. They also offer code for disabling the protocol, which is now available via Nightly. Also, you can use the SSL Version Control add-on for Firefox.

Upcoming actions against POODLE attacks

To further secure our system against future downgrade attacks, our admins are also planning to implement TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value) on all our servers shortly. We’ll keep you posted.
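The downgrade described above and the TLS_FALLBACK_SCSV defence mentioned here, as an added simulation that is not the hosting provider's code: a toy client, server and on-path attacker exchange dict messages instead of real TLS records, and the "retry one version lower" client behaviour and the single cipher suite name are simplifications.

```python
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value defined in RFC 7507

class Server:
    def __init__(self, min_version, max_version, honours_scsv):
        self.min_version, self.max_version = min_version, max_version
        self.honours_scsv = honours_scsv  # True once SCSV support is deployed

    def handle(self, client_hello):
        ver = client_hello["version"]
        if ver < self.min_version:               # e.g. SSL 3.0 disabled, minimum TLS 1.0
            return {"alert": "protocol_version"}
        if (self.honours_scsv and TLS_FALLBACK_SCSV in client_hello["ciphers"]
                and ver < self.max_version):
            # The client says it is retrying after a failure, yet we support more:
            # something on the path interfered, so refuse the downgrade.
            return {"alert": "inappropriate_fallback"}
        return {"server_hello": min(ver, self.max_version)}

def fallback_dance(server, attacker_blocks_above, client_sends_scsv, client_max=TLS12):
    """Legacy browser behaviour: when a handshake fails, retry one version lower.
    attacker_blocks_above=SSL3 models an on-path attacker dropping every handshake
    above SSL 3.0; None means nobody interferes."""
    offered = client_max
    while offered >= SSL3:
        ciphers = ["AES128-SHA"]  # placeholder for the normal suite list
        if client_sends_scsv and offered < client_max:
            ciphers.append(TLS_FALLBACK_SCSV)  # mark this hello as a fallback attempt
        hello = {"version": offered, "ciphers": ciphers}
        if attacker_blocks_above is not None and offered > attacker_blocks_above:
            offered -= 1        # handshake never answered; client retries lower
            continue
        reply = server.handle(hello)
        if "alert" in reply:
            return ("failed", reply["alert"])
        return ("connected", reply["server_hello"])
    return ("failed", "no common version")
```

With a legacy server the dance ends on SSL 3.0; with SSL 3.0 disabled the connection fails instead of downgrading, and with SCSV honoured on both sides the server refuses the fallback even though it still allows SSL 3.0.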


ModSecurity now enabled with all VPSs

The ModSecurity Apache module is a great solution for minimizing the number of hack attacks on websites and applications.

It acts as an application-layer firewall and is able to effectively prevent most brute force and URL forgery attacks and forum spamming attempts targeted at sites.

Some time ago, we enabled the ModSecurity protection layer as a default feature with all shared hosting accounts. Now the highly effective anti-hack firewall is enabled with all VPSs as well.

ModSecurity enabled on all VPSs

As with shared hosting accounts, the ModSecurity firewall is enabled by default on your VPS, so you don’t have to configure anything in order to have your websites protected.

ModSecurity is running in blocking mode, so it will automatically block all incoming requests that are flagged as insecure according to the commercial rule set from http://www.atomicorp.com.

You can access the ModSecurity section in the Hepsia Control Panel from the newly added shortcut on the Control Panel’s home page or from the Advanced drop-down menu:

ModSecurity in the Control Panel

How does ModSecurity exactly work?

Over 70% of all attacks are now carried out at the web application level, and being a web application firewall (WAF) itself, ModSecurity effectively addresses this problem.

Its purpose is to establish an external security layer, which allows for HTTP traffic monitoring and real-time analysis, and it offers a powerful API for implementing the advanced protection needed.

This way, the firewall ensures an enhanced level of security, where the malicious attacks are detected and prevented before they reach the web applications.

ModSecurity against brute force attacks

ModSecurity has proven to be very efficient in preventing “brute force” attacks, i.e. attempts to guess the username and password of a web application by trying combinations from a predefined set of usernames and passwords.

Thanks to the ModSecurity firewall, if there are more than 15 failed login attempts from an IP address within 3 minutes, the IP address will be blocked from accessing the website for the next 30 minutes.
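The threshold rule quoted above, as an added illustration that is not ModSecurity's own rule language or the Atomicorp rule set: a per-address sliding window replayed over constructed "epoch ip FAIL|OK" login events, so the 16th failure within 3 minutes triggers a 30-minute block that expires on its own.

```python
import re
from collections import defaultdict, deque

MAX_FAILURES = 15      # more than 15 failures ...
WINDOW_SECONDS = 180   # ... within 3 minutes ...
BLOCK_SECONDS = 1800   # ... blocks the address for 30 minutes
class LoginRateLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        if ip in self.blocked_until and now < self.blocked_until[ip]:
            return True
        self.blocked_until.pop(ip, None)    # not blocked, or block has expired
        return False

    def record_failure(self, ip, now):
        """Return True when this failure pushes the address over the threshold."""
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:   # drop failures outside the window
            recent.popleft()
        if len(recent) > MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            recent.clear()
            return True
        return False
LOG_LINE = re.compile(r"^(\d+) (\S+) (FAIL|OK)$")  # constructed format: epoch ip result

def process_log(lines):
    """Replay login events and return a (timestamp, ip, decision) per parsed line."""
    limiter, decisions = LoginRateLimiter(), []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, ip, result = int(m.group(1)), m.group(2), m.group(3)
        if limiter.is_blocked(ip, ts):
            decisions.append((ts, ip, "DROP"))      # still inside the 30-minute block
        elif result == "FAIL" and limiter.record_failure(ip, ts):
            decisions.append((ts, ip, "BLOCK"))     # 16th failure within 3 minutes
        else:
            decisions.append((ts, ip, "ALLOW"))
    return decisions

# Constructed sample: 16 failures in 150 s from one address, a login while blocked,
# a login after the block expires, and an unrelated address with a single failure.
SAMPLE_LOG = ([f"{1000 + 10 * i} 203.0.113.5 FAIL" for i in range(16)]
              + ["1170 203.0.113.5 OK", "2960 203.0.113.5 OK", "2970 198.51.100.7 FAIL"])
```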

So far, the ModSecurity plugin has reduced the number of hacked websites on our servers dramatically.

If you have any questions about ModSecurity and about how it will work on your Virtual Private Server, don’t hesitate to contact our support team by opening a ticket from the Web Hosting Control Panel.

Password Setup interface added for new web hosting accounts

Password transmission over email has always been a hot topic for security-sensitive users, and for good reason: password thieves keep inventing new ways of stealing private information.

We’ve addressed this issue by moving passwords out of welcome emails and by implementing a password setup interface for first-time customers.

The interface will be applicable both to new hosting account signups and to situations when users request to reset their passwords.

A Password Setup interface for new customers

From today, welcome emails sent to newly registered users will feature special instructions on how to set up their hosting account passwords on their own:

Password Setup interface - Welcome mail

Through a special link, they will be taken to a secure page where they can set up their web hosting account password:

Password setup interface - login page

After they type their password in the two fields following the password strength tips that we have included in the form, they will be able to log into their hosting accounts immediately.

The password they set through the form will also be valid for the FTP account, which is created for the user at signup.

A Password Setup interface for resetting passwords

The password setup form can also be used in cases of password changes. When a customer requests to reset their password from the login form of the Web Hosting Control Panel, they will be sent an email notification, which will forward them to the same password setup form:

Password setup interface - reset password

After filling out the form, the user will be instantly logged into the Control Panel with the new password.
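How a one-time setup link of the kind described above can be issued at signup or on a reset request and then consumed by the form, as an added example that is not the provider's implementation: the URL, the 24-hour lifetime, the 12-character minimum and the PBKDF2 storage are all assumptions.

```python
import hashlib, hmac
import secrets, time

TOKEN_TTL = 24 * 3600          # assumption: a setup link is valid for one day
MIN_PASSWORD_LENGTH = 12       # assumption: stands in for the form's strength tips
PBKDF2_ROUNDS = 200_000

class PasswordSetupService:
    def __init__(self):
        self.pending = {}      # sha256(token) -> (account, expiry); never the raw token
        self.passwords = {}    # account -> (salt, pbkdf2 digest)

    def issue_link(self, account, now=None):
        """Used both at signup and when a reset is requested from the login form."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable, travels only in the e-mail
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (account, now + TOKEN_TTL)
        return "https://cp.example.invalid/setpass?token=" + token  # hypothetical URL

    def set_password(self, token, password, confirmation, now=None):
        """Consume the link: returns 'ok' or the reason the form was rejected."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.get(key)
        if entry is None:
            return "invalid_token"           # unknown, or already used
        account, expires = entry
        if now > expires:
            del self.pending[key]
            return "expired"
        if password != confirmation:
            return "mismatch"                # the two fields must agree
        if len(password) < MIN_PASSWORD_LENGTH:
            return "too_short"
        del self.pending[key]                # single use: the link dies here
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.passwords[account] = (salt, digest)
        return "ok"

    def verify(self, account, password):
        """Login check for the Control Panel (and, per the text, the FTP account)."""
        record = self.passwords.get(account)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)
```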

NOTE: Since the hosting account password will no longer be readily available to the user in written form, users are advised to save their passwords in the browser or in a password management tool right away.

[Fri, 28 Nov 2014] – Thousands of CMS sites threatened by CryptoPHP malware. Learn how to protect your sites.

Our admins detected a series of attacks on CMS-based sites on our platform over the weekend, which appeared to be part of the CryptoPHP hacker ‘campaign’.

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plugins to compromise web servers.

This turns out to be a global phenomenon, which was discovered by experts in the Netherlands through a compromised Joomla plugin on a customer’s site. The plugin had been downloaded from a legitimate-looking site that offers a list of free, backdoored themes and plugins.

What is the CryptoPHP malware all about?

By downloading and installing pirated CMS themes and plugins on their own sites, users also install the CryptoPHP backdoor, which empowers attackers to exercise remote control over their sites.

The CryptoPHP malware can inject infected content into the compromised sites and even update itself.

However, the main purpose of the malware is to conduct blackhat SEO operations. Experts have detected links and text injected into the compromised pages with the sole purpose of tricking crawlers into giving the attackers’ sites backlink credit and PageRank.

Experts have identified thousands of plugins that have been backdoored using CryptoPHP, including both WordPress and Joomla plugins and themes and Drupal themes.

The exact number of websites affected by CryptoPHP has not been determined yet. However, specialists have reasons to believe that they are at least a few thousand.

How are sites on our platform affected by CryptoPHP?

Unfortunately, a few CMS sites on our platform became the target of CryptoPHP hackers as well. Upon locating the attack, our admins made a thorough investigation of the affected sites and found that they all contained files such as ‘social.png’, ‘social0.png’ or ‘social1.png’ among their files, which are actually PHP scripts rather than PNG images.

They have managed to clean all infected sites of the malware. However, they cannot guarantee that CMS users will not be compromised again if they download a pirated CMS theme or plugin from the web.

What should I do to make sure I am not affected?

If you have ever installed pirated or untrusted WordPress/Joomla/Drupal plugins/themes/templates, you are potentially susceptible to a CryptoPHP attack.

This is why you need to take immediate measures and check your sites for files named ‘social.png’. If the file is a PHP script instead of a PNG image, your site is probably backdoored.

Also, if you realize that you are infected, you can contain the problem temporarily by activating the Outgoing Connections Firewall from your Web Hosting Control Panel:

The backdoored sites are trying to make outgoing connections to certain IPs, so this will help you pause the attack until you find a way to resolve the problem.
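The file check recommended above, as an added example that is not part of the original post: instead of trusting the extension, it reads the first bytes of every .png under a site root and flags any file that lacks the PNG signature, including the PHP-script-named-as-image case; the demo tree, paths and the placeholder PHP body are constructed.

```python
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every genuine PNG starts with these 8 bytes

def classify(path):
    """Decide what a file is from its leading bytes, not from its name."""
    with open(path, "rb") as f:
        head = f.read(512)
    if head.startswith(PNG_MAGIC):
        return "png"
    if b"<?php" in head or head.lstrip().startswith(b"<?"):
        return "php"
    return "unknown"

def find_suspicious_images(root):
    """Return (relative path, kind) for every .png under root that is not a PNG."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".png"):
                path = os.path.join(dirpath, name)
                kind = classify(path)
                if kind != "png":
                    hits.append((os.path.relpath(path, root).replace(os.sep, "/"), kind))
    return sorted(hits)

def build_demo_tree():
    """Constructed site tree: a genuine PNG, a PHP script named social.png and a
    corrupt social1.png. The PHP body is a harmless placeholder, not the malware."""
    root = tempfile.mkdtemp()
    files = {
        "images/logo.png": PNG_MAGIC + b"\x00" * 16,
        "wp-content/plugins/demo/social.png": b"<?php /* constructed placeholder */ ?>",
        "templates/theme/social1.png": b"neither a png header nor php",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for rel, kind in find_suspicious_images(build_demo_tree()):
        print(f"{kind:8} {rel}")
```

Anything reported as "unknown" deserves a manual look too, since a file named .png that is not a PNG has no legitimate reason to exist in a theme or plugin.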

The best way to protect yourself from the CryptoPHP malware is by making sure you download CMS themes/plugins from trusted developers’ sites and popular marketplaces.

Here you can find the whole report by the Dutch company, which diagnosed and publicized the CryptoPHP malware:

https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf