Industry News

POODLE – Vulnerability in SSL 3.0 and How It Affects You

In a clear reminder of the importance of keeping software up to date, Google yesterday announced the discovery of a bug in SSL 3.0, a version of the SSL protocol that is 15 years old. The bug, named POODLE, leaves transactions originating from certain outdated browsers and/or operating systems vulnerable to attack.

The key point, though, is that even though newer and more secure versions of SSL are out and are being used, browsers fall back to older protocols when connections fail. This means an attacker can cause connection problems with the intent of triggering a deprecated version of SSL, leading to the exploitation of the service and allowing once-encrypted information to be seen in plain text. The newly disclosed vulnerability in SSL 3.0 does exactly this. The term ‘POODLE’ is an acronym for Padding Oracle On Downgraded Legacy Encryption. You can read more about Google’s assessment of the bug on its Online Security Blog.
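The fallback behaviour described above is visible in the handshake itself. The following Python code is an added example, not part of the original post: it parses one client's successive ClientHello records and reports when the retries end at SSL 3.0, and it goes one step beyond the post by checking the last hello for TLS_FALLBACK_SCSV (RFC 7507). Function names, result labels and the sample hellos are constructed for illustration.

```python
import struct

SSL3 = 0x0300
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507

def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (sample data, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session_id
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, min(version, 0x0301), len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from one TLS handshake record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or rec_len < 41 or body[0] != 1:
        raise ValueError("not a complete ClientHello")
    version = int.from_bytes(body[4:6], "big")
    pos = 38 + 1 + body[38]          # skip header, version, random and session_id
    if pos + 2 > len(body):
        raise ValueError("truncated session_id")
    n = int.from_bytes(body[pos:pos + 2], "big")
    suites = body[pos + 2:pos + 2 + n]
    if len(suites) != n or n % 2:
        raise ValueError("truncated cipher suite list")
    return version, list(struct.unpack(f"!{n // 2}H", suites))

def classify_retries(hellos):
    """Classify one client's successive ClientHellos to the same server."""
    parsed = [parse_client_hello(h) for h in hellos]
    version, suites = parsed[-1]
    if version != SSL3:
        return "ok"
    if all(v == SSL3 for v, _ in parsed):
        return "ssl3-only-client"    # outdated client, no downgrade involved
    # A newer version was offered first, so this SSL 3.0 hello is a fallback retry.
    if TLS_FALLBACK_SCSV in suites:
        return "fallback-signalled"  # an SCSV-aware server can refuse the downgrade
    return "silent-downgrade"        # nothing tells the server this is a retry

if __name__ == "__main__":
    dance = [build_client_hello(v, [0x002F, 0x0035]) for v in (0x0303, 0x0302, 0x0301, 0x0300)]
    print(classify_retries(dance))
```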

As soon as this flaw was announced, we removed access through SSL 3.0 to our servers and there is no reason to suspect any security breach. We strongly suggest that you take note of these developments and take steps to protect yourself against the POODLE loophole.

How does this affect you?

  • If you’re in the less than one percent of users relying on outdated browsers, simply download a newer client such as Mozilla Firefox or Google Chrome. The latest clients use TLS, a more secure protocol than SSL, and have the added benefit of updating automatically, which can help you remain secure in the future!

  • If you are using Chrome, you can disable SSL 3.0 by starting it with the command line flag --ssl-version-min=tls1.

  • If you are using the latest version of Firefox, it will be disabling SSL 3.0 in its November 25th update by default. However, you don’t have to wait for that update. Mozilla has created a plugin that will allow you to set the minimum SSL version that Firefox will accept. Some other workarounds to patch this vulnerability can be found here.

  • If you are using Internet Explorer 11, you can disable SSL 3.0 support by going to: Setting -> Internet Options -> Advanced Tab -> Uncheck “SSLv3” under “Security”.

Further Reading:

We strongly suggest that you communicate the discovery of this bug and its remedy to all your clients.

If you’re a LogicBoxes Partner, stay tuned to our forums for further updates! Feel free to get in touch with us if you need any further information!

The Heartbleed Bug – What’s going on!?

The internet is abuzz with reports on the Heartbleed Bug and how it could be one of the biggest security threats the Internet has ever seen. Earlier this week, security researchers announced a security flaw in OpenSSL (a popular open-source encryption library) that gives hackers the ability to extract massive amounts of data from the services that we use every day and assume are mostly secure. The bug has exposed a potential vulnerability in any machine powering services that transmit secure information, like Facebook and Gmail.

At LogicBoxes, we have already implemented remedial measures so as to secure the Businesses of our Partners from any further security threats due to this bug. In this blog post we’ll take you through:

  • What is the Heartbleed bug?
  • What steps are we taking?
  • What steps should you be taking?

What is the Heartbleed Bug?

Heartbleed is a flaw in OpenSSL, the open-source encryption library used by the majority of sites on the web to encrypt transmitted data that users want to keep secure. It basically gives you a “secure line” when you’re sending an email or chatting on IM. Encryption works by making the data that is sent look unintelligible to anyone but the intended recipient.

Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a “heartbeat,” a small packet of data that asks for a response.

Due to a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end of a connection into sending over data stored in its memory.
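The programming error described above comes down to a missing comparison between the length a heartbeat request claims and the bytes that actually arrived. The following Python code is an added example, not OpenSSL's code and not part of the original post: it applies the RFC 6520 rule (header, claimed payload and at least 16 bytes of padding must fit in the record) both as a detection rule and as a responder that discards bad requests. It assumes plaintext record bytes; the function names and sample records are constructed for illustration.

```python
import os
import struct

HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
REQUEST, RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding

def make_request(payload, claimed_len=None, version=0x0302):
    """Construct a heartbeat request record (sample data for this example).
    claimed_len overrides the payload_length field to build a malformed test input."""
    n = len(payload) if claimed_len is None else claimed_len
    msg = struct.pack("!BH", REQUEST, n) + payload + bytes(MIN_PADDING)
    return struct.pack("!BHH", HEARTBEAT, version, len(msg)) + msg

def inspect_heartbeat(record):
    """Return (hb_type, claimed_len, bytes_after_header), or None if not a heartbeat."""
    if len(record) < 8:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    msg = record[5:5 + rec_len]
    if ctype != HEARTBEAT or len(msg) != rec_len or rec_len < 3:
        return None
    hb_type, claimed = struct.unpack("!BH", msg[:3])
    return hb_type, claimed, msg[3:]

def claims_too_much(record):
    """Detection rule: payload_length asks for more bytes than the record carries."""
    info = inspect_heartbeat(record)
    return info is not None and info[1] + MIN_PADDING > len(info[2])

def respond(record):
    """Echo a valid request; discard anything else silently by returning None."""
    info = inspect_heartbeat(record)
    if info is None or info[0] != REQUEST or claims_too_much(record):
        return None
    _hb_type, claimed, rest = info
    # Only bytes that really arrived are copied into the reply.
    reply = struct.pack("!BH", RESPONSE, claimed) + rest[:claimed] + os.urandom(MIN_PADDING)
    (version,) = struct.unpack("!H", record[1:3])
    return struct.pack("!BHH", HEARTBEAT, version, len(reply)) + reply

if __name__ == "__main__":
    print(respond(make_request(b"ping")) is not None)          # well-formed request
    print(respond(make_request(b"ping", claimed_len=0x4000)))  # length field larger than record
```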

How bad is that?

It is really bad. Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. This flaw, however, has worse implications as it makes it possible for hackers to steal encryption keys – the codes used to turn gibberish encrypted data into readable information. With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.

What steps are we taking?

The security of our Partners and their customers is our top priority. We began addressing this issue immediately upon disclosure and have successfully applied patches to all of our platforms. The likelihood that private information was compromised is very minimal due to the lack of a public exploit at the time of the disclosure.

We have updated the OpenSSL packages installed on all our Linux shared hosting servers. We have also re-issued Digital Certificates on affected web servers after moving to a patched version of OpenSSL.

As always, we will continue to work to protect the security of our Partners and their data.

What steps should you be taking?

The Heartbleed bug makes it practically impossible to detect a history of abuse, but to be on the safe side, we strongly recommend that you change your Account passwords and also notify your customers to change their passwords. We also suggest that you change your passwords at other 3rd Party Services like Gmail, Facebook, etc.

For Partners selling Hosting and/or SSL certificates through us:

  • If you / your customers have purchased both Hosting and SSL Certificates for an installation from LogicBoxes, follow steps 1 and 3 below
  • If you / your customers have purchased Hosting from LogicBoxes and have SSL enabled on it with an SSL Certificate from a 3rd party vendor for your installation, follow steps 2 and 3 below
  • If you / your customers have purchased SSL Certificates from LogicBoxes but host with a 3rd party provider, follow step 1 below and reinstall the Certificate according to the instructions of your hosting provider
    1. Re-issue the SSL certificate from the OrderBox control panel by referring to the steps mentioned in the following KB article : http://manage.logicboxes.com/kb/servlet/KBServlet/faq1094.html
    2. Contact the SSL Certificate vendor to re-issue the SSL certificate. Once the SSL certificates are re-issued, you will need to install the new certificates under the hosting packages
    3. Install the reissued SSL Certificate by following the instructions relevant to you from the below options:
  • Also, partners reselling Hosting through us can use the force password reset option in WHM to ensure that all your hosting customers change their passwords

For Partners using LogicBoxes API:

We strongly recommend that you regenerate your API key by logging into your Control Panel and navigating to Settings >> API and clicking on the ‘Regenerate’ icon to get your revised API key. Update your API calls to use the new key.

Further Reading

If you are a LogicBoxes Partner and require any further information regarding the Heartbleed Bug, please feel free to get in touch with your Account Manager.

That’s it for our update on the Heartbleed bug. Have something to add to this post? Do share it in the comments.

.INFO, .ORG & .BIZ can now get on the Vertical Integration Bus

The ICANN board has passed a resolution to renew the Registry contracts of .INFO, .ORG and .BIZ Registries, with a number of clauses being changed. The renewed contracts are a product of months of negotiation sessions between ICANN and the Registries.

One of the biggest changes that was proposed by Registries was the removal of clause 7.1 (c) which places a restriction on Cross-ownership / Vertical Integration between Registries and Registrars. The clause was as follows:

7.1 (c) Restrictions on Acquisition of Ownership or Controlling Interest in Registrar.
Registry Operator shall not acquire, directly or indirectly, control of, or a greater than fifteen percent ownership interest in, any ICANN-accredited registrar.

The resolution to remove this clause effectively puts the .INFO, .ORG and .BIZ Registries on an equal footing with New gTLD Registries, who will, by default, have no restriction on integrating vertically. The impact of this change will be huge considering that Registries will now have greater control and flexibility over sales, marketing and distribution of their TLD.

Here’s a summary of all changes in the proposed INFO, ORG & BIZ agreements, compared to the existing Registry agreements.
 

Global DDOS Attack on WordPress Sites by Hackers

WordPress is easy. That’s why people like it. It’s quick to set up a simple site. It’s easy to manage large amounts of content. It’s easy to add functionality without having to know how to code PHP because there is such a large developer community that makes tons of free plugins.

If you and your customers are running WordPress sites, now would be a good time to ensure that strong passwords are always used and that your username is changed from “admin”. According to reports, there is currently a significant attack being launched at WordPress blogs across the Internet. For the most part, this is a brute-force dictionary-based attack that aims to find the password for the “admin” account that every WordPress site sets up by default. This attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is very difficult to block all malicious data.

To ensure that websites are secure and safeguarded from this attack, we recommend the following eight-step process: (feel free to share this with your customers)

1. Avoid Obvious Passwords. Use a hefty mix of alphabets, numbers and alpha-numeric characters to create a good, strong password

2. Immediately change your passwords to the WordPress admin area, FTP, any control panels, and all email accounts

3. Change the Admin Username. The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations. So if you are still using “admin”, create a new user with admin privileges (you will need to use a different email address than the one attached to the current administrator account) and give it a strong password as defined above. Then log back in as the new user, delete the old admin account and assign all of the posts in that account to the new user. The five minutes you spend here will ensure that your hours of hard work are safe and secure.

4. Scan your computer for viruses, keyloggers, rootkits, and botnet software. Make sure the scan is performed on all computers that have access to your site admin area

5. Update WordPress and all plugins to the latest versions

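6. Add this to the .htaccess file in your document root (public_html, www, htdocs, etc.). This is in order to stop direct automated attempts to log in to your site:

# Refuse POSTs to the login page that do not carry a Referer from this site.
# The Referer header is set by the client, so this only stops bots that do not send one.
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
# Accept http or https, the bare domain and any subdomain
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yourdomain\.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]

Note: Replace yourdomain\.com above with your domain (keep the backslash before each dot and leave everything else as it is)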

7. Now for the Plugins to install on all WordPress installations:

8. We recommend that you use Cloudflare to prevent the attack from affecting the functionality of sites that belong to you and your customers
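To see how much of a site's login traffic the step 6 rule would refuse, and why per-IP blocking struggles against a distributed attack, the access log can be summarised as follows. This Python code is an added example, not part of the original post; it assumes Apache combined log format, treats a same-site Referer as an http or https URL on the domain or a subdomain, and uses constructed log lines with documentation IP addresses.

```python
import re
from collections import Counter

LOG = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                 r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1711 "-" "-"',
    '198.51.100.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1711 "-" "-"',
    '203.0.113.5 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1711 "http://other.test/" "-"',
    '192.0.2.44 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://www.example.com/wp-login.php" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Apr/2013:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 '
    '"https://www.example.com/wp-login.php" "Mozilla/5.0"',
]

def would_block(method, path, referer, domain):
    """Mirror the step 6 rule: POST to wp-login.php or /wp-admin without a same-site Referer."""
    same_site = re.match(rf"https?://([^/]+\.)?{re.escape(domain)}(?=[:/]|$)", referer, re.I)
    target = re.match(r"/wp-login\.php", path) or path == "/wp-admin"
    return method == "POST" and not same_site and bool(target)

def summarize(lines, domain):
    """Count login POSTs, how many the rule refuses, and how they spread across clients."""
    posts, refused = 0, Counter()
    for line in lines:
        m = LOG.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        posts += 1
        if would_block("POST", m["path"], m["referer"], domain):
            refused[m["ip"]] += 1
    return {"login_posts": posts, "refused_posts": sum(refused.values()),
            "refused_clients": len(refused),
            # A low per-client maximum with many clients is the distributed pattern:
            # no single address sends enough attempts to trip a per-IP limit.
            "max_per_client": max(refused.values(), default=0)}

if __name__ == "__main__":
    print(summarize(SAMPLE, "example.com"))
```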

Current statistics confirm that one in every six sites on the web runs on WordPress. That’s a lot of fodder to make a botnet out of! You can ensure your customers’ sites don’t get affected by making them aware of these simple fixes.

Got better ways to secure WordPress? Do comment and let us know!

.SX – The Hottest New Domain of 2012 is Live on OrderBox!

.SX, the official ccTLD for St. Maarten, is now available on OrderBox.

Branded as the ‘Hottest new TLD of 2012’, the .SX domain is associated with adult content and falls in the same bucket as .XXX. The .SX Registry is managed by SX Registry SA and they’ve partnered with OpenRegistry to provide the back-end Registry services.

Anyone can register a .SX domain name without any restriction or requirement for local presence on the Island.

Registrars: Please contact your Account Managers for introductory pricing and white-labeled marketing collateral.