Cyber Security

A small business cyber security plan

October is National Cyber Security Awareness Month (NCSAM).  #BeCyberSmart #CyberAware

Security is everyone’s responsibility, so whether you’re a small business, medium enterprise, SaaS provider or web agency, grab a cuppa and learn some of the ways, we at Dogsbody, recommend improving your security.

You are 9 times more likely to be a victim of fraud than burglary.

With 15 years of experience behind us we feel qualified to produce our very own small business cyber security plan.

A small business cyber security plan

Security (cyber or otherwise) all boils down to risk.

The only way to keep a system 100% safe is for it to be in a sealed room, inaccessible to people, to the internet or the outside world and even then, someone could almost certainly gain access to the room if they really wanted too.

Security isn’t just about protecting from the hacks we are aware of, it’s also about attempting to protect users from the threats which haven’t yet been discovered or made widely available.

Implementing preventative or early detection systems with the right security practices for your people, processes and IT systems should mean you become more tuned to spotting attacks or hacks, giving you a better chance to protect yourself and your business.

“100% secure is just not possible”

Technology is a constantly moving beast. So are the methods used to try to gain unauthorised access to your systems.

Your staff may be reasonably savvy about emails which impersonate companies, however as an example of the speed of technology, the Dogsbody team has seen AI now being used to fake people’s voices and scam people out of £1000’s.

Scammers are coming up with new methods to extract cash or assets from companies as fast as security experts are mitigating them.

In this article, we look at each of the three principle areas of risk for your business – People, Systems and Processes; as well as some of the things you can implement immediately to reduce your exposure.

Computer security, cybersecurity or information technology security (IT security) is the protection of computer systems from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. –

Risk #1- people

Image of technician working at three monitors - Educating people is a huge part of any small business cyber security plan

Humans are fallible (likely to make errors or fail). Nobody’s perfect, after all.

However there are some actions for which there are no excuses … weak passwords is one of them! Any small business cyber security plan has to put passwords at the centre of the plan.

The good news is that there are so many ways to make strong unique passwords for every single login. The video below contains a useful method for creating incredibly strong, yet memorable passwords:

Find out how easy passwords are to crack. Get scared.

Password reuse and poor passwords are unacceptable and easily preventable. We have talked before about using a password manager and 2 Factor Authentication (2FA) where available. Get to understand these tools (or talk to us!) and figure out how best to include them within your business.

Education is key

Having clear processes and good security training is another way to help make sure everyone is on the same page.  Free cyber security training courses, videos and online resources are readily available from reputable sources:

Social Media – your online life

Social media allows us to find out basic details about people and companies within seconds. Using a combination of Google and Linkedin allows everyone to know who you work for.

Whilst this is great for networking, it does mean that you and your team need to be careful about what you share and and who you share it with.

If you are reading this article and rolling your eyes and think this security advice just doesn’t matter, spend three minutes watching this (brilliant) video and you might just change your mind:

Frightening huh? And hopefully thought provoking too.

Have processes in place to check when dealing with all contacts via email and phone. Are you speaking to who you think it is?.

It is also sensible to avoid giving out personal data over the phone or via insecure methods such as Slack and email.

Risk #2 – systems, servers & devices

Image of two people breaking into a safe - Small business cyber security plan - Lock it down

There is something or someone trying to access your data every minute of every day.

Implementing preventative and early detection systems into your workflow may help mitigate a situation before it starts.

Devices, including servers, work laptops, home laptops, mobile phones, routers, printers, internet of things (IOT) devices (including that wifi connect light bulb) can all be used against you and your business.

Dogsbody’s #1 tip: keep your devices up-to-date

Updates for all of these devices are released regularly to address bugs, code improvements and security vulnerabilities.

If you’re not updating (patching) regularly, then you are putting yourself at a higher risk of being exploited by a known vulnerability.

Don’t be that person or company.

End of life

Be aware of software end of life (EOL). For example mobile phone hardware usually outlives its supported software meaning it’s open to new security vulnerabilities.

We often talk about ‘end of life’ software in our newsletter. Last month, we confirmed Python 2.7 and PHP 7.1 are going to be end of life soon. Once software is no longer supported, there are no guarantees about the security holes this software could lead too.

Restrict access

Only give access to the areas people need to do their job whether that is physical (rooms, offices), Documents (read only and write only) or devices/servers, it will make it easier to spot an intruder. Separate users means you can see who made a change giving you an audit trail should anything go amiss. Remember to remove old users.

Proactive monitoring

Monitor everything: cpu, memory, disk io, disk space, ports etc. We monitor all of these metrics (and more) on behalf of 100’s of customers.

Use our free tool to monitor some of your external resources too – StatusPile allows you to build a status page of status pages.

A spike or alert across any of these metrics could mean a server is being attacked. If you respond quickly, attackers can be blocked before they cause too much damage.

Back up

We’ve written about backup strategies before. This is such a fundamental part of business.

Don’t be that company that can’t recover from an event like this:

Image of burnt out server rack - Off site backups are essential

If you lost everything where do you go?

Off site backups – simply have them, know where they are and keep them up to date.

Make sure you check them regularly. Is everything being backed up correctly? Are they actually working when you perform a restore? Is the retention policy set correctly?

It’s not good enough to set and forget – new infrastructure gets added, access codes change. Be diligent and don’t lose your business when something goes wrong.

Standardised builds

Have (documented) standard builds for servers, workstations, laptops and other network infrastructure.

Insecure configurations can allow malicious users to obtain unauthorised access, so it is important to ensure the secure configuration of all systems is set up and maintained.

If you need help, talk to us – we do this every day!

Know what you don’t know

That may sound like a crazy heading – but we really mean it. If you don’t test your infrastructure regularly, you don’t know what’s really going on. Involve a third party, get an expert to ethically hack into your systems. This process is of course known as penetration testing.

Penetration tests take many different forms. Testing once a year is a step in the right direction, however infrastructure changes regularly and rightly so, patches must be applied and users added and removed, its a constantly moving beast, so it makes sense to have regular penetration tests. Whilst they give you peace of mind – they will also give your customers peace of mind too.

Protect your email

Make it harder for impersonators to send spam which looks like it comes from your business by setting up your email correctly.

Public wifi is a notorious place for hackers to lurk

Know the risks of public wifi.

Usually it’s free and often, it’s not secure. Avoid visiting sensitive sites such as banks, accounts packages, work ticketing systems when connected.

Company VPN’s can be used if you need to do this regularly. Personal VPN application are good too for personal browsing.

Risk #3 – processes

Image of white lever arch files

Processes have been intertwined within the previous two sections. We’ve discussed standardised builds, communications. device and social media policies.

It’s now time to mop up some of the areas we’ve not yet mentioned.

How would you respond to an emergency if your digital channels were down?

If and when something does go wrong have you considered how you would communicate with your customers?

Host your status page on a completely separate hosting provider to all your other business activities and remember, to make the password accessible for when you are offline.

Status pages are for facts. Do not speculate or discuss issues that have not been confirmed.

Image of Dogsbody Technology Status Page

Crisis communications is a consideration for all businesses.


You rarely hear people talking about the joys of documentation, however it’s a necessary evil of business and absolutely could be your saviour one day.

Here at Dogsbody, we do it as a matter of course. Without shared documentation, IT systems are left exposed. employees leave, employees get sick. It’s essential others can understand how your IT infrastructure works.

Server build documentation is the recipe for your servers. If a server was down and the only way to recover it was to rebuild it – would you know how to? Is it clear how it was set up … who had access … and how the operating system was configured?

Having a build guide document in place means anyone can pick it up and get it back online quickly.

Subscribe for service updates

Subscribe to your providers service updates, notifications, emails and/or RSS feeds, monitor Status pages, hang out on tech forums – as a Linux managed server provider, our team are always reading blogs, security updates and notices – its just part of the day job.

The Government National Cyber security centre release weekly threat reports as well as advice on all security topics.


That wraps up our small business cyber security plan. We hope it makes you think about how your business approaches online security.

If we can help answer any questions, please don’t hesitate to get in touch.

Python 2 will go end of life on 01 Jan 2020

Quick Public Safety Announcement, Python 2.7 goes end of life 01 Jan 2020.  This is the end of the road for Python 2.x – there won’t be a version 2.8.

This means any Python code that’s still on 2.x needs updating to Python 3.  Any code that isn’t moved over won’t receive security updates so will inevitably become insecure.

Identify your code

If you’ve got a lot of code it’s worth taking the time to check what’s where and which version of Python it’s using.

Python 3 was released at the end of 2008.  Adoption has been slow, a factor has been that all of your dependencies need to support Python 3 before you can.  Now that we’re over 10 years down the road this is much less likely to be an issue.

You can start off by checking code that has been written more recently.  Hopefully this will have been written for Python 3.  A survey by JetBrains shows that between 2017 and 2018 the number of developers that mostly used Python 2 fell from 25% to just 16%.  It’s also interesting to note the divide between use cases.  Data science having better adoption than both web and dev-ops.

Don’t forget old code

Unfortunately the numbers above are for code that developers are writing now.  We’re also concerned with code that was written many years ago and hasn’t recently had any major changes.  Looking at the number of packages downloaded instead of what developers are mostly using gives a different picture.  The numbers are closer to 50/50 with the trend between data science and dev-ops still clear.  TensorFlow is most often downloaded for Python 3 whilst botocore is heavily Python 2.  Boto is heavily used in API access to cloud providers such as AWS.

If all of your recent code is Python 3 it’s worth having a good dig around for places old code might be hiding.

What are the steps to update to Python 3?

  • The first step to update code is to make sure any packages you’re using support Python 3.  A tool such as caniusepython3 should show you where the issues are.
  • After that depending on the complexity of your code you can update it by hand or use a tool such as Futurize to help with the conversion .

A key part of smoothly updating is to have a good testing process so you can quickly find and fix the bits that unexpectedly break.  See the porting guide for more info.


Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

PHP 7.1 will go end of life on 1 Dec 2019

PHP 7.1 goes end of life (EOL) on the 1st December 2019 meaning known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 7.2 supported until 30 November 2020
  • 7.3 supported until 6 December 2021

As with any upgrade you will want to test your site on the new version before migrating. You may need to get your developers to update some code, check plugins and app versions for the new PHP supportability.

If you love a pie chart, Jordi Boggiano has provided this great overview of the PHP versions out there.

PHP VersionsUpgrade from PHP 7.1 before the 1st December 2019.

Want a hand? Get in touch!


Password Managers: What, How & Why?

So its 2019 and the new years resolution are on hold; Veganuary is over and Marie Kondo is helping us declutter our servers lifes. We expect a few new website and apps have caught your attention and you’ve created an account using a unique strong 12+ character password. Right?

Unfortunately data breaches are as prevalent now as they ever were. If you are still trying to memorise all your passwords, or writing them down, or the big no no, reusing them then make 2019 the year you improve your relationship with passwords.

Today we are talking about Password Managers as a method of creating and storing your passwords.

What is a password manager?

A password manager is an app, device, or cloud service that stores your passwords in an encrypted vault that can only be unlocked with a single master password. This means you only have to remember one ultra secure password not 100’s.

How does a Password manager work?

The video below (from 2017) clearly explains why you should stop memorising your passwords and why a password manager maybe a great first step to managing and securing them.

Two keys points:

  • The password manager creates the random passwords for you – A password manager isn’t a place to store your own made up passwords, its a place to create random computer generated ones. I don’t even know my own passwords, I just know one master password.
  • A password manager can store other information too – for example – the security questions some websites ask you for, mothers maiden name, first pet, first school, where you meet your husband/wife, provided these aren’t being used to prove your identity, can be completely fictitious and different for every account you set up.

Adding a further level of security

Our other blog on Multi -Factor Authentication explains about a further level of security you can use if offered.

A poll in 2018 saw more than three quarters of 2,000 UK adults do not see the point of ‘unnecessary’, ‘overly complicated’ internet security measures, ironically 46% had been victims of banking fraud. I’ll let you draw your own conclusion!

Don’t let this be you, even if a password manager doesn’t appeal at least use unique strong 12+ character passwords. With a password manager you can have easily have a 64 character password and it will 4 untrigintillion years to crack.  If its easy to create and “remember” why wouldn’t you.

And finally why 12+ characters?

A 12 character unique random password would take a computer about 3 thousand years to crack, however this true story from 2017 proves to us that it could take a whole lot longer. Always be aware that a 3 thousand year password may well be a 300 year password in 10 years time so the more characters the better.



Google Chrome to Distrust Symantec SSL Certificates

From 15 Mar 2018 Google Chrome will start distrusting Symantec SSL Certificates.

What is happening and why?

Over the past few years various concerns have been raised regarding Symantec’s process for issuing and revoking SSL certificates.  As a result Google Chrome have announced that they will be distrusting SSL certificates issued by Symantec. It is important to note that since Symantec’s root certs are used by other certificate authorities the following will also be affected: Equifax, GeoTrust, RapidSSL, Thawte, and VeriSign.

In order to restore trust in future Symantec issued SSL certificates DigiCert have acquired Symantec SSL.  Certificates issued after 1 Dec 2017 will be signed by DigiCert’s managed partner scheme and as such will remain trusted by Google Chrome.

Google are currently planning to distrust Symantec SSL Certificates in two main phases – the release of Chrome 66 and the release of Chrome 70.

How could this affect me?

If your site is using an invalid SSL certificate your users will receive a security warning.  Since Google Chrome currently makes up over half of the browser market (you can check your analytics as exact percentages vary depending on your industry) it is likely a large proportion of your users will receive errors when visiting your site.  Mozilla have announced they will be following suit.

How to check if your site is using an affected cert?

The easiest way to check this is to use Google Chrome developer tools:

  • Press F12 to open the developer tools
  • In the “Console” tab you will see the a warning if your certificate will be distrusted by a future Chrome release.


What should I do if I am using an affected cert?

  • Affected Certificates purchased before 1 Jun 2016 will need to be re-issued before Chrome 66 beta which is planned to be 15 Mar 2018 or Chrome 66 stable which release is planned for 17 Apr 2018
  • Affected Certificates purchased before 1 Dec 2017 will be need to be re-issued before Chrome 70 beta which will be roughly 13 Sep 2018 or Chrome 70 stable release which will be roughly 23 Oct 2018.

Your certificate may be going to expire before it is distrusted in Chrome in which case you don’t have anything to worry about since any certificates issued now will remain trusted.

If your certificate will be distrusted by Chrome before you would normally renew it then you will need to have it re-issued luckily this won’t cost you anything except the time it takes you.

In order to check when your SSL certificate was purchased and when it is valid until you can use the Google Chrome developer tools:

  • Press F12 to open the developer tools
  • Navigate to the “Security” tab
  • Click “View certificate” from here you should be able to see the “Issued On” and “Expires On” dates

If you are one of our customers then you don’t need to worry as we will be contacting you if any of your servers are affected.

If anyone else would like us to check if they are affected or help with the re-issuance process contact us.

Feature image – “Security Broken” by DennisM2 is licensed under CC0 1.0 Universal (CC0 1.0)

Intel vulnerabilities (Meltdown & Spectre)

On 3rd January 2018 engineers around the world scrambled to respond to the announcement that most CPUs on the planet had a vulnerability that would allow attackers to steal data from affected computers.  Almost two weeks later and we do know a lot more however the outlook is still bleak.

Am I vulnerable?

Almost definitely.  While only Intel CPUs are affected by the Meltdown vulnerability (CVE-2017-5754) CPUs made by AMD, ARM, Nvidia and other manufactures are all affected by the Spectre vulnerabilities (CVE-2017-5753 &  CVE-2017-5715).

Additionally, Spectre is a collection of vulnerabilities.  Only two of the easiest to implement attacks are currently being patched for.  There are literally hundreds of ways to exploit Spectre and many do not have an easy fix. The Spectre collection of vulnerabilities are responsible for the slowdown of CPUs in your computer as they target a major part of the CPU responsible for the speed (speculative execution).

There are a few exceptions for CPUs not affected by these vulnerabilities however so far these have all been low powered ARM devices such as the Raspberry Pi.

It is worth pointing out that while most computers, servers & mobile phones are vulnerable, an attacker would still have to be able to run code on the same CPU you are using in order for you the be affected. For cloud computing providers this is a big issue as the same CPU is being used by many guest systems. For desktop systems this is a problem as most websites nowadays require that browsers run untrusted Javascript.  For dedicated servers being used by one company however, the only code that should be running on the system is trusted code. While this doesn’t make dedicated servers any less vulnerable, it does severely reduce the attack surface.

How does it work?

Better people than us have already covered this.  We recommend these two blog posts…

How do I fix this?

You replace your CPU.  Seriously! This is currently the only 100% guaranteed method to be free of these vulnerabilities.  However, that there currently aren’t actually any replacement CPUs that aren’t vulnerable! This issue may speed up some providers depreciation of old technology.

Patches for the Meltdown vulnerability have been made available for all major operating systems now.  Make sure you have installed and rebooted to ensure that the patch is loaded in.

If you are using any sort of virtualisation or cloud infrastructure then make sure that your host is patched too. Most cloud providers are announcing reboots at very short notice.

Patches for the Spectre vulnerabilities are still dribbling out and new patches will likely be required for years to come as new fixes are developed.  The current two Spectre patches include a microcode patch for the actual CPU firmware.  This firmware update should still be shipped out via the standard operating system updates.  These patches will also require systems to be rebooted (again).

But I’m a customer!

Don’t worry, we got you.  We are actively working with all our customers to patch systems and mitigate issues.


In tracking these vulnerabilities and writing this blog post we built up a comprehensive timeline of events linking to sources of more information that maybe useful…

  • Between Aug 2016 & Jun 2017 – Multiple vulnerabilities are discovered and published by multiple researchers, mostly building on each others work.
  • 01 Feb 2017 – CVE numbers 2017-5715, 2017-5753 and 2017-5754 are assigned to/reserved by Intel to cover these vulnerabilities.
  • 01 Jun 2017 – The two attack vectors are independently found by Google’s Project Zero researchers and researchers from the academic world which are shared with Intel, AMD and ARM.
  • Sep 2017 – Google deploys fixes in their Linux based infrastructure to protect their customers.  Google proposes to pass the patches upstream to the Linux kernel after the public disclosure of Spectre/Meltdown.
  • 09 Nov 2017 – Intel informs partners and other interested parties under Non Disclosure Agreement (NDA).
  • 20 Nov 2017 – The CRD (Coordinated Release Date) is agreed upon to be 09 Jan 2018 by the parties involved.
  • 13 Dec 2017 – Apple releases iOS 11.2, MacOS 10.13.2 and TVos 11.2. These update contain fixes for Meltdown but that is not mentioned in the release notes.
  • 15 Dec 2017 – Amazon starts sending emails to AWS customers, informing them of a scheduled reboot of EC2 instances on or around the 06 Jan 2018. People that reboot following that email notice degraded performance and start discussing this.
  • 20 Dec 2017 – Jonathan Corbet publishes an article and remarks that the KPTI patches have “all the markings of a security patch being readied under pressure from a deadline”.
  • 01 Jan 2018 – A pythonsweetness post appears, speculating about what’s behind the KPTI patches for the Linux kernel.
  • 02 Jan 2018 – The Register publishes an article that puts enough of the information together.
  • 02 Jan 2018 – Andres Freund posts to the PostgreSQL mailing list showing a 17-23% slowdown in PostgreSQL when using the KPTI patch.
  • 03 Jan 2018 – Google breaks the agreed CRD and makes everything public.
  • 03 Jan 2018Two websites are launched to explain the findings.  The vulnerabilities are “officially” named Meltdown and Spectre.
  • 03 Jan 2018 – Microsoft rushes out a series of fixes, including security updates and patches for its cloud services, which were originally planned for a January 9 release.
  • 03 Jan 2018 – Amazon says it has secured almost all of its affected servers.
  • 03 Jan 2018 – Google details its efforts to safeguard its systems and user data.
  • 03 Jan 2018 – Intel acknowledges the existence of the vulnerability, but refutes reports implying it is the only chipmaker affected.
  • 04 Jan 2018 – Media organisations such as the BBC pick up the story.
  • 04 Jan 2018 – Apple confirms its iPhones, iPads, and Macs are affected by the Meltdown and Spectre vulnerabilities.
  • 09 Jan 2018 – Microsoft confirms that patches rolled out to close Meltdown and Spectre security loops have caused PC and server performance slowdowns.

Cyber Security Awareness Month 2017

Dogsbody Technology is happy to be a champion of National Cyber Security Awareness Month (NCSAM) to get everyone thinking about their security online.

Online safety is our shared responsibility, and it starts with STOP. THINK. CONNECT.

STOP: make sure security measures are in place.
THINK: about the consequences of your actions and behaviours online.
CONNECT: and enjoy the internet.

We actively believe that security is not something you “do” (I’ve built this server now I’m going to secure it), it is something that has to be thought about as part of the culture of the business we are in. It is also something that has to be done at all levels of the business including customers and suppliers.

Follow these basic tips throughout October – and all year-round! – to help protect yourself, your information and promote a more trusted internet for everyone.

Own your online presence – Set the privacy and security settings on websites to your comfort level for information sharing. It’s OK to limit how and with whom you share information.

Personal information is like money. Value it. Protect it. – Information about you, such as purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected by apps and websites.

Keep a clean machine – Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.

Get 2 steps ahead – Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Turn on two-factor authentication (2FA) – also known as two-step verification or multi-factor authentication (MFA) – on accounts where available. Two-factor authentication can use anything from a text message to your phone to a token to a biometric like your fingerprint to provide enhanced account security.

Share with care – Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it could be perceived now and in the future.

Declutter your mobile life –  Most of us have apps we no longer use and some that need updating. Delete unused apps and keep others current, including the operating system on your mobile device.

Do a digital life purge –  Perform a good, thorough review of your online files. Tend to digital records, PCs, phones and any device with storage just as you do for paper files. Get started by doing the following:

  • Clean up your email: Save only those emails you really need and unsubscribe to email you no longer need/want to receive.
  • Back it up: Copy important data to a secure cloud site or another computer/drive where it can be safely stored. Password protect backup drives. Always back up your files before getting rid of a device, too. You can’t go wrong with the classic 3-2-1 Backup Strategy -3 total copies of your data, 2 of which are local but on different mediums (read: devices), and at least 1 copy offsite (for if your house/office burns down).

Know what devices to digitally “shred” –  Computers and mobile phones aren’t the only devices that capture and store sensitive, personal data. External hard drives and USBs, tape drives, embedded flash memory, wearables, networking equipment and office tools like copiers, printers and fax machines all contain valuable personal information.

Clear out stockpiles –  If you have a stash of old hard drives or other devices – even if they’re in a locked storage area – information still exists and could be stolen. Don’t wait: wipe and/or destroy unneeded hard drives as soon as possible.

Empty your trash or recycle bin on all devices and be certain to wipe and overwrite – Simply deleting and emptying the trash isn’t enough to completely get rid of a file. Permanently delete old files using a program that deletes the data, “wipes” it from your device and overwrites it by putting random data in place of your information ‒ that then cannot be retrieved.

For devices like tape drives, remove any identifying information that may be written on labels before disposal, and use embedded flash memory or networking or office equipment to perform a full factory reset and verify that no potentially sensitive information still exists on the device.


Most of these suggestions just require time.  There really is no excuse.

Have you been pwned?

Last week Troy Hunt publicised that a spam list of 711 million user records including email addresses and passwords had been leaked.

“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.”

Obviously this isn’t the first (and unfortunately) it won’t be the last time data has been breached, however this is one of the biggest by far.

Below we explain why its important to check if your data has been leaked and how to perform those checks.

So why should I care?

One look at the list of Pwned websites (websites that have been breached – which they know about) shows the type of data that has and can be leaked. With every data breach more of your personal data is being leaked and can be pieced together by bad actors to access your online world.

With this data bad actors can perform a number of attacks such as (but not limited to):

  • Phishing  – Attackers now know that you use a service and so have a great advantage when sending you mail pretending to be from that service in an attempt to trick you into sharing sensitive information such as passwords, usernames, and credit card details.  We can all identify spam mail from a bank we don’t use however it’s harder when the sender is someone we know.
  • Password Reuse – A lot of these data breaches involve passwords as well as email addresses.  The first thing that attackers will do is try and log into other accounts using the same login details from the breach. Being aware of what has been released at least give you a fighting chance if you have used the same credentials elsewhere.
  • Whaling / Spear phishing – If you are unlucky enough to have had your data breached a number of times then it is easy for attackers to start to build up a profile for you. Specifically targeted spam e-mails can be sent to you and are much more likely to get past your subconscious mail filter.  These can have life changing outcomes as recent conveyancing scams where thousands have been stolen from individuals has shown.

This week Deliveroo are warning customers over vulnerable passwords and there website hasn’t even been hacked:

“While Deliveroo’s website has not been breached or hacked, the firm has identified a number of customers whose email addresses were compromised in data breaches on other websites.”

How to check if you are affected?

Information is power, not just for the attackers but for you too.  By knowing when you have had a data breach (through no fault of your own) you can protect your brand and your business better.

  • Individual email addresses – Sign up to Have I Been Pwned Notifications to check your email address and get notified if data associated with that e-mail is breached again.
  • Domain owners – Sign up to Have I Been Pwned Domain search to check your domains. Subscribe so that you get notifications should anything else go public in the future.

How can we help?

Being aware of what’s going on with your domain is important as its your online presence to the world.

Dogsbody Technology maintenance packages all include reputation alerts for your IP addresses and domain name/s checking over 200 blacklists to ensure your IP’s aren’t blacklisted or showing up where they shouldn’t. Contact us to find out how we can help protect your brand as well as your servers.

Feature image by bonjourpeewee licensed CC BY-SA 2.0.

Stack Clash vulnerability

A new vulnerability was announced today affecting all Linux servers (including OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64).  The vulnerability allows local users to corrupt memory and execute arbitrary code.

We are currently contacting customers to arrange for appropriate times to reboot servers and load in the new kernel. 

If you manage your own server we highly recommend you fully patch and reboot your server ASAP.

If you are using a VPS server you will likely need to wait for confirmation from your VPS vendor that they have made a new kernel available.  Do make sure that when you reboot you boot into the new kernel and not the old one.  We are doing this for customers and have already had replies from some providers.

Anyone using an operating system that is now end of life (such as Ubuntu 12.04) will have to upgrade their operating system.  Some vendors do have additional support offerings.  Canonical is offering Extended Security Support for Ubuntu Advantage customers which will cover this vulnerability.

More technical information can be found in the excellent write up from Qualys who discovered the vulnerability.

“Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around.”

If you do not have a support contact in place with us and would like help with this please feel free to contact us.

Feature image by Steven Lilley under the CC BY-SA 2.0 license.

How will CentOS 5 end of life affect me?

On 31st March 2017, CentOS 5 reaches end of life (EOL).
We recommend that you update to CentOS 7.

Over time technology and security evolves, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old CentOS 5 systems past March 2017 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

CentOS End of life dates:

  • CentOS 5 : 31st March 2017
  • CentOS 6 : 30th November 2020
  • CentOS 7:  30th June 2024


Just picking up your files and moving them from CentOS 5 to CentOS 7 will speed up your site due to the newer software.

  • Apache 2.2.3 -> Apache 2.4.6
  • PHP 5.1 -> PHP 5.4
  • MySQL 5.0 -> MariaDB 5.5

Are you still using an old operating system?

Want to upgrade?

Not sure if this effects you?

Drop us a line and see what we can do for you!

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.