CVE-2014-0160 – Heartbleed

A vulnerability has been discovered that allows anyone over the internet to read data straight off of your server.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
– Bruce Schneier

Labelled “Heartbleed” this vulnerability leaves your servers memory vulnerable and accessible to be read by anyone. A lot of private information is at risk, everything from passwords to SSL certificate keys are loaded into memory so often it is only a matter of time until a malicious user gets them.

The affected software, OpenSSL is a library that provides tools for encryption. OpenSSL is installed by default on many Linux systems as many core tools depend on it for SSL. It is widely used by servers for web, email, remote shell, VPN, file transfer and much more…

Test your website for the Heartbleed vulnerability.

The following command lists all services using libssl:

sudo lsof | grep libssl

The only fix is to upgrade OpenSSL to a non-vulnerable version and restart all services using it. Since it is used by so many services it can quickly become a large job to restart each process, especially in the correct order. The quickest way of doing this is by rebooting your server.

For more reading see the official Heartbleed website.

Our advice regarding this matter is:

  1. Ensure a fixed OpenSSL package is installed.
  2. Reboot your server (or restart all processes that use OpenSSL)

Feel free to get in touch if we can help with this.

Feature image by Alan O’Rourke under the CC 2.0 license.

Sponsoring Project Honey Pot

Dogsbody Technology is a proud sponsor of Project Honey Pot with the donation of over 40 mail server addresses and some raw cash to the project.

Project Honey Pot allows us to track the reputation of all of our customers servers.  They would do this without donations from us but it’s the least we can do to support such a great service.

To quote their website…

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.

If you run servers yourself, we encourage you to signup to the project, monitor your IP addresses and donate an MX record or a link from your site.

Feature image – “Storage Servers” by grover_net is licensed under CC BY ND 2.0

ISO27001 Certification

 

We are often asked to make sure we source servers or products from companies that are ISO27001 (or ISO9001) certified.  While it’s good to have a stamp to prove that a company has attained a level of standard I feel there is often confusion over what this certification means.

Luckily, Alec Muffett, a friend of mine wrote a lovely piece on his blog about Google receiving ISO27001 certification for their Google Apps products…

ISO27001 is good to see stamped upon a vendor’s product and business processes – however it is emphatically not a “seal of security approval” – not at all.

The promise of 27001 certification is that a vendor has considered and documented various security risks and threats which would impact their offering – and has established a process to continue this in an ongoing fashion – and then has had the documentation of that understanding cross-checked and validated by an external agency.

In sporting metaphor: a vendor (in this case, Google) gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it; and then they jump over it and the certification agency simply attests that they have successfully performed a high-jump over a bar of their own design. The design documents and jump technique do not need to be made public.

So what would be really interesting would be if Google publishes their security requirements, their standards, their policies and risk assessments, so everyone else can see what kind of high-jump they have just performed – how high, how hard, and landing upon what kind of mat?

It would be that which would inform me of how far I would trust Google Apps with sensitive data, most especially with regard to the provisions they must make for “lawful access” to data by government actors.

Dogsbody Technology helps you cut through all the layers of sourcing new infrastructure. Talk to us to find out how.