Cybersecurity 102: How Firewalls Protect Against Threats

The internet is a two-way connection. You don’t just go onto the internet. The internet goes onto the device you’re using. If you’re not careful, a lot of bad things can get into your system through the internet.

Recently, we discussed some of the major threats that companies face on the internet. Now it’s time to look at the first step to protect yourself from those threats.  

It Starts with a Firewall

A firewall is the gatekeeper to your network and/or device. Its purpose is to let safe information in while keeping the bad stuff out. Dangerous items could include spyware, viruses, hackers, and much more. Additionally, certain firewalls can be customized and configured to keep out content that’s technically “safe”, but unwanted on a particular network. For example, companies may use firewalls to block time-consuming websites such as Facebook or YouTube. 

Firewalls can also act as a filter between different company networks. This is helpful in protecting your information from vendors and contractors you may work with. 
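The gatekeeping described above comes down to an ordered rule list with a default of "deny". The Python model below is an added example, not DataYard's configuration or any product's syntax; the address ranges, rule names and the `evaluate` and `shadowed_rules` helpers are constructed for illustration. It shows a blocked site, a vendor segment limited to one server, and a check for rules that can never fire because of their order.

```python
"""First-match packet filter with default deny (constructed example policy)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing plan, not taken from the article.
OFFICE = "10.10.0.0/24"       # staff workstations
VENDOR = "10.20.0.0/24"       # contractor/vendor segment
PORTAL = "10.30.0.15/32"      # the one server vendors need to reach
BLOCKED = "203.0.113.0/24"    # documentation range standing in for a blocked site
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source network (CIDR)
    dst: str                  # destination network (CIDR)
    port: Optional[int]       # destination port, None = any port
    note: str


POLICY = [
    Rule("deny", OFFICE, BLOCKED, 443, "block listed site"),
    Rule("allow", OFFICE, ANY, 443, "office outbound HTTPS"),
    Rule("allow", VENDOR, PORTAL, 8443, "vendor portal only"),
]
# Same rules with the first two swapped: the block can never fire.
MISORDERED = [POLICY[1], POLICY[0], POLICY[2]]


def evaluate(rules, src, dst, port):
    """Return (action, note) for the first packet of a connection."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.port in (None, port)):
            return r.action, r.note
    return "deny", "default deny"   # nothing matched: keep it out


def covers(a, b):
    """True if every packet matching rule b already matches rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.port is None or a.port == b.port))


def shadowed_rules(rules):
    """Notes of rules that can never fire because an earlier rule covers them."""
    return [b.note for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]


if __name__ == "__main__":
    samples = [
        ("10.10.0.7", "203.0.113.10", 443),   # staff -> blocked site
        ("10.10.0.7", "198.51.100.5", 443),   # staff -> ordinary site
        ("10.20.0.9", "10.30.0.15", 8443),    # vendor -> portal
        ("10.20.0.9", "10.30.0.20", 445),     # vendor -> other server
        ("198.51.100.5", "10.10.0.7", 3389),  # unsolicited inbound
    ]
    for pkt in samples:
        print(pkt, evaluate(POLICY, *pkt))
    print("shadowed in misordered set:", shadowed_rules(MISORDERED))
```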

Are All Firewalls the Same?

No. First of all, a firewall can either be a software program or a physical device. Both perform the function of flagging questionable content and preventing it from coming through, though they do so in slightly different ways. 

A software firewall operates on your computer (or other device), protecting the information found there. Should a virus or hacker breach your network, a software firewall can still protect your individual device.  

A software firewall continues to protect your device even when you’re on other networks, which is very beneficial.  

Hardware firewalls are physical devices that act as the first point of connection to the internet, protecting your entire system and every device connected to it. Sometimes hardware firewalls double as routers. Other times, they connect to a router. Different hardware firewalls can offer different features. 

Not only do hardware firewalls protect against hackers and viruses, but they also keep out spam traffic that can slow down your network. 

The best form of protection is a mixture of both physical and device-based firewalls throughout the environment. DataYard provides a comprehensive solution that may include physical, hosted, and next-generation firewall solutions.  

Firewall Systems Need to Stay Updated  

Digital attacks are constantly changing as hackers find new flaws and loopholes in network systems and computer software. In order for your firewall to do its job, it needs to be maintained and updated. It’s important that you keep your network and online data somewhere that’s secure and protected against the latest threats. 

As an IT partner, DataYard values an ‘eat your own dog food’ model that incorporates all the products that we would recommend to a client, including physical devices, hosted firewall solutions, and software-based products. The more points of security the better. All of these options are available to new and current clients utilizing DataYard’s access, cloud hosting services and colocation. Second to great firewall solutions, we maintain backups as an extra safety measure.

For those who have extra security compliance standards to meet, we have you covered. Our team has a track record for providing thorough solutions that check all the boxes for all compliance requirements.  

And for those who want to make sure they have the right firewalls in place and configured correctly, our IT support in Dayton, Ohio can help you out. 

Not sure what you need? We’re happy to consult so you get the protection you need. Contact us today! 



Cybersecurity 101 – What are the Threats?

With so much of our lives and businesses online, cybersecurity is more important than it’s ever been. And it’s not just something that big businesses have to worry about. Nearly half of cyber-attacks are targeting small businesses.

For small businesses, one bad hack could be enough to put them out of business for good. 

That means cybersecurity should be a top priority for all businesses. If any part of your business is storing information online (and it probably is), you need to protect yourself against threats. How do you do that? 

The best place to start is by understanding what types of attacks are happening out there. Here are some of the most common types of attacks taking place in 2019. 

Today's most common threats to your data...

Ransomware  

Ransomware has been around since ‘89, and it’s a tactic that’s still going strong. As you might deduce from the name, ransomware is malware that gets into your system, locking you out of it, and cutting you off from your data. In order to get access back, hackers will demand payment or “ransom”. 

Sophisticated encryption in modern-day ransomware ensures that your data is virtually impossible to recover without gaining permission from the ransom holder. What’s even scarier is the fact that should you pay the ransom, the hacker might delete your information anyway.

This is why regular backup systems and segmentation are so important in modern server systems.

Cryptojacking 

This is a relatively new attack that’s quickly gaining steam. You’ve probably heard of cryptocurrencies such as Bitcoin and Ethereum. Without going into too much detail (because cryptocurrencies can get very confusing, very fast), these currencies involve a process called mining, which requires a lot of computer power to perform efficiently.  

This is where cryptojacking comes into play. 

Cryptojacking involves planting hidden malware that secretly uses your company’s hardware and resources to mine cryptocurrencies. These attacks can be very hard to notice as they don’t cause obvious problems. They do, however, slow down your system and anyone who is connected to it. 

The good news is it’s relatively simple to prevent cryptojacking from happening. Even if your system has been infected, a skilled IT professional can get it removed quickly. 

Device Exploitation 

Smart technology is only growing more popular. These devices connect with the internet and with each other, forming something called the “Internet of Things”. While these devices can offer a lot of convenience, they can also serve as areas of exploitation. 

Individual devices have their own systems which require their own updates. Failing to update your devices is one of the easiest ways to expose yourself to attackers. Software and network updates exist largely to patch potential security risks in products. 

Systems need to be in place to ensure that the various devices connected to your network are secure and up-to-date. 

Third Parties 

Everyone likes to think of their vendors and contractors as trusted allies, but the truth is, they can be massive security risks as well, especially smaller companies, which often lack proper security systems and dedicated IT teams.

If your vendors have any access to your system, they pose a potential threat. You need to account for this. An IT audit, or Discovery, as we like to call them, can help expose where these weaknesses exist and provide steps to remediation.  

Phishing 

Despite a pretty wide awareness of phishing, it’s still a popular (and often successful) means of attack. Today’s phishing schemes are smarter than ever, often utilizing personal info and professional sounding email addresses to seem legitimate. 

These schemes can easily steal important passwords or spread malware through one wrong click. 

Cyber Attacks are Constantly Changing and Evolving 

Technology is advancing faster than ever. With it, cyber-attacks are constantly evolving. The only way to protect yourself, your customers, and your partners is with ongoing security. Software or a simple firewall isn’t enough.

You need a professional team by your side. 

At DataYard, we provide cyber security in Dayton, Ohio and beyond. Our web hosting and cloud services ensure regular backups of your data are made and that your systems stay up-to-date. Our IT support services (AYS) can further assist you in forming proper security protocols and ensuring that you stay protected from the latest digital threats. 

Contact us today to learn how we can keep you and your business safe.  



Google Chrome Updates – Is Your Site Secure?

The world’s most popular Internet browser, Google Chrome, is releasing an important update in the coming weeks. Starting with the public and stable release of Chrome update 68, the browser will show a yellow “warning” icon next to the URL of web sites which are not protected by an SSL cert, and when this icon is hovered over, a “Not Secure” warning will be displayed. With over 53% of total browser market share, this update is sure to affect a wide swath of users and websites.

Read the Google blog post here.

Not sure if your website will be affected by this change?  Visit your site in a browser, and then look at the URL in the address bar.  If your address begins with “HTTP” and not “HTTPS”, your visitors may start to see a warning when this update is released.

To get ahead of the curve on this, give us a call or send us an email – for $175 a year, we can purchase, coordinate, and install a fix for this issue for any DataYard hosting customers.  Just another way we are here to help you make IT better.

 

Keeping the Internet Safe

Earlier this month was Safer Internet Day, which is a day dedicated to creating awareness around safe internet usage mainly geared towards children and teens. I realized this topic didn’t exist when I was growing up. Think about it for a second. I am in my mid-late twenties and I have had more years with dial-up internet or no Internet at all, than I have with anything close to the high speeds we have today. I’ve grown up with the Internet quite literally. When I was a kid, teachers and parents were just trying to grasp the concept of the Internet and how it was used, let alone talk about how to safely address it. For this reason, I’ve taken it upon myself to catch all of us up on some quick Internet Safety Tips.

Passwords

Creating complex passwords and changing your passwords regularly can go a long way. That means moving past the passwords like ‘Password123’ and ‘Jacob19’, onto more creative phrases and symbols. It is also beneficial to use different passwords for your different accounts and websites, rather than using the same one across the board. For this reason, I would recommend using tools like LastPass, KeePass or 1Password to help keep track of all of your different passwords. These tools can also be set up to remind you to reset your password every couple of months.

Public Network Security

Free public Wi-Fi has essentially become a basic utility, making the internet easily accessible virtually anywhere. This is also making users increasingly vulnerable. The challenge with public Wi-Fi is that it’s often unsecured, making it easy for hackers to access your device. If you want to utilize public Wi-Fi in a secure manner, you can purchase a Virtual Private Network (VPN). A VPN is software that will provide you with a secure connection to the Internet.

At Home Network Security

Taking a comprehensive look at your home network will allow you to have peace of mind when you are connecting to the Internet at home on your various devices. Changing administrative passwords and implementing a few precautions can make your connection much safer. For a checklist on securing your home network check out our Securing Your Home Network blog.

Safe Browsing

Many times, Internet browsers themselves provide Safe Browsing functions (see Google). However, you can go an extra step and retrain yourself on not giving away personal information, avoiding questionable websites, only downloading software from sites you trust, and increasing your browser’s security settings.

  • Click Smart – don’t click on sketchy links or ads
  • Share Selectively – don’t just share your personal information with anyone
  • Shop Safe – when shopping online always make sure to look for https

HTTPS

Keep an eye on the addresses of the sites you are visiting. In the address bar for your website, you will see either HTTP or HTTPS (more about the difference) which represents how data is transferred between a web server and a web browser. With an HTTPS site, the data is encrypted, which keeps your information safe. This is extremely important for any online shopping or banking, and any site taking your personal information. You need to make sure that it has encryption.

Stay Up to Date

Staying up to date on the latest operating systems (OS) and software/application versions will ensure that you have the most up-to-date security measures in place. We recommend turning on auto-update when applicable.

If you have more questions about making your home a safe place please feel free to reach out to us on social media or at hello@datayard.us


HTTPster Update

HTTP (Hypertext Transfer Protocol) is the default protocol used to transfer data between a Web server and a Web browser. When you open Internet Explorer, Chrome, Firefox or Safari and type a URL in the address bar (for example, https://www.datayard.us), you’re actually sending an HTTP request to DataYard’s Web server requesting information, in this case DataYard’s homepage. When DataYard’s Web server receives this request, it searches for the desired information and responds to your Web browser with the appropriate information. This information is then displayed on your monitor and the HTTP connection is closed. If you were to click on any link within the home page, another HTTP request is sent to the Web server, which responds with the desired data, and that data is again displayed on your monitor.

HTTP is inherently insecure, meaning information is sent in plain or clear text. Why is this noteworthy? If a savvy person were to “snoop” on your Internet connection, they’d be able to read the data rather easily using simple tools found all over the Internet. This isn’t such a bother when you’re browsing for the latest football scores or reading up on recent events. However, if you’re paying bills, checking bank accounts or attempting to secure a loan of some type via an online finance tool, this becomes seriously concerning. The answer: HTTPS.

HTTPS (Hypertext Transfer Protocol Secure), as its name implies, is HTTP’s much more secure brother. If you were to type “google.com” into your favorite browser, you’ll likely see the address change and it’ll look like this…

Why is this, though? It’s because Google uses an SSL (Secure Sockets Layer) certificate to encrypt data sent between their Web servers and your Web browser. Much the same can be said about almost any other Web domain that would be expected to serve up sensitive information (banks, online shopping, investment entities, utility companies that accept online payments, etc.). Without this certificate or HTTPS, if you were to complete an online shopping transaction and someone happened to be “snooping” on your device or Internet connection, they’d be able to see the details of your purchase in plain or clear text. Credit card information, shipping addresses and other details of your transactions would be wide open for the world to see. So how does HTTPS work exactly?

When an SSL certificate is purchased and placed on a Web server, the Web server holds a private key, basically an encryption algorithm that tells its public key holders how to decrypt the information it’s sending back and forth. Let’s take our first example of HTTP, but this time we’re going to use HTTPS.

It’s time to pay bills and instead of using snail mail, you’ve opted to go green and pay online. You enter your vendor’s Web address in your browser, https://www.electriccompany.com. Immediately upon this request, Electric Company’s Web server will send your browser a public key, instructions on how to decrypt the encrypted information via the private key. Confused yet? You shouldn’t be. All this decrypting and encrypting is transparent to the user and is exclusively handled by the browser and server.

As you enter your credit card information and click “SUBMIT”, your credit card information, account details and other personally identifiable information are sent to the Web server within a snug, tightly-wrapped blanket of human-unreadable characters that can only be deciphered by the Web server and its private key. So the guy that’s been “snooping” on your Internet connection would only see a very lengthy and incoherent string of characters that would envy Da Vinci’s cryptex.

Now that you have a better understanding of HTTP and HTTPS, as well as their differences and advantages, how does one go about “securing” their Web site? It’s rather simple, actually, and as more and more people conduct sensitive business in our technologically endowed world, certificate authorities (CAs) are making this process even more streamlined than before.

Companies like VeriSign, GeoTrust, DigiCert and GoDaddy specialize in the sale and deployment of SSL certificates on a global scale. A user would simply purchase an SSL certificate from any of these CAs, then install the certificate on the appropriate Web server(s). Once the installation is complete, any browser requesting information from that Web server would then have the benefits and peace of mind that all the transactions would be safe and secure! If you’re not up for the task, just let us know and we’ll be sure to take care of everything, giving you a wonderful gift: peace of mind.

How to update your DataYard Mail Filter Settings

DataYard’s new and updated mail filter features improvements to both spam and virus filtering performance and the user interface.  This article explains how to create an account on DataYard’s Mail filter, update your password, add and remove entries from your whitelist and blocklist and adjust your spam filtering levels from the defaults.

Creating an account

Access the Mail filter login page at https://filter.datayard.us.  Enter your email address in the username field and click  “Create New Password”


It will tell you that an account has been created and will have sent an email to you with your password.


Now you can log in to the portal with your email address and password.


Here is what you’ll see when you log in.  The page will default to the Quarantine Inbox that is disabled by default (you can enable it by following the instructions here).


Changing Your password

Upon logging in, click on Preferences


Then click Password


Enter your old password and desired password as directed, then click Save Password.

 

Updating your whitelist/blocklist

Click Preferences, then Whitelist/Blocklist


You will be presented with the following page.  To add an address to either list, click into the entry box in either list, then enter the address and click Add.  To remove an entry, click the trash can next to the entry you wish to remove.


You can edit the list as a whole by clicking Bulk Edit on the list you wish to edit.


Never edit the first line, and put each entry on its own line. Click Save once finished.


Customizing your filter settings

Click on Preferences, then Spam Settings


In order to change your settings from your Domain defaults, select No for Use Domain Defaults under the Spam Scoring section, then click Save.


You’ll now be able to adjust the scoring levels for blocking, quarantine (see Enabling Your Spam Quarantine if you’d like to utilize the quarantine feature) and tagging. Adjust the sliders to your desired levels and click Save. Higher numbers are less sensitive and lower numbers are more sensitive. For example, if you change the Block slider from the default level of 5 to 8, you will receive more messages.


Getting Help

The new mail filter includes comprehensive help. If you need an explanation for a setting or section, simply click the “Help” link at the top right of every section header.

You can also contact us any time at support@datayard.us or 937-226-6896 for assistance.

A Commitment to Radical Privacy

On April 3rd, President Trump signed legislation repealing the FCC’s privacy regulations. As a result, Internet Service Providers (like DataYard, AT&T, Spectrum, etc.) can now quietly gather, store, and sell the Internet histories, communications, and usage patterns of everyone they provide Internet access to. The legislation goes further, by placing restrictions on the types of privacy guidelines the FCC can attempt to institute in the future. If you’re reading this on a screen, this action covers you at this very moment.

I’ve worked at DataYard (and previously DONet) for 11 years, four of those as a Systems Administrator and Data Center Engineer. I know first-hand the level of access that ISPs have to customer data, and the gravity of that access. We have a mantra at DataYard, “with great power comes great responsibility”, attributed to either Voltaire or Ben Parker, depending on who you ask. It is incredibly true in this and many other industries and vocations, but as more and more of our daily lives are driven online…well, ours is a unique business. We at DataYard make it our practice to log only the data we need to maintain our systems and provide the best customer service to our clients. We’ve got a database with your address in it, but so does Trader Joe’s.

If you are a business owner, work with Intellectual Property (IP) or Personally Identifiable Information (PII), are a HIPAA covered entity, or simply don’t want your personal preferences and business browsing data tracked and categorized – this new reality is an uncomfortable one. When ISPs begin to track, store, and replicate this personal data, it exponentially increases the potential attack footprint for malicious access. We’ve all heard about the Target / Yahoo / Verizon / [insert name here] hacks. Can you imagine the fallout if those companies had the last four years of your Internet usage stored and indexed for the taking?

We at DataYard want to publicly voice our disapproval of these legislative actions, undertaken with the sole purpose of opening new profit centers in an exploding industry. We know better than most the implications this decision has. It’s our business to know. Every customer we work with can rest assured that DataYard is not, and will not be, interested in the collection or sale of your communications and activities.

In a time when every move is tracked, every bit is stored forever, and everything is for sale, promising to forgo those profits is a radical move. But it’s a promise we make proudly.

See more: Dayton Daily News story here.

DataYard’s Privacy Policy:

https://www.datayard.us/about/policies/open-internet-compliance-statement/

WordPress updates raise CMS security questions

“By failing to prepare, you are preparing to fail.” –Benjamin Franklin

WordPress vulnerabilities and exploits have filled the press lately, with 3 urgent security releases in the past month alone. The popular content management system (CMS) powers nearly one quarter of the web, making WordPress a ripe target for exploitation and a big concern for website owners and visitors to those sites.

A recent study from W3Techs shares that 47% of WordPress users only back up their sites “every few months,” with 25% saying they’re not trained in using WordPress at all. If exploited, however, nearly 25% say they would pay “almost anything” to get the lost data back. Add that to another 20% who would pay “several thousand dollars” to recover, and we’ve got almost half of WordPress users who recognize the price of inaction.

Why are these sites so vulnerable? In failing to prepare. Nearly half of the respondents reported having no IT or Website Manager. They are using WordPress because the CMS makes editing and adding site content easy for an everyday user. Sales and marketing teams are often left minding the shop with little to no technical training on the backend of the website.

WordPress itself is very responsive when it comes to releasing updates to patch holes as they come up, but they have to be implemented.

Where do you stand?

If you’re using the fully hosted WordPress.com solution, then the updates are part of the package. If you’re using the self-hosted WordPress.org solution, then it’s up to you to be prepared. (Not sure? More here.)

On self-hosted websites, the key is in how rapidly the security updates and patches are adopted. Security updates and patches are boring maintenance items, often not included in the overall website plan.

What can you lose?

Walking through the door to Customer Service, you see they’re really hopping already with email, chats, phones… Wow! Then, you catch the conversation in the room, and you realize there’s something wrong. Really wrong.

The site is not doing what it’s supposed to be doing. Content has changed. Customers are being redirected to odd places. They report suspicious pop-ups and installation requests. Some even, trusting you, have allowed these things to run.

Your website is doing a lot…of all the wrong things. You’ve been hacked.

Websites drive revenue, provide information, collect donations, and communicate on your behalf. When the site stops working, your mission and reputation are in jeopardy. If you collect information on your users, breach of privacy may open you up to additional cost and liability.

What can you do?

Designers and developers build content, behavior, graphics, features, shopping carts, etc. It’s tested and then deployed to a hosting provider. After a final check, the keys are turned over to the company.  If it’s up to you, what do you do?

First, WordPress is not alone.  Open-source (WordPress, Drupal, Joomla) and proprietary CMS platforms are all susceptible to exploit.

As a hosting provider for many self-hosted websites built on a variety of CMS platforms, what do we see? How do successful sites not only launch, but also remain secure and successful?

Know your CMS.

Communication is the key. When you’re building your website, get everyone together, and keep them talking on a regular basis. Ask a lot of questions along the way.

  • What CMS forms the foundation of the site? What permissions can be set for users? Many users posting content to the site may not need permission to change core elements about the site’s base architecture.
  • What plug-ins or add-ons contribute to the functionality? While recent exploits targeted the core WordPress CMS, these integrated programs interact with the sites and can also be targets for getting past site security.
  • Does your CMS have an auto-update function? WordPress offers a few options that can be set to help keep you current. If not, does the CMS offer alerts or an update blog site so that you can stay current on any issues?
  • What must be managed manually? Major version changes of the core CMS often require compatibility testing and are often not automatic as a result. Set up a testing and release schedule for these big changes.
  • Staying on the current version means that you’ll also stay up to date with the most recent security patches. Seen in every technology platform, end of life for a version means no one will be trying to keep it patched and stable.

Know your role.

Remember that survey. Nearly half of site owners would spend thousands, if not “almost anything” to recover lost data. That’s a lot of Benjamins.

It is like a good insurance policy, and a better use of resources, to plan for maintenance instead of praying and paying for miracles after you experience a loss.

IT resources are needed to manage and maintain the live website. You don’t have to be that expert yourself, but don’t forget to budget for routine maintenance and updates when you’re allocating IT resources.

If you don’t have in-house expertise, consider a management agreement with your developer. Like oil changes for a car, it’s part of the price of ownership.

Know your hosting provider.

Not all hosting providers are created equal. Your hosting provider should be an active partner: at a minimum, keeping the Windows- or Linux-based infrastructure stable, secure, and updated in its own right.

As a provider ourselves, we’re a bit biased here at DataYard. We think that a hosting provider should be so much more!

Customer service and support expertise are vital. At DataYard, we love being included in a website’s overall design and development from Day One. We’re experts on our hosting platform, the options available, and maximizing the architecture’s performance for your site.

We talk to you about the site architecture itself, and making sure it’s backed up on a regular schedule. Regular backups mean no mad scramble to see if anything can be recovered.

“When we work with the developers as a site is under construction, we look for bottlenecks to performance,” shares Ryan Chewning, DataYard Systems Administrator. “Most security plugins in WordPress, for example, are incompatible with one another even when they’re fine separately. Some of the security plug-ins help drop malicious connections rapidly, keeping system resources readily available.”

For those building a new website to replace an existing site with active customers, we have extra considerations. Ryan explains, “The user experience during any change is important, from incorporating plug-ins that seamlessly bridge site versions to minimizing any downtime needed to complete the transition.”

The relationship with your hosting provider should not stop when the site goes live. Active management is a valuable element to keeping your website healthy. A DataYard managed account is monitored for performance. With success and more traffic, needs change over time. Ryan concludes, “We watch for performance degradation and make proactive recommendations to keep the site growing along with you.”

What next?

Since your website ties to your bottom line, the bottom line is that you don’t want to trust it to just anyone. If you’re not sure what you have, now’s the time to ask. If you need some help looking at where you are and where you want to be, remember to ask your trusted partners here at DataYard.

“Venom” Vulnerability Details Released

This week the “Venom” vulnerability was announced, affecting a number of virtualization systems such as Xen, KVM, and VirtualBox (http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/). Hackers can exploit a flaw in code written more than 10 years ago, a virtual floppy disk controller, to shut down the hypervisor. With the hypervisor disabled, a hacker would then be able to access the virtual machines of other people or companies running on the same server.

Prior to Wednesday’s announcement, software makers developed patches to close the door to the exploit, but not all hosting providers have been able to roll the patch out to their affected systems. As a result, a number of virtualization platforms running these distributions remain vulnerable to possible exploits.

Since our systems are built on VMware, DataYard’s cloud infrastructure is not vulnerable to this exploit. Microsoft’s Hyper-V and Bochs are also not affected by this bug.

SSLv3 Man in the Middle (POODLE)


What Is It?

Padding Oracle On Downgraded Legacy Encryption (POODLE) – a security vulnerability that forces the downgrade of the negotiated session protocol to SSLv3, a legacy protocol used to establish secure web communication (HTTPS). The vulnerabilities are limited in scope, and several clients and servers restrict the use of SSLv3, which is a 15-year-old protocol. If a server is vulnerable, a man-in-the-middle attack can be executed to compromise the encrypted session.

How Does It Work?

This is a man-in-the-middle attack that forces browsers and sites to downgrade the security protocol to SSLv3 from TLS. This is done by interrupting the handshake between the client and server, which forces the client to retry the handshake with earlier protocol versions. It is important to understand that in order to successfully exploit the POODLE vulnerability, the exploiting user must either be on the same network as the client or server or be able to successfully execute malicious JavaScript.

DataYard’s Actions?

DataYard has already disabled SSLv2 and SSLv3 on all of our shared infrastructure and internet facing servers. We are in the process of contacting managed customers to disable earlier protocol versions. Currently, the only workaround is to stop using SSLv3. The only downside to disabling SSLv3 is that legacy operating systems with legacy browsers that do not support TLS (Windows XP / IE 6 and earlier) will not be able to access sites and services with SSLv3 disabled.
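
The retry pattern described under “How Does It Work?” and the effect of disabling SSLv3 can both be seen in captured handshake records. The Python below is an added example, not DataYard’s tooling: the sample records, `build_hello` and `audit_session` are constructed for illustration, and it reads only the version field of each ClientHello and ServerHello.

```python
"""Flag SSLv3 negotiation and version fallback in captured TLS hello records."""
import struct

HANDSHAKE = 22                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2   # handshake message types
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def name(version):
    return NAMES.get(version, hex(version))


def parse_hello(record: bytes):
    """Return (msg_type, version) from one handshake record holding a hello.

    version is the 16-bit client_version/server_version field, e.g. 0x0300.
    Raises ValueError for anything that is not a well-formed hello.
    """
    if len(record) < 5 + 4 + 2:
        raise ValueError("record too short")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch")
    msg_type = record[5]
    body_len = int.from_bytes(record[6:9], "big")
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message")
    if body_len != rec_len - 4 or body_len < 2 + 32:
        raise ValueError("bad handshake length")
    (version,) = struct.unpack("!H", record[9:11])
    return msg_type, version


def audit_session(attempts):
    """attempts: ordered (client_hello, server_hello_or_None) pairs for one
    client/server pair; None means the handshake was cut before a ServerHello.
    Returns a list of findings; an empty list means nothing suspicious.
    """
    findings, last_offer, last_failed = [], None, False
    for i, (ch, sh) in enumerate(attempts):
        mtype, offered = parse_hello(ch)
        if mtype != CLIENT_HELLO:
            raise ValueError("expected a ClientHello")
        if last_failed and offered < last_offer:
            findings.append(f"attempt {i}: client fell back "
                            f"{name(last_offer)} -> {name(offered)}")
        last_offer, last_failed = offered, sh is None
        if sh is not None:
            mtype, chosen = parse_hello(sh)
            if mtype != SERVER_HELLO:
                raise ValueError("expected a ServerHello")
            if chosen == 0x0300:
                findings.append(f"attempt {i}: server negotiated SSLv3")
    return findings


def build_hello(msg_type, version):
    """Constructed sample data: a minimal, well-formed hello record."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, no session id
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one CBC cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"              # chosen suite, null compression
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


# Constructed captures. DOWNGRADED: three handshakes cut short, then SSLv3 accepted.
DOWNGRADED = [(build_hello(CLIENT_HELLO, v), None) for v in (0x0303, 0x0302, 0x0301)]
DOWNGRADED.append((build_hello(CLIENT_HELLO, 0x0300), build_hello(SERVER_HELLO, 0x0300)))
# HARDENED: same client behaviour, but the server has SSLv3 disabled and never answers it.
HARDENED = [(build_hello(CLIENT_HELLO, v), None) for v in (0x0303, 0x0302, 0x0301, 0x0300)]
CLEAN = [(build_hello(CLIENT_HELLO, 0x0303), build_hello(SERVER_HELLO, 0x0303))]

if __name__ == "__main__":
    for label, capture in (("clean", CLEAN), ("downgraded", DOWNGRADED), ("hardened", HARDENED)):
        print(label, audit_session(capture))
```

With SSLv3 disabled on the server, the fallback attempts still show up in the capture, but no session is ever negotiated at SSLv3.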