Keeping the Internet Safe

Earlier this month was Safer Internet Day, which is a day dedicated to creating awareness around safe internet usage mainly geared towards children and teens. I realized this topic didn’t exist when I was growing up. Think about it for a second. I am in my mid-late twenties and I have had more years with dial-up internet or no Internet at all, than I have with anything close to the high speeds we have today. I’ve grown up with the Internet quite literally. When I was a kid, teachers and parents were just trying to grasp the concept of the Internet and how it was used, let alone talk about how to safely address it. For this reason, I’ve taken it upon myself to catch all of us up on some quick Internet Safety Tips.

Passwords

Creating complex passwords and changing your passwords regularly can go a long way. That means moving past the passwords like ‘Password123’ and ‘Jacob19’, onto more creative phrases and symbols. It is also beneficial to use different passwords for your different accounts and websites, rather than using the same one across the board. For this reason, I would recommend using tools like LastPass, KeePass or 1Password to help keep track of all of your different passwords. These tools can also be set up to remind you to reset your password every couple of months.

Public Network Security

Free public Wi-Fi has essentially become a basic utility, making the internet easily accessible virtually anywhere. This is also making users increasingly vulnerable. The challenge with public Wi-Fi is that it’s often unsecured, making it easy for hackers to access your device. If you want to use public Wi-Fi in a secure manner, you can purchase a Virtual Private Network (VPN). A VPN is software that provides you with a secure connection to the Internet.

At Home Network Security

Taking a comprehensive look at your home network will allow you to have peace of mind when you are connecting to the Internet at home on your various devices. Changing administrative passwords and implementing a few precautions can make your connection much safer. For a checklist on securing your home network check out our Securing Your Home Network blog.

Safe Browsing

Many times, Internet browsers themselves provide Safe Browsing functions (see Google). However, you can go an extra step and retrain yourself on not giving away personal information, avoiding questionable websites, only downloading software from sites you trust, and increasing your browser’s security settings.

  • Click Smart – don’t click on sketchy links or ads
  • Share Selectively – don’t just share your personal information with anyone
  • Shop Safe – when shopping online always make sure to look for https

HTTPS

Keep an eye on the addresses of the sites you are visiting. In your browser’s address bar, you will see either HTTP or HTTPS (more about the difference), which represents how data is transferred between a web server and a web browser. With an HTTPS site, the data is encrypted, which keeps your information safe. This is extremely important for any online shopping or banking, and for any site taking your personal information. You need to make sure that it has encryption.

Stay Up to Date

Staying up to date on the latest operating systems (OS) and software/application versions will ensure that you have the most up-to-date security measures in place. We recommend turning on auto-update when applicable.

If you have more questions about making your home a safe place please feel free to reach out to us on social media or at [email protected]

Other Resources:

HTTPster Update

HTTP (Hypertext Transfer Protocol) is the default protocol used to transfer data between a Web server and a Web browser. When you open Internet Explorer, Chrome, Firefox or Safari and type a URL in the address bar (for example, https://www.datayard.us), you’re actually sending an HTTP request to DataYard’s Web server requesting information, in this case DataYard’s homepage. When DataYard’s Web server receives this request, it searches for the desired information and responds to your Web browser with the appropriate information. This information is then displayed on your monitor and the HTTP connection is closed. If you were to click on any link within the home page, another HTTP request is sent to the Web server, which responds with the desired data, and that data is again displayed on your monitor.

HTTP is inherently insecure, meaning information is sent in plain or clear text. Why is this noteworthy? If a savvy person were to “snoop” on your Internet connection, they’d be able to read the data rather easily using simple tools found all over the Internet. This isn’t such a bother when you’re browsing for the latest football scores or reading up on recent events. However, if you’re paying bills, checking bank accounts or attempting to secure a loan of some type via an online finance tool, this becomes seriously concerning. The answer: HTTPS.

HTTPS (Hypertext Transfer Protocol Secure), as its name implies, is HTTP’s much more secure brother. If you were to type “google.com” into your favorite browser, you’ll likely see the address change and it’ll look like this…

Why is this, though? It’s because Google uses an SSL (Secure Socket Layer) certificate to encrypt data sent between their Web servers and your Web browser. Much the same can be said about almost any other Web domain that would be expected to serve up sensitive information (banks, online shopping, investment entities, utility companies that accept online payments, etc.). Without this certificate or HTTPS, if you were to complete an online shopping transaction and someone happened to be “snooping” on your device or Internet connection, they’d be able to see the details of your purchase in plain or clear text. Credit card information, shipping addresses and other details of your transactions would be wide open for the world to see. So how does HTTPS work exactly?

When an SSL certificate is purchased and placed on a Web server, the Web server holds a private key, basically an encryption algorithm that tells its public key holders how to decrypt the information it’s sending back and forth. Let’s take our first example of HTTP, but this time we’re going to use HTTPS.

It’s time to pay bills and instead of using snail mail, you’ve opted to go green and pay online. You enter your vendor’s Web address in your browser, https://www.electriccompany.com. Immediately upon this request, Electric Company’s Web server will send your browser a public key, instructions on how to decrypt the encrypted information via the private key. Confused yet? You shouldn’t be. All this decrypting and encrypting is transparent to the user and is exclusively handled by the browser and server.

As you enter your credit card information and click “SUBMIT”, your credit card information, account details and other personally identifiable information are sent to the Web server within a snug, tightly-wrapped blanket of human-unreadable characters that can only be deciphered by the Web server and its private key. So the guy that’s been “snooping” on your Internet connection would only see a very lengthy and incoherent string of characters that would envy Da Vinci’s cryptex.

Now that you have a better understanding of HTTP and HTTPS, as well as their differences and advantages, how does one go about “securing” their Web site? It’s rather simple, actually, and as more and more people conduct sensitive business in our technologically endowed world, certificate authorities (CAs) are making this process even more streamlined than before.

Companies like VeriSign, GeoTrust, DigiCert and GoDaddy specialize in the sale and deployment of SSL certificates on a global scale. A user would simply purchase an SSL certificate from any of these CAs, then install the certificate on the appropriate Web server(s). Once the installation is complete, any browser requesting information from that Web server would then have the benefits and peace of mind that all the transactions would be safe and secure! If you’re not up for the task, just let us know and we’ll be sure to take care of everything, giving you a wonderful gift: peace of mind.

How to update your DataYard Mail Filter Settings

DataYard’s new and updated mail filter features improvements to both spam and virus filtering performance and the user interface.  This article explains how to create an account on DataYard’s Mail filter, update your password, add and remove entries from your whitelist and blocklist and adjust your spam filtering levels from the defaults.

Creating an account

Access the Mail filter login page at https://filter.datayard.us. Enter your email address in the username field and click “Create New Password”.

The page will tell you that an account has been created and that an email containing your password has been sent to you.

Now you can log in to the portal with your email address and password.

Here is what you’ll see when you log in.  The page will default to the Quarantine Inbox that is disabled by default (you can enable it by following the instructions here).

Changing your password

Upon logging in, click on Preferences

Then click Password

Enter your old password and desired password as directed, then click Save Password.

Updating your whitelist/blocklist

Click Preferences, then Whitelist/Blocklist

You will be presented with the following page.  To add an address to either list, click into the entry box in either list, then enter the address and click Add.  To remove an entry, click the trash can next to the entry you wish to remove.

You can edit the list as a whole by clicking Bulk Edit on the list you wish to edit.

Never edit the first line and put each entry on its own line, as shown below. Click Save once finished.

Customizing your filter settings

Click on Preferences, then Spam Settings

In order to change your settings from your Domain defaults, select No for Use Domain Defaults under the Spam Scoring section, then click Save.

You’ll now be able to adjust the scoring levels for blocking, quarantine (see Enabling Your Spam Quarantine if you’d like to utilize the quarantine feature) and tagging. Adjust the sliders to your desired levels and click Save. Higher numbers are less sensitive and lower numbers are more sensitive. For example, if you change the Block slider from the default level of 5 to 8, you will receive more messages.

Getting Help

The new mail filter includes comprehensive help. If you need an explanation for a setting or section, simply click the “Help” link at the top right of every section header.

You can also contact us any time at [email protected] or 937-226-6896 for assistance.

A Commitment to Radical Privacy

On April 3rd, President Trump signed legislation repealing the FCC’s privacy regulations. As a result, Internet Service Providers (like DataYard, AT&T, Spectrum, etc.) can now quietly gather, store, and sell the Internet histories, communications, and usage patterns of everyone they provide Internet access to. The legislation goes further, by placing restrictions on the types of privacy guidelines the FCC can attempt to institute in the future. If you’re reading this on a screen, this action covers you at this very moment.

I’ve worked at DataYard (and previously DONet) for 11 years, four of those as a Systems Administrator and Data Center Engineer. I know first-hand the level of access that ISPs have to customer data, and the gravity of that access. We have a mantra at DataYard, “with great power comes great responsibility”, attributed to either Voltaire or Ben Parker, depending on who you ask. It is incredibly true in this and many other industries and vocations, but as more and more of our daily lives are driven online…well, ours is a unique business. We at DataYard make it our practice to log only the data we need to maintain our systems and provide the best customer service to our clients. We’ve got a database with your address in it, but so does Trader Joe’s.

If you are a business owner, work with Intellectual Property (IP) or Personally Identifiable Information (PII), are a HIPAA covered entity, or simply don’t want your personal preferences and business browsing data tracked and categorized – this new reality is an uncomfortable one. When ISPs begin to track, store, and replicate this personal data, it exponentially increases the potential attack footprint for malicious access. We’ve all heard about the Target / Yahoo / Verizon / [insert name here] hacks. Can you imagine the fallout if those companies had the last four years of your Internet usage stored and indexed for the taking?

We at DataYard want to publicly voice our disapproval of these legislative actions, undertaken with the sole purpose of opening new profit centers in an exploding industry. We know better than most the implications this decision has. It’s our business to know. Every customer we work with can rest assured that DataYard is not, and will not be, interested in the collection or sale of your communications and activities.

In a time when every move is tracked, every bit is stored forever, and everything is for sale, promising to forgo those profits is a radical move. But it’s a promise we make proudly.

See more: Dayton Daily News story here.

DataYard’s Privacy Policy:

https://www.datayard.us/about/policies/open-internet-compliance-statement/

WordPress updates raise CMS security questions

“By failing to prepare, you are preparing to fail.” –Benjamin Franklin

WordPress vulnerabilities and exploits have filled the press lately, with 3 urgent security releases in the past month alone. The popular content management system (CMS) powers nearly one quarter of the web, making WordPress a ripe target for exploitation and a big concern for website owners and visitors to those sites.

A recent study from W3Techs shares that 47% of WordPress users only back up their sites “every few months,” with 25% saying they’re not trained in using WordPress at all. If exploited, however, nearly 25% say they would pay “almost anything” to get the lost data back. Add that to another 20% who would pay “several thousand dollars” to recover, and we’ve got almost half of WordPress users who recognize the price of inaction.

Why are these sites so vulnerable? In failing to prepare. Nearly half of the respondents reported having no IT or Website Manager. They are using WordPress because the CMS makes editing and adding site content easy for an everyday user. Sales and marketing teams are often left minding the shop with little to no technical training on the backend of the website.

WordPress itself is very responsive when it comes to releasing updates to patch holes as they come up, but they have to be implemented.

Where do you stand?

If you’re using the fully hosted WordPress.com solution, then the updates are part of the package. If you’re using the self-hosted WordPress.org solution, then it’s up to you to be prepared. (Not sure? More here.)

On self-hosted websites, the key is in how rapidly the security updates and patches are adopted. Security updates and patches are boring maintenance items, often not included in the overall website plan.

What can you lose?

Walking through the door to Customer Service, you see they’re really hopping already with email, chats, phones… Wow! Then, you catch the conversation in the room, and you realize there’s something wrong. Really wrong.

The site is not doing what it’s supposed to be doing. Content has changed. Customers are being redirected to odd places. They report suspicious pop-ups and installation requests. Some even, trusting you, have allowed these things to run.

Your website is doing a lot…of all the wrong things. You’ve been hacked.

Websites drive revenue, provide information, collect donations, and communicate on your behalf. When the site stops working, your mission and reputation are in jeopardy. If you collect information on your users, breach of privacy may open you up to additional cost and liability.

What can you do?

Designers and developers build content, behavior, graphics, features, shopping carts, etc. It’s tested and then deployed to a hosting provider. After a final check, the keys are turned over to the company.  If it’s up to you, what do you do?

First, WordPress is not alone.  Open-source (WordPress, Drupal, Joomla) and proprietary CMS platforms are all susceptible to exploit.

As a hosting provider for many self-hosted websites built on a variety of CMS platforms, what do we see? How do successful sites not only launch, but also remain secure and successful?

Know your CMS.

Communication is the key. When you’re building your website, get everyone together, and keep them talking on a regular basis. Ask a lot of questions along the way.

  • What CMS forms the foundation of the site? What permissions can be set for users? Many users posting content to the site may not need permission to change core elements about the site’s base architecture.
  • What plug-ins or add-ons contribute to the functionality? While recent exploits targeted the core WordPress CMS, these integrated programs interact with the site and can also be targets for getting past site security.
  • Does your CMS have an auto-update function? WordPress offers a few options that can be set to help keep you current. If not, does the CMS offer alerts or an update blog site so that you can stay current on any issues?
  • What must be managed manually? Major version changes of the core CMS often require compatibility testing and are often not automatic as a result. Set up a testing and release schedule for these big changes.
  • Staying on the current version means that you’ll also stay up to date with the most recent security patches. Seen in every technology platform, end of life for a version means no one will be trying to keep it patched and stable.

Know your role.

Remember that survey. Nearly half of site owners would spend thousands, if not “almost anything” to recover lost data. That’s a lot of Benjamins.

It is like a good insurance policy, and a better use of resources, to plan for maintenance instead of praying and paying for miracles after you experience a loss.

IT resources are needed to manage and maintain the live website. You don’t have to be that expert yourself, but don’t forget to budget for routine maintenance and updates when you’re allocating IT resources.

If you don’t have in-house expertise, consider a management agreement with your developer. Like oil changes for a car, it’s part of the price of ownership.

Know your hosting provider.

Not all hosting providers are created equal. Your hosting provider should be an active partner: at a minimum, keeping the Windows- or Linux-based infrastructure stable, secure, and updated in its own right.

As a provider ourselves, we’re a bit biased here at DataYard. We think that a hosting provider should be so much more!

Customer service and support expertise are vital. At DataYard, we love being included in a website’s overall design and development from Day One. We’re experts on our hosting platform, the options available, and maximizing the architecture’s performance for your site.

We talk to you about the site architecture itself, and making sure it’s backed up on a regular schedule. Regular backups mean no mad scramble to see if anything can be recovered.

“When we work with the developers as a site is under construction, we look for bottlenecks to performance,” shares Ryan Chewning, DataYard Systems Administrator. “Most security plugins in WordPress, for example, are incompatible with one another even when they’re fine separately. Some of the security plug-ins help drop malicious connections rapidly, keeping system resources readily available.”

For those building a new website to replace an existing site with active customers, we have extra considerations. Ryan explains, “The user experience during any change is important, from incorporating plug-ins that seamlessly bridge site versions to minimizing any downtime needed to complete the transition.”

The relationship with your hosting provider should not stop when the site goes live. Active management is a valuable element to keeping your website healthy. A DataYard managed account is monitored for performance. With success and more traffic, needs change over time. Ryan concludes, “We watch for performance degradation and make proactive recommendations to keep the site growing along with you.”

What next?

Since your website ties to your bottom line, the bottom line is that you don’t want to trust it to just anyone. If you’re not sure what you have, now’s the time to ask. If you need some help looking at where you are and where you want to be, remember to ask your trusted partners here at DataYard.

“Venom” Vulnerability Details Released

This week the “Venom” vulnerability was announced, affecting a number of virtualization systems, like Xen, KVM, and VirtualBox (http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/). Hackers can use the defect, a flaw in virtual floppy disk controller code written more than 10 years ago, to shut down the hypervisor. With the hypervisor disabled, a hacker would then be able to access the virtual machines of other people or companies running on the same server.

Prior to Wednesday’s announcement, software makers developed patches to close the door to the exploit, but not all hosting providers have been able to roll the patch out to their affected systems. As a result, a number of virtualization platforms running these distributions remain vulnerable to possible exploits.

Since our systems are built on VMware, DataYard’s cloud infrastructure is not vulnerable to this exploit. Microsoft’s Hyper-V and Bochs are also not affected by this bug.

SSLv3 Man in the Middle (POODLE)

What Is It?

Padding Oracle On Downgraded Legacy Encryption (POODLE) is a security vulnerability that forces the downgrade of the negotiated session protocol to SSLv3, a legacy protocol used to establish secure web communication (HTTPS). The vulnerabilities are limited in scope, and several clients and servers restrict the use of SSLv3, which is a 15-year-old protocol. If a server is vulnerable, a man-in-the-middle attack can be executed to compromise the encrypted session.

How Does It Work?

This is a man-in-the-middle attack that forces browsers and sites to downgrade the security protocol from TLS to SSLv3. This is done by interrupting the handshake between the client and server, which forces the handshake to be retried with earlier protocol versions. It is important to understand that in order to successfully exploit the POODLE vulnerability, the exploiting user must either be on the same network as the client or server or be able to successfully execute malicious JavaScript.

DataYard’s Actions?

DataYard has already disabled SSLv2 and SSLv3 on all of our shared infrastructure and internet facing servers. We are in the process of contacting managed customers to disable earlier protocol versions. Currently, the only workaround is to stop using SSLv3. The only downside to disabling SSLv3 is that legacy operating systems with legacy browsers that do not support TLS (Windows XP / IE 6 and earlier) will not be able to access sites and services with SSLv3 disabled.
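One way to check that a web server configuration really has SSLv2 and SSLv3 turned off, as an added example (not DataYard's tooling). It reads Apache `SSLProtocol` and nginx `ssl_protocols` directives; the function names and sample configs are constructed, and two simplifications are assumed: `all` is treated as enabling every protocol the script knows, and bare protocol names are treated as additive, so the check can over-report but not under-report.

```python
import re

# Protocols the post says were disabled, and every protocol name we recognise.
LEGACY = ("SSLv2", "SSLv3")
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANON = {p.lower(): p for p in KNOWN}

# Matches an uncommented Apache or nginx protocol directive and its arguments.
DIRECTIVE = re.compile(
    r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.IGNORECASE
)


def effective_protocols(tokens):
    """Fold a directive's arguments into the set of enabled protocols.

    Assumption: "all" means every entry in KNOWN, and a name without a
    +/- prefix adds to the set. Both choices err towards flagging.
    """
    enabled = set()
    for tok in tokens:
        sign = "+"
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        if tok.lower() == "all":
            names = set(KNOWN)
        else:
            names = {CANON.get(tok.lower())} - {None}  # ignore unknown words
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def audit(config_text):
    """Return (line number, directive, legacy protocols still enabled)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        enabled = effective_protocols(match.group(2).split())
        legacy = sorted(enabled & set(LEGACY))
        if legacy:
            findings.append((lineno, match.group(1), legacy))
    return findings


# Constructed sample configurations: weak setting beside the corrected one.
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
NGINX_WEAK = (
    "server {\n"
    "    listen 443 ssl;\n"
    "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
    "}\n"
)
NGINX_FIXED = (
    "server {\n"
    "    listen 443 ssl;\n"
    "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
    "}\n"
)

if __name__ == "__main__":
    for label, text in [
        ("apache weak", APACHE_WEAK),
        ("apache fixed", APACHE_FIXED),
        ("nginx weak", NGINX_WEAK),
        ("nginx fixed", NGINX_FIXED),
    ]:
        print(label, audit(text) or "no legacy protocols enabled")
```

A file with no protocol directive at all produces no findings here; in that case the server's built-in default applies and should be checked against the documentation for the installed version.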

With Great Power Comes Great Responsibility

The technological landscape continues to evolve at a fantastic pace, and staying on top of it all can be challenging. In spite of the high rate of change I think there are some “timeless” lessons we’ve learned over the last two decades, lessons that will continue to be true for the foreseeable future. Here are three lessons that are part of our DNA today and are integrated in our daily thinking.

The first is that the demand for robust, high-performance Internet access and applications consistently increases. It never shrinks. Our clients today are getting much more comfortable taking their applications off-site and into the cloud, so reliable, fast, low-latency connections to the network are becoming increasingly vital to daily operations. Furthermore, our users are connecting to their data using a dizzying array of devices, applications, and APIs from a diverse number of geographic locations. This trend is only going to continue as more computing power is loaded into smartphones and tablets, and small-footprint IoT (Internet of Things) devices like Arduinos and Raspberry Pis multiply.

The second is that good data and application security cannot be an after-thought. Protecting data, and your users’ access to it, has to be an important element of the system from Day 1. Good security is not something you do once and then assume you’re done, nor is it something you bolt onto an already-built system. Good security requires processes that are enforced, systems and software that are monitored around the clock, and software updates and security patches — at least at the operating system level — for the lifespan of the application. Failing to take security seriously from the onset means that your critical systems might be exposed to potential compromise, and that critical business data might be corrupted or lost.

Thirdly, a tremendous amount of planning and care is needed to integrate new Internet services into a client’s enterprise with nearly zero downtime to the end user. This cannot be done haphazardly. It requires knowledge of a client’s working environments, their online habits, their schedules, their processes. It requires critical thinking and the judgment skills necessary to weigh competing priorities to help create installation plans that minimize negative ripple effects when new systems are brought online. It requires the ability to communicate excellently, both on a technical and an operational level. A client can’t have a positive technology experience if they don’t understand what’s going on, if they don’t know who is leading the project, or if they never know where they are in the process.

For the last few years I’ve used a line from a superhero movie to describe the importance of the role we at DataYard play on behalf of our clients: “With great power comes great responsibility.” We take the management of our entire infrastructure, and the management of individual client applications from end-to-end, very seriously. When you have the power to bring an enterprise’s technology to a screeching halt you tend to open technical doors very carefully. You only open those doors when you absolutely have to. You do it with a purpose, and you know — in advance — exactly what you’re going to do when you’re on the other side. To be careless with a client’s applications or data only invites disaster.

Nobody likes disasters, including technological disasters. Responsible technologists avoid disasters by first imagining all the things that could go wrong. Then they use their position and influence to mitigate those risks one by one through good processes, building in capacity and redundancy, and preparation prior to plan execution. To do anything less is a disservice to your users.

OpenSSL Security Vulnerability: Heartbleed

Late yesterday, a vulnerability in the OpenSSL libraries, CVE-2014-0160, was announced. The OpenSSL libraries are used to provide the secured or encrypted connections for web stores like Amazon or eBay, banks, and other sites like Google, Facebook, and Twitter. This vulnerability would allow attackers to learn the private keys used to encrypt and decrypt the secured information.

Several of our servers were affected by this vulnerability, including our Linux Fusion platform and Connect webmail interface. We have updated all vulnerable services but strongly recommend that all customers with SSL enabled sites get the SSL certificates revoked and re-issued. Some customers may see warnings when connecting to SSH/SFTP for the Linux Fusion platform as we have also re-generated the keys for SSH/SFTP. If you have any questions or concerns please contact support at 800-982-4539 or by email at [email protected]

For more information on the vulnerability please visit:  http://heartbleed.com/ or http://www.kb.cert.org/vuls/id/720951

What attachments are blocked by DataYard’s Email filtering?

A complete list of attachment types that are not allowed through DataYard’s email services.

You should never accept or download any type of file from an unknown source. To help stop the recent increase in malicious files being received via DataYard email accounts, we have implemented new policies regarding the sending and receiving of certain executable files.

If someone attempts to send an email with one of these attachment types, they will receive a non-deliverable message letting them know that we do not accept these types of attachments for security reasons. The message will not be delivered to you.

The file types that will NOT be accepted are as follows:

  • .ade – MS Access Compiled Database and Code
  • .adp – MS Access Data
  • .bat – Batch
  • .chm – Microsoft Help Document
  • .cmd – Microsoft Batch
  • .com – MS-DOS Executable
  • .cpl – Windows Control Panel Configuration
  • .exe – Win32 Executable
  • .hta – HTML Executable
  • .ins – Windows Internet Settings
  • .isp – IIS Settings
  • .jse – JavaScript Encoded Script
  • .lib – Static Library
  • .mde – MS Access Compiled Database and Code
  • .msc – MMC Console Snap-in Control
  • .msi – Windows Installer Package
  • .msp – Windows Installer Patch
  • .mst – Windows Installer Transform
  • .reg – Windows Registry Key
  • .pif – Program Information
  • .ps1 – PowerShell Script
  • .psm1 – PowerShell Module
  • .psd1 – PowerShell Hash Table
  • .scr – Windows Screensaver
  • .sct – FoxPro Compiled Query
  • .shb – Windows Document Shortcut
  • .sys – Windows System
  • .vb – VBScript
  • .vbe – VBScript Encoded Script
  • .vbs – VBScript Script
  • .vxd – Windows Virtual Device Driver
  • .wsc – Windows Script Component
  • .wsf – Windows Script
  • .wsh – Windows Script Host
  • .ws – Windows Script File
  • .msh – Microsoft Shell
  • .lnk – Windows Shortcut File
  • .inf – Information or Setup File
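An extension blocklist like the one above is easy to sidestep if the check is naive about double extensions, letter case or trailing dots. The following added example (not DataYard's filter code; function names and the sample message are constructed) parses a MIME message with Python's standard `email` package and reports attachments whose final extension is on the list.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions copied from the blocklist on this page (without the leading dot).
BLOCKED_EXTENSIONS = frozenset("""
    ade adp bat chm cmd com cpl exe hta ins isp jse lib mde msc msi msp mst
    reg pif ps1 psm1 psd1 scr sct shb sys vb vbe vbs vxd wsc wsf wsh ws msh
    lnk inf
""".split())


def final_extension(filename):
    """Return the lower-cased last extension of an attachment name.

    Only the final extension counts, so "invoice.pdf.exe" is "exe". Trailing
    dots and spaces are dropped first because Windows ignores them when the
    file is saved, which would otherwise let "setup.scr." slip through.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". \t")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def blocked_attachments(raw_message):
    """Return (filename, extension) for every MIME part with a blocked type."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type "name".
        filename = part.get_filename()
        if filename:
            ext = final_extension(filename)
            if ext in BLOCKED_EXTENSIONS:
                hits.append((filename, ext))
    return hits


def build_sample_message():
    """Constructed sample: two names that should pass, two that should not."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("report.pdf", "Invoice.PDF.EXE", "setup.scr.", "notes.txt"):
        msg.add_attachment(
            b"placeholder bytes",
            maintype="application",
            subtype="octet-stream",
            filename=name,
        )
    return msg.as_string()


if __name__ == "__main__":
    for filename, ext in blocked_attachments(build_sample_message()):
        print(f"reject: {filename!r} (.{ext} is not accepted)")
```

This looks only at the declared file name; a blocked file inside an archive or under a renamed extension needs content inspection, which this example does not attempt.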

 

As always, if you ever have any questions or concerns please contact our support department Monday-Friday 8am-5pm.