Posts Tagged ‘security’

August 5, 2010

Security Myths part 2

By in SoftLayer, Technology, Tips and Tricks

Security Myth #4: A hardware firewall will stop the evil hackers from the internet. They also stop viruses and spam emails.

The Facts: A hardware firewall will filter your traffic based on a set of rules. If properly configured, this will certainly harden your system from certain types of attacks. However, if you want to stop intrusion attempts on your server, you probably want to implement brute force protection or intrusion detection (IDS). Most operating systems nowadays include brute force protection in one form or another (although it may not be turned on by default). If you want an IDS, there are several options available. Here at SoftLayer, we offer McAfee Host Intrusion Protection System (or HIPS for short) for Windows systems. This will offer you some additional protection against intrusion attempts, but it is no substitute for a well patched system with strong passwords. This is especially important to know if you contract with an outside agency to configure your firewall for you. It’s easy to delude yourself into a “set it and forget it” attitude toward security. I can’t tell you how many administrators I’ve talked to that have asked “how did I get hacked? I had a firewall!”

The Side Effects:

  • Having a hardware firewall means an additional step to allow access to ports, which can be time consuming.
  • Having a hardware firewall can potentially mean an additional point of failure.
  • Too many rules can mean degraded performance.

Security Myth #5: I run a Unix/Linux based system, so I can’t get hacked.

The Facts: I have seen a fair share of Unix based systems get hacked, simply because the user is unfamiliar with the OS. Running everything from within a control panel is convenient, but make sure you or one of your administrators is familiar with command line access.

The Side Effects:

  • Running a control panel can cause more security holes

Security Myth #6: I have my WordPress (or other web application) patched to the latest version, so I should be fine.

The Facts: WordPress is a piece of cake to install. You don’t even need to know how to code in HTML. This means you can install it and have it working properly, and still forget to correct your filesystem permissions. You need to make sure that you read the installation documentation and complete all steps. If you just stop reading once the application starts working, you could potentially forget to correct your permissions and someone could gain access as an administrative user. I ran into a situation one time where a user was utilizing a web interface to manage an online marketplace. I was shocked to find out that the link he sent me allowed me in without the use of a password! Make sure that your application doesn’t use the default password or a blank password.

The Side Effects:

  • Having the latest version is great, but make sure you take a 360 degree look around to make sure nothing is out of place

Security Myth #7: I am getting SPAM messages, but I have a firewall.

The Facts: A firewall does not filter SPAM messages. You might look into the free SpamAssassin software that will filter email for potential SPAM. http://spamassassin.apache.org/

July 27, 2010

Security Myths Part 1

By in SoftLayer, Technology, Tips and Tricks

The world of IT security is full of partial truths and paranoia – some of which is completely justified. Sometimes, steps are taken that actually are beneficial, but without knowing the reason behind the precautions, many administrators are lulled into a false sense of security. Here are some common misconceptions that I see in action frequently:

Security Myth #1: If I set my password strong enough, my system will be secure.

The Facts: There are many ways to compromise a system. For example: exploitable code on your website, lax filesystem permissions, and publicly accessible services running on your system (such as email or chat). In fact, having a long secure password is often like having a steel security door with retinal scan technology on a grass hut. Don’t get me wrong, having strong passwords is a great thing, but don’t forget to look at the rest of your system!

The Side Effects:

  • Longer passwords take longer to type (obviously).
  • You are more likely to forget a longer password.
  • You are more likely to mistype a longer password (and get locked out).
  • If you force this policy on your end users they are more likely to write the password down (bad).

Security Myth #2: If I replace letters with their corresponding l33t speak numbers (e.g. hello -> h3110), it will make my password more secure.

The Facts: Technically, yes it will make your password more secure, but only marginally. Simple character substitution is a common feature among brute force tools. This will slow down the brute force attack, but your system may still eventually be compromised by a hybrid dictionary attack. You might also consider configuring the brute force protection options on your server.

The Side Effects: There are no side effects – in fact, this is a far greater idea than simply using a dictionary word. However, it is best to also add some additional numbers or letters to throw off brute force tools. Many brute forcers also allow for prepending or appending a string of numbers (e.g. 123hello or hello123). It is better to place random numbers or characters in the middle of your password so that it is not vulnerable to a dictionary attack (e.g. hagen!23daas). Another alternative for a secure and easy to remember password is to make an acronym of a famous phrase or quote. For example: “sticks and stones may break my bones” -> “S&smbMb!$”.
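The following is an added password-policy check, not code from the original post: it undoes the same leet substitutions and prepended/appended digit runs that hybrid dictionary tools try, and it counts how few extra variants leet-speak actually adds to a word. The dictionary is a constructed stand-in for a real wordlist.

```python
import math
import re
from typing import Tuple

# Constructed mini dictionary; a real deployment would load a full wordlist file.
DICTIONARY = {"hello", "password", "dragon", "monkey", "letmein", "welcome", "sunshine"}

# Substitutions that hybrid cracking tools already reverse (e.g. hello -> h3110).
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
            "@": "a", "$": "s", "!": "i"}
LEET_LETTERS = set(LEET_MAP.values())


def deleet(text: str) -> str:
    """Map leet digits/symbols back to the letters they stand for."""
    return "".join(LEET_MAP.get(ch, ch) for ch in text)


def strip_affixes(text: str) -> str:
    """Remove leading/trailing runs of non-letters, i.e. the 123hello / hello123 pattern."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def check_password(password: str) -> Tuple[bool, str]:
    """Return (acceptable, reason). Rejects anything a hybrid dictionary attack
    would recover by stripping affixes and/or reversing leet substitutions."""
    lowered = password.lower()
    for candidate in (lowered, strip_affixes(lowered)):
        for form in (candidate, deleet(candidate)):
            if form in DICTIONARY:
                return False, f"derived from dictionary word '{form}'"
    if len(password) < 8:
        return False, "shorter than 8 characters"
    return True, "not a dictionary derivative"


def leet_variant_count(word: str) -> int:
    """Number of leet spellings of a word: two choices per substitutable letter."""
    substitutable = sum(1 for ch in word.lower() if ch in LEET_LETTERS)
    return 2 ** substitutable


def leet_bonus_bits(word: str) -> float:
    """Extra entropy leet-speak adds over the plain word, in bits (marginal)."""
    return math.log2(leet_variant_count(word))


if __name__ == "__main__":
    for pw in ("h3110", "hello123", "123hello", "hagen!23daas", "S&smbMb!$"):
        print(pw, check_password(pw))
    print("leet variants of 'hello':", leet_variant_count("hello"),
          "=", leet_bonus_bits("hello"), "extra bits")
```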

Security Myth #3: If I change the port number for RDP/SSH/Plesk or turn off ping response, my server will be safe.

The Facts: This is the myth of “security through obscurity.” Changing your port number or turning off ping will only reduce attacks from computer worms and extremely lazy hackers. Say for example that you run a website on your server. Anyone who knows the URL of the website can easily find your IP address (by ping or nslookup). Then all they have to do is port scan that IP address (using a port scanning tool such as nmap or SuperScan) to see which ports are open. If your passwords are secure enough, you needn’t worry too much about the brute force attacks from the internet. You should only consider this a secondary safeguard just in case the server happens to have a vulnerable service running on it. Your first priority is making sure your system is properly patched and updated.

The Side Effects:

  • It is very difficult to track or troubleshoot packet loss on servers that have ICMP blocked.
  • Changing ports may confuse your users.
  • You will need to remember to include this port information in any technical support request.
  • Many automated systems or scripts will require custom configuration.

March 17, 2010

Redrum

By in Executive Blog, Infrastructure, SoftLayer

How many of you when you were kids were scared to death of the movie The Shining? I know I was. I think it still scares me today. The movie even made a little kid scary; his voice is what pulled it off. I can still get in trouble with my wife for getting our 6 year old to say “redrum” in a scratchy, scary voice.*

What do The Shining and redrum have to do with SoftLayer? We’re all about redrum but only when it comes to destroying left over customer data. What do I mean by destroying customer data you ask?

When you have a server that you spent Capex on and have it in front of you and can touch it and set coffee on it or use it for a plant stand, you know where your data is. When you replace that server or upgrade the hard drive you can then do what most people do with the old one and chunk it in the dumpster or be a little more secure and format the hard drive or even a little more secure and take the drive out and smash it into pieces. Now, that is secure.

So what do you do when you outsource your hardware to a provider like SoftLayer? You put your old data in our hands and we redrum the data and make Jack Nicholson seem like an angel.

It is a little more difficult for us to protect your old data because we are an on-demand provider. When you cancel a server we reuse that server for another customer. You probably don’t want your data in that new customers hands so we have to do a little more than format the drive and we can’t just take it outside and bash it into pieces because then we couldn’t reuse the drive. So we use a little technology to make sure your old data is safe.

When you cancel a server, it sits in limbo for a while, just to give us a chance to change your mind and have you keep it. After the waiting period we erase the data. This is a destructive process, so when you do cancel a server, make sure you have the data you still require somewhere else. Our system uses algorithms developed by the Department of Defense and several independent agencies that are considered military grade as defined by DOD 5220.22-M (sounds official, right?). Utilizing this process, residual drive data is destroyed. This process is monitored and logged, and we can track the history of any drive. Once complete, the drive is ready to be redeployed to a new customer.

I know you are thinking, “That isn’t redrum,” but what do we do with a drive when it is at the end of its productive life? If it’s too small, not fast enough, or dead and out of warranty? We redrum it for sure! We complete the steps above and then send them offsite to get destroyed and then get them back after they are destroyed for tracking and verification of redrum! Yes, we could get them shredded but then we would have no proof they were destroyed. Here is what they look like when they return:

[Image: hard drive 1] Note the hole in the center.

[Image: hard drive 2] This is looking down from the “top”.

[Image: hard drive 3] And last but not least, a view from the bottom. Note the platters are bent and protruding through the board.

*Just in case you haven’t seen The Shining (Spoiler Alert) a small boy in the movie mumbles “redrum” in an eerie voice in the beginning of the movie. He continues to say it more and more and finally he writes it on the bathroom door. When you see it reversed in the bathroom mirror you then understand what he is saying.

-@Skinman454

March 5, 2010

Does Your Password Suck? Maybe it’s Time to Upgrade.

By in Business, Tips and Tricks

Just about everything you use wears out over time. Yet some people feel the need to use the same password for years on end. I have followed a few articles over the last few months and it seems that password usage best practices are hard to get to end users—between the Hotmail Scam that revealed the most common password is “123456” to the ongoing surge of phishing sites I see in my email every day. Here at SoftLayer we provide server security scanning automatically in the portal, which is used all the time. But some of those same users do not review their personal security policy involving their login accounts.

In the customer portal over the years we have added numerous security upgrades to help alleviate password-style attacks, including the recent addition of VeriSign Identity Protection and past changes such as security questions, IP restrictions, and failed password attempt throttling. We are trying to do our part securing your account, but we need help from you as the end user by periodically updating your password and other security requirements. The chain is only as strong as its weakest link. Now go change your password! Here are a few simple guidelines to get you started:

Good Choices:

  • Make it as long as possible
  • Use as many different characters as possible
  • Do not use words listed in standard dictionaries as your password

Things not to do:

  • Write your new password on a sticky note and attach it to your monitor
  • Use one of the top 500 passwords
  • Share your brand new password with friends

The bad guys are getting smarter, the end users (that means you) need to step it up too.

Offsite References:

-Dorian

January 29, 2010

Security and Plan B

By in Business, Customer Service, Infrastructure, SoftLayer

Security is not a thing to be taken lightly. Think about the information that is stored on your server; think about how many months or years worth of data is stored in your databases. Your account information holds a master key to all of this data on your server. This is the very reason this information is protected so closely by the SoftLayer staff.

All companies work very hard to make sure that their products and services are as easy to use as possible. While on the other hand, security works as hard as possible to, seemingly, make the product or service difficult to use. While it is never our intention to make any service difficult to use, it is our intention to make them secure. This is the very reason why, when we are presented with any questions via phone that are sensitive to the operation of your server or account we ask the inconvenient questions to make sure the person on the other end of the phone line is authorized to make the requested changes to the account or the server.

Up to this point this article has not been as light hearted as I had originally intended, but it’s all about being prepared. The point is, everyone deserves a vacation at some point or another (or believes they do), and according to Murphy’s Law, something will inevitably occur that requires immediate attention. When you’re enjoying that time on the beach, your mind a million miles from bits and bytes, and you miles from anything that can be used to properly manage your server or your account, an issue can occur.

While you are out, have you made proper provisions to ensure someone can manage your hardware in your place? Your staff may have the passwords for the servers, IP addresses, and may be able to drop your name; but, I assure you this is not enough information for the SoftLayer support staff to submit a ticket, reboot, or log into your server on your behalf. Have you made sure that in a panic situation someone will be able to provide us with the answers to the security questions on the phone? Are you sure whoever is left in charge has been given the proper permissions in our management portal? Making sure these points have been thoroughly covered prior to your vacation, or even leaving for the day, will help you minimize risk while maximizing your beach vacation.

January 21, 2010

2010 PCI Compliance and You

By in Business, Executive Blog, Introductions, SoftLayer, Technology

I know you already know everything about PCI compliance, especially the if’s, and’s, and but’s that go along with it. But, just in case you forgot, here it is in a nutshell.
Is PCI compliance a Federal law? Nope! Not yet anyway. Some states do make it a crime to let credit card data “be” stolen.
What is PCI? It is actually PCI DSS and it stands for Payment Card Industry Data Security Standard.
Who needs it? Anyone that accepts, transmits, or stores ANY credit card data.
Are there different levels? Yes, I am glad you asked.

  • Level 4 – Any merchant processing fewer than 20,000 credit card e-commerce transactions in a 12 month period
  • Level 3 – 20,000 up to 1 Million transactions
  • Level 2 – 1 Million up to 6 Million
  • Level 1 – 6 million + (or any merchant that Visa feels should meet level 1 to minimize risks) This is what we are all striving for, right?

Who cares if you are PCI compliant? For starters, YOU should! And secondly, your merchant bank will care. They will care more the larger you get. See minimize risks statement above.
Since it isn’t a federal law should I risk it, because I know my security and I am impenetrable? I wouldn’t take that risk because you can still pay fines, card replacement costs, and pay for forensic audits, etc if someone were to get in and steal data.
How can SoftLayer help? For starters and a quick level 4 fix you can go here and get free scanning on a single IP. Combine that with a “quick” questionnaire about your physical and data security policies and voila, no onsite visit needed and you are now PCI Level 4. McAfee can help you with your higher level compliance if you would like. Don’t take the questionnaire too lightly, because remember, you do care about PCI!
Ok so if you have made it this far then you must like boring reading. Go read this. It might come in handy someday. It is the “do this if you get hacked” cheat sheet.
On to 2010! MasterCard stepped up in 2009 and stated that even their Level 2 merchants had to have an onsite QSA assessment by December 31, 2010. That has now been pushed to June 30, 2011. There seems to be some confusion from the other Credit Card companies and they didn’t all jump on board. One thing that they did all agree on is that you can’t put credit card info on WEP secured wireless at all after July 2010. Just don’t do it! And don’t use old un-patched payment applications because they are insecure and will not be allowed after July as well.
This could all change just like Texas weather. If you don’t like the new rules, then just wait a couple of days and they may change it more to your liking. There are still a few things they are looking at going forward that I will let you in on, and then I assure you I will stop typing. PCI 1.2 is still about stopping hackers from getting in; there is a new interest in the community on addressing “internal” hackers. The current focus of PCI is aimed at card data “after” authorization but doesn’t say much about card data that is kept prior to authorization, so you can bet that will be added soon too, and of course cloud infrastructure and card data has to be on everyone’s radar screen soon.

January 13, 2010

Always Have a Backup Plan…

By in SoftLayer, Technology

Everyone always says it’s a good idea to have a backup plan just in case your primary plan bites the dust. I couldn’t agree more. Recently my personal Xbox 360 failed and this has caused plenty of grief in my household. I used my Xbox to stream content from Windows Media Player on my desktop to the TV (via Media Center edition of Windows XP). This has worked great and has been able to provide me with a means to entertain my child. Of course, this going out has caused a screaming baby because now she can’t watch her “movies”.

Now, had I had a proper backup plan, this wouldn’t be an issue. See, I put all of my trust into a single device and/or single method to accomplish something. When this device failed, my operation came to a halt. I didn’t listen to the advice I’m always telling our customers… have a backup or backup plan. This is where our “extra services” come into play. Not only do we offer backup solutions (eVault, NAS…) but we also offer solutions that allow you access to high-availability configurations (Citrix XenServer, for example). With XenServer you can configure a cluster of systems and setup automatic failover. This would prevent any major outages of your website/services. If this isn’t something you think would work for you, utilizing eVault backups might. We now offer eVault Bare Metal Restore. Now, the problem is somehow applying these to my Xbox so my kiddo can go back to watching her movies… Long story short, don’t rely on a single solution. Always have a backup plan or system in place to prevent headaches in the future. You won’t regret it if you do.

January 12, 2010

SLXXXXX Twitter Log

By in Executive Blog, Introductions, Social Media, SoftLayer

8/24/2009 1:00PM – Just ordered 3 more servers from SL. Man I love how easy it is to order, and the provisioning time is incredible.

8/24/2009 11:45PM – Got the new servers setup; now I have redundancy for my app. G’nite.

9/04/2009 8:00AM – Suhweet, just passed 50K users for my app. Hitting the pool.

9/21/2009 6:42PM – Oops, app crashed too many users. Recovering now. Thank goodness for monitoring alerts.

9/21/2009 8:13PM – Sorry all, app back up. SL CloudLayer really helped. Their portal makes it all easy.

9/22/2009 3:13AM – Ok stayed up late tonight and added new functionality to the app and added a new app server, geographic load balancing baby!

10/6/2009 2:45PM – Thanks for all the support on the app, keep the new ideas coming. 450K users and growing.

10/31/2009 5:50PM – Happy Halloween! 627K users. Thank you!!

11/14/2009 6:02AM – Getting close 989K users. Party at 1 Million. Just added 2 new front end servers in each DC, adding cloud storage now for Data replication/protection.

11/21/2009 7:31AM– It’s finally here 1 Mil. Party time! Isn’t ad revenue the greatest. The in game pay to play money is fun too. Thanks all!

12/10/2009 4:42PM – Still growing. I was alerted that one server crashed. No users affected. Technology is cool.

12/18/2009 9:16PM– ‘Bout to go silent for the Holidays. Hope you all have good ones. See you at 1.5 million when I return.

12/19/2009 7:00AM – Decided to add a couple more cloud instances for good measure. App is smoking fast.

12/31/2009 10:45PM – Monitoring just hit my phone, at party will check asap.

12/31/2009 11:00PM – Found a netbook at the party. App is crashed. Looking.

12/31/2009 11:07 PM – WT? All servers down, hard down. SL up and friend app good on SL network. Investigating, sorry for outage.

12/31/2009 11:10 PM – Hackers? Not sure all servers affected. Ping only. Had very secure. No problem before.

12/31/2009 11:29PM – Portal password got hacked. Intruders OS reloaded every server with RedHat, turned off all CCI.

1/04/2009 6:00AM – Happy New Year, mine sucked – app back – 5000 daily users. Sad day.

While the above is completely fictional, it could happen to just about anyone. Don’t let it happen to you. No matter how long and how secure you think your password is, there is someone out there who can crack it. It is one thing keeping a server secure and most technical geniuses are very adept at doing just that. With all the time and effort it takes to keep your servers secure, you might find that you have slipped in other areas. SoftLayer is here to help in VIP Style.

The cutting edge SoftLayer portal now has optional Two Factor Authentication support using VeriSign’s Identity Protection. First, what is Two Factor Authentication? It is defined as, “something you know (password) and something you HAVE (pin number of sorts).” Here is how it works:

You buy a physical device in the form of a keychain token or a credit card token; or in the cool age of technology, you can simply get one of the free phone apps that do the same thing for you without the extra piece of equipment to carry. Once you get the device/app you would go to the portal and register the token’s unique ID and attach it to a username on the account. The master user gets this FREE and then if you want other users on your account to have this functionality it is $3 per user per month. If the master user does turn on this functionality no one else will be allowed into the system without using two factor authentication. Once this is setup, the user will login using their “known” password and then they will also have to enter the “code” (the thing you have) on the token device or phone app to gain access. The code changes on a fast schedule so this is extremely secure. This would have made the New Year’s celebration for the person above much more fun.

One last thing, since we partnered with VeriSign you can use the token device or phone app for different sites that use the VeriSign product. PayPal is one example. Here is a complete list.

Now that you know about it, and now that we offer it, don’t be the guy that doesn’t keep the portal secure and misses out on a Happy New Year!

December 21, 2009

Why Redundancy is Important!

By in Cloud, Technology, Tips and Tricks

The other day everything was going so well – I woke up in a fantastic mood, ate a great lunch, accomplished all of my work for the day, and left on time! I was thrilled that my day went so well, then a catastrophic failure occurred. I walked out to my car, grabbed my keychain from my pocket and found that my car key was gone. My only car key! This scenario can happen not just with car keys, but with your server and data as well. Redundancy can give you peace of mind and save you from an expensive mistake like I made with my car. The worst part is that I could have easily prevented this scenario by just having a backup key. Some good practices to provide redundancy are listed below:

1. Redundant backups – If you have a backup to a local disk it is good to have an offsite backup or a storage solution backup so that way you have a redundant way to recover in the event something catastrophic occurs.

2. Redundant DNS – You can run your own DNS server and use our secondary DNS service or even setup another DNS server for failover.

3. RAID Arrays – Having a RAID array such as RAID 1, RAID 5 or RAID 10 gives you an extra level of protection for your drive’s data (this is no substitute for backups, just added protection).

4. Failover – An example of this being a production server. If the server fails there is another server setup and ready to take its place. This can be done manually or with our services such as our hardware load balancer or Netscaler solutions.

5. Contact information – In the event you are unable to be reached it is a good idea to have someone else available to make contact with us to address support issues etc.

By following some of these practices you can avoid encountering issues that are generally avoidable and that would cost you a lot of downtime and headaches. I know I have learned from my key mistake!

December 3, 2009

Hey, I just got an email saying I won a million dollars! *Click* Wait, what just happened to my computer?

By in Technology, Tips and Tricks

This is usually how it starts. Some shady person sends out spam telling people they have won a million dollars or a free laptop or mp3 player, with a link to a form they need to fill out to claim their prize. Only you don’t win an mp3 player or laptop. You win an infected computer that is now a drone in a much larger botnet. This botnet is either for direct malicious purposes (Denial-of-Service attacks) or indirect malicious purposes (spam, phishing, etc). How do you stop this from happening to you and you becoming “that guy”? Don’t click links in email unless you’re 100% sure who it’s from and what it’s for. That’s the basic rule to remember. Secondly, make sure you have an anti-virus program that’s capable of scanning email and keeping your system protected from malicious browser exploits. Thirdly (and this should go without being said, but I’m saying it anyway), make sure your computer (and all software) is up-to-date. Sure, there’s the occasional bug and 0-day exploit on up-to-date systems, but there’s a whole slew of exploits and things that can be done to an un-patched system. Keep your systems up-to-date and you reduce the “known” exploits from literally thousands to maybe a few.

Think about this, 80% of the world’s email is considered spam. Of that 80%, the vast majority (more than 75%) is sent using infected computers (drones). If everyone would re-think blindly clicking links in emails and on webpages (social networking sites have a history of people trying to fool users into clicking bad links) then the spammers wouldn’t have drones available to them to send spam. Interesting thought, isn’t it? Let’s stop spam by being smart internet users and denying the “bad guys” the resources they need to send out the spam.