Written by Patrick Pelanne
Tuesday, October 14th, 2014
Tonight Google announced a flaw in the design of SSL v3. We have been tracking this issue after we heard whisperings in private security circles last week. Upon disclosure of the details we began remediating immediately.
The vast majority of end users should not experience any issues as a result of the changes we’re making. In fact, Google estimates this change will affect less than 1% of the internet. (The SSL 3.0 protocol is almost 15 years old but has remained in place to support users running older browsers.)
The attack vector for this vulnerability has prerequisites and is very sophisticated. As such, the real world severity is far below the recent Heartbleed & Shellshock vulnerabilities.
Check out Google’s Security blog for details.
If you would like to be 100% protected, you can disable SSLv3 in your browser settings. Information on how to do this in a few popular browsers can be found here.
Written by Sean Valant
Thursday, April 10th, 2014
You may have now heard of the “Heartbleed Bug.” Before we continue, we want to reassure you that if you are hosting on a HostGator shared or reseller server, that your server has already been patched. For everyone else, HostGator customer or not, we have created the following tool to assist you with determining whether or not your site is presently vulnerable and what further action to take, if necessary: https://heartbleed.hostgator.com/
Now, what exactly is the Heartbleed Bug? Technically speaking, it is a serious vulnerability in the popular OpenSSL cryptographic software library. In layman’s terms, it allows the ever-present nefarious individuals the ability to intercept and decode encrypted data. The following quote comes from heartbleed.com:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
The bug is so-named due to a normal function between two computers across a network (such as the Internet) sharing an encrypted connection. The “heartbeat” is simply a pulse, or packet of information, sent from one machine to the other to ensure the connection still exists. This functionality is what allows the exploit to occur, in that the heartbeat is simulated by a third party in such a way as to allow them access to the memory of the receiving server.
What this translates to is virtually unlimited, and untraceable, access to a myriad of private information which potentially can include usernames, passwords, and even credit card information. The full extent of the situation is not presently known. What is known is that we should all consider all of our passwords to be compromised. As a result, you absolutely want to update any passwords for anything and everything you log into online. However, if you change your password for an account on a server that has not been patched, then you can consider the new password compromised as well.
For full information regarding this situation, we recommend reading the associated Wikipedia article.
Written by Taylor Hawes
Wednesday, November 6th, 2013
In May of 2013, former National Security Agency contractor Edward Snowden fled the United States with classified documentation revealing some of the most sophisticated and prolific public spying in American history. The PRISM program he divulged is an extensive campaign that utilizes classified intelligence directives to acquire “metadata” from major Internet players like Google and Yahoo. Since then, Snowden has brought to light myriad directions of similar ilk, geared toward data collection in the name of intelligence efforts.
In a recent leak, however, it was revealed that PRISMs scope pales in comparison to the NSA’s international data mining project, known by the acronym MUSCULAR and run in tandem with the British GCHQ. The program, it was shown, utilizes the linkages between Google and Yahoo data centers, mining entire data flows and shipping the data back to NSA data warehouses in Fort Meade.
The NSA program utilizes a structural flaw in the two companies’ architecture. Yahoo and Google maintain high speeds through decentralized data centers spanning multiple continents and connected by thousands of miles of fiber optic cable. In order to maximize performance, these data centers continuously sync information between repositories, including whole user accounts and email indexes.
In order to obtain the information desired, the NSA needed to circumvent exemplary data security protocols. These protocols include 24-hour guards, biometric identity verification, and heat-sensitive camera at data centers. According to the article in the Washington Post, company sources had reason to believe that their internal networks were safe.
Despite these measures, a weakness was uncovered. An internal NSA slide show leaked by Snowden contained a hand-drawn diagram outlining the transition point between Google internal networks and user computers. The drawing highlighted Google front-end servers as the weak point, noting that these servers actively decrypted information and could be exploited for data acquisition purposes.
Neither company was aware of the backdoor intrusion. Both companies acknowledge and acquiesce to front-end requests for data but maintained that their internal networks were secure. Google vice president for security engineering Eric Grosse even announced plans to encrypt linkages between data centers with the presumption of security.
Since the leak, both companies have reacted in outrage. Google’s chief legal officer, David Drummond remarked on the subject: “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide.” Yahoo commented: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”
Legally speaking, the NSA is exploiting a loophole related to international espionage practices. While Congressional oversight has limited domestic spying, international monitoring remains less inhibited. Because the data centers of the two Internet giants span multiple continents, interception of these data flows is technically permitted under Section 702 of the FISA Amendments Act of 2008.
This international monitoring occurs with the cooperation of the British GCHQ. The UK agency maintains a data cache that can hold three-to-five days of traffic data before recycling storage. During this time, NSA software utilizes search terms in order to sift desirable data from the dredges. This data, once identified, is shipped via fiber-optic cables to the data warehouses in Fort Meade. This information, the agency claims, has produced intelligence leads against “hostile foreign governments.” At this point, this assertion of intelligence value remains largely unsubstantiated, likely due to the classified nature of such leads.
The scope of the MUSCULAR program lies in the volume of search terms used while sifting through acquired data. According to records, these inquires include 100,000 terms, more than two-fold the amount used in the PRISM program. The volume indicated in the Washington Post’s documents topped 181 million records over a 30 day period. The data acquired includes who sent or received emails, the subject of these emails, when and where they were sent, and the text, audio, and video content of these messages.
The program strikes a chord with both companies due to its unique nature. Both organizations were willing participants in the collection of data through front-end means, but the back-end intrusion remains uncharacteristically aggressive. Google, as mentioned, will move to encrypt its internal networks, however Yahoo has not indicated whether it will do the same.
The ramifications of these revelations is yet to be seen. However it is likely that, in the wake of negative public reaction to the PRISM documents, the sentiment will be similar. Ultimately, the continued exposure of agency programs continue to demonstrate the inter-connected and heavily monitored nature of our digital communications; a fact that can no longer go unacknowledged.
Written by Sean Valant
Friday, August 23rd, 2013
Yesterday (August 22nd, 2013) a massive number of IP addresses used for email gateways on virtually every webhost in the world became blacklisted on multiple networks. This resulted in a global inability for email to be received (any time the email originated from one of the blacklisted IPs and was “received” on one of the blacklisting networks).
The issue is on-going at the time of this writing, and some customers are still being affected at this moment, however HostGator was one of the first companies to successfully mitigate the situation and we have since been assisting other companies with this issue. As it stands, we are presently working to now get our IP’s removed from the blacklists and restore full worldwide email deliverability from our network.
This situation resulted from a combination of multiple factors stretching back a few months. Before we explain the circumstances, we want to once again stress the importance of keeping all scripts on all hosting accounts updated. Failure to update scripts, as well as not exercising basic security practices, is what allows situations like this to continue to occur. An out-dated script on a hosting account is akin to an unlocked car left in a parking lot… it’s an invitation for maliciousness by unscrupulous individuals.
Unlike the situation back in April that affected WordPress, this time the target was Joomla. Back in May, there was a string of exploits against known vulnerabilities in Joomla. These vulnerabilities, related to a component called JCE, had been previously addressed via certain mod_sec rules. However, a workaround was discovered that allowed malware to be installed, and later activated, to allow the uploading and execution of mailing scripts.
These mailing scripts were activated en masse yesterday, beginning a massive spamming campaign resulting in the blacklisting of email gateway IPs worldwide. One of the largest networks with users reporting issues initially was AOL, resulting in us creating this forum post.
As with all issues of this nature, there are lessons to be learned. The most important lesson here is to (again) keep all scripts on your hosting account up-to-date. Most scripts have a one-click feature to update them anytime a new version is released. Keeping scripts up-to-date is paramount in ensuring a secure hosting account.
HostGator has now added additional monitoring capability to our systems which will alert us to situations like this even faster than yesterday. Our work is on-going, though we should have the majority of the blocks resolved by tomorrow (spam lists move slow, with good reason). But remember, there is no better way to keep your car safe than to lock it. Please take this moment to log into your hosting script back-ends and ensure they are up-to-date. Don’t give the bad guys an open door to walk through.