The Heartbleed Bug

The last couple of days have seen a lot of press attention about the 'Heartbleed Bug', a compromise of Internet privacy and security that affects websites hosted on the Apache and Nginx web servers, used by many leading website hosting companies including ourselves. (More details on the Heartbleed Bug can be found below.)

‘The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.’

Source: http://heartbleed.com/


Like everyone else involved in the Internet and Internet security we are still coming to terms with some aspects of this particular bug.

Our advice: stay calm - there is no sign so far, anywhere on the internet, of large-scale exploitation of this bug to compromise servers. As far as we know, legitimate security researchers were the first to find this, not hackers. That being said, the implications of the bug are serious.

Below we have some information for our current customers about the steps that are being taken by ourselves and our providers to ensure the safety and security of your data. Please rest assured that all is in hand and we will be in touch with further updates should the situation change.

If you are not currently one of our clients and you are looking for help or advice with your own websites, hosting or servers, please contact us via the contact form, or directly using the telephone number at the top of this page.

Our Providers

Our providers have patched all of their own infrastructure and generated new SSL certificates for control panels and associated technologies.

Our Shared Hosting

Our shared hosting - which you utilise - is safe: very few clients on shared hosting use their own SSL certificates, so there is little risk there. There are some 'shared SSL certificates' used so that images and other resources can be shown from a 'secure' URL - useful, for example, if you want PayPal to show your logo on the secure checkout page that PayPal hosts - but the implications here are minimal.

Our High Capacity, High Availability Hosting

Our servers, like two thirds of the internet, were running the vulnerable version of the OpenSSL library. Once word of the vulnerability started to leak out, we found out about the exploit quickly and had all of our servers patched and the appropriate services restarted very quickly. By close of business on Tuesday all of our servers were secured. Like everyone else we are evaluating next steps, including advising clients on the need to update passwords.
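The two checks an operator wants after a patch like the one described above are whether the installed OpenSSL build is still in the affected range, and whether any long-running service (web server, mail server, database) is still using the old library because it was never restarted. The script below is an added example, not the hosting company's own tooling. It assumes a Linux host where `openssl version` prints a line such as "OpenSSL 1.0.1e 11 Feb 2013" and where a process that still maps a replaced library shows that mapping with a "(deleted)" suffix in /proc/<pid>/maps; the vulnerable range (1.0.1 through 1.0.1f, fixed in 1.0.1g) is the published one. The sample maps contents are constructed for the example.

```python
"""Post-patch checks for the Heartbleed bug (added example, not the hosting company's code).

1. openssl_version_vulnerable(): is the reported OpenSSL version in the
   affected range 1.0.1 .. 1.0.1f?  Caveat: many distributions backported the
   fix without bumping the version string, so a match here means "check the
   package changelog", not "definitely vulnerable".
2. stale_library_processes(): which processes still have a *replaced* copy of
   libssl/libcrypto mapped?  The kernel marks such mappings "(deleted)" in
   /proc/<pid>/maps, which is exactly what a service that was not restarted
   after the upgrade looks like.
"""
import glob
import re
import subprocess

# Vulnerable builds: 1.0.1 with no letter, or letters a through f.
VULNERABLE_VERSION = re.compile(r"1\.0\.1[a-f]?")
# Library names of interest in a maps line pathname.
SSL_LIBRARY = re.compile(r"lib(ssl|crypto)\.so")


def openssl_version_vulnerable(version_output: str) -> bool:
    """Parse the first line of `openssl version` and test the affected range."""
    match = re.search(r"OpenSSL\s+(\S+)", version_output)
    if match is None:
        raise ValueError("not an `openssl version` line: %r" % version_output)
    # Drop build suffixes such as "-fips" before comparing.
    version = match.group(1).split("-", 1)[0]
    return VULNERABLE_VERSION.fullmatch(version) is not None


def stale_library_processes(maps_by_pid: dict) -> dict:
    """Given {pid: text of /proc/<pid>/maps}, return {pid: [stale library paths]}.

    A maps line is: address perms offset dev inode pathname, where pathname
    may end in " (deleted)" if the file on disk was replaced or removed.
    """
    stale = {}
    for pid, maps_text in maps_by_pid.items():
        paths = set()
        for line in maps_text.splitlines():
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # anonymous mapping, no pathname
            pathname = fields[5]
            if SSL_LIBRARY.search(pathname) and pathname.endswith("(deleted)"):
                paths.add(pathname)
        if paths:
            stale[pid] = sorted(paths)
    return stale


def read_proc_maps() -> dict:
    """Collect /proc/<pid>/maps for every readable process on this host."""
    result = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(path.split("/")[2])
        try:
            with open(path) as handle:
                result[pid] = handle.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or we lack privileges; skip it
    return result


# Constructed sample: pid 1234 was not restarted after the upgrade, pid 5678
# was, and pid 9999 holds an unrelated deleted file that must not be reported.
SAMPLE_MAPS = {
    1234: (
        "7f3a1c000000-7f3a1c1e0000 r-xp 00000000 08:01 393271 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a1c3e0000-7f3a1c5a0000 r-xp 00000000 08:01 393260 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
        "7f3a1d000000-7f3a1d021000 r-xp 00000000 08:01 1 "
        "/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f3a1d400000-7f3a1d421000 rw-p 00000000 00:00 0\n"
    ),
    5678: (
        "7f4b2a000000-7f4b2a1e0000 r-xp 00000000 08:01 393300 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
    ),
    9999: (
        "7f5c3b000000-7f5c3b001000 r--p 00000000 08:01 77 "
        "/tmp/session.cache (deleted)\n"
    ),
}

if __name__ == "__main__":
    try:
        banner = subprocess.check_output(["openssl", "version"], text=True)
        print("openssl reports:", banner.strip(),
              "-> affected range" if openssl_version_vulnerable(banner) else "-> outside affected range")
    except (OSError, subprocess.CalledProcessError, ValueError) as err:
        print("could not query openssl:", err)
    for pid, libs in stale_library_processes(read_proc_maps()).items():
        print("pid %d still maps replaced libraries: %s" % (pid, ", ".join(libs)))
```

Run it as root on the patched host; any pid it lists needs its service restarted (or the host rebooted) before the patch is actually in effect for that service. The sample data exercises the same functions without touching /proc.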

Word is spreading of a need to change all passwords on all accounts you use across the internet - this will include your 'Hosting control panel', email, ftp, and database user accounts. This step is precautionary - there is no evidence that such info has been compromised.

We recommend that you take steps to change as many of these as you can, and contact us for help to change any that are outstanding.

For Shared Hosting

Please log into: http://customer.deanmarshall.co.uk/ with your current username and password in order to make the changes.

  • Control panel and FTP passwords:
    can be changed from the right-hand sidebar.
  • Database passwords:
    from within 'Web Tools' -> 'MySQL Databases'
  • Email accounts:
    from within 'Email' -> 'Mail boxes' (if your email is hosted elsewhere no action is needed here)

High Capacity Hosting

  • cPanel password:
    Preferences -> Change password
  • Email accounts:
    Mail -> Email accounts -> alongside each account click change password
  • Main FTP account:
    uses your cPanel password - so is updated if/when you change that
  • Additional FTP accounts:
    Files -> FTP Accounts -> alongside each account click change password
  • Databases:
    Databases -> MySQL databases -> scroll down to the list of Database Users -> click on each in turn -> enter the new password twice

Please bear in mind that changing passwords on email and FTP accounts will leave you unable to connect until you enter the new passwords into the software on your computers.
Changing database passwords will leave your site inoperable until the relevant configuration files are updated.

In closing - there is no evidence that this bug has been exploited in the wild. Our systems are now safe and changing passwords is a precaution in case anything was compromised prior to the fix.

How can we be sure that nothing has been compromised? The long and the short of it is that we cannot - no-one can. The exploit in question leaves no trace: no evidence in log files, no visible sign anywhere. Although the nature of the bug itself would leave no evidence of exploitation, large-scale compromises tend to get boasted about, with proof, in the form of thousands of passwords, posted online. To date there is no evidence of any such thing.

I hope that the information is of use.

Dean
--
Dean Marshall
Managing Director


© Copyright 2002-2016
Dean Marshall Consultancy Ltd - all rights reserved
Registered in England and Wales, Company number 6615299