Today we are going to focus on how a website works, share an overview of a hosting environment, and explore some other aspects of how a website functions.
Back in the old days, a website was a simple text document located in the server’s files. HTML let webmasters define the formatting on a website with the flexibility comparable to an advanced text editor, such as MS Word and allowed them to display images, and eventually other media.
The European Union has implemented a new law called the General Data Protection Regulation - GDPR for short - to help protect personal data of EU citizens. As a company that has many clients in the European Union, we have taken this very seriously and took steps to make sure that our service is GDPR compliant, which means many good things for our clients, not only from the EU but from all around the world.
In the last few days, we have seen questions regarding the recently released ImageTragick vunerabilites. We began working to patch and protect the CloudAccess.net platform shortly after the vunerability was announced. Here are a few commonly asked questions that we have seen.
ImageTragick is the internet nickname that was given to CVE-2016–3714 to help spread the word of this vulnerability to end users and the media. It features a website and a logo and is a pun based on "ImageMagick".
Originally developed in the 1970s, IPv4 is a cornerstone of the Internet as we know it. It was developed long before anyone could really imagine all of the interconnected devices that we have today. IPv4 allows for approximately 4.3 billion unique IP addresses, which might sound like a lot and certainly was a lot in 1970s standards. Nobody in 1970, however, could have predicted that the Internet would be as popular as it is or that many of us would be walking around with high speed computers in our pockets. With close to 3 billion current Internet users, IPv4 presents some serious limitations.
Essentially, the biggest limitation is that IPv4 is running out of the 32 bit addresses that each computer or device is required to have. An example of a 32 bit IPv4 address:
There are several reasons a site can be hacked, but the culprit we identify most often is an outdated extension. Updating extensions is critical because hackers can easily identify vulnerabilities in older versions, which are like a wide open back door to the site. If you’re using a Joomla site, it’s best practice to visit the Vulnerable Extensions List frequently. If you see an extension you’re using on this list, download and install the patches immediately. If no patches exist, disable the extension and find something to replace it.
Another reason we see sites hacked is because the site itself is an older version of the application, like Joomla 1.5 for example, which is no longer supported with security patches. We provide a managed hosting platform, which means we’ll update versions for you when a new STS (short term support) version becomes available. When a new LTS (long term support) version becomes available, it’s up to site administrators to upgrade on their own. It’s definitely best practice to stay current with the most recent version of your application.
CloudAccess.net server administrators actively monitor numerous security channels and we became aware of the vulnerability immediately. The bug causing the vulnerability has been around since December of 2011, but was only announced on Tuesday of this week by a team of researchers. Although there are no known real-world exploits of the bug, we have taken every measure to protect our clients, like we always do.
First, we applied the security patch to our entire network as soon as it was made available. We also communicated with our SSL provider who has confirmed that the vulnerability lies within the OpenSSL implementation, and not in certificates provided to us. We’re confident we’ve done everything within our power to protect your data. We’ve had no reported issues from any client on any of our servers. The only other step that can be taken is to re-key your SSL and we will do that for any client upon request.
If you’ve got an upcoming event or need a permanent home for your group, you can either launch a demo site and we’ll upgrade it for as long as you need it, or we’ll help you migrate an existing site into our network free of charge. We appreciate the valuable work you do and we want to support you any way we can. We’re the preferred web host for sites like Joomla! Day Chicago, Joomla! Day Ethiopia, and Joomla! Day North Carolina, among many others. We’d be proud to add your group or event to the list. Once in the network, you can experience our one-of-a-kind Cloud Control Panel™(CCP) for managing your Joomla site, and you’ll even be able to submit support tickets to get help from time to time.
Our highly devoted support team has an unwavering passion to help you build your online home. We’ll help migrate your site or upgrade your demo account, and we know you’ll fall madly in love with our entire platform. Remember, you need only purchase one SLA - after that, each additional site is only $5 per month.
We cherish all of our clients, and whether you desire a Standard, Business or Pro SLA, we’d love to create a perfect union with you. Experience our industry-leading level of faithful support. You won’t be disappointed. This is a limited time offer valid through Saturday, February 15th.
To protect highly sensitive cardholder data, the Payment Card Industry Security Standard Council (PCI SSC) released 12 Top Level Data Security Standards (DSS). Financial organizations are required to validate their adherence to certain DSS requirements. Below is an overview of the 12 PCI DSS requirements.
| Control Objectives | PCI DSS Requirements |
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security |
There are over 130 Approved Scanning Vendors (ASVs) that can be used to detect vulnerabilities found in a public cloud. CloudAccess.net, a Michigan-based Platform as a Service (PaaS), used McAfee and Comodo to perform security scans on targeted hosting environments. Using the results, the company adjusted server specifications to pass subsequent scans, ultimately helping several clients validate the security of their content including Reliance Bank, a full service bank with twenty branches in the St. Louis metropolitan region, and CIMA (the Center for Information Management and Assurance), an organization that aims to elevate the information security community. CloudAccess.net is helping clients pass ASV scans on an individual basis, but the company is developing an automated PCI-DSS hosting layer that can be applied to any environment with a click of a mouse.
Godaddy’s DNS network went down today, and it's not a surprise. This was caused by a Distributed Denial of Service (DDOS) attack causing extended downtime for millions of websites world-wide. At CloudAccess.net, we've built a very special DNS network aptly named “Bolt-DNS”. Bolt-DNS is a distributed DNS network that allows us to handle very large volumes of traffic even during a DDOS attacks. Our Bolt-DNS network will distribute the traffic evenly during these attacks, and it quickly reacts by working with our DNS data centers to stop or block any denial of service attacks.
The Godaddy DNS outage has also affected the sending and receiving of email messages for thousands of people. CloudAccess.net partners with Google for email services for a more reliable email hosting service. In the case where Godaddy email is down, our system stays up. In fact, taking down both Google and CloudAccess.net would be nearly impossible. You cannot take down two of the biggest players in DNS world down at the same exact time. Both providers have cached networks that would continue to route mail even on the largest of network attacks. Since your Godaddy email is directly connected to a non-distributed DNS network rather than on a massive network like Google and CloudAccess.net, you're subject to failures.