SSL 3.0 Poodle Vulnerability

SSL v3 Vulnerability

Google reported in a blog post today the discovery of a security vulnerability with SSL version 3.0. Our engineers were notified of this vulnerability before the announcement was made public and have made the necessary changes to disable access to SSL 3.0 on our core infrastructure.

Unlike the HeartBleed vulnerability, most of our users will not be impacted by this change. However, those who are using outdated web browsers (Internet Explorer 6, for example) will be unable to connect securely to our control panel and website.

If you’re using an outdated web browser, simply download the updated version or download a newer client such as Mozilla Firefox or Google Chrome. These browsers use an enhanced security protocol known as TLS and can update automatically, keeping you secure in the future.

SSL Version 3.0 will be disabled on Firefox on November 25, but you do not have to wait for this to be released. You can download a plugin that will allow you to set the minimum SSL version. If you’re using Internet Explorer, simply go to Settings -> Internet Options -> Advanced Tab -> Uncheck SSLv3 under Security.

Our system engineers are working to disable SSL version 3.0 across all of our servers. This will be done in segments to ensure there is no impact on your websites.

You can learn more about this issue by reading Google’s report.

As always, you’re more than welcome to contact our support if you have any questions and/or concerns.

The Heartbleed bug and what you need to know


In the last few days I am sure that you’ve heard about an Internet-wide security exploit called the Heartbleed bug. Security here at GreenGeeks is a top priority and we take it very seriously. Upon learning about the exploit, technically referenced as CVE-2014-0160, we began to address it immediately. We have created this article to help you understand a bit more about Heartbleed, how you can protect your information and what we’ve done to address it.

What is Heartbleed

The Heartbleed bug is a very serious security vulnerability in the popular OpenSSL cryptographic software library used to secure information traffic across much of the Internet. It was nicknamed “Heartbleed” because the vulnerability could leak/bleed information and was involved in the Heartbeat function of OpenSSL. The weakness allows hackers to steal information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL encrypts information sent over networks such as web, email, IM, etc. With the bug, names, passwords, and any sensitive information could be “sniffed” resulting in stolen data directly from any website.

What is being done about the Heartbleed Bug?

The vulnerability was identified, given a reference of CVE-2014-0160 and was patched by the team at OpenSSL. This patch was made publicly available to service providers across the world, including GreenGeeks. We have patched, tested and verified that all of our systems are secured with this latest patch from OpenSSL.

As mentioned before, we take security very seriously and it is a top priority for us. Upon discovering the exploit, we began immediate action to secure our servers. We believe that the likelihood of exploit is very minimal. As always, we will continue to be vigilant to ensure the safety and security of our systems.

Has GreenGeeks replaced their SSL certificates?

Yes, upon discovery our team quickly patched and replaced all SSL certificates on our network.

Is My Server Vulnerable?

Anyone relying on OpenSSL was vulnerable. Upon discovery of the exploit, we patched our entire network and are now protected from the vulnerability.

Will the SSL I purchased from GreenGeeks be Updated?

Yes, while the risk of exploitation is extremely low, as a precaution we are working with our SSL provider to re-issue all SSL certificates that were purchased directly through us. This process is being done automatically for you and there is no involvement required.

What if I purchased an SSL certificate from a third-party provider?

Re-issuing the certificate is a choice you’ll have to make. If you feel that it’s worth your time, then it’s a good idea to get your SSL certificate reissued. The likelihood of your keys being exploited is very low. If you decide to go ahead with the change, then please contact your SSL provider. Once you’ve received your new private key, certificate and CA bundle, our team will be more than happy to help you install the certificate. Alternatively, you can simply buy a new SSL certificate through us, and we will handle situations such as this for you.

Has any of my information been compromised?

Anyone relying on OpenSSL was vulnerable. Upon discovery, we immediately patched our system. The chance that your keys were exploited is very minimal due to the lack of a public exploit at the time of disclosure. We recommend that you always change your password regularly; you can do so through our Account Manager.

You can test to see if you’re vulnerable by using the HeartBleed Checker.

You can learn more about the Heartbleed Bug at heartbleed.com.

 

Phishing Scam Alert: Tariff Plan Changes

We have recently become aware of a phishing scam targeting our customers’ Account Manager login credentials. If you have received the below e-mail, it is not from GreenGeeks. The e-mail is attempting to phish for your Account Manager username/password. If you have clicked on the link and continued to provide any information, you may have fallen victim to the phishing scam. We recommend that you contact our support immediately or log into your Account Manager and change your password.

For your safety, please always visit our website at www.greengeeks.com and click on the Client Login link at the top right hand side of the page.

Below is an example of the e-mail.

[Image: alert-phishing-scam]

Remember, if you aren’t absolutely sure that the e-mail you receive is from GreenGeeks, you are more than welcome to contact our support to double check with us. Phishing scams are all too common and you should use safe practices with any provider that you have online.

Protect yourself with Secure Passwords

Changing cPanel Password

The first line of defense against cyber criminals (hackers) is your passwords, but weak and easy-to-guess passwords aren’t much of a defense. It’s important to create strong passwords that are unique to each of your important accounts, and it’s especially important to update the passwords often. Your GreenGeeks web hosting service comes standard with 24/7 monitoring of servers and includes advanced firewall systems to protect against most attacks; however, a weak password is like leaving your front door unlocked. All the cyber criminals have to do to gain access to your precious stuff is to just try and open your door.


“My WordPress Blog Got Hacked!” – Prevent it!

“My WordPress Blog Got Hacked” is something that we as a hosting company hear all the time, which is unfortunate. What’s even more unfortunate is we as the web hosting provider often get blamed for it by our very own customers. I can’t really blame our customers for this either, I guess they just don’t know it can happen — So hopefully, this blog post will help bring some awareness and help prevent their blogs from being hacked.

It’s not uncommon for a WordPress site to get exploited, you’ll often see an image of some pirate or a bunch of statements claiming that you’re a sucker for getting hacked. Doesn’t really look all too professional when your visitors see this. If you feel that you’re the only one out there, you’re not. If you think that WordPress is the wrong CMS to use, that’s not the case. With a proper setup, you could avoid being defaced.

WordPress has put together an entire My WordPress Site was hacked FAQ page, dedicated to helping WordPress users prevent their sites from being hacked and, for those who have been hacked, preventing it from happening again. Check it out; it will be helpful in preventing your WordPress installation from being exploited.

I do want to point out a part of the FAQ, where it says to check with the hosting provider.

As far as the hosting environment goes, we take security very seriously here at GreenGeeks. We have a multitude of security measures in place to prevent a wide-spread type of exploitation of scripts. So you’re safe there. We regularly update our servers, scan them for vulnerabilities and do what is required to keep our customers safe. The general rule of thumb for protecting yourself from being exploited is: always upgrade to the latest version, don’t use unknown plug-ins and keep regular backups.