Another day, another exploit. However, as far as exploits go, Heartbleed is a doozy!
Heartbleed is a proof-of-concept exploit for one of the most popular encryption libraries available, OpenSSL, that allows attackers to read live memory from the target server. That's right, the contents of the server's memory, which, as it's an exploit for an encryption library, means the cryptographic keys and certificates. As far as defeating encryption or impersonating a site goes, this is the holy grail: actual, legitimate, valid certificates and keys taken directly from your target's own infrastructure.
We strongly recommend that you check all of your public-facing SSL-enabled hosts for vulnerability using this tester: the Heartbleed Tester by Filippo Valsorda.
This brings us onto the point of this post. Bugs and exploits are a way of life on the Internet. Software is written by humans, and humans invariably screw up.
It baffles some of us here in the Astutium Technical teams how many people, customers and otherwise, think that applications, sites and servers can be stuck up on the Internet and left for months and years without any kind of TLC. If this were possible, then quite aside from us being out of a job, bugs wouldn't matter, Microsoft wouldn't badger you every second Tuesday in the month to update Windows, and there would be no more compromise, or war — but then we'd need to wake up.
Every computer system requires updates. Read that again: every computer system requires updates.
Even your WordPress blog that nobody could possibly be interested in breaking into needs them: this WordPress blog gets an average of 1300 attacks per day!
Heartbleed shows just how bad it can get when the bug is in a piece of fundamental software; however, thousands of sites and servers are compromised every day by flaws in far less critical software.
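Installing the update is only half of the job, and the missed half is the one that matters with a bug like Heartbleed. The following is an added example, not code from the Astutium post, and it assumes a Linux host: a service that was started before a library update keeps the old, vulnerable code mapped in memory until it is restarted, and Linux marks such mappings in /proc/&lt;pid&gt;/maps with a "(deleted)" suffix. The script parses that format and lists the replaced shared libraries that running processes still use; the sample maps text, the paths and the addresses in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Astutium post. Assumes Linux: each process
# exposes its memory mappings in /proc/<pid>/maps, and a shared library that
# was replaced on disk by a package update is shown there with a "(deleted)"
# suffix. A process in that state still runs the OLD library code, so an
# OpenSSL update only takes effect for it after a restart.

# stale_libs: read maps-format lines on stdin and print, once each, the paths
# of shared libraries whose on-disk file has been replaced since the process
# mapped them. Anonymous mappings ([heap], [stack]) and ordinary data files
# are ignored; only paths containing ".so" count as libraries.
stale_libs() {
  awk '$NF == "(deleted)" && $(NF-1) ~ /\.so/ { print $(NF-1) }' | sort -u
}

# scan_running: report every live process (pid, command, library) that still
# maps a replaced shared library. Only meaningful on a Linux host with /proc;
# run it after patching and restart (or reboot for) whatever it lists.
scan_running() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}
    pid=${pid%/maps}
    libs=$(stale_libs < "$maps" 2>/dev/null) || continue
    [ -n "$libs" ] || continue
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf '%s\n' "$libs" | while read -r lib; do
      printf '%s\t%s\t%s\n' "$pid" "${cmd:-?}" "$lib"
    done
  done
}

# Constructed sample of what /proc/<pid>/maps looks like for a web server that
# was started before an OpenSSL package update (paths and addresses made up).
SAMPLE_MAPS='7f0a1c000000-7f0a1c1a0000 r-xp 00000000 08:01 4242 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a1c1a0000-7f0a1c3a0000 ---p 001a0000 08:01 4242 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0a1c400000-7f0a1c5c0000 r-xp 00000000 08:01 4243 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0a1d000000-7f0a1d021000 rw-p 00000000 00:00 0 [heap]
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]'

# Stand-alone demonstration on the constructed sample: prints the one stale
# library (the replaced libssl) and ignores libc, the heap and the stack.
printf '%s\n' "$SAMPLE_MAPS" | stale_libs
```

On a real host, `scan_running` is the call to make once the package manager has finished: an empty report means every process is on the new library, while a non-empty one names the services that are still exposed despite the update being "installed".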
Security is always a reactive game. We try to figure out what the bad guys will do, they do something else, and we figure out how to defend against the new threat. So the cycle goes… Just like the intelligence and security services in the real world, CERTs (Computer Emergency Response Teams) and support teams face a thankless and ultimately impossible job. Attackers only have to get the attack right once to cause damage; the defenders (SysAdmins, NetAdmins and the rest) have to be right every time.
Everybody can play their part (and help keep their local support professional's hair on their head 😉) by ensuring that all the systems and applications under their control are kept up to date.
There is only so much your provider (including Astutium) can do, as the only truly secure computer is the one embedded in six feet of concrete, without any power or network connections, that no-one can ever use. After that it's all a matter of risk management.
At Astutium, we try to make that as easy as possible. For our cPanel Shared Hosting and WHM Reseller customers, Softaculous is available to help you manage your dynamic website deployments with single-click upgrades. For Virtual Private (VPS), Virtual Dedicated (VDS), Cloud Server and Dedicated Server customers, we have a range of server management options available to assist with keeping the low-level system secure and updated, as well as direct connections to OS mirrors (including locally hosted ones).
If you are not sure about keeping your system up to date, contact us to discuss the options.