pci | DynamicNet, Inc. (https://dni.hosting): PCI Compliant, Secure, and Performance Optimized WordPress Hosting

SSL Beast and RC4-SHA
https://dni.hosting/ssl-beast-rc4-sha/ (Wed, 19 Sep 2012 13:00:58 +0000)

[Image: Beast Browser Exploit Against SSL/TLS]

While there are a growing number of technical articles on how to protect your Apache based server against the SSL Beast, I’ve yet to see one that goes into the SSLCipherSuite setting that allows only RC4-SHA and nothing else.

This past weekend, I found out that some authorized PCI Compliance Scanning vendors will only grant you PCI Compliance status if your SSL Beast protection setup only allows for RC4-SHA and nothing else.

If you have such a vendor, then the following are the settings you would use in your Apache 2 httpd.conf configuration file:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
SSLHonorCipherOrder on

You can test your settings by running the following (preferably on another server):

openssl s_client -connect [ssl public machine name]:443 -cipher RC4-SHA
openssl s_client -connect [ssl public machine name]:443 -cipher DES-CBC3-SHA
openssl s_client -connect [ssl public machine name]:443 -cipher AES256-SHA

And so on for the various ciphers; only RC4-SHA should connect.
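The three openssl probes above, generalised into a script that walks a list of cipher names and reports any cipher other than the allowed one that the server accepts. This is an added example, not code from the post: HOST and PORT are placeholders, and it assumes an openssl client that still offers the ciphers being probed (current OpenSSL builds no longer ship RC4 at all, and RFC 7465 prohibits RC4 in TLS, so on a modern system the same script is used with a modern allow-list).

```shell
#!/bin/sh
# Cipher allow-list check: runs the `openssl s_client -cipher` probe from the
# post for every cipher in a list and prints PASS/FAIL per probe.
# Added example, not code from the original post. HOST/PORT are placeholders.

# Read `openssl s_client` output on stdin and print the negotiated cipher
# name, or NONE when no handshake happened (s_client prints "Cipher is (NONE)"
# on a failed handshake, and nothing at all on a connection error).
negotiated_cipher() {
    awk '/^New, .*, Cipher is / {
             sub(/^New, .*, Cipher is /, "")
             if ($0 == "(NONE)") print "NONE"; else print
             found = 1; exit
         }
         END { if (!found) print "NONE" }'
}

# Decide PASS/FAIL for one probe: the allowed cipher must connect and every
# other cipher must be refused.
verdict() {   # usage: verdict ALLOWED PROBED NEGOTIATED
    allowed=$1; probed=$2; negotiated=$3
    if [ "$probed" = "$allowed" ]; then
        [ "$negotiated" = "$allowed" ] && echo PASS || echo FAIL
    else
        [ "$negotiated" = "NONE" ] && echo PASS || echo FAIL
    fi
}

# Probe one cipher against HOST:PORT; prints the negotiated cipher or NONE.
# The leading `echo |` closes stdin so s_client exits after the handshake.
probe_cipher() {   # usage: probe_cipher HOST PORT CIPHER
    echo | openssl s_client -connect "$1:$2" -cipher "$3" 2>/dev/null | negotiated_cipher
}

# Run every probe and return non-zero if any result is FAIL.
audit_ciphers() {   # usage: audit_ciphers HOST PORT ALLOWED CIPHER...
    host=$1; port=$2; allowed=$3; shift 3
    rc=0
    for c in "$@"; do
        got=$(probe_cipher "$host" "$port" "$c")
        v=$(verdict "$allowed" "$c" "$got")
        printf '%-28s negotiated=%-12s %s\n' "$c" "$got" "$v"
        [ "$v" = PASS ] || rc=1
    done
    return $rc
}

# Stand-alone usage: sh THIS_SCRIPT HOST [PORT]. Nothing is contacted unless a
# host is given on the command line. The allowed cipher is listed first, then
# the ciphers that must be refused (the post's list, plus two more).
if [ -n "${1:-}" ]; then
    audit_ciphers "$1" "${2:-443}" RC4-SHA \
        RC4-SHA DES-CBC3-SHA AES256-SHA AES128-SHA RC4-MD5
fi
```

Run it from a second machine, as the post suggests. If the local openssl does not know a cipher name, s_client prints an error and never connects, so the allowed cipher then shows up as FAIL: that is the script telling you it could not verify the allow-list from this client, not that the server is wrong. The parser only looks at the "New, ..., Cipher is ..." line, so any allow-list can be checked the same way.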

If you know of a more elegant way to adjust the SSLCipherSuite to only allow RC4-SHA please let us know using the comment form below.

Scalable, Fast, Secure Ecommerce with ShopSite
https://dni.hosting/shopsite/ (Mon, 03 Sep 2012 13:00:37 +0000)

[Image: ShopSite demo store]

I recently had the wonderful opportunity to read a well written book by Melinda F. Emerson, Become Your Own Boss In 12 Months.

Melinda, who hosts the Small Business Chat on Twitter every Wednesday night from 8 PM to 9 PM Eastern Time, focuses on helping people become entrepreneurs and on helping the small businesses they create grow and succeed.

A lot of what Melinda shares involves proper planning and preparation.

Whether you have been in business for many years, or are just starting up… did you know that if you properly plan and prepare for your ecommerce store you greatly increase your opportunity to succeed?

If you are nodding your head, do you know how many business managers just leave this decision to their “Web” person or “IT” person?

The wrong choice in this area often leads to two major areas which can ruin your business:

  1. Hacked store with stolen customer information which can ruin the reputation of the business.
  2. Performance issues where you must choose between ever more expensive hosting to keep up with the hosting environment needs of the ecommerce system, or a complete redesign with another ecommerce system.

Over the past 17 years in business, we’ve seen, read, or heard about the above two issues so often, we’ve lost count.

As you take ownership and responsibility of the decision for picking a shopping cart / ecommerce system, I encourage you to ask the following questions:

  1. Is the ecommerce system PCI DSS certified (if the answer is no, attaining payment card industry (PCI) compliance runs from impossible to expensive)?
  2. When was the last security bug (problem, issue, report, etc.) filed for the system on Secunia’s Vulnerability Database?
  3. How many security bugs per year have been reported over the last 15 years (the more frequently they are published, the more likely there are also unreported security bugs)?
  4. How long has the ecommerce company that created the ecommerce system been in business (unfortunately a lot of businesses five years old or less fail)?
  5. Does the ecommerce shopping cart provider list certified technology partners that can assist you if you run into problems using the system?
  6. Is the ecommerce system fully portable should you need to move to a different hosting provider?
  7. Will the ecommerce system work on the smallest of shared hosting plans?
  8. How well does the shopping cart system scale? How long can you stay in a shared hosting environment to keep your monthly hosting investment to a minimum?

While you do need to trust the people with whom you are working, if you are the steward / manager of the business, the buck stops with you; and, I would encourage you to double check against any bias which may cost you your business.

I would like to share with you why you should consider ShopSite from ShopSite.com as the only ecommerce shopping cart you will need.

ShopSite is VISA PA DSS Certified. Since 1998 (when we started using and offering ShopSite as a ShopSite certified technology partner), any customer of ours using ShopSite who has a PCI Compliance Scan has ShopSite passing with flying colors.

In all of the years ShopSite has been available, they’ve only had one (1) security issue back in 1996. Compared to any other cart, that is outright amazing!!!

ShopSite has been in business for almost two decades. Very few other companies compare.

ShopSite has certified designers and certified technology / hosting partners. Dynamic Net is a certified technology / hosting partner; and we maintain relationships with certified ShopSite designers.

ShopSite is extremely portable, especially if you purchase the license vs. renting (it is still portable with renting; but you want to confirm that with the hosting provider from whom you rent the software prior to renting it — for us, it is 100% portable).

ShopSite is extremely fast (it is compiled code vs. interpreted PHP, Perl CGI, etc.); and ShopSite scales extremely well in a shared hosting environment.

ShopSite ecommerce stores have handled massive floods of traffic when the business is featured on national media in a shared hosting environment.

ShopSite is relatively web server agnostic; you don’t have to worry about a down ecommerce store because your hosting provider updated the operating system, the web server software, or the database software.

Please contact us if you have questions as to why ShopSite would be the only ecommerce system / shopping cart software your small to medium business will ever need.

Please share your thoughts and questions about this article below in the comment area.

PCI Compliance Scans and Small Business Gripes
https://dni.hosting/pci-compliance-scans-small-business-gripes/ (Fri, 20 Jul 2012 17:35:57 +0000)

Just as more government regulations tend to strangle a small business to death (worst case) or slow its growth (best case), so it goes for PCI Compliance standards which add little to no practical value to security.

Some housekeeping first, in terms of going over some terminology and a starting foundation.

A. There is a difference between systems that are as up to date (patched) as practically possible and systems that are up to date, period (no exceptions).

Those whose systems that are as up to date as practically possible will be on the latest versions (including patches) as provided by the vendor(s) of system(s) they are using.

Most small businesses cannot afford to have everything custom written for them, so it is common to see a small business use a system provided by a vendor that is mass marketed.

What are some examples as they relate to PCI Compliance Scans and the web? cPanel, Parallels H-Sphere, and Parallels Plesk, where some components of the system are only as up to date as the vendor (cPanel or Parallels) provides.

While some vendors are faster than others at releasing updates and patches, and all of them to date are excellent at releasing critical security updates, customers do not have control over when the updates come out.

B. Nothing is hacker proof; there are only degrees of resistance to being hacked. To state that an electronic device / machine is hacker proof is currently an incorrect statement.

Now let’s lay the foundational perspective of the small business owner.

  1. The small business owner’s site uses a mass market system (cPanel, H-Sphere, Plesk, etc.) that is as up to date as practically possible (which is different than up to date period).
  2. The small business owner’s site is on a server that has the following security measures in place:
     a. Servers are secured, and the operating system core components are up to date period.
     b. Server security includes an adaptive IDS (intrusion detection system) that interacts with an adaptive firewall to block brute force and related attacks.
     c. Server security includes a WAF (web application firewall — e.g. modsecurity) that blocks cross site scripting attacks, SQL injection attacks, and RFI (remote file inclusion) attacks.
     d. Server security includes consistent, frequent alerts of what is being blocked, along with trending.
     e. Server security includes 3rd party scans (not directly related to PCI compliance vendors) that show green (with any non-green issues being handled in 72 hours or less).
  3. The applications used on the site are as up to date as practically possible (often, for site-based applications, it is easier to be up to date period than it is for overall systems).

Now, the small business merchant sits back and sees they have a relatively high bar for being hacker resistant. They have a disaster recovery plan in place for when they will be hacked; and they are obeying the spirit of the PCI compliance standards and rules.

Here starts the small business gripes – complaints.

The small business merchant hires an authorized PCI Compliance scanning vendor to do a scan.

The scanning vendor starts a scan, and the security systems on the target server see attacks coming in. Let’s be frank: a scan is a simulation of what a hacker may try in order to break in, probing what is and is not allowed; intrusion detection systems, at present, cannot differentiate a simulated attack from a real one, so good systems block. The security then does what it is supposed to do when someone is attacking the system… It blocks the attack.

Now, in practical terms, you would think you’ve just proved the system is resistant enough for PCI Compliance. Right? After all, an attack run started, and the system reacted timely and blocked the attacks from continuing to occur; and you’ve reviewed the logs to see there was no break — the PCI Compliance scan was stopped before they got into the yard.

Yet that’s not what happens. The PCI Compliance scanning vendor cries foul play! How dare you treat their scans as you would any hacker. They need to be white listed. They want you to treat their machines and IP block special (as if you would ever purposely do that for a hacker).

Ok, you agree that they need to do a full scan to really test the security above and beyond any automated blocking systems. So you white list their IP addresses (typically it is a block).

The PCI Compliance scan kicks off again (time varies a lot but can be from two to ten hours depending on how aggressive is the scan), and the scan completes (they were not blocked).

As you review the results of the scan you see that various areas that PCI Compliance standards say should be blocked (this is different from blocking a scan) are blocked.

For example, on Apache, mod_userdir needs to be disabled. You have it disabled, and the authorized PCI Compliance scan ran two to a dozen specific tests against mod_userdir, each one showing that it was not enabled.

But because each test returned a different error message (bottom line: it didn’t work), they flunked your scan. Even though hackers could not abuse it, and even though the PCI Compliance scanning vendor could not prove you have it enabled, the scan fails because the responses varied (for the geeks: the responses were all 403, 404 or 500).

So now you work through those issues making sure that the error message is the same (remember mod_userdir was never enabled in the first place); and they re-scan.

This time you fail because a PCI DSS certified shopping cart using a valid, active (non expired), properly installed secure certificate allows the consumer to manually remove the “s” in “https” on the address bar and continue to shop with http (non SSL) vs. https (with SSL).

How many people do you know, who, while working to complete their shopping cart for a purchase will purposely go to the address bar to purposely remove the “s” in https (keeping in mind the entire process was using https to start and the only way to change it would be to remove the “s” that was there to start)? Where’s the reality check in PCI Compliance scan results?

Now, the small business merchant is in a bind. They are using a mass market shopping cart; and the developers might take three months to twenty-four months to come up with a programming change to handle this unrealistic consumer issue. In the mean time, the small business merchant is not PCI compliant. Wow!

Now, your hosting provider comes to the rescue with an Apache mod_rewrite that basically puts the “s” back in “https” should it see a visitor in the shopping cart area with https off.

You now think you are ok. You ask the PCI compliance vendor to do another scan.

Another two to ten hours pass, you fail again.

You review the results and you see that everywhere it really counts the PCI compliance scan could not find a fault or break in the actual, practical security. Even though they were white listed, they could not brute force. Even though they were white listed, the applications showed they were not vulnerable to XSS (cross site scripting), RFI (remote file inclusion), SQL (database) injections or other forms of attacks.

What in the world is going on? Why is the scan failing now???

You read the very long report only to find out the authorized PCI Compliance scanning vendor is now complaining that the components of your mass market system (i.e. database server, email server, FTP server, web server, etc.) are hiding their version information.

Now, wait just one second! Best practice is to not disclose version information.

While almost all IDS (intrusion detection system) and firewalls have a means to white list on IP addresses, in 2012 there’s not an easy, practical means to disclose version information on an IP basis to some and not to others. For example, you either have the version for Apache on or off.
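A pre-scan self-check for the three findings described above (uniform responses for mod_userdir URLs, the http-to-https redirect for the cart area, and version strings in the Server header), written with curl. It is an added example and not the hosting provider's tooling; HOST and CART_PATH are placeholders, and the two user names in the mod_userdir probes are constructed, since only the uniformity of the answers matters.

```shell
#!/bin/sh
# Pre-scan self-check for the three scan findings discussed in the post:
#   1. mod_userdir probes must all get the same response code,
#   2. plain-HTTP requests for the cart area must be redirected to https://,
#   3. the Server header must not carry a version number.
# Added example, not the hosting provider's tooling. Assumes curl is
# installed; HOST and CART_PATH are placeholders. Nothing is contacted unless
# a host is passed on the command line.

# Print the status code from a block of HTTP response headers read on stdin.
status_of() {
    awk 'NR == 1 && $1 ~ /^HTTP\// { print $2; exit }'
}

# Print the value of the named header (case-insensitive), CR stripped.
header_value() {   # usage: header_value NAME < headers
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr -d '\r' | awk -F': *' -v want="$want" '
        tolower($1) == want { sub(/^[^:]*: */, ""); print; exit }'
}

# Check 1: every status code passed in is identical (e.g. all 404).
same_status() {   # usage: same_status CODE...
    first=$1
    for s in "$@"; do
        [ "$s" = "$first" ] || return 1
    done
    return 0
}

# Check 2: a redirect status and an https:// Location header.
forces_https() {   # usage: forces_https STATUS LOCATION
    case "$1" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$2" in https://*) return 0 ;; *) return 1 ;; esac
}

# Check 3: no "/<digit>" in the Server header ("Apache" passes,
# "Apache/2.2.22 (Unix)" fails).
server_hides_version() {   # usage: server_hides_version VALUE
    case "$1" in */[0-9]*) return 1 ;; *) return 0 ;; esac
}

# Fetch response headers only (HEAD request, redirects not followed).
headers_of() {
    curl -s -I --max-time 15 "$1"
}

run_checks() {   # usage: run_checks HOST CART_PATH
    host=$1; cart=$2; rc=0

    # Constructed user names; only the uniformity of the answers matters.
    s1=$(headers_of "https://$host/~alice/" | status_of)
    s2=$(headers_of "https://$host/~bob/" | status_of)
    if same_status "$s1" "$s2"; then echo "userdir: PASS ($s1)"
    else echo "userdir: FAIL ($s1 vs $s2)"; rc=1; fi

    h=$(headers_of "http://$host$cart")
    if forces_https "$(printf '%s\n' "$h" | status_of)" \
                    "$(printf '%s\n' "$h" | header_value Location)"; then
        echo "https redirect: PASS"
    else
        echo "https redirect: FAIL"; rc=1
    fi

    srv=$(headers_of "https://$host/" | header_value Server)
    if server_hides_version "$srv"; then echo "server header: PASS ($srv)"
    else echo "server header: FAIL ($srv)"; rc=1; fi
    return $rc
}

if [ -n "${1:-}" ]; then
    run_checks "$1" "${2:-/cart/}"
fi
```

The script verifies the observable result rather than the configuration. On Apache the rewrite the post mentions is, assuming a cart under /cart/, `RewriteCond %{HTTPS} off` followed by `RewriteRule ^/cart/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]`, and the short "Apache" Server header is what `ServerTokens Prod` produces; which path and directives apply to a given store is an assumption to check against your own httpd.conf.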

If you turn on the version information for the scan, that means for two to ten hours, your versions are showing for hackers all around the world (there is so much automation with hacking there is no “safe time” to be unsafe!!!).

So you tell them the versions… now you get kicked to the curb!!!

Even though for all practical purposes you have proven your systems and applications are as resistant as possible, because your versions are not up to date period, your compliance scan is marked as failing.

This is where the rubber meets the road. If you have systems in place so that being x version(s) behind still provides the same protection as if you were on the latest version, should the version matter?

Something has to change in favor of small businesses.

If the PCI Security Standards Council wants more and more small businesses to adopt PCI Compliance measures, then there needs to be people who are looking out for small business merchants.

Security matters, and must be a way of life for anyone connected electronically; however, living that life should not be so impractical or expensive to push small businesses away from the ecommerce dream.

If you manage, steward or otherwise own a small business, please consider contacting the PCI Security Standards Council Board of Advisors, asking them to review all authorized PCI Compliance Scanning firms to ensure small businesses are not being kicked to the curb due to regulations, rules, and enforcement which have either zero security implication or are otherwise unrealistic for small businesses to adopt.

Point them to this article and share your own experiences (especially so if you have them) with them.

Complaint summary:

  1. Authorized PCI Compliance Scanning vendors ask to have their systems treated differently than hackers — i.e. allow my simulated attacks.
  2. If you have something that should be off, off — and the scanning vendor shows it is off, get off the high horse about the error message for being off (off is off even if there’s a different error message).
  3. If the small business merchant is using a PCI DSS certified ecommerce shopping system with an active, valid, properly installed secure certificate and the system directs shoppers to https, get off the high horse of what if the consumer removes the “s” questions; deal with the practical.
  4. If the scan shows that zero (0) attacks succeeded (i.e. nothing got through — all vulnerabilities properly handled), then get off the high horse as it relates to versions.

I welcome your comments below.

Thank you.

What do I need from Dynamic Net to be PCI Compliant
https://dni.hosting/dynamic-net-pci-compliant/ (Mon, 11 Jun 2012 13:00:49 +0000)

What are the services you need from Dynamic Net, Inc. once you’ve made the decision you want to have a fully integrated (i.e. the customer never leaves your web site) PCI Compliant hosting experience?

Maybe you’ve been one of our customers for years, and need to be PCI compliant for your eCommerce offerings. Maybe you’ve read Revealing the process of becoming PCI Compliant, and decided you want care from a provider with high integrity as well as great security. Either way, you want to know the minimum requirements you need from us in order to get off the ground and become PCI Compliant.

Most of our customers are small to medium businesses; and the overwhelming majority of them fit well in our PCI Compliant Linux Professional Hosting Plan (or any of our hosting plans).

In addition to a hosting plan which will pass PCI Compliance scans from companies like SecurityMetrics.com and TrustKeeper — a TrustWave brand — you also need a secure certificate (also known as a digital ID) as well as a dedicated IP address for your site.

Most of our customers go with the GeoTrust QuickSSL Secure Certificate which runs $100 per year if you purchase it from our company. However, you are free to use almost any secure certificate (SSL) vendor; you do not have to purchase your secure certificate from our company. Our servers support secure certificates from Comodo, GeoTrust, InstantSSL, RapidSSL, Verisign, Thawte, and many others.

In addition to PCI Compliant hosting, a secure certificate, and a dedicated IP address, you will also need to contract with an authorized PCI Compliance scanning vendor.

We strongly recommend SecurityMetrics.com who is approved by the PCI Security Standards Council. Another authorized scanning provider that is easy to work with for small businesses is Control Scan.

Once you are under our hosting care, have a dedicated IP address (a requirement for the secure certificate), and have your secure certificate (so areas of your site — including your entire site if needed — can use https), then prior to any PCI Compliance Scan you want to make sure your applications — including, but not limited to, Drupal, Joomla, WordPress, etc. — are completely up to date, including any add ons, plugins, and themes.

You will want to review, or have your developer review, that any custom coding used for customer information — whether there is credit card data being collected or not — uses secure coding techniques. This includes making sure all input and output is sanitized; and testing to ensure code cannot be injected or otherwise manipulated remotely. It may also involve the developer recoding old techniques that relied on direct operating system calls to more secure techniques that use what is referred to as black boxes.

If you are not sure of your code, check with our support department; and they will do their best to help review what you are using, and make suggestions to help with PCI Compliance.

Once you are ready, you then schedule a PCI Compliance Scan with your scanning vendor.

If you are able, please do let our support department know the scanning vendor, and the approximate date and time of their scan as well as where the scan will be coming from in terms of the scanning vendor IP address(es). While this information is not necessary, it does help us help you as we will typically monitor your site and the server your site is on more closely during the scan to ensure you have the best results.

Once your scan is complete, given that you’ve also filled out your self assessment questionnaire, you should now be fully PCI Compliant.

To summarize, what you need from us:

  • A PCI Compliant hosting plan.
  • A secure certificate (digital ID), purchased from us or from another vendor.
  • A dedicated IP address for your site.

What you need externally is an authorized PCI Compliance scanning vendor such as SecurityMetrics.com or Control Scan.

Contact us if you have any questions.

Revealing the process of becoming PCI Compliant
https://dni.hosting/pci_complance_process/ (Mon, 30 Apr 2012 13:00:00 +0000)

If you want to accept credit cards online, then you need to be PCI Compliant, whether your business is brand new or your business has been established for centuries.

Over the years, we’ve helped various business owners and managers to become PCI Compliant.

To those who have not gone through the PCI Compliance process, the road to having their first PCI Compliance certificate can look long, hard, and daunting.

This article is meant to take away the sting, especially for first time business owners and managers, by revealing the process of becoming PCI Compliant.

Like many things in life, gaining PCI Compliance and keeping it is a process. Let me first cover some common questions and definitions; and then we’ll get into the heart of the matter.

What is PCI?

The Payment Card Industry (PCI) Data Security Standard (DSS) was established by the major card brands including: Visa, MasterCard, American Express, Discover Financial Services, and JCB International. All businesses that process credit cards (merchants) are required to implement the PCI standards into their methods of processing to prevent credit card theft.

What does it mean to be PCI Compliant?

A merchant that is PCI Compliant would have successfully filled out the appropriate self assessment questionnaire (SAQ), would have a written security policy which is kept up to date, and would have had their web site scanned by an authorized PCI Compliance scanning vendor where the scan passed.

What if I have online forms or an online cart that uses a third-party processor like Authorize.net, Paypal.com, Verisign Payflow Pro, Google Wallet, or the like? If my credit card processor is already PCI Compliant, don’t I inherit their compliance?

No. While you should only be using payment processors that are PCI Compliant, their PCI Compliance does not transfer to your site and your business. Source: http://www.pcicomplianceguide.org/pcifaqs.php#8

What are the steps an owner of a web site goes through to become PCI compliant?

  1. Determine your merchant level.
  2. Determine your validation type.
  3. Complete and report an attestation of compliance and self assessment questionnaire (SAQ) annually.
  4. Complete and report results of all external vulnerability assessment scans (all public facing IP addresses used to process, view, or handle credit card data require scans) performed by an approved scan vendor (ASV) quarterly.
  5. Create and update an information security policy annually.

What is a merchant level?

The merchant level is based on transaction volume for the organization.

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of a merchant’s Visa transactions (inclusive of credit, debit and prepaid).

Merchant levels (level / tier [1], merchant criteria, and validation requirements):

Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region [2]
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or internal auditor if signed by officer of the company
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

[1] Compromised entities may be escalated at regional discretion.

[2] A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if there is no common infrastructure and Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.

What is a validation type?

The Payment Card Industry classifies level four merchants into five different validation types. The following chart from the Payment Card Industry website gives an explanation of the levels:

Source: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

SAQ types (type, description, and the SAQ form under v1.2):

  • Type 1 (SAQ A): Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
  • Type 2 (SAQ B): Imprint-only merchants with no electronic cardholder data storage.
  • Type 3 (SAQ B): Stand-alone terminal merchants, no electronic cardholder data storage.
  • Type 4 (SAQ C): Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
  • Type 5 (SAQ D): All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

What questions can I expect to be asked on the self assessment questionnaire (SAQ)?

While the exact questions or wording of the questions may vary from assessor to assessor, the following are the types of questions you can expect to be asked:

  • What is the approximate number of credit card transactions you process per calendar year (this goes towards merchant level)?
  • What is the legal business name of the credit card processing company you are using? (i.e. authorize.net) If you are using several, you will be asked to list each one.
  • What is the legal business name of your Web hosting provider?
  • What is the name of the shopping cart you are using?
  • What is the legal business name of the data center where your servers are rented or co-located?
  • If you are using point of sale terminals, who is the legal business name of the manufacturer? What is the make and model number?
  • If you are using a payment application, what is the legal business name of the payment application vendor? What is the name of their software? What version of the software are you using?

What is a PCI Compliance scan?

A PCI Compliance scan involves a scanning vendor running a series of tests from one or more of their servers against your web site, and the server hosting your web site.

The tests are meant to ascertain whether or not your site is easy to hack. Please note since any device can be hacked, passing a PCI Compliance scan doesn’t mean uncrackable; it just means the site is harder to hack as compared to sites which are not PCI compliant.

Only the results of an approved scanning vendor count, so you will want to be sure the vendor you or your bank pick is an approved scanning company.

While we work with a number of approved scanning vendors, we recommend SecurityMetrics.com; they are small business friendly, and tend to be easier to work with compared to other scanning vendors.

What is an information security policy?

An information security policy is a written document that you should create and maintain which covers your organization’s policies and procedures for handling of information.

While there are a number of places where you can purchase document templates (200+ pages), SANS has a number of free ones available at http://www.sans.org/security-resources/policies/internet.php

If you search on “Information Security Policy Template” (including the quotes) in Google, you might be pleasantly surprised to find PDF versions from a number of organizations that you could use as a guideline.

By now, you might be feeling overwhelmed; and, you might be thinking, does it have to be this hard?

The process of getting and keeping PCI Compliance can be overwhelming IF you try to eat it in one bite; break down the process into easier to eat bites, and it is not that difficult.

PCI Compliance is a dance between multiple dancing partners. Let’s start breaking down the process by looking at each party, and who is responsible for what steps.

Here are the parties and pieces involved in the dance:

  • The merchant — you.
  • The hosting provider.
  • The ecommerce application (i.e. shopping cart) being used.
  • The payment gateway (i.e. authorize.net) being used.
  • Your web site in terms of any forms and other applications you have installed on the site.
  • The approved scanning vendor.
  • Your bank.
  • Potentially, a PCI Compliance company that acts as a holding company for information on your compliance (i.e. Trustwave does this for a number of banks where you can upload various security documents attesting to your PCI Compliance).

Let’s look at this dance from multiple angles based on your potential partners.

Best Practice – Each PCI Compliance dance partner fits the PCI Compliance theme and is individually a strong entity

You are still you, the merchant. In your office or home office set up, you are using best practices for security for your network / wireless network along with best practices for how you maintain customer information including any credit card information. This includes, but is not limited to, having a firewall, anti-virus which is kept up to date, anti-malware which is kept up to date, a shredder, and PCs with strong passwords and zero paper trail as to passwords.

Your site is being hosted with a managed hosting provider like Dynamic Net, Inc. who is also PCI Compliant; and understands the ins and outs of PCI Compliance.

You are using a PCI compliant, PCI-DSS certified shopping cart like ShopSite or PrestaShop.

You are using a PCI compliant payment processor like authorize.net

Your web site applications such as WordPress, Drupal, and Joomla are up to date including any themes and plugins.

You are using SSL with a secure certificate (digital ID); and any form the public can interact with is forced to use SSL (https).

You are using an authorized scanning vendor such as SecurityMetrics.com or Trustwave.

In the above dance, the very first PCI Compliance scan from your authorized scanning vendor (ASV) should be clean — you are on your way to PCI Compliance; just file the online forms as provided by the ASV with your financial institution or PCI Compliance holding company partner. In the worst case, you may need a second scan due to the ASV IP addresses needing to be white listed or a configuration change on the ASV end.

The key for becoming PCI compliant quickly involves making sure each partner in the PCI Compliance dance fits. Weak dance partners typically mean the PCI Compliance dance (process) takes longer, and in some cases outright fails.

Contact us for more information.

]]>
Strong security starts at home https://dni.hosting/strong-security-starts-home/ Tue, 11 Oct 2011 20:10:49 +0000 http://www.dynamicnet.net/?p=1552 Even though we strongly believe security should be an entitlement for hosting customers, we strongly believe that security starts at home.

A hosting provider can have the most secure environment in the world, but if the customer uses weak passwords and outdated applications, then that’s like waving a sign stating “thieves and vandals welcome.”

The easiest thing you can do as a customer to make your home safe is to create strong passwords that you change frequently (monthly, or at least quarterly).

The keys to password strength are length and complexity. An ideal password is long and has letters, punctuation, symbols, and numbers.

The password should be twelve (12) or more characters long and contain numbers, uppercase letters, lowercase letters, and, if permitted by the application accepting the password, special symbols. A password should not contain any words or phrases found in a dictionary.

If you don’t have your own application to generate random, secure passwords, check out random.org.

You should use a unique password for each application. So if your web site has a control panel, the control panel would have its own password. If you have FTP, then each FTP password would be unique (completely different from the control panel password). The same goes for email and database passwords.

There are different applications that can help you create secure passwords and store them for you in a secure place. One such application is SplashID, but there are many others.
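The password rules above (12 or more characters, upper and lower case, digits, symbols where the application allows them, no dictionary words, and a different password for every service) are easy to state and easy to get subtly wrong. The following is an added example, not code from Dynamic Net, that encodes those rules as a checker, generates passwords with the operating system's cryptographic random source until one passes, and reports passwords shared between services. The word list and the sample credentials are constructed for illustration; a real deployment would load a full word list such as /usr/share/dict/words (assumed path).

```python
"""Password-policy checker and generator for the rules described in the post."""
import secrets
import string

MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed stand-in for a real word list; in practice load something like
# /usr/share/dict/words (assumption: that path exists on most Unix systems).
DICTIONARY = ("dynamic", "hosting", "letmein", "password", "secret", "summer", "welcome")


def policy_violations(password: str, allow_symbols: bool = True) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters required (got {len(password)})")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Symbols are required only when the application accepts them.
    if allow_symbols and not any(c in SYMBOLS for c in password):
        problems.append("no special symbol")
    # Dictionary words are rejected wherever they appear, regardless of case.
    lowered = password.lower()
    for word in DICTIONARY:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def generate_password(length: int = 16, allow_symbols: bool = True) -> str:
    """Draw characters from the CSPRNG and retry until the result passes the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + (SYMBOLS if allow_symbols else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, allow_symbols):
            return candidate


def reused_passwords(credentials: dict) -> dict:
    """Map each password used by more than one service to the services sharing it.

    credentials is {service_name: password}; reuse across the control panel, FTP,
    email and database accounts is exactly what the post says to avoid.
    """
    by_password = {}
    for service, password in credentials.items():
        by_password.setdefault(password, []).append(service)
    return {pw: sorted(svcs) for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    sample = {"cpanel": "Welcome2Hosting!", "ftp": "Welcome2Hosting!", "email": "x7#Qm9!vLp2@Wz"}
    for service, pw in sample.items():
        print(service, policy_violations(pw) or "OK")
    print("reused:", reused_passwords(sample))
    print("generated:", generate_password())
```

The dictionary check is a substring match, so "Welcome2Hosting!" fails even though it satisfies every character-class rule; that is the case a length-and-classes-only checker misses.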

The other part of keeping your home secure is making sure applications you’ve installed (whether yourself, your designers, or even your hosting provider) are kept up to date.

While some application updates are just new features you may not need, a lot of the time on the Internet, updates include security fixes necessary to help keep hackers out.

Your hosting provider’s technical support department should be able to get you up to speed in both areas if you need help.

If your hosting provider is not responsive to your needs, contact us for more information about our managed hosting options.

]]>
Digital IDs – Do they inspire more sales? https://dni.hosting/digitial-ids-inspire-sales/ Mon, 19 Sep 2011 12:00:01 +0000 http://www.dynamicnet.net/?p=1501 While our family tries to shop locally, we often find what we need on the Internet. If your business and family are like ours, you are in the same boat.

If you have an online business and want to increase sales, do you have a digital ID (SSL) set up so that the shopping cart area uses “https”?

If the answer is no, why are you not using SSL?

Back in 1995, when Dynamic Net, Inc. was known as PMP Computer Solutions (PMPCS), my answer was cost. I looked at the yearly cost of a digital ID as an expense I just could not afford at the time, especially as a new start-up business. Every penny counted.

Yet, as we started offering more and more products and services online, people were not buying. Carts were abandoned (that’s where a consumer adds items to the shopping cart but never completes the transaction). Why were they giving up? Was the process too complex?

It turned out to be many related reasons:

  • Concerns over identity theft, since personal and credit card data was not being encrypted by a digital ID.
  • Concerns over credit card theft, because the data was not being encrypted by a digital ID.
  • Concerns that we were a fly-by-night company, because we were being too cheap to purchase a digital ID to protect ourselves and our customers.

According to the Gartner survey in August 2006, approximately $913 million in 2006 e-commerce sales was lost because of security concerns among online shoppers. Another $1 billion was lost because of shoppers who refuse to shop online at all because of security concerns.

While that survey is now more than five years old, the foundation of it is still valid.

Consumers still want to know you care about their security as well as your own. They want to be sure you are a solid company who, if you are going to accept their personal information and credit card, are going to do your best to protect that information.

Plus, if you want to be a PCI compliant merchant (which often lowers your cost to accept credit cards), you should have a digital ID to help protect your site.

Does a digital ID protect your entire site from hackers?

No. A digital ID only encrypts information between the consumer’s browser and your web server. While that matters greatly in helping to protect consumer data being sent from their browser to your web server, it doesn’t stop hackers from getting into vulnerable applications or vulnerable servers.

Merchants who want to invest in a secure infrastructure will work with a managed hosting provider who will proactively take care of security for the server, and hold the merchant’s hand to help their individual ecommerce site be secure above and beyond PCI compliance.

A digital ID will inspire more sales. A managed hosting provider will help the merchant have more sales because they and their consumers will have greater peace of mind about being more secure.

Contact us for more information.


]]>
Security Snitching https://dni.hosting/security-snitching/ Mon, 22 Aug 2011 12:00:05 +0000 http://www.dynamicnet.net/?p=1399 I think one of the lessons we all learn growing up is that being a snitch — tattling, whistle blowing, etc. — is a bad thing; and that only in the face of death (even if that counts for anything) should you even consider being a snitch.

Sometimes I think that attitude is so pervasive in our society, at large, that most of us impacted by hackers do not even consider snitching on the hacker who tried to break into our web site, email, database, or server. Even if it did cross one’s mind, some might have the attitude of what good will it do especially given the global nature of the Internet — who has jurisdiction, language barriers, culture barriers, and what else might be present.

How does one even know if their web site or server is subject to being attacked?

If you or your host performed proper log file monitoring and management, you might be surprised that most sites are attacked throughout the day, every day, 365 days a year. The average survival time of vulnerable machines on the Internet per the Internet Storm Center was 10 minutes as of August 15, 2011.

Earlier this week, I was not surprised to read about a web site owner who had just set up a non-managed VPS (virtual private server), installed WordPress 3.2.1, and two hours later was hacked. The site had not been live for more than two hours, and it was already compromised!

Just so you know, any machine out of the box is vulnerable. Any software just installed is vulnerable. Unless someone takes specific measures to secure a machine or secure an application on a machine, the machine and application are vulnerable.

That’s why our company believes that security should be an entitlement to Web hosting, email hosting, and database hosting customers. It is also why we believe hosting providers need to go above and beyond PCI Compliance.

If you are completely satisfied with your hosting company, ask their technical support department to help educate you on reading your web site logs so you can track attacks and report them to the data center hosting the attacker. If you are not completely happy with your hosting provider and want to switch to our managed hosting service, please contact us. If you are a hosting provider, please consider our security services; we can help you make more money through customer retention and new customers who know you take security seriously.

On a typical day we are reviewing a large number of logwatch reports, brute force detection reports, and other types of security alerts. We use various WHOIS services to get the abuse email information of the data center or web hosting provider that is providing the services to the IP address that tried to attack one or more of our customers — our customers in this case include our managed service provider customers as well as our managed hosting customers.

We then contact the data center / hosting provider giving them segments of the log file, GMT time stamps, and ask them to take appropriate action.

Since we are not seeking any legal or criminal action be taken — i.e. just deal with the hacker or malware being used by the hacker — we are typically greeted with fellow security (often working in an abuse department) administrators who know we are just trying to work with them rather than force their hand, or otherwise make their job harder.

Over the past 16 years, we’ve learned that everyone’s comfort level in finding the malware or tools used by the hacker varies, so we include a number of tips we’ve picked up over the years for tracking down malware and infected web sites. Making the job easier for the abuse department person working with us typically means a faster resolution time.

The responses we get from data centers vary. Some have a policy of not responding via email (though from follow up phone calls, I know they get the email), others alert their customers (who sometimes need multiple follow ups to clean up and secure their environment), and others are very quick to respond either suspending the account, or cleaning it up.

As a live example, on August 15th, we received the following response from a data center in Germany:

Dear Sir or Madam,

The server has been reinstalled, and I have just received an abuse email.

I will install Fail2ban again today.

###

(the author’s own English rendering of the message follows)

Ladies and Gentlemen,

Server has been reinstalled and I just got an email Abus.

Fail2ban’ll install again today.

Another live example received on August 17:

Hello, Mr. Abraham,

Thanks for the time you spent sending us the log file excerpt.

We identified a hacked customer web space and will close it within the next 10 minutes.

Best regards,
Thomas Schüring

Our typical experience is that if you consistently contact the appropriate abuse department asking them to stop a given attack (providing log file samples, time stamps, and the time zone of the logs relative to GMT, e.g. GMT -4), then over time the number of attacks on your site or server is reduced.

They rarely get to zero (and rarely stay at zero if you get there), but as each infected web site, malware, hacked server (that is used to attack) is cleaned up, the Internet at large becomes a safer place for everyone.

I’m a firm believer that when you put part of your life on the Internet, security must become a way of that life. Security should be layered, with as many layers as it is practical to manage daily.

For the web site owner, those layers should consist of the following:

  • Hosting your web site, email, databases, etc. with a managed hosting provider that secured the server and keeps it secure (don’t assume such things; when in doubt, ask).
  • Regularly changing your passwords, using a unique password for each control panel, application, email account, FTP account, etc., and using only very secure passwords that are at least 12 characters long, consisting of uppercase letters, lowercase letters, numbers, and (where allowed) special symbols, where none of the letters form a word found in the dictionary.
  • Regularly scanning all personal computers connected to the Internet for malware and viruses; we recommend MalwareBytes and ESET NOD32.
  • Keeping your applications like Drupal, Joomla, WordPress, and the like up to date.
  • Keeping all plugins, themes, add-ons, and extensions up to date, and being aware if a particular plugin, theme, add-on, etc. is listed as being either vulnerable or an outright back door for hackers. When in doubt, ask your managed hosting provider.
  • Whether done by your hosting provider, yourself, or someone on your team, reviewing your log files daily, investigating, and reporting hack attempts to the data center or hosting provider of the attacker.

If you host your site with us, we will let you know if your (non custom) applications are out of date, check daily if your site is listed in Google as being unsafe, check daily if your site is listed by Norton as being unsafe, and throughout the day report hack attempts to the appropriate abuse department to stop the hacks. Every one of our customers who has gone for PCI compliance received it.

Most of our customers are small business owners who appreciate there’s a lot that goes into being secure; and while they can do the tasks listed in the bullet points above, would prefer we do most of those tasks for them (did I share we regularly check for weak passwords as well?).

Contact us if you have questions.

]]>
Security as an Entitlement https://dni.hosting/security-entitlement/ Wed, 03 Aug 2011 16:31:49 +0000 http://www.dynamicnet.net/?p=1300 If your family is like mine, over the last several months, you’ve either heard or participated in discussions about entitlements. For our family, this debate came up with ObamaCare, as well as the US national debt crisis that is still ongoing as of the time I’m writing this journal entry.

Since I don’t have control over or a direct say in any implementation of an answer to what is and is not an entitlement as it relates to government services, I’m not going to present my feelings now to avoid any potential arguments.

What I do propose is discussing whether or not hosting security should be an entitlement.

If you host a web site, are you entitled to security? Should your hosting provider be providing proactive security services and management for you as part of the hosting service?

Why is this something to think about? Why should it matter enough for you to spend time considering the questions and implications?

In the past 48 hours, one can read “Zero day bug threatens many WordPress sites” and “Malware attack spreads to 5 million pages (and counting),” and it is typical to find similar articles published often.

If you are a WordPress user (especially with administrator rights), are you keeping up to date with such articles? Is it your responsibility or your hosting provider’s? If you have OsCommerce installed on your site, what about you? Are you paying attention when something like the second article is posted? Is it your responsibility?

If you are the owner of a small to medium business, and you are like many of our managed hosting customers, you need to concentrate on your business and family; where is there time to even find the appropriate news feeds to learn about such security issues, or the staff to take care of them when they are found out?

Should you, as a hosting customer, be entitled to the peace of mind that comes with knowing your hosting provider is keeping up to date with such things? Should you be entitled to security?

I believe the answer is yes; yet, from reading JTPratt’s excellent article on How to Fix a Hacked WordPress Blog, I was saddened by the section dealing with What Your Web Hosting Tech Support Will Try when I read “they usually don’t know how to do any of those things right,” with “they” referring to the web hosting technical support team.

If the hosting support team doesn’t have the technical expertise to help, who does?

The hosting provider should be responsible for providing the highest level of customer care as well as proactive security. If a hosting provider is hosting WordPress sites, they should know if there is a major vulnerability in the wild; the same goes for hosting OsCommerce and other applications.

While there are times the hosting provider does have to rely on, and work hand in hand with, their customer (as in upgrading WordPress, for example), there are actions the hosting provider can take proactively to give their hosting customer peace of mind — after all, isn’t that the end result of entitlements from a personal perspective (peace of mind)?

While I’m not sure how other hosting providers are handling the two most pressing current matters (the zero day bug for certain WordPress themes and the OsCommerce viral attack), I can share how Dynamic Net, Inc. is handling them.

For WordPress, we took the following action steps (the same day the vulnerability was published):

  1. Searched all of our managed hosting servers for timthumb.php. Found 16 themes (duplicates counted) across multiple sites that included timthumb.php as part of the theme.
  2. Spot checked various individual timthumb.php files for their version number; all of those spot checked were version 1.19.
  3. Found the latest version of timthumb.php at http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php, which is version 1.34 at the time of this writing.
  4. Developed a plan to update all 16 timthumb.php files to version 1.34.
  5. Implemented the plan, and spot checked various files to verify that the plan was successful.
  6. Contacted impacted customers to let them know we proactively updated timthumb.php, shared the articles involved with them, and let them know of the two other recommended alternatives (which are more invasive): editing the array around line 27 to remove the allowed sites, or (for maximum security) removing the file entirely.
  7. Lastly, let our customers know that we are there for them in case they have any questions.
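Steps 1 through 3 above (locate every copy of the file, read its version, compare it with the current release) are a small inventory job that is worth scripting so it can be re-run after every theme update. The following is an added example, not Dynamic Net's own tooling. It assumes that timthumb.php declares its version with a PHP define() such as define ('VERSION', '1.19'); and uses 1.34 as the current release only because that is the number quoted above; the three-theme directory tree it audits is a constructed fixture built in a temporary directory.

```python
"""Find every timthumb.php under a web root and flag copies older than the current release."""
import os
import re
import tempfile
from pathlib import Path

# Assumption: the version is declared as define ('VERSION', '1.19'); near the top of the file.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*)['"]\s*\)"""
)
LATEST_VERSION = "1.34"  # value quoted in the post; confirm against upstream before acting


def parse_version(source: str):
    """Return the version string declared in a timthumb.php source, or None if absent."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """Compare numerically so that '1.9' sorts below '1.19' (plain string order gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def find_timthumb(root) -> list:
    """Walk the tree and return every file named timthumb.php (case-insensitive), sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "timthumb.php":
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def audit(root, latest: str = LATEST_VERSION) -> list:
    """Report each copy with its version and whether it needs updating.

    outdated is True/False when a version was found, and None when the file carries
    no recognisable version define and therefore needs a manual look.
    """
    report = []
    for path in find_timthumb(root):
        version = parse_version(path.read_text(errors="replace"))
        outdated = None if version is None else version_tuple(version) < version_tuple(latest)
        report.append({"path": str(path.relative_to(root)), "version": version, "outdated": outdated})
    return report


def build_sample_tree(base) -> None:
    """Constructed fixture: one outdated copy, one current copy, one with no version define."""
    files = {
        "theme-a/timthumb.php": "<?php\ndefine ('VERSION', '1.19');\n",
        "theme-b/inc/timthumb.php": "<?php\ndefine ('VERSION', '1.34');\n",
        "theme-c/timthumb.php": "<?php\n// locally patched copy, version define removed\n",
        "theme-c/thumb.php": "<?php\ndefine ('VERSION', '1.19');\n",  # different name, ignored
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo_audit() -> list:
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for entry in demo_audit():
        print(entry)
```

Point audit() at a real document root to get the list of files to update; entries with outdated set to None are the ones a spot check (step 2) would have to resolve by hand.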

We also let the LinkedIn Online WordPress community know about the issue as well as the names of the ten specific themes we found that use an outdated version of timthumb.php.

For OsCommerce, there were fewer steps because a lot of our Above and Beyond PCI Compliance security measures were already blocking most of the attacks. Even so, what we ended up doing is as follows:

  1. Reviewed the IP addresses of the attackers from the article: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214.
  2. Reviewed our log files (while this is done as part of our daily log file monitoring and management, we specifically double checked) to see if there were any IPs outside of the ones noted in the article doing the same or a similar attack.
  3. Since the IP addresses reverse to dial-up, noted that the attacker’s IP address will change within the ISP’s block of IP addresses.
  4. Blocked 178.217.163.0/24, 178.217.164.0/24, and 178.217.165.0/24; while 178.217.164.x was not noted in the article, it is part of the same range used by 178.217.163.x and 178.217.165.x.
  5. Alerted all OsCommerce customers about what is happening, and also let them know about ShopSite, since ShopSite is certified to be very secure.
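Steps 1, 2 and 4 above amount to turning a handful of observed addresses into network blocks and then checking the web logs against those blocks, which is how you find both the attackers that changed address inside the same range and any additional sources the article did not list. The following is an added example, not Dynamic Net's own tooling. The attacker addresses are the ones quoted above; the log lines are constructed samples in Apache combined format, and 203.0.113.7 (from a documentation range) stands in for a legitimate visitor.

```python
"""Derive /24 blocks from observed attacker addresses and scan a web log against them."""
import re
from ipaddress import ip_address, ip_network

# Addresses quoted in the post.
ATTACKER_IPS = ["178.217.163.33", "178.217.165.111", "178.217.165.71", "178.217.163.214"]

# Apache combined log: client IP, identd, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def covering_networks(ips, prefix_len: int = 24) -> set:
    """Collapse individual addresses into the /24 (by default) networks that contain them."""
    return {ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}


# The post also blocked 178.217.164.0/24 by hand because it sits between the two
# observed /24s and belongs to the same ISP allocation; that judgement is not automated here.
BLOCKLIST = covering_networks(ATTACKER_IPS) | {ip_network("178.217.164.0/24")}


def is_blocked(ip: str, blocklist=BLOCKLIST) -> bool:
    """True when the address falls inside any blocked network."""
    addr = ip_address(ip)
    return any(addr in net for net in blocklist)


def scan_log(lines, blocklist=BLOCKLIST) -> list:
    """Return (ip, timestamp, method, path, status) for each request from a blocked network."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole report
        ip, stamp, method, path, status = m.groups()
        try:
            blocked = is_blocked(ip, blocklist)
        except ValueError:
            continue  # not an IP literal (e.g. a resolved hostname in the log)
        if blocked:
            hits.append((ip, stamp, method, path, int(status)))
    return hits


# Constructed sample log lines (Apache combined format); paths are generic, not real traffic.
SAMPLE_LOG = [
    '178.217.163.33 - - [02/Aug/2011:10:15:01 -0400] "GET /catalog/admin/login.php HTTP/1.1" 200 1843 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [02/Aug/2011:10:15:09 -0400] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '178.217.164.9 - - [02/Aug/2011:10:16:44 -0400] "POST /catalog/admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '178.217.165.71 - - [02/Aug/2011:10:17:02 -0400] "GET /catalog/admin/ HTTP/1.1" 403 221 "-" "Mozilla/4.0"',
    "not a log line",
]

if __name__ == "__main__":
    print("blocklist:", sorted(str(n) for n in BLOCKLIST))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Widening a single address to its /24, as step 4 does, is a judgement call: it catches the same dial-up pool re-assigning addresses, but it also blocks every other customer of that pool, so a report like this one is the evidence you keep alongside the firewall rule.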

Now, at the end of the day, we can ask questions and debate about what is and is not an entitlement. Yet, as I share with our 19 year old daughter (whom we adopted as a teenager), it is actions that define character; what we act upon shows what we truly believe.

Does your hosting provider believe you are entitled to peace of mind? Does your hosting provider believe you have the right to be secure in your own (hosting) home? If yes, what are their actions?

]]>
Above and Beyond PCI Compliance https://dni.hosting/pci-compliance/ Fri, 15 Jul 2011 15:36:34 +0000 http://www.dynamicnet.net/?p=1238 In late June 2011, Citigroup reported that $2.7 million was stolen from several hundred thousand accounts. Do you think Citigroup was PCI compliant? Yes, Citigroup is PCI Compliant. PCI Compliance does not mean hacker proof. It just means a higher level of security that is intended to make it harder for hackers to steal, manipulate, deface, or otherwise cause damage to accounts.

What can be done to go above and beyond PCI compliance? What can be done to proactively know if a shared hosting customer has malware or hacks on their site?

Many hosting providers put the burden of security on their hosting customers. Is that the right thing to do? Especially if there are ways to go above and beyond PCI Compliance where the shared hosting provider can actively help their customers have more secure web sites?

Dynamic Net, Inc. takes Internet security very seriously. We believe in being as proactive as possible in providing managed hosting, managed shared hosting, managed VPS hosting, managed dedicated servers, and managed services. What do we do to actively go above and beyond PCI Compliance?

  1. Every day, we run a report against Google Safe Browsing checking every single domain name that we host to see if Google Safe Browsing is reporting a site we host as being unsafe.
  2. We continuously monitor each customer’s user area with Linux Malware Detect.
  3. Every month we check each hosting account for out of date applications; and then notify each customer running out of date applications to work with them on getting their applications upgraded.
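Item 1 above, a daily check of every hosted domain against Google Safe Browsing, is the kind of job that should be batched and its output reduced to a short list of flagged domains for a human to verify. The following is an added example, not Dynamic Net's own report. It assumes the current public interface, the Safe Browsing Lookup API v4 threatMatches:find endpoint, rather than whatever was used in 2011, and assumes the documented limit of 500 threat entries per request; the domain list, API key placeholder and sample response are constructed, and only check_domains() touches the network.

```python
"""Batch-check hosted domains against Google Safe Browsing and list the flagged ones."""
import json
import urllib.request

API_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE", "POTENTIALLY_HARMFUL_APPLICATION"]
MAX_ENTRIES = 500  # assumed per-request limit on threatEntries
SCHEMES = ("http", "https")  # http:// and https:// are distinct URL entries to the API


def build_lookup_requests(domains, client_id="hosting-daily-report", client_version="1.0") -> list:
    """Split the domain list into request bodies that each stay under the entry limit."""
    domains = list(domains)
    per_request = MAX_ENTRIES // len(SCHEMES)  # keep both schemes of a domain in one request
    bodies = []
    for start in range(0, len(domains), per_request):
        entries = [{"url": f"{scheme}://{d}/"} for d in domains[start:start + per_request] for scheme in SCHEMES]
        bodies.append({
            "client": {"clientId": client_id, "clientVersion": client_version},
            "threatInfo": {
                "threatTypes": THREAT_TYPES,
                "platformTypes": ["ANY_PLATFORM"],
                "threatEntryTypes": ["URL"],
                "threatEntries": entries,
            },
        })
    return bodies


def flagged_domains(response: dict) -> dict:
    """Reduce a threatMatches:find response to {domain: sorted threat types}.

    The API answers an empty JSON object when nothing matched, so a missing
    'matches' key means every submitted URL was clean.
    """
    flagged = {}
    for match in response.get("matches", []):
        url = match["threat"]["url"]
        domain = url.split("://", 1)[-1].split("/", 1)[0]
        flagged.setdefault(domain, set()).add(match["threatType"])
    return {d: sorted(t) for d, t in flagged.items()}


def check_domains(domains, api_key: str) -> dict:
    """Perform the live lookups (needs network access and a real API key) and merge the results."""
    merged = {}
    for body in build_lookup_requests(domains):
        req = urllib.request.Request(
            f"{API_URL}?key={api_key}",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            for domain, types in flagged_domains(json.load(resp)).items():
                merged[domain] = sorted(set(merged.get(domain, [])) | set(types))
    return merged


# Constructed response in the shape the API returns; example.net stands in for a flagged site.
SAMPLE_RESPONSE = {
    "matches": [
        {"threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threatEntryType": "URL",
         "threat": {"url": "http://example.net/"}, "cacheDuration": "300s"},
        {"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM", "threatEntryType": "URL",
         "threat": {"url": "https://example.net/"}, "cacheDuration": "300s"},
    ]
}

if __name__ == "__main__":
    # Replace with the real hosted-domain list and an API key; "API_KEY_PLACEHOLDER" is not a key.
    print(flagged_domains(SAMPLE_RESPONSE))
```

A daily run would feed check_domains() the full hosted-domain list and hand the returned dictionary to the manual verification step described below; an empty dictionary is the expected result on a normal day.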

If a client’s site is reported as being unsafe via Google Safe Browsing or Norton Safe Web, we then manually verify the results. If the results from Google Safe Browsing and Norton Safe Web are correct, then we notify the client, and work with the client to clean up their site. We also look at how the site became unsafe. Was there an out of date application? A vulnerable application? Could our own security measures be tightened in a way that helps without interfering with other hosting customers, and their clients?

Do you need proactive security for your web sites that go above and beyond PCI Compliance? Contact us for more information.

]]>