The recent leakage of celebrity photos has shone the spotlight on cloud application security. By now, you've probably heard about the celebrity photo leak that took place over Labor Day Weekend. The photos – which included nude and semi-nude snapshots of more than a few well-known celebrities – were published on 4Chan, Reddit and a host of other platforms, spurring some to dub the event "Celebgate," noted The Verge. Understandably, this has increased the focus on storing data in cloud applications, calling into question the security of those platforms.

The scandal: What exactly happened?
While details surrounding the event are still emerging, there are a few concrete data points that have been confirmed. The leakage included the photos – which may or may not be real – of more than 100 celebrities and public figures, such as singer Ariana Grande, television star Lea Michele, athlete Hope Solo and actress Jennifer Lawrence – who confirmed her photos were genuine. Currently, experts and investigators are unsure as to where the hack originated, but The Verge reported that at least a portion of the photos were leaked from celebrity iCloud accounts which cybercriminals infiltrated individually.

As the dissemination continued, photos appeared on various websites and underground platforms, although the authenticity of some of the images has yet to be confirmed in many cases. Soon enough, attackers and other holders began asking for funds in exchange for uncensored versions of the photos.

"It appears the intention was to never make these images public, but that somebody – possibly the previously identified distributor – decided that the opportunity to make some money was too good to pass up," noted security consultant Nik Cubrilovic.

The Verge noted that the photos appear to have been collected over several months, if not longer. At this point, the true intention of the hackers is unclear.

Apple confirms account compromise, patches flaw
Although NPR notes that Apple initially stated that there was no evidence of a breach of iCloud or the popular Find My iPhone application, it later released a statement confirming that individual accounts had been compromised, while maintaining that its systems themselves had not been breached.

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," Apple stated.

The company also encouraged "all users to always use a strong password and enable two-step verification." The day before confirming the compromised accounts, Apple patched a reported flaw in the Find My iPhone sign-in endpoint that made online brute-force guessing practical: unlike many of Apple's other services, the endpoint did not lock an account after a set number of incorrect attempts, so an attacker could keep submitting password guesses indefinitely. Note that Apple's own statement attributes the compromise to guessed passwords and security questions, and a lockout by itself does not protect an account whose security questions are guessable from public information.
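The difference a lockout makes against online guessing, as an added example that is not Apple's code and not from the original post. The page says only that the endpoint did not lock accounts after a set number of wrong guesses; the LoginService class, the policy constants (five failures, 15-minute lockout), the account name and the wordlist are all constructed here for illustration.

```python
"""Online brute-force guessing against a password login, with and without lockout.

Added example, not Apple's code. LoginService, MAX_FAILURES, LOCKOUT_SECONDS
and WORDLIST are assumptions constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional

MAX_FAILURES = 5            # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: 15-minute lockout
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """lockout=False models the flawed endpoint; lockout=True the hardened one."""

    def __init__(self, lockout: bool = True,
                 clock: Callable[[], float] = time.monotonic):
        self._users: dict = {}
        self._lockout = lockout
        self._clock = clock

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = Account(salt, _derive(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self._users.get(user)
        now = self._clock()
        if acct is None:
            _derive(password, b"\x00" * 16)   # same cost whether or not the user exists
            return "denied"
        if self._lockout and now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self._lockout and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


# Constructed wordlist standing in for a leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey",
            "sunshine1", "iloveyou", "dragon"]


def brute_force(service: LoginService, user: str, wordlist=WORDLIST):
    """Model the attack: guess until success or lockout. Returns (password or None, attempts)."""
    for attempts, guess in enumerate(wordlist, start=1):
        result = service.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def run_demo() -> dict:
    """Same weak password against both endpoints; returns both outcomes."""
    outcomes = {}
    for name, lockout in (("no_lockout", False), ("lockout", True)):
        svc = LoginService(lockout=lockout)
        svc.register("victim@example.com", "sunshine1")
        outcomes[name] = brute_force(svc, "victim@example.com")
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Without lockout the sixth guess succeeds; with lockout the fifth wrong guess locks the account and even the correct password is refused until the window expires. A hard lockout also lets an attacker lock legitimate users out of their own accounts, which is why production systems combine it with per-source throttling, progressive delays and alerting, and why it does nothing against guessable security questions or phishing.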

Are cloud applications still secure?
In response to the leakage, Apple announced that it will bolster its security protocols to ensure users' safety, including encouraging more widespread use of two-factor authentication, according to The Guardian.

Since the attack, a number of questions have been raised about the overall security of cloud systems. While users are understandably apprehensive, this was a targeted attack that in no way signals insecurity of cloud technology overall. In this case, attackers specifically infiltrated individual accounts that were not protected with all the security measures that they could have been.

Businesses and users looking to boost their cloud security can consider the use of two-factor authentication, as Apple urged its users to do after the breach.

"[C]ould you ever imagine using your debit card at an ATM and not entering a PIN?" WhiteHat Security threat management expert Matt Johansen pointed out. "That's two factor, something you have (a card) and something you know (a PIN), and we all get along just fine."

Other measures, such as monitoring sign-in activity for suspicious patterns (repeated failures against one account, logins from new devices or unusual locations), help ensure that an attack is noticed while it is still in progress rather than after the data is gone.

Another healthcare provider has been given a costly reminder of the value of data security.

Publicly traded hospital operator Community Health Systems admitted in a Securities and Exchange Commission filing that names, Social Security numbers and addresses for 4.5 million patients were compromised by cyberattackers from April to June of this year.

According to statistics maintained by the U.S. Department of Health and Human Services Office for Civil Rights, this ranks as the second largest theft of patient data ever.

The Health Insurance Portability and Accountability Act (HIPAA) governs protection of such personal data. Civil penalties are capped at $1.5 million per calendar year for violations of any one provision, but a breach that violates several provisions can be penalized under each of them, so there is no overall ceiling.

This incident can serve as a reminder to all healthcare entities that data security cannot be overlooked. HIPAA compliance is a crucial issue for the entire industry. Liability for compliance extends beyond healthcare companies to all “business associates” of these entities who handle protected health information.

To view a list of CHS hospitals and clinics, visit this link.

If HIPAA compliance is among your company's concerns, discuss with our consultants how to protect yourself and your data.

Editor's note: Below is an updated version of our blog post designed to address questions customers had after the email that accompanied this message. Added sections are italicized below.

With the recent report of 1.2 billion compromised username and password combinations, believed to be the largest ever hack of private Internet information, we'd like to take this opportunity to remind all of our customers of some password best practices. The following is intended to be an informative look at password best practices. We strive to enable our customers to be as secure as they possibly can in their Internet use.

It’s important to immediately change your password – not just for your Hostway account, but also for any accounts you use that involve personal or financial data. Your Hostway account password is no more vulnerable than any other password you use on any other site. We're simply alerting our customers to news that concerns all Internet users: The volume of passwords and accounts that are no longer secure creates a reasonable likelihood that one or more of your accounts – across all means of Internet-based services – is no longer secure, and that action should be taken to ensure the security of your personal and financial information. Make unique passwords for each of these sites, so that anyone gaining access to one of your accounts doesn’t easily gain access to more. The email account you use for password recovery is especially crucial to maintaining your digital security.

A strong password has the following characteristics:

With these tips, you'll be well on your way to a safer online existence.

The HTTPS lock icon we’re all used to trusting in our browsers hasn’t been as trustworthy as we’d like to believe.

Since Codenomicon and Google's security team publicized the OpenSSL implementation bug known colloquially as Heartbleed, two questions have come to the forefront for every Internet user: What sites have been compromised, and what do I need to do about it?

OpenSSL, an open-source cryptographic library whose development began in 1998, has carried the bug since it was introduced in the source on December 31, 2011; it shipped in OpenSSL 1.0.1 in March 2012, so releases 1.0.1 through 1.0.1f of the most widely used TLS library are vulnerable (1.0.1g fixes it, and the 0.9.8 and 1.0.0 branches were never affected). Vulnerable does not mean compromised, but any server that ran one of those versions could have been, with no way to tell from its logs.
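What the bug actually is, as an added simulation that is not OpenSSL's code and not part of the original post. A TLS heartbeat request carries a type byte, a two-byte payload_length, the payload and at least 16 bytes of padding; the vulnerable code copied payload_length bytes back to the peer without checking that many bytes were actually in the record, so a short request claiming a long payload returned whatever sat next to it in memory. The bytearray standing in for the server's heap and the "neighboring" session data after the record are constructed here; the check in the patched branch is the one the 1.0.1g fix added.

```python
"""Simulation of the Heartbleed bounds-check bug (CVE-2014-0160).

Added example, not OpenSSL's code. NEIGHBOR_MEMORY is constructed data
standing in for heap contents adjacent to the record buffer.
"""
import struct
from typing import Optional

HB_REQUEST = 1
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. An attacker sets claimed_len far above len(payload)."""
    n = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack(">H", n) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(memory: bytearray, rec_off: int, rec_len: int,
                     patched: bool) -> Optional[bytes]:
    """Process the record at memory[rec_off:rec_off+rec_len].

    Returns the payload that would be echoed back, or None if discarded.
    """
    if memory[rec_off] != HB_REQUEST:
        return None
    (payload_len,) = struct.unpack_from(">H", memory, rec_off + 1)
    if patched and 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return None  # 1.0.1g fix: silently discard, as RFC 6520 requires
    start = rec_off + 3
    # Unpatched: memcpy(bp, pl, payload_len) copies whatever follows the
    # record in memory. Python slicing stops at the end of the bytearray;
    # real memcpy keeps reading into adjacent heap (or crashes).
    return bytes(memory[start:start + payload_len])


# Constructed stand-in for heap contents adjacent to the record buffer.
NEIGHBOR_MEMORY = b"session=4f9c2d; user=alice; pw=hunter2"


def run(record: bytes, patched: bool) -> Optional[bytes]:
    """Place the record in simulated memory and handle it."""
    memory = bytearray(record + NEIGHBOR_MEMORY)
    return handle_heartbeat(memory, 0, len(record), patched)


if __name__ == "__main__":
    evil = build_heartbeat(b"hi", claimed_len=40)
    print("unpatched:", run(evil, patched=False))
    print("patched:  ", run(evil, patched=True))
```

The malicious request carries a two-byte payload but claims 40; the unpatched handler returns 40 bytes, 22 of which come from the neighboring session data, while the patched handler drops the record. A real request claims 65,535 bytes per heartbeat and can be repeated without limit, which is why private keys, session cookies and passwords were all within reach.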

Apache web servers are exposed in different ways. Apache httpd with mod_ssl links OpenSSL directly and is affected on any vulnerable version. Apache Tomcat uses Java's own TLS stack (JSSE) by default and is only exposed when it is configured with the APR/native connector, which links OpenSSL. The Apache projects today released information on mitigating the Heartbleed vulnerability.

In total, an estimated 17 percent of all SSL web servers are believed to be vulnerable, allowing attackers to read server memory that may hold purportedly secured information. Affected sites reportedly include Twitter, Yahoo, Tumblr, Steam, Dropbox and many more of the most popular sites on the Internet. Among those, Tumblr has already reacted by advising all users to change their passwords.

On the website-operator end, Hostway has determined that 4 percent of Hostway’s total server count may have been affected by this OpenSSL issue, and has contacted each customer regarding steps to become more secure.

While affected sites are busy patching OpenSSL, generating new private keys and reissuing (and revoking) their certificates – a reissued certificate on the old, possibly leaked key offers no protection – Internet users are left wondering what they should or can do about the issue. Here are three tips on staying safe:

Firstly you can use this site to determine if a site is vulnerable. But it may be best to proceed as though all your accounts have been compromised. Here's a handy list of major sites, if they were vulnerable, if they've acted, and if you should do anything yet.

Secondly, it’s important to note that changing your password before a site corrects the issue doesn’t fully address the problem: a still-vulnerable server can leak the new password just as easily as the old one. Major websites subject to the vulnerability will likely publicize their response to it; once they confirm that they have patched and replaced their keys and certificates, change your password there. OpenSSL has already addressed the issue on its end with the 1.0.1g release.

Finally, exploiting Heartbleed leaves no trace in ordinary server logs, so it will be impossible to determine whether attackers intercepted user passwords in the interim unless a problem surfaces later. So until you get the all-clear, don’t log in to affected sites at all. With the vulnerability as high-profile as ever, it seems more likely now that hackers will be aware of the opportunity to exploit the weakness.

So while you’re waiting to browse the web and figuring out how to generate new passwords, check out xkcd’s advice on the subject.

On April 8, Microsoft will no longer support Exchange 2003. The trusty decade-old email software is still used by more than 66 million people worldwide. With the impending deadline approaching many users will no doubt be asking, “Where do we go from here?”

Exchange 2003 is from the pre-cloud era, and business technology has changed dramatically since Exchange Server 2003 came out. The last couple versions of Exchange have brought more features and enhanced functionality, including S/MIME-based message security, Windows Server 2012 R2 support, OWA junk email reporting, and SSL offloading, just to name a few.

Since 2003, businesses have also experienced a culture shift regarding mobile device integration. Checking email on your smart device or tablet has become second nature to so many professionals as the devices have become more powerful and pervasive – Bring Your Own Device (BYOD) policies are necessary for most businesses. Users have new expectations from their email, calendar and messaging environments that Exchange 2003 simply can’t fulfill.

If you are among the remaining users of Exchange 2003, you have several options available to you to prepare for the upcoming abandonment of Exchange 2003 by Microsoft support.

1. Remain on Exchange 2003: This is by far the most risky option, with the software’s End of Life imminent. Microsoft will no longer issue security patches, which leaves you open to security and privacy threats. In addition, you’ll be missing out on innovations offered by the newer versions.

2. Upgrade to on-premise Exchange 2010 or 2013: Unfortunately, an on-premise upgrade of Exchange 2003 involves more than upgrading licenses and installing servers. A successful Exchange upgrade typically requires the services of specialized Exchange migration consultants, as well as significant IT time and budget. You’ll need to invest time and money in network topology upgrades, and potentially address the following as well:

3. Migrate to cloud-based Exchange 2010 or 2013: Companies can avoid the labor costs and capital investments of an on-premise upgrade by migrating to cloud-based Exchange. Choosing the right cloud provider will eliminate downtime risk, keep costs low and deliver a reliable, secure and integrated cloud environment.

For customers who have an existing on-premise Exchange 2003 platform, Hostway offers a free migration to a Cloud Exchange platform.

Making the move from Exchange 2003 to more recent versions of cloud-based Exchange is the safest, most cost-effective option. It’s perfect for companies who are looking for a secure, reliable email solution that is intuitive, familiar and simple.

Don’t fall behind – make the transition!

Own a jewelry store and looking for a way to stand out among the thousands of websites that also sell jewelry? Move over .com, as .diamonds is in town.

Last month, the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees Internet domains, went live with a long-drawn-out plan to massively expand the number of Internet generic top-level domains (gTLDs) available to businesses.

This is big news in the Internet world; over the past 30 years, only 14 new generic top-level domains had been created. This new plan will introduce hundreds and perhaps thousands of domains per year, and the first few – including .singles, .camera, .clothing and .bike – are already being rolled out by a company called Donuts, which has submitted more than 300 potential names to ICANN for approval. Google has also submitted for more than 100, including gTLDs to protect trademarks such as .google and those that have “interesting and creative potential,” such as .lol.

Businesses owning a trademark were allowed to submit a claim during a sunrise period before the names became available to the general public. More than 20 new gTLDs are now generally available from Donuts, with a handful of new ones coming out each week. Other domains will become available soon from other companies approved by ICANN.

Although a new name may be approved, it doesn't mean anyone can register a new domain in it. There are three phases of approval for each domain:

So what does this mean for SMBs, and why might they be interested in these new domains? First and foremost, it gives small businesses the ability to get in on interesting and simplistic domain names because of the sheer number of possibilities becoming available and the specificity of many, such as .plumber and .limo.

It also helps visitors understand what your company does just by looking at your URL – if you’re not a limousine company, you probably haven't grabbed a .limo domain. However, a company stuck with www.jonesandsonsjewelryco.com can add in www.jones.diamonds as its URL with prices starting at $40 per year.

Still, a number of questions still need to be answered before this becomes a no-brainer for SMBs. Because they are so new, there is not yet enough information on these gTLDs to understand how search engines will view and rank them. Unless it can be proven that they are given as much SEO weight as .com addresses, small businesses will likely take a look at what's available and may invest in one or two if the price is right, but steer clear of using them until the situation crystallizes. Until then, much of the land grab of new domains might be restricted to bigger companies looking to protect their brand.

It also might require a bigger marketing spend to get customers who are set in their ways to visit the new URLs, and SMBs with minimal marketing budgets may find this an insurmountable hurdle. Until mindshare is established for the new domain, SMBs will likely have to bear the cost of maintaining two domains and employing redirects to the new domain from the old site.

Consult your web hosting provider to learn more about the pros and cons of pursuing a new gTLD for your SMB.

San Antonio, the home of one of Hostway's offices, is a crossroads for major cross-country optical fiber. An east-west route follows Interstate 10, and a north-south one follows I-35.

Still, the announcement that Google Fiber may come to San Antonio – one of nine metropolitan areas eligible for the service – is significant news; if it happens, it will provide a much-needed jolt to the local incumbent telephone and cable companies while also helping Google develop a more balanced revenue stream.

For those unfamiliar with Google Fiber, the first city to receive the new service, Kansas City, was chosen after a competitive selection process. Over 1,100 communities applied to be the first recipient of the service. Austin, Texas followed as the second city to be developed.

To grasp the impact of Google Fiber, consider this: Prior to Google Fiber's announcement, Time Warner Cable charged $65 for its fastest residential service in San Antonio, at 50 megabits per second.

Google Fiber will provide service at 1 gigabit – 1,000 megabits – per second.

To put it simply, Google Fiber starts with a connection that is up to 100 times faster than today's average broadband speeds, providing instant downloads and crystal clear high definition TV. Interested yet?

Imagine the following packages, available in Kansas City, coming to your town, and their effect on the market:

Google Fiber's second-tier offering – though considerably slower – is billed as “today's basic speeds.” The one-time start-up fee of $300 can be paid in $25 monthly installments for a year, and would help bring Internet access to a less affluent demographic.

An advantage for San Antonio is that city-owned CPS Energy owns 86 percent of utility poles in the city. AT&T owns the remainder. This could help Google Fiber avoid lease disputes, which have slowed plans in Austin.

Perhaps most notable, this will fuel competition. With Google Fiber building a network in Austin, PCWorld reported Time Warner Cable will boost broadband speeds there while keeping prices flat.

It is important to understand that, as of 2013, using gigabit speeds requires a device with a 1000BASE-T Gigabit Ethernet port, which runs over all four pairs of Category 5 or better unshielded twisted-pair cabling, or an 802.11ac-capable Wi-Fi router and wireless adapter; in practice 802.11ac rarely delivers a full gigabit to a single client.

Also keep in mind that even if the gigabit connection can handle any load you can muster, you only get close to such speeds when the server at the other end can deliver data that fast and nothing in between throttles or otherwise slows it down.

All in all, the new Google Fiber development is an exciting phenomenon to potentially come to these cities.  Time will tell if Google will move forward with plans to build the infrastructure. Rest assured, I will be staying tuned.

Cloud computing is growing at an unprecedented rate, and shows no signs of slowing down in 2014. Gartner predicts that 70 to 80 percent of cloud adoption in 2014 will come in the form of hybrid or public clouds.

But beyond this general prediction, what are some of the major themes we can expect to see in cloud computing in the coming year?

Underlying all of these trends is the customer experience. If companies can make the transition to the cloud more easily, and become more educated about the cloud, they become more likely to adopt additional cloud-based services.

LINKS
https://www.gartner.com/doc/2631851
http://www.idc.com/getdoc.jsp?containerId=prUS24472713

The PCI Security Standards Council released a new set of requirements in November 2013. According to the Council, the changes were designed to “help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.” We at Hostway and SilverSky thought it would be helpful to deep-dive into specifics of the new requirements and discuss what they mean to our customers in the retail industry. Here are the new PCI 3.0 requirements – along with guidance about what each requirement means to you:

New PCI Requirement
5.1.2 – Evaluate evolving malware threats for any systems not considered to be commonly affected

SilverSky Guidance
Certain systems (mainframes, mid-range computers, etc.) were not traditionally affected by malware. However, these systems could potentially be at risk due to evolving malware threats, and you need to perform periodic evaluations in case these systems require protection in the future.

This is unlikely to apply to the average small to mid-size retailer. However, when discussing PCI solutions with Hostway and SilverSky, our experts can help you determine if you have any systems that may be at risk and provide guidance on how to address these risks.

New PCI Requirement
8.2.3 – Combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives

SilverSky Guidance
For this requirement, the customer bears the responsibility for setting and enforcing sufficient password policies for their employees. Make sure to require a minimum length of seven characters and include both numeric and alphabetic characters in order to meet minimum requirements.

SilverSky’s E-Security Training course helps promote employee security awareness, including the importance of sufficient passwords. Our web-based course can help you reduce security risk and meet compliance requirements at a much lower price than alternative options.

New PCI Requirement
8.5.1 – For service providers with remote access to customer premises, use unique authentication credentials for each customer

SilverSky Guidance
This requirement was added to PCI DSS in response to a data breach incident in which a vendor used one password for all customers. With just this one password, a hacker was able to compromise multiple accounts.

This requirement applies to any service provider with remote access to your on-premise systems (for example, POS companies that have access for support purposes). These third-party service providers are responsible for meeting this requirement, but you should make sure that they are complying with the rule – after all, it’s still your data and reputation at risk.

New PCI Requirement
8.6 – Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and ensure only the intended user can gain access

SilverSky Guidance
Linking authentication mechanisms to individual accounts prevents them from being used by multiple people. This reduces the risk that an unauthorized individual can gain access to critical data via the authentication mechanisms.

Hostway’s partner, SilverSky, provides authentication mechanisms to our PCI Complete customers via Managed VPN and multi-factor authentication. However, it is up to you to ensure that these are assigned to one person only and not shared.

New PCI Requirement
9.3 – Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination

SilverSky Guidance
Restrictions on physical access to data are required to limit the chances of unauthorized personnel obtaining sensitive data. This includes monitoring the access levels of authorized personnel as well.

All Hostway’s data centers have physical security safeguards, including controls on facility entry, login access restrictions, CCTV monitoring capabilities, and limits on who can access internal systems and administrative functions.

New PCI Requirement
9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution

SilverSky Guidance
Criminals often attempt to steal cardholder data by stealing or manipulating card-reading devices and terminals (aka “skimming”). Because these are physical devices on customer premises, it is the customer’s responsibility to secure them. In order to prevent skimming and ensure compliance, customers should consult this document on skimming prevention provided by the PCI Council.

New PCI Requirement
11.3 and 11.3.4 – Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective

SilverSky Guidance
According to the PCI Council, these rules were implemented in response to “requests for more details for penetration tests, and for more stringent scoping verification.”

SilverSky provides internal and external vulnerability scans and file integrity monitoring as part of our PCI Complete solution to cover the scanning and change-detection requirements (11.2 and 11.5). Requirement 11.3 calls for penetration testing, which is a separate activity from vulnerability scanning: our Professional Services team can provide it, including the tests that verify your segmentation methods are operational and effective.

New PCI Requirement
11.5.1 – Implement a process to respond to any alerts generated by the change-detection mechanism

SilverSky Guidance
The File Integrity Monitoring (FIM) solution (included with PCI Complete) detects unauthorized changes to your critical resources and immediately notifies you of suspicious activity. You are responsible for implementing a process to respond to our alerts, but we will provide guidance on how to remedy any security issues that we detect.
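What a change-detection mechanism does under the hood, as an added example that is not SilverSky's product code and not part of the original post: record a baseline of content hashes, sizes and permission bits for every file under a monitored tree, take a fresh snapshot later, and report what was added, removed or modified. The directory layout, file names and the three simulated changes below are constructed in a temporary directory so the example runs offline.

```python
"""Minimal file-integrity baseline and comparison (PCI DSS 11.5 change detection).

Added example, not SilverSky's FIM product. The monitored tree and the
simulated unauthorized changes in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> (sha256, size, permission bits) for each regular file."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            key = p.relative_to(root).as_posix()
            snap[key] = (file_digest(p), st.st_size, st.st_mode & 0o7777)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences. A permission change (e.g. setuid) counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, apply three changes, and report them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db=cardholder\n")
        (root / "etc" / "old.conf").write_text("legacy=1\n")
        (root / "bin" / "pos").write_bytes(b"\x7fELF-constructed-binary")
        (root / "bin" / "pos").chmod(0o755)
        baseline = snapshot(root)

        # Simulated unauthorized changes after the baseline was taken.
        (root / "etc" / "app.conf").write_text("db=cardholder\nlog=/dev/null\n")
        (root / "bin" / "pos").chmod(0o4755)       # setuid bit flipped, content unchanged
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF-constructed-binary")
        (root / "etc" / "old.conf").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report is only as trustworthy as the baseline: store it off-host or signed, so that an attacker who can modify the monitored files cannot also rewrite the record they are compared against. The 11.5.1 requirement is about what happens next, namely that someone is assigned to look at each alert and decide whether the change was authorized.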

New PCI Requirement
12.8.5 – Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity

SilverSky Guidance
To meet this requirement, you will need to create documentation to show which PCI requirements are covered by your company, which are covered by SilverSky, and which are covered by other service providers. SilverSky provides you with documentation detailing which PCI requirements we cover to make this process easier.

New PCI Requirement
12.9 – Service providers that store, process, or transmit sensitive data on behalf of the customer must acknowledge their accountability for securing the data in writing to the customer

SilverSky Guidance
SilverSky provides written acknowledgment of our responsibilities to all of our customers. You will also need to make sure that you receive similar written acknowledgement from every other service provider that handles sensitive data on your behalf.

Did you know:

To learn more about how Hostway and SilverSky can help your organization improve IT security, reduce costs and complexity, and meet PCI compliance, please visit https://www.hostway.com/managed-security/compliance/pci-dss-compliance.html.

Another year is winding down, allowing us all to sit back and reflect on the last year’s trends in various sectors of technology. As more and more businesses flock to the cloud, they have increasingly turned to web hosting providers to maintain and operate their websites.

With that in mind, let’s take a look at some of 2013’s strongest trends in the web hosting market that carry momentum into 2014:

  1. The Rise of the Hybrid Cloud: Businesses are increasingly abandoning their virtual private networks in favor of crafting hybrid clouds that leverage the benefits of both public and private models. Recent research suggests the hybrid market will expand to nearly $80 billion by 2018, especially as companies look for a way to handle both mission-critical and less essential applications cost-effectively and securely. This year, Microsoft officially entered the hybrid cloud world with its white-labeled offering of Azure, and VMware similarly hedged its bets with its vCloud service.
  2. Green Web Hosting: Going green is all the rage, and since data centers can certainly consume a lot of energy, there is an increasing demand for environmentally friendly web hosting services. Some of these services include wind-powered, solar-powered and carbon-neutral facilities. In addition to generating positive public relations, environmentally conscious web hosting stands to save businesses substantially on energy costs. Recent research suggests the market for green data centers will surge at a compound annual growth rate of 28 percent through 2016, where it will reach $45.4 billion. Players in the green web hosting space include AISO.net, a hosting company founded in 1997 that is powered by self-generated energy, and Green Web Hosting, which offers solar-powered hosting and carbon-offset hosting.
  3. Global Demand: The number of connected devices continues to increase, with industry insiders putting the count at 26 billion by 2020, allowing businesses to generate $1.9 trillion of revenue by 2022. This trend will continue to expand demand for web hosting services across the world. As more and more devices become connected, there will be an ever-increasing need for hosting capacity. This means that there’s virtually no end in sight when it comes to the growth of the market.
  4. Market Saturation: As the demand for web hosting rises, so does the number of vendors trying to claim a piece of the pie. With this in mind, providers should figure out how to differentiate themselves from their competitors. Increased competition benefits consumers, who can select aggressively priced solutions specifically crafted to their needs. Customers will be attracted to providers that are cost-effective, have exemplary customer service and technical support, are user-friendly, have great features and have good customer reviews.
  5. Increased Mobility: Recent research shows that more than half of American adults now own smartphones. Furthermore, studies predict tablet sales will overtake desktop sales by 2015. These increasing figures suggest that the demand for quick access to information is rising as well. Users want to retrieve data as easily as possible, which means hosting providers should strive to upgrade their capabilities to meet this demand.

Providers should keep these trends in mind when mapping out the future of their businesses. It remains to be seen what 2014 will bring, but the traction of the cloud-based web hosting market seems certain to surge, causing the market to expand at an even faster rate.

Sources:

http://www.marketsandmarkets.com/PressReleases/hybrid-cloud.asp
http://www.itproportal.com/2013/12/13/gartner-internet-things-hit-26b-units-2020/?utm_term=&utm_medium=twitter&utm_campaign=testitppcampaign&utm_source=rss&utm_content=
http://www.idigitaltimes.com/articles/20201/20131003/tablets-vs-laptops-smartphones-mobile-phones-statistics.htm
http://pewinternet.org/Commentary/2012/February/Pew-Internet-Mobile.aspx
http://www.thewhir.com/web-hosting-news/green-data-center-market-to-surpass-45-billion-by-2016-pike-report
http://www.forbes.com/sites/benkepes/2013/12/12/microsoft-delivers-on-its-hybrid-cloud-promise/
http://venturebeat.com/2013/11/25/vmware-is-making-a-big-bet-on-hybrid-cloud-technologies/
© Copyright 2024 Hostway. All rights reserved.