PCI Compliant Web Hosting and Managed Service Provider
Hosting Solutions since 1995

Security as an Entitlement

Published: Aug 3, 2011; Category: Customer Support, Managed Hosting, Managed Services, PCI Compliance, Security, Small Business; 8 Comments

If your family is like mine, over the last several months you’ve either heard about or participated in discussions about entitlements.  For our family, this debate came up with ObamaCare, as well as the US national debt crisis that is still ongoing as of the time I’m writing this journal entry.

Since I don’t have control over or a direct say in any implementation of an answer to what is and is not an entitlement as it relates to government services, I’m not going to present my feelings now to avoid any potential arguments.

What I do propose is discussing whether or not hosting security should be an entitlement.

If you host a web site, are you entitled to security?  Should your hosting provider be providing proactive security services and management for you as part of the hosting service?

Why is this something to think about?  Why should it matter enough for you to spend time considering the questions and implications?

In the past 48 hours alone, one could read “Zero day bug threatens many WordPress sites” and “Malware attack spreads to 5 million pages (and counting)”, and similar articles are published often.

If you are a WordPress user (especially one with administrator rights), are you keeping up to date with such articles?  Is it your responsibility or your hosting provider’s?  If you have OsCommerce installed on your site, what about you?  Are you paying attention when something like the second article is posted?  Is it your responsibility?

If you are the owner of a small to medium business, and you are like many of our managed hosting customers, you need to concentrate on your business and family; where is the time to even find the appropriate news feeds to learn about such security issues, or the staff to take care of them once they are discovered?

Should you, as a hosting customer, be entitled to the peace of mind that comes with knowing your hosting provider is keeping up to date with such things?  Should you be entitled to security?

I believe the answer is yes.  Yet, from reading JTPratt’s excellent article on How to Fix a Hacked WordPress Blog, I was saddened by the section dealing with What Your Web Hosting Tech Support Will Try when I read “they usually don’t know how to do any of those things right”, with “they” referring to the web hosting technical support team.

If the hosting support team doesn’t have the technical expertise to help, who does?

The hosting provider should be responsible for providing the highest level of customer care as well as proactive security.  If a hosting provider is hosting WordPress sites, they should know when there is a major vulnerability in the wild; the same goes for hosting OsCommerce and other applications.

While there are times the hosting provider does have to rely on, and work hand in hand with, their customer (as in upgrading WordPress, for example), there are actions the hosting provider can take proactively to give their hosting customer peace of mind — after all, isn’t that the end result of entitlements from a personal perspective (peace of mind)?

While I’m not sure how other hosting providers are handling the two most pressing current matters (the zero day bug for certain WordPress themes and the OsCommerce viral attack), I can share how Dynamic Net, Inc. is handling them.

For WordPress, we took the following action steps (the same day the vulnerability was published):

  1. Searched all of our managed hosting servers for timthumb.php.  Found 16 (duplicated count) themes among multiple sites that had timthumb.php as part of the theme.
  2. Spot-checked various individual timthumb.php files for their version number; found all the ones spot-checked to be version 1.19.
  3. Found the latest version of timthumb.php at http://code.google.com/p/timthumb/source/browse/trunk/timthumb.php, which is version 1.34 at the time of this writing.
  4. Developed a plan to update all 16 timthumb.php files to version 1.34.
  5. Implemented the plan, and spot-checked various files to see if the plan was successful.
  6. Contacted impacted customers to let them know we proactively updated timthumb.php, shared with them the articles involved, and let them know of the other two recommended alternatives (which are more invasive): editing the array around line 27 to remove the allowed sites, or (for maximum security) removing the file entirely.
  7. Lastly, let our customers know that we are there for them in case they have any questions.

We also let the LinkedIn Online WordPress community know about the issue as well as the names of the ten specific themes we found that use an outdated version of timthumb.php.
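The search-and-version-check in steps 1 and 2 above can be scripted so it runs the same way on every server; the following is an added example (not Dynamic Net’s tooling) that walks a web root for timthumb.php and for the renamed thumb.php copy mentioned in the comments, reads each copy’s version, flags anything below 1.34, and lists the allowed-sites array the post suggests trimming. It assumes timthumb declares its version with a PHP define() and stores the whitelist in a `$allowedSites` array; the sample files it writes are constructed, not real timthumb code.

```python
import os
import re
import tempfile
from collections import namedtuple

# Stock filename plus the renamed copy some frameworks ship (thumb.php).
CANDIDATE_NAMES = ("timthumb.php", "thumb.php")
FIXED_VERSION = (1, 34)  # the version every copy was upgraded to in the post

# Assumption: timthumb declares its version with a PHP define(), e.g.
# define ('VERSION', '1.19'); and keeps its remote-host whitelist in a
# PHP array named $allowedSites (the "array around line 27" in the post).
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")
ALLOWED_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)", re.S)

# outdated is True when the version is missing or below FIXED_VERSION.
Finding = namedtuple("Finding", "path version outdated allowed_sites")

def audit_source(path, text):
    """Classify one file's contents; an unparseable version counts as outdated."""
    m = VERSION_RE.search(text)
    version = tuple(int(p) for p in m.group(1).split(".")) if m else None
    a = ALLOWED_RE.search(text)
    sites = re.findall(r"['\"]([^'\"]+)['\"]", a.group(1)) if a else []
    return Finding(path, version, version is None or version < FIXED_VERSION, sites)

def scan_tree(root):
    """Walk a web root and audit every candidate file (steps 1 and 2 of the post)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in CANDIDATE_NAMES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.append(audit_source(full, fh.read()))
    return findings

# Constructed sample sources (not real timthumb code) for a stand-alone run.
SAMPLE_OLD = "<?php\ndefine ('VERSION', '1.19');\n$allowedSites = array('flickr.com', 'picasa.com');\n"
SAMPLE_NEW = "<?php\ndefine ('VERSION', '1.34');\n$allowedSites = array();\n"

def build_sample_tree():
    """Write one outdated and one current copy into a throwaway web root."""
    root = tempfile.mkdtemp()
    for rel, body in (("themes/a/timthumb.php", SAMPLE_OLD), ("themes/b/thumb.php", SAMPLE_NEW)):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_tree("/var/www")` (or whatever the server’s web root is) and act on every finding whose `outdated` flag is set; the constructed `build_sample_tree()` root exists only to exercise the scanner offline.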

For OsCommerce, the steps were fewer because a lot of our Above and Beyond PCI Compliance security measures were already blocking most of the attacks.  Even so, what we ended up doing is as follows:

  1. Review the IP addresses of the attackers listed in the article – 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214.
  2. Review our log files — while this is done as part of our daily log file monitoring and management, specifically double check — to see if there were any IPs outside of the noted IPs from the article doing the same or a similar attack.
  3. Since the IP addresses reverse back to dial-up, note that the attacker’s IP address will change within a block of IP addresses from the ISP.
  4. Block 178.217.163.0/24, 178.217.164.0/24, and 178.217.165.0/24; while 178.217.164.x was not noted in the article, it is a part of the same chain used by 178.217.163.x and 178.217.165.x.
  5. Alert all OsCommerce customers about what is happening; and also let them know about ShopSite, since ShopSite is certified to be very secure.
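The log review in step 2 above is, in practice, two questions: did anything from the blocked ranges get through, and are there sources outside the article’s list doing the same thing? The following is an added example (not Dynamic Net’s own log tooling) that parses Apache combined-format lines, checks each client against the three /24s the post blocks, and then pivots on the paths requested by the four known attacker IPs to surface other sources requesting the same paths. The log lines and the request path are constructed placeholders, not the real attack URLs.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The four attacker IPs named in the article, and the /24s the post blocked.
KNOWN_ATTACKERS = {"178.217.163.33", "178.217.165.111", "178.217.165.71", "178.217.163.214"}
BLOCKED_NETS = [ip_network(n) for n in ("178.217.163.0/24", "178.217.164.0/24", "178.217.165.0/24")]

# Apache/NCSA combined log format: client, identity, user, [time], "request", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (client_ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(3), m.group(4), int(m.group(5))) if m else None

def in_blocked_nets(ip):
    addr = ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)

def review(lines):
    """Step 2 of the post: collect requests from the blocked ranges, then pivot on
    the paths the known attackers requested to surface other sources hitting the
    same paths (possible attackers outside the article's list)."""
    entries = [e for e in map(parse_line, lines) if e]
    blocked_hits = [e for e in entries if in_blocked_nets(e[0])]
    attacker_paths = {e[2] for e in entries if e[0] in KNOWN_ATTACKERS}
    other_sources = defaultdict(set)
    for ip, _, path, _ in entries:
        if path in attacker_paths and not in_blocked_nets(ip):
            other_sources[ip].add(path)
    return blocked_hits, attacker_paths, dict(other_sources)

# Constructed sample log lines; the path is a placeholder, not the real attack URL.
SAMPLE_LOG = [
    '178.217.163.33 - - [03/Aug/2011:10:00:01 -0400] "GET /catalog/PLACEHOLDER_PATH.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Aug/2011:10:00:05 -0400] "GET /catalog/index.php HTTP/1.1" 200 7020 "-" "Mozilla/5.0"',
    '178.217.164.9 - - [03/Aug/2011:10:01:12 -0400] "POST /catalog/PLACEHOLDER_PATH.php HTTP/1.1" 403 220 "-" "-"',
    '198.51.100.23 - - [03/Aug/2011:10:02:40 -0400] "GET /catalog/PLACEHOLDER_PATH.php HTTP/1.1" 200 512 "-" "-"',
    'garbage line that does not parse',
]
```

On the sample, `review(SAMPLE_LOG)` reports two hits from the blocked ranges and one outside source (198.51.100.23) requesting the same path as a known attacker, which is exactly the kind of address step 2 is meant to catch.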

Now, at the end of the day, we can ask questions and debate about what is and is not an entitlement.  Yet, as I share with our 19 year old daughter (whom we adopted as a teenager), it is actions that define character; what we act upon shows what we truly believe.

Does your hosting provider believe you are entitled to peace of mind?  Does your hosting provider believe you have the right to be secure in your own (hosting) home?  If yes, what are their actions?

Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.

8 Responses to “Security as an Entitlement”

  1. > Searched all of our managed hosting servers for timthumb.php.

    Did you search for thumb.php (WooThemes use the file without the tim-prefix)? That’s a nasty gotcha, and I think WooThemes should leave it as the original filename, but that’s a different issue.

  2. Good day, Alastair McDermott:

    Thank you for your comment. What we found (thanks to your input) is that the Thesis framework also renames timthumb.php to thumb.php.

    I do agree with you the file name should be left alone; I also agree the issues are different (i.e. file name vs. version). Standardization goes a long way to help with maintenance, though.

    Thank you.

  3. Good day:

    I asked one of our customers using Thesis to check with Thesis rather than just doing a stock replace; and Thesis stated their version (which is modified from the stock version) is not vulnerable.

    Thank you.
