Tag Archives: security

Meltdown & Spectre Security Vulnerabilities

Hello Readers!
We have only just entered 2018, and our newsfeeds are already filled with an alarming issue. By now, you have probably heard about the security issues called Meltdown and Spectre, which have wreaked digital havoc and left mass confusion in their wake. Earlier this week, security researchers released official documentation, complete with nicknames and logos, of two major flaws found in nearly all modern central processing units, or CPUs.

The flaws named Meltdown and Spectre were discovered by security researchers at Google’s Project Zero in conjunction with academic and industry researchers from several countries.

Meltdown and Spectre are the names of two (2) serious security flaws that have been found within computer processors. They allow cybercriminals to steal sensitive information from almost any computer, mobile device or even from the cloud. Not just that, they affect all current Intel, ARM and AMD processors, regardless of the device.

Sounds scary, right?

The great news is that patches have been created to protect many affected systems and products, and efforts are underway to update others. The bad news is that these fixes might slow down computer performance.

To understand where these threats come from, you first need to understand a behind-the-scenes process called speculative execution.

Speculative execution lets devices do some work ahead of time to speed up routine tasks. But it also creates a security vulnerability nobody expected.

Imagine that your computer is a restaurant and you are the cook. Every day you see a pattern of customers ordering the same breakfast. Eventually, you start making the order ahead of time so that breakfast is ready when the customers start to arrive. But what if a regular customer decides to order something different one day? Now you, as the cook, have to throw away the prepared breakfast and start over. Speculative execution works in a similar way.

Whenever computers perform calculations that aren’t actually needed, the results are thrown away.  This data ends up in an unsecured part of the computer’s cache memory, where unauthorized users can access it through a side channel.

What are Meltdown and Spectre?

Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory, which is normally highly protected. Meanwhile, Spectre is slightly different. It potentially allows hackers to trick otherwise error-free applications into giving up secret information.

Why Was Data Left Unsecured?

Back in the 60s, computers were very self-contained and there was no way to see data being thrown away. Nobody thought it was a risk, and it was never secured. But nowadays, computers and mobile devices share system resources with many applications and environments. Sharing is good, but when unprotected data from speculative execution ends up in shared memory, it can become a serious issue.

Like robbers trying to rob your house, these cybercriminals will try hard to look for a loophole and use a side channel to sneak in and hijack data.

Even worse, they can trick computers into loading any data, like passwords and account information, into the shared memory so they can steal it.

 

So what’s being done about Meltdown and Spectre?

When researchers identified them, they brought them to the attention of major technology companies. Hundreds of engineers came together to create patches that block Meltdown and Spectre attacks. It’s critical to install these patches right away and stay up to date with the latest releases of operating systems.

“Intel has begun providing software and firmware updates to mitigate these exploits,” Intel said in a statement, denying that fixes would slow down computers based on the company’s chips. “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

In the future, system designs will change to eliminate these kinds of vulnerabilities for good. The reality is, computers will always have some security issues. That’s why it’s so important to have as many engineers and developers looking for them as possible, and for companies to come together and solve problems that affect us all.

What can I do about it?

Update your computer with the latest security fixes as soon as possible. Mobile users should receive updates from their manufacturer.

Apple has advised customers in a blog post to update their devices’ operating system and only download software from “trusted sources such as the App Store”.

ServerFreak Servers

The majority of our servers are patched now, while some older OSes are waiting for our vendor to patch them to the latest stable version. A kernel update requires a server reboot. Please expect 5-20 minutes of downtime on each server reboot.

We will also help our managed server clients apply the kernel and Windows updates, which we will schedule in waves and out of hours.

Following the reboot, it would also be advisable for unmanaged customers to update their virtual machines to secure them too. If you are unsure how, please contact our support team, who will be happy to assist!
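On a Linux server or virtual machine, a kernel that carries the fixes reports its own status under `/sys/devices/system/cpu/vulnerabilities`, which gives a quick check after the update and reboot described above. The script below is an added example, not ServerFreak's tooling; the sample values are constructed, and treating a missing file as "still needs updating" is an assumption of this example.

```python
from pathlib import Path

# Directory where patched Linux kernels report CPU-flaw status, one file per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample of what a partly patched machine might report.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def classify(status):
    """Map one status line to not_affected / mitigated / vulnerable / unknown."""
    text = (status or "").strip()
    for prefix, verdict in (("Not affected", "not_affected"),
                            ("Mitigation", "mitigated"),
                            ("Vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return verdict
    return "unknown"  # empty or missing: the kernel does not report this issue


def read_sysfs(base=SYSFS_DIR):
    """Read the raw status lines; a missing file becomes None."""
    raw = {}
    for issue in ISSUES:
        try:
            raw[issue] = (Path(base) / issue).read_text()
        except OSError:
            raw[issue] = None
    return raw


def needs_action(raw):
    """Issues that still call for an update and reboot (assumption: unknown counts)."""
    return sorted(i for i in ISSUES
                  if classify(raw.get(i)) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    # Fall back to the constructed sample when not running on a Linux host.
    raw = read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE
    for issue in ISSUES:
        print(f"{issue:11} {classify(raw.get(issue))}")
    print("needs action:", needs_action(raw) or "none")
```

An empty "needs action" list after the reboot means the running kernel reports every listed issue as mitigated or not affected.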

Read more here on our Meltdown and Spectre patching announcements


How to avoid Chrome Browser’s ‘Not Secure’ Warning

Hi Readers!

2017 brought a number of changes to Google’s online security policy as they are working towards enforcing a secure internet.

If it is not protected, hackers can easily intercept information travelling from a user’s web browser to the web page’s server. Thus, Secure Sockets Layer (SSL) was introduced to ensure users can browse and enter their private information without it being compromised.

Related post: Why you need SSL,  Google Chrome to label Sensitive HTTP pages as “Not Secure”

Website owners, especially those whose websites collect credit card information and passwords, have been warned since September 2016 to apply Secure Sockets Layer to their sites. Starting in January, Google started labeling some HTTP websites as non-secure. Website owners risk losing search ranking and organic traffic, as Google announced in 2014 that HTTPS would be part of their ranking signal, in addition to gaining user trust and security. There are steps that need to be taken to avoid losing search traffic and ranking. Here are Google’s recommendations on site moves with URL changes.

 

Coming this October, Google Chrome will explicitly label any HTTP web page containing a text input field (such as a search bar) as “Not Secure”. Consumers will see a “Not Secure” warning and icon in the address bar when unsecured (HTTP) web pages that collect data load. Consumers will also see a “Not Secure” warning on any HTTP web page they browse to in incognito mode.

 

How Can You Tell If You Have an SSL Certificate Installed?

Type https://www.your-domain-name.com into your Google Chrome browser

If you see the green lock, this is good and means that you do have an SSL certificate installed.
If you see the red warning, this is bad and means you don’t have an SSL certificate installed.

We highly recommend you take action and obtain an SSL certificate for your website before Chrome 62 rolls out this October.

 

Here is what you can do:
If you already own a website, you can purchase SSL from us here: https://www.web-hosting.net.my/ssl-certificates.html

Pre-Sales FAQ

1) I want to start a website with SSL. Which package should I subscribe to?

Semi-Pro and above. Our hosting packages are listed here: shared hosting

2) If I have an SSL cert, can ServerFreak help us install it? How much will you charge?

Yes, provide us with the SSL cert and we will help install it for you. A setup fee of RM 95.00 is charged.

 

3) I want to install SSL on my subdomains too. Which SSL package should I subscribe to?

Positive SSL Wildcard: RM 550/year excluding GST + RM 95.00 setup fee excluding GST

– 1 Domain with Subdomain

 

4) Should I install SSL with ‘www’ or without ‘www’?

The SSL certificate can be installed for either the ‘www’ name or the name without ‘www’. If you install the cert for ‘www’, your site visitors will see an invalid certificate message when they try to visit https://abc.com, because the certificate must match the address they visit.

5) I have a website with ServerFreak, but my website still appears as HTTP. What should I do?

Let us know your domain name and we will help check for you. If you are currently on the Basic or Value package, we highly recommend you upgrade to the Semi-Pro package or above, which comes with Free Unlimited SSL.

 

6) What is the difference between Free SSL in Semi-Pro and Positive SSL?

The difference is that Free SSL in Semi-Pro is auto-updated every 3 months and does not have a warranty. Positive SSL comes with a $10,000 warranty and is updated every 1 year.

7) I have purchased your SSL and it has been installed. How do I verify this SSL?

You can verify the SSL validity via SSL Shopper
Have more questions? Reach us at sales@serverfreak.com
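FAQ 3 and 4 above both depend on how a browser compares the address a visitor typed with the names listed in the certificate. The following is an added example (not ServerFreak's code) of that matching rule; it goes slightly beyond the FAQ by also showing that a wildcard name covers exactly one subdomain level and not the bare domain. The certificate name lists are constructed, using the FAQ's `abc.com` placeholder.

```python
# Added example: matching a visited host against a certificate's DNS names.
# The name lists below are constructed; abc.com is the FAQ's placeholder domain.

def name_matches(pattern, host):
    """Match one certificate DNS name against the host the visitor typed."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p_labels[0] == "*":
        # Wildcard only as the whole left-most label, above a real domain.
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def cert_covers(cert_names, host):
    """True when any name in the certificate matches the visited host."""
    return any(name_matches(name, host) for name in cert_names)


def coverage_report(cert_names, hosts):
    """Map each host to whether the certificate would be accepted for it."""
    return {host: cert_covers(cert_names, host) for host in hosts}


HOSTS = ["abc.com", "www.abc.com", "shop.abc.com", "a.shop.abc.com"]
CERTS = {
    "www only": ["www.abc.com"],            # the FAQ 4 case
    "www + bare": ["abc.com", "www.abc.com"],
    "wildcard": ["*.abc.com"],
    "wildcard + bare": ["*.abc.com", "abc.com"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        accepted = [h for h, ok in coverage_report(names, HOSTS).items() if ok]
        print(f"{label:16} accepted for: {', '.join(accepted)}")
```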

 

 

 

 

Why do you need SSL?

Perhaps most of you are still wondering: why does my website need SSL?

SSL functions to encrypt information between a server and a client. It is a link between a web server and a browser to make sure all data that is transmitted is protected and not intercepted by malicious parties.

 

Data protection


There is a lot of personal and private data, such as login details, credit card information and personal information like identification numbers, addresses and telephone numbers. SSL makes sure data is sent to the intended recipients only. This is especially important for those who operate e-commerce sites or even membership sites that handle sensitive information on a daily basis.

For corporate use, SSL helps to encrypt sensitive information such as email passwords that are transmitted between the email client (e.g. Outlook) and the email server. Using a security protocol such as SSL/TLS, the email server verifies its identity to the email client by sending a certificate that is trusted by the user’s software, or by a third party trusted by it. Doing so ensures that the email client isn’t sending messages to an imposter. Once the client knows it can trust the server, a key is exchanged between the two, which allows all messages sent and received to be encrypted.

 

Make sure your website is secure

Having a green padlock in the URL bar assures your site visitors that you are indeed a legitimate site and not a fraud. HTTPS instead of HTTP may assure visitors that your site can be trusted.

 

My website does not handle sensitive data, do I still need SSL?

SSL helps in improving SEO ranking. Google had previously mentioned that secured sites will have higher rankings in the search engine. If you want your site to be noticed and have higher traffic, you should definitely consider installing SSL.

 

Does SSL reduce the website’s speed?

Yes, encrypting and decrypting data will indeed consume time and CPU resources, thus slowing the site’s speed. However, you can opt to exclude some of your webpages where SSL is not necessary. In addition, HTTP/2 is here to solve the problem and improve a website’s performance even over an SSL connection.

 

How to obtain SSL certificate?

1. You may buy an annual SSL certificate from ServerFreak.

2. Purchase a hosting package that is Semi-Pro or above, which comes with free shared SSL.