What is the POODLE bug and how can I check/patch my server?

A new vulnerability has been disclosed in a legacy encryption protocol, SSLv3. The POODLE bug exploits this older protocol and may allow an attacker to gain access to a secure session between a client and server that use SSLv3. More info on POODLE can be found here: http://www.troyhunt.com/2014/10/everything-you-need-to-know-about.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TroyHunt+%28Troy+Hunt%29

Transport Layer Security (TLS) and its predecessor, SSLv3, are commonly used to encrypt data between a user and a web server and provide a secure connection for the user. If a secure connection between the browser and the web server cannot be negotiated using the newest version of TLS, the connection is downgraded to an older protocol version such as SSLv3. This is where the problem starts, because the flaw in SSLv3 may allow an attacker performing a man-in-the-middle attack to recover encrypted information such as the HTTP cookies used in the session.

This vulnerability is not as critical as Shellshock or Heartbleed, as attackers cannot exploit this flaw remotely: they must first be positioned between the client and the server. However, it is important to fix this issue, as it could put sensitive data at risk of being exposed.

This attack requires both the client and the server to be using SSLv3 in order to be exploited. The easiest way to protect yourself is to upgrade one or both ends of the connection. On the client side, the only browser that still does not support TLS is Internet Explorer 6. Fixing this bug will effectively leave IE6 users out in the cold, security-wise. Modern browsers have the capability to turn off SSLv3 connections. See: http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html

On the server side, you can disable SSLv3 in Apache relatively easily:

On CentOS, modify the file /etc/httpd/conf.d/ssl.conf
On Ubuntu, modify the file /etc/apache2/mods-available/ssl.conf

Find the SSLProtocol line (add it if it doesn’t exist) and change it to read:
SSLProtocol all -SSLv3 -SSLv2

Save and then restart Apache (the service is named httpd on CentOS):
sudo service apache2 restart

On Plesk Panel servers, please be aware that if you’ve made any custom Apache changes to individual sites, you may have to make this modification in each site’s configuration file (usually located at /var/www/vhosts/{domain_name}/conf/vhost_ssl.conf).
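To verify the change across many ssl.conf and per-site files without restarting anything, the following added example (not part of the original post) evaluates an SSLProtocol directive the way mod_ssl does and reports whether SSLv3 is still offered. The two configuration fragments embedded in it are constructed for illustration.

```python
import re

# Every protocol keyword mod_ssl has accepted across releases; which ones a
# given httpd build really offers does not matter for the SSLv3 question.
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANON = {p.lower(): p for p in PROTOCOLS}

# Constructed ssl.conf fragments (not from any real server): the first still
# allows SSLv3 because its hardened directive is commented out.
VULNERABLE_CONF = """
#SSLProtocol all -SSLv3
SSLEngine on
SSLProtocol all
"""
HARDENED_CONF = """
SSLEngine on
SSLProtocol all -SSLv3 -SSLv2
"""


def enabled_protocols(config_text, default="all"):
    """Protocols enabled by the last active SSLProtocol directive.

    Follows mod_ssl's rules: "all" expands to every protocol, "+X" adds X,
    "-X" removes X and a bare name adds it. Lines starting with "#" are
    ignored. Without a directive the mod_ssl default applies: "all" for httpd
    before 2.4.17, "all -SSLv3" from 2.4.17 on (pass it via default=).
    """
    directive = default
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"SSLProtocol\s+(.+)", line, re.IGNORECASE)
        if m:
            directive = m.group(1)  # a later directive overrides an earlier one
    enabled = set()
    for token in directive.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            names = PROTOCOLS
        elif name.lower() in _CANON:
            names = {_CANON[name.lower()]}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % token)
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def sslv3_disabled(config_text, default="all"):
    """True when the effective configuration no longer offers SSLv3."""
    return "SSLv3" not in enabled_protocols(config_text, default)


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, "SSLv3 disabled:", sslv3_disabled(conf))
```

Run it over every file that can carry an SSLProtocol directive (the main ssl.conf and each Plesk vhost_ssl.conf); a vhost directive overrides the global one for that site.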

You can test your site to see if it is vulnerable to the POODLE bug at: https://www.poodlescan.com/

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance in determining if your server has been affected, or to fix the vulnerability, please open a Support Ticket via the Pantek Portal: https://portal.pantek.com

Typically, our team can determine if your server is vulnerable and apply the appropriate fixes with a time expenditure of 15 minutes, although this may vary with certain configurations.

Pantek Clients who have purchased a Managed Service Plan (Standard, Premium, or Platinum) will receive a separate notification, as management of these third-party security issues is included without incurring extra charges.

You can find more details on our Managed Service Plans here:  http://www.pantek.com/managed

Thank you for your attention to this critical security issue.

IMPORTANT UPDATE: Major New Security Vulnerability Alert

A major security vulnerability has recently been identified and announced by security experts, nicknamed Shellshock. It is especially severe because it potentially allows remote users to gain complete root control over Unix, Linux, and OS X servers through a flaw in the Bash shell.

Due to the extreme severity rating of this vulnerability (10, the maximum), we are informing all Pantek clients, and encourage you to check your server status immediately.

You can find out more details of this vulnerability here:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

This vulnerability affects versions 1.14 through 4.3 of GNU Bash.

Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance in determining if your GNU Bash has been affected, or to fix the vulnerability, please open a Support Ticket via the Pantek Portal: https://portal.pantek.com

Typically, our team can determine if your server is vulnerable and apply the appropriate fixes with a time expenditure of 15 minutes, although this may vary with certain configurations.

Pantek Clients who have purchased a Managed Service Plan (Standard, Premium, or Platinum) will receive a separate notification, as management of these third-party security issues is included without incurring extra charges.

You can find more details on our Managed Service Plans here: 

http://www.pantek.com/managed

Thank you for your attention to this critical security issue.

IMPORTANT UPDATE: Major New SSL Vulnerability

A major new SSL vulnerability has been recently identified by security experts, nicknamed the “CCS Injection Vulnerability” or “MITM CCS Injection Attack”. It is especially severe because it allows an attacker positioned anywhere on the network path between your server and the client to decrypt your encrypted data sent using SSL/TLS and HTTPS technologies. Attackers can eavesdrop on and modify your encrypted communications if both your server and the client are vulnerable, and can completely hijack the authenticated session even if only the server is vulnerable.

You can find out more details of this vulnerability here:

http://ccsinjection.lepidum.co.jp/

To determine if your server(s) are vulnerable, check what version of OpenSSL is installed. All OpenSSL versions ARE vulnerable EXCEPT these listed below:

OpenSSL 1.0.1h is NOT vulnerable
OpenSSL 1.0.0m is NOT vulnerable
OpenSSL 0.9.8za is NOT vulnerable

If your server(s) are vulnerable, in order to fix this vulnerability, you will need to upgrade your version of OpenSSL; and ideally completely re-issue and re-install all your SSL certificate(s).

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance to determine if your server(s) are indeed vulnerable, or to fix the vulnerability, please contact our support team using any of the normal methods. For fastest response, we recommend opening a Support Ticket via the Pantek Portal: https://portal.pantek.com

Typically, our team can determine if your server is vulnerable with a time expenditure of 15 minutes. Vulnerable servers can typically be patched and SSL certificates replaced with an additional 30-45 minute time expenditure, but this may vary with certain configurations.

Pantek Clients who have purchased a Managed Service Plan (Standard, Premium, or Platinum) will receive a separate notification, as management of these third-party security issues is included without incurring extra charges. You can find more details on our Managed Service Plans here:

http://www.pantek.com/managed

Thank you for your attention to this critical security issue.

New Pantek Service Offerings

As part of our continuing mission to offer the best Linux and Open Source Services on the planet, Pantek is pleased to announce three new professional service offerings:

Recurring Technical Support Services: you can now order our Expert Technical Support Services on an automatic recurring term (monthly, quarterly, or annually) at a reduced rate. This new, optional feature is helpful for customers who require an active support contract at all times.

While Pantek has offered a range of Expert Linux Security Services since 1999 as part of our Hourly Tech Support Services, we are now offering two Fixed Price security products:

Server Security Audits: a comprehensive Linux Server Security Audit performed by our Expert Engineers for a fixed price of $1599. Includes a detailed report & recommendations.

Server Security Hardening: recommended for all Linux Servers, our Expert Engineers harden your server against a wide variety of potential security vulnerabilities for $499.


More information on these new offerings can be found at the links above, and they can be ordered through either the Pantek Store or the Pantek Client Portal.

Our passion, focus, and experience have always been providing administration, consulting, support, and security services for Linux and Open Source Software. These new offerings expand the range of options for our clients. Please don’t hesitate to contact us at any time.

The Pantek Team

IMPORTANT NOTICE – Major Security Vulnerability “Heartbleed Bug”

A Major Vulnerability, nicknamed the “Heartbleed Bug” by security experts, has been identified. It is especially severe because it allows anyone on the Internet access to your encrypted data sent using SSL/TLS and HTTPS technologies. This compromises the secret keys used to encrypt the traffic, the names and passwords of the users and the actual content. It allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. You can find out more details of this vulnerability here: http://heartbleed.com

To determine if your server is vulnerable, you will need to check what version of OpenSSL is installed on your server. All OpenSSL versions 1.0.1 through 1.0.1f are vulnerable, but the following versions are already secure (and no further action would be required):

OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
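The version rules above (this Heartbleed list and the CCS Injection list earlier on this page) can be applied mechanically to the output of `openssl version`. The following added example is not part of the original notices; it encodes the fixed releases exactly as listed on this page and handles the letter-suffix ordering OpenSSL used at the time ("za" is newer than "y").

```python
import re
import subprocess

# Fixed releases per branch, as listed in the two advisories above.
HEARTBLEED_FIXED = {(1, 0, 1): "g"}  # 1.0.0 and 0.9.8 branches were never affected
CCS_FIXED = {(1, 0, 1): "h", (1, 0, 0): "m", (0, 9, 8): "za"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """((major, minor, fix), letters) from 'openssl version' output, e.g.
    'OpenSSL 1.0.1e-fips 11 Feb 2013' -> ((1, 0, 1), 'e')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_key(letters):
    """Pre-1.1.0 patch letters sort '' < 'a' < ... < 'y' < 'za' < 'zb'."""
    return (len(letters), letters)


def heartbleed_vulnerable(version_text):
    """True only for 1.0.1 builds older than 1.0.1g."""
    branch, letters = parse_openssl_version(version_text)
    fixed = HEARTBLEED_FIXED.get(branch)
    return fixed is not None and letter_key(letters) < letter_key(fixed)


def ccs_injection_vulnerable(version_text):
    """True below the fixed release of a listed branch; unlisted branches
    older than 1.0.1 predate the fix, newer ones were released after it."""
    branch, letters = parse_openssl_version(version_text)
    fixed = CCS_FIXED.get(branch)
    if fixed is None:
        return branch < (1, 0, 1)
    return letter_key(letters) < letter_key(fixed)


def local_openssl_report():
    """Apply both checks to the local 'openssl version'; None if no binary."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {"version": out.strip(), "heartbleed": heartbleed_vulnerable(out),
            "ccs_injection": ccs_injection_vulnerable(out)}


if __name__ == "__main__":
    print(local_openssl_report())
```

Distributions such as Red Hat backport security fixes without changing the version letter (their patched packages still report 1.0.1e), so treat a "vulnerable" result as a prompt to check the package changelog rather than as proof.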

If your server is vulnerable, in order to fix this vulnerability, you will need to both (a) Upgrade your version of OpenSSL; and (b) Completely re-issue and re-install all your SSL certificate(s).

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance to determine if your server(s) are indeed vulnerable, or to fix the vulnerability, please contact our support team using any of the normal methods. For fastest response, we recommend opening a Support Ticket via the Pantek Portal: https://portal.pantek.com

Typically, our team can determine if your server is vulnerable with a time expenditure of 15 minutes. Vulnerable servers can typically be patched and SSL certificates replaced with an additional 30-45 minute time expenditure.

Pantek Clients who have purchased a Managed Service Plan (Standard, Premium, or Platinum) will receive a separate notification, as management of these third-party security issues occurs without extra charges. You can find more details on our Managed Service Plans here:

http://www.pantek.com/managed

Thank you for your attention to this critical security issue.

New Client Service Portal

We are pleased to announce the launch of our new Client Support Portal!

This free Portal enhances your support experience with Pantek with several features:

- Open new Expert Linux Technical Support Tickets online in minutes
- View past Technical Support Tickets from 2012 until the present
- Check account Time Balance and purchase additional Support Time
- Add and manage authorized account contacts who can open Tickets
- View past invoices, update credit card and all billing information

If you were one of our beta testers, you already have access and can continue using all features. If not, a new account login & password will be emailed to you this week.

You can access the Portal directly here: https://portal.pantek.com/

We hope you find this free Portal useful. Thank you for choosing Pantek!


Pantek has a new office!

Same great staff, same great services! Now moved into our new office.

Pantek, Inc.
4401 Rockside Road #205
Independence, Ohio 44131

Phone: 1-216-344-1614 or Toll Free: 1-877-546-8934

Fax: 1-216-524-1522
Pantek Business Hours: 9:00am to 6:00pm Eastern Time, Monday through Friday.

Technical Support Services are available 24/7/365, and you can order online.

If you would like more information about any of our professional services sent to you, please fill out our online information request form, and information will be sent within a business day.

Pantek Inc. earns Re-Certification with Green Plus

Congratulations to Pantek Inc. of Independence, OH, for earning re-Certification with Green Plus.

Located outside of Cleveland, Pantek Inc. offers IT services and technical support to clients.  Owners Barry and Linda Zack have always operated their business with the environment in mind, from their office space to their equipment.  The Zacks even take time out to plant trees to not only offset their carbon emissions, but also to give back to the community to improve the local environment.

“We’re pleased to accept our renewed Green Plus certification,” says Barry. “As the understanding of sustainability evolves, we’ve kept up, made improvements, and continue to work to improve the environment, maintain a viable ongoing business, and increase our community involvement. This will continue to be one of our top priorities.”

Congratulations to Pantek!

Green Plus
Green Plus (gogreenplus.org) educates, motivates, and recognizes smaller enterprises for their efforts towards becoming more sustainable. They are here to offer tangible, practical tips and expertise in sustainability.

Weatherhead 100 Recognizes Pantek

The prestigious Weatherhead 100 has again recognized Pantek for its proven track record for success.


Pantek provides business class consulting, technical support, and hosting. By augmenting their historical focus on Linux and Open Source applications with offerings for Cloud Computing and enhanced network/server security services, they have stepped up their solution offerings for their customers and the industry.

“We are proud to be recognized for our growth over the past five years, especially with the current economic environment,” said Pantek President, Barry Zack. “We are committed to providing a complete suite of IT consulting, technical support, and cloud hosting to the community and expect continued growth in the future.”

The Weatherhead 100 is a testament to hard work, commitment, innovation, and the dream to succeed. Now in its 25th year, the list showcases the fastest growing companies in Northeast Ohio. The award is objectively determined annually and is highly regarded throughout the region.

About Pantek Incorporated
Founded in 1995 with a vision to provide a complete spectrum of comprehensive IT services to companies who utilize Linux and Open Source technologies, Pantek continues to deliver value-added IT services. Their clients value Pantek as their partner and as a seamless extension of their IT staff. The Pantek Team has years of industry experience matching Open Source technologies to customer business needs, providing a competitive advantage. Pantek is the leader in technical support and software implementations for enterprise Linux and Open Source technology. For more information, please visit our website, http://www.pantek.com, or call 877-LINUX-FIX (546-8934).

About the Weatherhead 100
Since its inception in 1987, the Weatherhead 100 has been the event that showcases the fastest growing companies in Northeast Ohio. Qualifying companies must show consistent growth over the last five years. The Weatherhead 100 list–objectively determined annually and highly regarded throughout the region–is a testament to hard work, commitment, innovation, and the dream to succeed. To view the full list of winners, log on to http://www.weatherhead100.org.

Paul Schneider, Notacon co-founder, Joins Pantek!

Pantek Incorporated has hired Paul Schneider as a Senior Systems Engineer. Paul brings with him over 20 years of technical expertise in computer and network systems, with a special emphasis on information security. He has developed his skills at institutions such as Case Western Reserve University, where he planned, organized, implemented, and supported numerous large projects, build-outs, and deployments, as well as mentoring students, staff, and faculty in various capacities. Paul is an alumnus of Case Western, where he earned his bachelor’s degree in Computer Science.

Paul’s breadth of experience with a wide variety of Open Source applications, Linux operating systems and IT security will be a great addition to the Pantek team. His enthusiasm for success and interest in people and technology are highly valued traits at Pantek.

He enjoys conferences, and is a co-founder and lead organizer of Notacon. This annual conference in Cleveland, Ohio, encourages participants to think about technology in new and innovative ways. Currently in its tenth year, Notacon challenges attendees with an ethos of do-it-yourself, innovation and participation. Topics range from traditional information security to music, digital art and electronics.

Paul lives with his wife, Jodie, and two-year-old daughter, Alexa, in Cleveland. In his spare time, he enjoys producing music, travel, camping, and amateur radio.

Full story: http://www.prweb.com/releases/2012/11/prweb10030350.htm