The Heartbleed bug (http://en.wikipedia.org/wiki/Heartbleed_bug) is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.
This vulnerability allows an attacker to read chunks of memory from servers and clients that communicate over SSL, through a flaw in OpenSSL’s implementation of the heartbeat extension.
OpenSSL provides critical functionality in the internet ecosystem, and therefore vulnerabilities, such as Heartbleed, have a significant impact on digital communications and their integrity.
What does this mean for WHMCS installations?
SSL is an important protocol for securing web traffic, and thus securing web requests for logins, order transactions, etc. WHMCS, like all web applications, must rely on web servers to correctly implement the SSL protocol. WHMCS as a web application cannot patch the Heartbleed vulnerability, nor can we mitigate its effects. However, as a member of the internet community, we feel it’s important to raise awareness of the risk and ensure that our users check that their server is protected.
How do I check if my server is protected?
Essentially, there are three ways you can verify if your server is protected:
2) You can leverage a third party scanning tool via the web.
Below are three such sites that the community deems reputable and trustworthy. You simply enter your website address and it will tell you whether the server is affected:
3) You can run a scanning tool locally on your server. One such tool is:
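As an added example (not WHMCS code, and not one of the scanning tools or sites the post refers to), the POSIX shell script below classifies the string printed by `openssl version` against the affected range stated above, OpenSSL 1.0.1 through 1.0.1f. It assumes the string has the layout `openssl version` prints ("OpenSSL 1.0.1e 11 Feb 2013"); the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not WHMCS code: decide whether an `openssl version` string
# names a release in the Heartbleed-affected range, OpenSSL 1.0.1 through 1.0.1f.
# Assumption: the string has the layout `openssl version` prints, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" (a "-fips" suffix after the letter is tolerated).

# heartbleed_affected "<version string>"
#   exit 0 : version is 1.0.1 with no patch letter, or 1.0.1a .. 1.0.1f
#   exit 1 : any other OpenSSL version
#   exit 2 : string not recognised as OpenSSL output (e.g. LibreSSL)
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')     # e.g. 1.0.1
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')  # e.g. e
    [ "$base" = "1.0.1" ] || return 1
    case "$letter" in
        ""|a|b|c|d|e|f) return 0 ;;
        *) return 1 ;;
    esac
}

# heartbleed_report "<version string>": print a one-line verdict.
# The helper's non-zero return is captured so this stays safe under `set -e`.
heartbleed_report() {
    rc=0
    heartbleed_affected "$1" || rc=$?
    case "$rc" in
        0) echo "AFFECTED range (1.0.1 through 1.0.1f): $1" ;;
        1) echo "outside affected range: $1" ;;
        *) echo "unrecognised version string: $1" ;;
    esac
}

# Sample strings in the layout `openssl version` prints (constructed for this
# example, not captured from a real server):
heartbleed_report "OpenSSL 1.0.1e 11 Feb 2013"
heartbleed_report "OpenSSL 1.0.1g 7 Apr 2014"
heartbleed_report "OpenSSL 1.0.0l 6 Jan 2014"
# On your own server:  heartbleed_report "$(openssl version)"
```

Two caveats when reading the verdict. Distribution packages often backport the fix without changing the upstream version letter (Debian and Ubuntu, for instance, kept reporting 1.0.1e after patching), so an "AFFECTED" result is a prompt to check the package changelog (`apt-get changelog openssl` or `rpm -q --changelog openssl`) rather than a final answer; `openssl version -a` also prints the build date. And a patched library only protects processes that have loaded it, so after updating the package restart every service that links libssl (web server, mail, and so on), or a running process keeps the old code mapped.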
What do I do if my server is not protected?
Contact your local system administrator or hosting provider immediately! They will have the technical expertise to update the OpenSSL libraries on your server to protect your SSL communications going forward.
Once I have patched my server, is there anything else I need to do?
Due to the nature of the vulnerability, it is not possible to immediately know what information, including private keys, passwords, or session IDs, may have been compromised. Attacks that leverage the Heartbleed bug occur very early in the information exchange, before a full connection has been established, and thus leave no log history that an attack has occurred.
We recommend that you take precautionary action and regenerate all SSH keys as well as reissue all SSL certificates in use.
If you have purchased SSL certificates directly from WHMCS or resell SSL certificates through Enom, you can find more information on how you and the SSL provider can reissue your certificates here: http://docs.whmcs.com/Reissueing_Enom_SSL_Certificates
We also recommend that you take precautionary action concerning passwords used to authenticate against your WHMCS installation. This would include resetting administrative passwords as well as contacting your customers and asking them to reset their passwords. A step-by-step guide and sample email template are provided here: http://go.whmcs.com/386/heartbleed-pw-reset-email-tutorial
How have WHMCS servers and my account been affected by Heartbleed?
The WHMCS website, our public servers, and the whmcs.com SSL certificate endpoint were not vulnerable to the Heartbleed bug when it was publicly disclosed on April 7th 2014.
Any secure communication with our servers, such as logging into the members area, would not be affected by any attacks following the public disclosure of the Heartbleed bug.
The Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet. It is for that reason that we are encouraging our customers to reset their member area passwords at their earliest convenience as a matter of common password maintenance. Please remember to always make your passwords unique and random, and to rotate them periodically.
WHMCS is in the process of emailing all active clients to inform them of this blog post. That email also contains a direct link to the whmcs.com password reset function as a precautionary measure.
Posted by Matt on Friday, April 11th, 2014 at http://blog.whmcs.com/?t=88022
While regularly changing your online passwords is always a good thing to do, the recent news of leaked LinkedIn passwords is a great reminder why:
A new version of WordPress, a popular open-source blog and content management system, was released which addresses three security issues. Few details have been provided; however, the issues addressed are a cross-site request forgery (CSRF) vulnerability, a denial of service (DoS) issue and a cross-site scripting (XSS) vulnerability. It is not clear which prior versions of WordPress are vulnerable, so we urge all WordPress administrators, particularly those whose implementations of WordPress are public facing, to update to the latest fixed version, 3.1.1.
As WordPress is a Web application, it seems timely to note that the IBM X-Force 2010 Trend and Risk Report contains insightful information on web application vulnerabilities and, of particular relevance, the likelihood of the occurrence of CSRF and XSS vulnerabilities listed by application technology and business sector in Section III, Developing Secure Software. Additionally, Section I contains information on XSS trends observed through 2010.
See Heal Your Church Web Site: HIPAA (HIPPA), Disclosures and your Church Website for some thoughts and warnings about both website information privacy and prayer chain privacy.
Some basic guidelines are:
Since Google disclosed in January that Internet hackers stole information from its computer systems, the details of the theft have been closely guarded. This week, nearly four months after the high-profile breach, someone with a direct connection to the investigation revealed that the cyber theft made off with one of Google’s crown jewels – a password system that controls access for millions of users worldwide and to almost all of the company’s Web services, including e-mail and business applications. If this Internet giant is vulnerable to hackers and cyber criminals, how about you?
Malicious cyber attacks around the world more than doubled last year and accounted for more reported data security breaches than human error, a disturbing new trend. Attacks on websites can come from viruses, malware and through the Internet and social media.
That’s why highlighting the importance of using strong passwords, using anti-virus software while keeping it and your patches up to date, being careful when sharing personal information, and making sure sites are secure and legitimate are key everyday business practices to follow and share with others.
A website that focuses on WordPress plugins is available so you can research the best security measures for your website. There are many plugins that are designed to protect your website. Check them out at WordPress Plugins