Security advice – OpenSSL Heartbleed Bug (Update)

Published by Spiral Hosting on Thursday 10th April 2014

OpenSSL Heartbleed Bug Update & SSL Certificates

This is an update to the security advisory we sent yesterday. Your webmaster or IT person should be made aware of this information.

Yesterday we emailed all our web hosting customers about the Heartbleed vulnerability in OpenSSL security software. Google Security and Codenomicon – a Finnish security company – revealed on Monday that the flaw had existed in OpenSSL for more than two years. On Tuesday security patches were released by OpenSSL, cPanel and CloudLinux, and we immediately began installing these on all the web servers we manage. The security vulnerability is thought to have initially affected several million web servers. All our web servers are now protected. Our support team have received a lot of technical requests and therefore we are sending you this update.

What exactly is Heartbleed?

The Heartbleed bug is a security vulnerability where a hacker can send a request to an SSL secured website, and vulnerable versions of the OpenSSL security software running on the web server will send a response back to the hacker that exposes the SSL private keys. Normally the SSL private keys are used to decrypt sensitive data and they should be kept secret. The security patches we have implemented on our web servers will prevent OpenSSL security software from exposing the SSL private keys. There is no way of knowing if they’ve been exposed before the security patching because the Heartbleed bug leaves no trace. Web hosting companies all around the world are working on implementing similar security patching to their own web servers.

Where does Spiral Hosting use OpenSSL?

All our web servers use OpenSSL security software to encrypt data sent to/from SSL secured websites. SSL is recommended for any websites that handle sensitive data, and it’s compulsory for websites that process credit card information to have an SSL certificate. If you use an SSL connection to connect to websites, email or other applications such as cPanel, WHM and webmail, you’ll normally see the “lock” symbol appear on your web browser. If the website is hosted with us, it definitely uses OpenSSL software. There is no evidence that any of our web servers have been exploited, but as a security precaution we have re-issued the SSL certificate(s) used by website/email services on our web servers, and we have also re-issued the SSL certificate used on the Spiral Hosting client area.

What steps do I need to take?

You should be aware of the security vulnerability and take sensible steps to stay safe online. Discuss the issue with your IT person. There is useful information about the vulnerability at http://heartbleed.com/

We recommend reading this article on BBC News http://www.bbc.co.uk/news/technology-26954540 because it contains useful background information and good practice tips for online security. Some major technology companies have recommended the public “change your passwords everywhere”. At Spiral Hosting, we are not forcing customers to reset their passwords, but we would remind customers that it’s considered good practice to change your passwords on a regular basis or when there is any possibility of a security threat like this.

The Mashable website http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ has a list of some of the biggest websites including Facebook, Tumblr, Yahoo and Google where you may want to change your passwords as a precaution.

My website has an SSL certificate, what do I do?

The advice we have received from our SSL providers (GeoTrust, Comodo and GlobalSign) is that all SSL certificates should be re-issued and re-installed. This is because there was the (very small) chance someone could have exploited OpenSSL on your website and retrieved the SSL private keys. This involves creating a new CSR (certificate signing request), Spiral Hosting submitting a re-issue request to the appropriate SSL provider, and then the certificate being validated, re-issued and re-installed on the webserver. If you have purchased an SSL certificate from Spiral Hosting and you’d like to have it re-issued and re-installed, please email our support team. There is no cost involved, but please be patient because our support team are receiving more requests than usual.
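The re-issue only helps if the new certificate is on a new private key. The following is an added example, not part of the original advisory or Spiral Hosting's tooling: it creates a fresh key and CSR with the `openssl` command line and checks that a re-issued certificate no longer shares a public key with the old one. File names and `www.example.com` are placeholders, and the demo uses self-signed certificates as a constructed stand-in for the SSL provider's output.

```shell
#!/bin/sh
# Added example. File names and www.example.com are placeholders.

# stdin: PEM public key -> stdout: SHA-256 (hex) of its DER encoding
spki_fp() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | spki_fp
}

# Fingerprint of the public half of a private key file.
key_pubkey_fp() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | spki_fp
}

# Generate a brand-new private key and a CSR for it (never reuse the old key).
# usage: new_key_and_csr <common-name> <key-out> <csr-out>
new_key_and_csr() {
    ( umask 077    # key file readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$2" -out "$3" 2>/dev/null )
}

# Succeeds only when the re-issued certificate matches the new key AND its
# public key differs from the one in the certificate served before patching.
# usage: reissue_is_rekeyed <old-cert> <new-cert> <new-key>
reissue_is_rekeyed() {
    old=$(cert_pubkey_fp "$1") || return 2
    new=$(cert_pubkey_fp "$2") || return 2
    key=$(key_pubkey_fp "$3") || return 2
    if [ "$new" != "$key" ]; then
        echo "FAIL: re-issued certificate does not belong to the new key" >&2
        return 1
    fi
    if [ "$new" = "$old" ]; then
        echo "FAIL: certificate was re-issued on the old, possibly exposed key" >&2
        return 1
    fi
    echo "OK: new certificate uses a fresh key ($new)"
}

# Constructed demo: self-signed certificates stand in for the CA's output.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -days 30 -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
    new_key_and_csr www.example.com "$d/new.key" "$d/new.csr"
    openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 30 \
        -out "$d/new.crt" 2>/dev/null
    reissue_is_rekeyed "$d/old.crt" "$d/new.crt" "$d/new.key"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run `demo` to see the passing case; on a real server, call `reissue_is_rekeyed old.crt new.crt new.key` once the re-issued certificate arrives and before installing it.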

My website does NOT have an SSL certificate, what do I do?

The Heartbleed bug won’t affect your website because there isn’t an SSL certificate installed on your website. Data to/from your website is not encrypted using SSL in the first place. We do recommend SSL certificates for any website that transmits sensitive data and SSL certificates are essential if your website transmits credit card data. You may want to consider purchasing one. Please email our sales team.

Security advice – OpenSSL Heartbleed Bug

Published by Spiral Hosting on Wednesday 9th April 2014

OpenSSL Heartbleed Bug – Informational purposes only. No action is required.

We wish to advise that we are aware of the security vulnerability and every web server that we manage has been patched. Hence, if you have shared hosting or reseller hosting with us, your website is NOT at risk.
If you have a self-managed web server hosted with us, you will receive an email with instructions and you should liaise with our technical support team.

We’ve been contacted by several customers asking about the recently discovered vulnerability in “OpenSSL 1.0.1f”. The vulnerability is known as the Heartbleed bug. It has been discovered by security experts and it is thought to affect up to 500,000 web servers worldwide. The vulnerability is receiving global news coverage. Technology companies and software providers like ZenCart are advising website owners to contact their web hosting providers.

The vulnerability allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for website, email and FTP applications. The vulnerability is known as CVE-2014-0160 and detailed information is available on the CVE website http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 and also http://heartbleed.com/

Please do not hesitate to contact our support team if you have any questions or concerns.

EU Parl adopts net neutrality & end to mobile roaming charges

Published by Spiral Hosting on Wednesday 9th April 2014

The European Parliament has adopted new proposals supporting net neutrality and eliminating intra-EU mobile phone roaming. #connectedcontinent

This is excellent news for European consumers because it should prevent Internet Service Providers giving preferential treatment to Internet content providers. For example your ISP might partner with Netflix and give faster speed to customers using Netflix, but slower second-rate speeds if you’re using another provider. The proposals should create a level playing field for all content providers.

Also, the elimination of mobile roaming charges, which is due to take effect in December 2015, could save EU consumers hundreds of Euro a year. It is particularly good news for those people living along intra-EU borders who are affected by inadvertent network roaming.

http://gigaom.com/2014/04/03/european-parliament-passes-strong-net-neutrality-law-along-with-major-roaming-reforms/

Melbourne office opening hours (time change)

Published by Spiral Hosting on Monday 7th April 2014

With the recent acquisition of Speedy, Spiral Hosting now have a presence in Australia. Our Melbourne office are here to help you Monday-Friday 8.30am to 5.30pm. Our Australian phone number is +61-38-652-1901.

The clocks went back at the weekend in Australia, so it’s now 9 hours ahead of UK time (instead of 11 hours).

If you’re in UK & Ireland this means phone calls from 11.30pm to 8.30am UK time will be answered by our Melbourne office. You can phone us on the usual numbers UK 028 9002 5008 and Ireland +353 1 657 1821.

Is your WordPress site software & security up to date?

Published by Spiral Hosting on Friday 4th April 2014

Does your website use WordPress? Is the software & security up to date?

WordPress brute force attacks began in April 2013. Thousands of malicious bots would automatically attempt to guess the login details for WordPress admin dashboards. The amount and frequency of the requests inundated many websites and caused major problems for many leading web hosting providers. Spiral Hosting led the way in implementing security procedures to help prevent these attacks. There’s more information at http://www.siliconrepublic.com/enterprise/item/32269-major-brute-force-attack-ag

One year later, unfortunately we’re seeing a resurgence in these brute force attacks as hackers/exploiters attempt new brute force methods. Help prevent attacks on your website and help keep our web servers running smoothly for all customers. We strongly recommend you follow these security instructions:

1) Make sure the admin dashboard has a very secure password. For example, “secret1” is a bad insecure password and “Z#hups$M4!Z” is a good secure password.

2) Make sure your WordPress core is up-to-date (always use the latest version, without any exception)

3) Make sure your WordPress plugins are up-to-date (always use the latest plugins, without any exception)

4) Make sure your WordPress theme is up-to-date (and importantly, remove any old inactive themes from the /wp-content/themes/ directory because old theme files are part of a new hack/exploit)

5) Install the iThemes Security plugin (formerly called Better WP Security), here’s how to install:

(a) In your WordPress admin dashboard, go to Plugins page, click ‘Add New’ button, then search for “iThemes Security” and click ‘Install Now’.

(b) Click on ‘Activate Plugin’ and you’ll see a message “iThemes Security is almost ready.” Click on ‘Secure Your Site Now’.

(c) You’ll be given a list of options. The 1st option is to schedule automated backups; you don’t need to do this because we already keep 14 days of backups for every website hosted with us. Proceed to the 2nd and 3rd options – ‘Allow File Updates’ and ‘One-Click Secure’. Enable both the 2nd and 3rd options and this will activate basic security measures for your WordPress website.

(d) Click the ‘X’ button and it will bring you to the iThemes Security dashboard with a list of more security measures. You should consider implementing the High & Medium security recommendations, in particular the ‘Hide Login’ functionality. There is more information on all the options available with this plugin at https://wordpress.org/plugins/better-wp-security/
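To see whether a site is currently on the receiving end of the login guessing described above, the web server access log can be checked for bursts of failed logins. This is an added example, not part of the original post or of the iThemes plugin: it assumes an Apache/nginx "combined" format log and relies on the usual WordPress behaviour that a failed POST to `/wp-login.php` returns status 200 while a successful one redirects with 302. The sample log lines are constructed and use documentation-range IP addresses.

```shell
#!/bin/sh
# Added example: list client IPs with many failed WordPress logins in one minute.

# usage: wp_bruteforce_sources <access-log> [threshold-per-minute]
# prints "<ip> <highest failed-login count seen in any single minute>"
wp_bruteforce_sources() {
    awk -v limit="${2:-10}" '
        # combined log fields: $1=client IP  $4="[dd/Mon/yyyy:HH:MM:SS"
        #                      $6="\"POST"   $7=path   $9=HTTP status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
            minute = substr($4, 2, 17)        # dd/Mon/yyyy:HH:MM
            hits[$1 SUBSEP minute]++
        }
        END {
            for (k in hits) {
                if (hits[k] < limit) continue
                split(k, part, SUBSEP)
                if (hits[k] > worst[part[1]]) worst[part[1]] = hits[k]
            }
            for (ip in worst) print ip, worst[ip]
        }' "$1" | sort
}

# Constructed sample data: one bot, one user who mistyped a password, one visitor.
make_sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do     # 12 failed logins inside the same minute
        printf '192.0.2.10 - - [04/Apr/2014:10:15:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"\n' "$((i * 4))"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do      # 3 failures, then a successful login (302)
        printf '198.51.100.7 - - [04/Apr/2014:10:16:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"\n' "$((i * 10))"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [04/Apr/2014:10:16:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"\n'
    printf '203.0.113.5 - - [04/Apr/2014:10:17:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2950 "-" "-"\n'
}
```

With the default threshold of 10 only the bot is reported; a slow attacker sending a few guesses per minute stays under it, which is why the strong password and ‘Hide Login’ steps above still matter.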

Spiral Hosting acquires SpeedySparrow

Published by Spiral Hosting on Monday 13th January 2014

Spiral Hosting Limited (www.spiralhosting.com), a leading cloud web hosting solutions provider today announced the acquisition of Australian web hosting firm SpeedySparrow (www.speedysparrow.com).

SpeedySparrow has been trading for over six years with a reputation for delivering a high-quality service backed by first-rate customer support. SpeedySparrow is based in Melbourne, Victoria and has a large Australian and American client base.

Spiral Hosting have a large Irish and international client base. Spiral Hosting also expanded into the American hosting market after acquiring the webhosting division of Eideashop in May 2010. Spiral Hosting is headquartered in Ireland with offices in the UK and USA.

Peter Armstrong, director of the Irish HSP explained: “Spiral Hosting are delighted to announce the acquisition of SpeedySparrow.  This acquisition allows us to expand and invest in our operations in Australia. It represents a significant investment in our webhosting infrastructure, customer service and technical support.”

“SpeedySparrow is a first-class webhosting provider that is in many ways similar to Spiral Hosting. It has an excellent reputation of offering friendly personal support that will go the extra mile for customers.”

“The new merged company will result in improvements for all Spiral Hosting and SpeedySparrow customers. Our top three objectives are excellent servers, fast support and most importantly happy customers. The SpeedySparrow team will be joining Spiral Hosting. We’ll be taking the best of both businesses and continuing to build our hosting services, cloud infrastructure and 24/7 support.”

Christmas & New Year’s Opening Hours

Published by Spiral Hosting on Monday 23rd December 2013

The Christmas holidays are almost upon us and we’d like to make you aware of our operating hours.

Our customer/technical support will be available every day throughout the holidays 24/7 as normal via our support ticket system.

Our phone support will close at 2pm on Monday 23rd December and re-open on Thursday 2nd January.

If you are a dedicated server or colocation customer you can still avail of our 24/7 server reboots and emergency phone support by calling the out-of-hours mobile numbers. These can be found on your last server invoice.

The IE Domain Registry will close on 23rd December and re-open on 6th January. We will continue to accept new orders for .ie domains over Christmas but they will not be processed by the registry during the holidays.

New rules for .ie domains expiry, suspension and deletion

Published by Spiral Hosting on Sunday 24th November 2013

The IE Domain Registry have this weekend launched new policies that change the expiry, suspension and deletion dates of domain names. The old MSD (mail, suspend, delete) system has been replaced by the NRP (non-renewal process) system. Any .ie domain registrants or resellers should be aware of the changes.

The old MSD system
The old MSD (mail, suspend, delete) system ran every two weeks.  For example, if a domain name expiring in September was not renewed, the domain owner would be mailed on the first Friday in November, suspended two weeks later and finally deleted two weeks after that.  The IE Domain Registry gave domain registrants a considerable grace period to renew their domain name. All the different deadlines made it very difficult to work out when a domain name suspension and deletion would actually happen.

The new NRP system
The new NRP (non-renewal process) system brings .ie domain names into line with other domain extensions like .com. This should remove the confusion and make it easier for registrars/registrants to manage .ie domain registrations. The new policy is straightforward. Domain names are deleted 70 days after their expiry date. If a domain name renewal isn’t paid on time, the IE Domain Registry will email the registrant after 1 day, suspend the domain name after 40 days and delete the domain name after 70 days. The domain name can be renewed at any time during the 70 days, but any website/email services associated with the domain name will stop working when the domain name is suspended, and someone else may re-register the domain name when it is deleted. It’s important to renew your domain name on time. Don’t risk losing your domain name!

Changes to .ie transfers
The IE Domain Registry have introduced an additional step for .ie domain registrars (like Spiral Hosting). Domain transfers are now “pulled” into our registrar account. This is an additional step for our staff.  It’s important that customers submit a domain transfer order on their client area before they submit any domain transfer documentation.

Automatic domain name renewals
Spiral Hosting provide an auto-renewal option on all domain names.  If it’s enabled, we will attempt to charge your credit card 5 days before the domain name renewal date. Providing the payment is successful, your domain name will be renewed. We recommend all customers enable this option.  Don’t risk losing your domain name!

SPEED Students – 50% Discount on WebHosting Plans

Published by Spiral Hosting on Monday 16th September 2013

Spiral Hosting have launched their 2013 discount for SPEED Plus students and graduates. For the past five years, Spiral Hosting have provided 50% off web hosting for participants in the Student Placements for Entrepreneurs in EDucation (SPEED) programme.

The SPEED programme has provided business start-up funding and training for thousands of university students and graduates across 20 UK universities. SPEED fellows generally start their business in July, August or September and get paid to work for themselves for 6 months. They learn business development skills, receive advice and mentoring from business experts, and they also receive significant discount off web hosting from Spiral Hosting!

SPEED students and graduates can get 50% off our webhosting packages (Size S, Size M, Size L, Size XL) including a free domain registration or transfer. We can also offer discount on other services such as SSL certificates – please contact us for details.

Universities involved in the SPEED programme have included University of Ulster, Birmingham City University, Coventry University, Keele University, Nottingham Trent University, Southampton Solent University, Staffordshire University, Thames Valley University, University of Birmingham, University of Derby, University of Lincoln, University of Wolverhampton and University of Worcester.

More information is available on the SPEED website. If you are a SPEED participant, please use promotion code “speed” on our website checkout. Please note Spiral Hosting have no official affiliation with SPEED Plus. The SPEED Plus logo is © Copyright 2013 SPEED Plus.

Aventure Host is now part of Spiral Hosting

Published by Spiral Hosting on Sunday 1st September 2013

Spiral Hosting Limited (www.spiralhosting.com), a leading UK and Ireland web hosting solutions provider today announced it has consolidated its Aventure Host business (www.aventurehost.com) into the main Spiral Hosting brand.

Aventure Host started trading in 2002 providing domain registration and Internet hosting solutions. Aventure Host’s reputation for delivering a high-quality service backed by first-rate customer support meant that it quickly grew a large UK and Ireland client base. Aventure Host was the first webhosting provider in Ireland to offer webhosting on the cloud. In March 2011, Aventure Host was acquired by Spiral Hosting Limited.

Spiral Hosting has been trading for ten years. Spiral Hosting has offices in Belfast and Dublin. Spiral Hosting has grown its Irish webhosting business into an international business, offering hosting solutions in five countries and selling in five currencies. Spiral Hosting has made several acquisitions in the last 3 years, including Aventure Host, Fresh Hosting, SpeedySparrow and the webhosting division of Eideashop.

Peter Armstrong, director of the Irish HSP explained: “Spiral Hosting are delighted to welcome Aventure Host clients. We acquired Aventure Host in March 2011 as part of a large investment in our webhosting infrastructure, customer service and technical support. In an effort to provide the best possible customer experience, we feel the time is right to consolidate the Aventure business into our main brand.”

“Aventure Host was a first-class webhosting provider that was in many ways similar to Spiral Hosting. Both companies were located just a mile apart in central Belfast, they have a long history of providing quality reputable services and friendly personal support. The consolidated business under the Spiral Hosting brand will achieve even greater things.

“The merger will result in improvements for all Spiral Hosting and Aventure Host customers. Our top three objectives are excellent servers, fast support and most importantly happy customers. Aventure Host clients will continue to receive the same web hosting, domain registration and SSL services, as well as 24/7/365 support. Our team will continue to provide friendly personal support from our offices in central Belfast.”