Blog

Get the latest on what's happening at Itomic

Informative commentary on the web industry from the experts at Itomic.

November 19, 2014

Itomic official closing times for upcoming 2014-15 Xmas and New Year holidays

By Ross Gerring

In common with most other Australian businesses, please be advised of the following official closing times for Itomic for the upcoming holiday (hooray!) season:

Last working day: Friday Dec 19th 2014

First working date back: Mon Jan 5th 2015

Or if you prefer, we’re officially closed from Mon Dec 22nd 2014 – Friday Jan 2nd 2015 inclusive.

We do have some staff members (esp. in Melbourne!) taking extended annual leave beyond Jan 5th, so please bear with us as we come back up to full strength over the course of January 2015.

Itomic is of course a fully-fledged website hosting company, and websites don’t take holidays! Therefore we’ll have at least a skeleton staff on standby to respond over the holiday season in the unlikely event of any mission-critical website hosting issues. In the event that you do spot any such issues with your Itomic-hosted website, just call 1300 ITOMIC, 24/7/365.


November 3, 2014

Itomic risk assessment re: the serious Drupal vulnerability SA-CORE-2014-005 of Oct 2014

By Ross Gerring

On Oct 15th 2014 a serious security vulnerability in the Drupal CMS was reported by the Drupal Security Team:

https://www.drupal.org/SA-CORE-2014-005

with additional articles here:

https://www.drupal.org/drupalsa05FAQ
https://www.drupal.org/PSA-2014-003

The issue also made the headlines of some major news agencies, e.g.

http://www.bbc.com/news/technology-29846539

Itomic hosts and/or supports some 40+ Drupal sites. Within 24 hours of the issue being announced, all Drupal sites covered by Itomic’s Drupal Security Contract (DSC) were patched. Where Drupal site owners did not have a DSC, their sites were patched some time afterwards.

In common with the experience of others (see the FAQ), Itomic noticed that some sites (4, to be precise) had already been patched, but not by us. This was a clear indication of interference by hackers. First they used the security vulnerability to write a malicious script (a single file) to the hosting account, then they closed the backdoor to other hackers by patching the vulnerability. This technique might have tricked some website owners into thinking that, because their websites were patched, everything was fine. In each of the 4 compromised websites Itomic was able to quickly and easily delete the malicious scripts.

All Drupal sites hosted and/or supported by Itomic, including the 4 above, were individually reviewed for malicious activity. This included the use of the tool Drupalgeddon. No additional malicious activity was discovered. 

We acknowledge that, just because no additional malicious activity was discovered, this does not guarantee that some of the sites were not compromised in ways we have not yet been able to detect. That said, because of our prompt action and follow-up site reviews, we deem this to be very unlikely.

If indeed there are some sites on our systems that remain compromised, we’re as confident as we can be that our hosting systems and procedures are extremely well equipped to a) detect and report any significant malicious activities emanating from the compromised sites, and b) prevent those malicious activities from negatively impacting other hosting accounts on the same hosting server.

Here’s a quick overview of why Itomic hosting is superior website hosting. With the odd exception (for legacy and/or decommissioning reasons) all our servers use/employ:

  1. CloudLinux, arguably the most secure operating system for shared and dedicated website hosting.
  2. suPHP and CageFS. These make it theoretically impossible for an infected hosting account to interfere with other hosting accounts or the broader server environment. 
  3. OSSEC. Intrusion detection system.
  4. Maldet. Realtime malware detection.
  5. OpenNMS. Performance and health monitoring.
  6. KernelCare. Rapid automatic patching of core server software.

Additionally,

  1. In collaboration with our advanced tech support partners in the USA (a very successful 10+ year relationship), we have a 24/7 human response team in place to deal with critical issues.
  2. With the odd temporary exception, our hosting policy is to only run a single CMS-type per server. So for example we have Drupal-only servers and WordPress-only servers. This has two primary benefits: 1) we can optimise the hosting environment for that particular CMS, 2) security issues with one CMS-type do not impact other CMS types.

Above we’ve described what Itomic does to protect the website assets of our valued clients. And yet the fact remains that if a person (or ‘bot’) is in possession of a valid username and password, all the above provides little or no protection. This is why always using very ‘nasty’ (hard to guess) passwords is imperative for everyone who logs in to electronic systems, especially those with elevated privileges such as administrators or super-users. We acknowledge that really nasty passwords are, by definition, hard to remember. We therefore strongly recommend the use of password management systems such as LastPass or other reputable alternatives. If you’re not comfortable with electronic systems storing all your passwords, here’s an article about how to create and remember good ones.

Are you knowingly using a relatively easy-to-guess password? We urge you to change it today.


October 17, 2014

Myth Busting Paypal [Protip]

By Izumi Mitsui

Over the years I’ve noticed there’s a common misunderstanding of Paypal which resulted in some kick-back as a payment method selection. I’ll address the 3 topics most often covered in conversations.

Myth 1 – I have to sign up to Paypal to use it. 

FALSE. This is the conversation that comes up the most. While it makes it more effortless if you do own an account (with pre-filled fields etc), you can choose to pay as a guest.

[Image: paypal_itomic]

Myth 2 – I can’t use my credit card with Paypal 

FALSE. Refer to the graphic above: paying as a guest allows you to pay with your standard credit cards (VISA, MASTERCARD, AMEX and DISCOVER).

Myth 3 – Paypal is not recognised enough around the world 

FALSE. Paypal is used by a myriad of companies globally across numerous industries/markets. For a comprehensive list of Aus companies that use Paypal, see here: https://www.paypal.com.au/where-to-shop-with-paypal/ (I bet you’ll recognise more than a few of your favs in the list).

Development Cost Advantages

When developing an e-commerce solution, using Paypal will allow you to avoid the following costs:

  • Merchant account with the bank. | Costs vary depending on the bank.
  • Payment gateway programming | Costs vary depending on the bank.
  • SSL Certificate - to handle sensitive information such as payment details in an encrypted format

I hope this serves to be helpful information in understanding Paypal better. 
Got questions? Let’s chat!  


September 30, 2014

Itomic Security Announcement | Shellshock Vulnerability

Public Announcement

You may have recently heard about a new security vulnerability affecting many millions of computers worldwide. It’s been dubbed ‘Shellshock’, and you can read more about it here:

http://www.smh.com.au/it-pro/security-it/shell-shock-bash-bug-labelled-largest-ever-to-hit-the-internet-20140925-10ltx1.html

This message is to reassure you that the affected software, “Bash”, is 100% up-to-date across all Itomic’s hosting servers.

In collaboration with our technology partners we will continue to monitor the situation closely. If/when additional recommended security patches are released, we are well prepared to respond very quickly to apply them.

If you have any questions or concerns, please don’t hesitate to contact us.

Sincerely,

Team Itomic


September 15, 2014

Webmail Access [How to]

By Izumi Mitsui

Using POP email? Need access to emails when you’re traveling or not near the home computer? Here’s a quick tip!
To access your webmail login portal, type ‘/webmail’ at the end of your web address.

e.g. www.mywebsite.com.au/webmail

This will take you to a login portal that looks like this:

Enter your email address and password and you’re in!
If you can’t remember your password, contact our team and we’ll be happy to reset it for you.

Happy days!