
March 25, 2008

VOIP Security

The guys in Enum 353 are running a session this Friday on VOIP security which might be of interest to some people:

Venue: Morrison Hotel, Ormond Quay, Dublin 1
Date: Friday 28th March 2008
Time: 9.30 a.m. to 5.00 p.m. (lunch included)

There will be no charge to attend the session.

Overview:

This workshop will discuss several VoIP security considerations from a
service provider's perspective, for example, SIP client security, SIP
proxy security and PSTN Gateway security. The workshop starts with a
short SIP introduction which highlights the SIP topics needed for SIP
hacking. Following this will be an in-depth look at specific attacks, a
live demonstration of the tools used in these attacks and a discussion
of attack countermeasures. Hacking methods displayed will include:
password hacking, account hijacking, relay attacks, identity spoofing,
billing bypass ...

This full day event will be presented by Klaus Darilion, an expert in the
field of SIP communications. He studied electrical engineering at the
Vienna University of Technology, where he later wrote a doctoral thesis
about SIP based voice communication for public safety applications.
Klaus Darilion is now employed with enum.at, the Austrian ENUM registry,
where he is working on ENUM based call routing and all kinds of SIP
based communication.

NB: This event is not organised by Blacknight, so please address any queries to Enum353

Update: Sorry about this, but I've just been told that this session is not as open as I thought previously! This session is only open to members of the VoIP ENUM working group so for more information please email vewg@ienum.ie

March 13, 2008

Heads Up! Blacknight Billing Move Coming Soon

If you're not an existing Blacknight client this post isn't going to be that interesting or relevant to you, so you might want to move along...

The short version of this post:

We'll be emailing you to get you to choose a new username for the new control panel and billing system. The email will be clearly identified as coming from us and we won't be asking you for any sensitive information (i.e. it won't be a phish!)

And for those with more patience ...

As some of you know we are currently working on a new shiny hosting system which is going to make your lives better and cure the world's ills (marketing speak gone mad! I know!).

If you can get past the marketing blurb one important fact remains. We will be moving away from Modernbill before too long. While it has served us well over the last few years our relationship has had its ups and downs, so now it only seems fair that we part our ways.

Now we know that migrating people to new systems can be disruptive and we also know how annoying it is when you're forced to use an insanely complicated username and password pair.

So our little elves (forgive the terrible metaphors!) have devised a simple solution.

If you are an existing client of ours you will be getting an email at some point in the next few weeks. Within that email will be the basic details you need to choose your new username for the new billing system. It will all be quite painless we hope (and pray!).

In any case if you have any questions do let us know.

When is this going to happen?

I can't give a fixed date just yet, as we're still ironing out some issues and I hate making promises that I can't deliver on.

January 16, 2008

Danger - More Dubious Offers

The expression "there's no such thing as a free lunch" may seem a little overused at times, but scam artists of all shapes and sizes are still "in the wild".

In some cases being a small bit more cautious or actually reading the fine print could avert disaster (or at least go a long way to avoid headaches).

It doesn't really matter which "offer" I am referring to.

It could be Domain Registry Of America (DROA) whose modus operandi consists of sending thousands and thousands of nicely laid out and very official looking letters to domain registrants. If you get one - dump it. If you don't want to dump it immediately, by all means open it and read it. But please read ALL of it.

One of the offers doing the rounds at the moment is from Euro Business Guide.

There are a couple of things about it that raise red flags:

- they're doing it via email en masse (basically spamming)
- the wording is more than a bit misleading

If you sign up with them WITHOUT reading the fine print you could be liable for a EUR 965 charge.


November 30, 2007

DNS Server Changes For Colo And Dedicated Customers

As part of upgrading our network we are changing access to our primary name servers (217.114.173.6 and 82.96.97.64) so that they are authoritative only. If you have servers on our network that are set to use these, then you will need to update the DNS settings.

We have attempted to notify all customers whose servers are currently using our authoritative name servers. However, if you have not been contacted and believe your server(s) may be using them, then you can contact us directly for more information. Any customers who put in a server within the last six months should be already using the new servers.

On Friday the 7th of December, the servers will be made authoritative only. If your name servers are not updated by then this may cause issues with connectivity.
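A way to check a server before the cut-over, as an added example that is not Blacknight's own tooling: it scans resolver configuration for the two addresses named above and reads the header of a DNS reply to see whether recursion is still offered. The sample file, the sample replies and the expectation that an authoritative-only server clears the RA flag or answers REFUSED are assumptions.

```python
import struct

# The two name servers from the notice above that become authoritative-only.
AUTHORITATIVE_ONLY = {"217.114.173.6", "82.96.97.64"}

# Constructed sample of an /etc/resolv.conf that still uses one of them.
SAMPLE_RESOLV_CONF = """\
# constructed example
search example.com
nameserver 217.114.173.6
nameserver 192.0.2.53   ; some other resolver
#nameserver 82.96.97.64
"""

# Constructed 12-byte DNS reply headers: (id, flags, qd, an, ns, ar).
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # RA clear, rcode 5
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)  # RA set, rcode 0


def stale_resolvers(resolv_conf_text):
    """Return (line_number, address) for nameserver lines using those servers."""
    hits = []
    for lineno, raw in enumerate(resolv_conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop comments
        fields = line.split()
        if (len(fields) >= 2 and fields[0] == "nameserver"
                and fields[1] in AUTHORITATIVE_ONLY):
            hits.append((lineno, fields[1]))
    return hits


def build_query(name, query_id=0x1234):
    """Build an A query with RD (recursion desired) set, as a stub resolver sends."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def recursion_offered(response):
    """True only if the reply has RA set and is not REFUSED (rcode 5)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", response[:4])
    return bool(flags & 0x0080) and (flags & 0x000F) != 5


if __name__ == "__main__":
    for lineno, addr in stale_resolvers(SAMPLE_RESOLV_CONF):
        print(f"line {lineno}: {addr} will stop resolving for you, replace it")
    print("refused reply offers recursion:", recursion_offered(REFUSED_REPLY))
```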

October 18, 2007

Firewall Upgrade Completed Successfully

The scheduled maintenance for last night went ahead on time.

According to our engineering team most people would have been affected very briefly (less than one minute).

If anyone is experiencing issues please let us know ASAP. While everything has been tested thoroughly and we have not had any reports of issues to date there is always a possibility that someone was affected - let us know if you were.


Personally I'm overjoyed that the upgrade was finally completed, as it means that our network is a lot more resilient than previously, which means I get to sleep more soundly at night!

October 10, 2007

Pushing the move to php5


Support GoPHP5.org

We mentioned the pending "death" of php4 some time ago.

It now seems that some people have got together to help push the move to php5 forward and have set a deadline of sorts.

The "go php5" site lists software projects that support php 5.2 and greater natively, i.e. without "dirty hacks" or any other messing about.

As I mentioned previously, most scripts should work properly under php 5, but there will always be exceptions!

If you'd like to find out more about why switching to php5 makes sense have a look at their FAQ.

The idea behind this is to give people that extra "push":

PHP version 5 adds a number of new features and design changes that make developing robust, secure, feature-rich software faster and easier. Those features do not exist in older versions of PHP 4, however, and many are very hard to emulate. Such features include fast and easy XML support for improved web services, better timezone handling, vastly improved database tools and input tools to make PHP applications more secure, and many others.

Projects that support PHP 4 cannot make use of those newer features, however. That means projects have to choose between supporting PHP 4, which has been in maintenance-only mode for over three years, or enabling modern web applications and services. For a long time many projects have chosen to support PHP 4 because of the large number of web hosts running PHP 4. Unfortunately that has resulted in a "chicken and egg" problem where web hosts have no incentive to upgrade to PHP 5, which means PHP developers can't use PHP 5's new functionality even if they want to.

By announcing that many leading open source projects will drop legacy support for PHP 4 at a fixed later date, we believe we can break that cycle and encourage web hosts to upgrade and allow open source developers to build faster, more secure, more powerful web applications.

Now if only we could persuade people to stop using MS SQL 2000 and FrontPage!!

September 28, 2007

Friday Spam Stats

As it's a Friday evening I thought I'd have a quick look at the spam filtering stats to see what's been going on.

I haven't looked at ALL the figures yet, but just to give you a flavour of what's going on...

One of our filtering nodes was sent 372,460 emails yesterday. It rejected 88% of those mails!!
Of the 30 thousand plus emails that it filtered nearly 30% was marked as spam.

Can you imagine that amount of junk hitting your office mail server on a dsl line?

I'd rather not!

September 17, 2007

IEDR Issues Alert on Domain Scammers

Just got this email from the IEDR:

It has once again come to the attention of the IEDR that a company operating under the name “Internet Register Ireland” is in the process of contacting businesses with registered .ie domain names by post and by fax, soliciting them to register their domain name with the “Internet Register Ireland”. The “Internet Register Ireland”, a German based company will request you to fill out their form and return it to them signed. It should be noted that they charge an excessive fee of approximately €958 for the registration of the .ie domain name in their database.

We would like to reassure all of our customers that no such organisation has been authorised to act on behalf of the IEDR. If you are contacted in this manner we would recommend that you disregard this letter and advise your customers to be aware of this activity.

The IEDR are responding to enquiries from concerned domain holders, by recommending them to contact an official IE Reseller if they require any further Internet services for their website.


We mentioned their activities last year.

New Cisco Firewalls

Following on from last Tuesday's incident we are following through on our promises.

Our technical team had been discussing the finer points of various firewalls for some time. When it comes to choosing equipment they always spend quite a bit of time evaluating the options. They have to take into account a lot of different factors:

- How well will it work with existing equipment?
- Will it scale?
- How long before we have to replace it?
- How much does it cost?
- Do we have staff who know how to use it?
- Does it support IPv6?
- How much traffic can it handle?
- How many concurrent connections can it handle?
- How much RAM does it need?

The list goes on and on...

In the end we decided to go with Cisco ASA 5500 series.

And since we love our camera phones here are a couple of snaps of the new firewalls. Before anyone asks - I'm not 100% sure when they'll be installed.

cisco-asa-firewall-frontview.jpg


And from behind:

cisco-asa-firewall-rearview.jpg

And a slightly further away shot:

cisco-firewalls-longview.jpg

September 12, 2007

Incident Report - Tuesday September 11 2007

Yesterday at lunchtime there were some issues on our network.

I'll try to explain what happened in simple terms and also explain what we are going to do to avoid this type of issue arising in the future.

If anyone has any queries about the explanation please feel free to ask via comments or email us directly.

Timeline: 13:55 - 14:18

Affected Customers: Any customer on the shared firewall that has a dedicated server or has colo with us was affected during this incident. This also included our shared hosting clients.

What happened?

At around 2pm yesterday afternoon a segment of our main network was sluggish and people would have experienced latency and packet loss.

Why?

As you may know our main network is firewalled. We have a pair of firewalls set up in HA (high availability) to protect the bulk of our clients, which includes all our shared hosting clients on both Windows and Linux, as well as a large number of clients on dedicated servers or with colocated machines.

Firewalls are basically computers. Depending on how much money you want to spend on them you get different capabilities. While our firewalls are perfectly adequate under most conditions they have limits.

When a server behind the firewall was compromised and started pumping out large amounts of traffic the firewalls were pushed to capacity. While the network was up at all times it would have been slow and unresponsive until our engineering team were able to take action.

What action was taken?

The server that had been compromised was disconnected from the network until the issue had been resolved / removed.

How can we avoid this in the future?

We had been planning to upgrade the firewalls in any case; this is now being moved forward. The new firewalls will be able to carry larger amounts of traffic so this kind of issue will have a lower impact should it arise again.

For the last few months we have also been actively encouraging clients to opt for their own firewall(s).

And now for the more detailed breakdown:

Outage Information with Timeline of Events

- 13:53 C program downloaded onto a customer's machine via a hole in their programming code.
- 13:55 Code compiled and executed. A result of this was 80mbit/s of additional traffic heading towards the shared firewall service during peak lunch time traffic.
- 14:05 Our engineering team noticed that SSH and terminal services connections to machines on the network behind the firewall were laggy or intermittent.
- 14:06 Senior onsite engineers begin to investigate the issue.
- 14:08 One of our external traffic links was carrying approx 50mbit/s more traffic than normal (some traffic from the affected host never made it past the firewalls) and they begin to check access switches for which equipment cabinet has the infected host.
- 14:15 The host responsible for this increase in traffic was identified and their switch port was shut down by a network engineer.
- 14:16 Services begin to return to normal and the load on the firewalls' CPU drops back to acceptable limits.
- 14:18 All services are back to normal.

September 10, 2007

Making the Most of your dotmobi site

Over the course of the next few weeks I'll be doing an occasional series of posts on making the most of your dotmobi domain.

If anyone has any suggestions or ideas that they'd like to share please let me know!

The topics I intend to cover will include things like building a site, checking it, making money from it and any other topics that people suggest to me.

September 5, 2007

What kind of services do people want? Give us your feedback!

There are several reasons why this blog exists and one of them is to get feedback from clients.

It may come as a surprise to people, but we actually do pay attention to what they say to us and about us.
I'd love to think that we do a good job all of the time, but there may be aspects of our service that fails to meet your expectations and if that's the case I'd like to know about it. (If you don't want to comment in public you can always email me directly: michele@blacknight.eu ). It might be something as simple as the way we worded our product or service offering ... If people don't let us know we have no way of knowing!

We are currently working on rolling out a new suite of websites and we will be unveiling a whole range of new products and services over the coming months. I'll be teasing you all with little details as we finalise the details, but now is also the ideal time for us to take your feedback. If you want us to offer something that is feasible then we might just do that. Of course we might think your idea is crazy ... but if you don't talk to us we will never know.

What kind of services would you like to see hosting providers like us providing in the future?

What elements of our current hosting plans would you like us to change? (I'm not saying we will change them, but I am more than willing to listen)

Which technologies would you like to see us offering in the future?

August 7, 2007

Unscheduled Outage: DoS attack

For about 20 minutes this morning users may have noticed that connection speeds / response times from some servers were slower than normal.

This was due to a denial of service attack the details of which are outlined below.

Timeline: 08:15am till 08:38am

Location: DEG, Blacknight Dub1 data centre

Problem and Resolution:

At approx 4am this morning a client machine started spewing data out of our network. At this time the traffic was not significant enough to trigger any alarms or cause any downtime.

At approx 8:15am this morning, a second attack started from the same machine with a significant increase in traffic. This traffic was tiny UDP datagrams aimed at an external host. The sheer volume of packets overloaded the CPU in the primary Firewall and as such it was dropping large numbers of packets.

We disabled the switch port that this machine was attached to and network flow resumed. We took preventative measures on the routers facing the customer machine to filter traffic from hitting the firewalls. We then re-enabled this customer port and logged into the machine to diagnose the issue.

The machine has since been removed from the network and is being examined by our security team.
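Both outages on this page (11 September and 7 August) came down to one customer port sending far more traffic than usual, and in the August case tiny UDP datagrams whose packet rate, rather than bandwidth, overloaded the firewall CPU. The following added example, which is not Blacknight's tooling, turns per-port switch counters into bit and packet rates and flags the offending port. The port names, polling interval, counter values and thresholds are constructed assumptions.

```python
# Constructed sample data: cumulative receive counters polled from access-switch
# ports every 60 s, as (seconds, port, bytes, packets). Port names are made up.
SAMPLES = [
    (0,   "Gi0/1", 0,           0),
    (60,  "Gi0/1", 150_000_000, 200_000),    # ordinary web traffic, 20 Mbit/s
    (120, "Gi0/1", 300_000_000, 400_000),
    (180, "Gi0/1", 1_000_000,   1_000),      # counters reset (switch reload)
    (0,   "Gi0/2", 0,           0),
    (60,  "Gi0/2", 30_000_000,  40_000),     # quiet host
    (120, "Gi0/2", 300_000_000, 4_540_000),  # 60-byte datagrams at 75,000 pps
]


def port_rates(samples):
    """Return (port, end_time, mbit_per_s, packets_per_s, avg_packet_bytes)
    for every polling interval with usable counters."""
    last = {}
    rates = []
    for t, port, octets, pkts in sorted(samples, key=lambda s: (s[1], s[0])):
        prev = last.get(port)
        last[port] = (t, octets, pkts)
        if prev is None:
            continue                      # first poll for this port
        dt, d_oct, d_pkt = t - prev[0], octets - prev[1], pkts - prev[2]
        if dt <= 0 or d_oct < 0 or d_pkt < 0:
            continue                      # counter reset or out-of-order poll
        mbps = d_oct * 8 / dt / 1e6
        pps = d_pkt / dt
        avg = d_oct / d_pkt if d_pkt else 0.0
        rates.append((port, t, mbps, pps, avg))
    return rates


def find_floods(samples, mbps_limit=50.0, pps_limit=20_000.0, small_pkt=100.0):
    """Flag intervals that exceed the bandwidth OR the packet-rate limit.

    A bandwidth-only alarm misses small-datagram floods, so both limits are
    checked and the alert records which one fired."""
    alerts = []
    for port, t, mbps, pps, avg in port_rates(samples):
        reasons = []
        if mbps > mbps_limit:
            reasons.append("bandwidth")
        if pps > pps_limit:
            reasons.append("packet-rate")
        if reasons:
            kind = "small-packet flood" if avg < small_pkt else "bulk traffic"
            alerts.append({"port": port, "time": t, "mbps": mbps, "pps": pps,
                           "kind": kind, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_floods(SAMPLES):
        print(f"{a['port']} at t={a['time']}s: {a['kind']}, {a['mbps']:.0f} Mbit/s, "
              f"{a['pps']:.0f} pps, triggered by {', '.join(a['reasons'])}")
```

In the sample data the flood on Gi0/2 stays under the 50 Mbit/s bandwidth limit and is caught only by the packet-rate limit.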

July 25, 2007

Joomla and Other Open Source CMS Targeted By Hackers

I don't want to bore people with security, but unfortunately I have to keep coming back to it time and again...

Over the past few days there has been a spate of attacks on websites using the Joomla CMS (Content Management System).

If you are using Joomla we would urge you to check that you are using the most recent version available and if you aren't to upgrade.

Even if you cannot upgrade immediately we would urge clients to check that the configuration file is not writeable.
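One way to run that check across a hosting account, as an added example rather than anything supplied by Blacknight or Joomla: it walks a web root, reports every Joomla configuration file that still has a write bit set, and can clear those bits. The file name `configuration.php` is Joomla's standard configuration file; the web root path is whatever you pass in.

```python
import os
import stat
import sys

WRITE_BITS = ((stat.S_IWUSR, "owner"), (stat.S_IWGRP, "group"), (stat.S_IWOTH, "other"))


def writable_configs(web_root, filename="configuration.php"):
    """Return (path, octal_mode, who_can_write) for each writable config file
    found anywhere under web_root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        if filename not in filenames:
            continue
        path = os.path.join(dirpath, filename)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        who = [label for bit, label in WRITE_BITS if mode & bit]
        if who:
            findings.append((path, format(mode, "04o"), who))
    return sorted(findings)


def make_read_only(path):
    """Clear every write bit, leaving the read and execute bits as they are."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    # Usage: python check_config.py /path/to/webroot [--fix]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, who in writable_configs(root):
        print(f"{path}: mode {mode}, writable by {', '.join(who)}")
        if "--fix" in sys.argv:
            make_read_only(path)
```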

July 22, 2007

Keep your details up to date!

A lot of people sign up for hosting using free email accounts or maybe their "current" work email address.

Unfortunately nobody on our end can possibly know if those email addresses are valid weeks, months or years later.

If you change your email address or telephone number you can easily update it via the control panel, or contact our accounts team and get them to do it for you.

If you don't keep the details up to date you may miss important emails from us about your hosting account, your domain renewal or even the chance to get something for nothing :)

Seriously, though, it is important that people keep their contact details up to date.

If you change jobs or stop using your free email account you do run a very serious risk of missing an important email from your hosting provider, registrar or ISP.

Take the time to check that the details on your .com domains are correct, especially if you have transferred them from another provider.

Under ICANN rules the WHOIS data has to be accurate at all times.

With other registries, such as Eurid, only a very small amount of personal data is viewable to the public via standard whois. It is very hard to spam the contacts on a .eu domain, for example, so please do not let a fear of spam lead to you losing out on a domain's renewal.

July 19, 2007

Domain Renewal Scam

We have been notified by clients of a new domain scam.

The emails come from a company calling themselves "Domain Renewal"

These emails are not from us and should be ignored. If you want to forward them to us please do.

The emails follow the following format:

It is time to renew your domain name www.domain.com

-------------------------------------------------------------------------------------------------------------------------------------
Your domain name www.domain.com will expire within 90 days.
You may renew your domain automatically with Domain Renewal. Click on the link in this
e-mail to renew the domain for another year. You should renew your domain as soon as
possible in order for it to continue to be registered in your name.

Click here if you wish to renew your domain
--------> http://www.domainrenewalonline.com/for.php?d=domain.com

As soon as we have received your payment, you will receive a confirmation that your domain
has been renewed.

-------------------------------------------------------------------------------------------------------------------------------------
Services and information about Domain Renewal
Domain Renewal maintains domain addresses, and registers and consults companies in
relation to Internet domain ownership. We inform businesses about which domains are
registered, and remind them if a domain is due to expire, or when it is time to renew a domain.
If you want Domain Renewal to extend the domain for you, we ask you to click on the link in
this e-mail. If you do not wish to use your domain after the due date for renewal, you may
disregard this e-mail. When Domain Renewal extends your domain no information will be
changed in the “Whois” information section. The domain will be extended for 1 year. You will
therefore continue with your current supplier. You may also request your Internet Service
Provider to renew the domain for you. If you have any further questions please do not hesitate
to contact our customer service centre by sending an e-mail to
support@domainrenewalonline.com

DO NOT CLICK ON THE LINK

The insecure website it takes you to will ask you for your credit card information and will try to charge you USD69 for the domain renewal. (We only charge EUR8.25)

If you have any queries about the status of domains registered through our services please feel free to contact us.

July 14, 2007

Php4 End of Life

PHP4 will be discontinued at the end of 2007.

The PHP developers have announced that they will make no more releases of php4 after the end of 2007.

We've been rolling out php5 on both our Windows and Linux servers for the last few months and will be discontinuing support for php4 at the end of 2007.

Most popular 3rd party scripts should work fine on php5, but some older ones may have issues. We'd recommend that people look into upgrading their scripts to support PHP5, as they're probably vulnerable in other ways also.

If you have any queries about this please let us know.

April 19, 2007

Security, security, security

Security should not be an afterthought and when you flaunt it too much you will end up regretting it.

While a hosting provider can do their utmost to make their network and servers as secure as possible there are limits.
Our clients want to be able to use technologies such as PHP, Ruby on Rails, Perl, ASP etc., and there are many fine open source (and commercial) software solutions out there to help them make the most of their online presence.
Unfortunately there are also plenty of nasty people out there that will try to take advantage of any possible security holes that may exist.
That, unfortunately, is life.

Here at Blacknight our technical team work very hard to ensure that the network is as secure and resilient as possible, which is why we offer a fully firewalled network to our shared, dedicated and colo clients.

On our shared servers our team keeps a very close eye on all the relevant security bulletins and will act proactively wherever necessary.

Of course no matter how much we may do issues will still arise.

The most common issues stem from weak passwords.

If your password is a dictionary based word or a string of numbers then it is simply too weak and can be cracked.

If you cannot trust yourself to come up with a strong password then why not use the ones our systems generate for you? They're completely random and usually quite long.

If you are using software from our auto-installers you should check from time to time that a newer version is not available. Most of the software available via the control panel is upgradeable, though this will depend a lot on how much customisation you have done.

If you need help with your security then why not contact us to let us know?

January 16, 2007

Attention Wordpress Users!

Over the last couple of weeks the Wordpress development team have released two updates to Wordpress.

The most recent release, version 2.0.7, was released last night (full details here)

If you are using Wordpress we urge you to upgrade to the latest version as soon as possible.

There are two ways to upgrade, however, in both cases, it is recommended that you make a backup of your blog first. You can do this easily via your control panel.

If you installed Wordpress via our auto-installer (Installatron) you will find an upgrade option within your control panel.

If you installed Wordpress manually please follow the upgrade instructions on the Wordpress site (here)

We endeavour to post important security notices on our forum, so subscribing to the Security Board can help to keep you informed (use this link if you have signed up for our forum already)

If you have any questions, queries or issues, please let us know

Thanks

Michele