Category Archives: Security

Fight surveillance law in Romania

How does it affect the hosting and cybersecurity industry in Romania?


The law will require:

– Hosting providers to intercept communications, hand over customer data and decrypt data on request, at their own expense.

– IP resource hosting providers and electronic communication providers “to grant, at the request of authorized bodies, under the conditions of this law, the decrypted content of communications transited in their networks”


But what would this mean for customers in practice?

– Decryption of encrypted content: SSL/TLS-protected data would have to be decrypted on request wherever the provider holds your private key. For shared and managed hosting this is always the case, and the same goes for most DDoS filtering services, which need the key to inspect the traffic.

– Provision of details about website visitors (IP logs).


How will FlokiNET be affected?


The law also covers foreign providers operating IP space or network infrastructure in Romania. However, we and our legal team clearly see the proposed law as illegal under the Romanian constitution as well as under EU law. All passwords, decryption keys, SSL keys etc. are managed by FlokiNET ehf in Iceland, and handing them over would violate Icelandic law. We are more than willing to argue this in court and will not cooperate in any manner that would break Icelandic law.


Does customer data remain safe?

Yes, it does! All our servers are encrypted; without the keys, which are stored safely in Iceland, no data can be decrypted.


Should I move my hosting / server to a different location?

There is no need for this. Should our legal opinion change or the law become permanent, we will address our customers directly.

What action will FlokiNET take to ensure customer data safety?

Since FlokiNET was founded in 2012, customer data protection has been in our DNA.

This includes the encryption of all data and several technical and legal measures to make sure this data remains safe. Should the law come into force in Romania, we will immediately challenge it in court and are confident the appeal will succeed.


Conclusion for our customers:

No changes or worries required for now. In case the situation changes we will let you know.

What can I do?

In our previous blog post we mentioned that the Romanian Senate is due to vote on a piece of legislation that would severely cripple the ability of hosting companies to provide secure services to you, the customers. If you want to take a stand against this, we urge you to send a letter to the committees of the Romanian Senate as well as to the representatives of the Romanian political parties.

You can use the letter below as a template, add your own position to it, and send it. We recommend you act sooner rather than later, since the vote on this piece of legislation is most probably scheduled for Monday, February 14th.

Think of it as sending a Valentine’s Day letter to a secure Internet. 😉

The blog entry with the background:

Penetration Testing with FlokiNET

What’s penetration testing?

Penetration testing is all about evaluating your application’s security before malicious attackers do.

Understood, but why do I need that?

Well, it sucks to get hacked. Nobody likes losing revenue because somebody leaks your customer data on pastebin.com. Such an attack not only destroys the trust relationship with your clients but can also lead to serious GDPR fines.

Okay, but how are you testing then?

It depends on your environment; our international team can provide you with:

Do you have a testing methodology?

Yep! Our web application and API penetration tests focus on the OWASP Top 10 and the OWASP Application Security Verification Standard (ASVS), a detailed methodology can be provided on request.

Sounds good, but I heard hiring penetration testers is damn expensive?

That's why we do it differently: you only pay if we find something. Furthermore, existing FlokiNET clients get a 10% discount! Get in touch soon, our capacity is limited! Contact us at info@flokinet.is or create a ticket.

Let’s Encrypt

Since the Snowden revelations the use of encryption has been growing steadily. One of the key points is encrypting everyday web traffic. Every website should use SSL/TLS, but for someone just starting a website, installing a certificate and keeping it up to date is often too complicated.

And of course it comes at a price: even a standard SSL certificate costs at least 10 euro per year.

But why pay for an SSL certificate when you can have one for free?

All shared hosting servers support Let's Encrypt certificates!

You don't have to do anything: your website will simply receive (or already has) a valid SSL certificate issued by Let's Encrypt. Try it out!

If you already have a valid SSL certificate it won't be replaced. Certificates installed within cPanel have priority, so they won't be overwritten.

The certificate is installed and renewed automatically by the system; there is nothing you need to do.

If you have any further questions please contact our support team via email or ticket system.

About Let’s Encrypt:

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Let’s Encrypt is a trademark of the Internet Security Research Group. All rights reserved.

HTTP Strict Transport Security (HSTS)

The HSTS policy helps protect web application users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user's browser has an HSTS policy in effect for that web application: the browser rewrites every http:// URL for the site to https:// before sending the request and refuses to click through certificate errors.

So what do we need?

Enable mod_headers in Apache:

a2enmod headers

Add the HSTS header to the HTTPS VirtualHost:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

max-age sets the policy lifetime in seconds (31536000 is one year) and includeSubDomains applies the policy to all subdomains as well (recommended, but only if every subdomain is reachable over HTTPS, otherwise those subdomains break). If you don't want it, just leave it out and close the quote after 31536000. Send the header only from the HTTPS VirtualHost: browsers ignore it when it arrives over plain HTTP, so it cannot be bootstrapped from the redirect.

Done.
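As an added example (written for this page, not part of the original post or FlokiNET's configuration), the following Python code evaluates a Strict-Transport-Security header the way a browser does under RFC 6797: the header is honoured only over HTTPS, max-age is mandatory, a directive given twice makes the whole header invalid, unknown directives are ignored, and max-age=0 clears a stored policy. The responses in SAMPLE_RESPONSES are constructed for illustration; the header produced by the Apache directive above is among them.

```python
"""Browser-side interpretation of Strict-Transport-Security (RFC 6797).

Added example for this page; not FlokiNET's code.  The responses in
SAMPLE_RESPONSES are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a header value.  Returns None where a browser would ignore the whole
    header: missing or non-numeric max-age, or any directive given twice."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        val = val.strip().strip('"')           # max-age="3600" (quoted) is allowed
        if name in seen:                       # repeated directive: whole header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:                        # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(scheme: str, headers: dict) -> str:
    """What a browser does with one response: enforce, clear, or ignore the policy."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "no policy"
    if scheme != "https":
        return "ignored: header received over plain HTTP"
    policy = parse_hsts(value)
    if policy is None:
        return "ignored: malformed header"
    if policy.max_age == 0:
        return "cleared: max-age=0 deletes the stored policy"
    scope = "host and subdomains" if policy.include_subdomains else "host only"
    warn = "" if policy.max_age >= ONE_YEAR else ", max-age shorter than one year"
    return f"enforced for {policy.max_age}s, {scope}{warn}"


# Constructed sample responses: (scheme the response arrived over, headers).
SAMPLE_RESPONSES = {
    "apache-directive": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "over-http": ("http", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "no-max-age": ("https", {"Strict-Transport-Security": "includeSubDomains"}),
    "duplicate": ("https", {"strict-transport-security": "max-age=300; max-age=31536000"}),
    "short": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "clear": ("https", {"Strict-Transport-Security": "max-age=0"}),
}


def check_samples() -> dict:
    """Evaluate every constructed response; returns label -> browser decision."""
    return {label: evaluate(scheme, hdrs) for label, (scheme, hdrs) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for label, result in check_samples().items():
        print(f"{label:18} {result}")
```

The "over-http" and "no-max-age" cases are the two mistakes seen most often in practice: the header is added to the port-80 VirtualHost that only redirects, or the directive is copied without its max-age.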

Secure your TLS with PFS

Much of the SSL in use today is broken. The reason: RC4 is broken, and RC4 is still what most SSL-enabled websites use. Check which cipher suite a site negotiates (in Firefox, click the padlock in the address bar and open the connection details) and you will see something like: RSA_RC4_128_SHA

That means RSA key exchange, RC4 with a 128-bit key for encryption and HMAC-SHA-1 for integrity. RC4 is broken, and an RSA key exchange means every session is encrypted under a secret that the server's long-term private key can unwrap.

But it gets worse. The NSA is currently building the biggest spy centre in the US to store any data it can get. Why? It may be true that you can't break the current ciphers now, but what about later, when the server's private key is stolen or leaked? With RSA key exchange every recorded session becomes readable at that point.

So what we need is a system that remains secure in the future: a recorded session must stay unreadable even if the server's private key is obtained later. Perfect Forward Secrecy (PFS) fulfils this requirement.

How does it work?

When two peers establish a TLS tunnel with PFS, the server (or both sides, with mutual authentication) is authenticated with the long-term certificate key, but the session key is not derived from that key. Instead, both sides generate a fresh, one-time Diffie-Hellman key pair (DHE, or ECDHE on an elliptic curve), exchange the public halves and compute the same shared secret; the server signs its share with the certificate key so the client knows whom it is agreeing with.

The session keys derived from that secret are then used to encrypt the rest of the conversation (session) and are deleted afterwards. The goal of the key exchange phase is to let the two parties agree on the keys securely, in other words to prevent anyone else from learning them. Because the ephemeral private values never leave the hosts and are discarded after the handshake, a later compromise of the certificate key lets an attacker impersonate the server from then on, but does not reveal the keys of sessions that were already recorded.
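To make the difference concrete, here is an added example (written for this page, not FlokiNET's code) that runs a finite-field Diffie-Hellman exchange over the 2048-bit MODP group from RFC 3526 and contrasts it with RSA key transport as used by RSA_RC4_128_SHA. Assumptions: the server's certificate private key is modelled as a 32-byte symmetric "long-term key", RSA encryption of the premaster secret is replaced by a toy SHA-256 stream cipher keyed with that key, and the certificate signature over the server's DH share is omitted. Real servers use ECDHE (X25519 or P-256) with AES-GCM or ChaCha20-Poly1305; the finite-field group is used here only because it needs nothing beyond the Python standard library.

```python
"""Ephemeral DH versus RSA key transport: what a recorded session gives an
attacker who later obtains the server's long-term key.

Added example for this page; not FlokiNET's code.  The "long-term key" and the
toy stream cipher are stand-ins for the certificate's RSA key and for a real
AEAD cipher."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NBYTES = 256  # big-endian encoding width for group elements


def dh_keypair():
    """Fresh ephemeral exponent x and public share g^x mod p (one per session)."""
    x = secrets.randbelow(1 << 256) | (1 << 255)  # 256-bit exponent suffices for a 2048-bit group
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret (g^b)^a = (g^a)^b; reject degenerate shares such as 0, 1 or p-1."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def derive_key(secret: bytes, transcript: bytes) -> bytes:
    """HKDF-extract style: bind the session key to the handshake transcript."""
    return hmac.new(transcript, secret, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); symmetric, so it encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def rsa_style_session(server_longterm: bytes, plaintext: bytes) -> dict:
    """RSA key exchange (as in RSA_RC4_128_SHA): the client chooses the premaster
    secret and sends it encrypted to the server's long-term key.  Everything in
    the returned record crosses the wire, so a passive eavesdropper can store it."""
    premaster = secrets.token_bytes(32)
    key = derive_key(premaster, b"rsa-kx")
    return {"enc_premaster": stream_xor(server_longterm, premaster),
            "ciphertext": stream_xor(key, plaintext)}


def dhe_session(plaintext: bytes) -> dict:
    """Ephemeral DH: both sides make a one-time key pair, exchange the public shares,
    derive the same key and discard the exponents.  In TLS the server also signs
    its share with the certificate key; that signature is omitted here."""
    a, A = dh_keypair()  # client
    b, B = dh_keypair()  # server
    transcript = A.to_bytes(NBYTES, "big") + B.to_bytes(NBYTES, "big")
    k_client = derive_key(dh_shared(a, B).to_bytes(NBYTES, "big"), transcript)
    k_server = derive_key(dh_shared(b, A).to_bytes(NBYTES, "big"), transcript)
    assert k_client == k_server
    record = {"A": A, "B": B, "ciphertext": stream_xor(k_client, plaintext)}
    del a, b, k_client, k_server  # ephemeral material is gone once the session ends
    return record


def replay_with_stolen_key(record: dict, stolen_longterm: bytes):
    """Months later the long-term key leaks.  What does the recorded session yield?"""
    if "enc_premaster" in record:
        premaster = stream_xor(stolen_longterm, record["enc_premaster"])
        return stream_xor(derive_key(premaster, b"rsa-kx"), record["ciphertext"])
    # DHE record: only g^a, g^b and ciphertext were captured.  The long-term key never
    # entered the key derivation; recovering g^ab means solving a 2048-bit discrete log.
    return None


if __name__ == "__main__":
    longterm = secrets.token_bytes(32)
    msg = b"GET /billing HTTP/1.1"
    print("RSA-kx session recovered:", replay_with_stolen_key(rsa_style_session(longterm, msg), longterm))
    print("DHE session recovered:   ", replay_with_stolen_key(dhe_session(msg), longterm))
```

The range check in dh_shared matters in real deployments too: a peer sending 0, 1 or p-1 as its share forces the shared secret into a tiny set of values, which is why TLS stacks validate received (EC)DH points before using them.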

How do we enable it?

First: use a sufficiently long certificate key. We recommend RSA 4096 bits. Keep in mind that this key only authenticates the server; forward secrecy comes from the ephemeral (EC)DHE exchange, not from the key length.

You should also make sure TLS 1.2 is enabled on your server (it is supported by every current Unix-like system with a recent OpenSSL).

Activate PFS

You will need Apache 2.4 or later; releases before the 2.3 development series do not support the ECDHE cipher suites used below.

Replace (or add, if not present) the following directives in your SSL module configuration file (most likely /etc/apache2/mods-enabled/ssl.conf):

SSLProtocol -all +TLSv1.2
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384

The cipher list contains only ECDHE suites, so every connection uses an ephemeral key exchange; clients that cannot do ECDHE or TLS 1.2 are refused rather than silently downgraded. SSLHonorCipherOrder on makes the server, not the client, pick the suite. The CHACHA20-POLY1305 suites need OpenSSL 1.1.0 or later; older OpenSSL builds simply ignore the names they do not know.

Update your Dovecot mail server accordingly:

ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
ssl_prefer_server_ciphers = yes

How does it look afterwards? Have a look at our billing system on SSL Labs.

***SPAM*** Ransom request: DDoS Attack!

Dear valued customer,

yesterday we received a blackmail email from the so-called "Armada Collective" (see the email at the end of this post).

They demand 20 BTC (around 8000 euro); otherwise our networks in Iceland and Finland will be hit by DDoS attacks.

To state it clearly:

We are not going to pay any money to these people, as blackmailers do not stop once they have been paid.

We immediately informed the Icelandic police, the FBI (because there are already other active cases about this group) and the local CERTs so that they are aware of it.

To avoid downtime for our customers we are putting protections in place, but we will have to see how they hold up against an attack of this size.

Our network in Romania is not affected, because our DDoS protection there can filter attacks of this size.

If an attack causes downtime of your product, please stay calm and wait a moment until our protections start to work.

Please be aware that during a DDoS attack the whole network at the affected location can be impacted.

We are working on preventing the worst case and will continue to do so if the attack starts. Please keep in mind that this kind of danegeld extortion is an attack on the freedom of the Internet, which we are fighting for.
To comply with the demand would mean giving up that fight!

We hope all of you stand behind this decision, as it can affect you as well as us.

We will post regular updates on our blog, on Twitter

@flokinetehf
and on our network status page:
https://www.billing.flokinet.com/serverstatus.php

———————-

from:

to: info@flokinet.is

Subject: ***SPAM*** Ransom request: DDoS Attack!

Ransom request: DDoS Attack!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

If you haven't heard of us, use Google. Recently, we have launched some of the largest DDoS attacks in history.
Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time)
And this: https://twitter.com/optucker/status/666501788607098880

We will start DDoS-ing your network if you don’t pay 20 Bitcoins @ XYZ(modified by us)

Right now we will start small 30 minutes UDP attack on your site IP: 185.100.84.14. It will not be hard, just to prove that we are for real Armada Collective. Check your logs.

If you don’t pay by Wednesday, massive attack will start on your networks in Finland and Iceland, price to stop will increase to 40 BTC and will go up 2 BTC for every hour of attack.

In addition, we will be contacting affected customers to explain why they are down and recommend them to move to OVH. We will do the same on social networks.

Our attacks are extremely powerful – sometimes over 1 Tbps per second.

Prevent it all with just 20 BTC @ XYZ(modified by us)

Do not reply, we will not read. Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!

And nobody will ever know you cooperated.


Armada Collective