Sunday, 13 April 2014

What is Heartbleed?

Here is a link that should help explain what the Heartbleed bug is:
http://heartbleed.com/

Are my users affected?

Any service or website that is connected to the internet and uses SSL encryption is potentially vulnerable to the Heartbleed bug.

Did you fix the issue?

Yes, upon receiving the news that Heartbleed existed and a patch was made available, we immediately patched our services to remediate any potential vulnerability. We also re-issued our SSL certificates.

If it's been patched, then why should I change passwords?

While we applied the patch earlier this week, there is still a possibility that your password was previously exposed and extracted as it passed over the internet through the encrypted SSL tunnel. Again, we have no confirmed reports of suspicious activity or hijacked passwords, but in the spirit of security we strongly urge users to proactively update their passwords. We urge you to do your due diligence: change any online passwords you may have and confirm with your other providers (hosting, banking, social media, etc.) that their SSL implementations have been patched.

Will you force a password change?

Since we have no confirmed compromise and do not assume there was any with the Heartbleed bug, we are simply notifying our customers and strongly urging them to change their passwords.

Can you setup a policy to force users to change passwords on next login?

Unfortunately, we cannot provide this service at this time.

Is there a way to mass change passwords?

  1. Administrators can change passwords on individual mailboxes via the control panel at admin.thexyz.com.
  2. Email users can change their own passwords via the Webmail portal at webmail.thexyz.com.

How can I send a message to email all of my users?

You can send an email to everyone on your domain. To email everyone, log into the control panel, and perform the following steps:
  1. Mouse over the Go to section drop-down menu and select Domains.
  2. In the Tools section, click the Email Everyone link.
  3. If you have multiple domains, select the appropriate domain name. Or, to change domains at any time, click the change domain link.
  4. Click the Email Everyone link.
  5. Enter the following information in the spaces provided:
    • Sender's Name—Enter the first and last name of the sender.
    • Sender's Email Address—Enter the email address of the person sending the email.
    • Subject—Enter a subject for the email.
    • Message Body—Enter the message for your email.
  6. Click the Send button.

I have changed passwords for my users and now they are reporting various password issues. What happened?

  • Check to see if that mailbox is currently locked by looking in the Control Panel for that specific user mailbox.
  • Check what devices they're using to connect to their HEX mailbox: PC at work, iMac at home, work-issued iPhone, personal iPad, etc. Why? If their Exchange account is set up on any of these devices and they updated the password recently, they will need to update the password on all of those devices, because any one of them could be locking out the mailbox.
  • Unlock the mailbox through the Control Panel. Once it shows that it is no longer locked, have your user log into Outlook Web App (webmail.thexyz.com) to verify that they are, in fact, using the correct password.
  • Clear out remembered passwords. Particularly on Windows or Macs, we see issues with the Credential Manager (Windows) or Keychain Access (Mac) remembering the "old" password.
    • Once this is cleared out, have them open their email client again. Since you just had them clear the Credential Manager for this account, they should be prompted for the email address and password again.
    • Have them re-enter that information correctly. It would be safe for them to "remember" the password. This, in turn, will create a new entry in the credential manager.
Thursday, 10 April 2014

Every day the Thexyz support team deals with multiple requests from users who have forgotten their password. When we look back at our logs, we can see that password-related issues are the most common type of problem our users deal with. These support requests can be prevented by adopting a password policy. Whether you are a company or a single user, you need a system in place to ensure you remember your password. An IT network can be as secure as can be, but it can be weakened tremendously by a weak password.

A strong password is a minimum of 8 characters in length and includes uppercase and lowercase letters, numbers and special characters.

The recent password breaches at Apple, Yahoo, LinkedIn and last.fm show that most people use really simple passwords, and reuse the same password across sites.

Most popular passwords

  1. 123456
  2. password
  3. welcome
  4. ninja
  5. abc123
  6. 123456789
  7. 12345678
  8. sunshine
  9. princess
  10. qwerty

Top base words

  1. password
  2. welcome
  3. qwerty
  4. monkey
  5. jesus
  6. love
  7. money
  8. freedom
  9. ninja
  10. writer

  • It takes 10 minutes to crack a lowercase 6-character password
  • Adding 2 uppercase letters extends the time to crack the password to 6 years
  • If your password is 10 characters, with 4 uppercase, 1 number and a special
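
The policy above, as an added example (not Thexyz's own code): a checker that enforces the stated rule and also rejects the listed popular passwords and anything built on a listed base word. It goes one step beyond the text by undoing common character substitutions (0 for o, $ for s and so on) before the base-word check; that substitution table is an assumption.

```python
"""Password policy checker (added example, not Thexyz's own code).

Enforces the policy stated above: at least 8 characters with uppercase,
lowercase, a digit and a special character. It also rejects the listed
popular passwords and anything built on a listed base word, after undoing
common character substitutions (0 for o, $ for s and so on)."""
import re

MIN_LENGTH = 8

# Both lists are copied from the post above.
POPULAR_PASSWORDS = {"123456", "password", "welcome", "ninja", "abc123",
                     "123456789", "12345678", "sunshine", "princess", "qwerty"}
TOP_BASE_WORDS = {"password", "welcome", "qwerty", "monkey", "jesus",
                  "love", "money", "freedom", "ninja", "writer"}

# Assumed substitution table, undone before the base-word check so that
# "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "$": "s", "@": "a", "7": "t"})


def normalize(password):
    """Lowercase the password and undo the substitutions in LEET_MAP."""
    return password.lower().translate(LEET_MAP)


def check_password(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    norm = normalize(password)
    if password in POPULAR_PASSWORDS or norm in POPULAR_PASSWORDS:
        problems.append("one of the most popular passwords")
    for word in sorted(TOP_BASE_WORDS):
        if word in norm:
            problems.append("built on the common base word '%s'" % word)
            break
    return problems
```

Running `check_password("P@ssw0rd1")` reports the base word even though the string satisfies every character-class rule, which is the case a plain length-and-classes check misses.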

Varied password restrictions

There are no universal criteria for creating a password; websites impose restrictions such as:
  • Maximum 8 characters
  • Maximum 16 characters
  • Maximum 64 characters
  • No symbols or special characters
  • No “.” allowed
  • No “#,$,%” allowed
  • Cannot start with a number
Length is becoming less of a restriction these days, as I learned from a thread at Stack Overflow.

Now that we know what not to use, we can get started creating a secure password.


How To Create A Secure Password

Tips to keep in mind...
  • Change your passwords periodically
  • Do not use the same password for multiple sites

1. Pick a base word

This is a word that will be difficult to guess; it should not be password or qwerty or anything that can identify you. Some good random ideas could be:
  • school
  • panda
  • swiss
  • tequila

2. Vary your base word

Select your base word and make different variations to vary your password for different sites. For the purpose of this tutorial I have chosen the word “school” as my base word.

"school" can be varied to become the following:
  • school
  • Sch00l
  • $CH00l
  • sKH00l

3. Add additional words

Add another word or series of words to make your password unique for different sites.

Using my “school” base word, I am going to make different passwords for different sites, without making it easy for a hacker to guess any other password if they know one.

  • Email password: sCH00lbooks
  • Facebook password: scho0Lmates
  • Twitter password: scho0Lbird
  • Youtube password: scho0Lwatch
  • Bank password: $ch00Lnumblock
  • A low security version: Schooldays

4. Dealing with change

Some sites will periodically advise you to change your password. To keep your password practice consistent, you could adopt one of the following sequences:
  • Planets
  • Seasons
  • Moon phases
  • Current favorite video game
  • Year
Passwords would change like this (using low security version as example):
  • SchooldaysMars > SchooldaysVenus > SchooldaysMoon
  • SchooldaysWinter > SchooldaysSummer > SchooldaysFall
  • SchooldaysWaxingcresent > Schooldaysthirdquarter > Schooldayswaninggibbous
  • Schooldaystetris > Schooldaysangrybirds > Schooldaysdoom
  • Schooldays2011 > Schooldays2012 > Schooldays2013
If we were to apply this to our list it would look like:
  • Email password: sCH00lbooksMars
  • Facebook password: scho0LmatesWinter
  • Twitter password: scho0LbirdWaxingcresent
  • Youtube password: scho0Lwatchtetris
  • Bank password: $ch00Lnumblock2011
After a change it could look like:
  • Email password: sCH00lbooksVenus
  • Facebook password: scho0LmatesSummer
  • Twitter password: scho0Lbirdthirdquarter
  • Youtube password: scho0Lwatchdoom
  • Bank password: $ch00Lnumblock2012

A great tip for added security

Another great tip I learnt when working at other tech companies was that when they write down a password they add 3 random characters to the beginning or end of the password. When entering the password you disregard these additional characters. If someone were to see your secret password list, this would prevent them from knowing your internal policy for writing down passwords.
When writing your passwords down you could add 3 random characters to the end like so:
  • Email password: sCH00lbooksVenusRfd
  • Facebook password: scho0LmatesSummery4e
  • Twitter password: scho0Lbirdthirdquarterr32
  • Youtube password: scho0Lwatchdoom0po
  • Bank password: $ch00Lnumblock2012032
 
Password requirements for Thexyz Webmail users and Microsoft Exchange users.

If you have any other password tips for a secure password, please leave a comment below.
Wednesday, 9 April 2014
Upon learning of the recent Heartbleed issue, an update was made to the SSL certificate for our secure mail servers, so some customers may be prompted to accept the new certificate. Users should accept the new certificate, which should clear the pop-up.

At this time we have no reason to believe any sensitive user information was accessed due to the recent Heartbleed issue, however, out of an abundance of caution, we recommend that all users change their password as soon as possible.
Monday, 7 April 2014

Over the past few weeks our system administrators have detected an unusually high amount of traffic towards WordPress login pages.


We have analyzed the traffic and have come to the conclusion that it is part of a massive global brute-force attack against WordPress sites.


Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', they can be very successful when people use passwords like '123456' and usernames like 'admin.'

They are, in short, an attack on the weakest link in any website's security: You.

Due to the nature of these attacks, you may find your server's memory usage goes through the roof, causing performance problems. This is because the number of HTTP requests (that is, the number of times someone visits your site) is so high that servers run out of memory.

This sort of attack is not specific to WordPress; it happens with every web app out there, but WordPress is popular and thus a frequent target.
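
Detection logic for the traffic pattern described above, as an added example that is not part of the original post: it parses Apache combined-format access lines, counts POSTs to wp-login.php per client IP within a sliding 60-second window, and reports the clients that exceed a threshold. The log regex, the threshold and the sample lines are assumptions constructed here.

```python
"""Detect WordPress login brute-forcing in Apache access logs (added example, not part
of the original post). Flags client IPs that POST to /wp-login.php too often."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format. Regex, thresholds and sample lines are assumed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
THRESHOLD = 5   # login POSTs tolerated per window (assumed tuning value)
WINDOW = 60     # seconds

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def find_bruteforcers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: total login POSTs} for every IP that exceeds the threshold in one window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: one client hammering the login form, one normal login.
SAMPLE_LOG = [
    f'203.0.113.7 - - [07/Apr/2014:10:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"'
    for s in range(0, 42, 7)
] + [
    '198.51.100.4 - - [07/Apr/2014:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Apr/2014:10:16:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Feed it `open("/var/log/apache2/access.log")` to run it over a real log; the flagged dictionary is what you would hand to a firewall rule or the .htaccess deny list described below.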

As such we would like to offer you a few very simple tricks to protect your WordPress site:

Limit Access to wp-admin by IP


If you are the only person who needs to log in to your admin area and you have a fixed IP address, you can deny wp-admin access to everyone but yourself via an .htaccess file.

Create a file in a plain text editor called .htaccess or simply edit the existing one (if any) and add:

# Block access to wp-admin.
order deny,allow
allow from x.x.x.x
deny from all

Where x.x.x.x is your IP address. You can whitelist multiple IP addresses by adding an allow from x.x.x.x line for each one.

Password Protect /wp-admin folder


You can easily password protect your /wp-admin folder via your hosting control panel: Advanced -> Password Protection
1. Select your host i.e. the website where wordpress is installed.
2. Browse the path to the /wp-admin folder and select it.
3. Enter the username and password you want to use and hit PPA.

Update your robots.txt file


Add the following lines in your robots.txt file or create a file named robots.txt with the following content:

User-agent: *
Disallow: /wp-admin
Disallow: /wp-login.php
Disallow: /administrator

This will essentially block search engines from indexing those folders, since brute-force attackers generate lists of such URLs (intitle: Log In and inurl: wp-login) with the help of the major search engines. This method is more of a long-term prevention, as it will take a few months for the search engines to update this information, but it should resolve any brute-force attempts for good.

Our partners at TweakDorks also have an affordable WordPress security hardening service here.
Sunday, 6 April 2014

We asked our in-house developer Perry Toone a few questions about managing a website after we made a few minor changes to our website over the past few months.


Many of the changes were made to become fully compliant with Google's updated terms.


What was a key factor in the recent improvements?


I would say that the biggest area of improvement is speed. Many of the recent changes were made based on improving page load time.

How do you measure page load time?


It is as simple as visiting a website and measuring how many milliseconds it takes to load. There are a couple of useful tools I used to check which also break down all the elements of a page, which allows you to see what exactly is putting the greatest load on the server. Pingdom is one and Google has one too.

What did you do to reduce the page load time?


I reduced the size of all images and then compressed them. I then compiled all the CSS and JavaScript code into one file. This shaved off a couple of bytes which slightly improved the page load time. I then looked at which elements on the page were causing the highest load on the server, and took steps to either replace or remove them.

What was causing the highest load on the server?


Third party JavaScript was the biggest. This is hosted on another server which in turn ensures a slower page load time. We were using AddThis social connect buttons and the AddThis share widget. When I saw how much removing AddThis helped with reducing load time, I had to get rid of them.

What did you use instead of AddThis?


The AddThis social tools are really good; they are easy to set up and have a lot of customization functionality. The only negative thing about them is how many milliseconds they add to the page load time. I built custom social icons for the footer which removed reliance on JavaScript; as for the share buttons (found on the Thexyz forum), I used this lightweight option from Digital Point.

What if you have to use third party applications?


Displaying them in Ajax or an iframe is a good practice to help increase the page load time of these elements. Also, if the third party application goes down, it ensures your site load is not affected.

Do you have any other tips for reducing page load time?


Use CSS as much as possible. Buttons are a good example of this. Instead of using an image you can create some fancy looking buttons with CSS. I also posted a tutorial on this here.

Is improving the page load really that important?


Yes. Not only does Google now say that it does have an impact on how they rank websites, it also improves the user experience. Nobody wants to wait a few seconds for a website to load.

Friday, 4 April 2014

After three years of development Thexyz is retiring its cloud backup software in favor of an open source platform called OwnCloud. This allows us to offer our users more features and apps developed by a dedicated community. You can take a look at the additional apps supported here.


We will continue to offer a managed cloud backup hosting service, the only difference will be that the software will not be developed in-house.

If you are currently using the Thexyz Cloud legacy software, your application will simply stop backing up files. You are advised to contact support for a free upgrade to one of our new servers, or, if you no longer have a subscription, you can order a new one here. This ensures maximum compatibility, adds many new features and gives our small team more time to work on what we do best, which is supporting our email users.
Tuesday, 25 March 2014

Todo® Exchange Tasks

Quickly view your to-do lists in a beautifully-designed interface with this app that is fully compatible with Thexyz Premium Email using mobile sync.
