
Dealing With Hacks

At Canvas Host, we pride ourselves in operating as secure a network as we can. We work hard every day to provide a safe hosting environment, to help you run a successful website. In recent months, a few hacks have circulated around the Internet, and we thought this would be a good time to update you on the steps we have taken, and changes to our procedures we continually employ, to protect you and your data.

Patching Is Crucial

Every software vendor on the planet has at some point or another issued a patch for their code. Some providers and frameworks, like WordPress, are constantly releasing updates, not only for the core code base, but also for themes and plugins. While some of the updates roll out functionality improvements, many of the incremental releases patch vulnerabilities — weaknesses in the code that can be exploited — which have come to light through testing, or in some cases, pure chance.

Code updates are a good thing. They are necessary to ensure your website and hosting environment keep running quickly and securely. Update notices can be annoying, but they’re there for a good reason.

Alerts Are There For A Reason

If you subscribe to our WordPress hosting service line, you should receive regular alerts about vulnerabilities our own scanning systems have detected in your installations. It could be due to an outdated code base or old plugin, or we may have detected a suspicious file that is lying dormant in your website.

In our notifications, we try to address the precise file or set of files that are of concern. As a customer, it is your responsibility to clean up your website, have your webmaster/webmistress do it for you, or hire us to do it. If you don’t act on our warnings, and we later determine that your site has been compromised, we will most likely suspend the account until you have a chance to address and resolve the issue(s).

We understand how this may impact you, and even informing you of potential concerns may be alarming, but that’s the point. It’s our responsibility to protect our systems and network, so in turn we can protect you and all customers of our services.

That said, no system is foolproof. Inevitably, any system is going to have weaknesses. Sometimes, those weaknesses will be exploited.

Understanding The Impact Of Vulnerabilities

In January, we issued a statement about a previously unknown set of vulnerabilities we had been made aware of, known as Spectre and Meltdown, which potentially impacted every CPU on the planet, including those in our web servers. Hardware vendors worldwide scrambled to release patches for operating systems, including some that we use, to prevent the vulnerabilities from becoming a major issue. We applied those patches, and all was well.

In mid-April, we became aware of an update to an operating system technology we utilize called CloudLinux. CloudLinux provides a virtualized environment that functions in ways very similar to virtual private servers, in that we can allocate precise amounts of RAM and CPU processes to a given website. It’s a fantastic technology that can prevent server spikes and website outages.

The release was not flagged as an urgent patch. At that same time, we were diagnosing a mystery hack affecting a handful of websites hosted on one of our servers that use CloudLinux. From the release notes, we learned the patch corrected an issue related to those site hacks. We applied the patch as soon as we became aware of it, but unfortunately, the hack had already occurred. Though not considered a zero-day exploit, it is our belief that hackers immediately seized upon the vulnerability, before we and other providers had an opportunity to apply the patch. In the end, fewer than 40 websites were defaced, and we communicated directly with those customers throughout the process.

It could have been much, much worse. Take, for example, this release from Drupal about an extremely critical vulnerability that could lead to an entire server becoming compromised. We have been in communication with several Drupal developers whose own websites were hit by that vulnerability, and unfortunately, it impacted their entire server.

Responding To A Hack

When a hack happens, how a service provider responds is crucial. And yet, disclosure of a vulnerability is one of the greatest challenges in dealing with a hack. As a B Corporation, we champion transparency throughout our operations, including admitting errors or faults in our systems. At the same time, when we’re dealing with a potential security risk, we don’t want to broadcast it to the world. It’s not because we’re afraid of admitting fault; rather, we don’t want to draw more attention and risk to the situation than is necessary. We also don’t want to unnecessarily raise alarms for customers who were not affected.

Every situation is a learning opportunity, and a chance to improve a process. In the case of the CloudLinux hack, we identified a weakness in our Managed WordPress service line, and have implemented a change to how we manage backups for those websites. The change has dramatically improved the service’s utility, not to mention added security for those customers subscribed to it.

As part of the service, we make weekly backups of WordPress websites prior to applying patches and other updates. Historically, those backups were stored locally, within the customer’s hosting account. We have amended this process, and are now storing those backups at our secondary datacenter in Bend. Beyond protecting those backups from a potentially compromised hosting account, the data is also stored in an earthquake-proof hosting environment. This is one silver lining that has come out of a situation of concern.

How You Can Protect Your Website

Here are a few tips you can employ to protect your website against hacks:

  1. Patch, patch, and patch again! Keep your website updated.
  2. When we notify you of a vulnerability, act on it.
  3. If you’re managing your own website, look for announcements from the application’s project team.
  4. If you’re not sure how to patch or manage your website, ask us for help.
  5. Change your website and hosting account passwords frequently.
  6. If it’s been a while since you last patched your website, revisit step 1, or ask us to perform a free vulnerability scan of your website.

If ever you have questions or concerns about our hosting services, please ask us. We’re always open to your inquiries and suggestions. We recognize that no system is perfect, and it is our goal to learn from a situation, and from it create an even better service to you.

Thank you,

David Anderson


Meeting GDPR Compliance

Hello! I say this because it’s probably the only article you’ve read about GDPR compliance that will ever begin with “Hello!”

GDPR is a set of regulations that protect the personal contact information of all residents of the European Union, and it takes effect on May 25, 2018. It sets forth rules that companies worldwide must follow in how they process and store information about their EU-residing customers, up to and including how those customers’ personal data is to be destroyed on request. Failure to protect the data can be costly, albeit through international litigation. The basic point is, EU-based customers have rights over their personal information, and if you’re a company working with those customers, you need to pay attention, and now, or else.

That sounds a bit dire, but GDPR is here and real. It’s something we all need to talk about, and it’s not something to be feared. Believe it or not, it is to be celebrated and supported. It is a platform from which companies worldwide can learn many lessons from which to ensure their own customers’ personal data is protected, whether they reside within the EU or not.

Since the creation of Canvas Host in 2002, we have endeavored to protect the personal information of all of our customers. From day one, we have held in our minds the notion that each customer is like a member of our family. Each of you has entrusted us with your business and personal data. Since that point, we have always maintained a hard line that we will never sell your data, nor use your data in any way other than to provide the services for which you have contracted us.

In recent months, as GDPR’s launch has approached, our company has reflected on the many things we already do to protect your personal information, and steps we take to further protect your hosting account’s data backups. We’ve taken pride in a strict Privacy Policy, and we have amended it to signify our compliance with GDPR.

As a B Corporation, we go to the ends of the Earth to be an ethical host amidst a sea of swirling uncertainty.

We’ve also resisted the tide towards “all things cloud”, and to this day host 100% of our data within our network and direct control. We do operate a secondary data center space in Bend, Oregon, for the sole purpose of storing and serving data for select customers.

What does that mean towards GDPR?

As a Data Controller and Data Processor, we have a legal basis to store and manage your personal contact information. In layman’s terms, because you are a customer, we need to store your name, email address, credit card number, IP address, and so forth, because that is all part of how we are able to provide service to your hosting account, authenticate you as a paying customer in your hosting account and the Support area, and tell you apart from a random hacker.

It is true that in the “Latest Patch” emails we send to customers, there are links we provide for services and special deals we are running. At the same time, that is solely driven by us. We have not, nor will ever sell or provide your personal contact information to a third party, unless forced by a court order. We treat the protection of your personal contact information extremely seriously.

Because of the global reach of GDPR, we have decided to apply its restrictions to all customers residing outside of the United States. And, if you are a resident of the United States, we will honor your request that we abide by GDPR’s same requirements.

If you are a resident of the EU, we have already unsubscribed you from our Latest Patch newsletter. If you wish to re-subscribe to it, you may do so at this link:

Latest Patch Newsletter Signup Form

If you have any concerns whatsoever about the protection of your personal data, please email sales@canvashost.com and let us know. We are here, we are listening, and we want only to serve your needs as best we can.

Additionally, if you are an EU resident, and you are concerned about your own website visitors’ activities on the site you host with us, please contact us if you need a contract (composed in English) noting how Canvas Host acts to protect your website and its visitors. We understand this is a complex component of GDPR, and are still working to understand the full scope of how it may impact our customers in various countries.

Finally, I want to state this to every single customer: one of GDPR’s requirements is that a company elect a Data Protection Officer (DPO), who regularly reviews the company’s policies to ensure it is meeting compliance, and corrects any lapses in those spaces. Canvas Host is a relatively small team, but I have elected to take on that role. As the company’s founder, and now as the DPO, I want to personally communicate to you my intent, as I have since 2002, that this company is here because of you; we are here to serve you; and we will never sell your data, nor intentionally compromise your privacy.

Canvas Host is the only certified B Corporation web host in the world. GDPR is but a formal set of policies that we have already upheld for many years, and we are here to learn from it. We are not a perfect business; we are a human business; and together, you have our commitment that we will work to improve what we do, and how we do it.

Thank you,

David Anderson, Founder and Co-Owner


To B or not to B: Transparency in Business

Transparency in business is like a two-way sheet of glass, with you on one side, and the world on the other.

It shows others a clear window into who you are, the ethics you uphold, and the reasons behind your business decisions. Transparency allows others to see the real you. It serves to affirm your authenticity, and provides accountability through your actions.

In the absence of transparency, a business owner essentially operates from behind a one-way mirror. Your view of the other side might be blinded by the avarice, ego, and prejudice reflected back on you. The rest of the world can still see you from the other side, but you’ve blinded yourself from seeing them.

I’ve encountered businesses over the years that would like to believe they are transparent, but are not: business owners who seem unable to accept any responsibility for their actions, who cast blame on former employees, and who think they can do no wrong. What these companies don’t realize is that “the fish rots from the head”. Accountability and responsibility both begin, and end, with those actually running the business.

We have entered an age of “purpose washing”, or as I like to say, “B washing”, in which companies project a much more socially responsible image of themselves than truly exists. I am continually reminded of the need for transparency in business. No longer is it enough to take a company at its word. We must look at the actions of a company, how it treats its staff and whether it truly upholds the community, to understand the real ethics at work.

This is why I’m so strongly supportive of the B Corporation certification and movement. I strongly believe it to be the absolute highest standard of certification for socially responsible businesses. It cannot be subverted by the whim of the business owner. It is a window of transparency at a time when it is needed most.

When you hire a B Corporation, you can trust in that certification, and further, that its team, from ownership to management to staff, are united by a vision of driving business as a force for good.

To B, or not to B? That is the question you should ask the companies engaging you.


Spectre and Meltdown CPU Vulnerabilities: What are they?

This week, we learned that billions of the microprocessors (CPUs) in existence today contain a flaw that could allow data and instructions to be monitored by an outside listener, as they are being processed. Affected CPUs are found in hardware devices ranging from smart phones, to PCs, to cloud infrastructures the size of a datacenter. The vulnerabilities are called Spectre and Meltdown, due to how each interacts with the CPU.

In plain English, for affected devices, a programmer (an attacker) could write a program that eavesdrops on a device as it processes data. Once uploaded to a device, it could listen in on the data and transmit it back to the attacker.

Unlike malware, which typically is unknowingly installed during an active user’s session, the Spectre and Meltdown vulnerabilities occur separate from the active user’s session, literally sampling and listening in on the data outside of the virtual programming space. Compare it to wiretapping, but at the bridge point between a CPU’s hardware and how it manages instructions.

The vulnerabilities take place in a way that would never be visible to the data owner or any portion of the programming space handling the data. Because the vulnerabilities exist at the hardware level, operating systems, which run firewall, security, and anti-virus services, would have no ability to prevent such intrusions.

If loaded onto your smartphone, consider that emails, messages, photographs — pretty much all of the data on your device — could theoretically be monitored without you or your phone’s operating system having any clue it was occurring. Now imagine it on a larger scale, such as with a cloud hosting service. With these vulnerabilities, customer data could be obtained, passwords and credit card information copied, and entire social media accounts compromised, all without a hint of anything awry. That’s what is so alarming.

And that leads me to a point regarding our stance on cloud hosting. Cloud has its use, but unless you’re looking at uncontrollable scalability concerns, in our opinion, the risks outweigh benefits. Since its advent, cloud hosting has concerned us due to the level of integration and reliance that both data and hardware share with one another. Your business might be located in Oregon, but your data could also be stored in New York, or Sweden, or Thailand, or all four places, wherever the cloud determined your data should be stored. And, your data neighbors in each of those places could be up to no good. Should there be a lapse in security, as with Spectre and Meltdown, the keys to the entire kingdom could effectively be handed over, all of your data obtained, and no way to know of or prove it.

And now, those concerns are a reality. Cloud computing takes advantage of pooled computer resources that are shared between users (tenants). With these vulnerabilities, one of those tenants could be an attacker, and simply implement their programs throughout cloud platforms, each snooping on countless other customers’ data. In several industry articles we’ve read, cloud hosting has been noted as the platform of greatest concern.

As a customer of Canvas Host, what we want you to know is that while we are concerned about the potential impacts of these vulnerabilities, at this time we are confident your data is safe. None of your data is hosted in a cloud environment, and we carefully vet all customers in our network. Though we cannot guarantee your data is entirely safe from these vulnerabilities, through our business operations we have already taken many steps to protect you.

Patches for the vulnerability are already being finalized and released for most active operating systems. It has been noted that at least initially, the patches may cause as much as a 30% slow-down in CPU performance. This could considerably impact all data processing services, including hosting provider platforms like those we use.

We are actively monitoring our software vendors’ communications and are awaiting release of the patches. We will thoroughly test them before rolling them out to all of our hosting platforms, and will communicate directly with all of our dedicated customers to arrange for times when the patches can be rolled out to those systems, as well.
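Once the operating system patches are applied, an administrator still wants to confirm the kernel actually reports the Spectre and Meltdown mitigations as active. The following is an added example, not Canvas Host’s own tooling: it reads the per-vulnerability status lines that Linux exposes under /sys/devices/system/cpu/vulnerabilities (present on patched kernels) and flags anything still reported as vulnerable or not reported at all. The sample lines are constructed in the kernel’s format for offline use; the function names are this example’s own.

```python
"""Report Spectre/Meltdown mitigation status from the Linux kernel's sysfs interface.

Added example (not Canvas Host code). Patched Linux kernels expose one file per
issue under /sys/devices/system/cpu/vulnerabilities, each holding a single line
such as "Mitigation: PTI", "Vulnerable" or "Not affected".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Kernel file names for the issues discussed in the post.
TRACKED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status_line: str) -> str:
    """Map one kernel status line to a coarse verdict."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    # Empty or unrecognised text: the kernel gave us nothing we can trust.
    return "unknown"


def assess(report: dict) -> dict:
    """report maps vulnerability name -> raw sysfs line; returns name -> verdict."""
    return {name: classify(report.get(name, "")) for name in TRACKED}


def unpatched(report: dict) -> list:
    """Names that still need attention: vulnerable, or not reported by the kernel."""
    return [n for n, v in assess(report).items() if v in ("vulnerable", "unknown")]


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the live report; empty dict when the kernel predates the interface."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in directory.iterdir() if p.is_file()}


# Constructed sample lines in the kernel's format (not captured from a real host).
SAMPLE_BEFORE = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable",
}
SAMPLE_AFTER = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
}

if __name__ == "__main__":
    live = read_sysfs()
    report = live if live else SAMPLE_AFTER  # fall back to the sample when not on Linux
    for name, verdict in assess(report).items():
        print(f"{name:12} {verdict:13} {report.get(name, '<not reported>')}")
    if unpatched(report):
        print("ACTION NEEDED:", ", ".join(unpatched(report)))
```

A kernel that has no vulnerabilities directory at all is reported as needing attention rather than assumed safe, since it predates the fixes that added the interface.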

If you have any questions or concerns, please contact us and we’ll be happy to address them as best we can.

Thank you,

David Anderson, Owner

Sources:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://meltdownattack.com/#faq-why-spectre

Spectre and Meltdown logo credits:

Natascha Eibl, Graz University of Technology


Celebrating Four Years as an Oregon Benefit Company

Wow! It’s been four years since we became an Oregon Benefit Company!

On January 2, 2014, we joined 28 other businesses to kick off a brand new Oregon business program. In the years since, it has grown into a statewide movement of more than 1,800 companies united through a common goal of using business as a force for good. (Read about the inaugural signing: Canvas Host: An Oregon Benefit Company)

Signed into law on June 18, 2013, House Bill 2296 enabled Oregon businesses to incorporate social causes into their operating by-laws. We were already a B Corporation, which implements similar corporate by-laws, but Oregon’s implementation of the benefit company structure brought us legal protection and precedence to operate on the triple bottom line.

Over the years, we’ve continued our mandate to uphold a higher level of ethics, transparency, and honesty throughout our business operations. From how we care for our customers, to how we provide meaningful services without the up-sell, to how we’ve improved employees’ lives with benefits most companies our size only dream of, Canvas Host is walking the talk.

What does the term, “benefit company” mean to you? It looks something like this: When you connect with us, we listen to you, and we break down the complicated technical stuff into plain English. We provide you the tools you need, and help you make the most of them. We’re here to help you succeed, period.

Our annual benefit report details the programs we’ve implemented and are actively working on. One of them is the creation of a statewide directory featuring Oregon benefit companies. Our objective is to help unify the community and enhance its capacity to effect positive change throughout the State.

We welcome your input as we enter 2018, and look forward to connecting with you and earning your trust.

Thank you,

David Anderson, Owner