Cyber Security

Two PHP Versions Are Being Terminated, Putting Millions of Websites at Risk

In December 2018, PHP 7.0 and 5.6 are reaching the end of their lifecycles. Find out what PHP is and why it is so important to upgrade it.

Even though you might not have heard of PHP, you probably have seen it in action. Websites use this coding language to dynamically generate web pages, retrieve the data people enter into web forms, and perform numerous other tasks. Almost 80% of websites use PHP because it is quick, works well on sites of any size, and is open source. However, most of these websites are using versions that will soon become a security liability.

In December 2018, two PHP versions are reaching the end of their lifecycles, which means security updates will no longer be issued for them. Here are the dates to remember:

  • On December 3, PHP 7.0 is being terminated.
  • On December 31, PHP 5.6 is reaching the end of its lifecycle. The security support for this version was extended an extra year due to its popularity. More than 40% of websites use PHP 5.6. There are currently around 200 million active websites, so about 80 million of them are using PHP 5.6.

Note that PHP went directly from version 5.6 to version 7.0. There was never an official release of PHP 6.

Why It Is Important to Upgrade

WordPress, Joomla, Drupal, and other content management systems (CMSs) use PHP, so your business’s website might be using PHP without you realizing it. If your site is using PHP 5.6 or 7.0, you should upgrade it to a more recent version as soon as possible. At the time of this writing, PHP 7.2 is the most current version, with PHP 7.3 scheduled for release sometime in December 2018.

Upgrading is important. If your website is using PHP 5.6 or 7.0, it will be more vulnerable to new attack vectors because security updates will no longer be issued for these PHP versions. To make matters worse, hackers often keep track of when versions of popular technologies like PHP reach the end of their lifecycles. Once that day arrives, they intentionally launch new attacks that target the unsupported technology.

Besides being more secure, your website will also be faster if you upgrade, thanks to performance enhancements in the newer versions. For example, PHP 7.2 runs 20% faster than version 7.0 and 260% faster than PHP 5.6, according to Phoronix.

What to Do

Upgrading to a newer version of PHP is not always an easy task, which could explain why so many websites are using older versions. There are several reasons why an upgrade might be complex.

For starters, PHP is a server-side coding language, which means it runs at the server level. So, you need to make sure your hosting provider or your web server is running the PHP version you want to use. If you have a hosting provider and it does not support the desired PHP version, you will need to ask them to do so. If they refuse, you might consider switching to a provider that does offer it. If you have a web server and it is not running the desired PHP version, the PHP software will need to be updated.

You also need to make sure that your website’s software is compatible with the desired PHP version. This includes not only the CMS software but also other programs, such as plugins, themes, extensions, and templates. Any noncompatible software will need to be upgraded. If the software developer does not support the PHP version you want to use, you will need to ask them to update the software or switch to a program that does support it.

Finally, while configuring a website to use the desired PHP version is just a matter of selecting it in the appropriate spot in the site’s settings, the site needs to be thoroughly tested afterward to make sure it runs smoothly. It is essential to have a backup of the site before the upgrade in case significant problems are encountered during or after the update.
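As an added example (not code from the article), here is a small PHP script you can run on your server or hosting account to report whether the PHP version it runs is past the end-of-life dates listed above; the file name eol_check.php and the treatment of branches the article gives no date for are assumptions.

```php
<?php
// Added example, not part of the article: report whether the PHP version this
// server runs is past the end-of-life dates listed in the article. Run it with
// `php eol_check.php` on the server, or upload it and open it in a browser.
// It deliberately avoids PHP 7 type declarations so it also runs on PHP 5.6.

// End-of-life dates taken from the article. Later branches (7.1, 7.2, 7.3)
// have no date in the article, so they are treated as still supported here
// (an assumption, not a statement about their real support schedule).
const EOL_DATES = array(
    '5.6' => '2018-12-31',
    '7.0' => '2018-12-03',
);

// Reduce a full version string such as "7.2.11" or "7.3.0RC5" to its branch "7.2".
function phpBranch($version)
{
    if (!preg_match('/^(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("Unrecognised PHP version: $version");
    }
    return $m[1] . '.' . $m[2];
}

// Return a one-line verdict for $version as of $today (ISO date, YYYY-MM-DD).
function eolStatus($version, $today)
{
    $branch = phpBranch($version);

    // Every 5.x branch before 5.6 lost security support before 5.6 did.
    if (version_compare($branch, '5.6', '<')) {
        return "PHP $version is unsupported (branch $branch predates 5.6); upgrade now.";
    }
    if (!isset(EOL_DATES[$branch])) {
        return "PHP $version: no end-of-life date listed for branch $branch; treated as supported.";
    }
    $eol = EOL_DATES[$branch];
    // ISO dates sort correctly as plain strings, so a string compare is enough.
    if ($today >= $eol) {
        return "PHP $version is UNSUPPORTED: security updates stopped on $eol; upgrade now.";
    }
    return "PHP $version is supported until $eol; plan the upgrade before then.";
}

echo eolStatus(PHP_VERSION, date('Y-m-d')), PHP_EOL;
```

If the script reports an unsupported branch, that is the version your hosting provider or web server must change before the CMS, plugins, and themes are checked for compatibility.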

Don’t Let Your Business’s Website Become an Easy Target for Hackers

Upgrading to a newer PHP version can be a lot of work, but we can handle the hassle for you. That way, your website won’t become an easy target for hackers.

Are Your Employees a Security Liability or a Security Asset?

While many companies realize they should provide IT security training, they often do not know where to begin. If your business is one of them, here are some suggestions to get you started.

The actions of careless and uninformed employees are a leading cause of serious IT security breaches, second only to malware attacks, according to a study by Kaspersky Lab and B2B International. Even when a security incident is caused by malware, employees’ actions are often a contributing factor.

These study findings point to the need for IT security training. This training can mean the difference between employees being a security liability or a security asset. While many businesses know they should be training their employees, they often do not know how often to provide the training, what to cover, and how to make it effective.

How Often

When it comes to IT security training, taking a “one and done” approach is not advisable. Instead, companies need to provide ongoing training because cybercriminals are constantly changing their tactics and devising new cyberthreats. The organization that oversees the United States’ Health Insurance Portability and Accountability Act (HIPAA) recommends monthly security updates in addition to bi-annual training. Yet, only a quarter of employees receive cybersecurity training at least once a month, according to a Finn Partners survey.

Although there are expenses associated with providing ongoing training, the costs incurred from a serious IT security incident would be much higher. In 2017 alone, phishing and business email compromise (BEC) scams set US companies back $705 million.

What to Include

Your training program should be tailored to meet your company’s needs. It should cover the specific types of IT security risks that your employees might face on the job. The program also needs to address the security requirements employees are expected to meet. This is particularly important if your business must comply with any industry or government regulations such as HIPAA or the European Union’s General Data Protection Regulation (GDPR).

Topics commonly covered in IT security training include:

  • The need for strong, unique passwords and how to create them
  • The different types of malware (e.g., ransomware, spyware) and how they are spread
  • Email security, including how to spot phishing emails and BEC scams
  • What employees should do if they receive a suspicious email or encounter another type of IT security problem
  • How to safely use the Internet
  • Social engineering threats
  • How to use mobile devices securely
  • Physical IT security measures being used
  • Your company’s IT security policies

All employees — including managers and executives — should receive basic security training. Some employees might need additional instruction that is specific to their particular jobs.

How to Make the Training More Effective

The IT security training will be pointless if your employees do not remember any of it. Fortunately, there are several ways to help make your IT security training more memorable and effective. For starters, you should hold short training sessions rather than marathon meetings. Bombarding employees with information for many hours will result in information overload, which means they will likely forget most of it. Providing ongoing training in small chunks is a more effective way to get employees to retain information. Plus, it will be easier for them to fit shorter training sessions into their work schedules.

Including hands-on activities in the training sessions will also help employees remember the information presented. For example, in addition to discussing how to spot phishing scams, you could place the employees into small groups, give them copies of emails, and have them pick out the ones they think are phishing scams.

Another way to increase the effectiveness of your training is to make the information relevant to employees on a personal level. For example, a good way to get employees interested in how to use company-owned mobile devices securely is to start by discussing how they can protect their personal smartphones (e.g., only use hotspots known to be safe and reliable). Once they learn good security habits in their personal lives, they will be more likely to practice them at work.

Finally, after employees have completed their training on a particular topic, you might consider testing what they have learned. For instance, after covering how to spot phishing emails, you could send out a fake phishing email with a suspicious link. If clicked, the link could lead to a safe web page that states the phishing email was an IT security training exercise. This type of testing can reinforce what employees have learned. It can also help determine the effectiveness of the training.

It is important to follow up with employees after the test, especially with the individuals who clicked the suspicious link. However, you should never embarrass or scold these employees during this discussion. Instead, you should offer them additional training and resources.

Your Employees Are an Important Part of Your Line of Defense

Educating employees about IT security is important. With training, they can bolster your line of defense against cyberattacks rather than be a weak link in it. To make this happen, you need to develop an effective IT training program that will teach your employees what they need to know to help keep your business secure. If you are uncertain of what to include, contact us. We can suggest topics based on your business’s IT environment.

Thousands of WordPress Websites Hijacked

Cybercriminals hijacked thousands of WordPress websites in September 2018. Learn how hackers carried out these attacks and what you can do to protect your business’s website.

Hackers hijacked thousands of websites in September 2018 and installed malicious code in them. All the sites were using the WordPress content management system. WordPress sites are a popular target for cybercriminals because they are so common.

The September Attacks

The security researchers who discovered the barrage of attacks in September believe that the cybercriminals accessed the sites through outdated WordPress plugins and themes. Once the hackers gained access, they modified the sites’ code for malicious purposes. For example, in some cases, the code sent site visitors to tech support scam pages. The cybercriminals also planted backdoors in the sites so they could easily access them in the future.

Don’t Become the Next Victim

Many small and midsized businesses use WordPress because it is free yet full-featured. If your business is one of them, you need to protect your WordPress site. A good place to start is to:

  • Keep the number of plugins and themes to a minimum. Each plugin and theme you use increases your site’s attack surface, so only use the ones your site needs.
  • Keep your site’s plugins and themes updated. It is important to install any updates released for your site’s plugins and themes. Besides providing new and improved features, the updates often patch any recently discovered security vulnerabilities. Outdated plugins and themes can give hackers the opening they need to access your site.
  • Update the WordPress CMS software. Although the hackers exploited outdated plugins and themes in the September 2018 attacks, they sometimes exploit vulnerabilities in the core WordPress software instead. Thus, you need to keep the core software updated.
  • Make sure your hosting service is doing its part. Your hosting service needs to keep its security measures up-to-date and regularly update its infrastructure. Failure to do so will leave your site vulnerable to cyberattacks.

There are also other measures you can take. For example, if visitors log in to any part of your WordPress site, you should implement a password policy or possibly use a two-step authentication system. We can evaluate your site and devise a customized plan to protect it from hackers.

Why Using Gmail’s Confidential Mode Is Not a Good Idea for Businesses

As part of Gmail’s redesign in 2018, Google introduced the Confidential Mode to protect sensitive information sent by email. Learn how it works and why you should avoid using it in your business.

As part of Gmail’s redesign in 2018, Google introduced the Confidential Mode to protect sensitive information sent by email. However, the Electronic Frontier Foundation (EFF), an international nonprofit digital rights group, notes that calling this new mode “confidential” is misleading as it lacks the privacy features needed to be considered a reliable and secure communications option for most users.

To understand the potential problems with Gmail’s Confidential Mode, you first need to understand how it works.

How the Confidential Mode Works

Gmail’s Confidential Mode is designed to protect sensitive information by:

  • Allowing you to set an expiration date for an email, thereby limiting the amount of time the recipient has to view it
  • Allowing you to immediately revoke access to an email you already sent, regardless of its expiration date
  • Preventing the email’s recipient from forwarding, copying, printing or downloading the email’s contents
  • Requiring the recipient to enter a one-time passcode to view the email (this is optional)

The Confidential Mode is possible because Google stores the email’s message (the body of the email) and any attachments on its servers, creating a link to the stored information. It then sends the email’s subject line and link to the recipient using a standard email protocol (Simple Mail Transfer Protocol, or SMTP).

What the recipient sees depends on the email address to which the message was sent. If the email is sent to a Gmail address, the message and attachments will automatically render. The email will appear like any other, except it will include a note like that shown in Figure 1.

If the email is sent to a non-Gmail address, the recipient will be sent the link, which they can click to access the message, as Figure 2 shows.

The Potential Problems

Some security experts warn that emails sent using the Confidential Mode might be neither private nor secure. One of the EFF’s main concerns is that Google can read the confidential emails people send because end-to-end encryption is not used. In addition, the EFF is concerned that Google has the technical capability to store these emails indefinitely, regardless of their expiration date. Google is not sharing any information about how long they are keeping them. “We’re not able to comment on internal procedures,” stated one Google official.

Online copies of expired confidential emails might also exist in a different location: in the “Sent” folders of the people who emailed the messages. When a Gmail user sends a confidential email, the full email (including the body of the email and any attachments) remains in the person’s “Sent” folder until it is manually deleted.

Another concern with confidential emails is the ease with which the recipients can share the messages, despite the forward, download, and copy options being disabled in confidential emails. A recipient could simply take a screenshot or photo of the email’s message and share it with others. So, using the Confidential Mode to share proprietary or sensitive business data is not a good idea.

Furthermore, using the Confidential Mode might violate a company’s email retention policy. Failing to adhere to this policy could potentially put the business in harm’s way if it must comply with regulations such as the Sarbanes-Oxley Act (SOX) in the United States.

Finally, all businesses — even those that do not use the Confidential Mode — need to watch for phishing attacks that use spoofed confidential emails. The emails sent to non-Gmail addresses (like the one in Figure 2) would be ideal for spoofing since they tell recipients to click a link to view the confidential message.

Better Alternatives

Because of all the potential problems, you might want to avoid using Gmail’s Confidential Mode. There are more secure ways to share sensitive information with people outside your company, including:

  • Encryption
  • Using an email to let someone know the information is available and having that person log in to an access-controlled share on a company’s network or server

We can help you set up a secure system that will protect your business’s data.