Bash Shellshock Vulnerability

On September 24, 2014, information was released about a new vulnerability (CVE-2014-6721) in Bash (Unix shell), the default command processor for Linux and Mac OS X.

This vulnerability, known as Shellshock, could allow arbitrary code execution, letting an attacker bypass imposed environment restrictions. Certain services and applications allow remote, unauthenticated attackers to exploit this vulnerability by supplying crafted environment variables. As the Bash shell is the most commonly used shell today, the risk of impact from this vulnerability if left unchecked could be severe.

All of the Linux servers JetPack Technology Services maintains for internal use and for our managed hosting customers have been updated with the latest security updates meant to neutralize the Shellshock vulnerability. We exclusively use the CentOS distribution for our Linux servers, and the aforementioned updates were made available shortly after Shellshock was publicly disclosed. All of our Linux servers were patched immediately once these updates were released. There is no evidence that the Shellshock vulnerability was exploited on any of these servers.
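A local way to confirm the patch status the post describes, as an added example rather than code from the post or from Red Hat: this POSIX shell script runs the widely published one-line probe against the local bash binary (a constructed environment variable holding a function definition followed by trailing text) and reports whether bash is patched, vulnerable, or absent, adding the RPM package version on CentOS-style hosts so the result can be compared with the vendor advisory. The function names and the marker string are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a local self-test for the
# Shellshock function-import bug, using the widely published one-line probe.
# It runs only against the local bash binary and reports one of three states.

shellshock_check() {
    # Hosts without bash (e.g. Windows servers) have no exposure at all.
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # Constructed environment variable: a function definition followed by
    # trailing text. An unpatched bash executed the trailing text while
    # importing the function at startup; a patched bash ignores it.
    probe_out=$(env x='() { :;}; echo shellshock-marker' bash -c 'echo body' 2>/dev/null)

    case "$probe_out" in
        *shellshock-marker*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# Print the verdict together with the installed package version on RPM-based
# systems (CentOS), so it can be checked against the vendor's advisory.
shellshock_report() {
    verdict=$(shellshock_check) || true
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q bash 2>/dev/null || echo "bash package not found")
    else
        pkg="rpm not available"
    fi
    printf 'bash status: %s (%s)\n' "$verdict" "$pkg"
}

shellshock_report
```

The probe covers the original function-import issue only; the follow-up fixes that vendors shipped in the days after disclosure are best confirmed from the package changelog, which is why the report includes the package version rather than relying on the probe alone.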

None of our Windows servers have any variant of Bash installed, and have had no exposure to this vulnerability.

More detail about the Shellshock vulnerability can be found at this Red Hat Knowledgebase article and at a related FAQ page.

Posted in Company News

We’re Hiring: Project Managers, Web Developers

JetPack Enterprises has an immediate need for skilled, dedicated, and reliable individuals to fill project management and web development openings within our software development team. These positions have evolved to encompass a unique combination of technology-related disciplines, and a versatile skill set is required of those who successfully assume these roles. While we’re headquartered in Metro Phoenix, all of our employees and contractors work remotely, and relocation is not expected.

Software Development Project Manager

Responsibilities: Work with our clients to assess and document software development projects. Calculate accurate budget and timeline projections. Recruit and manage software developers, web designers, and graphic designers. Document and deliver specifications to software developers. Conduct and/or oversee quality assurance testing and code reviews. Effectively facilitate communication between JetPack Enterprises and our clients. Ensure timely milestone/project completion and quality of deliverables.

Experience/Skills: A minimum of three years of project management or software development experience is required. Familiarity with Agile software development methodologies (Scrum and/or Kanban). Previous web/desktop/mobile software development experience will be integral to quality assurance duties. Software testing and error documentation experience preferred.

Ruby on Rails Web Developer

Responsibilities: Assess and document web development project requirements. Work effectively with project managers, other software developers, web designers, and graphic designers, and — occasionally — our clients. Write and test Ruby, CoffeeScript, and JavaScript code. Create standards-compliant, cross-browser compatible markup and styles. Conduct quality assurance testing and code reviews. Ensure timely milestone/project completion and quality of deliverables.

Experience/Skills: A minimum of three years of web development experience is required. A firm understanding of agile software development practices (Scrum and/or Kanban). Demonstrable experience with Ruby, Rails, MySQL, data modeling, SQL, ActiveRecord, writing/consuming RESTful/SOAP web services, CoffeeScript, JavaScript, AJAX, HTML5, and CSS3. Familiarity with Git and GitHub.

Experience with the following is desirable (not required): Microsoft .NET software development (Visual Studio), PHP, Java, Objective C, Visual FoxPro, Microsoft SQL Server (administration, T-SQL, SSMS, SSRS), PostgreSQL, JIRA. We offer our team members above-average compensation packages, and high productivity is rewarded through our bonus structure. We expect our employees and contractors to work hard; we respect your free time and afford you plenty to do with as you see fit. We’re no-nonsense and ambitious, and we need individuals who will fit in. Ninjas, rock stars, and gurus need not apply. If you’re interested in working on diverse and challenging projects as part of a great team, please contact us for instructions to submit your application.

Posted in Company News

OpenSSL Heartbleed Vulnerability

On April 7, 2014, information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is key for maintaining privacy between servers and clients, and confirming that Internet servers are who they say they are.

This vulnerability, known as Heartbleed, could allow an attacker to steal the keys that protect communication, user passwords, even the system memory of a vulnerable server. This represents a major risk to large portions of private traffic on the Internet.

None of the Linux servers JetPack Technology Services maintains for internal use or for our managed hosting customers have ever had a vulnerable version (versions 1.0.1 – 1.0.1f) of OpenSSL installed. This is not due to any foresight or planning on our part, but instead is a function of coincidence. We exclusively use the CentOS distribution for our Linux servers, and none of the versions we’ve deployed (6.4 and older) ship with — or have been updated since deployment to — any of the vulnerable releases of OpenSSL.

None of our Windows servers rely upon OpenSSL for SSL/TLS encryption, so they have had no exposure to this vulnerability.

If you have an application or web site that relies upon OpenSSL, you can use a test provided by McAfee to determine whether the server hosting your resource is vulnerable to Heartbleed.
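Alongside a remote test, a server administrator can classify the local OpenSSL build against the vulnerable range the post gives (1.0.1 through 1.0.1f). The following POSIX shell script is an added example, not code from the post or from any vendor: it parses an `openssl version` banner, reports whether the version letter falls inside that range, and on RPM-based hosts prints the top of the package changelog, because distributions backport fixes without changing the upstream version letter. The function names and the sample banners are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify an "openssl version"
# banner against the vulnerable range stated in the post (1.0.1 through 1.0.1f).

# Print a verdict for one banner string; exit status 1 means "in the range",
# 2 means the banner could not be parsed as an OpenSSL version.
heartbleed_version_hint() {
    banner=$1
    # Pull out "1.0.1e" from e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')

    case "$ver" in
        "")
            echo "unparsed"
            return 2
            ;;
        1.0.1|1.0.1[a-f])
            echo "possibly-vulnerable ($ver)"
            return 1
            ;;
        *)
            echo "not-in-range ($ver)"
            return 0
            ;;
    esac
}

# Caveat: distributions backport fixes without bumping the upstream version
# letter, so a banner inside the range is a hint, not proof. On an RPM-based
# system the package changelog records which fixes are applied; this wrapper
# prints both the verdict and the most recent changelog entries.
heartbleed_local_check() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed"
        return 0
    fi
    heartbleed_version_hint "$(openssl version)" || true
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null | head -n 5
    fi
}

# Constructed sample banners exercising each branch of the classifier.
for sample in "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0-fips 29 Mar 2010" \
              "LibreSSL 2.2.7"; do
    heartbleed_version_hint "$sample" || true
done
```

Treat "possibly-vulnerable" as a prompt to read the changelog, not as a verdict: a backported package can carry the fix while still reporting a 1.0.1e banner, and only the vendor's package metadata settles it.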

More detail about the Heartbleed vulnerability can be found at http://heartbleed.com.

Posted in Company News

Technique to Intercept Internet Traffic Observed

Wired’s Kim Zetter reports that analysts at Renesys have observed evidence that earlier this year someone hijacked internet traffic headed to government agencies, corporate offices and other recipients, redirected it to Belarus and Iceland, and then sent it on to its legitimate destinations.

The vulnerability isn’t the result of a software flaw, but an abuse of how BGP (Border Gateway Protocol) is designed to work. The potential for abuse was demonstrated years ago:

In 2008, two security researchers at the DefCon hacker conference demonstrated a massive security vulnerability in the worldwide internet traffic-routing system — a vulnerability so severe that it could allow intelligence agencies, corporate spies or criminals to intercept massive amounts of data, or even tamper with it on the fly.

The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

While data interception and tampering are not the only threats posed by the vulnerability, they do represent the most acute issues. Keep in mind that your ISP — and other networks that transport your data — have always had this level of access without having to resort to any such exploit. Now that third parties have been observed hijacking internet traffic, the susceptibility of unencrypted transmissions comes into focus. If you’re a sysadmin, you have at least one method to protect your users: install some SSL certificates!

Wired: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

Posted in News

Hiatus

For the past year, we’ve loved having Digital JetPack as an outlet for delivering information about topics that our clients, partners and other loyal readers are interested in. With that said, we’re announcing today that Digital JetPack will not be updated for the next few months.

With summer fast approaching, we’re facing the reality that between new clients and staff vacations, our workloads are about to start getting a bit out of control.

We apologize to those who have grown accustomed to reading our posts on a regular basis for the recent stagnation and the hiatus we’ve just announced. Rest assured, Digital JetPack will be revived. We intend to return with interesting, relevant content from more diverse voices. Another objective will be the ability to post more frequently than ever.

While we’re retooling our blogging strategy, please consider continued engagement with Jet-Pack Studio on Twitter and/or Facebook. We sincerely hope that you’ll be ready and willing to offer us your time when we return to production. Thank you.

Update – 11/11/2011: We’ve added another way for you to interact with us. Jet-Pack Studio is now on Google+! Please add us to your circles, and be sure to keep an eye on your stream for an invitation to a hangout.

Posted in Company News