These pages describe basic principles and good practices for securing web services, together with current security trends and issues that affect the sites hosted on our service.
News
An email scam that is more convincing than usual is currently circulating.
The email is disguised to look as if it had been sent from the recipient's own address. It claims that the recipient's email account has been hacked and that the attacker has gained access to the user's data, devices or similar. The message may also contain an old password of the user that was exposed when some other service was breached; this is meant to make the message more credible. The message then demands money in one form or another.
Passwords are not stored in a recoverable form on our servers, so they cannot be obtained through our services, not even by breaking into an email account or the main account.
Any email address can easily be forged as the sender of a message, so such a message does not by itself mean that the email account has been hacked. If the message contains an old password, make sure that none of the services you use still has that password enabled. Passwords should be changed regularly, and the same password should not be used for several different services. The actual origin of a message can only be determined by examining its header information in detail. If you forward the message to us with its full headers, we can check for you where it was really sent from.
All cases that have come to our attention have been pure scams; no email account or device had actually been hacked. Nevertheless, it is always worth changing your passwords regularly and checking the devices you use for malware.
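To show what examining the headers means in practice, here is an added example (illustrative code written for this page, not a tool from our service) that parses a constructed copy of the scam message described above and pulls out the Received chain, the first non-internal IP address and the mismatch between the forged From: address and the envelope sender. All host names and addresses in the sample are placeholders.

```python
"""Added example: reading the headers of a suspicious e-mail.

Illustrative code written for this page, not a tool provided by the hosting
service. The raw message below is constructed for the example; all host
names and addresses in it are placeholders.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample of the scam described above. From: is forged to look
# like the recipient's own address. The topmost Received: header was added
# by the recipient's mail server and is the only hop we can trust; the one
# below it was added by the sender and could itself be forged.
RAW_MESSAGE = b"""Return-Path: <bounce@bulk-sender.example>
Received: from bulk-sender.example (unknown [203.0.113.45])
\tby mail.hosting.example with ESMTP; Mon, 2 Dec 2024 08:15:02 +0000
Received: from webmail-01.internal (webmail-01.internal [10.20.0.5])
\tby bulk-sender.example with ESMTP; Mon, 2 Dec 2024 08:15:01 +0000
From: victim@recipient.example
To: victim@recipient.example
Subject: Your account has been hacked
Message-ID: <20241202081501.7F3A@bulk-sender.example>

I have your password and control of your devices. Pay now.
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 and loopback ranges. ipaddress.is_private would also flag the
# documentation ranges used in this sample, so the check is explicit here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_message(raw):
    """Parse a raw RFC 5322 message (bytes) into a Message object."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(msg):
    """Received: headers as (claimed host, IP) tuples, earliest hop first.
    Each relay prepends its own header, so the last one in the message is
    the first hop the message took."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())          # unfold the header
        m = RECEIVED_FROM.search(text)
        if not m:
            continue
        ip = IPV4.search(m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None))
    hops.reverse()
    return hops


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def originating_ip(msg):
    """First non-internal IP in the hop chain: the sender's public address,
    as far as the headers can tell (headers added by the sender may lie)."""
    for _, ip in received_hops(msg):
        if ip and not is_internal(ip):
            return ip
    return None


def _domain(addr_header):
    _, addr = parseaddr(addr_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_mismatches(msg):
    """Cheap signs that From: was forged: the envelope sender (Return-Path)
    and the Message-ID domain differ from the From: domain."""
    from_dom = _domain(str(msg.get("From", "")))
    findings = []
    rp_dom = _domain(str(msg.get("Return-Path", "")))
    if rp_dom and rp_dom != from_dom:
        findings.append("Return-Path domain %s differs from From domain %s" % (rp_dom, from_dom))
    mid_dom = _domain(str(msg.get("Message-ID", "")))
    if mid_dom and mid_dom != from_dom:
        findings.append("Message-ID domain %s differs from From domain %s" % (mid_dom, from_dom))
    return findings


if __name__ == "__main__":
    message = parse_message(RAW_MESSAGE)
    for host, ip in received_hops(message):
        print("hop: claims %s, address %s" % (host, ip))
    print("originating IP:", originating_ip(message))
    for f in header_mismatches(message):
        print("warning:", f)
```

Only the Received: header added by your own mail server can be trusted; the ones below it were written by the sender and can be forged as freely as From:. That is why forwarding the full headers, rather than just the visible sender address, is what makes the origin checkable.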
For more information, see:
Security
Cyber Security Centre
- Cybersecurity Weekly Review - 49/2024 5.12.2024
- Traficom's Cyber Security Centre participated in the NATO Cyber Coalition exercise organised by the Defence Forces 5.12.2024
- Cybersecurity Weekly Review - 48/2024 29.11.2024
- Digital skimming - tips to protect your online business 28.11.2024
- Revised regulation on the technical implementation and safety of emergency services 22.11.2024
WordPress security
- Secure Custom Fields 12.10.2024
- WP Engine Reprieve 27.9.2024
- WP Engine is banned from WordPress.org 25.9.2024
General security guidelines
Always keep web apps on your site up to date
New security vulnerabilities are found regularly in web applications such as WordPress, Joomla! and Drupal. Many of these vulnerabilities are exploited widely and automatically, so small sites get attacked too. Check for updates to your web applications at least monthly and install them as soon as possible. If a site will not be maintained for a long period for any reason, shut down the whole site or block access to it so that its web application cannot be attacked once it becomes outdated. Versions such as Joomla! 1.5 or WordPress 3.5, for example, are already badly outdated.
Use secure sign-in methods
Use two-factor authentication for important logins. Our dashboards support two-factor authentication and we recommend enabling it in the dashboard. File management is safest over SSH/SFTP using a passphrase-protected SSH key; you can add the SSH key in the dashboard. Log in to email only over an encrypted connection (SSL/TLS).
Update all service passwords regularly
Malicious actors can obtain the credentials used for a service, for example through malware. Compromised credentials are often not exploited immediately but are circulated among attackers some time after they were captured, so a password that is changed every month often prevents large-scale use of a captured one. In addition, always change all passwords for a service when there is reason to suspect that the computer on which the credentials were used has had malware on it. You can easily and securely generate new passwords at https://suncomet.fi/passwords/.
Check file and directory permissions
Files and directories should have as few permissions as possible. Permissions that commonly work are 755 (rwxr-xr-x) for directories and files; plain files such as PHP scripts, configuration files and uploads do not normally need the execute bit, so 644 (rw-r--r--) is a tighter choice for them. Even 777 (rwxrwxrwx) is not directly exploitable on our servers, because each account is confined to its own file system, but we still recommend the more restrictive permissions above. You can change permissions with the file manager in the dashboard, over FTP, or over SSH (chmod).
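As an added example (illustrative code written for this page, not the dashboard's file manager), the following script builds a throwaway copy of a site tree with deliberately loose permissions, lists everything that is writable by the group or by everyone, and resets directories to 755 and files to 644. The file names are a hypothetical WordPress layout.

```python
"""Added example: audit and tighten file permissions under a site root.

Illustrative code written for this page, not the dashboard's file manager.
It builds a throwaway directory tree with the kind of loose permissions a
careless installer or a 'chmod -R 777' leaves behind, reports everything
that is group- or world-writable, and resets directories to 755 and files
to 644.
"""
import os
import stat
import tempfile

DIR_MODE = 0o755    # rwxr-xr-x
FILE_MODE = 0o644   # rw-r--r--
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH   # writable by group or by anyone


def _entries(root):
    """Yield every directory and regular file under root, skipping symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):
                yield path, st


def audit_permissions(root):
    """Return (relative path, mode) for everything writable by group or others."""
    findings = []
    for path, st in _entries(root):
        if st.st_mode & LOOSE_BITS:
            findings.append((os.path.relpath(path, root), stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def fix_permissions(root, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """chmod directories to dir_mode and files to file_mode; return how many changed."""
    changed = 0
    for path, st in _entries(root):
        want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        if stat.S_IMODE(st.st_mode) != want:
            os.chmod(path, want)
            changed += 1
    return changed


def mode_of(root, rel):
    """Permission bits of root/rel as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)


def build_sample_site():
    """Constructed sample tree (a hypothetical WordPress docroot) with
    deliberately wrong permissions on three entries."""
    root = tempfile.mkdtemp(prefix="site-")   # created as 0o700
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    for rel, mode in (("wp-content", 0o755), ("wp-content/uploads", 0o777),
                      ("wp-content/uploads/photo.jpg", 0o644),
                      ("index.php", 0o777), ("wp-config.php", 0o666)):
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, mode in audit_permissions(site):
        print("loose: %s is %o" % (rel, mode))
    print("fixed %d entries" % fix_permissions(site))
    print("remaining:", audit_permissions(site))
```

To run it over a real docroot, replace the sample builder with the path to the site; over SSH the equivalent is chmod 755 on directories and chmod 644 on files. Anything the web application genuinely needs to write to (an uploads directory, a cache) can be reopened for the owner only afterwards.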
Remove unnecessary or unused accounts and web applications from the service
Unneeded, outdated and unused accounts and web applications are particularly vulnerable to attack. Passwords for throwaway test accounts, for example, are often easy to guess or are never changed, and test installations of web applications are often forgotten and never updated; even if they are not in use, attackers can find them quite easily.
Keep all computers that use service credentials up to date
The security of the computers on which service credentials are used must not be underestimated. Very often malware picked up from an email or a website manages to steal service credentials and send them to attackers. It is therefore important to keep the computer's operating system up to date and to use a reliable, comprehensive security application that helps protect the computer from malware.
Back up regularly and store the backups in multiple locations
Even though the provider takes backups of accounts, it is always worth taking your own separate backups and keeping them in different places. That way you are covered in unexpected and exceptional situations. We also offer a separate Additional Security add-on service in which a backup of the account is stored in several locations.
How does my account or site get hacked?
Internet-facing accounts and sites are constantly exposed to largely automated attacks, so their security must be looked after continuously and carefully. Although the servers block most attacks, an attack that uses valid account credentials or an unpatched feature of the site cannot always be prevented, because it mimics the normal operation of the account or site.
There is no way into an account or site other than through the account or site itself. Sites and accounts are isolated from each other at the server level and cannot access each other's files or directories regardless of permissions. Passwords are stored on the server as one-way hashes and cannot be recovered from the server; even the administrator cannot determine an account's password from it.
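The following added example (illustrative code written for this page, not our account system) shows what one-way storage means in practice for the point made here and in the news item above: the server keeps a salted scrypt hash, logging in recomputes the hash and compares it, and nothing on the server can turn the record back into the password. It also shows the only honest answer to "is the old password quoted in the scam mail still in use somewhere", which is to check it against each stored record rather than to look the password up. The record format and the scrypt parameters are assumptions chosen for the example.

```python
"""Added example: storing passwords so that they cannot be recovered.

Illustrative code written for this page, not the provider's account
system. The record format ("$scrypt$N$r$p$salt$hash") and the scrypt
parameters are assumptions chosen for the example.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: memory-hard, so offline guessing of a stolen
# record is expensive. N=2**14 with r=8 uses about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; a fresh random salt per password,
    so two users with the same password get different records."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(key))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time. The server never needs, and never has, the password itself."""
    try:
        _, scheme, n, r, p, salt, key = record.split("$")
        if scheme != "scrypt":
            return False
        expected = base64.b64decode(key)
        got = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt),
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(got, expected)


def still_in_use(leaked_password: str, records: dict) -> list:
    """Given a password quoted in a scam mail and {service: record}, return the
    services where that password would still log in. This has to be done by
    verification, because the records themselves cannot be reversed."""
    return sorted(name for name, rec in records.items()
                  if verify_password(leaked_password, rec))


if __name__ == "__main__":
    stored = {"mail": hash_password("hunter2"),
              "dashboard": hash_password("correct horse battery staple")}
    for name, rec in stored.items():
        print(name, "->", rec)
    print("leaked 'hunter2' still works on:", still_in_use("hunter2", stored))
```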
An account or site is hacked in one of the following ways:
1. Account credentials are harvested from the user's devices.
Passwords are often stored by programs on the device in plain text or in an easily recoverable form. The user's devices should be scanned for viruses and malware.
2. Account credentials have been obtained through a third-party service or by guessing.
Passwords should be complex enough and not easily predictable, and the same password should not be used in different services. If an insecure service stores passwords in plain text, a breach of that service hands the password to the attacker.
3. The account has been accessed through an outdated or insecure installation in the account.
New security vulnerabilities are found regularly in web applications such as WordPress, Joomla! and Drupal. Installations should always be kept up to date, or removed if unused. Add-ons can also contain malware that gives access to a site or account. It is also possible that a script is insecure by design, in which case updating it does not make it safe. Use only well-known and popular scripts, add-ons and themes.
More than 99% of account and site compromises happen in the ways above. As a rule, the attacks are automated and carried out by malware. The most common purpose is to plant malware in the account that can then be used in further attacks; another common purpose is to use the account or site for sending spam.
Malware can sit in an account for long periods without any attempt to use it, and malicious code may not be detected by the system until it is actually used. Security systems are updated constantly, and new malicious code is regularly found after an update even though it was not detected earlier.