Author Archives: admin

CodeGuard Honored at Georgia CIO of the Year Awards

Twitter Facebook

On October 31st, CodeGuard was honored at the Georgia CIO of the Year Awards ceremony, in the “Emerging” category. Attended by over a thousand technology leaders in the state, the event is one of the largest gatherings of its kind. Excellence was recognized across five categories of company type and size: Non-profit, Emerging (under 250 employees), Corporate (up to 1,000 employees), Enterprise (up to 10,000 employees), and Global (over 10,000 employees).

George_Conrades_Akamai

George Conrades, the Chairman and former CEO of Akamai, gave the keynote. George has been a leader in the technology industry for over 50 years, and his career began 30 years ago at IBM, rising to a senior leadership role under the legendary John Akers. He then joined internet pioneer Bolt, Beranek & Newman as CEO and led their transformation from ARPANET into today’s internet. Over the last 15 years at Akamai, George has helped lead the transformation from premises to cloud computing.

CIO_Awards_Wide

The event was held at the Cobb Galleria and featured a balanced mix of programming, with videos of the finalists, award presentations, and longer videos of the winners. CodeGuard was honored to be one of four finalists in the Emerging category, and though we did not win, were thrilled to have made it to the last stage. Finalists for the CIO Awards are selected by a distinguished panel of CIO judges, including prior Award winners, based on their contributions in innovation, leadership, business value, and community involvement.

The event was organized by the Georgia CIO Leadership Association (GCLA), Georgia’s preeminent professional association for senior technology leaders. Founded in 2003, its membership is comprised exclusively of chief information officers or individuals in equivalent positions from public and private companies, government, education and non-profit organizations throughout the state. The GCLA is a 501(c)(6) professional association led by a CIO Advisory Board from organizations including: Georgia-Pacific, GE Energy, American Cancer Society, NCR Corporation, and The Coca-Cola Company.

CIO_Awards2

 

 

CodeGuard restore just got more powerful

Twitter Facebook
Many of our customers find themselves captivated with our Automatic Restore feature, and we don’t blame them! The ability to automatically restore your website back to any date in time with the click of a button is a powerful tool indeed. For some of our customers though, this tool is a little too powerful for their needs. That’s why we recognized the value in having multiple restore options available: Automatic Restore, Individual File Restore, Download Zip.
If you only wanted to restore one folder, out of the 40 folders in your website, our best recommendation to date was for you to download a zip file of the entire backup and restore that one directory manually via SFTP/FTP. Sounds quick and easy, right? Well our customers with larger websites helped us understand very quickly that downloading a 50 GB website was not an option for them!
We knew the time had come to upgrade our Download Zip restore. Today we are proud to announce an enhancement that dramatically improves this feature: Selective Download.

Selective Download

CodeGuard Download Zip Backup Restore
Now when you request a zip backup from your CodeGuard dashboard you are given the option to download the entire backup, or select specific files and folders to download into a zip file. For our customers who added their own websites to CodeGuard this interface will feel very familiar, and look  similar to our website addition process. You can expand folders and uncheck or check as many boxes as your heart desires. We will wrap it all up into a zip file and email you the download link.
CodeGuard Download Zip Backup
In addition to emailing you the link, we will make these zip files available to you in the dashboard for days after they were requested. So instead of hunting through your email inbox to find where that zip file went, you can simply log in to CodeGuard and re-download your zips right from the Restore tab.

Behind the scenes

The final set of improvements we made to this feature are ones that can’t be seen in the interface. Our engineering team put their heads together to create a new, much more efficient way of requesting zips from our system. Zip downloads complete much faster now, and you can also request as many zips as you want for any given website or backup.
Our old process for requesting zips was slightly inefficient, in that you could only request one zip at a time. You could not request another zip backup until the first zip was done being created. With new and improved logic driving this feature, you can now request as many zips as you want. So not only are our zips faster and more accessible with an improved UI, they are also much more accessible to you, and available for longer periods of time. That is quite the list of improvements!

What’s next?

In the next week or two we hope to extend this new logic to also include our Individual File Restore feature. This will include the improved UI for searching through your files and folders, and a faster back-end driving the restore once it’s started. The last few months our team has been extremely focused on improving our restore experience from every angle. Once we are done with our improvements to the Individual File Restore feature we guarantee that no matter what your restore needs are, CodeGuard will have a method that is perfect for you to get the job done.
So no matter what restore type you choose to initiate, we promise it will be intuitive, easy, and fast. Keep a look out on our blog for future updates!
Natalie

CVE-2014-3704 Drupal SQL Injection Vulnerability – How can you fix it?

Twitter Facebook

This is a critical vulnerability. If this is the first you are hearing about it and you manage a Drupal website, I would highly recommend that you go read the Drupal PSA and follow the instructions there before doing anything else.

 

CVE-2014-3704

The situation with CVE-2014-3704

On October 15th, 2014 the Drupal core team released the details of a vulnerability, CVE-2014-3704, that was classified as the most severe type of vulnerability: Highly Critical. This CVE-2014-3704 SQL injection attack can allow remote, anonymous users to take control of your Drupal installation and gain access to all of your content. The Drupal team describes it in a bit more technical detail:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This vulnerability can be exploited by anonymous users.

The website firewall company, Sucuri, observed attacks on Drupal sites starting only 8 hours after the vulnerability was disclosed. Those attacks have become systematized and are now widespread. As a result, the Drupal team is advising all website owners to assume “[…] that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC […].”

What should website owners do about CVE-2014-3704?

Unfortunately, the patch that Drupal provided for CVE-2014-3704 can only prevent a future attack. If your site has already been compromised, as the Drupal team and Sucuri data suggest is very likely, the patch can not undo an attack that has already occurred. The recommendation from Drupal is to restore your website to a time before October 15th to remove the backdoor and then apply the patch to prevent re-infection.

If you have your website backed up with CodeGuard, restoring to a time before October 15th should not be an issue. If you do not have daily backups, CodeGuard or otherwise, you could also check with your hosting provider. However, while they may have a disaster recovery backup of their servers (including your website content) that was taken some time between 24 hours and 7 days ago, that would not help in a case like this where backdoors could have been inserted weeks ago. If you do not have a viable backup, the only other option that Drupal provides is to rebuild your website from scratch. Ouch. Backdoors can be incredibly difficult to find manually, so if you do not have a comprehensive backup, rebuilding is the only other truly safe option if you have been compromised by CVE-2014-3704.

Backups are a necessary part website infrastructure

Just like reliable hosting, a comprehensive backup strategy should be high on the list of priorities when building a new website or maintaining an existing property. In addition to providing some measure of insurance against events like CVE-2014-3704, they can also save you time in cases where files are accidentally deleted or when plugin updates go awry.

In addition to 99.99% levels of reliability and daily backups, CodeGuard’s ChangeAlert feature can also be helpful in bringing unauthorized file content changes to your attention. In the event that the backdoor was inserted in a file or your static content was defaced, CodeGuard can provide you with a notification of the change and the tools to roll back the malicious activity.

In this age of rapidly exploited vulnerabilities like CVE-2014-3704, a comprehensive backup strategy is no longer a nice-to-have option, it’s a must-have for every website owner or administrator.

– Jonathan

Why Do WordPress Websites Go Down?

Twitter Facebook

CodeGuard and WordPress

WordPress is a great tool for creating and managing websites. With over 60 million websites using WordPress, it is by far the most popular content management systems on the web. Not only that, WordPress is also open source which means that it is constantly being updated and improved. Why then, is it so common for WordPress websites to go down?

Unreliable Hosts

Often, the problem is not the user’s fault, but their host’s or even other people on their shared server. Failing hardware, outdated software, or mismanaged resources, can all cause server crashes. When this happens any websites on the server will go down. If you’re lucky, the server will be back up shortly, and you will have access to your website again. Sometimes, though, files and databases can become corrupt. In this case, your website might not be accessible, or it might look or behave differently. It often takes an experienced user to fix this type of problem.

WordPress Vulnerabilities

Problems can also arise within WordPress itself. Because WordPress is so easy to install, users often fail to properly secure their installation against outside attacks, and with so many on the web, WordPress installations are a popular target for hackers. The fact that all of the WordPress bugs and vulnerabilities are posted online makes it even easier for attackers to compromise a WordPress site. CVEDetails.com keeps an up-to-date list with information about many known WordPress vulnerabilities.

Once a hacker has access to your website, you might not even know that anything has changed. Many hackers create networks of compromised websites that they can use for DDOS attacks, click fraud, and adware/spyware/malware distribution.

Plugin Vulnerabilities

Plugin vulnerabilities are possibly the largest contributor to WordPress failures. In mid July, ZDNet published an article that described how vulnerabilities in just four WordPress plugins affected over 20 million WordPress installations. One of the vulnerabilities even allowed “attackers to upload malicious PHP files or backdoors to the target server without needing admin privileges.” Just like WordPress, many plugin bugs and vulnerabilities are published online for everyone to see. On one hand, the fact that everyone has access to this information is good, because it prompts developers to fix the problems, if they haven’t already, and it gives users a heads up that their website may be susceptible. Unfortunately, though, this information also makes it easier for hackers to find and exploit vulnerable plugins.

Besides being vulnerable, WordPress plugins are often buggy, bloated, or poorly maintained. In addition, multiple plugins can conflict with each other. Plugin incompatibility is one of the reasons why we at CodeGuard discontinued support for our WordPress plugin in favor of a more reliable and platform-agnostic website backup strategy.

What can you do?

There are several things you can do to make sure your WordPress website stays up and running.

  1. Choose a reputable host
    If you want your website to available 24/7 make sure you choose a reliable hosting provider. Do a little bit of research beforehand to see if other users have had problems with the host you have in mind.
  2. Secure your WordPress installation
    WordPress has published an excellent guide to help you harden your WordPress installation against outside attacks.
  3. Keep your plugins up-to-date
    Old plugins with known vulnerabilities are easy targets for hackers. Keeping your plugins up-to-date will help ensure that they are bug-free and harder to attack. Limiting the number of plugins you have is also a good idea, because it reduces the number of attack vectors that hackers can potentially exploit.
  4. Have a backup
    If all else fails, it’s important to have a plan for recovery. CodeGuard provides easy backups for your WordPress installation, and we have specific WordPress features that make restoring your site even easier.
    Website_Backup_in_the_Cloud___CodeGuard

– Taylor

Product Development at Scale

Twitter Facebook

We know that our customers see our service as a critical part of their infrastructure, and this is a responsibility that we take seriously. Unlike other software-as-a-service companies, we don’t have the luxury of hoping that a customer will notice an issue and report it or try again later. CodeGuard provides an automated service and for customers that rely on us for daily backups, that means that we have a 24 hour window, 365 times a year where we have to perform at our very best. Our process for developing and maintaining the service has to reflect that reality.

Just as we have scaled our service to accommodate hundreds of thousands of website and database backups on a daily basis, we’ve had to scale our product development process to consistently deliver high-quality results for our customers while maintaining the 99.99% levels of reliability we have achieved. We can’t haphazardly release features or change functionality without thoughtful preparation, focused execution and thorough testing.

What does this look like?

It can vary slightly from project-to-project depending on the components involved, but we generally follow an Agile-based workflow. As a result, the entire team participates in every phase of the project from brainstorming through maintenance.

1. Brainstorming

523001_434980639899033_150466711_n

Brainstorming allows everyone the opportunity to share ideas and get everything out into the open. These discussions are not structured and often cover topics from from high-level deliverables to specific implementation details. Not only are they helpful for getting good (and bad) ideas into the group consciousness, they also serve as an opportunity for everyone to reach a common understanding of the project at hand, any potential complexities and options for execution.

2. Planning

 

Restore_Improvement_Plan_v1_0_-_2Sept14_-_Google_Sheets

After brainstorming, we move on to planning. This is a very important, but often incredibly difficult part of the process. The high-level product goals have to be deconstructed into small enough pieces for an engineer to build. Knowing how small or large to make these units of work and how to estimate their size relative to the other units of work in this project can be a tedious exercise. Make the pieces too small and it’s difficult to adjust the plan as new information arises and divide the work amongst the team. Make the units too large and you may end up waiting for a big piece of functionality to be completed which delays progress on other components. How this process works exactly will vary greatly based on the composition of personalities on your team. For us, it’s usually a spirited discussion that lasts two or three hours every other week. The result is often flow charts of functionality and a plan with the individual units of work.

3. Execution

_D1A0488_v1fs

As an engineer, this is the most fun part of the product development cycle. Everyone on the team starts implementing the items that were defined in the plan. We meet formally every morning to talk about progress and areas that we need help, but there is constant communication within the team during the day. During this process, we often work in ad-hoc pairs to get through the more complex bits of functionality or in cases where we are modifying existing components related to our core backup or reporting systems.

4. Testing

In addition to automated unit testing and functional testing, we also do a lot of team testing ahead of releasing new functionality. Our service connects to a wide variety of hosting providers, platforms and server types. As a result, we are extremely suspicious of the software that we build. Having humans devise test scenarios and directly interact with any new features we have built gives us an extra level of assurance that we did not miss anything in our automated testing. For functionality that requires user interface changes, it also give us the opportunity to make sure that everything works as expected in all of the popular browsers.

5. Deployment and Maintenance

Unlike other development teams, once we’ve built a new feature, thoroughly tested it and agree that it is ready for release, we can’t just give it to the client as say that it’s finished. We have to deploy the changes to all of our customers and maintain all of the functionality that we build. This reality of being both the development and operations team makes us very cautious about how things are implemented. If you know that your phone could be the one ringing at 2am when something breaks, you’re going to think twice before modifying code that you don’t completely understand or writing a super-clever, elegant, one-line and completely unreadable piece of code.

Conclusion

I believe that this process, which represents our intentionality, intense focus and commitment to delivering a high-quality product to customers is one of things that sets us apart from other backup solutions. An open-source plugin may have had more developers looking at the the source code, but the ultimate responsibility for ensuring that a backup runs every day is still up to you, the website owner. And, what about those times that you inevitably need assistance? Community support is a wonderful thing, but is it the best option for mission-critical infrastructure services?

These limitations do not apply to CodeGuard. Our service isn’t free, but that is because we have a team of professionals that are dedicated to the success of your backups. Every CodeGuard customer has a whole team working for them to ensure that their backups happen as scheduled and we have developed a process that allows us to do that while continuing to improve and add features to our service.

– Jonathan