Web Application Security

Security Insights on The PEI Pass: From a Security Professional and Islander

We’re closer and closer to the end of Covid-19 restrictions and we’re heading to point in this pandemic that privacy and security experts have been fearing for quite some time. It was only a matter of time before Covid-19 vaccination became everyone’s answer for getting back to a normal(-ish) life. The challenge was always going to be in creating a process whereby everyone can provide evidence of vaccination, without breaching anyone’s right to privacy.

I was reading this article this morning on CBC, “Cybersecurity expert warns P.E.I. Pass website is ‘hotspot’ for hackers”, and was expecting to read something substantial about the security of the platform, and was honestly pretty disappointed. In my opinion, this article does nothing but erode more trust in our institutions. It lacks the details necessary for an article with such a title, and could stoke a decrease in use and trust of other online government platforms.

What Is The PEI Pass?

The PEI Pass is a document given by the Government of Prince Edward Island that verifies an individual has been either fully or partially vaccinated, plus an additional 21 days. If you have this document then you are not required to self-isolate for 14-days when entering P.E.I. The PEI Pass is available to almost anyone given they meet one of the 4 requirement categories. Each category has a different set of requirements including differing documentation needs. Categories:

  • Permanent P.E.I. residents
  • Permanent residents of N.S., N.B., N.L, or Magdalen Islands
  • Other Individuals who have been in an Atlantic province for a minimum of 14-consecutive days, not including Magdalen Islands.
  • Non-P.E.I. residents who came to P.E.I. through a Pre-Travel Approval and are currently in PEI

Security Vs Privacy

There are two different concepts being discussed here. Security and privacy are not the same thing. The privacy of the data may depend on factors that include, security.

Privacy Concerns

Although it’s easiest as a Permanent P.E.I. resident, all four requirement categories require you to upload documents or enter information that may not be relevant to the PEI Pass application.

As a Prince Edward Island resident, the government already knows this information about me, which is why they’ve made it easier by being able to lookup my records in the PEI COVID Immunization Registry. For me, I’m not concerned about uploading my driver’s license either, as the government has that too.

Non-permanent residents will be experiencing the most risk to privacy. Especially, with a data breach in P.E.I.’s not too distant past. Any time you give your information and data to an organization or government that didn’t previously have it, you’re increasing the risk of that information being stolen. That’s a risk calculation that you’ll need to make yourself.

Security Concerns

I wasn’t able to find any information on how the Government of Prince Edward Island is securing the transmission and the storage of information being supplied.

The PEI Pass application itself is protected by a valid SSL Certificate, which tells us that the data is being transmitted (data in transit) from your browser to the website server securely.

The unknowns don’t come into play until we attempt to identify what security controls are put into place to protect the data in storage (data at rest), nor do we know if the data is stored on the same server as the website. Unfortunately, outside of the privacy commissioner giving her go ahead, I can’t find any reports on it.

Conclusion

The PEI Pass application process asks not just for personal information, but also for personal documentation. This can lead to you releasing much more personal information then you may have wanted to. Photocopy your documents and use a dark marker to eliminate any information on them that isn’t relevant to the request. Then send the modified photocopy. The Government of Prince Edward Island provides a similar note on their website:

Will Applying To The PEI Pass Be a Risk To My Privacy?

Any time that you provide personal information to a third-party that didn’t have information before, you are compromising your privacy. Sometimes it’s good, sometimes it’s bad. That’s where laws like PIPEDA come in.

Will Applying To The PEI Pass Be a Risk To My Data Security?

Without knowing what security controls are in place, there is simply no way of knowing if applying for the PEI Pass will compromise your data security.

Is The PEI Pass Website a Hotspot for hackers?

No.

Cross Site Scripting Attacks On Your Company Website and How to Protect Against Them

Your business’ website and the domain (.com, .ca, .net, etc..) that goes along with it, is an important part of the identity of your organisation and is slowly becoming the first place that consumers will go to find out more about who you are and what you do. The last thing that you want, especially during an already strained moment in the world’s economy, is for a potential client to receive an ad or get redirected to another website when visiting yours.

Cross-site Scripting Vulnerability
There are many ways for an attacker to take advantage of you through your website including a technique called Cross-Site Scripting or XSS for short-hand. A XSS vulnerability allows an attacker to insert (or inject) a piece of code into your website. One intended result from this action is that the code is then displayed to your visitors in the form of ads, malware, or just about anything else. In effect, the attacker is using your website as a median to deliver malicious content to unsuspecting visitors.

A XSS vulnerability exists when an input on your website doesn’t properly validate or sanitize the data given to it prior to that data being used in an output. These inputs might include contact forms, shopping carts, and login forms. Essentially, any point of data entry on your website can be the target of a XSS attack.

Protecting Against XSS Vulnerabilities
The most effective manor of protecting against a XSS vulnerability is by not allowing your visitors to use any special characters (<,>,/,\,,,!,&,etc) when entering data on your website. HTML encoding is the most common method for ensuring that HTML characters are converted output in safer manner. XSS vulnerabilities can be identified during development by using both Static and Dynamic Application Security Testing (DAST) techniques, and should be remediated prior to pushing code to production.

Many websites, including this one, rely on a Content Management System (CMS) to manage and display content. WordPress and Drupal are just a couple of examples of what a CMS is. When using a CMS you willl rely on plug-ins to provide functionality like contact forms, and while you can’t know with 100% certainty what security controls were used in the development of the plug-in, you do have the ability to keep them updated with the latest software patches. Your CMS will allow you to update your plug-ins through its distinct administration dashboard. WordPress 3.7 introduced the capability to turn automatic update plug-ins, but it needs to be turned on!

Resources
OWASP – Cross Site Scripting (XSS)