April 2018 Security Newsletter

Stephen Kennedy - Lead Web Developer

Chicago-based Orbitz was in the news this month for a data breach. The consensus seems to be that the breach took place sometime between October 2016 and December 2017. If you're wondering how a company that builds its business on analyzing logistics data to get travelers the best deals can offer only a very broad window for when the breach likely happened, unfortunately, this is actually pretty common. Intrusion detection and logging systems are an area where the IT security industry needs to focus a lot of attention, but that kind of development is expensive, and few businesses can see the benefits until they end up in the news.

Windows users should be aware of a recently disclosed vulnerability in the Windows Remote Assistance application (Quick Assist) affecting Windows versions from 7 up. Interestingly, this exploit works not by asking users to give up control of their computer, but by getting the victim's system to send extra data to a remote location while connecting to a system requesting assistance. This exploit does require user action to work, so if you don't interact with the application, you will never be vulnerable. It is still recommended to install the patch as soon as possible.

Millions of Android phones from Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung, and GIONEE were delivered to consumers with data-mining malware pre-installed. The malware disguises itself as the System Wi-Fi service and appears to have been installed somewhere in the supply chain, but not by the manufacturers themselves. The malware is modular and downloads extra components as needed for whatever activity the network needs, from data gathering to fully fledged botnets. Last year Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo suffered a similar attack in which malware was pre-installed on their phones before they were ever delivered to a retailer.

So, what is Armor Techs doing about it?

We continue to take Internet Security very seriously. We made another major security update to the server last month. We apologize for any email issues that may have occurred as we put these changes into place, but once everything is up and running smoothly, we are hoping to see a major down-tick in spam email activity as well as improved email deliverability.

We have begun alpha tests of a new Shell Protection System, Drawbridge, on a few of our clients. Data is still being gathered, but the system's early results are very promising, with minimal added page-load times. The system is compatible with all PHP-based frameworks (Arrow, OpenCart, WordPress, Drupal, and Joomla! included), and we are looking to include it for all of our monthly security clients.

Blacksmith's secure backup system is live and in beta tests right now. We have currently installed the system on several client machines, and we are getting good stress test numbers for our current server setup. We will be announcing finalized pricing after we have solid real-world infrastructure maintenance costs determined.

And we continue to offer professional computer optimization and malware scanning services for Desktops, Laptops, and Mobile Devices. If you have a device that seems to be misbehaving, bring it in, and we'll take a look at it for you. We have professionals trained to look for things that a casual user may easily overlook. They know the difference between a relatively benign functionality-enhancing PUP and a full-on Trojan payload.

Server News and Notices

We have successfully upgraded our email system, but in the process, we have dropped support for the POP3 protocol entirely. If you use an external mail client to access your email, you will need to make sure your incoming settings are set to IMAP on port 993 using SSL/TLS.

Also, I would like to take a few moments to remind our clients that we do not officially support Outlook 2013. The program is 5 years old and has some serious flaws that subsequent versions of the software went on to solve. Registry edits can be made to your system to alter the application to support the encryption protocols we require, but that work may result in an additional fee, and cannot be warrantied. We highly recommend all of our clients look into the Office 365 suite, as the subscription model means that all of your applications will be up to date and maintained into the future. Mozilla Thunderbird is also a strong—and free—alternative, and what we use in our office.

We have also noticed that a number of our clients are using very large amounts of space in their email. Please be aware that while we do not currently have a space limit on our email services, if a limit proves to be needed, we will tie it into your hosting contract renewal. If you absolutely need to save an email or an attachment, we highly recommend backing it up locally, or using a storage service. Overly large email accounts can slow down email sync times and searches for individual emails. Most external clients also keep copies both on the server and locally, meaning if you have 20 GB of email, you have those 20 GB in two separate locations, and both your computer and the server need to parse through all that data to find items you might be looking for.

Unfortunately, OpenCart 1.0 has reached the end of our support. There is a relatively large flaw that is allowing those hostings to abuse our email server. We will be approaching clients with this framework this month, and if we do not receive a concrete upgrade plan from those businesses, we will be suspending the ability for that framework to send email. The platform will still be functional, but no email notifications will be sent. OpenCart 1.1.1 was launched in 2009, OpenCart 2.0 was launched in 2014, and OpenCart 3.0 in 2017. Anyone relying on OpenCart 1.0 now is putting their data, and their customers' data, at risk, and we will be discontinuing hostings using it completely in the next few months.

On The Horizon

Arrow 7 is still in development, but some features are starting to be integrated into the current Arrow 6 framework. We have taken a hard look at optimizing our database to work more efficiently with memory, enabling larger applications to run in a web setting with relatively small changes. We hope this will make room for medium-scale data aggregate systems, while we look into options for large-scale support. We have rewritten our Popup Dialog system completely to support multiple resizable and draggable windows. Our Parallax library has been updated to support horizontal movement and infinite scrolling. Our Client portal is entering the last testing stage before being opened to the public. We are a few months from offering up-to-date monitoring of tickets, online job submission, and online payment options to all of our clients, all from their web browser.

All in all, Arrow 7 is shaping up to be one of our most flexible and customizable releases yet, without compromising on speed or security.

Wednesday, April 4th, 2018 #internet security #server #news #newsletter