May 2018 Security Newsletter

Stephen Kennedy - Lead Web Developer

General Security News

In the good news column for April, Dutch Police raided and took down the online DDoS marketplace Webstresser, which sold DDoS attacks for relatively low prices.

Additionally, for the first time ever, Microsoft has shipped its own Linux kernel. Azure Sphere OS is designed to work in concert with a custom Microsoft-designed microcontroller to bring security to every layer of Internet of Things (IoT) devices. Together the OS and chip protect both hardware and software, and security updates are pushed from a cloud service operated by Microsoft (rather than by the individual hardware manufacturers) for the life of the device, tackling one of the largest weaknesses of IoT devices: firmware that never gets patched after it ships.

But in the other column we have a lot of items that might affect you.

Attackers are making a concerted effort to infiltrate health care providers and get at sensitive patient data and medical records. Compromised devices have included X-ray machines, MRI machines, and the kiosks set up to help patients fill out paperwork. This is an international issue, but the US currently has the most victims.

If you are a Google Chrome user: security researchers have discovered a number of ad-blocking extensions designed to turn your browser into a member of a botnet. The major ones Google has removed from the Chrome Web Store include:

  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users, and easily confused with the real Adblock Plus)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)

All of the above have been pulled from the store, but being pulled from the store does not uninstall them from your browser. If any of them still show up under chrome://extensions, remove them as soon as possible.
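The following script is an added example, not Armor Techs code, that does the check above for an entire machine rather than by eye: it walks a Chrome profile's Extensions folder, reads each manifest.json, resolves Chrome's localised "__MSG_key__" names, and flags anything whose name matches the list in this newsletter. The profile paths, the on-disk layout (Extensions/<id>/<version>/manifest.json) and the sample fixture it builds are assumptions spelled out in the code. Name matching is only a screening step; confirm a hit against the extension ID shown on chrome://extensions before concluding anything.

```python
"""
Added example (not Armor Techs code): inventory the extensions in a Chrome
profile and flag any whose name matches the newsletter's watchlist.

Assumes Chrome's on-disk layout <profile>/Extensions/<id>/<version>/manifest.json,
with localised names written as "__MSG_key__" and resolved from
_locales/<default_locale>/messages.json.
"""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Names called out in the newsletter; compared after normalisation (case,
# punctuation and trademark symbols stripped).
WATCHLIST = [
    "AdRemover for Google Chrome",
    "uBlock Plus",
    "Adblock Pro",
    "HD for YouTube",
    "Webutation",
]

_MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def _norm(s):
    """'AdBlock-Pro\u2122' -> 'adblockpro' so cosmetic variations still match."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _resolve_name(ext_dir, manifest):
    """Return the display name, resolving Chrome's __MSG_key__ indirection."""
    raw = manifest.get("name", "")
    m = _MSG_RE.match(raw)
    if not m:
        return raw
    locale = manifest.get("default_locale", "en")
    msg_file = ext_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(msg_file.read_text(encoding="utf-8"))
        return messages[m.group(1)]["message"]
    except (OSError, KeyError, TypeError, ValueError):
        return raw  # keep the placeholder visible rather than hiding the entry


def list_extensions(profile_dir):
    """Return [(extension_id, version, name)] for every manifest under <profile>/Extensions."""
    base = Path(profile_dir) / "Extensions"
    found = []
    if not base.is_dir():
        return found
    for id_dir in sorted(p for p in base.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: Chrome would not load it either
            found.append((id_dir.name, manifest.get("version", ver_dir.name),
                          _resolve_name(ver_dir, manifest)))
    return found


def flag_watchlisted(extensions, watchlist=WATCHLIST):
    """Subset of (id, version, name) whose normalised name equals a watchlist entry.
    Exact match, not substring: 'Adblock Pro' must not drag in the real 'Adblock Plus'."""
    targets = {_norm(w) for w in watchlist}
    return [e for e in extensions if _norm(e[2]) in targets]


def default_profile_dir():
    """Chrome's default profile location on the current platform (assumed, not detected)."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / "Default"
    return Path.home() / ".config" / "google-chrome" / "Default"


def make_sample_profile():
    """Constructed fixture: a throwaway profile with one benign and one watchlisted extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-sample-"))
    benign = root / "Extensions" / ("a" * 32) / "1.2.3_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(
        json.dumps({"name": "Adblock Plus", "version": "1.2.3"}), encoding="utf-8")
    fake = root / "Extensions" / ("b" * 32) / "4.5_0"
    (fake / "_locales" / "en").mkdir(parents=True)
    (fake / "manifest.json").write_text(
        json.dumps({"name": "__MSG_appName__", "default_locale": "en", "version": "4.5"}),
        encoding="utf-8")
    (fake / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "AdBlock Pro\u2122"}}), encoding="utf-8")
    return root


if __name__ == "__main__":
    profile = Path(sys.argv[1]) if len(sys.argv) > 1 else default_profile_dir()
    exts = list_extensions(profile)
    for ext_id, version, name in exts:
        print(f"{ext_id}  {version:<10} {name}")
    hits = flag_watchlisted(exts)
    print(f"\n{len(exts)} extensions, {len(hits)} on the watchlist")
    for ext_id, version, name in hits:
        print(f"REMOVE: {name} ({ext_id} v{version})")
```

Run it with no arguments to scan the default profile, or pass a profile directory (for example a non-default "Profile 1" folder). The exact-match rule in flag_watchlisted is deliberate: a substring match on "adblock" would flag the legitimate Adblock Plus along with the fake "Adblock Pro".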

Drupal was found to be vulnerable to a cross-site scripting (XSS) bug and, more seriously, a remote code execution (RCE) bug. If you are running Drupal 6, 7 or 8, it is highly recommended that you install the relevant patch or update as soon as possible. The XSS is in the CKEditor library that ships with Drupal core; if CKEditor was installed separately (for example as a contributed module on Drupal 7), that copy needs to be updated as well.
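A quick way to find out whether a site is actually patched is to read the core version straight out of the docroot rather than trust a dashboard. The script below is an added example, not Armor Techs or Drupal code. It assumes the standard locations of the version constant (core/lib/Drupal.php on Drupal 8, includes/bootstrap.inc on Drupal 6 and 7) and uses the minimum releases from Drupal's April 2018 core security release (7.59, 8.4.8, 8.5.3); the excerpts of those files embedded in it are constructed samples. It does not inspect contributed modules, so a separately installed CKEditor still has to be checked by hand.

```python
"""
Added example (not Armor Techs code): read a Drupal docroot's core version and
classify it against the releases that carried the April 2018 fixes.

Assumed layout: Drupal 8 keeps the version in core/lib/Drupal.php as
`const VERSION = '8.5.3';`; Drupal 6/7 keep it in includes/bootstrap.inc as
`define('VERSION', '7.59');`.
"""
import re
from pathlib import Path

# Earliest core releases with the April 2018 RCE fix (SA-CORE-2018-004).  The
# CKEditor XSS fix in core (8.5.2 / 8.4.7) predates these, so meeting them covers both.
MIN_FIXED = {(7,): (7, 59), (8, 4): (8, 4, 8), (8, 5): (8, 5, 3)}

_D7_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
_D8_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'\s*;")

# Constructed excerpts standing in for the real files.
SAMPLE_D7_BOOTSTRAP_INC = (
    "<?php\n// constructed excerpt of includes/bootstrap.inc\n"
    "define('VERSION', '7.57');\n"
)
SAMPLE_D8_DRUPAL_PHP = (
    "<?php\n// constructed excerpt of core/lib/Drupal.php\n"
    "class Drupal {\n  const VERSION = '8.5.3';\n}\n"
)


def parse_version(source):
    """Version string from either file's source text, or None if absent."""
    for rx in (_D7_RE, _D8_RE):
        m = rx.search(source)
        if m:
            return m.group(1)
    return None


def version_tuple(version):
    """'8.5.3-dev' -> (8, 5, 3); pre-release suffixes such as -dev/-rc1 are dropped."""
    parts = version.split("-", 1)[0].split(".")
    if not all(p.isdigit() for p in parts):
        return ()
    return tuple(int(p) for p in parts)


def assess(version):
    """Classify a core version: patched / vulnerable / end-of-life / newer-branch / unknown."""
    vt = version_tuple(version)
    if not vt:
        return "unknown", f"could not parse {version!r}"
    if vt[0] <= 6:
        return "end-of-life", f"{version}: Drupal 6 core is unsupported; only third-party LTS vendors ship fixes"
    if vt[0] == 7:
        need = MIN_FIXED[(7,)]
    elif vt[:2] in MIN_FIXED:
        need = MIN_FIXED[vt[:2]]
    elif vt < (8, 4):
        return "vulnerable", f"{version} is on an unsupported 8.x branch; update to the 8.5 branch"
    else:
        return "newer-branch", f"{version} post-dates this advisory; check the current advisories"
    status = "patched" if vt >= need else "vulnerable"
    return status, f"{version} (minimum {'.'.join(map(str, need))})"


def check_docroot(docroot):
    """Locate the version file under a docroot and assess it; returns (status, detail)."""
    root = Path(docroot)
    for rel in ("core/lib/Drupal.php", "includes/bootstrap.inc"):
        path = root / rel
        if path.is_file():
            version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
            if version:
                return assess(version)
    return "unknown", f"no Drupal version file found under {docroot}"


if __name__ == "__main__":
    import sys
    for docroot in sys.argv[1:] or ["."]:
        status, detail = check_docroot(docroot)
        print(f"{status:<13} {docroot}: {detail}")
```

Point it at one or more docroots (python check_drupal.py /var/www/site1 /var/www/site2) and act on anything that is not reported as patched. A "-dev" suffix is dropped on purpose so development checkouts are compared by branch, but a dev build should still be checked by its commit rather than trusted on version number alone.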

For those unaware: for roughly a month last year, between August and September 2017, CCleaner's official download servers were compromised and served a trojanised copy of the software. Avast, which bought CCleaner's maker Piriform in July of that year, revealed this month that the attackers were probably inside the company's network for several months before that, and that, judging by the software installed and the tools used, the group behind the compromise has likely been doing this for years at many different companies with varying levels of success.

A recent report has also revealed that a number of Android hardware manufacturers are misrepresenting their security updates, reporting a patch level that includes fixes which were never actually applied. This has been an ongoing problem that Google has addressed somewhat with the more modular architecture of Android 8 (Oreo), but it still affects many users.

So, what is Armor Techs doing about it?

We've started an initiative for Hormone Free Virus removal, and while the marketing might be very silly, we can assure you the results speak for themselves. If you suspect your device is acting up, or even just not running as quickly as it should, bring it in and we'll take a look at it with our suite of tools.

We are actively building out our infrastructure to deliver automatic security updates to clients using the Arrow framework. Soon you'll be able to rest easy knowing you are running the most recent and most secure version of our code. This is a service we hope to offer by the end of this year.

We are continuing to reach out to clients using older, out-of-date frameworks, and are offering discounts to those willing to upgrade or move into the Arrow ecosystem.

Server News and Notices

In step with the launch of our automated update system, we will be dropping support for all versions of Arrow below 3.4. These earlier versions of the framework use a database driver that exposes a number of exploitable weaknesses, and after careful consideration, moving them to end of life is the best way to ensure that our clients and servers are protected. We will contact you in a few months if your framework will be affected by this change, and offer you a number of options on how to proceed.

We will continue to phase out support for OpenCart 1.x. Customers still using the older version of the framework should be aware that it is no longer PCI compliant; if you are running credit card transactions through your website, you will need either to move to a model where card details are collected and processed off-site by your payment provider, so that card data never touches your server, or to upgrade to a more secure framework.

On The Horizon

As mentioned above, we are aiming to provide automated updates to Arrow users by the end of the year.

We are also streamlining the deployment methods for Arrow so that we can spend less time setting up the environment for your site, and more time building and designing it to fit your needs.

We are currently prototyping a new spam filtration system and looking to improve the built in spam processing behavior for our contact form processors.