Do as I say, not as I do.   
INFRAGARD.ORG.
John Selden. Table Talk. Circa 1654. Image courtesy of izquotes.com.


John Selden’s “Do as I say, not as I do” is one of the oldest admonishments against hypocrisy in the English language.

Today we will discuss an egregious example of hypocrisy, www.infragard.org. Infragard.org is sponsored by the Federal Bureau of Investigation (FBI), a division of the U.S. Department of Justice. 

The web site www.infragard.org describes InfraGard as follows, and I quote: “… is a partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure. With thousands of vetted members nationally, InfraGard's membership includes business executives, entrepreneurs, military and government officials, computer professionals, academia and state and local law enforcement; each dedicated to contributing industry specific insight and advancing national security.”

https://www.infragard.org

One would think that a site with such an important role, impressive pedigree, and important users would have “Quantalytics Diamond-Hard™” security to prevent hacking and Man-In-The-Middle attacks. They are not even close. Cyber security for this site, as visible from the outside, is almost non-existent.

For its HTTP response headers, the infragard.org site gets a solid “D”. The following headers are all missing from its responses, and with them the browser-side protection each one provides:

·        Content-Security-Policy (restricts where scripts, frames and other resources may be loaded from, blunting cross-site scripting)

·        X-Frame-Options (forbids other sites from framing the page, preventing clickjacking)

·        X-Content-Type-Options (the value “nosniff” stops browsers from second-guessing the declared content type)

·        Referrer-Policy (limits how much of the URL is leaked to other sites in the Referer header)

·        Feature-Policy (restricts which browser features a page and its frames may use; since renamed Permissions-Policy)

We also disagree with how much web server information the site exposes. Its Server header announces “Microsoft-IIS/8.5”; we prefer to answer “Unknown”, or nothing at all. In addition, the site announces that it is powered by ASP.NET, version 4.0.30319 (the version string of the .NET Framework 4.x runtime). ASP.NET 4 has had a long list of security holes and remains a target of great interest to hackers; publishing the version tells them exactly where to start.

At Quantalytics, we believe that the first step in defending against hackers is to deny them any information that makes their work easier or less likely to be noticed. Suppressing banners does not fix a vulnerability, but it forces an attacker to probe for it, and probing is what gets logged and caught. The FBI has instead saved potential hackers the reconnaissance step and made it easy for them to look for known holes in IIS 8.5 and ASP.NET 4.

A review of our own domain (www.quantalytics.com) will show that the Server header reads “Unknown” and that all of the above HTTP headers are in place. Quantalytics therefore exposes none of this information. At Quantalytics, we call this level of configuration and protection “Quantalytics Diamond-Hard™”, and we expect nothing less from the FBI and its infragard.org site.
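One way to reproduce the header check described above, as an added example that is neither the article's own tooling nor anything from infragard.org: a Python audit that takes a response's headers and reports what is missing, what is present but weak, and which headers fingerprint the stack. Strict-Transport-Security is included beyond the article's list because any HTTPS login page needs it. The two header sets at the bottom are constructed, one mirroring the article's observations and one showing a hardened baseline; neither is a capture of a real response. fetch_headers() is there for a live run and is not used offline.

```python
"""Security-header audit (added example; not code from the article or from infragard.org).

audit_headers() takes a response-header dict and reports
  - protective headers that are missing (the article's list, plus HSTS),
  - headers that are present but carry a weak value,
  - fingerprinting headers (Server, X-Powered-By, X-AspNet-Version, ...) that
    should be suppressed at the web server or by the WAF in front of it.
"""
import urllib.request

# Each requirement is satisfied by any one of the listed header names.
# Feature-Policy has been renamed Permissions-Policy; either satisfies it.
REQUIRED = [
    ("Content-Security-Policy", ("content-security-policy",)),
    ("X-Frame-Options", ("x-frame-options",)),
    ("X-Content-Type-Options", ("x-content-type-options",)),
    ("Referrer-Policy", ("referrer-policy",)),
    ("Feature-Policy / Permissions-Policy", ("feature-policy", "permissions-policy")),
    ("Strict-Transport-Security", ("strict-transport-security",)),  # added to the article's list
]
# Headers whose only effect is to help an attacker fingerprint the stack.
LEAKY = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_headers(headers):
    """Return {'missing': [...], 'weak': [...], 'leaks': {...}, 'ok': bool}."""
    norm = {k.strip().lower(): v.strip() for k, v in headers.items()}
    missing = [label for label, names in REQUIRED if not any(n in norm for n in names)]
    weak = []
    xcto = norm.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        weak.append("X-Content-Type-Options must be exactly 'nosniff'")
    xfo = norm.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        weak.append("X-Frame-Options must be DENY or SAMEORIGIN (ALLOW-FROM is obsolete)")
    csp = norm.get("content-security-policy", "").lower()
    if csp and "default-src" not in csp and "script-src" not in csp:
        weak.append("Content-Security-Policy sets neither default-src nor script-src")
    hsts = norm.get("strict-transport-security", "").lower().replace(" ", "")
    if hsts and "max-age=0" in hsts:
        weak.append("Strict-Transport-Security max-age=0 switches HSTS off")
    # A Server header of "Unknown" (the article's preference) reveals nothing and is not counted.
    leaks = {n: norm[n] for n in LEAKY if norm.get(n, "").lower() not in ("", "unknown")}
    return {"missing": missing, "weak": weak, "leaks": leaks,
            "ok": not (missing or weak or leaks)}


def fetch_headers(url):
    """Live check: GET the URL and return its response headers (network; not used offline)."""
    with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed to mirror the article's observations (IIS 8.5, ASP.NET 4.0.30319, none of the
# protective headers); not a capture of the real response.
INFRAGARD_LIKE = {
    "Server": "Microsoft-IIS/8.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}
# A reasonable hardened baseline for an ASP.NET site (assumed values, not infragard.org's).
HARDENED = {
    "Server": "Unknown",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    import sys
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else INFRAGARD_LIKE
    for key, value in audit_headers(target).items():
        print(f"{key}: {value}")
```

Run it with a URL argument to audit a live site, or with none to see the constructed IIS-style response fail every check. On IIS the protective headers are added under system.webServer/httpProtocol/customHeaders in web.config, which is also where X-Powered-By is removed; a WAF that rewrites responses can do the same from the outside.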

(For a complete explanation of HTTP Headers, please see my LinkedIn article, "Resistance is Futile." - The Borg. HTTP Headers published on September 10, 2019.)

The next infragard.org cyber security problem is the failure to use a Web Application Firewall (WAF), or, if one is in use, to configure it properly.

We suspect the absence of a well-configured WAF because the header problems noted above, and the exact web server software, are visible to anyone. Both can be fixed at the web server (in IIS the response headers are set in web.config), or a properly configured WAF in front of it can add the missing headers and strip the identifying ones. Without either, the missing headers are exploited from the victim’s own browser: a page with no X-Frame-Options can be framed for clickjacking, and one without a Content-Security-Policy gives any injected script free rein.

(For a complete explanation of Web Application Firewalls (WAFs), please see my LinkedIn article, And the Walls Came Tumbling Down. Web Application Firewalls, published on September 3, 2019.) 

Given our surprise and disappointment at how the FBI has failed to secure its web server through correct and full implementation of HTTP headers and a Web Application Firewall, we decided to dig deeper and look at their DNSSEC (DNS Security Extensions). DNSSEC lets a resolver verify that a DNS answer was signed by the zone owner, so an attacker cannot forge or poison the records that send users (and mail) to the site; it is the DNS layer’s defense against Man-In-The-Middle (MITM) attacks, although it encrypts nothing. Its absence is especially worrisome for a site such as infragard.org, where there is an implicit promise of full cyber security given the site’s purpose, sponsorship, and user base.

The following is a partial map of the DNSSEC chain of trust for infragard.org. It shows the end of the chain, where the org zone delegates to infragard.org.

DNS Delegation Tree - Partial

On the right-hand side the diagram shows the delegation from org to infragard.org. The org zone answers the DS lookup for infragard.org with an NSEC3 record: a signed proof that no DS record exists for the domain. With no DS, the parent vouches for none of the child’s keys, so the chain of trust ends at org and the delegation is insecure, which in DNSSEC terms means unsigned.

 DNS Delegation:

DNS Delegation - Insecure

The following are the details, record by record, starting with the DNS A record. Because none of them is signed, each can be forged by an attacker positioned between a user’s resolver and the authoritative servers, making the site potentially vulnerable to a Man-In-The-Middle (MITM) attack. This is especially worrisome because the infragard.org site has a login, so a successful attack could mean that login credentials are being harvested. Note that a forged DNS answer alone does not defeat HTTPS: the browser still checks the server certificate, so harvesting credentials also requires a plain-HTTP path to the login page or a certificate the attacker has obtained for the domain.

DNS A record: Insecure

DNS NS record: Insecure

DNS SOA record: Insecure

DNS MX record: Insecure

DNS DMARC record: Insecure

All of these records are unsigned, which leads to the unsurprising conclusion that, for infragard.org, DNS provides no authentication at all. (“Insecure” here is the DNSSEC validation state: the answers cannot be verified, not that anyone has been caught tampering with them.) The MX and DMARC records sit in the same unsigned zone, so a receiving mail server that looks them up can be fed forged answers too, making e-mail, in addition to the website, potentially hackable.
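The status shown in the diagrams can be reproduced without any third-party scanner. The following Python, an added example that is not the article's code or that of any tool it used, builds a DS query with the DNSSEC OK bit, sends it to a validating resolver (Quad9 at 9.9.9.9 is assumed as the default; any validating resolver works) and classifies the reply the way a validator does: DS present with AD set is a secure delegation, no DS with AD set is a signed proof that the child zone is unsigned (insecure), and SERVFAIL is bogus. build_response() exists only to construct the offline sample at the bottom, whose RDATA is dummy bytes and whose NSEC3 owner name is made up.

```python
"""DNSSEC delegation check at the wire level (added example; not from the article or any
tool it used). Asks a validating resolver for a zone's DS record with the EDNS0 DO bit set
and classifies the reply:
  secure     DS answered and AD set: the parent vouches for the child's key
  insecure   no DS and AD set: the parent's signed NSEC/NSEC3 proves the child is unsigned
  bogus      SERVFAIL: a chain exists but fails validation
"""
import socket
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "OPT": 41,
        "DS": 43, "RRSIG": 46, "DNSKEY": 48, "NSEC3": 50}
TYPE_NAME = {v: k for k, v in TYPE.items()}
AD_FLAG = 0x0020          # Authenticated Data bit in the header flags
DO_BIT = 0x00008000       # DNSSEC OK bit, carried in the OPT RR's TTL field


def encode_name(name):
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                               # compression pointer
            end = (off + 2) if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(qname, qtype, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD=1, 1 question, 1 OPT RR
    question = encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE["OPT"], 4096, DO_BIT, 0)  # root owner, 4096-byte UDP, DO=1
    return header + question + opt


def parse_response(data):
    """Return rcode, AD flag and (section, owner, type) of every RR; RDATA is skipped."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                                 # QTYPE + QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            records.append((section, owner, TYPE_NAME.get(rtype, rtype)))
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "records": records}


def classify_delegation(resp):
    if resp["rcode"] == 2:
        return "bogus"
    if resp["rcode"] != 0:
        return "error"
    has_ds = any(s == "answer" and t == "DS" for s, _, t in resp["records"])
    if has_ds:
        return "secure" if resp["ad"] else "ds-present-unvalidated"
    return "insecure" if resp["ad"] else "no-ds-unvalidated"


def query(qname, qtype="DS", resolver="9.9.9.9", timeout=3.0):
    """Live lookup; the resolver must validate DNSSEC for AD to mean anything (Quad9 assumed)."""
    msg = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != msg[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def build_response(qname, qtype, rrs, ad=False, rcode=0, txid=0x1234):
    """Craft a reply (QR, RD, RA set) from (section, owner, type, rdata) tuples; offline samples only."""
    sections = ("answer", "authority", "additional")
    flags = 0x8180 | (AD_FLAG if ad else 0) | (rcode & 0xF)
    counts = [sum(1 for r in rrs if r[0] == s) for s in sections]
    out = struct.pack("!HHHHHH", txid, flags, 1, *counts)
    out += encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    for s in sections:
        for section, owner, rtype, rdata in rrs:
            if section == s:
                out += encode_name(owner) + struct.pack("!HHIH", TYPE[rtype], 1, 3600, len(rdata)) + rdata
    return out


# Constructed sample of the answer the diagram describes: the org zone proves with a signed
# NSEC3 that infragard.org has no DS. RDATA is dummy bytes and the hashed owner name is made up.
UNSIGNED_DELEGATION = build_response("infragard.org.", "DS", [
    ("authority", "org.", "SOA", bytes(22)),
    ("authority", "org.", "RRSIG", bytes(18)),
    ("authority", "abcd1234.org.", "NSEC3", bytes(12)),
    ("authority", "abcd1234.org.", "RRSIG", bytes(18)),
], ad=True)

if __name__ == "__main__":
    import sys
    resp = query(sys.argv[1]) if len(sys.argv) > 1 else parse_response(UNSIGNED_DELEGATION)
    print(classify_delegation(resp), resp["records"])
```

Run with a domain name to query the live resolver, or without arguments to classify the constructed sample. The same query() call with qtype "MX" or "TXT" (for _dmarc.infragard.org) shows whether the mail records carry RRSIGs; in an unsigned zone they do not.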

The last thing we did was review the source code of the home page of infragard.org. I quote lines 125 through 127, the section for logging into the site.

<form action="/Application/Account/Login?cid=2499" autocomplete="off" class="form-horizontal" method="post" role="form">                                <div>
 
<input name="__RequestVerificationToken" type="hidden" value="-QtJVaG1ZgTnG4fv0J-1z0XKoIj_3K0bzd2maA9lGj96Ci68dISEwJ0msUOXv4LyCEkzVzAjxJWdj33O9011f-bu9yMPFAqVOywIGb_nBdk1" />

Two things stand out: the form’s action carries a “cid” parameter (which we take to be the last user login), and the hidden field carries a “__RequestVerificationToken”. The latter is ASP.NET MVC’s anti-forgery token, the standard defense against cross-site request forgery (CSRF). It is meant to appear in the HTML: the server only accepts the POST if this form half matches a second half held in a cookie the browser never renders, so a token copied from the page is useless on its own. It is not a password, and its presence is this control working as designed. (A technical discussion of tokens and their use is outside the scope of this article.)

What the source does confirm is the exact login endpoint (/Application/Account/Login) and the parameter it expects. Combined with the missing HTTP headers, the absence of a WAF, and the exposed server type (IIS 8.5) and ASP.NET version, this is an invitation for hackers.
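To make the token point concrete, here is a simplified synchronizer-token scheme in Python, an added example that models the ASP.NET MVC design (a cookie half and a form half bound by a server-side key) rather than reproducing its code; the key handling, encoding and user binding are assumptions for illustration. The last function plays out the scenario in the paragraph above: an attacker copies the form token from the public page and submits it against a victim's session.

```python
"""Synchronizer anti-forgery token (added example). A simplified model of the ASP.NET MVC
__RequestVerificationToken design, not its actual code: a random session secret is split
into a cookie half and a form half, each sealed with a server key, and a POST is accepted
only when both halves carry the same secret.
"""
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # plays the role of ASP.NET's machineKey (assumed)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, *parts):
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).digest()


def issue_tokens(username, key=SERVER_KEY):
    """Return (cookie_token, form_token) for one browser session.
    The cookie half travels in an HttpOnly cookie and never appears in HTML; the form
    half is rendered into every form, exactly as on the infragard.org login page."""
    session_secret = secrets.token_bytes(16)
    cookie_token = _b64(session_secret + _mac(key, b"cookie", session_secret))
    form_token = _b64(session_secret + _mac(key, b"form", session_secret, username.encode()))
    return cookie_token, form_token


def validate(cookie_token, form_token, username, key=SERVER_KEY):
    """Accept a POST only if both halves are intact, share the session secret,
    and the form half was issued for this user."""
    try:
        cookie, form = _unb64(cookie_token), _unb64(form_token)
    except (ValueError, TypeError):          # binascii.Error is a ValueError
        return False
    if len(cookie) != 48 or len(form) != 48 or cookie[:16] != form[:16]:
        return False                         # form half not bound to this browser's cookie half
    ok_cookie = hmac.compare_digest(cookie[16:], _mac(key, b"cookie", cookie[:16]))
    ok_form = hmac.compare_digest(form[16:], _mac(key, b"form", form[:16], username.encode()))
    return ok_cookie and ok_form


def attacker_replays_page_token(victim_cookie_token, username="", key=SERVER_KEY):
    """The worry in the article: an attacker lifts the form token out of the public HTML
    (issued for the attacker's own session) and gets the victim's browser to POST it.
    The victim's cookie half carries a different secret, so the request is rejected."""
    _, attacker_form = issue_tokens(username, key)
    return validate(victim_cookie_token, attacker_form, username, key)
```

The property that matters is the last function returning False: the value printed in the page is only half of the secret, and the half that decides the outcome never leaves the victim's cookie jar.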

This is not an example of “leadership by example”. Instead, it is the FBI’s cyber leadership offering hackers carte blanche.

The net result is that the infragard.org (“seamless collaboration”) web site and its DNSSEC have major failures in cyber security. This FBI-sponsored site is not even close to being “Quantalytics Diamond-Hard™”.

We have a modest recommendation to offer the FBI. Establish an office of Web Security Inspector General for ALL FBI sites, with a basic security checklist that every FBI site must pass. The checklist should cover HTTP headers, DNSSEC, and a properly configured Web Application Firewall (WAF).

This entire report is based on the publicly facing Web infrastructure for infragard.org. No laws were broken in examining the public-facing Web and Internet settings for infragard.org. Anyone with sufficient skills, and using publicly available tools, can replicate these findings. 

This likely includes a significant number of infragard.org’s public sector members, who will probably be furious when they learn about the acute security weaknesses in this site. 

At Quantalytics, we have a saying we recommend for, among others, the FBI: Trust nothing. Verify everything. This is how we create “Quantalytics Diamond-Hard™” network security for our network security appliances, and for our clients.

Do as I say, not as I do. INFRAGARD.ORG. 

Arthur Carp | Quantalytics, Inc. | [email protected] | @quantalytics
