A Tale of Two Web Sites: DIU.MIL & CSIAC.ORG.
“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, …” -Charles Dickens. A Tale of Two Cities.
In our modern version of Dickens’s immortal tale, we are going to compare two web sites: diu.mil, and csiac.org, which is sponsored by the U.S. Department of Defense (DoD). After finding all the security failures in public.cyber.mil (see my article, DoD Cyber Exchange. Leadership by Example. NOT!!!, published Oct. 30, 2019), we thought it would be interesting to look at several more DoD web sites.
Unfortunately, as you will read, each site’s cyber security is dismal.
The United States Department of Defense (DoD) has numerous websites and affiliated sites. One might reasonably expect that DoD would want to maintain its battlefield reputation, recently burnished by the killing of al Baghdadi, head of ISIS, and one of his henchmen, by taking suitable precautions with its cyberverse assets. A strong reputation in both battlefields, realverse and cyberverse, has a strong deterrent effect.
The first site we examined is the Defense Innovation Unit. The Defense Innovation Unit is responsible for, per the website, “Accelerating Commercial Technology For National Security”. It includes a contact form, which, from a cyber security perspective, is an attack surface.
https://www.diu.mil
Given its emphasis on national security and DoD ownership, we had natural expectations that the site’s security would be “Quantalytics Diamond-Hard™”. It is not.
For implementing HTTP Headers, the site gets a solid “D”. The following HTTP Headers are all missing, and with them, the anti-hacking protection they provide.
Content-Security-Policy
X-Content-Type-Options
Referrer-Policy
Feature-Policy
Also, we disagree with their exposure of their web server information. Even though the web server probe only reveals “Apache”, we prefer to return “Unknown”, on the simple theory that the first step in successfully defending against hackers is to deny them any information at all that might make their efforts easier and less likely to be caught.
A review of our domain (www.quantalytics.com) will show that the Web Server is “Unknown” and that all the above HTTP Headers are locked down. Quantalytics has no exposure as a result. At Quantalytics, we call this level of configuration and protection “Quantalytics Diamond-Hard™” – and expect nothing less from the U.S. Department of Defense and its diu.mil site.
(For a complete explanation of HTTP Headers, please see my LinkedIn article, "Resistance is Futile." - The Borg. HTTP Headers published on September 10, 2019.)
The next www.diu.mil website cyber security problem is the failure to use a Web Application Firewall (WAF), or, if one is used, to configure it properly.
We suspect the absence of a well-configured Web Application Firewall (WAF) because we can see the HTTP Header problems noted above, in addition to the exact web server software being used. These can be fixed at the web server software level, or information about their status can be blocked by a properly configured Web Application Firewall (WAF). Without a properly configured Web Application Firewall, even a web browser can be turned into a weapon to attack the diu.mil HTTP Header security holes.
(For a complete explanation of Web Application Firewalls (WAFs), please see my LinkedIn article, And the Walls Came Tumbling Down. Web Application Firewalls, published on September 3, 2019.)
Given our surprise and disappointment in how DoD has failed to secure their web server through correct and full implementation of HTTP Headers and a Web Application Firewall, we decided to dig deeper and look at their DNSSec (DNS Security). DNSSec is used for preventing Man-In-The-Middle (MITM) attacks. These are especially worrisome if the user is going to a site such as diu.mil, where there is an implicit promise of full cyber security, given the site’s purpose and sponsorship.
A review of the domain’s (diu.mil) public DNS records shows that the DNS A record, as of the date of this article, is secure. The site is NOT open to Man-In-The-Middle (MITM) attacks. This saved diu.mil from an “F” grade.
The second site in our tale is The Cyber Security & Information Systems Information Analysis Center (CSIAC). I quote from the home page: “The CSIAC is a DoD-sponsored Center of Excellence in the fields of Cybersecurity, Software Engineering, Modeling & Simulation, and Knowledge Management & Information Sharing.”
https://www.csiac.org/
With the claim of “Center of Excellence in the fields of Cybersecurity …”, and such a pedigree, csiac.org should be not only a source of information on cyber security, but also provide leadership-by-example on how to achieve “Quantalytics Diamond-Hard™” cyber security.
For implementing HTTP Headers, the site gets a solid “F”. The following HTTP Headers are all missing, and with them, the anti-hacking protection they provide.
Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Feature-Policy
Even worse, they have implemented the P3P (Platform for Privacy Preferences Project) Header. P3P, to quote Wikipedia, “… is an obsolete protocol allowing websites to declare their intended use of information they collect about web browser users. …”
(For a complete discussion of the obsolete Platform for Privacy Preference Project (P3P) Header, please see https://en.wikipedia.org/wiki/P3P.)
Worse, the P3P Header has been implemented incorrectly, with a null value.
So rather than implementing the HTTP Headers of great security value, only an obsolete, valueless header has been incorrectly implemented.
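The header checks described for both sites above can be automated. The following Python script is an added example, not Quantalytics tooling or anything from the original article: it audits one response’s headers for the six defensive headers listed, a disclosed Server banner, and the obsolete P3P header, using constructed sample responses rather than live captures.

```python
"""Passive audit of one HTTP response's headers against the article's checklist.
Added example, not Quantalytics tooling. Reports which of the listed defensive
headers are absent, whether a Server banner is disclosed, and whether the obsolete
P3P header is present (flagging the empty CP="{}" form the CSIAC scan showed)."""
from urllib.request import Request, urlopen

# The six headers the article grades on (Feature-Policy is the older name
# for what browsers now call Permissions-Policy).
EXPECTED = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Feature-Policy")

def audit_headers(headers):
    """Return findings for a header mapping; names are matched case-insensitively."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {"missing": [h for h in EXPECTED if h.lower() not in lower],
                "server_disclosed": None, "p3p": None}
    server = lower.get("server", "")
    if server and server.lower() != "unknown":
        findings["server_disclosed"] = server          # e.g. "Apache"
    if "p3p" in lower:
        # P3P is obsolete; a compact policy of CP="{}" (or nothing) declares no policy at all.
        empty = lower["p3p"].replace(" ", "") in ('CP="{}"', 'CP=""', "")
        findings["p3p"] = "obsolete, empty value" if empty else "obsolete"
    return findings

def fetch_headers(url, timeout=10):
    """Fetch live response headers with a HEAD request (network; not used by the demo)."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return dict(resp.headers.items())

# Constructed samples (not live captures). The first mirrors the CSIAC pattern
# described above: none of the six headers, a Server banner, and P3P: CP="{}".
SAMPLE_WEAK = {"Server": "Apache", "P3P": 'CP="{}"', "Content-Type": "text/html"}
SAMPLE_HARDENED = {
    "Server": "Unknown",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Feature-Policy": "geolocation 'none'",
}

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_headers(sample))
```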
Given our surprise and disappointment in how DoD has failed to secure their web server through correct and full implementation of HTTP Headers, we decided to dig deeper and look at their DNSSec (DNS Security). DNSSec is used for preventing Man-In-The-Middle (MITM) attacks. These are especially worrisome if the user is going to a site such as CSIAC, where there is an implicit promise of full cyber security, given the site’s purpose and sponsorship.
A review of the domain’s (csiac.org) public DNS records shows that the following DNS records, as of the date of this article, are incorrectly set up, leading to possible Man-In-The-Middle attacks.
The following is a partial map of the DNS Levels of Trust for csiac.org. It shows the end of the DNS Levels of Trust chain.
The yellow arrow feeding into the bottom box on the left shows that all the DNS entries are “LAME”. We have never before seen this degree of DNSSec problems.
The diagram shows on the right-hand side how the domain, csiac.org, feeds NSEC3 into the DNS records. This step is insecure. The following are the details, including the DNS A record, making the site potentially vulnerable to a Man-In-The-Middle attack. This is especially worrisome because the csiac.org site has a login. So a Man-In-The-Middle attack, if successful, would mean that login credentials are being harvested.
DNS A record:
DNS AAAA record:
DNSKey record:
DNS Zone record:
All of these DNS records are incorrect, and lead to the unsurprising conclusion that DNS is completely insecure.
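What the DNSSec review above is asking is whether a validating resolver can confirm the zone’s chain of trust. The following Python script is an added example, not from the article: it sends a DNS query with the DNSSEC OK (DO) bit set and classifies the answer from the AD flag and response code. It assumes a validating resolver (1.1.1.1 by default) and network access for the live check; the packet builder and header parser work offline.

```python
"""Ask a validating resolver about a name with the DNSSEC OK (DO) bit set and read
back the AD (Authenticated Data) flag. Added example, not from the article; wire
format per RFC 1035 and RFC 6891. Assumes the resolver validates DNSSEC (1.1.1.1
and 8.8.8.8 do) and that the network is reachable for the live check."""
import random
import socket
import struct
QTYPE_A, QTYPE_AAAA, QTYPE_DNSKEY = 1, 28, 48

def build_query(name, qtype=QTYPE_A, txid=None):
    """Recursive query (RD=1) with one EDNS0 OPT record carrying DO=1."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # QD=1, AR=1 (the OPT)
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)              # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field = ext-rcode,
    # version and flags where DO is the top bit (0x8000), RDLEN 0.
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0x8000, 0)
    return header + question + opt

def parse_header(response):
    """Decode the 12-byte header; the AD and CD bits are defined in RFC 4035."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", response[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "rcode": flags & 0x000F, "ancount": an}

def classify(hdr):
    """Reduce the resolver's verdict to the three states that matter for spoofing risk."""
    if hdr["rcode"] == 2:
        return "bogus-or-servfail"     # validating resolvers answer SERVFAIL for a broken chain
    if hdr["rcode"] == 0 and hdr["ad"]:
        return "validated"             # the resolver checked the chain of trust end to end
    return "unsigned-or-insecure"     # an answer came back, but nothing authenticated it

def check(name, qtype=QTYPE_A, resolver="1.1.1.1"):
    """Send one UDP query and classify the answer (requires network access)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch; discard the answer")
    return classify(hdr)

if __name__ == "__main__":
    for name in ("diu.mil", "csiac.org"):
        print(name, check(name))
```

The verdict describes what the chosen resolver concluded, so run it against more than one validating resolver before drawing conclusions about a zone.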
Lastly, we took a look at the underlying construction of the csiac.org website. The site is using WordPress for content management. So we went deeper, to see how WordPress was set up. The following is an abstract of the scan results. There are obsolete plugins highlighted using bolding, and an open security hole in the Events Calendar plugin.
Interesting Entries:
Content-Security-Policy: frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval' https: data:
X-TEC-API-VERSION: v1
X-TEC-API-ROOT: https://www.csiac.org/wp-json/tribe/events/v1/
X-TEC-API-ORIGIN: https://www.csiac.org
P3P: CP="{}"
Found By: Headers (Passive Detection)
Confidence: 100%
Enumerating Plugins (via Passive Methods)
Plugin(s) Identified:
buddypress
Location: https://www.csiac.org/wp-content/plugins/buddypress/
Last Updated: 2019-09-30T21:21:00.000Z
[!] The version is out of date, the latest version is 5.0.0
Detected By: Urls In Homepage (Passive Detection)
Version: 3.2.0 (100% confidence)
genesis-simple-share
Location: https://www.csiac.org/wp-content/plugins/genesis-simple-share/
Last Updated: 2019-08-12T12:18:00.000Z
[!] The version is out of date, the latest version is 1.1.5
Detected By: Urls In Homepage (Passive Detection)
menu-icons
Location: https://www.csiac.org/wp-content/plugins/menu-icons/
Last Updated: 2019-05-23T15:18:00.000Z
[!] The version is out of date, the latest version is 0.11.5
Detected By: Urls In Homepage (Passive Detection)
seriously-simple-podcasting
Location: https://www.csiac.org/wp-content/plugins/seriously-simple-podcasting/
Last Updated: 2019-10-14T19:19:00.000Z
[!] The version is out of date, the latest version is 1.20.10
Detected By: Urls In Homepage (Passive Detection)
Version: 1.19.12 (100% confidence)
sp-faq
Location: https://www.csiac.org/wp-content/plugins/sp-faq/
Last Updated: 2019-05-16T11:34:00.000Z
[!] The version is out of date, the latest version is 3.3.2
Detected By: Urls In Homepage (Passive Detection)
the-events-calendar
Location: https://www.csiac.org/wp-content/plugins/the-events-calendar/
Last Updated: 2019-10-16T20:21:00.000Z
[!] The version is out of date, the latest version is 4.9.10
Detected By: Urls In Homepage (Passive Detection)
[!] 1 vulnerability identified:
[!] Title: The Events Calendar < 4.8.2 - XSS
Fixed in: 4.8.2
References:
https://wpvulndb.com/vulnerabilities/9554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15109
Version: 4.6.24.1 (80% confidence)
Detected By: Readme - Stable Tag
https://www.csiac.org/wp-content/plugins/the-events-calendar/readme.txt
The net result is that the csiac.org “Center of Excellence” web site and its related DNSSec have serious cyber security problems, including an open, documented vulnerability in the Events Calendar Plugin as of the publication date of this article. This security hole has been open since March 4, 2019, when it was first published. This is not an example of “leadership by example”. Instead, it is leadership begging for a cyber catastrophe.
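The scan’s “Readme - Stable Tag” detection and the version comparison behind its “out of date” flags can be reproduced in a few lines. The following Python script is an added example, not WPScan code: it reads the Stable tag from a constructed readme.txt fragment and compares it with the fixed-in (4.8.2) and latest (4.9.10) versions the scan reported for the Events Calendar plugin.

```python
"""Reproduce WPScan's "Readme - Stable Tag" detection for a plugin version and
compare it with the fixed-in and latest versions the scan reports.
Added example (not WPScan code); the readme fragment is constructed, the version
numbers (4.6.24.1 installed, fixed in 4.8.2, latest 4.9.10) are the scan's."""
import re

def plugin_readme_url(site, slug):
    """Where WordPress exposes a plugin's readme.txt: <site>/wp-content/plugins/<slug>/readme.txt."""
    return f"{site.rstrip('/')}/wp-content/plugins/{slug}/readme.txt"

def parse_stable_tag(readme_text):
    """Return the 'Stable tag:' value from readme.txt, or None if absent."""
    m = re.search(r"^\s*Stable tag:\s*([0-9][0-9A-Za-z.\-]*)\s*$", readme_text, re.M | re.I)
    return m.group(1) if m else None

def version_key(version):
    """Turn '4.6.24.1' into a comparable tuple; textual parts such as 'beta1' sort below numbers."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", version))

def is_older(installed, reference):
    """True when installed < reference; shorter tuples are padded so 4.8.2 equals 4.8.2.0."""
    a, b = version_key(installed), version_key(reference)
    width = max(len(a), len(b))
    a += ((1, 0),) * (width - len(a))
    b += ((1, 0),) * (width - len(b))
    return a < b

def assess(readme_text, fixed_in, latest):
    """Summarise patch status for one plugin from its readme text."""
    installed = parse_stable_tag(readme_text)
    if installed is None:
        return {"installed": None, "vulnerable": None, "outdated": None}
    return {"installed": installed,
            "vulnerable": is_older(installed, fixed_in),  # below the fix: known issue still present
            "outdated": is_older(installed, latest)}

# Constructed readme fragment carrying the version the scan reported; not the real file.
SAMPLE_README = """=== The Events Calendar ===
Requires at least: 4.7
Tested up to: 5.2
Stable tag: 4.6.24.1
License: GPLv2 or later
"""

if __name__ == "__main__":
    print(plugin_readme_url("https://www.csiac.org", "the-events-calendar"))
    print(assess(SAMPLE_README, fixed_in="4.8.2", latest="4.9.10"))
```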
In both cases, diu.mil and csiac.org, there are major failures in cyber security. Neither site is even close to being “Quantalytics Diamond-Hard™”.
We have a modest recommendation to offer the DoD. Establish an office of Web Security Inspector General for ALL DoD sites which has a basic checklist for security that all DoD sites must pass. These should be HTTP Headers (and not the obsolete P3P), DNSSec, and a Web Application Firewall (WAF).
This entire report is based on the publicly facing Web infrastructure for diu.mil and csiac.org. No laws were broken in examining the public-facing Web and Internet settings for diu.mil or csiac.org. Anyone with sufficient skills and using publicly available tools can replicate these findings.
At Quantalytics, we have a saying we recommend for, among others, DoD: Trust nothing. Verify everything. This is how we create “Quantalytics Diamond-Hard™” network security for our network security appliances, and for our clients.
A tale of two DoD websites, and neither has a happy ending.
Arthur Carp | Quantalytics, Inc. | [email protected] | @quantalytics