Through the Looking Glass. Staysafeonline.org. A Travesty.
Alice, the heroine of “Alice in Wonderland”, makes a return trip in “Through the Looking Glass (and What She Found There)”. While playing with her kittens, she wonders what lies on the other side of the mirror, climbs through it, and finds Looking-Glass House and the world beyond it, where everything is the reverse of what she knows at home, including logic and reason.
The same sort of adventure occurs daily in the cyberverse (cyber universe). We see things that defy logic and boggle the mind, like Tweedledee and Tweedledum on the far side of the looking glass. In our cyberverse, however, the part of Tweedledee and Tweedledum is played by the National Cyber Security Alliance (NCSA), sponsor of the web site staysafeonline.org.
For those unfamiliar with the National Cyber Security Alliance, I quote from Wikipedia: “.. a 501c(3) non-profit founded in 2001, is a public-private partnership working with the Department of Homeland Security, private sector sponsors (founding sponsors included Symantec, Cisco Systems, Microsoft, SAIC, EMC, McAfee) and nonprofit collaborators to promote cyber security awareness for home users, small and medium size businesses, and primary and secondary education.”
We reviewed the public-facing cyber security of staysafeonline.org, the Alliance’s website. Given its sponsor (the National Cyber Security Alliance) and its purpose as stated in the source code of its home page, “Stay Safe Online, the National Cyber Security Alliance’s website, aims to make the internet safer and more secure for everyone.”, we expected to see Quantalytics Diamond-Hard™ cyber security. Instead, we found a mockery and a travesty.
We started with a review of its web site:
https://staysafeonline.org/
For implementing website security using HTTP response headers, the staysafeonline.org site gets a solid “F”. The following headers are all missing, and with them the protection each one provides:
· Strict-Transport-Security (tells browsers to use HTTPS only, blocking protocol-downgrade attacks)
· Content-Security-Policy (restricts where scripts and other content may be loaded from, mitigating cross-site scripting and, via the frame-ancestors directive, clickjacking)
· X-Frame-Options (stops other pages from framing the site for clickjacking)
· X-Content-Type-Options (stops browsers from MIME-sniffing a response into a type the server did not declare)
· Referrer-Policy (controls how much of the URL leaks to other sites in the Referer header)
· Feature-Policy (restricts which browser features a page and its frames may use; since renamed Permissions-Policy)
Also, we disagree with their exposure of web server information. The Server response header publicly states “cloudflare”; we prefer “unknown”. Showing Cloudflare exposes their Content Delivery Network (CDN). One caveat: that value is written by the Cloudflare edge itself, so it identifies the CDN in front of the site rather than the web server software at the origin; it is the origin’s own Server and X-Powered-By headers that a Web Application Firewall (WAF) or an edge rule can strip. Either way, denying this information forces potential hackers to do more recon, which increases the odds of them getting caught.
At Quantalytics, we believe that to successfully defend against hackers, the first step is that one must deny them any information at all that might make their efforts easier and less likely to be caught.
A review of our domain (www.quantalytics.com) will show that the Web Server is “Unknown” and that all of the above HTTP headers are locked down. Quantalytics has no equivalent exposure as a result. At Quantalytics, we call this level of configuration and protection “Quantalytics Diamond-Hard™”, and we expect nothing less from the National Cyber Security Alliance (NCSA) and its website.
(For a complete explanation of HTTP Headers, please see my LinkedIn article, "Resistance is Futile." - The Borg. HTTP Headers published on September 10, 2019.)
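As an added example (not tooling from the article, from Quantalytics, or from staysafeonline.org), the following Python script audits a response's headers against the six headers listed above and reports the Server header. The sample header sets are constructed: one modelled on what the article reports (nothing but a Server header naming the CDN), one showing the hardened set the article calls for. The acceptance thresholds (a 180-day HSTS max-age, a non-wildcard CSP default-src) and the letter-grade scale are this example's own choices, not a standard.

```python
"""Audit HTTP response headers for the protections discussed above.

Added example; the thresholds and grading scale are this script's own.
Run with no arguments to audit the constructed sample, or pass a URL
to fetch and audit a live site's headers.
"""
import re
import sys
import urllib.request


def hsts_ok(value):
    """max-age of at least 180 days (includeSubDomains/preload recommended, not required here)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 180 * 24 * 3600


def csp_ok(value):
    """Require a default-src fallback that is not a bare wildcard."""
    v = " ".join(value.lower().split())
    return "default-src" in v and not re.search(r"default-src\s+\*\s*(;|$)", v)


def xfo_ok(value):
    return value.strip().upper() in {"DENY", "SAMEORIGIN"}


def nosniff_ok(value):
    return value.strip().lower() == "nosniff"


def referrer_ok(value):
    return value.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def present(value):
    return bool(value.strip())


# (accepted header names, value check, what a passing value looks like)
CHECKS = [
    (("Strict-Transport-Security",), hsts_ok, "max-age >= 15552000"),
    (("Content-Security-Policy",), csp_ok, "a default-src that is not '*'"),
    (("X-Frame-Options",), xfo_ok, "DENY or SAMEORIGIN"),
    (("X-Content-Type-Options",), nosniff_ok, "nosniff"),
    (("Referrer-Policy",), referrer_ok, "no-referrer / same-origin / strict-origin*"),
    # Feature-Policy was renamed Permissions-Policy; either name is accepted.
    (("Permissions-Policy", "Feature-Policy"), present, "any non-empty policy"),
]


def audit(headers):
    """Map each required header to 'ok', 'weak' (present but failing) or 'missing'."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for names, check, _ in CHECKS:
        value = next((lower[n.lower()] for n in names if n.lower() in lower), None)
        if value is None:
            report[names[0]] = "missing"
        else:
            report[names[0]] = "ok" if check(value) else "weak"
    return report


def grade(report):
    """Letter grade on this example's own scale: one letter down per missing or weak header."""
    failures = sum(1 for status in report.values() if status != "ok")
    return "ABCDEF"[min(failures, 5)]


def server_disclosure(headers):
    """Return the Server header value if the site discloses one, else None."""
    lower = {k.lower(): v for k, v in headers.items()}
    return lower.get("server", "").strip() or None


def fetch_headers(url):
    """Live helper (needs network): return the final response's headers as a dict."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit-example/1.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return dict(resp.headers.items())


# Constructed sample modelled on what the article reports for staysafeonline.org:
# no security headers, and a Server header naming the CDN. Not a captured response.
OBSERVED_SAMPLE = {
    "Server": "cloudflare",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample of the header set the article calls for.
HARDENED_SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def main(argv):
    headers = fetch_headers(argv[1]) if len(argv) > 1 else OBSERVED_SAMPLE
    report = audit(headers)
    for name, status in report.items():
        print(f"{status:8} {name}")
    print("grade:", grade(report), "| Server header:", server_disclosure(headers) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

The audit deliberately distinguishes "weak" from "missing": a site that sends Strict-Transport-Security with a one-minute max-age or a Content-Security-Policy of default-src * has the header but not the protection, and a scanner that only checks presence would pass it.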
The next staysafeonline.org website cyber security problem is a misconfigured Web Application Firewall (WAF).
Staysafeonline.org, at best, has a misconfigured Web Application Firewall (WAF). We suspect, however, that no Web Application Firewall has been deployed at all, because the HTTP header problems noted above are plainly visible, along with the exact web server (Cloudflare) and Content Management System (WordPress) in use. These can be fixed at the web server software level, or the information suppressed by a properly configured Web Application Firewall (WAF). Without one, an ordinary web browser is weapon enough against the staysafeonline.org HTTP header holes: with no X-Frame-Options header and no Content-Security-Policy frame-ancestors directive, any page can load staysafeonline.org in a hidden iframe for clickjacking, and without X-Content-Type-Options a browser will sniff a response into a type the server never declared.
(For a detailed explanation of Web Application Firewalls (WAFs), please see my LinkedIn article, And the Walls Came Tumbling Down. Web Application Firewalls, published on September 3, 2019.)
Given our surprise and disappointment at how this cyber security advocate is failing to protect itself and its audience by not securing its web server through correct and full implementation of HTTP headers and a Web Application Firewall, we decided to dig deeper and look at their DNSSEC (DNS Security Extensions). DNSSEC lets a validating resolver verify that DNS answers are genuine, which defeats the spoofed or cache-poisoned answers an attacker uses to redirect users to a host under their control, one of the standard routes to a Man-In-The-Middle (MITM) attack. These are especially worrisome if the user is going to a site such as staysafeonline.org, where there is an implicit promise of full cyber security, given the site’s purpose and user base.
The following is a partial map of the DNS authentication chain for staysafeonline.org, showing the end of the chain (diagram not reproduced here).
The diagram shows signed NSEC3 records from the .org zone being returned for staysafeonline.org. Those records are the .org zone’s proof that no DS record exists for staysafeonline.org: the delegation is unsigned, the chain of trust ends at .org, and nothing in the staysafeonline.org zone can be validated. This step is insecure, and it is where a forged answer goes undetected and a Man-In-The-Middle attack can be launched.
The following shows the resulting insecure status of each DNS record type checked (screenshots not reproduced here):
DNS A Record: insecure
DNS AAAA Record: insecure
DNS SOA Record: insecure
DNS NS Record: insecure
DNS MX Record: insecure
DNS TXT Record – SPF: insecure
All of these DNS records are insecure, which leads to the unsurprising conclusion that DNSSEC is not deployed for the zone at all: no answer for staysafeonline.org can be validated, and therefore the site is open to DNS-spoofing Man-In-The-Middle (MITM) attacks.
The net result is that staysafeonline.org and its DNS, with no DNSSEC in place, have major failures in cyber security. This site is not even close to being “Quantalytics Diamond-Hard™”.
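The chain-of-trust finding above can be reproduced from the command line with dig against a validating resolver. As an added example (not the chain-mapping tool behind the diagram, and not code from the article), the following Python script classifies a delegation from the resolver's answer to a DS query: an authenticated DS RRset means the chain continues into the child zone, while an authenticated NSEC/NSEC3 denial of existence means the parent is proving there is no DS, which is exactly the "insecure" step shown above. The dig transcripts embedded below are constructed in dig's output format for two made-up zones, with placeholder hashes, signatures and digests; they are not captures from staysafeonline.org. The query helper assumes dig is installed and that the resolver (1.1.1.1 by default) validates DNSSEC.

```python
"""Classify a DNSSEC delegation from a validating resolver's DS answer.

Added example, not the article's tooling. Offline, it classifies the
constructed transcripts below; pass a zone name to query live with dig.
"""
import re
import subprocess
import sys


def parse_dig(text):
    """Split dig's default text output into (header flags, answer rrtypes, authority rrtypes)."""
    flags, answer, authority = set(), [], []
    section = None
    for line in text.splitlines():
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION"):
            section = answer
            continue
        if line.startswith(";; AUTHORITY SECTION"):
            section = authority
            continue
        if line.startswith(";;"):
            section = None  # QUESTION, ADDITIONAL, timing and other comment lines
            continue
        if not line.strip() or line.startswith(";") or section is None:
            continue
        parts = line.split()  # owner  ttl  class  TYPE  rdata...
        if len(parts) >= 4:
            section.append(parts[3])
    return flags, answer, authority


def classify_delegation(dig_ds_output):
    """Classify a child zone's delegation from a DS query sent to a validating resolver.

    'secure'      : an authenticated DS RRset exists; the chain of trust continues into the child.
    'insecure'    : the resolver authenticated (AD flag) a denial of existence (NSEC/NSEC3 in the
                    authority section): the parent proves there is no DS, the chain ends here, and
                    nothing in the child zone can be validated.
    'unvalidated' : no AD flag, so the resolver did not validate; nothing can be concluded.
    """
    flags, answer, authority = parse_dig(dig_ds_output)
    if "ad" not in flags:
        return "unvalidated"
    if "DS" in answer:
        return "secure"
    if any(rrtype in ("NSEC", "NSEC3") for rrtype in authority):
        return "insecure"
    return "unvalidated"


def answer_authenticated(dig_output):
    """True when the resolver set the AD flag on this answer (e.g. an A, MX or TXT lookup)."""
    flags, _, _ = parse_dig(dig_output)
    return "ad" in flags


def query(name, rrtype="DS", resolver="1.1.1.1"):
    """Live helper (needs network and dig): +dnssec makes the RRSIG/NSEC3 proof visible."""
    cmd = ["dig", "+dnssec", "@" + resolver, rrtype, name]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed transcript: a validating resolver answering a DS query for a zone whose
# parent (.org) holds no DS. Hashes, signatures and digests are placeholders.
UNSIGNED_DELEGATION = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;unsigned-example.org.\t\tIN\tDS

;; AUTHORITY SECTION:
org.\t\t900\tIN\tSOA\tns0.registry.example. hostmaster.registry.example. 2019121201 1800 900 604800 86400
org.\t\t900\tIN\tRRSIG\tSOA 8 1 900 20191231000000 20191210000000 4242 org. (signature placeholder)
0000000000000000000000000000000a.org. 86400 IN NSEC3 1 1 1 ABCD 0000000000000000000000000000000b NS SOA RRSIG DNSKEY NSEC3PARAM
0000000000000000000000000000000a.org. 86400 IN RRSIG NSEC3 8 2 86400 20191231000000 20191210000000 4242 org. (signature placeholder)

;; Query time: 20 msec
"""

# Constructed transcript: the same query for a zone that does publish a DS at its parent.
SIGNED_DELEGATION = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;signed-example.org.\t\tIN\tDS

;; ANSWER SECTION:
signed-example.org.\t3600\tIN\tDS\t12345 13 2 (digest placeholder)
signed-example.org.\t3600\tIN\tRRSIG\tDS 8 2 3600 20191231000000 20191210000000 4242 org. (signature placeholder)

;; Query time: 18 msec
"""

# The unsigned case as a non-validating resolver would return it: no AD flag, so no conclusion.
NON_VALIDATING = UNSIGNED_DELEGATION.replace(" ad;", ";")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "delegation:", classify_delegation(query(sys.argv[1])))
    else:
        for label, sample in (("unsigned", UNSIGNED_DELEGATION), ("signed", SIGNED_DELEGATION),
                              ("non-validating resolver", NON_VALIDATING)):
            print(f"{label}: {classify_delegation(sample)}")
```

The "unvalidated" outcome is the caveat that matters in practice: a resolver that does not validate returns the same records without the AD flag, and reading its output as "insecure" or "secure" is a guess, not a finding.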
Lastly, we took a look at the underlying construction of the staysafeonline.org website. The site is using WordPress for content management. So we went deeper, to see how WordPress was set up. The following is an abstract of the scan results (WPScan-format output). The scanner lists three known security holes for the Advanced Access Manager plugin and one for the Yoast SEO plugin, and flags two obsolete plugins, Stream and WordPress-SEO (Yoast). One caveat: the abstract shows no detected version for Advanced Access Manager, and the scanner reports every known vulnerability for a plugin whose version it cannot determine, so those three entries need the installed version confirmed before they count as open holes. The Yoast finding is version-confirmed: the detected 11.1.1 falls inside the affected range.
WordPress itself is a major version behind. The scan identified 5.2.4; the latest WordPress release as of the scan date (December 12, 2019) was 5.3.
Effective URL: https://staysafeonline.org/
Started: Thurs Dec 12 02:06:21 2019
Interesting Finding(s):
https://staysafeonline.org/
Interesting Entries:
WordPress version 5.2.4 identified.
Detected By: Emoji Settings (Passive Detection)
https://staysafeonline.org/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.4'
Confirmed By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
Enumerating All Plugins (via Passive Methods)
Plugin(s) Identified:
[!] 3 vulnerabilities identified:
Title: Advanced Access Manager 2.8.2 - Admin User File Read/Write
Fixed in: 2.8.3
References:
- https://wpvulndb.com/vulnerabilities/7611
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6059
- https://security.dxw.com/advisories/advanced-access-manager-allows-admin-users-to-write-arbitrary-text-to-arbitrary-locations-which-could-lead-to-arbitrary-code-execution-etc/
- https://seclists.org/fulldisclosure/2014/Sep/21
[!] Title: Advanced Access Manager <= 3.2.1 - Privilege Escalation
Fixed in: 3.2.2
References:
- https://wpvulndb.com/vulnerabilities/8521
- https://www.pritect.net/blog/advanced-access-manager-3-2-1-security-vulnerability
[!] Title: Advanced Access Manager < 5.9.9 - Arbitrary File Access/Download
Fixed in: 5.9.9
Reference: https://wpvulndb.com/vulnerabilities/9873
[+] stream
Location: https://staysafeonline.org/wp-content/plugins/stream/
Last Updated: 2019-09-26T11:40:00.000Z
[!] The version is out of date, the latest version is 3.4.2
Detected By: Comment (Passive Detection)
Version: 3.2.3
Detected By: Comment (Passive Detection)
- https://staysafeonline.org/, Match: 'Stream WordPress user activity plugin v3.2.3'
[+] wordpress-seo
Location: https://staysafeonline.org/wp-content/plugins/wordpress-seo/
Last Updated: 2019-11-28T15:42:00.000Z
[!] The version is out of date, the latest version is 12.6.2
Detected By: Comment (Passive Detection)
[!] 1 vulnerability identified:
[!] Title: Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS
Fixed in: 11.6
References:
- https://wpvulndb.com/vulnerabilities/9445
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13478
- https://gist.github.com/sybrew/2f53625104ee013d2f599ac254f635ee
- https://github.com/Yoast/wordpress-seo/pull/13221
- https://yoast.com/yoast-seo-11.6/
Version: 11.1.1
Detected By: Comment (Passive Detection)
- https://staysafeonline.org/, Match: 'optimized with the Yoast SEO plugin v11.1.1 -'
The net result is that the staysafeonline.org web site, dedicated, per their “About” page, to “encourage a culture of cybersecurity”, and its DNS, with no DNSSEC, have serious cyber security holes, including open, documented vulnerabilities as of the publication date of this article. The Yoast plugin vulnerability was published on July 9, 2019, and the detected version 11.1.1 is inside its affected range, so that hole is confirmed open; it is an authenticated stored XSS, so it needs a logged-in user to plant the payload, which limits but does not remove the risk. The Advanced Access Manager entries date back as far as 2014; because the scan did not determine that plugin’s version, they must be checked against the installed version before being counted, but a plugin with that history appears to have been deployed without such a check.
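The scan abstract above is passive fingerprinting: versions are read from an asset query string and from HTML comments the plugins leave in the page, then compared with the advisories' "fixed in" versions. As an added example (not WPScan and not code from the article), the following Python script does that comparison for the three components the scan identified, and returns "unknown" rather than "vulnerable" for a component whose version it could not fingerprint, which is the Advanced Access Manager situation above. The page fragment is constructed from the three match strings quoted in the scan output, not a copy of the live home page; the regular expressions are this example's own; the advisory and "latest version" figures are taken from the scan abstract, plus WordPress 5.3 as the current release at the scan date.

```python
"""Passive WordPress component fingerprinting and advisory matching.

Added example. Fingerprints a page fragment for WordPress core and two
plugin versions, then matches them against the advisories reported above.
"""
import re

# Version-bearing fingerprints of the kind the scan matched passively: an inline-script
# asset URL carrying ?ver= (slashes may be JSON-escaped) and two plugin HTML comments.
VERSION = r"(\d+(?:\.\d+)*)"
FINGERPRINTS = {
    "wordpress": re.compile(r"wp-includes\\?/js\\?/wp-emoji-release\.min\.js\?ver=" + VERSION),
    "stream": re.compile(r"Stream WordPress user activity plugin v" + VERSION),
    "wordpress-seo": re.compile(r"optimized with the Yoast SEO plugin v" + VERSION),
}

# Advisories as reported in the scan abstract: (slug, title, first affected, fixed in).
# None for "first affected" means the scan gave only the fixed-in version.
ADVISORIES = [
    ("advanced-access-manager", "Advanced Access Manager 2.8.2 - Admin User File Read/Write (CVE-2014-6059)", None, "2.8.3"),
    ("advanced-access-manager", "Advanced Access Manager <= 3.2.1 - Privilege Escalation", None, "3.2.2"),
    ("advanced-access-manager", "Advanced Access Manager < 5.9.9 - Arbitrary File Access/Download", None, "5.9.9"),
    ("wordpress-seo", "Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS (CVE-2019-13478)", "1.2.0", "11.6"),
]

# Latest releases at the scan date: plugin figures from the scan abstract, WordPress 5.3
# from the WordPress release history.
LATEST_AT_SCAN = {"wordpress": "5.3", "stream": "3.4.2", "wordpress-seo": "12.6.2"}


def parse_version(text):
    """'5.2.4' -> (5, 2, 4); tuple comparison then orders versions correctly ((5, 2, 4) < (5, 3))."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(html):
    """Return {component: version} for every fingerprint that matches the page source."""
    found = {}
    for component, pattern in FINGERPRINTS.items():
        match = pattern.search(html)
        if match:
            found[component] = match.group(1)
    return found


def assess(found, advisories=ADVISORIES):
    """Return [(component, title, status)] with status 'vulnerable', 'patched' or 'unknown'.

    'unknown' is the honest answer when no version was fingerprinted: a scanner then lists
    every advisory for the component, which must not be read as proof each hole is open.
    """
    results = []
    for component, title, first, fixed in advisories:
        version = found.get(component)
        if version is None:
            status = "unknown"
        else:
            v = parse_version(version)
            affected = v < parse_version(fixed) and (first is None or v >= parse_version(first))
            status = "vulnerable" if affected else "patched"
        results.append((component, title, status))
    return results


def outdated(found, latest=LATEST_AT_SCAN):
    """Return {component: (found version, latest version)} for components behind the latest release."""
    return {c: (v, latest[c]) for c, v in found.items()
            if c in latest and parse_version(v) < parse_version(latest[c])}


# Constructed page fragment built from the three match strings quoted in the scan output.
SAMPLE_HTML = r"""<!DOCTYPE html><html><head>
<!-- This site is optimized with the Yoast SEO plugin v11.1.1 - https://yoast.com/wordpress/plugins/seo/ -->
<script>window._wpemojiSettings={"source":{"concatemoji":"https:\/\/www.example.org\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.4"}};</script>
</head><body>
<!-- Stream WordPress user activity plugin v3.2.3 -->
</body></html>"""


if __name__ == "__main__":
    found = fingerprint(SAMPLE_HTML)
    print("fingerprinted:", found)
    for component, (have, latest) in outdated(found).items():
        print(f"out of date: {component} {have} (latest {latest})")
    for component, title, status in assess(found):
        print(f"{status:10} {title}")
```

Running the script on the sample prints the Yoast advisory as vulnerable, all three Advanced Access Manager advisories as unknown, and all three fingerprinted components as out of date; feeding it a saved copy of a real page's source instead of SAMPLE_HTML gives the same kind of answer for that site.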
This web site makes a total mockery, as noted at the beginning of this article, of the self-stated “Vision” of the National Cyber Security Alliance. I quote from the “About” page’s Mission statement: “To educate and empower our global digital society to use the internet safely and securely.”, and its “Underlying Value” statement: “Securing our online lives is a shared responsibility.” Given the extremely poor cyber security of this site, these statements are also a travesty, as noted at the beginning of this article.
The staysafeonline.org site is not even close to being “Quantalytics Diamond-Hard™”. Its sponsor, the National Cyber Security Alliance, has created a cyber disaster waiting to happen, rather than a paradigm. The advice being offered may be sound, but the vehicle delivering it is another story!
We have some recommendations to offer the National Cyber Security Alliance, which is responsible for staysafeonline.org. Demand from Cloudflare a properly configured Web Application Firewall (WAF). Add the missing HTTP security headers. Sign the staysafeonline.org zone and publish a DS record at .org so that the DNSSEC chain of trust reaches the zone. Update WordPress and the plugins. Serve as an example, rather than, as matters currently stand, as a mockery and a travesty.
This entire report is based on the publicly facing Web infrastructure for www.staysafeonline.org. No laws were broken in examining the public-facing Web and Internet settings for www.staysafeonline.org. Anyone with sufficient skills, and using publicly available tools, can replicate these findings.
At Quantalytics, we have a saying we recommend for, among others, the National Cyber Security Alliance: Trust nothing. Verify everything. This is how we create “Quantalytics Diamond-Hard™” network security for our network security appliances, and for our clients.
Arthur Carp | Quantalytics, Inc. | [email protected] | @quantalytics