Category Archives: White Fir

Trust Guard and the False Security of Trust Seals

The recent massive credit card breach at Home Depot was yet another reminder that whether offline or online, IT security is often lacking. For consumers the question then is how can they know that their information is secure when they provide it to companies? Numerous security companies have created trust seals – that can be placed on websites if they meet certain requirements – that let the public know that a website is secure. The problem we have found with a number of these is that they are not doing basic security checks and therefore their assurances of security are false. Last week took a look at SiteLock’s and earlier this year we looked Norton’s, now we will look at another bad trust seal that we ran across recently.

While visiting the website of a client’s web host recently our Chrome extension Meta Generator Version Check provided an alert that website was running an outdated version of Joomla:

Hostica is Running Joomla 1.5

It obviously isn’t a great sign that web host is running outdated software on their website (especially when that version hasn’t been supported for two years), but what was more surprising was the Trust Guard security verified trust seal at the bottom of the website:

Hostica's Trust Guard Security Verified Trust Seal

In this case it is easy to detect that the website is running an outdated version of Joomla since there is a meta generator tag in the source code of the website’s pages that tells you exactly that:

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

With such an easy to detect security issue a trustworthy trust seal shouldn’t claim that the website is secure. We were curious to find out exactly what security checks Trust Guard was actually doing. Clicking the trust seal brought up a page that explained why they are claiming the website has verified security:

In order for www.hostica.com to qualify for the Trust Guard Security Verified Seal, we verify that their website is using at least 128-Bit SSL Encryption on pages where private information can be entered, such as credit cards, Social Security numbers, loan information, etc. and we monitor the SSL certificates expiration.

While using SSL encryption when sensitive information can be entered is important for security it doesn’t mean a website is secure, just that someone cannot snoop on the information as it sent to the website. For example, we have done plenty of cleanups of hacked websites in which the credit card information was compromised once it made its way to the website. Since a web browser’s user interface already provides notice when a secure SSL connection is in use, it isn’t clear what security value the trust seal is meant to provide, but it doesn’t seem that it out ways how misleading it is to claim that a website’s security is verified based only on the fact that it is using SSL encryption.

Is it Time to Upgrade to Zen Cart 1.5.3?

It has now been a couple of months since Zen Cart 1.5.3 was released and we have now handled enough upgrades to the new version to provide our insights on the question that has been coming up when discussing upgrading Zen Cart with clients, is it time to upgrade Zen Cart 1.5.3?

Let’s start with what is new in Zen Cart 1.5.3. One of the big changes is that version 1.5.3 supports PHP 5.4, 5.5, and 5.6. The new version includes some security enhancements, including better password hashing. It also includes numerous bug fixes and some performance enhancements. You can find the full list of changes in the release announcement.

We have run into couple of issues when doing upgrades to 1.5.3. The first is that many addon modules do not officially support Zen Cart 1.5.3 yet. For some modules they may not need any changes and their maintainer just hasn’t bumped the Zen Cart version supported. Others that modify core Zen Cart files will need to have updated versions of those files included, until they do that you can use those with 1.5.3 if you apply the changes they make to those files to the versions of the file include with 1.5.3. Others need to be modified to work with Zen Cart 1.5.3. The second issue we have found is that some changes in Zen Cart 1.5.3 will require making changes with your current setup, for example changing the time zone now needs to be done differently and custom templates may need to be changed to support more secure redirect links.

With the basics set out, below we provide on advice on whether it is time to upgrade depending on your current situation:

Running Zen 1.3.9, 1.3.8, or older

If you are still running Zen Cart 1.3.9, 1.3.8, or and even older version you are overdue for an upgrade at this point so you should probably go ahead with the upgrade now. While issues with modules and 1.5.3 could cause some issues, you are going to probably run into module issues that will have to be dealt during testing when upgrading from those versions to any version of Zen Cart 1.5.

Need to Be Using a PA-DSS Certified Version of Zen Cart

Zen Cart 1.5.0 continues to be the only version to be PA-DSS certified, so for those that need that for PCI compliance purposes should remain on 1.5.0 for now. In the release announcement for 1.5.3 it says that a new PA-DSS certified version should “hopefully” be released in “only a couple months”.

Web Hosting Account Switching to PHP 5.4, 5.5, or 5.6

The number one reason we are hired do Zen Cart upgrades is that version currently being used is not compatible the version of PHP that the web server the website hosted on is being upgraded to. With the recent end of support for PHP 5.3 web hosts should be moving to at least PHP 5.4 soon (though many web host are only now transitioning off of PHP 5.2 despite support ending in January of 2011). Zen Cart 1.5.3 is the first release to support PHP 5.4, 5.5, and 5.6 so anyone moving to those versions of PHP should upgrade.

Running 1.5.0 or 1.5.1

If you don’t need to upgrade for the new versions of PHP, don’t have an urgent need for an of the bug fixes or improvements, and use a lot of modules you may to want hold off until more modules are updated for Zen Cart 1.5.3. Otherwise, it would be a good idea to do upgrade now.

Companies Trying to Sell Unnecessary Work Along With Needed Web Software Upgrades

When it comes to the security of websites, often the basic security precautions are not being taken. This year we have looked at data showing that many Joomla, Drupal, and WordPress based websites are not being updated in a timely manner, which leaves them at risk from vulnerabilities that have been fixed in subsequent releases. Companies involved with the development or maintenance of websites should be trying to do more to make sure that websites are kept up to date, but a couple of recent situations showed there are some companies out there trying to use people’s needs for updates as an opportunity to sell them unneeded work instead. Below we will take a look at those and provides some advice on preventing being taken advantage of in that type of situation.

Magento Doesn’t Require Incremental Upgrades

While recently discussing a Magento upgrade with a potential client they mentioned that they had tried a test of the upgrade that had had problems and that other companies that they had talked to had told them that the upgrade has to be done through a series of incremental upgrades to prevent that type of thing. That is, instead of going from their current version of 1.5 directly to 1.9 the website would need to be upgraded from 1.5 to 1.6 then to 1.7 then to 1.8 and finally to 1.9. When we heard that we were perplexed, not only are incremental upgrades not needed but in looking over lots of material on Magento upgrades (due to our having dealt with probably about everything that can go wrong with a Magento upgrade) we have never even seen doing that suggested. It also wouldn’t have had any impact on the problems they had. Doing those incremental upgrades was going to increase the cost of the upgrade, which seems to be why the companies would be claiming it was needed.

If incremental upgrades were needed you would expect it to be in the official upgrade documentation, which it isn’t. To better understand why that isn’t needed lets break down the upgrade. The upgrade involves changing two things:

The first is replacing the old Magento files with the new ones. If you directly upgrade to the new version or do incremental upgrades you will end up with the same files in use. The incremental upgrade might leave some left over files that are not used in the new version. So for this part of the upgrade the incremental approach adds nothing.

The second is updating the database to make it compatible with the new version of Magento. Magento will automatically make all the necessary updates from the version were running to the new version. So doing incremental upgrades would just split up the updates, but the end result would be the same updates running. We have never had any problem with database update caused by going directly from as far back as version 1.3.x to the latest version, 1.9.x. It is true to that sometimes servers have problems running through all the database updates, but there are better options for handling that then doing a bunch of incremental upgrades (doing the database portion of the upgrade on a separate server is very effective workaround provided you do this in your test of the upgrade first to insure it doesn’t cause any complications).

Websites Don’t Just Fail and You Can Upgrade Older Zen Cart Versions

The second situation was a lot more troubling. We were first contacted by a potential client about getting a quote for a Zen Cart upgrade and then they wanted quote to replace the store with a new Zen Cart installation. When we asked what was wrong that they needed a new Zen Cart installation they explained that another company had told them that their current Zen Cart installation “will fail and I will wake up one day and it will be gone” and they would need a whole new one. The idea that the website would just fail one day sounds quite scary, but it isn’t true. Websites don’t just fail like that. The only situation we could think of where something close to like that is if a web host upgrades to a newer versions of PHP then older versions of Zen Cart will stop functioning. That can prevented by upgrading to a newer version of Zen Cart. So why couldn’t they just upgrade? Well the other company was claiming that there Zen Cart installation was to old to upgrade. We have no idea why they would say that since the version in use, 1.3.9f, is much newer than versions we frequently do upgrades from. Either the other company, which portrayed themselves as Zen Cart specialists, didn’t have any idea what they are doing or they trying to trick people into unneeded work.

Protecting Yourself

There are two good options to make sure you don’t get taken advantage of in situations like this. First, when you are looking into having an upgrade done contact multiple companies to discuss what they would do in the situation. In these cases when the suggested unneeded work was brought up we were able to explain why it wasn’t needed. The second is to ask in the forum for the software if what the company is telling you is accurate. From what we have seen the information in those forums is generally accurate and in the type of situations we described we are sure someone would have explained that what is being said by the companies isn’t true.

SiteLock Fails To Do Basic Security Check

When it comes to the security of websites what we see is a situation where basic security measures, like keeping software up to date, are not being taken and security companies, most of whom appear to have little interested in actually improving security, are selling security services that are really not needed. A good example of this is SiteLock, which sells a security service that doesn’t provide any of the security measures that need to be taken to protect your website from hackers. Worse than that, we recently found that it is really poor at doing one of things that it is supposed to do, leading the people running websites and their customers to have a false sense of security.

We recently were hired to do an upgrade of website running Magento 1.4.1.1, a rather out of date version (the next version, 1.4.2.0, was released in December of 2010). When we took a look at the website we were rather surprised to see a security seal from SiteLock claiming the website was secure (we have blacked out the domain name in the image):

SiteLock Secure Seal

Version 1.4.1.1 of Magento is old enough that security patches for major issues are no longer released for it and anyone concerned about security would be running at least the most recent major release, 1.9.0.0, as it includes a number of security enhancements:

  • Addressed a potential cross-site scripting (XSS) vulnerability while creating configurable product variants.
  • Addressed a potential security issue that could result in displaying information about a different order to a customer.
  • Users can no longer change the currency if the payment method PayPal Website Payments Standard is used.
  • Removed an .swf file from the Magento distribution because of security issues.
  • Improved file system security.
  • Enhanced the security of action URLs, such as billing agreements.
  • Addressed a potential session fixation vulnerability during checkout.
  • Improved the security of the Magento randomness function.

We don’t really think that a website should labeled as secure in that instance, but we assumed that SiteLock had at least provided a private warning that the website was in need of an update. But according to our client they never heard anything from SiteLock about the issue. This is surprising considering it is something that service is supposed to be providing. On the homepage of their website they start the description of their services as “We scan your website to find and fix existing malware and vulnerabilities “. On the page about the service they further expand on that:

Our scanners identify applications you have installed and which version you have. We compare that to industry and proprietary lists to determine the security of your installation. SiteLock’s comprehensive scanning eliminates reports of “false positives” that are not truly dangerous to your business. If we discover a vulnerability in our testing, we report it to you immediately and can help you upgrade your application version and secure your site.

How did SiteLock miss that the website is running such outdated software? It is not because it is difficult to detect. If you have access to the website’s underlying files, which it appears SiteLock would have, then you can easily get the Magento version number from the file /app/Mage.php in Magento. Without access the underlying files you can still get the version number of Magento in use. One way to do that is with our Magento Version Check extension for Chrome, which had no problem detecting the version in use on the website:

Magento Version Check

For anyone looking for a tool that will actually alert you when your websites are using outdated software our Up to Date? app for Chrome provides just that:

Up to Date? app showing Magento verisons

As for the SiteLock service, you would better off using the money you would spend on their service on the things that will actually keep your website secure.

Setting The Time Zone in Zen Cart 1.5.3

By default Zen Cart uses the time zone of the server the website is hosted on as the time zone for the store, which often isn’t the preferred time zone. In the past changing the time zone required modifying the server or using a module (either the Time Zone Offset module or the subsequent Time Zone Fix module). With Zen Cart 1.5.3 all you have to do to set the time zone is to add your preferred time zone in the file /includes/extra_configures/set_time_zone.php on the line:

$TZ = ” // eg: ‘Europe/Oslo’

For example, if you are in Sydney, Australia you would change it to:

$TZ = ‘Australia/Sydney’ // eg: ‘Europe/Oslo’

The full list of time zones values available can be found at http://www.php.net/manual/en/timezones.php.

If the setting has properly configured your preferred time zone will be shown at the top of the Zen Cart admin pages:

Zen Cart Admin Time Zone Displayed

For those currently using the Time Zone Fix module to set the time zone, you will need to switch to the new method when you upgrade to Zen Cart 1.5.3 as the module no longer functions in 1.5.3.

DreamHost’s Failure to Keep MySQL Updated Blocks Use of Latest Moodle Version

When it comes to the security of websites, keeping the software running them up to date is an important. While web hosts make a point of emphasizing the need to keep the user added software up to date, up to point of often incorrectly jumping to the conclusion that a website must have been hacked due to outdated software, they often fail to their part by keeping the software running the server up to date. In the case of DreamHost, this now not only means that their servers are not properly secured, but also that recent software can’t be used.

The latest version of Moodle, 2.7, requires at least version 5.5.31 of MySQL. This shouldn’t be a problem as MySQL 5.5 is currently the oldest series supported and version 5.5.31 was released 16 months ago. Unfortunately, while we preparing to do a Moodle upgrade for a client hosted with DreamHost we found that they are still on version 5.1.56. Our client contacted them about this and didn’t get any movement on getting this updated. They were not first, as the issue was brought up in May on a thread on DreamHost forum requesting that MySQL be updated. A DreamHost representative replied in the thread before and after that so they should have be aware that it was mentioned.

While the inability to use the latest version of Moodle is of concern, the larger issue is just how out of date DreamHost leaves the software running on their servers. Support for MySQL 5.1 ended at the end of last year, so they have been running an unsupported version for eight months. If they needed to stick to MySQL 5.1 for some reason, then you would expect that would be running the last version of 5.1, but there not. Instead they are running a version that is over three years out of date (5.1.57 was released in May of 2011) and they didn’t update after either of two subsequent releases with security updates were put out (5.1.62 and 5.1.63).

Copyright © 2014. Powered by WordPress & Romangie Theme.