Google Security Blog
- Written by Bruce Moore
- Hits: 5400
Protecting Externally Generated HTML Reports in Joomla
A number of reporting applications will generate extensive interactive HTML web sites that are very useful, but can be hard to secure behind a login, especially when you must incorporate HTML from a number of different report generators. Fortunately, there is a relatively simple way to do this in Joomla using the “wrapper” menu item type. The example that follows shows how to do this in situations where you want to secure the HTML report from scanning and indexing by search engines, but do not require absolute security. This might apply to content that is not confidential or proprietary, but which would generate unwanted email inquiries were it to be indexed. This approach will meet many low security needs but does not provide total security; see the discussion during the section on modifying
.htaccess for more information on security issues with this approach.
Step 1: Upload the HTML Web Report
The first step is to upload the HTML report into its own directory; you do not want to mix your report files in with anything else. It should be a directory that is only accessible to people who are trusted and authorized, so it probably should not be a subdirectory in the
images or other media directory. The directory name should not be identical to the names used for any categories, tags or articles, as this will make URL collisions a problem and create issues for SEO. If you will have a lot of reports, you will probably want to create some kind of directory hierarchy.
For security reasons that will be described later, your directory name should contain a random string that is eight or more characters.
Step 2: Fix Permissions on HTML Web Report Using Akeeba Admin Tools
The next step is to make sure that the directory and file permissions are secure–755 for directories and 644 for files. Many of the report generator tools do not pay attention to this.
In Akeeba Admin Tools, go to the Custom Permissions option shown in Figure 1 and make sure that your directories are listed with the proper permissions, and select
Apply; using shell access or some other means, verify that the permissions were set properly using
ls -l or some other command.
Step 3: Create Menu Option for HTML Wrapper
Next, create a new menu options using the Wrapper option as shown in Figure 2. Put your HTML report’s URL in the option field as shown in Figure 3. If you want to restrict access, change the Access from “Public” to a particular group as shown in Figure 3.
If you used a secure group for access, only logged in users will be able to locate the information, and search engines will not find the pages for indexing. However, if someone knows the URL, they could still get to it directly without any difficulty; we still need to secure access by changing the
Step 4: Add Custom Rules to .htaccess Using Akeeba Admin Tools
To secure the HTML report from direct access, you must add lines to the
.htaccess file that is used to control Apache. There are perhaps a million ways to do this but the easiest relies on the way that Joomla implements the wrappers. For the wrapper menu option, Joomla uses the
iframe HTML tag; this has the side effect that all accesses to these HTML pages through your site will have your site as the referrer. We will write
.htaccess rules that prevent access to the files if the referrer is not your site. This still leaves open the hole that someone could spoof the referrer and guess the correct URL and get access to the files, thus the recommendation that you use unique random strings in the directory names.
The URL will be visible to logged in authorized users via “View Source”. If one of those logged-in, authorized users decides that the HTML report should be publicly visible, that uses can post the URL at which point it will be possible for a malicious user to spoof the referrer and gain access. Well-behaved search engines still would not index the page, unless the logged-in, authorized user posted the link in a publicly accessible and indexable area of your site.
For many applications this is an acceptably small attack window, but it should be recognized that it is an open window, however small.
Figure 4 contains the code that you should use in your
.htaccess file. Make sure to replace the domain and directory in the example with your own domain and directory.
Step 5: Modify Module Display for Report Menus
The final step in the process of adding an HTML report to your Joomla website is optional and depends on the report and template that you are using. Many reports will benefit from having a wide column layout. If you have navigation, recent articles, popular articles or other Joomla modules to the left and right of your HTML report, you might get some awkward or unusable line wraps. To give your report a wider column, you may want to omit these Joomla modules from the menu options that drive these HTML reports as shown in Figure 5.
- Written by Bruce Moore
- Hits: 2120
SSL Changes in Chrome 56–March, 2017
In Google Chrome Release 56, Google appears to have revoked ALL certificates issued by StartSSL and WoSign rather than just those certificates issued after October 21, 2016. If you have not already replaced otherwise valid StartSSL certificates, you should do so now. While StartSSL was for a long time the best source for free domain verification certificates, Let’s Encrypt and Cpanel are now the perferred approach for most webmasters.
Viewing a Certificate in Chrome 56
To streamline the user interface for non-technical users that do not know what a cerficate is, Google has removed the ability to view a certificate from the normal user interface; you must now go to the developer tools via F12 and the Security tab to look at the certificate characteristics.
- Written by Bruce Moore
- Hits: 2366
The Mess with Cellphone Security Updates
My then 2 1/2 year old Google Nexus 5 stopped getting security updates last October (2016), but it was not until the recent Broadcom Wi-Fi chipset vulnerability that I got serious about getting a new phone that gets security updates. I am frustrated that I’m replacing functioning hardware because the manufacturer’s (Google) security update policy has made it unsafe to continue to use the device.
In looking for a new phone, I decided that there were a few key requirements:
- Monthly or immediate upon discovery security patches supported by a published policy.
- A price to security update life of less than $150/year.
- Availability of an email client that supports S/MIME for IMAP/SMTP email accounts.
- Availability of an end-to-end encrypted messaging app that is widely used. My preference is Signal, but there are others that meet this requirement.
- Supports Google Authenticator or another authenticator that provides two-factor authentication for Joomla-based web sites.
I ended up getting an iPhone SE, but my research and observations follow.
Alternative Firmware for Nexus 5
There are alternative firmwares available for some Android phones; although the Cyanogen project has collapsed, the follow-on LineageOS project is alive and well, and supports the Nexus 5. I’m comfortable flashing devices, but I do not want to do this for my primary phone. I will flash the Nexus 5, but will only use it as a backup device.
I looked at new Android, iPhone and Windows devices; a summary of my research follows.
Apple has a very clear hardware support policy and a history of providing security updates for about four years. Assuming three years, most Apple devices get ruled out by the $150/year cost limit that I have imposed, but the smallest (32G) iPhone SE does meet my annual cost requirement and the other requirements. Apple has the best S/MIME support of any vendor by a huge margin, and Signal is available on the iPhone. Two-factor authenticators are available.
Lumia Phones by Microsoft
Microsoft has a clear phone security update policy, and there are several Lumia models that meet my cost requirements. There are secure messaging apps available. Unfortunately, I could not find an S/MIME application. The default email application will do S/MIME when connected to a Microsoft Exchange server, but not for IMAP/SMTP servers. It looks like the Microsoft Authenticator App follows the same standard as the Google Authenticator, but I did not research this conclusively.
I was really frustrated by the lack of an S/MIME email app, as I really like the Windows 10 phone user interface. For most users looking for an inexpensive secure phone, I would strongly consider the inexpensive Lumia models. My requirement for S/MIME was the primary thing that prevented me from getting a Windows phone.
All Android devices meet my requirements for availability of an S/MIME client, secure messaging and Google Authenticator. For Android devices, the manufacter’s security policy and cost were the primary considerations.
Google has a published security policy and I could probably expect no more than three years of updates, so at $649, the Pixel does not meet my annual cost requirement. There are third-party S/MIME clients available in the Google Play Store and Signal is available on Android.
Motorola G4 and G5
I looked at the Motorola G4 and G5 at Best Buy (which had about 15 unlocked phones), and both had Android 7.0 installed with the December 1, 2016 and January 1, 2017 security updates installed respectively. At $180 and $230, both devices met my cost, S/MIME and messaging requirements. Unfortunately, Motorola does not have a published security update policy that I could find, and does not have a good reputation for security update timeliness.
LG X Power
The LG X Power meets my price and function requirements, but I could not find a published security update policy.
Samsung has a published security update policy. Samsung’s flagship S series gets monthly security updates and meets my functional requirements, but it does not meet my $150/year cost requirements. The J series only gets quarterly updates and the J1 at Best Buy was only running Android 5.1.
Phone Security is a Mess
The lack of security awareness of phone manufacturers other than Apple, Google and Microsoft is absolutely disgraceful, especially for low-end devices. For Android devices, you need to pay about $225/year in order to get security updates, and as far as I am concerned, that is too high. My biggest frustration in this research exercise was the difficulty of finding a manufacturer’s security update policy.
If there were a clear security update policy for two or three years for the Motorola G4, that would have been my first choice. If there were a clear security update policy for the LG X Power, it would easily have been my second choice.
- Written by Bruce Moore
- Hits: 2162
A couple of weeks ago, the Independent Bankers Association of Texas (IBAT) asked members for stories on regulation problems that the Association’s leadership could use in lobbying efforts to support the passage of the TAILOR act and other efforts to roll back some of the provisions of Dodd-Frank. I decided to write an article on the subject rather than just a letter, to at least get some search engine optimization value for the time spent.
Strategic Planning Surrendered
My primary product, a loan rate sheet profit optimization tool, has not sold. People with quantitative backgrounds are very excited about what I am doing, but bankers are not. The primary reason for this is my poor sales ability, but when I speak to bankers, they clearly understand what I am doing and then state “but that isn’t how we do business.” At the 2014 IBAT Convention, the exhibit hall was poorly arranged and few bankers were hanging out with the vendors who were exhibiting, so I had a chance to have some extended conversations with several accountants and other vendors with no bankers present. I got some disheartening, but ultimately very helpful comments:
- “This makes a lot of sense, but they (bankers) won’t do this unless the regulators tell them to.”
- “They (bankers) have surrendered all strategic planning to the regulators.”
How did this happen? In today’s banking world, you can still see the vestiges of the pre-1980 era when interest rates were regulated and banks competed strictly on customer service and personal relationships; community bankers today overwhelming come up through the loan sales ranks rather than operational or financial career paths. The sales career path is how they do business. This vestige of the pre-1980 era manifests itself with bankers who do not have strong quantitative skills by the standards of current business practice, and are less prepared to recognize, adapt or adopt new technologies than are managers in other industries. Until someone with a strong quantitative background gets to C-level at a bank, the prospects are not good for quantitative approaches like mine. As one person said of my business prospects, “waiting for someone to die is not a good business strategy.”
After the passage of Dodd-Frank, Community Bankers have been overwhelmed with the volume of regulation and regulatory change. While I am not an expert on the specific changes, I have heard of numerous examples of regulations that clearly address abusive practices at high-volume too-big-to-fail banks, but which make no sense for low-volume small banks where loan officers have very visible and personal responsibility for the loans they sell. I have commented that bankers are so consumed with regulatory change that the building could be burning down and they would not notice.
Interest rate regulations from a generation ago did not require bankers with quantitative skills and have constrained the current pool of executives to those without strong quantitative backgrounds; current regulations, and regulatory churn require executives with legal and compliance skills but not the analytical and quantitative skills that are used by executives in virtually all other industries. Current regulations will constrain the executive pool for the next generation to executives with legal, but not quantitative skills. This will continue to make it difficult for banks to even think about the future even when forward-thinking leadership is in place. For vendors like me, this means that getting traction will be difficult until the succession of past regulated-rate era executives is complete and the analytics-era executives are not tied up with regulatory spaghetti.
Fair Lending and Disparate Impact
In recent years, Fair Lending regulation has focused on disparate impact where a bank can be penalized for policies or procedures that have disparate impact for different racial and ethnic groups even when there was no intent to discriminate. While I have not met any bankers that I believe were racist, I think that unintentional racially disparate pricing is probably far more common than anyone would like to admit; read the discussion in How a Bank Can Get in Trouble with Fair Lending Statistical Analysis for an understanding of why price discrimination is probably common for minority borrowers even without intentional discrimination on the part of bankers.
Some bank lobbyists hope to require that regulators show that the bank intended to discriminate against minorities in order to trigger a Fair Lending violation. I think this approach is wrong and short-sighted. The problem with the current regulatory approach stems not from being laborious; the problem is that current methods will not readily identify banks that do have price discrimination problems and sometimes falsely identify a bank as having a Fair Lending problem. Changing the regulatory standards to require “intent” for a violation will not improve the accuracy of identifying instances where discrimination is occurring, nor will it reduce the labor required for analysis. Requiring intent for a violation would probably increase the labor required for both regulators and bankers without improving the situation for borrowers who have experienced race-related price discrimination.
Banks will make much more progress in reducing the regulatory burden and the fights over regulation by admitting that minorities do face unintentional discriminatory pricing and then working to eliminate the causes of discriminatory pricing. About 20 years ago, the Wall Street Journal published an article about different approaches taken by medical professional societies to reducing malpractice insurance (if you do not have a WSJ subscription, How Anesthesiologists Reduced Medical Errors provides a summary). The association with the highest premiums, anesthesiologists, took the approach of studying anesthesia-related deaths and changing practice to reduce deaths. All other associations took the approach of pursuing legal limits on malpractice insurance. Anesthesiologists ultimately ended up with the lowest insurance rates. Bankers should take the same approach; admit the problem and fix it.
The current approach depends upon an error-prone estimate of a borrower’s race and ethnicity; the current surname and geographic race estimation method is especially error-prone for blacks descended from slaves. The errors effectively hide discriminatory pricing when it occurs.
One possible approach would be to offer a safe-harbor for loan products where no rate negotiation is allowed; compliance could then be measured by auditing applications for accurate pricing classification. When a pricing classification error is noted, two things would occur:
- Determine the race and ethnicity of the borrower by contacting the borrower directly, and then look for patterns within the pricing classification errors.
- Increase the size of the audit pool to improve the power of the statistical analysis.
Banks need to recognize that there are problems and address them, or plan for additional generations of fighting related regulatory oversight.
Fair Lending, and Indirect Lending
Indirect lending is perhaps the highest risk area for Fair Lending violations, but it is one where current regulatory practices will not identify a dealer that is intentionally discriminating against minorities; a discriminatory dealer’s loans are diluted with loans from non-discriminating dealers so that analysis at the bank level will not identify the problem dealer (unless the dealer decides to intentionally create problems for a bank). Analysis of loans at the dealer level must occur to fix this problem.
- Written by Bruce Moore
- Hits: 2418