GDPR: What is the EU General Data Protection Regulation?

The General Data Protection Regulation (GDPR) will have an impact on how organisations handle the personal information that they look after.

GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

GDPR will have a role in four main areas:

1. Easier Access
Users will have easier access to their own data. Individuals will be better informed about how their information is processed and stored, and organisations will need to explain this in the clearest way possible.

2. Portability
Users should be able to transfer their own information easily between service providers.

3. Right to be forgotten
Users who no longer want you to hold or process their personal information should be able to have it removed from your systems easily, unless you have legitimate grounds for keeping it.

4. Data breaches
Users should know when their information has been lost, stolen or otherwise compromised. If your systems are breached, the affected users should be informed as soon as possible.

How you implement the four points will depend on how you currently store and access user information. You will also need to be clear about what you use that information for.

 

Checkout problems upgrading to Magento 1.9.3.4+

Magento version 1.9.3.4 includes patch SUPEE-9767 V2, which adds security fixes to the checkout process.

One of those fixes is form key (CSRF token) validation on the checkout controllers: a POST to a patched controller without a valid form key is rejected, which is why a store with custom front-end templates can stop working at checkout straight after the upgrade. For your current templates to work with this patch you will need to add the form key to a number of forms in the checkout process:

<?php echo $this->getBlockHtml('formkey') ?>

Load the templates below from your app/design/frontend/<package>/<theme> directory and add the form key line above inside the <form> ... </form> element on each. Only templates your package/theme actually overrides need editing; templates that fall back to base/default are updated by the patch itself.

The basic templates that will need to be upgraded:

  • /template/checkout/cart/shipping.phtml
  • /template/checkout/onepage/billing.phtml
  • /template/checkout/onepage/shipping.phtml
  • /template/checkout/onepage/payment.phtml

If persistent checkout is enabled:

  • /template/checkout/onepage/shipping_method.phtml
  • /template/persistent/checkout/onepage/billing.phtml

If you allow shipping to multiple addresses:

  • /template/checkout/multishipping/billing.phtml
  • /template/checkout/multishipping/shipping.phtml
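Rather than opening each template by hand, the script below reports which of the templates listed above still lack the form key in a given theme. It is an added example, not code from the original post or from Magento; it assumes the standard Magento 1 layout (app/design/frontend/<package>/<theme>/template/...) and skips templates the theme does not override, since those fall back to the patched base/default copies.

```shell
#!/bin/sh
# Added example, not code from the original post: report which of the
# checkout templates listed above still lack the form key block in a
# given theme. Assumes the standard Magento 1 layout
# app/design/frontend/<package>/<theme>/template/...
set -eu

# Templates from the post, relative to the theme's template/ directory.
FORMKEY_TEMPLATES="
checkout/cart/shipping.phtml
checkout/onepage/billing.phtml
checkout/onepage/shipping.phtml
checkout/onepage/payment.phtml
checkout/onepage/shipping_method.phtml
persistent/checkout/onepage/billing.phtml
checkout/multishipping/billing.phtml
checkout/multishipping/shipping.phtml
"

# Print, one per line, the listed templates that the theme overrides but
# that contain no getBlockHtml('formkey') call. Templates the theme does
# not override are skipped: Magento falls back to base/default for those,
# and the patch already updated base/default. Returns 1 if any are missing,
# 0 if every overridden template carries the form key.
missing_formkey() {
    theme=$1
    status=0
    for t in $FORMKEY_TEMPLATES; do
        f="$theme/template/$t"
        [ -f "$f" ] || continue
        # accept either quoting style: getBlockHtml('formkey') or ("formkey")
        if ! grep -qE "getBlockHtml\(['\"]formkey['\"]\)" "$f"; then
            echo "$t"
            status=1
        fi
    done
    return $status
}

# usage: sh check_formkey.sh app/design/frontend/<package>/<theme>
if [ "${1:-}" != "" ]; then
    missing_formkey "$1"
fi
```

The check is deliberately textual: it tells you the call is present in the file, not that it sits inside the right <form> element, so still eyeball each template it does not flag before you run a test order.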

Upgrading Magento 1 through the Magento Connect Downloader

If you don’t fancy upgrading Magento 1 through the command line, you can upgrade the Magento core using Magento’s built-in Magento Connect Downloader.

  • Load yoursite.com/downloader.
  • Log in with a user who has full Magento permissions.
  • Make sure to tick the “Clear all sessions after successful install or upgrade” option before proceeding.
  • Click the Check for Upgrades button.
  • This will load all the packages, with upgrade options beside them.
  • Find the package named Mage_All_Latest.
  • In the dropdown choose the most recent version of Mage_All_Latest.
  • Use the checkbox beside it to include it in the upgrade.
  • Click Commit Changes.

If you log in and don’t see any packages, this may be due to the way the site was built.

At the top of the Magento Connect Downloader enter magento-core/Mage_All_Latest in the input box. This installs all the latest Magento Connect core packages on top of the existing files and allows future upgrades through the Magento Connect Downloader.

The downloader is an admin-level installer reachable from the web at /downloader. Once the upgrade is done, restrict access to it (or remove the directory) rather than leaving it exposed to everyone.

Upgrading Magento 1 through command line

Alternative: Upgrade Magento using the Magento Connect Downloader

Upgrading Magento is a must to keep your store in tip-top condition and to protect your customers and your business.

Upgrading Magento through the command line is the easiest way to make sure you are running the latest version of the Magento software. Take a full backup of the files and the database before you start, and try the upgrade on a staging copy first.

  • Load the root directory of your Magento store
  • Make sure the “mage” script is executable: chmod 750 mage (not chmod 777, which leaves the installer world-writable so any local user or a compromised web process could swap it out before you run it)
  • Then launch the Magento set-up: ./mage mage-setup
  • If all goes well you can then pull the latest version of the source code (note that the channel is plain HTTP, so the packages travel without transport protection):
    ./mage install http://connect20.magentocommerce.com/community Mage_All_Latest --force

If mage-setup did not go well, you may need to set some preferences first:

  1. Make sure the preferred package state is set: ./mage config-set preferred_state stable
  2. Then sync: ./mage sync

You can then try the install command again.

That should do the trick.
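The steps above as a script, with the permission step corrected. This is an added example rather than code from the original post or from Magento; it assumes it is run from the store’s document root, and the optional second argument to mage_upgrade (a path to a different mage binary) exists only so the command sequence can be exercised without touching the real installer.

```shell
#!/bin/sh
# Added example, not code from the original post: the command line upgrade
# above as a script, with the permission step corrected. Run from the
# store's document root. The optional second argument to mage_upgrade
# points at a different mage binary (used only to check the sequence offline).
set -eu

# Channel URL from the post. Note it is plain HTTP: the packages travel
# without transport protection, so run this from a network you trust.
MAGE_CHANNEL="http://connect20.magentocommerce.com/community"

# Make ./mage runnable by its owner and group, and by nobody else.
# chmod 777 (as often suggested) leaves the installer world-writable, so
# any local user or a compromised web process could replace it before you
# run it as yourself.
prepare_mage() {
    root=$1
    [ -f "$root/mage" ] || { echo "no mage script in $root" >&2; return 1; }
    chmod 750 "$root/mage"
}

# The upgrade steps from the post, in order. The preferred_state/sync
# steps the post gives as a fallback are harmless to run up front.
mage_upgrade() {
    root=$1
    mage=${2:-"$root/mage"}
    (
        cd "$root"
        "$mage" mage-setup
        "$mage" config-set preferred_state stable
        "$mage" sync
        "$mage" install "$MAGE_CHANNEL" Mage_All_Latest --force
    )
}

# usage: sh upgrade_magento1.sh --run   (from the Magento root, after a full backup)
if [ "${1:-}" = "--run" ]; then
    prepare_mage "$PWD"
    mage_upgrade "$PWD"
fi
```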

 

Anonymous Browsing

A few links to help keep your online activities private and secure.

In the United Kingdom the Investigatory Powers Act has been signed into law by HM The Queen. It grants the Government new surveillance powers, including rules that force internet providers to keep records of every website their customers visit.

The links below will allow you to continue to enjoy privacy online.

Browsing the web

Tor is one of the best known anonymity tools out there and is often described as a ‘censorship circumvention tool’. It is a free network of volunteer-run servers, or ‘nodes’, that route Internet traffic through several hops in order to hide where the data came from. The Tor Browser is a browser configured to send all of its traffic through that network, and it can significantly increase a user’s privacy and anonymity online. One caveat: the last node (the exit) sees your traffic as it leaves the network, so only sites you reach over HTTPS are hidden from it. In internal documents, the NSA even refers to Tor as “the king of high-secure, low latency Internet Anonymity.”

torproject.org

Email

Proton Mail is a Swiss-based email provider built around end-to-end encryption. Mail between Proton Mail accounts is end-to-end encrypted automatically, and mail arriving from elsewhere is encrypted on receipt, so that Proton Mail itself cannot decrypt and read your messages. As a result, the contents of your encrypted emails cannot be handed to third parties.

protonmail.com

Messaging

Many messaging platforms already provide end-to-end encrypted messaging, including WhatsApp and iMessage. Signal is a messaging app designed so that Signal itself cannot read your messages, and nobody else can either. Everything is always end-to-end encrypted and painstakingly engineered to keep your communication safe.

whispersystems.org on WhatsApp

Why use an SSL? Number 3: Search Engine Optimisation

Previously: 2. User Confidence

Google has, since 2014, given sites served over HTTPS with a valid certificate a small boost in its ranking algorithm. Google has been telling webmasters for years that it is safe, and now beneficial, to switch from HTTP to HTTPS.

Based on their own internal tests, Google said the change affected fewer than 1% of global search queries. More importantly, they said they may decide to strengthen the weight given to secure sites, because they want to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

It should not come as any surprise that Google prefers sites that are served over HTTPS with a valid certificate. A user on a secure connection can be sure that what they send reaches the site unread and unaltered by anyone on the path in between; what the site does with that data afterwards is a separate matter, which is why HTTPS is a minimum rather than a guarantee.

Google and other search engines have decided that HTTPS is an important signal of a website’s quality, so whether you’re handling multi-million pound transactions or posting the odd blog post, an SSL certificate isn’t just about security any more.

Series Why use an SSL?

  1. Part 1: Security
  2. Part 2: User Confidence
  3. Part 3: Search Engine Optimisation

Why use an SSL? Number 2: User Confidence

Previously: 1. Security

As well as protecting your users, the presence of an SSL certificate also enhances user confidence in your website and removes some of the fears they might have about handing their data over to you.

Many websites have a section where users can at least log in and perform some tasks such as check messages, manage their personal information, or make a purchase of a service or product.

Without an SSL certificate all of that information travels in plain text and can be read by anyone on the network path, and more and more people are becoming aware that their personal security depends on the security of the websites they use.

Users now know to look for the padlock symbol or green address bar. If displayed, the padlock gives peace of mind that their information is being kept secure. It’s a simple and increasingly inexpensive thing but, to your user, that little symbol is a big deal.

If you are asking for users to provide you with their information keeping it private and secure should be your number one priority.


Why use an SSL? Number 1: Security

The main reason to use an SSL certificate on your website is to protect sensitive information sent across the Internet, keeping the data encrypted so that only the intended recipient can read it.

This matters because information you send over the Internet is passed from computer to computer on its way to the destination server. Any computer between you and the server can see your credit card numbers, usernames, passwords and other sensitive information in plain text unless it is encrypted first, which is what an SSL/TLS connection does.

When a certificate is used, the information becomes unreadable to everyone except the server you are sending it to. This protects you from eavesdroppers and identity thieves.

How an SSL protects your data

Take an ecommerce website: you browse the catalogue, and when you’re ready to order you are sent to an order form or checkout whose address starts with https://.

Before any order details are sent, your browser checks the site’s certificate: that it was issued by a certificate authority the browser trusts, and that it was issued for the hostname in the address bar. Only then does it negotiate a session key with the server and encrypt what it sends. Because completing that handshake requires the private key matching the certificate, only the genuine server can decrypt your information and use it to complete the purchase.

The acknowledgement you receive from the server travels back over the same encrypted connection and is decrypted for you by your browser.
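The checks described above, as an added example that is not code from the original post: the script uses the openssl command line tool to build a throwaway certificate authority and a certificate for a made-up hostname, shop.example, and then runs the same two tests a browser makes before it encrypts anything, namely whether the certificate chains to a CA we trust and whether it was issued for the host we asked for. Nothing here talks to the network; all the names and files are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: what the browser checks
# before it encrypts anything for a server. Builds a throwaway CA with the
# openssl command line tool, issues a certificate for shop.example (a made-up
# hostname), and then shows that the certificate only verifies against the
# CA that signed it and only for the name it was issued for.
set -eu

# Create, under $1: a CA (ca.pem/ca.key), a server certificate for
# shop.example signed by it (shop.pem/shop.key), and an unrelated CA
# (other.pem) standing in for an attacker who can sign certificates of
# their own but is not in the browser's trust store.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
        -keyout "$dir/shop.key" -out "$dir/shop.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/shop.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/shop.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Somebody Else CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# The two checks a browser makes on a server certificate: does it chain to
# a CA we trust ($1), and was it issued for the host we asked for ($3)?
# Only if both pass does the browser go on to set up the encrypted
# session. Returns 0 for trusted, non-zero otherwise.
cert_trusted() {
    ca_bundle=$1; leaf=$2; host=$3
    openssl verify -CAfile "$ca_bundle" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

# usage: sh tls_trust_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    cert_trusted "$work/ca.pem" "$work/shop.pem" shop.example && echo "shop.example via our CA: trusted"
    cert_trusted "$work/other.pem" "$work/shop.pem" shop.example || echo "same cert via another CA: rejected"
    cert_trusted "$work/ca.pem" "$work/shop.pem" evil.example || echo "our CA but wrong hostname: rejected"
fi
```

The second and third cases are the ones that matter for security: encryption alone does not help if a man-in-the-middle can present a certificate of their own, which is why the browser insists on a trusted issuer and a matching hostname before it sends a single byte of your order.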

Next: Why use an SSL? Number 2: User Confidence


Google Chrome getting a new Security Panel for developers

Google is set to add a new Security Panel to the Chrome browser to help developers visualise and troubleshoot network connections.

The security panel gives developers connection information for every request, so they can see which connection errors are getting in the way of the green lock that represents a secure connection. It shows the status of the TLS certificate verification and highlights any insecure HTTP resources (mixed content) loaded by an otherwise secure page.

Google has been pushing to make HTTPS the standard way users browse the internet. Even this site, which stores and shares no private or personal data, is served over a secure connection because that is what Google prefers these days.

The feature has landed in Chromium and is still in the beta build. Google says it will begin rolling it out to browsers in the coming days.

More: Chromium Blog

# keithgreer.uk

Web Application Security Testing

Free and open source web application security test tools.

Burp Suite
Free and commercial editions. An excellent adjunct to manual testing, and the commercial edition has a good scanner as well. Of the professional web application testers I know, most use this.

w3af.org
Open source scanning tool that seems to be developing quite a bit at the moment. It focuses primarily on automated scanning, but still requires a fair amount of knowledge to use effectively.

Commercial Scanning Tools which should be used.