MageCart Defense Strategies

Transcript

1. MageCart Defense Strategies Tom Robertshaw @bobbyshaw

2. 1. What is MageCart? 2. How do I protect against

   it? 3. What’s my responsibility as a site developer? Overview

3. Computer viruses are functionally similar to biological pathogens

4. Malaria Transferred through mosquito bites Lots of bites but only

   a small number cause infection Infection through a third-party

5. Supply Chain Attacks Similar to being infected by compromised dependencies

   Infection through a third-party

6. Tuberculosis Most successful against the ill, malnourished and dehydrated Target

   unhealthy hosts

7. Brute Force Attacks Automated attacks of weak admin credentials or

   unpatched applications Target unhealthy hosts

8. Tuberculosis Infect others while there are no symptoms Long incubation

   periods

9. MageCart Malware that’s too aggressive gets caught Long incubation periods

10. JS that duplicates form submissions to a dead drop Invisible

    to the merchant and customer MageCart

11. Injects script foobar.com/js/extjs/fix-defer-after.js Looks for payment form & saves values

    to cookie Adds image with src=deaddrop.com?paymentdetails=encoded_data ...but only if dev tools isn’t open Example

12. 1. Identify, preserve & remove cylon 2. Investigate activity &

    breach 3. Add further protections 4. Report 5. Monitor Attack Response

13. Protections

14. Keep dependencies patched and up-to-date Secure admin passwords IP protect

    admin area, magmi and other admin tools Remove Magento 1 downloader MageCart Protections

15. Technology comes with security risk & training burden Prepare for

    worst case scenario The rational strategy is to have an intruder alarm Assume vulnerabilities

16. Monitoring

17. Security Scanners

18. @gwillem Scanners from the community @_talesh

19. A CSP gives the browser a whitelist of sites that

    requests can be made to Anything else is blocked Content Security Policies

20. content-security-policy: default-src 'self' 'unsafe-inline' *.sagepay.com www.gstatic.com www.google.com *.newrelic.com *.nr-data.net; report-uri

    https://xcvb435746uwefddfgjk654.report-uri.com/r/d/csp/enforce HTTP Response Header

21. The wearing medieval armour to go to the store approach

    to security We need to balance security with user needs Overkill

22. content-security-policy -report-only: default-src 'self' 'unsafe-inline' *.sagepay.com www.gstatic.com www.google.com *.newrelic.com *.nr-data.net;

    report-uri https://xcvb435746uwefddfgjk654.report-uri.com/r/d/csp/reportOnly CSP Report Only Example

23. Example CSP Report { "document-uri": "https://tomrobertshaw.net/", "referrer": "", "violated-directive": "style-src-elem",

    "effective-directive": "style-src-elem", "original-policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://test-report.trackcsp.com/v1/494b06af-eb50-4c85-9097-aa7c31e591b9", "disposition": "report", "blocked-uri": "https://fonts.googleapis.com/css?family=Open+Sans:400,400italic", "status-code": 0, "script-sample": "" }

24. Results in a huge number of reports In practice is

    very noisy, e.g. browser extensions Need a tool to analyze Collecting Reports
25. None
26. None

27. 1. MageCart can be a silent killer 2. Good security

    hygiene reduces attack vectors 3. Security Monitoring fundamental part of application stack Summary

28. Thanks @bobbyshaw

29. https://nnt.es/Functional%20similarities%20between%20computer%20worms%20and%20biological%20pathogens.pdf https://developers.google.com/web/fundamentals/security/csp/ https://www.linkedin.com/pulse/magical-thinking-internet-security-paul-vixie/ https://en.wikipedia.org/wiki/Security_breach_notification_laws http://www.mondaq.com/unitedstates/x/165468/Privacy/Data+Security+Breach+Notification+Requirements+In+The+United+States+What+Y ou+Need+to+Know https://speakerdeck.com/mikispag/so-we-broke-all-csps-dot-dot-dot-you-wont-guess-what-happened-next-michele-spagnuolo-and-lukas-weich selbaum?slide=10 https://dzone.com/articles/using-csp-nonces-effectively-with-a-service-worker https://scotthelme.co.uk/csp-nonce-support-in-nginx/

    Resources