Starting from a fresh installation of Magento on Linux, we carried out the common steps of a cyber-attack, both by running automated tools and by performing manual penetration tests, in order to analyze the security features of the platform in its default configuration in a standard environment.
By putting the platform's security features under simulated automated and targeted attacks, the study aims to establish its average level of security, so as to better understand which security patterns are offered "by design" and where to intervene with specific hardening configurations and strategies when the time comes to customize, deploy and maintain a Magento production environment.
Andrea Zwirner - Magento security and hardening strategies
2. Mar 2, 2017
Meet Magento 2017, Milan
Andrea Zwirner – Linkspirit
Magento security and hardening strategies 2
Magento security and hardening strategies
Andrea Zwirner
andrea@linkspirit.it
@AndreaZwirner
Information security

Environment
● Linux, Apache, MariaDB, PHP
● Magento 1.9.x.y
– We will be as platform independent as possible

Magento average security
● Magento is a good product, security is never underestimated
– Fast security patches for both 1.9.x and 2.x versions
– URL protection (via secret keys addition)
– Sessions validation (session poisoning, hijacking, fixation attacks)
– CSRF protection
– CAPTCHA for admin login (brute force)

Magento average security
● Sensitive data are encrypted via an additional encryption key (cards, integration passwords)
● There is also a lot of documentation on security and hardening

Magento average security
● Anyway, the team is doing a great job!
● But it might all be useless if…

A secure platform in an insecure world
[Diagram: stack layers – Hardware, Operating System, Libraries, Application, Services]

Full of unprepared users...
[Diagram: the same stack – Hardware, Operating System, Libraries, Application, Services – with the User on top]

Backend security
● Workstations that work with the backend need to be hardened
● The same applies to the environment in which the workstations operate
– And the environments it is connected to, including suppliers, clients, etc.
● Users need to be made aware of the risks they might expose the application to

What’s the strategy?

Never underestimate the importance of end users
“Ensuring cybersecurity is a common responsibility. End users play a crucial role in ensuring the security of networks and information systems: they need to be made aware of the risks they face online and be empowered to take simple steps to guard against them.”
Cybersecurity Strategy of the European Union
European Commission, Feb 2013

Enumeration is the key
● If you want to crack it, you need to know it
● The quieter you become, the more you’re able to hear
● You can’t just try every single weapon you have in your armory
● This would alarm any kind of IPS at any level

Enumeration – /magento_version

Enumeration – /downloader

Enumeration – static files 1
● /skin/frontend/default/default/css/styles.css

Enumeration – static files 2

Enumeration in web application scanners

It’s attack time!
● We have to make a couple of assumptions
– Magento vulnerable version (1.9.1.0 CE or 1.14.1.0 EE)
– Not patched with SUPEE-5344
– It means RCE… Uh ohhh…

It’s attack time!
● backdoor.tgz adds backdoor.php (a meterpreter reverse shell) in /errors

It’s attack time!
● Misconfigurations
– Downloader is exposed and unprotected
– File system permissions have not been reset (maybe after the last extension install)

TCP reverse shell

Getting DB credentials

DB dump!

Passwords
● md5/sha-256(salt+password):salt – no bcrypt, scrypt or pbkdf2 :-(
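The slide's point in working code, as an added example that is not part of the original deck: a login-time check that verifies a legacy "digest:salt" record (md5 or sha-256 over salt+password, the layout the slide describes) and, when it matches, rehashes the password with PBKDF2-HMAC-SHA256 so the weak records are retired as users log in. The PBKDF2 record layout and the 600,000-iteration count are this example's own choices, not a Magento format; the sample password and salt are constructed.

```python
import hashlib
import hmac
import os

# Legacy record layout, as described on the slide: "<hex digest>:<salt>", where the
# digest is md5 or sha-256 over (salt + password). The digest length tells which.
LEGACY_ALGOS = {32: "md5", 64: "sha256"}

# Layout of the upgraded record is an assumption of this example, not a Magento format:
# "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"
PBKDF2_SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000


def legacy_record(password: str, salt: str, algo: str = "md5") -> str:
    """Build a legacy-style record. Used here only to construct sample data."""
    digest = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return f"{digest}:{salt}"


def verify_legacy(password: str, record: str) -> bool:
    """Check a password against a 'digest:salt' record (md5 or sha-256, by digest length)."""
    digest, _, salt = record.partition(":")
    algo = LEGACY_ALGOS.get(len(digest))
    if algo is None or not salt:
        return False
    candidate = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a new record with a fresh random salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != PBKDF2_SCHEME:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # wrong field count, bad hex or a non-numeric iteration count
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password: str, record: str) -> tuple[bool, str]:
    """Login-time check. Returns (accepted, record_to_store): a matching legacy record
    is replaced by a PBKDF2 one, so the fast hashes disappear as users log in."""
    if record.startswith(PBKDF2_SCHEME + "$"):
        return verify_pbkdf2(password, record), record
    if verify_legacy(password, record):
        return True, pbkdf2_record(password)
    return False, record


if __name__ == "__main__":
    # constructed sample: a legacy md5 record for the password "correct horse"
    old = legacy_record("correct horse", "Ab12Cd34")
    accepted, new = verify_and_upgrade("correct horse", old)
    print(accepted, new.split("$")[0])  # True pbkdf2_sha256
```

Passing the upgraded record back through verify_and_upgrade is a no-op, so one function serves both record kinds. bcrypt or scrypt would do just as well as PBKDF2 here; the point is a salted, deliberately slow KDF in place of a single fast digest.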

Let’s crack them, with hashcat!

Option two: frontend malware (common!)

And your card number is?

Why does all this stuff work?
● Using vulnerable components (at any level of the stack)
– It doesn’t matter which Magento version you use, it has to be (quickly) patched!
● Misconfigurations
– Whoever works inside the environment has to know (well) what they are doing!

So, let’s harden it – basic
● Monitor issues for every single component of the stack, and patch accordingly
● Restrict access to administrative functions to specific IP addresses
● Hide sensitive URLs (admin / downloader / extensions) behind custom URLs
● Block access to development / staging / test environments

So, let’s harden it – mid
● Run Magento inside a dedicated environment
● Always apply the principle of least privilege
● Automate the deployment process
– Extensions should not be installed in production
– Implement automated checks (unit tests, static code analysis, etc.)
● Audit the user list and enable 2-factor authentication (Nexcess, miniOrange, etc.)
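The least-privilege bullet above and the "file system permissions have not been reset" misconfiguration from the attack slides meet in a small permissions policy. The following is an added example, not a script from the deck or from Magento: it audits a Magento 1 tree against a policy that assumes a read-only code base (755/644), a web-server-writable var/ and media/ (775/664) and execute bits only on the shipped mage and cron.sh scripts, and can reset the tree to that policy. The exact modes and the writable/executable lists are this example's assumptions to adapt to your deployment.

```python
import stat
from pathlib import Path

# Policy assumed by this example for a Magento 1 tree: the web server may read everything
# and write only under var/ (cache, sessions, logs) and media/ (uploads). Two shipped
# scripts keep their execute bit. Adjust these sets to your own layout.
WRITABLE_TOP_DIRS = {"var", "media"}
EXECUTABLE_FILES = {"mage", "cron.sh"}
DIR_MODE, FILE_MODE = 0o755, 0o644
WRITABLE_DIR_MODE, WRITABLE_FILE_MODE = 0o775, 0o664
EXEC_FILE_MODE = 0o755


def expected_mode(rel: Path, is_dir: bool) -> int:
    """Mode the policy expects for a path relative to the Magento root."""
    if rel.parts and rel.parts[0] in WRITABLE_TOP_DIRS:
        return WRITABLE_DIR_MODE if is_dir else WRITABLE_FILE_MODE
    if not is_dir and len(rel.parts) == 1 and rel.name in EXECUTABLE_FILES:
        return EXEC_FILE_MODE
    return DIR_MODE if is_dir else FILE_MODE


def audit(root) -> list:
    """List entries whose permission bits deviate from the policy, world-writable ones first."""
    root = Path(root)
    problems = []
    for p in root.rglob("*"):
        if p.is_symlink():
            continue
        rel = p.relative_to(root)
        mode = stat.S_IMODE(p.stat().st_mode)
        expected = expected_mode(rel, p.is_dir())
        if mode != expected:
            tag = "WORLD-WRITABLE " if mode & stat.S_IWOTH else ""
            problems.append(f"{tag}{rel}: {oct(mode)} (expected {oct(expected)})")
    return sorted(problems, key=lambda s: (not s.startswith("WORLD"), s))


def reset(root) -> int:
    """Apply the policy to every entry; returns how many entries were changed."""
    root = Path(root)
    changed = 0
    for p in root.rglob("*"):
        if p.is_symlink():
            continue
        expected = expected_mode(p.relative_to(root), p.is_dir())
        if stat.S_IMODE(p.stat().st_mode) != expected:
            p.chmod(expected)
            changed += 1
    return changed


if __name__ == "__main__":
    import sys
    # usage: perms.py <magento root> [audit|reset]
    root = sys.argv[1]
    action = sys.argv[2] if len(sys.argv) > 2 else "audit"
    if action == "reset":
        print(f"{reset(root)} entries changed")
    for line in audit(root):
        print(line)
```

Run the audit from the deployment pipeline after every extension install or upgrade, which is exactly when the deck observes that permissions tend to be left open; ownership (deploy user, web-server group) is the other half of the policy and is deliberately out of scope here.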

So, let’s harden it – advanced
● Check Admin Action Logs and compare with policies / timing / etc.
● Check file integrity (compare production with a clean version) / mtimes, etc.
● Monitor all system logins and compare with policies / timing / etc.
● Choose extensions accordingly (e.g. ASVS compliance / code review / pen-test)
– If possible, avoid using extensions with upload functions

So, let’s harden it – advanced
● Monitor for common malicious functions or code
– curl(, FILE_APPEND, file_put_, fwrite, http.open, http.send, mail, <script, etc.
● Monitor for files bigger than 2-3 MB
– They can contain stolen data to be sent to the attacker
● Monitor for common backdoor code
– A lot: base64, exec, wget, system, move_uploaded_file, encodeURI, etc.

So, let’s harden it – advanced
● Do anything you can to make enumeration harder
– Remove service banners
– Remove metadata
– Remove/change static files
● *_version, README, etc.
● *.css, *.js

A common attack: brute force

Intrusion Prevention
● Should we just wait for the attacker to guess the password?
● Intrusion Prevention Systems
– Policy verification through log analysis
● Web application firewalls
– Configuration (platform dependent)
– Review (at least on application changes)

Know your enemy
● Should we just wait for the attacker to find the right path?
● Attack information must be collected and analyzed
● You have to understand who the attacker is and what their goal is

And then… Shit happens!
● Make sure your governance level is granular enough to understand what’s happening
● You have to know what the system is doing and not just that it is “working”
● And if everything has been fucked up, the keywords are
– Backup
– Restore
– Disaster recovery plan

Magento security and hardening strategies
Andrea Zwirner
andrea@linkspirit.it
@AndreaZwirner
Information security