
Andrea Zwirner - Magento security and hardening strategies


Starting from a fresh installation of Magento on Linux, we conducted the common steps of a cyber-attack, both by running automated tools and by performing manual penetration tests, in order to analyze the security features of the platform in its default configuration in a standard environment.
By addressing the security features of the platform with the simulation of both automated and targeted attacks, the study aims to discover its average level of security, in order to better understand which security patterns are offered "by design" and where to intervene with specific hardening configurations and strategies when it comes time to customize, deploy and maintain a Magento production environment.



  1. Mar 2, 2017 – Meet Magento 2017, Milan. Andrea Zwirner – Linkspirit. Magento security and hardening strategies. Andrea Zwirner, andrea@linkspirit.it, @AndreaZwirner. Information security.
  2. Environment: Linux, Apache, MariaDB, PHP; Magento 1.9.x.y (we will be as platform independent as possible).
  3. Magento average security: Magento is a good product, security is never underestimated: fast security patches for both 1.9.x and 2.x versions; URL protection (via secret keys added to URLs); session validation (against session poisoning, hijacking and fixation attacks); CSRF protection; CAPTCHA for admin login (against brute force).
  4. Magento average security: sensitive data are encrypted with an additional encryption key (cards, integration passwords); there is also a lot of documentation on security and hardening.
  5. Magento average security: anyway, the team is doing a great job! But it might all be useless if…
  6. A secure platform in an insecure world: Hardware / Operating System / Libraries / Application / Services (stack diagram).
  7. Full of unprepared users... Hardware / Operating System / Libraries / Application / Services / User (stack diagram).
  8. Backend security: workstations that work with the backend need to be hardened; the same applies to the environment in which those workstations work, and to the environments it is connected to, including suppliers, clients, etc.; users need to be made aware of the risks they might expose the application to.
  9. What's the strategy?
  10. Never underestimate end users' importance: "Ensuring cybersecurity is a common responsibility. End users play a crucial role in ensuring the security of networks and information systems: they need to be made aware of the risks they face online and be empowered to take simple steps to guard against them." (Cybersecurity Strategy of the European Union, European Commission, Feb 2013)
  11. Ok, let's start!
  12. Enumeration is the key: if you want to crack it, you need to know it; the quieter you become, the more you're able to hear; you can't just try every single weapon you have in your armory: this would alarm any kind of IPS at any level.
  13. Enumeration – /magento_version
  14. Enumeration – /downloader
  15. Enumeration – static files 1: /skin/frontend/default/default/css/styles.css
  16. Enumeration – static files 2
  17. Enumeration in web application scanners
  18. It's attack time! We have to make a couple of assumptions: a vulnerable Magento version (1.9.1.0 CE or 1.14.1.0 EE), not patched with SUPEE-5344. It means RCE… Uh ohhh…
  19. It's attack time!
  20. It's attack time!
  21. It's attack time!
  22. It's attack time! backdoor.tgz adds backdoor.php (a meterpreter reverse shell) in /errors
  23. It's attack time! Misconfigurations: the downloader is exposed and unprotected; file system permissions have not been reset (maybe after the last extension install).
  24. TCP reverse shell
  25. Getting DB credentials
  26. It's attack time!
  27. DB dump!
  28. Passwords: md5/sha-256(salt+password):salt; no bcrypt, scrypt or pbkdf2 :-(
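As an added illustration of the password slide (this is example code, not code from the talk or from Magento itself): a verifier for the legacy md5/sha-256(salt+password):salt format shown above, beside an upgrade-on-login path that rehashes the password with PBKDF2-HMAC-SHA256, one of the schemes the slide asks for. The PBKDF2 record layout, the iteration count and the sample password and salt are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy Magento 1 password format, as described on the slide:
#   hex(md5(salt + password))    + ":" + salt   (32 hex chars)
#   hex(sha256(salt + password)) + ":" + salt   (64 hex chars)
# A single digest iteration is cheap to brute force with a GPU cracker, which
# is why the slide calls for bcrypt/scrypt/pbkdf2 instead.


def legacy_hash(password: str, salt: str, algo: str = "md5") -> str:
    """Build a legacy-format record (used here only to construct sample data)."""
    digest = hashlib.new(algo, (salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify_legacy(password: str, stored: str) -> bool:
    """Check a password against a legacy md5/sha256(salt+password):salt record."""
    digest, sep, salt = stored.partition(":")
    if sep != ":":
        return False
    algo = "md5" if len(digest) == 32 else "sha256"
    candidate = hashlib.new(algo, (salt + password).encode("utf-8")).hexdigest()
    # constant-time comparison, so the check does not leak matching prefixes
    return hmac.compare_digest(candidate, digest)


# Hypothetical stronger scheme for the upgrade path (an assumption of this
# example, not a Magento format): PBKDF2-HMAC-SHA256 with a random 16-byte salt.
PBKDF2_PREFIX = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([PBKDF2_PREFIX, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_pbkdf2(password: str, stored: str) -> bool:
    try:
        prefix, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if prefix != PBKDF2_PREFIX:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def verify_password(password: str, stored: str) -> bool:
    """Dispatch on the stored format so both generations coexist during migration."""
    if stored.startswith(PBKDF2_PREFIX + "$"):
        return verify_pbkdf2(password, stored)
    return verify_legacy(password, stored)


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Return (login_ok, record_to_store).

    Login is the only moment the plaintext is available, so a legacy record
    that verifies is replaced by a PBKDF2 record; anything else is returned
    unchanged so the caller never overwrites a record on a failed login.
    """
    if not verify_password(password, stored):
        return False, stored
    if stored.startswith(PBKDF2_PREFIX + "$"):
        return True, stored
    return True, pbkdf2_hash(password)


if __name__ == "__main__":
    # Constructed sample: a legacy MD5 record for the password "winter2017"
    record = legacy_hash("winter2017", "Zq")
    ok, record = login_and_upgrade("winter2017", record)
    print(ok, record.split("$")[0])
```

Because the migration happens lazily, accounts that never log in keep their weak record; after a grace period those records should be invalidated and the users forced through a reset, otherwise a dumped table like the one on the next slides still yields crackable hashes.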
  29. Let's crack them, with hashcat!
  30. Option two: frontend malware (common!)
  31. And your card number is?
  32. Why does all this stuff work? Using vulnerable components (at any level of the stack): it doesn't matter which Magento version you use, it has to be (quickly) patched!
  33. Why does all this stuff work? Using vulnerable components (at any level of the stack): it doesn't matter which Magento version you use, it has to be (quickly) patched! Misconfigurations: whoever works inside the environment has to know (well) what they are doing!
  34. So, let's harden it – basic: monitor issues for every single component of the stack, and patch accordingly; restrict access to administrative functions to specific IP addresses; hide sensitive URLs (admin / downloader / extensions) behind custom URLs; block access to development / staging / test environments.
  35. So, let's harden it – mid: run Magento inside a dedicated environment; always apply the principle of least privilege; automate the deployment process (extensions should not be installed in production; implement automated checks: unit tests, static code analysis, etc.); audit the user list and enable two-factor authentication (Nexcess, miniOrange, etc.).
  36. So, let's harden it – advanced: check Admin Action Logs and compare with policies / timing / etc.; check file integrity (compare production with a clean version, mtimes, etc.); monitor all system logins and compare with policies / timing / etc.; choose extensions accordingly (e.g. ASVS compliance / code review / pen-test), and if possible avoid extensions with upload functions.
  37. So, let's harden it – advanced: monitor for common malicious functions or code (curl(, FILE_APPEND, file_put_, fwrite, http.open, http.send, mail, <script, etc.); monitor for files bigger than 2-3 MB (they can contain stolen data to be sent to the attacker); monitor for common backdoor code (a lot: base64, exec, wget, system, move_uploaded_file, encodeURI, etc.).
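The file-integrity check of slide 36 and the content monitoring of slide 37 fit together: a clean deployment gives a baseline, and only files that are new or changed since that baseline get scanned for the indicators on the slide. This added example (not code from the talk, Magento or any of the tools it names) implements that in Python; the regexes are this example's interpretation of the slide's shorthand (for instance `file_put_` is read as the PHP function `file_put_contents`), the 2 MB limit is the lower bound the slide gives, and the sample files are constructed.

```python
import hashlib
import os
import re
from typing import Dict, List

# Indicators from the slide, turned into regexes. Exact function names such as
# base64_decode and file_put_contents are assumptions of this example.
SUSPICIOUS_PATTERNS: Dict[str, str] = {
    "base64_decode(": r"\bbase64_decode\s*\(",
    "eval(": r"\beval\s*\(",
    "exec(": r"\b(?:shell_)?exec\s*\(",
    "system(": r"\bsystem\s*\(",
    "passthru(": r"\bpassthru\s*\(",
    "move_uploaded_file(": r"\bmove_uploaded_file\s*\(",
    "file_put_contents(": r"\bfile_put_contents\s*\(",
    "fwrite(": r"\bfwrite\s*\(",
    "FILE_APPEND": r"\bFILE_APPEND\b",
    "curl(": r"\bcurl_(?:init|exec)\s*\(",
    "wget": r"\bwget\b",
    "mail(": r"\bmail\s*\(",
    "<script": r"<script\b",
    "encodeURI": r"\bencodeURI(?:Component)?\s*\(",
    "http.open/send": r"\bhttp\.(?:open|send)\s*\(",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in SUSPICIOUS_PATTERNS.items()}
SIZE_LIMIT = 2 * 1024 * 1024  # slide: files bigger than 2-3 MB deserve a look


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map relative path -> sha256 of content; store this for a clean release."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def scan_content(path: str, data: bytes) -> List[str]:
    """Return findings for one file: size anomaly and/or matched indicators."""
    findings: List[str] = []
    if len(data) > SIZE_LIMIT:
        findings.append(f"oversized:{len(data)} bytes")
    text = data.decode("utf-8", errors="replace")
    for name, rx in COMPILED.items():
        if rx.search(text):
            findings.append("pattern:" + name)
    return findings


def audit(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan only what differs from the baseline, so legitimate core code that
    also calls mail() or file_put_contents() does not drown the report."""
    delta = diff_baseline(baseline, fingerprint(files))
    report: Dict[str, List[str]] = {}
    for path in delta["added"] + delta["modified"]:
        findings = scan_content(path, files[path])
        if findings:
            report[path] = findings
    for path in delta["removed"]:
        report[path] = ["removed"]
    return report


def load_tree(root: str) -> Dict[str, bytes]:
    """Read a Magento document root into the in-memory form audit() expects."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


if __name__ == "__main__":
    # Constructed sample instead of a real document root.
    clean = {"index.php": b"<?php require 'app/Mage.php'; Mage::run(); ?>"}
    baseline = fingerprint(clean)
    infected = dict(clean, **{"errors/backdoor.php": b"<?php eval(base64_decode($_POST['c'])); ?>"})
    print(audit(infected, baseline))
```

The baseline should be generated from the release artifact at deploy time and kept off the web server, since an attacker who can write files can also rewrite a baseline stored beside them; a hit on a changed file is a trigger to pull that file for review, not a verdict on its own.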
  38. So, let's harden it – advanced: do anything you can to make enumeration harder: remove service banners; remove metadata; remove/change static files (*_version, README, etc.; *.css, *.js).
  39. A common attack: brute force
  40. Intrusion Prevention: should we just wait for the attacker to guess the password? Intrusion Prevention Systems: policy verification through log analysis. Web application firewalls: configuration (platform dependent); review (at least on application changes).
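"Policy verification through log analysis" for the brute-force case of slides 39 and 40 can be as small as a sliding-window counter over the web server's access log. This added example (not the talk's or any IPS product's code) does that in Python over constructed Apache combined-format lines. It assumes the default admin frontname `admin` and that, on Magento 1, a failed admin login POST re-renders the form with HTTP 200 while a successful one answers with a 302 redirect; the threshold and window are example values, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Apache "combined" log format (assumed by this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions: default admin frontname; failed login = 200, successful = 302.
ADMIN_LOGIN_RE = re.compile(r"^/(?:index\.php/)?admin/?(?:\?.*)?$")

# Constructed sample: one IP hammering the login, one user who mistypes once
# and then succeeds, one unrelated static request, one clean login.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2017:10:00:01 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:03 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:05 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:07 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:09 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:11 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:13 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Mar/2017:10:01:00 +0100] "GET /index.php/admin/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Mar/2017:10:01:20 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Mar/2017:10:01:45 +0100] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Mar/2017:10:02:00 +0100] "GET /skin/frontend/default/default/css/styles.css HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Mar/2017:10:03:00 +0100] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, object]:
    """Return IPs with >= threshold failed admin logins inside the window, and
    IPs whose successful login followed recent failures (a guess that worked)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    success_after_failures: List[str] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method != "POST" or not ADMIN_LOGIN_RE.match(path):
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if status == 200:
            recent.append(ts)
            if len(recent) >= threshold:
                flagged[ip] = max(len(recent), flagged.get(ip, 0))
        elif status == 302 and recent and ip not in success_after_failures:
            success_after_failures.append(ip)
    return {"flagged": flagged, "success_after_failures": success_after_failures}


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG.splitlines()))
```

The flagged list is what a blocking policy (a firewall rule, a WAF rate limit) acts on; the second list is the one worth an alert to a human, because a login that succeeds right after a run of failures is the case the threshold alone never catches.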
  41. Know your enemy: should we just wait for the attacker to find the right path? Attack information must be collected and analyzed; you have to understand who the attacker is and what their goal is.
  42. And then… Shit happens! Make sure your governance level is granular enough to understand what's happening; you have to know what the system is doing and not just that it is "working"; and if everything has been fucked up, the keywords are: backup, restore, disaster recovery plan.
  43. Magento security and hardening strategies. Andrea Zwirner, andrea@linkspirit.it, @AndreaZwirner. Linkspirit – Information security.
