What could possibly go wrong? Security in Magento Shops

  1. What could possibly go wrong? Security in Magento Shops • Andreas von Studnitz • integer_net (Aken / Germany) • Consultant / Developer / Trainer / CEO • Specialist for Magento and Solr • @avstudnitz
  2. Real Life Example • One line of code added • Reads all requests in admin and checkout areas • Encodes and stores data in media/cache_6e0a32[…]d53ee065da
  3. Real Life Example • Active for 6 months! • 5,628 datasets (email address, name, telephone) • 1,612 passwords • All admin usernames and passwords
  4. Overview Consequences of Attacks Types of Attack Prevention
  5. What can possibly go wrong? Consequences of Attacks
  6. www.ibm.com/security/data-breach/
  7. Stolen User Data
  8. Stolen Login Data
  9. Stolen Payment Data
  10. This guy lost more than $50,000 in a data breach
  11. Server Attacks
  14. How can this happen with Magento? Vulnerabilities
  15. Magento Unpatched • Neither installed the latest version • Nor applied important security patches • (Insecure PHP version)
  16. Example: Shoplift Bug (patched February 2015)
  17. Magento shops vulnerable to Shoplift: 50,581 (out of 255,558) • Source: byte.nl, April 2016
  18. Weakly secured Admin Area • http://magento.site/admin/ • http://magento.site/downloader/ • Username “admin” • Low security passwords
  19. What can an Attacker do with Admin Access? (1) • 1. Log in • 2. Upload a custom extension in the Magento Connect Manager (downloader)
  20. What can an Attacker do with Admin Access? (2) • 1. Log in • 2. Inject custom JavaScript in System => Configuration
  22. Security issues in extensions • Custom or purchased extensions • SQL Injection, XSS, … • Backdoors • Installation service
  23. How can I prevent Attacks?
  24. 1. Follow basic Guidelines • Update Magento and PHP • Secure the admin area • Subscribe to the security mailing list
  25. 2. Check your Site
  26. 3. Do security reviews • Severe security issues found in more than 50% of my reviews
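The checks below turn three of the talk's points into something you can run during a review: the default /admin/ path and the "admin" username from slide 18, and the JavaScript injected through System => Configuration from slide 20, as part of the "check your site" step on slide 25. This is an added example, not code from the talk or from integer_net. It assumes the Magento 1 layout: the admin front name in app/etc/local.xml (falling back to "admin" when unset), admin accounts in the admin_user table, and the Miscellaneous Scripts field stored in core_config_data under design/head/includes (the footer paths listed alongside it are assumptions too). The XML fragment and table rows are constructed sample data, so the script runs offline against exports rather than a live shop.

```python
"""Offline checks for the admin-area weaknesses listed in the talk (Magento 1 layout assumed).

Inputs are the contents of app/etc/local.xml, rows from the admin_user table and
rows from core_config_data, so the script can run against exports with no DB access.
All sample data below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed app/etc/local.xml fragment (a real file also carries DB credentials).
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""

# Constructed admin_user rows (only the columns the check needs).
SAMPLE_ADMIN_USERS = [
    {"username": "admin", "is_active": 1},
    {"username": "jdoe", "is_active": 1},
    {"username": "Admin", "is_active": 0},  # disabled account, so not reported
]

# Constructed core_config_data rows: (path, scope, scope_id, value).
SAMPLE_CONFIG_ROWS = [
    ("design/head/includes", "default", 0,
     '<link rel="stylesheet" type="text/css" href="/skin/frontend/custom.css">'),
    ("design/head/includes", "stores", 2,
     '<script>document.write(String.fromCharCode(60,115,99,114,105,112,116));</script>'),
    ("design/footer/absolute_footer", "default", 0, "<!-- footer -->"),
    ("general/store_information/name", "default", 0, "Demo Store"),
]

# Assumed config paths under System => Configuration => Design that accept raw HTML.
HTML_CONFIG_PATHS = ("design/head/includes", "design/footer/absolute_footer",
                     "design/footer/copyright")
# Anything executable in those fields deserves a look; obvious obfuscation is flagged too.
SCRIPT_PATTERN = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:|eval\(|atob\(|fromCharCode", re.I)


def admin_front_name(local_xml: str) -> str:
    """Return the admin URL front name; Magento 1 falls back to 'admin' if unset."""
    root = ET.fromstring(local_xml)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    text = (node.text or "").strip() if node is not None else ""
    return text or "admin"


def admin_path_is_default(local_xml: str) -> bool:
    """True when the backend lives at /admin/, the first URL an attacker tries."""
    return admin_front_name(local_xml) == "admin"


def default_admin_usernames(users) -> list:
    """Active accounts literally named 'admin' (case-insensitive)."""
    return [u["username"] for u in users
            if u["is_active"] and u["username"].lower() == "admin"]


def injected_scripts(rows) -> list:
    """(path, scope, scope_id) of HTML config fields that carry script-like content."""
    return [(path, scope, scope_id) for path, scope, scope_id, value in rows
            if path in HTML_CONFIG_PATHS and value and SCRIPT_PATTERN.search(value)]


def audit(local_xml: str, users, rows) -> list:
    """Human-readable findings; an empty list means none of the three checks fired."""
    findings = []
    if admin_path_is_default(local_xml):
        findings.append("admin area reachable at the default /admin/ path")
    for name in default_admin_usernames(users):
        findings.append(f"active admin account with default username '{name}'")
    for path, scope, scope_id in injected_scripts(rows):
        findings.append(f"script-like content in {path} ({scope}/{scope_id}); review it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOCAL_XML, SAMPLE_ADMIN_USERS, SAMPLE_CONFIG_ROWS):
        print("FINDING:", line)
```

A hit in injected_scripts is a review item, not proof of compromise: legitimate tracking tags live in the same field, so compare each flagged value against what the shop owner actually put there, and treat a store-view override the owner does not recognise as the interesting case.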
  27. Q & A • Please contact me! • @avstudnitz • avs@integer-net.com • @integer_net • www.integer-net.com