When I first met the expression “ethical hacker”, I grinned. It sounded to me like “humane murderer”. Googling its meaning, I found myself at an Oxymoron List, where such terms as “Good morning”, “Customer Satisfaction” and even “Marketing strategy” are listed as oxymora.
Well, if good mornings and marketing strategies are phenomena one may never meet, to my surprise ethical hackers do exist. They are also referred to as white hats: experts who attack a system on behalf of its owners, looking for vulnerabilities that a malicious hacker could exploit. Oh, if only all hackers were that “ethical”…
Unfortunately, they are not. Day after day site owners have to stand against this evil. And when IT experts go over to the Dark Side, what they are after is, obviously, not only the cookies…
Why does everyone and their uncle keep trying to break into your store?
- The Internet lets attackers stay anonymous and keep the source of their attacks untraceable (at least, beginner hackers think so).
- A young but ambitious hooligan may treat it as the perfect challenge for his skills. Passion is what moves him. But even if his goals are rather innocent, the site owner still bears the losses.
- Attacking a store can be as “productive” as taking a gun and robbing a bank, but requires far less effort. The sophisticated attacker finds a vulnerability in a widely deployed piece of software (say, a particular version is vulnerable to SQL injection or XSS) and tries to exploit it wherever that software runs. Given there are thousands of installations online, what is the probability that some administrator forgot to apply the patch? The hacker can even automate the checks and patiently wait for results.
- What they really need is money. To be exact, the digital wallets of your customers. Since financial transactions are the backbone of eCommerce, an online store is a prime target.
Your site represents a complex system where several components interact with each other:
- Web application
- Users (Admin and Customers)
- Network connection (between Shopper/Admin and Website’s server)
This system is like a house, with front and back doors, windows, and walls. Depending on your attention to detail (or slovenliness) in security matters, you may have steel doors and a burglar alarm installed, or leave the front door and all the windows wide open. But even if you are sure you have closed all the doors (say, you ran a security check and the report returned no problems), you can never relax. The system is ever changing, and because of a single tiny fault all your effort may be flushed down the drain.
What “tiny faults” am I talking about?
1. You’ve hired an amateur developer.
You hired a programmer who hurried to deliver the functionality according to the specification and on time. He managed to, but in the rush (or for lack of skill) he left a “hole” in the wall of your “house”, and the hacker is already there, trying to squeeze through it.
2. You applied security patches far too late.
You do monitor security updates from your software vendors, but you (or your webmaster) were on vacation when the latest email arrived, so you set the task aside… Meanwhile the malefactor is already scanning for sites and servers that are not patched yet.
3. You use FTP.
Your hosting provider still uses plain FTP for transferring files. PCI compliant servers have long since stopped offering FTP in favor of secure protocols (SFTP, FTPS, or SCP over SSH). But because secure FTP servers are harder to set up and administer, or because of the inevitable complaints from clients who do not have the proper software installed to use SFTP, some hosting providers still allow its insecure predecessor, traditional FTP. By default FTP transmits everything, including your username and password, completely in the clear, and thus provides no security at all. And our bad guy is there on the wire, eavesdropping on the session and planning how to bypass your burglar alarm.
4. You shared your passwords with colleagues.
You or your employees tend to use the same credentials for several accounts: email, the admin area of the store, a couple of forums, the Facebook page and the Twitter account. Moreover, I have seen a person who set the same password for MySQL, FTP and even root SSH access. It is like locking the door and hanging up clear instructions on where to find the key.
Once at least one of these accounts is compromised, the others are exposed too, and it is only a matter of time before the hacker opens the door with the keys you left for him.
5. You use shared hosting.
You are a startup, and you cannot afford an expensive dedicated server or VPS. Instead, you use the cheapest possible shared hosting. Do you know who your neighbors are? Are you sure their accounts, together with all the software they host, are secure? I bet you are not. And once their account is compromised, you are in the risk group too: if the isolation between accounts on that server is weak, an attacker who owns your neighbor's account can reach your files as well.
6. You take advantage of free Wi-Fi.
Your laptop is always with you, and free Wi-Fi is tempting. Why not combine business with pleasure, have a cup of cappuccino in a relaxing atmosphere and check whether there are any new orders? You may forget that many wireless hotspots are completely unencrypted, simply because they are easier to connect to (baristas do not want to hand out the Wi-Fi password to everyone who walks in). This leaves you exposed to malicious users in the same coffee shop. So you type in your username and password… and the eavesdropper has already saved them. On an open network anything you send over plain HTTP or to an FTP server can be read by anyone in range; only an encrypted (HTTPS or SSH) connection to the store protects the credentials.
7. Your username is pretty standard, and password is weak.
A brute-force or dictionary attack against the admin login, in which the attacker simply tries passwords one after another, may well succeed, especially if the username is the default “admin”, the password is short, and nothing on the server slows down or locks out repeated failures.
8. Keyloggers and spyware are up-and-doing.
Even if your site, server and accounts are secure, you may still suffer from malicious activity: a keylogger or spyware on your customer’s computer lets a criminal steal credit card details and place fraudulent orders in your store. If you do not detect the fraud and hurry to ship the goods, you will simply be out the inventory and the money once the chargebacks are processed.
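Item 7 above (a guessable username plus a weak password) is the easiest fault to spot from the server side, because a brute-force attempt leaves a very characteristic trace: one address posting to the login form over and over. The script below is an added example, not X-Cart code, and the log lines it analyses are constructed; it assumes the admin login is a POST to `/admin.php` (change `LOGIN_PATH` to your store's real admin URL) and that the web server writes the common Apache/Nginx "combined" log format. It flags any source address that posts to the login endpoint ten or more times inside a sliding sixty-second window.

```python
"""Spotting a brute-force attack on the admin login in web-server access logs.

Added example; not X-Cart code, and the log lines below are constructed.  It
assumes the admin login is a POST to /admin.php (adjust LOGIN_PATH to the real
path of your store) and that the log is in Apache/Nginx "combined" format.
Lines are assumed to be in time order per source address, as a real log is."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/admin.php"          # assumption: the admin login form posts here
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Pull the fields we need out of one combined-format line; None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TIME_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def brute_force_sources(lines, login_path=LOGIN_PATH,
                        window=timedelta(seconds=60), threshold=10):
    """Return {ip: time_first_flagged} for addresses that POSTed to the login
    endpoint `threshold` or more times within any `window`-long sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"].split("?", 1)[0] != login_path:   # ignore the query string
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:                  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def _line(ip, second, method="POST", path=LOGIN_PATH, status=200):
    """Build one constructed combined-format log line (10 Oct 2016, 10:00:SS UTC)."""
    return (f'{ip} - - [10/Oct/2016:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one address hammers the login form every two seconds,
# a legitimate admin views the form once and logs in once (302 redirect).
SAMPLE_LOG = [_line("203.0.113.5", 2 * i, path="/admin.php?target=login") for i in range(12)]
SAMPLE_LOG += [
    _line("198.51.100.7", 5, method="GET", path="/admin.php?target=login"),
    _line("198.51.100.7", 9, status=302),
    "garbage that is not a log line",
]

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, threshold crossed at {when:%H:%M:%S}")
```

Run it against a real log with `brute_force_sources(open("/var/log/apache2/access.log"))`; the same sliding-window logic is what tools such as LFD apply to failed-login messages, and the flagged addresses are exactly what you would feed into a firewall block rule.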
Prevention is better than cure
If the hacker’s attempt succeeds, along with losing money you are also saying goodbye to your perfect reputation, losing loyal customers and thus sales, and to finish you off Visa may pay a visit, after which you pay penalties. It is not fun at all, at least for the merchant, who feels furious, or upset, or both.
That is why you should start working on security hardening right now (and keep working on it daily!). But what can you set against ubiquitous hackers?
Actually, you do have something up your sleeve.
1. An external website monitoring service is widely used, so that you, not your customers, are the first to know about a problem on your website. When something breaks (and, as Murphy’s Law reads, anything that can go wrong will, at the worst possible moment), you are alerted immediately. Thus you can quickly notify customers about the temporary problem and proceed with the investigation and the fix.
This is exactly what the OSSEC host-based intrusion detection system offers. In addition to real-time analysis of your system’s security events and server uptime monitoring, it keeps an eye on the file system, reporting modifications to core X-Cart files (you can even view the diff) as well as permission changes. You then either approve the changes or restore the previous version. This means that even if a malicious person has modified the files, you will notice it right away and fix the problem BEFORE your customers are harmed. I believe this tool is one of the best safeguards a store owner could wish for.
Another useful tool is the X-Cart integrity check, which helps you keep the data structures in your store’s MySQL database consistent. For example, if you add a new product but fail to add a price for it, MySQL will not be able to select the data properly. This tool detects such flaws in the database.
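To make the file-system part of that concrete: what OSSEC’s file integrity check does is take a baseline of every file (hash plus permission bits), then periodically walk the tree again and report anything added, removed, rewritten or re-permissioned. The script below is an added example in the same spirit, not OSSEC or X-Cart code; it assumes you point it at the store’s document root and that the baseline is kept somewhere the web server cannot write (OSSEC additionally keeps a copy of the old file so it can show a diff, which this example omits). The `demo()` function builds a small constructed store tree, tampers with it the way an intruder would, and returns the report.

```python
"""Minimal file-integrity baseline, in the spirit of OSSEC's syscheck.

Added example, not X-Cart or OSSEC code.  Assumes the store lives in the
directory passed as `root`; the baseline file should live outside the web
root and ideally on another host, so an intruder cannot rewrite it too."""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    """Hash a file in chunks so large media files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record sha256, permission bits and size for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope for this example
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": _sha256(full),
                             "mode": stat.S_IMODE(st.st_mode),
                             "size": st.st_size}
    return baseline


def compare(old, new):
    """Classify differences between two snapshots: added, removed, modified
    (content changed) and mode_changed (e.g. a file made world-readable)."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
        "mode_changed": sorted(p for p in common if old[p]["mode"] != new[p]["mode"]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed mini store: take a baseline, tamper with the tree, report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        os.makedirs(os.path.join(root, "include"))
        for rel, body in {
            "index.php": "<?php echo 'shop'; ?>\n",
            "include/func.php": "<?php function price($p) { return $p; } ?>\n",
            "config.php": "<?php $db_pass = 'secret'; ?>\n",
        }.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "config.php"), 0o600)
        baseline_path = os.path.join(vault, "baseline.json")   # outside the web root
        save_baseline(snapshot(root), baseline_path)

        # Simulated intrusion: code appended to a core file, a hidden file dropped,
        # and the config file's permissions loosened.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<?php /* injected */ ?>\n")
        with open(os.path.join(root, "include", ".cache.php"), "w") as fh:
            fh.write("<?php /* dropped by attacker */ ?>\n")
        os.chmod(os.path.join(root, "config.php"), 0o644)

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production you would run `snapshot()` once right after a clean install or upgrade, store the result with `save_baseline()`, and re-run the comparison from cron; every entry in `modified` that you did not make yourself deserves the same treatment OSSEC gives it, namely approve or restore.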
2. Prove that you are a human being, and let your customers do the same, with Google reCAPTCHA for X-Cart 4 and for X-Cart 5, which provides extra protection from bots and spam. It is quite straightforward for your customers, as they do not need to decipher symbols or pick “images with street signs”: just one click and they are ready to move on.
3. Two-factor authentication (when, in addition to your login details, you must supply a one-time passcode that is sent to you by SMS or push notification, or is shown in a mobile app) is more and more common nowadays. You may already benefit from Google’s 2-Step Verification in Gmail, you are encouraged to connect your MailChimp account with AlterEgo, the Login Approvals feature is available in Facebook, and PayPal adds an extra layer of protection to your account by means of the “PayPal Security Key”.
This feature is also available in X-Cart: all you need is the Two-Factor Authentication module for X-Cart 4 ($99.00) or the free one for X-Cart 5. The module requires an account with Authy, and the free plan, which includes up to 100 logins per month, is more than enough to secure the admin accounts of your store!
4. When did you last back up your file system and database? If it is not part of your routine, this article is for you. Once the site has been destroyed by a hacker, it may be too late.
Luckily, we have ready-made modules for both X-Cart versions: the CloudBackup module for v4 ($99.00) and Backup Master ($49.00) for X-Cart 5, so you do not have to carry out complicated backup operations yourself. You press the button, and a dump of your website database is created and included in the backup file. The modules are particularly useful when upgrading your store from one version to another, to preserve all the valuable information. What is more, those who host their stores with us enjoy automatic daily backups. Whatever tool you use, keep the copies somewhere other than the web server itself and check now and then that they actually restore: a backup that sits next to the site is wiped together with it.
5. Catching fraudulent orders is a good preventive measure if you want to decrease chargebacks. Three options are available: the built-in AntiFraud Service Connector (best for merchants selling digital goods) and two top-notch fraud prevention services accessible through X-Payments, NoFraud and Kount.
The first one is built into X-Cart, so you will find it in your admin area straight after you install and register your copy, be it free or paid. All you need is to purchase a package of requests. The price starts from $49 a year (not much for top-level protection, right?), plus you get 30 requests for free at the start to test how it works. The module uses an algorithm that calculates a fraud risk factor and returns a value from 0 to 10. It takes into account such criteria as address match, IP distance, order total, and even the email address and previous orders placed by this customer.
Another way to combat online fraud is to enable the NoFraud add-on built into X-Payments. Its technology, a fusion of machine learning and human review, reduces fraud to below 0.01% according to the vendor. You will all but forget that fraudsters exist.
Here are some of the techniques behind its fraud detection: device fingerprinting to gather the “root” info about the customer, IP geolocation and proxy piercing to check payments against the customer’s real location, intelligent monitoring to flag past transactions as fraudulent when new data becomes available, identity verification by pulling data from social media databases, global customer blacklist monitoring… and many other ways to detect scammers. The good news is that a free trial is available too.
The Kount fraud prevention service connector is here to beat fraud and maximize sales opportunities, and it also requires X-Payments. Starting from X-Payments v2.2.0 this refined module is built in, so you will not even have to struggle with installation, just enable it in your admin back-end. Our statistics show that bottom-line sales grow by an average of 2.2% to 5.8% after implementation.
6. This paragraph is about PCI compliance, which is a must for ALL organizations and merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
Starting from X-Cart version 4.5.x (let alone our brand new X-Cart) the ability to collect and store credit card details was completely removed from the X-Cart code, and the admin can either select web-based payment integrations, where the customer is redirected to the payment gateway’s site to enter this sensitive info, or use the PA-DSS certified payment solution X-Payments. If you use an older version, you should apply the PCI patch. What does it give you? Even if the store IS compromised, the stored data contains no card numbers, because your application never touches them. (An intruder can still tamper with your checkout pages to capture card details before the redirect, which is exactly why the file integrity monitoring described above matters.) Our partner Comodo offers PCI scans, aimed at finding the security problems of your server and application. If you host your store with us, lucky you: our hosting gurus perform these PCI compliance scans on a quarterly basis. Note, though, that this is available only to Enterprise plan subscribers.
7. Now about the #1 thing: PHP 7. Have you heard about it? If not, shame on you; here you will find a webinar recording and PDF slides on the topic. Alex Dyachkov, Head of X-Cart Hosting and Tech Support, explains the essence of using PHP 7 for your business. To put it simply, this is the first major release of PHP in over a decade, and making your store PHP 7 compatible will greatly reduce memory consumption and boost the speed of your servers; it also keeps you on a branch that still receives security fixes, which end-of-life branches such as PHP 5.5 and earlier no longer do. Let me say it again: I strongly recommend that you make your store PHP 7 compatible. Just make sure you have applied the compatibility patches if necessary.
8. Host your store in a secure place. The very same article (see the passage above) centers around the Dirty COW vulnerability, a privilege escalation bug in the Linux kernel (CVE-2016-5195). This “unclean” animal lurked in the kernel code for more than 9 years, and lots and lots of servers are at risk now. Something tells me there will be more such “holes” in the near future, so you (or your hosting engineers) should work hard to patch them all in a timely manner. Or, a sure-fire option, host your store on our fully managed VPS hosting, which is already patched against this “filthy” hole and is kept up to date as new threats appear.
9. HTTPS (SSL/TLS) is also about security. The protocol is designed to secure all sensitive data in transit, such as credit card transactions, logins, and other personal data passed from your customers’ browsers to your store. It does so with encryption, integrity checking and authentication of the server, which protects your store from “man in the middle” attacks. Apply it to the whole site, not just the checkout, and above all to the admin area; otherwise the admin session cookie still travels in the clear. Google takes HTTPS seriously, and so should you; here is why.
How much does your security cost? Don’t be penny-wise and pound-foolish.
As you may understand, none of the solutions listed above, used on its own, can be treated as a silver bullet. Security is a complex task where each component matters.
1. Use reliable hosting. Better still, a PCI compliant one.
2. Don’t install software from an unverified vendor. Only trusted developers!
3. Make sure RIGHT NOW that your software (server-side software and web applications) is up to date, or at least that all security patches are applied.
4. Use secure server connections (SFTP or SSH instead of FTP, HTTPS instead of HTTP) and secure networks.
5. Change ALL your passwords regularly, use strong alphanumeric passwords, and never reuse one password across accounts.
6. Install antivirus on the PC of EVERY admin who manages the store.
7. Set up firewall rules, so that only the ports you actually need (HTTP/HTTPS, and SSH from known addresses) are reachable.
8. Monitor your server uptime and keep a close watch on what happens on it. Anything strange (new files, or new pieces of code in existing files, appearing when you changed nothing; traffic suddenly increasing dramatically; new types of PHP/MySQL errors recorded in the server log; new admin accounts appearing) may be a symptom that your website has been hacked. You can use, say, Watchlog and the Login Failure Daemon (LFD) to analyze log files. The following programs are helpful for monitoring file system changes: RKHunter, debsums or yum-verify (for system files), and Git (for application and configuration files).
9. Make sure you don’t collect and store credit card details, or that you do it in a secure way, say, via X-Payments.
10. Scan your store for the POODLE vulnerability, which affects an older encryption standard, Secure Sockets Layer version 3. Use an SSL server test tool (Qualys SSL Labs, for example) to find out whether SSLv3 is already disabled. If not, remove SSLv3 in favor of TLS; it is more secure. A variant of POODLE also works against some TLS 1.0 and TLS 1.1 implementations that do not properly check CBC padding, and PCI DSS has since required early TLS to be retired anyway, so make sure both are disabled too, leaving TLS 1.2 (and TLS 1.3 where available).
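If you would rather run the protocol check from item 10 yourself than paste your hostname into a web form, the script below does the core of what such a test does: it attempts one handshake per protocol version, pinned to exactly that version, and reports which weak versions the server still accepts. It is an added example written with Python’s standard `ssl` module, not the SSL Labs test or an X-Cart tool; it assumes the store answers on port 443. One caveat it handles explicitly: a modern OpenSSL build usually cannot even offer SSLv3, in which case the probe reports that version as “untestable” rather than falsely reporting it disabled. The `simulated()` helper stands in for the network so the reporting logic can be exercised offline.

```python
"""Which SSL/TLS protocol versions does your store still accept?

Added example, written with Python's standard ssl module; not the SSL Labs
test or an X-Cart tool.  Assumes the store listens on port 443.  If the local
OpenSSL cannot offer an old version (normal for SSLv3), that version is reported
as None ("untestable") instead of being mistaken for "disabled on the server"."""
import socket
import ssl

# Oldest first.  Everything in WEAK should be refused by a hardened server.
PROBES = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
WEAK = {"SSLv3", "TLS 1.0", "TLS 1.1"}


def handshake(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    True: server negotiated it.  False: server refused it.  None: this client
    cannot offer that version, so nothing can be concluded about the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # probing protocol support, not the certificate
    try:
        ctx.minimum_version = version  # set the floor first so max is never below min
        ctx.maximum_version = version
    except ValueError:
        return None                    # local OpenSSL was built without this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return None                # client-side refusal, same as above
        return False                   # server rejected the version (handshake alert)
    except OSError as exc:
        raise RuntimeError(f"cannot reach {host}:{port}: {exc}") from exc


def probe(host, port=443, do_handshake=handshake):
    """Map each version name to True/False/None; `do_handshake` is injectable."""
    return {name: do_handshake(host, port, version) for name, version in PROBES}


def verdict(results):
    """Split probe results into what must be disabled and what could not be checked."""
    order = [name for name, _ in PROBES]
    still_enabled = [n for n in order if n in WEAK and results.get(n) is True]
    untestable = [n for n in order if n in WEAK and results.get(n) is None]
    return {"disable": still_enabled, "untestable": untestable, "ok": not still_enabled}


def simulated(accepted, untestable=()):
    """Stand-in for `handshake`: a pretend server that accepts the named versions."""
    names = {version: name for name, version in PROBES}

    def fake(host, port, version, timeout=None):
        name = names[version]
        return None if name in untestable else name in accepted
    return fake


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = probe(host)
    print(results)
    print(verdict(results))
```

Run it as `python tlsprobe.py shop.example.com` (the file name is an assumption) and fix anything listed under `disable` in your web server’s protocol configuration, then re-run. A server that answers `ok: True` still needs a proper cipher-suite review, which is beyond what this probe checks.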
If you do not brush these recommendations aside, but follow them closely, you may reach a level of security high enough to make it clear to the “burglar” that he had better try another “house”, not your “fortress”.
And may all your mornings be good, hackers — ethical, customers — satisfied! 😉