Cyber Security Advice.

[Matthew Beddoes]

Over the past six months I have had clients who's websites were hacked into and confidential information stolen.

If you have an eCommerce based website I have the following advice.

• Encrypt everything in the database, even the most insignificant information could be useful to an attacker. Think about how much email lists are worth, or contact details to your clients.

• Regular security testing can prevent %90 of cyber attacks on your website or network as you can locate potential attack vectors before hackers or your rivals do.

• Updating your website plugins and themes are crucial for wordpress or drupal websites as in this day and age they can contain security vulnerabilities useful to an attacker.

• If possible replace prices with images as this will stop scrapers from logging your prices so your rivals can undercut you.

• Use strong passwords and strong password encryption and hashes as md5 / sha can easily be broken. I suggest the use of SHA512 hashes and AES encryption.

By following this advice your business will be protected from MOST attacks. I hope this helps.

 

[antropy]

Best bit of advice here?

• Use strong passwords

That means a password like this: txNCPBEUSm7SWXC

From somewhere like: https://strongpasswordgenerator.com/

Use it on FTP, the admin area, the database.

N.B. Encrypting the whole database would be pointless because to read the data back out you'd need to store the key somewhere in the code anyway.

 

[fisicx]

I've read in numerous places that using symbols, upper and lover case and numbers makes no difference. Hackers use scripts that run through all keyboards symbols anyway so making it hard to remember makes little difference. Making it longer will slow things down but the best protection is to block brute force attacks.

 

[andygambles]

Encrypting everything in the database is pointless since it must be possible to decrypt to make the data useful.

With passwords you should be using a one way hash so they can not be decrypted. Card details you can just store tokens provided by your payment provider rather than card numbers.

Your Database should have no external access from the internet. Internal network IP's only.

FTP should be disabled when not in use and when in use restricted by IP. FTPS for more security.

Use web services to call your database records rather than direct DB calls. This restricts what a hacker can obtain if they manage to circumvent your site security using.

Build queries within the database or using web services. Reduces the ability for attackers to amend queries and obtain data they shouldn't see.

Have multiple DB usernames which provide different levels of access. For example the shop frontend probably only needs access to load prices. It doesn't need access to the whole database.

Utilise scans to identify potential XSS and CSRF vulnerabilities. These can be provided by reputable security firms.

There is a lot more but then you would need to hire us

 

[antropy]

I've read in numerous places that using symbols, upper and lover case and numbers makes no difference.

Well, you don't need to read anything anywhere to see that it does make some sort of difference, you just need to do some basic maths - if you use 26 letters, upper and lowercase you have 52 possibilities for each character.

If you also use symbols you have a whole load of extra possibilities which mean the number of possible passwords increases exponentially. That means the amount of time/processing power you'd need for a brute force attack increases exponentially.

making it hard to remember makes little difference.

I'd disagree. If you can remember your password (and your name isn't Dominic O'Brien), it's probably not strong enough.

I do agree though that you should block brute force attacks in the first place.

 

[antropy]

Encrypting everything in the database is pointless since it must be possible to decrypt to make the data useful.

With passwords you should be using a one way hash so they can not be decrypted.

Exactly that. Which makes me doubt the OP is a "Cyber Security Specialist with a past" lol

Card details you can just store tokens provided by your payment provider rather than card numbers.

Or just don't even store these at all.

 

[Matthew Beddoes]

Yes the password will need to be stored somewhere for the data to be decrypted however it would protect your data from being read remotely. An attacker would need to locate a vulnerability that would give him access to the file system and then steal the decryption keys.

However if the database is not encrypted fully, then if the website has an SQL injection vulnerabiltiy then they can pull the data in clear text.

Dont just think about protecting credit card or payment data, think about protecting your clients contact details, your suppliers details and anything that would give your competition an advantage. BTW if you doubt my past google.

 

[fisicx]

....anything that would give your competition an advantage.

Are you suggesting my competitors are involved in hacking?

 

[antropy]

Yes the password will need to be stored somewhere for the data to be decrypted however it would protect your data from being read remotely. An attacker would need to locate a vulnerability that would give him access to the file system and then steal the decryption keys.

However if the database is not encrypted fully, then if the website has an SQL injection vulnerabiltiy then they can pull the data in clear text.

Fair point!

Dont just think about protecting credit card or payment data, think about protecting your clients contact details, your suppliers details and anything that would give your competition an advantage. BTW if you doubt my past google.

Wow okay, I take it back haha, I thought your first post might be the forum/blog spam type post we sometimes get here but apparently not! Welcome to the forum!

 

[fisicx]

If you also use symbols you have a whole load of extra possibilities which mean the number of possible passwords increases exponentially. That means the amount of time/processing power you'd need for a brute force attack increases exponentially.

Not sure that is the case, most people use the characters and numerals on their keyboard so the 52 would increase to about 80. Not a huge increase in processing. My password could be something like: plausibilesheetwobbler. This would take as long to crack as the shorter /P!3ad_78#.

 

[andygambles]

However if the database is not encrypted fully, then if the website has an SQL injection vulnerabiltiy then they can pull the data in clear text.

If the data is obtained via SQL Injection then it doesn't matter if it is encrypted as the query will most likely just decrypt it.

I'm not saying encrypting the database is a bad thing just that it gives a potential false sense of security.

 

[antropy]

I've read in numerous places that using symbols, upper and lover case and numbers makes no difference.

Not sure that is the case, most people use the characters and numerals on their keyboard so the 52 would increase to about 80. Not a huge increase in processing.

Let's do the maths:

Using just upper and lower with 5 chars:
52 x 52 x 52 x 52 x 52 = 380204032
80 x 80 x 80 x 80 x 80 = 3276800000

Meaning using upper and lower gives 2,896,595,968 (nearly 3 billion) more combinations, and this increases dramatically the more characters you have.

Your example "plausibilesheetwobbler" is 22 chars long but is only lower case so it would be: 13,471,428,653,161,600,000,000,000,000,000 in theory but it contains just 3 words making it susceptible to a dictionary attack:
https://en.wikipedia.org/wiki/Dictionary_attack

Assuming there are about 2m words, that would give: 2m x 2m x 2m =
8,000,000,000,000,000,000 = 8 quadrillion possibilities, so pretty secure.

There are some other drawbacks though - if someone saw your password even for a few seconds they could easily remember it, and if they saw most of the characters somehow, perhaps with a man in the middle attack, they could probably guess the rest.

I must admit, the 3 dictionary words appear more secure than I at first thought.

 

[Matthew Beddoes]

For a nice long password think about using a song lyric with spaces with a space at the end. Alot of hackers get confused by this.

 

[antropy]

The only problem with that is when you phone up your bank and they ask you for your password and you start singing

 

[Matthew Beddoes]

Are you suggesting my competitors are involved in hacking?

In my past my biggest clients have been businesses wanting the supplier/customer database. So yes they could be.

 

[fisicx]

For a nice long password think about using a song lyric with spaces with a space at the end. Alot of hackers get confused by this.

Spaces at either end - I like this idea.

 

[fisicx]

The only problem with that is when you phone up your bank and they ask you for your password and you start singing

I get emails from my bank saying my account has been compromised so I don't need to call them, I just click on the myacccounthasbeenhacked.com link and they can check to see if the money from Nigeria has been deposited.

 

[andygambles]

In my past my biggest clients have been businesses wanting the supplier/customer database. So yes they could be.

This is much more prevalent than many realise.

 

[edmondscommerce]

passwords - https://xkcd.com/936/

 

[fisicx]

Randall's never been wrong before.

 

[Matthew Beddoes]

I prefer to use either song lyrics or a phrase, as the most common way to brute force a password is dictionary attack where an attacker will fill a file with common passwords and check each one. By using a phrase with spaces or special characters there is not really any chance of an attacker finding it.

 

[Matthew Beddoes]

If someone calls you from your bank, cloud or anything, ask for their name and hangup and call them directly quoting the name.

 

[KM-Tiger]

If someone calls you from your bank, cloud or anything, ask for their name and hangup and call them directly quoting the name.

Yes, but there is a well known scam where the caller does not hang up and therefore holds the line open, ready to answer with the correct name.

Wise people will ensure they hear a dial tone, but many do not.

 

[Matthew Beddoes]

Then wouldnt that be a provider issue nothing you can really do about that.

 

[DoubleSpeed]

My advice would be to not use open source software in a commercial site.

 

[Matthew Beddoes]

Open source software has thousands of people going through the source code, commercial software does not. Thats how i see it I prefer a community behind the software.

 

[fisicx]

My advice would be to not use open source software in a commercial site.

Why?

 

[Matthew Beddoes]

So the bugs can be located and fixed before attackers, think about it. It does not mean your commercial software is safe because it might not withstand blackbox testing. If a problem is located it would take longer for a patch in commercial software.

 

[fisicx]

Exactly. Which is why DoubleSpeed is wrong. Some open source software might be dodgy but I'd rather use a well supported product than something bespoke created by an inhouse team.

 

[Matthew Beddoes]

Look at wordpress or drupal as a prime example, they have been around for a while. They are open source and because the code has been analysed, they have found the majority of the bugs. Its third party plugins and themes that are the problems not the framework.

 

[Matthew Beddoes]

If you look at exploit-db.com you will find exploits for various web frameworks. My suggestion would be to keep an eye out forsoftware you are using and then take action when an exploit appears. Usually each exploit has a mitigation which you can implement and sometimes its just a case of updating the system.

 

[Matthew Beddoes]

Once I work out why php isnt working properly on my host, i will test it out and let you guys know what I find.

 

[edmondscommerce]

My advice would be to not use open source software in a commercial site.

lol trying to start a flame war?

open source software powers the vast majority of commercial sites

 

[DoubleSpeed]

My opinion on this is driven by experience and having seen (and had to deal with the aftermath of hacked open source sites), as the code is open source as you all know its freely available to everyone including people with malicious intent i.e. hackers. Having full access to the source code enables them to very easily spot security holes. This is really very efficient for hackers as they then send out automated software searching across the internet for vulnerable sites and to break into them on mass either just take the site down or inject Advertising, malicious code, spyware, Trojans that then infect visitors to the site.

Lets be clear I'm not saying that commercial software is any more secure than open source what I am saying is you are not giving the keys to the city to the hackers when using commercial software the hackers have to try to find any vulnerability rather than just being able to examine code line by line.

 

[Matthew Beddoes]

Actually I dissagree, Attackers can attack ANY platform regardless of if its open or closed source. To me the availablility of the sourcecode allows security specialists analyse the source themselves and find potential problems before attackers do. Im not saying its infaliable im just saying if we cant see the source then there is more chance of an attacker finding problems before the specialists.

 

[edmondscommerce]

I suspect most hacks are now discovered by automated tools that can either perform static analysis of the code (open source for example) or, more likely, scan a live website directly for vulnerabilities.

Open source is of course more suspecptible to the first, but arguably has better defence against the second.

 

[Matthew Beddoes]

Thats true in alot of cases however automated scanning is just a stage in the process.