Loaded Commerce Community

Board index » CRE Loaded Support » CRE Loaded 6.2

All times are UTC - 5 hours




 Post subject: Why the CRELOADED system is easy to virus?
PostPosted: Fri Jun 17, 2011 10:34 pm 
CRE Addict

Joined: Wed Nov 21, 2007 4:24 am
Posts: 176
Location: ShenZhen China
I have found that many CRE Loaded websites are easy to infect with viruses.

Code is often modified by hackers.

I would like to know which version of it would be better, so that it is not easy for hackers to change?


What about the new CE?

_________________
MSN: creloaded6@hotmail.com
EMAIL: creloaded6@hotmail.com


 Post subject: Re: Why the CRELOADED system is easy to virus?
PostPosted: Sat Jun 18, 2011 4:37 am 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 2402
Location: New Zealand
Security depends on many things, and not just the cart software itself.

Some people use very weak passwords or don't rename the admin folder (or, better yet, put the name of the renamed admin folder in robots.txt). You're at risk if you haven't upgraded to the latest version or patch (not just the cart but also the server technologies), don't do routine checks of folders, keep all default settings and extra language folders, or don't use htaccess rules, htpasswds and/or IP blocks. You can make yourself a target by running, e.g., phpMyAdmin or phpList in a folder of the same name in root.

Here are a few basic things you can do to improve your chances:
http://www.codemehappy.com/2010/11/top- ... -security/

And then there are all the server-side configurations that can make a huge difference to how secure your store is.
If someone with experience is determined to hack into your store, however, this stuff will only slow them down. It's up to you as a store owner to be vigilant and do the best you can together with your hosting company or IT support.

Simon

_________________
www.codemehappy.com
For Cre Loaded tips, how-to articles and more


 Post subject: Re: Why the CRELOADED system is easy to virus?
PostPosted: Tue Jun 28, 2011 2:38 pm 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7301
Location: Baconton, GA USA
Some good points there, Simon.

My take is that CRE Loaded is no easier to "virus" than any other osCommerce variant, and more difficult than osCommerce itself in a number of cases when compared to the base 2.2 MS2 release. By and large, what I tend to see is that viral infections occur when store owners, hosts and IT people are careless in operating the site, the server, or the clients involved in maintaining a store.

In any release older than 6.4.1 you should apply the PHP_SELF patch, which can be found on this forum, Simon's blog or any number of other places. Anyone installing any version of CRE Loaded, or indeed any osCommerce variant whatsoever, should check to make sure this vulnerability has been addressed in both application top files and anywhere else that the global is directly accessed. This PHP flaw accounts for at least a dozen application vulnerabilities that I know of in osCommerce and its variants alone, and patching just the application top files provides an effective, if rather thin, solution for all of them.

Simon's entry includes a link to some useful suggestions for admin security, though I don't put much stock in changing the admin name.

Hosting-wise, look for a host which (AT LEAST) supports and requires a secure form of file access (FTP over TLS/SSL, FTP over SSH or equivalent), provides at least one IP address per account to assure the ability to use your own SSL certificate, and uses their own SSL certificates on their billing, support and control panel pages. PCI compliance is a helpful indicator, whether you intend to use gateways or not, as any host making a serious effort to operate a compliant server pretty much has to hit most of the major requirements for running a secure server, and definitely has good practices reinforced on a regular basis in the process of completing the checklists.

Those of us who are actually certified can produce documentation, which independently verifies our compliance, that you can use in becoming certified. Ask for this when considering a host. If they are vague about how you can get a certificate of compliance or refuse to give one, don't host with them. Look for and give preference to hosts who both specialize in ecommerce hosting and require site owners to operate securely, especially when shopping for shared hosting. In this scenario, if your server neighbors are not secure, neither are you.

I would say hosting company AND IT support. It is essential that your own laptop and desktop client machines (any machine used to connect to your server) be secure as well as the server. If either the client or the server is insecure, both of them are. Make sure you have anti-virus tools, anti-phishing tools and a firewall installed on any machine you use to connect to your server. This includes your Blackberry or other portable device. Make sure any router you use to connect to the net is secured with a firewall and requires authentication to establish a connection. When using a public router, select a connection method that allows you to connect securely (i.e. obtain your own IP for the duration of the connection so that you can have a fully secured connection).

We are increasingly seeing what I believe to be clear signs of man-in-the-middle attacks against connections to store admins during post-attack forensics, so that last point is seriously good advice at this point in time. Generally, we see more attacks coming from within the site's own country and many more coming from the same town. More attacks are coming from IP addresses which are in the same block and often immediately adjacent to the IP most commonly used by store administrators. This could also reflect infections of the store owner's or administrator's machine by viruses implanted in AWStats or other control-panel-accessible files. In a few cases we were able to confirm these based on file access allowed by the host and the control panel involved (i.e. we were able to scan the files, locate the trojans on the server, and match them to access records confirming download to the store operator's machine).

Beware of phishing. In several attack cases the host's support staff reported seeing control panel logins from IP addresses located in countries to which the store owners had never traveled. This could be a team doing phishing or man-in-the-middle attacks. Seriously: protect your ID and passwords. Don't use them on other sites, change them regularly, keep them random and complex and use them ONLY on SSL/TLS-secured pages. Same thing for store admin credentials. Don't commit credentials to hard copy or an unsecured file. Use Roboform, KeePass or some similar password manager if you must.

In the event you are hacked, do a THOROUGH CLEANUP. This should include a comparison to a CLEAN COPY OF YOUR SITE. For this purpose, nothing beats a securely held and recent backup. Unfortunately, we rarely have access to these, and commonly use the stock distribution for comparison purposes, merging store modifications into stock code to assure the absence of unauthorized code additions rather than deleting them. Merging into such a clean distribution manually is sometimes rather expensive. Why do a comparison if you do have a backup? Any host reasonably committed to security will want to hear about the hack in detail. If they can obtain information on what modifications were made to your existing files, and complete copies of any new files added, then their systems can be configured to not accept files which include those modifications, and any files which contain code that provides a backdoor for the hacker to return in future.

It should also include an evaluation of your database. Even if you remove the virus files, database content that provides links to the hack files has distinctive characteristics, and will continue to impair your site's reputation and functionality. It can deface drop-downs and other menus, leaving visible signs of past security breaches for the discerning visitor to see.

Stop relying on hosted payment pages for "site security". All these pages protect is the data transferred at the time payment is completed, and the site protections I frequently see omitted because the store owner thinks "I don't need to secure my site, I use **** (substitute 'Paypal', Cybersource HOP or ANY other hosted payment page brand here) to take my customers' payments" WILL cost you in lost revenue. The loss of a single $100 order will almost certainly exceed the cost of a low-end SSL certificate. This is why I won't touch a site cleanup on a non-SSL-protected site if the store owner won't remedy that lack during the cleanup. (Note: I am not saying don't use hosted payment pages, just don't consider them sufficient in themselves to cover your site's security needs!)

We use layered security in our hosting operations and encourage others to follow suit for good reason. It works a heck of a lot better than the alternatives.

David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting
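A cleanup-time check of the kind David describes, written here as an added example (not code from this thread or from the CRE Loaded project): it compares the live store tree against a clean copy (stock distribution or trusted backup), reports files that were added or modified, and lists every direct PHP_SELF access so the patch can be checked beyond the application_top files. The script name audit.sh, the directory layout and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from the CRE Loaded project:
# compare a live store tree with a clean copy, report files that were added or
# changed, and list every direct PHP_SELF access so the patch can be verified
# in the application_top files and anywhere else the global is touched.
set -u

# Constructed sample trees so the script runs offline; the live tree has one
# changed file and one file that does not exist in the clean copy.
make_sample() {                          # $1 = scratch directory
    mkdir -p "$1/clean/includes" "$1/live/includes" "$1/live/images"
    printf '<?php $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"]; ?>\n' \
        >"$1/clean/includes/application_top.php"
    printf '<?php echo "store"; ?>\n' >"$1/clean/index.php"
    cp "$1/clean/includes/application_top.php" "$1/live/includes/"
    printf '<?php echo "store"; /* appended */ ?>\n' >"$1/live/index.php"
    printf '<?php /* constructed: not in clean copy */ ?>\n' >"$1/live/images/.cache.php"
}

# Sorted list of regular files under a root, relative to that root.
list_tree() { ( cd "$1" && find . -type f | sort ); }

# ADDED: only in the live tree (give the host complete copies of these).
# MODIFIED: in both trees but with different contents (merge, do not delete).
compare_trees() {                        # $1 = clean root, $2 = live root
    tmp=$(mktemp -d)
    list_tree "$1" >"$tmp/clean"
    list_tree "$2" >"$tmp/live"
    comm -13 "$tmp/clean" "$tmp/live" | sed 's/^/ADDED    /'
    comm -12 "$tmp/clean" "$tmp/live" | while IFS= read -r f; do
        cmp -s "$1/$f" "$2/$f" || printf 'MODIFIED %s\n' "$f"
    done
    rm -rf "$tmp"
}

# file:line:text for every PHP file that reads PHP_SELF directly.
php_self_refs() {                        # $1 = root
    find "$1" -name '*.php' -exec grep -n 'PHP_SELF' /dev/null {} + | sort
}

case "${1:-}" in
    --demo) D=$(mktemp -d); make_sample "$D"
            compare_trees "$D/clean" "$D/live"; php_self_refs "$D/live"; rm -rf "$D" ;;
    "")     ;;                           # no arguments: only define the functions
    *)      compare_trees "$1" "${2:?usage: audit.sh CLEAN_ROOT LIVE_ROOT}"
            php_self_refs "$2" ;;
esac
```

Run `sh audit.sh --demo` to see the constructed case, or `sh audit.sh /path/to/clean /path/to/live` against real trees; every ADDED and MODIFIED file then needs a manual review before the store goes back online.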

