Cracking Magento passwords for $1


hashcat logo

TL;DR: Find weak passwords on your Magento stores before the bad guys do. If you spend some serious money ($1) on high-performance computing power, you can find easily guessable passwords. Here’s - step by step - how you can check your stores for vulnerable admin accounts.

A password guessing attack (aka “brute force”) has become the most successful attack vector recently. Hackers try zillions of passwords on authenticated pages (/admin, /downloader, /rss) until they hit the jackpot.

Now, you (the admin) can easily find weak passwords, because you have a major advantage over remote attackers: speed. Potential hackers test passwords over HTTP, which is relatively slow. With a botnet and fast servers, at best (worst) they can try a few hundred passwords per second per store. You, on the other hand, have direct database access. With the proper setup (read on!) you can test 4 billion passwords per second.

What is password hashing?

When big companies are hacked, they always say your password is safe because it was stored in an unreadable manner.

What they actually mean is that they stored a hash of your password. Hashing is a one-way algorithm to translate some data (your password) into a unique code. Say, you have password qwerty123. The MD5 hash for this password is 3fc0a7acf087f549ac2b266baf94b8b1. It is not possible to revert this. However, nothing stops you from hashing random passwords and see if they match 3fc0a7acf087f549ac2b266baf94b8b1. You would only have to try enough combinations, starting with aaaaaaaa, then all the way to ZZZZZZZZ (and beyond).

The MD5 method is not a very safe hash, because it is unbelievably fast. A 5-year old PC can compute about 70 megahashes (MH) per second. And a juicy videocard can do 4500 MH per second.

Get the machinery in place

Magento 1 CE uses the fast MD5 hash to store admin passwords. To find weak ones, you need:

Amazon released their P2 GPU servers recently, to jump on the machine learning money wagon. P2 servers happen to be also really good at hashing. Equipped with Nvidia’s Tesla K80 cards, those servers are nothing but hash grinding beasts. The smallest P2 server is still pricey, but for $1, you may tame it for a whole hour.

Boot a p2.xlarge with Amazon EC2. Root disk 8GB is ok. Pick Ubuntu 16.04 AMI. Download keyfile (pem). Run these commands in terminal.

Extract hashes from your Magento stores

Almost ready to start cracking: you just need the password hashes. If you have magerun, you can do this (run on your Magento server):

n98-magerun db:query "select concat(username,':',password) from admin_user where is_active=1" | tail -n +3 | tee maghashes.txt

Now, maghashes.txt contains lines with username:hash:salt like this:

admin:90EFkDlbNgMIVq6oJZfXJ7XrifM4TI80:ToV9inml5MawidrOTCgcKvwSwn1xIApE
backup:ep0NXnY2MeRI9JzXDHefnRdQDyNmhkH7:8M

Copy this file to your hash grinder and start the magic:

scp maghashes.txt ubuntu@<AWS-IP>:/data

# back to your AWS terminal
cd /data/hashcat
./hc -m20 --username -r rules/best64.rule ../maghashes.txt ../phpbb.txt

The One Dollar Challenge

Show all the guessed passwords:

./hc --show --username -m20 ../maghashes.txt

In practice, 10-15% of the admin passwords appears easily guesseable. This is more than I expected. Notable cases are test/test123 and admin/123. Magento 2 forces strong passwords by default, but for anyone still running M1, it’s a good idea to give your admin passwords a boost.

Bonus

MD54,231,000 hashes/sec
PHP’s password_hash()53 hashes/sec

Visbot malware found on 6691 stores [analysis]


visbot

Visbot does what you would expect from any self-respecting malware: steal customer data and credit cards (aka skimming). And it is not even new: the first case was documented as early as March 2015. But getting out of the shadows did not stop it from spreading. Today I found active Visbot skimming on 6691 online stores.

How’s that possible? Contrary to other skimming malware, Visbot nestles itself in code running on the server. This makes it harder to detect from the outside, as the malware operates completely invisible for anyone but the store owner. And many store owners are not equipped to detect these security breaches.

How Visbot works

For devs, here’s a beautified copy

Visbot injects itself into existing site code. It stays dormant until it detects that data was entered by store visitors (an order or a password). Submitted data is then encrypted and saved to a fake image file. This “image” is then later retrieved by the perpetrator and - presumably - sold on the black market.

Clever..

I hear you ask, “how can you be sure that Visbot exists on all these stores? If it is so well hidden?” Here comes the crux: the Visbot author added a feature so s/he could detect whether the money machine is still running. If you send a specific code (a “password”) to an infected store, it will say:

Pong

If you know how to use a terminal, try it right now:

curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)' \
    http://your-site.com

For everyone else, I’ve added an online check to MageReport.com

Recent activity

In the last week, I found Visbot activity from servers in Sweden (62.102.148.187), Ukraine (95.211.197.194) and Germany (81.169.144.135).

Private data is stored in somewhat random image files. So far I have seen these filenames used:

bkg_btn-close2_bg.gif
btn_back_bg_bg.gif
btn_cancel_bg_bg.gif
left_button_back.gif
mage.jpg
nav1_off_bg.gif
notice-msg_bg.png
section_menu_link_bg_bg.gif
sort-arrow-down_bg.png

The public key used to encrypt the stole data is included in the malware, but the private key is not. Until it surfaces, it is not possible to decrypt the contents.

Solution

I have sent the list of malware-ridden stores to the authorities and major providers, so they can contact owners and agencies to fix skimming stores.

Are you a consumer?

  1. Never enter your payment details on a site other than your bank or Paypal.
  2. Assume that anything you do on the Internet, will be hacked and revealed one day.

Are you a merchant?

  1. Test your store periodically at MageReport.com
  2. Outsource technical maintenance to a specialized agency
  3. Agree on a fixed-hour support contract, so that your agency does not have to wait for your approval to perform critical maintenance.
  4. Software requires maintenance and maintenance is costly. A standard store requires typically 10-30 developer hours ($1k-$3k) per year, just for upkeep.

Are you an agency or sysadmin?

  1. Implement filters to protect your sites against common attacks (Shoplift, Bruteforce) or pick a provider that does this
  2. Implement periodic malware scanning. You could use my malware collection to scan for Visbot and much other crap. If you find new signatures, please submit a PR.
  3. Use version control (git) to detect unauthorized changes of your code
  4. Make periodic database dumps and check for changes to html header/footer includes.

People reporting Visbot cases:


Ten ideas to fix Magento's reverse brand ambassadors


Ecommerce people have been making long hours, as more stores were hacked in 2016. Magento saw a rise of Shoplift and brute force attacks. Stores that follow best practices should not worry. But a majority of stores do not keep up with patches and strong passwords, and get hacked sooner or later. These negligent merchants become reverse brand ambassadors. Which is ultimately a bad thing for everybody but.. Demandware.

The bottomline is: how to secure thousands of badly maintained stores? Nobody has found a really good solution yet, and - interestingly - there has been little public debate so far. Here are 10 ideas to get the conversation started!

  1. Crawl all 300K contact forms of vulnerable stores to reach the beneficial owner. So far, Magento has been contacting people who entered an email on the download page (ie, technicians). The response rate has been “very low”. Academic research claims only 5.8% of actual website owners can be reached in case of a vulnerability issue. Now, I think we have an edge with Magento because of the standardized contact form implementation (easy to scrape). Second, the recipient of the contact form has likely a larger interest in fixing the site than the tech who did the initial install but is no longer on the project.

  2. Encourage hosting companies (HSPs) to enforce secure installations. Magento Inc could promote HSPs that actively engage in protecting their merchants’ security. All of Magento’s official hosting partners are “committed to security” but few actively block the latest threats. HSPs can leverage intrusion prevention systems (IPS), and assist their customers with patching and incident response. Hacked, abandoned stores should be locked-down pro-actively to stop them spreading malware.

  3. Publish a nematode: a friendly, autonomous worm that crawls the Internet and fixes vulnerable stores. Slightly unconventional, but nevertheless proven valuable in the past. A well written nematode would fix all Shoplift-susceptible stores globally within 30 minutes. In fact, this is slowly happening right now, but by the bad guys: hacker groups are already closing the Shoplift hole after they got in, to keep competing hackers out.

  4. Government could tighten incident disclosure laws, so that hacked stores would actually notify their customers upon data theft. At the moment, this is certainly not the case, and merchants get away with sloppy maintenance. (Proof: I have placed canary orders at stores that I knew were hacked, and I was never notified afterwards. Were you ever?) This would be a great incentive for merchants to spend money on maintenance. Current laws are lobbied down to be very vague, and where the law actually dicates disclosure, enforcement agencies are seriously understaffed (eg in Holland).

  5. Set up a malware signature collection, and empower system administrators to easily detect security breaches (and submit new signatures). So far, two HSPs have shared their malware rules: NBS and Byte. The effectivity of these rules would get a boost if more HSPs joined. Both Magemojo and Lexiconn have already pledged to contribute.

  6. Set up a searchable archive of ecosystem vulnerabilities, similar to wpvulndb for Wordpress. At the moment, only Magento Inc and a few vendors have processes to disclose vulnerability information. And this information is not standardized or even accessible from a single place. Most vendors fix security bugs but write a small note deep in their release notes (if at all). Standardizing and vetting security announcements is quite a lot of work, but let’s start with a low-effort centralized repository of statements. Once we have that, somebody will publish a n98-magerun plugin the same day.

  7. Implement and enforce an immutable document root in Magento (and offload somewhat volatile data such as media to a CDN). This would prohibit attackers to hide malware on the server. The required technical changes are no deal breaker for the Magento core, but several 3rd party modules assume a writeable document root. Supporters include Max Pronko, Ivan Cherpurnyi and Fabrizio Branco.

  8. Magento could enforce Content Security Policy headers by default. This would make it harder for hackers to inject malicious javascript in a site. Scott Arciszewski has written a proposal for this. Max Chadwick also has a few insights on restricting “Miscellaneous HTML” in the backend.

  9. Magento could encourage Google to block compromised sites in Chrome. At the moment, Google’s Safe Browsing team has about 10% of compromised stores in its filter. Blocking is a rude measure, but without it, the hijacking of private data continues and total damage increases.

  10. Magento Inc could hire more vulnerability researchers to find bugs before they get released. Magento has many top of the bill engineers already, but hunting security flaws is a specialized art. To identify the best Magento bug hunters globally, one would simply have a look at the credits in the latest patch releases. I posit that if Magento Inc paid the best bug hunter $200k per year and s/he would find just a single RCE exploit in unreleased code, it would be an absolute bargain.

  11. Organize a dedicated MageStackDay to increase patch rates globally. Or, as Anna Völkl called it, a MagePatchDay! Enthusiastic volunteers would teach merchants why and how to get their security on par. Especially the “why”.

  12. Give small time merchants a discount for Shopify. The long tail of Magento installations are people who chose Magento just because it is a “free download”, but have only 3 SKUs. They will not pay an agency $20k for proper maintenance and will certainly not pay Magento Inc for an Enterprise license. So it would be good for everybody if these stores converted to a SaaS solution with zero maintenance.

Yes, more than ten, the ideas just kept coming! I must still have missed a couple though. Are you a concerned professional? What works and what doesn’t?


Fixing Jekyll --watch and 404 errors


When you edit drafts locally, a very handy Jekyll feature is the –watch flag, which triggers Jekyll to rebuild whenever you save your post:

$ bundle exec jekyll serve --drafts --incremental --watch

However, on my Ubuntu 16.04 desktop, this yields erratic 404 errors.

jekyll 404

After cursing Jekyll for a few weeks, I decided to dig into it using my favorite tool strace. And indeed, Jekyll removes the draft after a save. When run with --verbose, it becomes clear:

Skipping: _drafts/world-domination-howto.md has a future date

I added some debug to lib/jekyll/readers/post_reader.rb and it appears that the file’s ctime is a few microseconds off from the its mtime. Curious?

A quick fix is to run Jekyll with the --watch --future option.

A thorough fix probably involves digging into the internals of my ecryptfs home folder (which is a standard Ubuntu feature by the way).


Magento and upcoming SSL requirements


At the end of January, Google will release Chrome 56 with two important changes:

  1. Sites using SHA1 SSL certificates will be blocked
  2. Sites accepting passwords or credit cards without SSL will show a warning

Other browsers such as Firefox have also announced stricter SSL handling.

Old SHA1 SSL certificates

Old SSL certificates use SHA1 hashing, which is considered insecure. New certificates use SHA256 or even SHA512. The quest to eliminate insecure SSL certificates has been going on for a few years. Browsers have displayed incrementally intrusive warnings. The latest Chrome warning is a red mark in your address bar:

chrome sha1 warning

But from January onwards, Chrome 56 will actually block you from visiting the site.

Half a year ago I wrote that 37.000 Magento sites were using insecure SSL certificates. Now, that was an awful lot. The good news is that certificates have to be renewed periodically, and SSL providers have not handed out insecure certs since 2016.

So what is the verdict today? I have reran my scan of all 305K known Magento stores globally and detected .. only 432 stores with outdated SSL! These stores have an old insecure certificate with multi-year validity (beyond 2016) and their owners probably forgot about them.

To summarize, less than 0.2% of Magento stores will break once Google releases Chrome 56. I think that is an amazing result.

No SSL at all

Until now, Chrome showed a small exclamation mark for non-SSL stores. Chrome 56 will show a slightly bigger warning:

chrome non ssl warning

While this isn’t exactly terrifying yet, it will hopefully encourage a couple more store owners to go SSL-only. Because that isn’t quite commonplace: out of 305.000 Magento stores, only 31.000 (<11%) enforce SSL site-wide.

In June 2017 I will run a new scan. How many Magento sites will be HTTPS only by then? Place your bet in the comments below.


Pagination