AbleCommerce would like to thank Neal Culiner, president of NC-Software, who has provided this interesting and informative document about his AbleCommerce experiences, along with some important information on securing a server that is running AbleCommerce.
A customer’s real world guide from a real world experience.
Hello, my name is Neal, and my site was hacked.
It was a peaceful Saturday morning in November 2010. I wake up, go to my computer in my home office and log in to my AbleCommerce web site to tend to orders. Only, I can’t log in! I see an e-mail with a password reset notification for my AbleCommerce account which I know I did not initiate. Something is very wrong, and I’m the only one with Admin access to my web site as I’m the business owner of a small software company. I remote in to the web server and grab the error log file in the AbleCommerce logs folder, and find errors about a table missing from the database; something must be corrupt, I’m thinking. I run the latest Symantec anti-virus on all servers, so I check for anything there, and the quarantine log shows quarantines for Backdoor.Trojan in the AffiliateWiz folder area. I restore the most recent database backup, I’m able to log in again, and I continue my investigation into how this could possibly have happened and what actually did happen. There is a lot more to this story, and the tremendous lessons learned that resulted from it are the story I want to share. Being hacked was the best thing that ever happened to me for security awareness, and this document is written to help you learn the same lessons, minimize your risk and increase your awareness.
I’m the owner of a small business and have a very high attention to detail (read: OCD). I own all of my own hardware, outstanding Dell PowerEdge servers and a WatchGuard Firewall hardware appliance, and I try to stay up to date with the latest and greatest, i.e. I like to be on the bleeding edge. I lease rack space in an outstanding data center in Ashburn, VA, not too far from my residence in Richmond, VA. I do all I can to ensure a secure and reliable platform for my business, which is heavily cloud centric today in 2015 with mobile and cloud as the focus. However, as anyone like myself knows, a “jack of all trades…” wearing the DBA hat, CEO hat, graphics designer hat, marketing hat, security hat, customer service hat, developer hat…you know the list, we have so much to know and learn and typically learn from each other. On top of that, we have to keep up with the pace of technology, much less the security risks that come out on a daily basis. I’ve been in the software business over 20 years and I have a passion for learning and a passion for technology, i.e. I love to write code. We hear day after day how millions and even billions of accounts have been breached; it’s becoming a more common occurrence. Every day I’ve spent writing this document, new breaches have emerged, something new every day! So let’s get started on my lessons learned to prevent you from ever learning the hard way, as I did.
As I write this, a story has broken about celebrity photos being hacked; the cause, most likely, is that someone got their login information, either via a phishing scheme or who knows how. This is how my attack started as well: someone found out my e-mail login and took it from there. Most likely a vulnerability in a forum product that I use allowed a hacker to gain access to my e-mail account, trigger a password reset and gain access to various sites including AbleCommerce. At that time, I used a common e-mail address across many logins. I’m not talking about the password, I’m talking about the E-MAIL ADDRESS for my login. Yes, my passwords were shared across various web sites I administer too; don’t we all have limited brain bytes for remembering passwords?
If you’re an administrator of any web site, whether a forum, affiliate portal or AbleCommerce admin portal, do not use the same e-mail address for your logins. Use a dedicated e-mail address for your AbleCommerce admin login and, of course, a unique password for this login as well. Make sure all logins are unique per web system.
For passwords, set and follow a strong password policy. You can set the password policy in AbleCommerce both for admins and for customers. For admins such as yourself, use a mix of upper and lower case letters, numbers and special characters. Avoid the names of family members or pets, i.e. anything you may post about on any public web site.
Databases should NEVER use a password you come up with by yourself. Use a strong password generator for your database access, as it is something you SET once and never need to type as a login: if you connect to the database yourself, for example via SQL Server Management Studio (SSMS), you can use an alternate logon, including Windows Authentication. I personally use a strong password generated by the web site below:
How old is the operating system (OS) you’re running on your servers? Are you more than two versions out of date? As with all software, updates not only add features but also resolve quite a few security issues as technology evolves. While your Windows 2003 server may run just fine, it is severely out of date compared to the latest server OS as of this writing, which is Windows Server 2012 R2 – a phenomenal operating system if I may say so myself! Alongside the OS there is also the .NET Framework; I cannot stress enough how important it is to keep the .NET Framework updated as well as to target it. The latest as of today is .NET 4.5.2, and your web site should be configured to target .NET 4.5.1 in the web.config. There are numerous vulnerabilities the later .NET Frameworks resolve, so be sure not only to keep your server(s) updated but also to use the latest technology that AbleCommerce supports to ensure the most secure configuration against web site attacks.
Do you run anti-virus software on your servers? Yes, it is needed; I personally use Symantec Endpoint Protection and highly recommend it. If you’re the type that goes for freeware, you’re in the wrong business, especially in the realm of e-commerce. Use the proper technology, secure it both physically and in software, and protect yourself from liability issues that may arise from neglect. Do the job right or don’t do it at all is my motto.
For those that have dedicated hardware, owned or leased, you must use extreme discipline to enable only the features that you will need on your server. In the breach that occurred to me, the hacker used .asp files to do the damage and to position files for the attack. ASP files are script based, just like PHP, and do not require a compiled assembly (DLL) to execute their code. There are also other security ramifications that differ between ASP and ASPX file types. Microsoft moved away from ASP to a compiled model and code access security in the .NET Framework for very important reasons. Allowing a server to execute ASP files should be restricted and, in my opinion, not enabled on a server at all. Do not just enable all features in the Roles and Features configuration, which has changed across OS versions over the years. As you can see in the image below, I do not have ASP enabled.
Figure 1. Roles & Features Wizard
Again, limit the functionality of your server to only that which you require. If you are still using old/legacy/obsolete technology, consider upgrading it to prevent security vulnerabilities. In the breach I experienced, the attacker gained access to my server via AffiliateWiz’s file upload, uploaded ASP files and hit them from a web browser, which executed code to do various things. The attacker then uploaded AbleCommerce .aspx files into the web site and executed AbleCommerce-specific code manipulation, gaining access to the database, etc. How? Read on.
In addition to ASP files being script based and not requiring compilation, AbleCommerce offers its latest GOLD in two .NET models: “Web Site Project” and “Web Application Project” (WSP and WAP respectively). Around Visual Studio 2005, Microsoft moved away from the compilation model to a dynamic compilation “scripted” model similar to that of ASP. In other words, you can upload a file and it will dynamically compile and run just as any other page, with no assembly (DLL) changes required in the /Bin folder. .NET will automatically generate a DLL for each ASPX page in its dynamic compilation model. As a result, the hacker was able to upload AbleCommerce code files and work against my AbleCommerce 7.0.7 web site and do hacker’ish bad things; fortunately I don’t store credit card data, so they got nothing, and they were blocked nearly instantly as I was online when it was occurring. But the point is that while you disable ASP (and you should), you should also consider the vulnerability that still exists in the “WSP” model. Granted, someone first needs access to the web site via some other breach, but if they get in via FTP, for example, and can upload files, they can run that code without much more effort and you have a severe problem. This is why I worked very hard, in communication with AbleCommerce, to offer the WAP model in GOLD. Microsoft retracted their efforts: while they still maintain support for the dynamic compilation model, they have moved back to the Web Application Project model as the default for new web sites. This requires you to compile your project; the DLL is then generated into your /Bin folder, and this is how the site executes. In my opinion this is significantly more secure. Be very careful in your choice of WSP vs. WAP. My choice for GOLD is WAP.
Configuring your web site properly and with great discipline is beyond critical. AbleCommerce lists the required permissions in their documentation; be sure to follow it carefully. Don’t give broad access to files, such as granting MODIFY permissions from the root folder down. Give files and folders only the security access rights they require, and this applies to configuring your web server at its root level as well. You may need granular permissions for items such as sitemap files, specific folders, etc. Follow the AbleCommerce installation documentation carefully and test. Watch the error log for any issues, and use their security tester to test permissions if they still offer such a system, as they once did.
Do not mix web sites, such as using virtual directories to embed AffiliateWiz or forum’ware into your folder structure. Allowing products such as AffiliateWiz to be nested in your AbleCommerce folder structure can offer an avenue for uploading files into your AbleCommerce folder structure, as other web systems provide their own file uploaders, which may have security vulnerabilities. Keep web sites isolated not only in IIS but also in their file/folder structure on disk. AbleCommerce allows you to control the file types that can be uploaded; pay careful attention to this, allowing only the minimal required file types and not types that can be executed such as EXE, BAT or even ASPX pages.
Figure 2. File Upload Allowed Extensions (File Types)
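As an added check that is not part of the original article: a read-only PowerShell audit of the isolation advice in the sections above. It assumes Windows Server 2012 or later with the WebAdministration and ServerManager modules, and flags the classic ASP role service being installed, sites or applications sharing one application pool, and any site or application whose on-disk folder sits inside another one’s, which is how AffiliateWiz was positioned in the breach described above.

```powershell
# Added audit script (not from the original article). Read-only: it changes nothing.
Import-Module WebAdministration
Import-Module ServerManager   # provides Get-WindowsFeature

function Get-IisIsolationFindings {
    $findings = @()

    # 1. The classic ASP role service (Web-ASP) should not be installed on an AbleCommerce host.
    $asp = Get-WindowsFeature -Name Web-ASP
    if ($asp -and $asp.Installed) {
        $findings += 'Web-ASP (classic ASP) is installed; remove it unless a site truly needs it.'
    }

    # 2. Collect every site and application with its application pool and expanded on-disk path.
    $nodes = @()
    foreach ($site in Get-Website) {
        $nodes += [pscustomobject]@{
            Name = $site.Name
            Pool = $site.applicationPool
            Path = [Environment]::ExpandEnvironmentVariables($site.physicalPath).TrimEnd('\') + '\'
        }
        foreach ($app in Get-WebApplication -Site $site.Name) {
            $nodes += [pscustomobject]@{
                Name = "$($site.Name)$($app.path)"
                Pool = $app.applicationPool
                Path = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath).TrimEnd('\') + '\'
            }
        }
    }

    # 3. One application pool per site: anything sharing a pool is reported.
    $nodes | Group-Object Pool | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $findings += "Application pool '$($_.Name)' is shared by: $($_.Group.Name -join ', ')"
    }

    # 4. A site or application whose folder lies inside another one's folder tree,
    #    e.g. an affiliate or forum product nested under the AbleCommerce root.
    foreach ($a in $nodes) {
        foreach ($b in $nodes) {
            if ($a.Name -ne $b.Name -and $a.Path -ne $b.Path -and
                $a.Path.StartsWith($b.Path, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += "'$($a.Name)' ($($a.Path)) is nested inside '$($b.Name)' ($($b.Path))"
            }
        }
    }
    return $findings
}

Get-IisIsolationFindings | ForEach-Object { Write-Output "FINDING: $_" }
```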
In addition to the above there is also ASP.NET security in the form of trust levels. I won’t go into that here, but you can refer to MSDN for more information:
The discussion related to IIS is similar to the prior section about web site configuration and concerns: keep your web sites isolated and set up properly with dedicated Application Pools, one per site, never sharing Application Pools among sites. One protection item that can defeat just about any hacker is IP address security. Granted, this can be difficult if you have a lot of people with admin access to your AbleCommerce site, if you travel frequently, or if you don’t have a static IP address. Even if you don’t have a static IP address, such as at your residence, keep an eye on your IP address, as providers rarely change it now. I have Verizon FIOS at my residence without a static IP, and as I leave my router on all the time it rarely if ever changes the IP. If it does, it’s a simple update. Regardless, restricting specific folders to particular IP addresses is a tremendous security feature that I highly recommend. AbleCommerce keeps all of its admin functionality in the /Admin folder, and this is quite common. All of my web sites, from forums to the support portal and AbleCommerce, are locked down to my home and office IP addresses. Even if someone breached your login info, they still could not do anything unless they gained access to your server (IIS) to remove the IP address restrictions. Configuring IIS IP security is quite simple, as demonstrated below, but here is a link with even more good info:
Login to your web server and click on your web site and expand the site so you can see the sub-folders. Click on the “Admin” folder as indicated below. With the Admin folder selected double-click the IP Address and Domain Restrictions button.
Figure 3. Accessing IP Address and Domain Restrictions
Figure 4. Feature Settings
Figure 5. Default Feature to “Deny” for access
The most important change to make first is under “Edit Feature Settings”: change the default to DENY, as in Figure 5 above. This way, if an IP address has not been granted “Allow”, the visitor will not be able to access the folder. Then add the “Allow” entries for the IP addresses that may access the Admin folder area of your web site. I suggest doing this for all web sites that have an Admin area you want restricted to specific IP addresses.
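The same /Admin restriction as a script, added here and not from the original article. It assumes the WebAdministration module and the IP and Domain Restrictions role service (Web-IP-Security) are installed; the site name and the allowed addresses are placeholders to replace with your own.

```powershell
# Added example (not from the original article): default-deny the /Admin folder,
# allow only listed addresses, then read the result back before you log out.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'                    # assumption: name of your AbleCommerce site in IIS
$AllowedIps = @('203.0.113.10', '198.51.100.25')    # constructed placeholders: home and office addresses
$Filter     = 'system.webServer/security/ipSecurity'
$AppHost    = 'MACHINE/WEBROOT/APPHOST'             # write to applicationHost.config, as IIS Manager does

function Set-AdminIpRestriction {
    param([string]$Location, [string[]]$Ips)

    # Step 1: "Edit Feature Settings" -> default Deny (Figure 5). Done first so the
    # folder is never open while the allow list is still being built.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter `
        -Name 'allowUnlisted' -Value 'False'

    # Step 2: one Allow entry per address, skipping entries already present so the
    # script can be re-run without creating duplicates.
    $existing = @(Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$Filter/add" |
                  ForEach-Object { $_.ipAddress })
    foreach ($ip in $Ips) {
        if ($existing -notcontains $ip) {
            Add-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter `
                -Name '.' -Value @{ ipAddress = $ip; allowed = 'True' }
        }
    }
}

function Test-AdminIpRestriction {
    param([string]$Location)
    # The default must be Deny and the allow list must not be empty; otherwise the
    # folder is either still public or you have just locked yourself out.
    $unlisted = (Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name 'allowUnlisted').Value
    $allowed  = @(Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$Filter/add" |
                  Where-Object { $_.allowed -eq $true } | ForEach-Object { $_.ipAddress })
    [pscustomobject]@{
        Location    = $Location
        DefaultDeny = (-not $unlisted)
        AllowList   = ($allowed -join ', ')
        Ok          = (-not $unlisted) -and ($allowed.Count -gt 0)
    }
}

Set-AdminIpRestriction  -Location "$SiteName/Admin" -Ips $AllowedIps
Test-AdminIpRestriction -Location "$SiteName/Admin"
```

Run it from a session on the server itself, or from an address already in the allow list, and confirm the Ok column is True before closing your remote session.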
As mentioned in the introduction, when the hacker gained access to my web site they dropped a table, i.e. deleted it from SQL Server, which covered up the audit logs. This tells you not only that I had permissions set too high, as most do, but also that there are hackers who are savvy in AbleCommerce, both in its code and its database schema. Most people, when setting up their database, give the user “db_owner” permission. DON’T!!! While I don’t know that AbleCommerce puts out guidance on security configuration, my recommendations are as shown in Figure 7 below. Create a dedicated SQL Server user solely for your AbleCommerce web site to connect to the database. This may be different from the account you use personally to connect with SQL Server management tools such as SQL Server Management Studio (SSMS). When creating the user, do not choose a password yourself; use a strong password generator to generate a very strong password, as this will go into the connection string, which should also be encrypted per Figure 6 below. You can also set any security policy as you require.
The required permissions should be set as: public, db_datareader, db_datawriter. The final permission, allowing use (execution) of stored procedures, can be granted either from the GUI or, more easily, by running the script below, which also sets all the permissions outlined above.
-- run in the AbleCommerce database; replace YourUserNameHere with the dedicated SQL user created above
exec sp_addrolemember 'db_datareader', 'YourUserNameHere'
exec sp_addrolemember 'db_datawriter', 'YourUserNameHere'
-- lets the site execute stored procedures only; no ownership, no schema changes
GRANT EXECUTE TO [YourUserNameHere]
Figure 6. Choose the Encrypt option from AbleCommerce Admin
Figure 7. Database permissions for the User granted access
As the optimal configuration is to have your database server completely separate from your web server, you should not allow public access to your database server. There are PCI compliance rules you need to follow, but also common sense to protect your database. I suggest using a firewall, whether a dedicated hardware appliance such as I use or the Windows Firewall, to restrict access to SQL Server. Again, there should never be public access to your SQL Server. You can set up firewall rules granting access to specific IP addresses if you need to reach your SQL Server as a developer, and also consider disabling your external network interface whenever you do not need it for management activities. AbleCommerce’s web server should access the database via a dedicated internal high speed (GigE or better) network.
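An added example, not from the original article, of the Windows Firewall side of this: restricting inbound SQL Server (TCP 1433, default instance) to the web server’s internal address and one management host, with a query that lists every rule still opening that port. It assumes Windows Server 2012 or later (NetSecurity cmdlets) and uses constructed placeholder addresses.

```powershell
# Added example (not from the original article): allow SQL Server's TCP port only
# from the AbleCommerce web server (internal NIC) and one management host. Every
# other source is refused by the profile's default inbound action of Block.
$WebServerInternalIp = '10.10.0.20'     # assumption: web server on the private GigE network
$AdminWorkstationIp  = '203.0.113.10'   # assumption: the one host allowed to run SSMS remotely
$SqlPort             = '1433'           # default instance; a named instance uses its own fixed port
$RulePrefix          = 'SQL Server - AbleCommerce'

function Set-SqlServerFirewall {
    # Remove our earlier rules so the script is safe to re-run.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName "$RulePrefix web server" -Direction Inbound -Protocol TCP `
        -LocalPort $SqlPort -RemoteAddress $WebServerInternalIp -Action Allow -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$RulePrefix admin" -Direction Inbound -Protocol TCP `
        -LocalPort $SqlPort -RemoteAddress $AdminWorkstationIp -Action Allow -Profile Any | Out-Null

    # An allow list only means something if unlisted inbound traffic is blocked on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
}

function Get-SqlPortExposure {
    # Every enabled inbound rule that opens the SQL port, with the remote addresses
    # it accepts. A rule whose RemoteAddress is 'Any' is public exposure.
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains $SqlPort } |
        Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; RemoteAddress = ($remote -join ', ') }
        }
}

Set-SqlServerFirewall
Get-SqlPortExposure | Format-Table -AutoSize
```

Rules created by the SQL Server installer or by other administrators also show up in the exposure list, so review anything there that is not one of the two rules above.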
Finally, just as with Windows, a SQL Server that is too far out of date can be a security vulnerability. Microsoft has been releasing fantastic updates to SQL Server; I personally use SQL Server 2014 as of this writing and am truly impressed. SQL Server licensing is not cheap; it is probably the most expensive element of your e-commerce experience if self-owned. If you lease, be sure to stay on the latest versions your provider has available. If you are using a SQL Server edition prior to 2008 R2, I highly recommend considering an upgrade, as you are over three versions old, which I consider out of date by today’s standards and against AbleCommerce’s minimum required versions for the product.
Hopefully this document helps you learn from the lessons I learned the hard way. Now it’s up to you to take action before someone gains access to your resources and causes you disruption or worse, such as compromising user data or credit card data and damaging the trust of your customer base. Basic security steps as outlined above are easy to implement and allow you to form good habits across all of your web sites, servers, etc. There will always be vulnerabilities, so be sure to keep all of your software up to date, including AbleCommerce with an active subscription to receive updates, as well as updating your web and database servers as your budget allows.
~ Neal Culiner