VPCart Forum - Credit card fraud and hackers
Topic: Real Security

cboyda
Starting Member

3 Posts

Posted - September 18 2007 :  10:36:12
I am looking for anyone else who is seriously concerned about security. Specifically, is there anyone operating on VPASP v6.5 that has HACKER PROOF certification?

This is a little expensive, but they basically maintain constant attacks on your system looking for holes and reporting vulnerabilities - www.scanalert.com

Thanks!

devshb
Senior Member

United Kingdom
1904 Posts

Posted - September 18 2007 :  11:47:25
oooh; I like that, I think we'd definitely consider using them for one of our pending (non-vpasp) sites (it's kind of connected to things like escrow services etc which we're also interested in for the pending site in question)

I'd be curious about people's experience with that scanalert option too; looks really cool.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

portion
VP-CART New User

86 Posts

Posted - September 18 2007 :  12:02:47
What kind of pricing are we looking at to use Scan Alert? (funny they don't mention pricing on the site)

$$$

cboyda
Starting Member

3 Posts

Posted - September 18 2007 :  12:10:37
We paid:
$600USD for cleanup
~$2000USD annually

Absolutely brilliant staff, and nice automated reports - a little deep on the technical side so most end users would be completely lost without an IT tech - but nice to know I can sleep better at night.

I just told the client - this is the cost of running an online store - think of it as insurance.
Many large vendors use them - www.tigerdirect.ca etc...

If you do smaller traffic (revenue wise) it may be cheaper.

devshb
Senior Member

United Kingdom
1904 Posts

Posted - September 19 2007 :  00:58:53
those prices sound fairly good/normal to me; I'm guessing that the pricing will depend on lots of factors; if I were in their shoes I'd be a bit defensive/wary about giving away too many details about prices or the nature of the checks/reports in a public domain, because there are 2 "danger" areas for their business on that front:

1) for prices, it might be a "how long's a piece of string" kind of question, ie the more complex your site is and the more detailed the checks are, the more time it'll take, hence I assume the higher the price. one site might be really basic and only need a handful of pre-existing scripts to be run to check things out, but another site might need a thorough manual trawl through the code/database and a detailed "attack plan" formulated/custom-made/done for that site.

2) for details of the checks/reports; the more info they give away about that on their site, the more info they're giving hackers to circumvent their checks and find other ways of hacking.

I'm glad their reports are quite technical; I know that a normal site-owner wouldn't be able to understand some things like that, but then again if they don't understand the technical nature of the vulnerability then they probably wouldn't be able to fix it without help either, so if they wanted the gap plugged they'd need to use a techie anyway.

anyway; those prices sound about right to me; I think it's roughly in line with what an hourly-rate would be to do those things for an average shopping site.

I agree with the last posting too, ie it is basically a kind of insurance; if you had a vulnerability then it would be nice to know/fix it before a real hacker exploited it; you could in theory save yourself millions of dollars from a law suit by customers who would have had their cards stolen from your site. Or if you don't store card details you could save yourself from a few weeks of downtime following a foiled hack.

Does depend on the nature of the site though; if I stored credit cards on my site then there's no way I'd even consider storing those cards without a massive security investment, otherwise I'd use a gateway to store/process them. All a case of risk assessment really.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on September 19 2007 01:06:49

Kidd
VP-CART Super User

Australia
373 Posts

Posted - September 19 2007 :  01:06:34
But I just wonder if it's really worth it to pay that much for it. I usually ask the support team to do an audit once a year.

devshb
Senior Member

United Kingdom
1904 Posts

Posted - September 19 2007 :  01:09:58
depends on what your site is/does I suppose; for example it's definitely worth it if you're storing credit cards or using a custom-created "cart".

also depends on the real nitty-gritty of how they formulate/do their checks

what I think would be good would be for software itself to be checked/certified rather than just sites; that way things like vpasp itself (or our software) could be certified as off-the-shelf-safe.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Kidd
VP-CART Super User

Australia
373 Posts

Posted - September 19 2007 :  01:14:55
By law you are not allowed to store credit cards in your database anyway, right? If I remember correctly VISA and Mastercard can fine you?

devshb
Senior Member

United Kingdom
1904 Posts

Posted - September 19 2007 :  01:22:13
maybe so, but if processing them (even using a gateway) where you let the user physically enter cards on your own site then you'd need to store them somehow/somewhere, even if it's just temporary via posting the url to itself to encode the card numbers.

so, when I say that the biggest danger is "storing" card numbers, I don't necessarily mean in the database, I just mean that the user physically enters the card numbers while on your own site's url; even that smallest and most temporary nature of storage is still open to a potential attack.

That's why I'd always advise against any site owner letting people enter card details while on their own url unless they have a big budget for security (or an unlimited insurance policy)

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on September 19 2007 01:24:02

cboyda
Starting Member

3 Posts

Posted - September 19 2007 :  01:23:23
The security patches/audit did not stop us from being hacked.
It comes down to a question of liability, how much are you willing to accept vs pay to ensure your customers are safe. Our website had no cc info, but started giving our customers viruses via javascript.

devshb
Senior Member

United Kingdom
1904 Posts

Posted - September 19 2007 :  01:27:41
those javascript viruses are one of the nastiest hacker tools around; they are true viruses in that once one person gets one it can easily spiral all the way across the web because they do things like track key-presses so that the hackers then get the hacked customer's login details and so they can then grab things like ftp info etc.

on the subject of hacks, anyone browsing this topic who hasn't already downloaded this, I'd advise you to do it right away; it's free and you don't need a byz license for it etc:

VP-ASP (V4.5/V5/V5.5/V6/V6.5) SQL Injection Hack Finder:
http://www.bigyellowzone.com/shopexd.asp?id=146

My 2 cents worth on those guys' service is basically:
I've got no idea if the service is any good because I've never tried it, but hats off to them for coming up with a good/simple idea.

(our hack check tool will do some basic checks to see if you've been hacked and you don't know about it, whereas those guys' services seem more tailored to finding out if/how you can be hacked in the first place)

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on September 19 2007 01:31:12

support
Administrator

4679 Posts

Posted - September 19 2007 :  06:32:25
Hi everyone,

Very interesting topic.

Basically if you have all patches applied then earlier releases of the default VPASP store are secure against the most common type of attacks which are SQL Injections.

If using versions older than 650 then you will not be fully protected against XSS attacks, but there is only one type that has so far been in use against VPASP and this was blocked with the patches a fair while back:

This is the relevant patch:
http://www.vpasp.com/helpnotes/fixes.asp?version=v600#8

Simon's tool will tell you whether you have been infected. This patch will stop it occurring. Version 650 users can ignore this as 650 has all patches applied already.

I recommend downloading Simon's tool and checking to see if you have been infected and then make sure the patches are up to date.

Not a 100% guarantee but if upgrading is not feasible then you will be at least 99% protected.

Simon:
The big issue with certification is that we are an open source solution which means that as soon as the product is delivered it will lose any certification it had as the customer can make whatever changes to the code they like.

We have the software audited and certified by an outside security company now regularly, which is how we know version 650 is secure, so the core package is safe. But older versions need to have all patches applied, and even then Hackersafe and auditing companies will return warnings about vulnerabilities as there is still the potential for low level XSS issues.

We are however yet to see one work or be shown how it can be used to successfully obtain information though beyond the IJK issue which has already been rectified.

Cboyda:
The audit we carried out secures your site from being hacked in a real sense for the default VPASP files.

Your site though is incredibly heavily customised and will take a lot of work to secure your custom changes. We have had a look through your files but it will take a lot of work to fix these and we recommend you contact the developers who made the changes and see if they will update them for you so they are secure. We can do so but it will be a big job as we did not write the code.

I am happy to continue going through this with you in the help desk further as to the best way to proceed.

Everyone:
Please everyone make sure you are up to date with the patches. If you are and you have been careful with your customisations then you "should" be safe. By "should" I mean always make sure you are up to date with your patches and have applied any security updates needed.

Hackersafe:
Hackersafe can give you a list of vulnerabilities in your site. You need to ensure that all mid and high level threats are taken care of. Low level threats I believe you can safely ignore.

The big things to watch out for here are:

Apply all patches
Do NOT store credit cards

Realistically a hacker will not invest much time on your site if the only information they can gain is what they could get from a phone book, as there is no financial gain involved. So if you are not storing cards and have applied the patches your customers will be able to trade securely.

Thanks
Cam

VP-ASP Support

devshb
Senior Member

United Kingdom
1904 Posts

Posted - September 19 2007 :  09:41:14
re: The big issue with certification is that we are an open source solution which means that as soon as the product is delivered it will lose any certification it had as the customer can make whatever changes to the code they like

yep; that's true; same logic would apply to our addons too; once any changes are made to them by the customer then it'd lose its certification; I like the idea of certification for the off-the-shelf software, but agree that if doing that then there needs to be a big caveat put on it when selling, explicitly saying that the software is only certified pre-customisation (ie as-is), and any problems following customisations are not covered (ie that it's totally safe to start with, but changing the code you then do at your own risk)

In this instance, the certification would be the software seller's certification (eg vpasp's or ours), and *not* the customer's. ie the people selling the software would have the software certified, but the people using the software can't use that certification as a flag on their own site.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on September 19 2007 09:43:22

apswater
VP-CART Super User

444 Posts

Posted - September 24 2008 :  14:59:26
Here is a little code I added to the shop$db (4.5) to catch all those sql injects.

What it does is read the query string with each page load, look for some specific words like declare or execute, and then send those users over to a script that adds their IP to a banned database.

I then have another snippet that looks up the user IP from that database on page load, and if they are on the list they get redirected away.

You need to have auto banning because they have infected so many computers out there with the virus that sends these out, you would be doing manual banning for ever.

After a month or 2 I have a few thousand banned IPs. Most are in Asia.

Maybe Cam wants to consider adding something like this as an added security stop.

--------------------------------------------------------------
dim ds,dsr,dsx

' raw (undecoded) query string of the current request
ds=request.servervariables("query_string")

' keep a copy of what tripped the check so the ban script can record it
session("trap")=ds
session("script")=request.servervariables("script_name")

' slide a 7-character window across the query string looking for "declare"
for dsx = 1 to len(ds)
    dsr = mid(ds,dsx,7)
    'response.write "<font color='white'>" & dsr & "-"
    if lcase(dsr)="declare" then
        ' syserror.asp adds the client IP to the banned database
        response.redirect ("syserror.asp")
    end if
next

' same again with a 5-character window for "char("
for dsx = 1 to len(ds)
    dsr = mid(ds,dsx,5)
    'response.write "<font color='white'>" & dsr & "-"
    if lcase(dsr)="char(" then
        response.redirect ("syserror.asp")
    end if
next
--------------------------------------------------------------

etc etc... you can add all the words you want.
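The query-string filter apswater describes above, as an added example that is not part of the thread nor of VP-ASP: an offline Python checker that reads IIS W3C log lines (constructed samples below), percent-decodes each cs-uri-query before matching (the ASP snippet compares the raw query string from QUERY_STRING, so a percent-encoded keyword would pass it unnoticed), flags the same markers the snippet looks for, and tallies hits per client IP for an auto-ban list like the one the post mentions. The field layout follows the IIS default `#Fields:` header; MARKERS, SAMPLE_LOG and every function here are assumptions of this example.

```python
"""Offline checker for the SQL-injection markers the forum's ASP snippet tests.

Added example, not code from the thread or from VP-ASP. It parses IIS W3C
log lines, URL-decodes the cs-uri-query field (twice, to handle double
encoding), looks for injection markers, and counts hits per client IP.
"""
from urllib.parse import unquote_plus
from collections import Counter
import re

# Markers from the ASP snippet ("declare", "char(") plus two from the same
# family of attacks. Assumed list; extend it as the post suggests.
MARKERS = ("declare", "char(", "cast(", "exec(")

# Constructed sample log (IIS 6 W3C extended format, default field order).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-09-19 01:23:23 192.0.2.10 GET /shopdisplayproducts.asp id=42 200
2007-09-19 01:23:24 198.51.100.7 GET /shopdisplayproducts.asp id=42;DECLARE%20@s%20varchar(8000) 200
2007-09-19 01:23:25 198.51.100.7 GET /shopexd.asp id=1;%64%65%63lare+@s+varchar(8000) 200
2007-09-19 01:23:26 203.0.113.5 GET /shopquery.asp keyword=leather+chair 200
2007-09-19 01:23:27 203.0.113.5 GET /shopexd.asp id=146+and+char(113)=char(113) 200
"""


def decode_query(raw: str) -> str:
    """Percent-decode twice (catches double-encoded payloads) and lower-case."""
    return unquote_plus(unquote_plus(raw)).lower()


def is_suspicious(raw_query: str) -> bool:
    """True if the decoded query contains any marker.

    Whitespace is collapsed first so "char (" is treated like "char(".
    """
    decoded = re.sub(r"\s+", "", decode_query(raw_query))
    return any(marker in decoded for marker in MARKERS)


def parse_iis_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan(text: str):
    """Return (flagged requests, Counter of flagged requests per client IP)."""
    flagged = []
    per_ip = Counter()
    for rec in parse_iis_log(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS logs "-" when there is no query string
        if is_suspicious(query):
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], decode_query(query)))
            per_ip[rec["c-ip"]] += 1
    return flagged, per_ip


def ban_list(per_ip: Counter, threshold: int = 1):
    """Sorted IPs with at least `threshold` flagged requests, for a deny list."""
    return sorted(ip for ip, hits in per_ip.items() if hits >= threshold)


if __name__ == "__main__":
    flagged, per_ip = scan(SAMPLE_LOG)
    for ip, stem, query in flagged:
        print(f"{ip} {stem}?{query}")
    print("ban:", ban_list(per_ip))
```

Run as a script it prints the three flagged requests and the two source addresses. The same substring match that catches the worm traffic will also flag a shopper whose search term happens to contain "declare" or "exec(", so review the flagged list before feeding ban_list() into a deny list, and raise the threshold above 1 where customers sit behind shared proxy addresses.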