Make Security Part Of Your New Year’s Resolutions

We’re at the doorstep to a new year, so there’s no better time than the present to check your site for security risks and brush up on your security habits.

Areas to focus on to get you started:

  1. Have all security patches been applied? (Ask us to check, or start with a free patch scanner at magereport.com.)
  2. Have you changed your password recently?
  3. Have you run anti-virus/anti-malware scans on all computers/devices that access your store’s backend?
  4. Is your store’s backend URL unique?
  5. Do you have a backup plan in place?
  6. Is all the software in your site’s software stack updated/patched? (Including Magento, WordPress, server-side code such as PHP, etc.)
  7. Are you adhering to the appropriate PCI compliance level?
  8. Have you run, at the very least, an external malware scan on your site? (Running one from the server side is always recommended, but a quick scan from Quttera or a similar tool will quickly show you if you have any major problems.)
  9. Have you been blacklisted? (Here’s a good tool.)

Hope that helps! Contact us if we can help out with anything or if you have any questions. Here’s to a safe & secure 2017!

P.S. Here are some more security tips from a previous blog post: Magento Security Tips

Magento Releases SUPEE-6788 Security Patch

Recently Magento released a major security patch (SUPEE-6788) which closes up holes that could lead to remote code execution, information leaks and cross-site scripting. However, this particular patch has been affecting many, many extensions. This is not a complete list, but if you have installed anything above & beyond the default Magento install, please check out this crowd-sourced Google Doc & then do your research (contact the extension developer directly if you can) about whether your extension may be affected — and take action accordingly before installing the patch.

Note: once you apply the patch, compatibility mode is turned on by default, meaning you’re not protected until it is switched off. To enable the security fix once the patch is installed, go to System > Configuration > Advanced > Admin and change “Admin routing compatibility mode for extensions” to “disable”.

Another Note: make sure you have the previous patches applied.

This is how we’d proceed with applying the patch:

  1. Research all your extensions/custom code
  2. Backup both live & dev sites
  3. Apply the SUPEE-6788 patch (download here) on the dev site & turn off compatibility mode. Dump the Magento cache. Test all relevant functions. Apply extension updates. If everything works, continue to the next step.
  4. Apply SUPEE-6788 patch on production site & turn off compatibility mode
  5. Apply extension updates (if appropriate)
  6. Dump Magento cache
  7. Test everything from CMS pages, to transaction emails
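A pre-flight check for step 1 and the "make sure you have the previous patches applied" note, as an added example (not Magento's or Wex Marketing's code). It reads Magento 1's app/etc/applied.patches.list; the prerequisite patch ids, the sample file lines and the patch-script filename pattern are assumptions, so compare them against Magento's own release notes.

```shell
#!/bin/sh
# Confirm earlier Magento 1 security patches are recorded before SUPEE-6788
# goes on. Added example; REQUIRED and the sample lines are assumptions.

REQUIRED="SUPEE-5344 SUPEE-5994 SUPEE-6285"   # assumed prerequisite list

# write_sample_list <path>: constructed stand-in for applied.patches.list.
# The real file is pipe-separated with the patch id in the second field.
write_sample_list() {
  cat > "$1" <<'EOF'
2015-02-10 12:00:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 |
2015-05-20 12:00:00 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 |
EOF
}

# missing_patches <applied.patches.list>: prints each missing id,
# returns 0 when every prerequisite is present, 1 otherwise.
missing_patches() {
  list="$1"
  missing=0
  [ -r "$list" ] || { echo "cannot read $list"; return 1; }
  for p in $REQUIRED; do
    if ! grep -q "| $p |" "$list"; then
      echo "missing: $p"
      missing=1
    fi
  done
  return $missing
}

# Usage from the Magento root, on the dev site first as the post advises
# (patch filename pattern assumed):
#   missing_patches app/etc/applied.patches.list && sh PATCH_SUPEE-6788_*.sh
```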

This is a very simple overview — as always, if you have any questions, let us know!

Is IE your browser of choice?

If so, listen up: you could be vulnerable. According to Microsoft, attacks are targeting versions 9, 10, and 11, but this affects every version of Internet Explorer back to 6. (Yes, 6; a small sliver of the internet still uses it. Sigh.)

What’s going on?

If you are like 26% of the web, you may be vulnerable to a recently discovered security hole in IE. Microsoft explains it best:

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Is there a fix? How do I stay safe?

Currently, there is NO FIX released by Microsoft. In the meantime, use another browser (e.g. Chrome or Firefox), or if you must use IE, be very, very careful about which links you click on (especially those received via email).

The Heartbleed Bug And You


What’s going on?

On Monday (April 7, 2014), Neel Mehta of Google Security & his team reported a bug, with potentially massive consequences, to the OpenSSL team. When I say massive, I mean experts estimate that over 50% of all sites are affected now or have been in the past.

Anyone use Pinterest? Yahoo? Airbnb? We recommend you listen up.

So, what is the Heartbleed bug?

To boil it down, there’s a hole in the encryption process that lets hackers get at a site’s security keys, undermining the security of any site using an SSL certificate. They can move in, steal your important data, and leave without a trace. Most, if not all, of these attacks can be carried out without leaving any trace, so they could have been going on for the past 2 years without anyone, not even Google, knowing about them. That’s scary!

What are we doing about it?

Here at Wex Marketing, we develop all of our e-commerce sites around the latest & greatest security features & practices, including implementing at least a 256-bit SSL security certificate. Unfortunately, the bug that was just announced has been “open season” for a long time (up to 2 years!). The affected versions are listed as OpenSSL 1.0.1 through 1.0.1f on servers running Apache and Nginx.

Since the announcement, we have been hard at work communicating with our host companies (who handle the SSL side of things) to make sure all our sites have been updated with the latest OpenSSL fix that came out shortly after the announcement.
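A quick local version check against the affected range the post lists (OpenSSL 1.0.1 through 1.0.1f), as an added example that is not Wex Marketing's code or the LastPass tool. It parses the output of `openssl version`; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Check whether an OpenSSL version string falls in the Heartbleed range the
# post gives (1.0.1 .. 1.0.1f). Added example, not Wex Marketing's code.
# Caveat: distributions backport fixes without bumping the version string,
# so "in affected range" means "check the vendor package changelog", not proof.

# openssl_in_heartbleed_range "<output of openssl version>"
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample).
# Returns 0 when the version is 1.0.1 .. 1.0.1f, 1 otherwise.
openssl_in_heartbleed_range() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')   # second field, e.g. "1.0.1e"
  case "$ver" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# check_local_openssl: runs the installed binary (if any) and reports.
# Returns 0 in range, 1 outside, 2 when openssl is not installed.
check_local_openssl() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
  out=$(openssl version)
  if openssl_in_heartbleed_range "$out"; then
    echo "$out: in affected range, verify vendor patch status"
    return 0
  fi
  echo "$out: outside affected range"
  return 1
}
```

Rotate keys and passwords only after the fix is in place; a password changed on a still-vulnerable server can leak again.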

What can you do about it?

As we touch up the SSL versions, we recommend you change all important passwords, including, but not limited to, email, site backends, payment gateways, etc., even personal bank accounts! By now, we expect all the major institutions to have applied the fix, but just to be safe, change all important passwords!

Curious whether your site (or a site you use) is vulnerable? Check it with this tool by LastPass.

Want to know more?

If you want to dig deeper, check out heartbleed.com or read the official announcement put out by US-CERT (the Computer Emergency Readiness Team, part of the Department of Homeland Security).