White Hat Hacking with TDL | Magento Shopping Cart Compromised



Malware scores 100 against Australian e-Stores

Earlier reports this year from staysafeonline and various media outlets advised that up to 100 Australian online stores running the popular Magento shopping cart software have been compromised with credential-scraping malware. Malware hunter Willem de Groot published results on Twitter showing that 4% of Magento sites worldwide were leaking payment and customer data. If you have transacted online recently, particularly coming into the festive season, it is a good idea to double-check your card statements for fraudulent transactions. For site owners, a patch is available to address this vulnerability; apply it, and then audit the store for injected code, because patching closes the hole but does not remove malware that is already present.

Setting IoT standards

A set of standards has now been defined and agreed upon for the security properties an IoT device should have. Given the current proliferation of these devices and their expected continuing growth, a baseline covering security capabilities, patchability, data encryption and password protection has been established. The list is below; while it is not mind-blowing in what it covers, it draws a line in the sand for manufacturers of IoT devices going forward.

  1. Password Management – Device supports local password management
  2. Authentication – Device supports user authentication
  3. Access Controls – Device enforces role-based access control
  4. Patch Management – Device supports automatic and manual installation of patches from an authorized source
  5. Software Upgrades – Device supports manual installation of software upgrades from an authorized source
  6. Audit Log – Device supports the gathering of audit log events and reporting them to an EMS using IPsec, SSH, TLS, or DTLS for encryption and integrity protection
  7. Encryption of Data in Transit – Device supports encrypted communications using IPsec, SSH, TLS or DTLS
  8. Multi-Factor Authentication – Device supports multiple authentication factors
  9. Remote Deactivation – Device can be remotely deactivated by the EMS
  10. Secure Boot – Device supports a secure boot process to protect its hardware
  11. Threat Monitoring – Device supports logging of anomalous or malicious activity based on configured policies and rules
  12. IoT Device Identity – Device provides an IoT Device Type and a globally unique IoT Device Identity
  13. Encryption of Data at Rest – Device supports an effective mechanism for encrypting data stored on the device
  14. Digital Signature Generation and Validation – Device supports generation and validation of digital signatures
  15. Tamper Evidence – Device has the ability to alert a monitoring system when it is physically opened
  16. Design-In Features – Device includes features to fail secure, provide boundary security and ensure function isolation
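
Items 4, 5 and 14 together describe one mechanism: the device accepts patches and upgrades only from an authorized source, which in practice means it verifies a digital signature over the update with a public key provisioned at manufacture. The Go program below is an added example of that check and is not code from the standard or from any vendor. The Ed25519 scheme, the `Update` layout, the `Device` type and the version-based anti-rollback rule are all assumptions made for illustration; the standard itself does not prescribe them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical signed firmware/patch package as it would arrive
// from the EMS or vendor update server.
type Update struct {
	Version uint32 // monotonically increasing; used to refuse rollback
	Image   []byte
	Sig     []byte // ed25519 signature over signingInput(Version, Image)
}

// signingInput binds the version number to the image so that a valid old
// signature cannot be replayed with a different version number.
func signingInput(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write([]byte("fw-update-v1")) // domain separation tag (assumed)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is what the authorized source (the vendor build system) runs.
// The private key never leaves that system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signingInput(version, image))}
}

var (
	ErrBadSignature = errors.New("update: signature does not verify against the trusted key")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
)

// Device holds the trust anchor provisioned at manufacture time (public key
// only) and the currently installed version.
type Device struct {
	TrustedKey ed25519.PublicKey
	Installed  uint32
}

// ApplyUpdate is the device-side check: verify the signature with the
// provisioned public key first, then enforce anti-rollback, then install.
// Nothing about the image is trusted until the signature verifies.
func (d *Device) ApplyUpdate(u Update) error {
	if !ed25519.Verify(d.TrustedKey, signingInput(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Version // a real device would write the image to flash here
	return nil
}

func main() {
	// Constructed demo key pair and images; a real device ships only the public key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{TrustedKey: pub, Installed: 1}

	good := SignUpdate(priv, 2, []byte("firmware image v2"))
	fmt.Println("genuine v2:", dev.ApplyUpdate(good))

	tampered := good
	tampered.Image = []byte("firmware image v2 + backdoor")
	fmt.Println("tampered image:", dev.ApplyUpdate(tampered))

	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("unauthorized signer:", dev.ApplyUpdate(SignUpdate(rogue, 3, []byte("firmware image v3"))))

	fmt.Println("rollback to v1:", dev.ApplyUpdate(SignUpdate(priv, 1, []byte("firmware image v1"))))
}
```

The order of the checks matters: the signature is verified before the version is even looked at, so an attacker who cannot produce a valid signature learns nothing from the version field, and a genuine but older image is refused so that a known-vulnerable build cannot be pushed back onto the device.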

Contact Us today to find out how Thomas Duryea Logicalis can support you with your organisation's security concerns and posture.
