When it comes to why website security is in such bad shape, there are lots of parties that play a role. Journalists could play a critical role in shining a light on what is wrong with the security industry, but for the most part they instead act as stenographers for claims made by security companies, without concern for the accuracy of the claims or whether they are newsworthy.
An example of that which we happened across this week (there are in all likelihood plenty of others just this week) involved what seems like an insignificant claim. Multiple outlets, including The Register, SecurityWeek, and Bleeping Computer, ran with a story of a claim that a thousand Magento websites had been hacked. A hack of that size alone doesn’t seem all that significant, and highlighting it might not be helpful if it leads people to think of Magento as being less secure than other solutions that are in fact less secure. What might make this newsworthy is if the method of the hacking was significant, say a new vulnerability being exploited. As we will get to in a bit, it seems the claimed source of the hacks might not be accurate, but even if true, it doesn’t seem all that significant and isn’t Magento related.
It isn’t that security journalists haven’t had anything to cover recently where some real journalism could be done when it comes to hacked websites. Recently we have been discussing a situation where a relationship between a web hosting company and a security company looks to have led to the web hosting company ignoring hackers targeting their customers, and possibly ignoring that their systems have an insecurity that is leading to the hackings. Questioning those companies could provide more insight into the situation and might lead to corrective action being taken.
The claims about the Magento websites being hacked came from a company named Flashpoint, which promotes itself as delivering business risk intelligence, which they describe thusly:
Business Risk Intelligence (BRI) broadens the scope of intelligence beyond threat detection in the cyber domain to provide relevant context to business units not traditionally afforded the benefits of intelligence from the Deep & Dark Web. By informing decision-making and improving preparation, BRI mitigates risk across the enterprise.
BRI can not only bolster cybersecurity but also confront fraud, detect insider threats, enhance physical security, assess M&A opportunities, and address vendor risk and supply chain integrity. The results are better decisions that protect a company’s ability to operate.
To us that sounds like something that probably isn’t of much value when so often security basics are still failing to be done, but it seems to be easier to sell people on more advanced things than on what they really need to be doing.
If their claims about Magento websites being hacked are any indication, that intelligence seems to be of little value. Here is the kind of insight it provides:
Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have also demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.
Hackers being interested in hacking websites shouldn’t be news to those in the security industry. That they would be interested in popular software also shouldn’t be news. What might be useful intelligence is if it were discovered that hackers were exploiting a zero-day vulnerability, which is a vulnerability being exploited before the developers of the software are aware of it, but that isn’t the case here.
Here is the claimed cause of the hacks:
The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials. Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.
There isn’t an explanation of how they determined that was the case, and we can’t think of what “known default Magento credentials” would refer to, so that leaves us to wonder if they actually know how the websites were hacked (or even have a basic understanding of Magento).
Later they made an additional reference to “default credential usage” that seems unconnected to Magento:
In the meantime, the rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords. The compromised IoT devices were corralled into a massive botnet that was pointed at a number of high-value targets including DNS provider Dyn, French webhost OVH, and journalist Brian Krebs’ website in order to carry out crippling distributed denial-of-service attacks.
The Mirai attacks involved trying to gain access to Internet of Things (IoT) devices using factory default usernames/passwords, but Magento doesn’t have a default username/password like that, so we are at a loss to understand what they are talking about (it might be that they have no idea what they are talking about).
For a moment let’s assume what they are claiming about attempts to log in using common passwords is true, since that is certainly a real issue. The biggest takeaway from that is that security basics (like using a strong password) are still not being done, while companies like Flashpoint are selling people on the need for additional security services. You would hope that these companies might consider that they are part of the problem rather than the solution for the poor state of security, but we have seen no indication that they do.
What also sticks out to us is that Flashpoint doesn’t seem to understand basic security terminology, as they are mixing up two different types of attacks. What they are talking about, trying to log in using common passwords, is a dictionary attack. They instead refer to it as a brute force attack, which actually refers to trying to log in using all possible passwords. How you would protect against those is very different, so understanding the difference is important for those in the security industry. That Wikipedia manages to get this right and Flashpoint doesn’t seems like an indication that they don’t have the best grasp of security, which might explain them trying to sell people on business risk intelligence instead of something that would be more effective at improving security.
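As an added illustration (not from the original post) of why the two attacks call for different defenses, the following Python password check applies two separate controls: a common-password blocklist, which is what stops a dictionary attack, and a minimum length/keyspace floor, which is what makes an exhaustive brute-force search impractical. The password list and the thresholds are constructed assumptions, not Magento's or Flashpoint's.

```python
import math
from typing import List, Optional

# Constructed stand-in for a real leaked/common-password list (ordered as an attacker would try it).
COMMON_PASSWORDS = ["password", "123456", "admin123", "magento", "qwerty", "letmein"]
COMMON_SET = frozenset(COMMON_PASSWORDS)

MIN_LENGTH = 12           # assumed policy floor
MIN_BRUTE_FORCE_BITS = 60  # assumed: keyspace below ~2^60 is considered exhaustively searchable


def charset_size(password: str) -> int:
    """Approximate alphabet size an exhaustive search would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # punctuation and space, roughly
    return max(size, 1)


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace a brute-force attack must search: charset ** length."""
    return len(password) * math.log2(charset_size(password))


def dictionary_guesses(password: str, wordlist: List[str]) -> Optional[int]:
    """Number of guesses at which a dictionary attack finds the password, or None if it never does."""
    for position, candidate in enumerate(wordlist, start=1):
        if candidate == password:
            return position
    return None


def check_password(password: str) -> List[str]:
    """Return the reasons a password fails policy; an empty list means it passes both checks."""
    problems = []
    if password.lower() in COMMON_SET:
        problems.append("in common-password list (dictionary attack finds it quickly)")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if brute_force_bits(password) < MIN_BRUTE_FORCE_BITS:
        problems.append("keyspace too small (brute-force attack is feasible)")
    return problems
```

Note that "Tr0ub4dor&3" clears the keyspace bar yet still fails on length, while a long all-lowercase passphrase passes both: the two checks measure different things.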