>30 Days From Patch – No Hacker Liability – Civil or Criminal

Potent, in-the-wild exploits imperil customers of 100,000 e-commerce sites by Dan Goodin.

From the post:

Criminals are exploiting an extremely critical vulnerability found on almost 100,000 e-commerce websites in a wave of attacks that puts the personal information for millions of people at risk of theft.

The remote code-execution hole resides in the community and enterprise editions of Magento, the Internet’s No. 1 content management system for e-commerce sites. Engineers from eBay, which owns the e-commerce platform, released a patch in February that closes the vulnerability, but as of earlier this week, more than 98,000 online merchants still hadn’t installed it, according to researchers with Byte, a Netherlands-based company that hosts Magento-using websites. Now, the consequences of that inaction are beginning to be felt, as attackers from Russia and China launch exploits that allow them to gain complete control over vulnerable sites.

“The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the Web server,” Netanel Rubin, a malware and vulnerability researcher with security firm Checkpoint, wrote in a recent blog post. “The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system.”

This flaw has been fixed but:

Engineers from eBay, which owns the e-commerce platform, released a patch in February that closes the vulnerability, but as of earlier this week, more than 98,000 online merchants still hadn’t installed it,…

The House of Representatives (U.S.) recently passed a cybersecurity bill to give companies liability protection while sharing threat data. As a step towards more sharing of cyberthreat information.

OK, but so far, have you heard of any incentives to encourage better security practices? Better security practices such as installing patches for known vulnerabilities.

Here’s an incentive idea for patch installation:

Exempt hackers from criminal and civil liability for vulnerabilities with patches more than thirty (30) days old.

Why not?

It will create a small army of hackers who pounce on every announced patch in hopes of catching someone over the thirty day deadline. It neatly solves the problem of how to monitor the installation of patches. (I am assuming the threat of being looted provides some incentive for patch maintenance.)

The second part should be a provision that insurance cannot be sold to cover losses due to hacks more than thirty days after patch release. As we have seen before, users rely on insurance to avoid spending money on cybersecurity. For more than thirty day after patch hacks, users have to eat the losses.

Let me know if you are interested in the >30-Day-From-Patch idea. I am willing to help draft the legislation.


For further information on this vulnerability:

Wikipedia on Magento, has about 30% of the ecommerce market.

Magento homepage, etc.

Analyzing the Magento Vulnerability (Updated) by Netanel Rubin.

From Rubin’s post:

Check Point researchers recently discovered a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data, affecting nearly two hundred thousand online shops.

Check Point privately disclosed the vulnerabilities together with a list of suggested fixes to eBay prior to public disclosure. A patch to address the flaws was released on February 9, 2015 (SUPEE-5344 available here). Store owners and administrators are urged to apply the patch immediately if they haven’t done so already.
For a visual demonstration of one way the vulnerability can be exploited, please see our video here.

What kind of attack is it?

The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system.

This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions. Check Point customers are already protected from exploitation attempts of this vulnerability through the IPS software blade.

Rubin’s post has lots of very nice PHP code.

I first saw this in a tweet by Ciuffy.

Comments are closed.