Security Breach Thoughts

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

wesley.wright
Forum Newbie
Posts: 1
Joined: Fri Jun 07, 2013 10:20 pm

Security Breach Thoughts

Post by wesley.wright »

Hey Guys,

I've been thinking over this issue we are having at my work now for many months and we have yet to find a potential reason for the cause, so hopefully someone here can get the juices flowing on ideas on how to proceed.

My company has an email marketing platform that clients use for sending out their monthly newsletters etc. We use Power MTA for mailing out and as a result we have a fairly good reputation for being able to get email to a location and report back simple things like click rates etc.

Probably about a year ago, one of our accounts was hacked and spear phishing campaigns were sent out. The campaigns were the typical American Greetings or PayPal dodgy ones with links and content trying to snare people into giving away personal details, as they do. This turned out to be the first in a string of attacks both on us and on about 10 other digital marketing platforms, so we aren't alone.

After all this we restricted our client administrator logins to Australia only, which quelled the issue for a long time; however, now they have started again and have just hit one of our bigger clients. Cyber crime ain't cool but unfortunately, our product is also filled with legacy code and has some potential issues should they be exploited. However, I have added logging to every single PHP file that is hit, logging every request (GET or POST), to try and see how these people are getting admin passwords.

They are just logging in after 1 attempt. They just seem to have a valid user's username and password and log in on the first attempt. There are no brute force attempts or anything like that, which makes it difficult to work out how it's happening. We run a LAMP stack and our servers are inaccessible unless on a VPN, same with our MySQL servers, so it is unlikely that that is the issue. We can also block individual IP addresses after attacks, which we do when we see what IP they are coming in from.

I know we could look at introducing a physical code card and renewing that every month or so; however, does anyone at all have some thoughts, or have experienced such issues and have an idea of steps to take?

This is obviously not a heap of info but I'm happy to provide more specific info if asked for. Much appreciated.

Wes
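One concrete way to use the per-request log the poster describes is to hunt it for exactly the pattern he reports: a successful admin login on the very first attempt from an IP address that account has never logged in from before. The script below is an added example, not code from the original post or the poster's product; the log format (timestamp, client IP, user, action, result), the function names and the sample lines are all constructed for this example, and it assumes PHP 7.1+.

```php
<?php
// Added example, not from the original thread: hunt a per-request log for
// first-try successful logins from IPs an account has never used before.
// Log format, field names and sample lines are constructed for this example.

declare(strict_types=1);

// Constructed sample of the kind of log described in the post (one request per line).
// Assumed format: ISO timestamp, client IP, user, action, result.
$sample_log = <<<'LOG'
2013-06-01T09:02:11+10:00 203.0.113.5 acme_admin login ok
2013-06-02T09:10:44+10:00 203.0.113.5 acme_admin login ok
2013-06-03T08:57:03+10:00 203.0.113.5 acme_admin login ok
2013-06-04T03:14:27+10:00 198.51.100.77 acme_admin login ok
2013-06-04T03:15:02+10:00 198.51.100.77 acme_admin campaign_send ok
2013-06-04T10:01:19+10:00 192.0.2.9 bigclient_admin login fail
2013-06-04T10:01:31+10:00 192.0.2.9 bigclient_admin login ok
LOG;

/** Parse one log line into an associative array, or null if it does not match the format. */
function parse_line(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line));
    if (count($parts) !== 5) {
        return null;
    }
    list($ts, $ip, $user, $action, $result) = $parts;
    return ['ts' => $ts, 'ip' => $ip, 'user' => $user, 'action' => $action, 'result' => $result];
}

/**
 * Return the login events matching the attacker pattern: result "ok" from an IP
 * the account has never logged in from, with no failed attempt from that IP first.
 * The first successful login ever seen for a user is treated as its baseline, not a hit.
 */
function first_attempt_logins_from_new_ips(string $log): array
{
    $known_ips  = [];   // user => set of IPs that have logged in successfully before
    $last_fail  = [];   // "user|ip" => true while the last attempt from that IP failed
    $suspicious = [];

    foreach (explode("\n", $log) as $line) {
        $e = parse_line($line);
        if ($e === null || $e['action'] !== 'login') {
            continue;
        }
        $key = $e['user'] . '|' . $e['ip'];
        if ($e['result'] !== 'ok') {
            $last_fail[$key] = true;
            continue;
        }
        $has_baseline     = !empty($known_ips[$e['user']]);
        $new_ip           = !isset($known_ips[$e['user']][$e['ip']]);
        $no_prior_failure = empty($last_fail[$key]);
        if ($has_baseline && $new_ip && $no_prior_failure) {
            $suspicious[] = $e;
        }
        $known_ips[$e['user']][$e['ip']] = true;
        unset($last_fail[$key]);
    }
    return $suspicious;
}

foreach (first_attempt_logins_from_new_ips($sample_log) as $hit) {
    printf("%s %s logged in first try from new IP %s\n", $hit['ts'], $hit['user'], $hit['ip']);
}
```

On the constructed data this flags only the 4 June login of acme_admin from 198.51.100.77; bigclient_admin's login from 192.0.2.9 is preceded by a failure and has no earlier baseline, so it is left alone. The check is deliberately narrow: it tells you which sessions to pull the full request trail for (what the attacker did after logging in), not how the credentials leaked. Swapping the IP key for a GeoIP country lookup gives a coarser but more robust signal once the attackers rotate addresses.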
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Security Breach Thoughts

Post by requinix »

So the problem is that they are able to gain and use valid credentials? Not that there's an exploit or a hole or something that is flawed in the code?

Current trend is to use validation codes that are SMSed to the user's cell phone. See Google and Amazon as examples. That fits the "something the user has" condition* as well as your thoughts of requiring some physical device.

* The trifecta is something the user is (like a fingerprint), has (like a phone), and knows (like a password).
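The "something the user has" check requinix describes can be added to an existing PHP login without touching the password path: after the password verifies, issue a short one-time code, send it out of band (SMS or otherwise), and only then open the admin session. The code below is an added example, not from the original thread or any of the posters' systems; the in-memory `$store` array and the commented-out `send_sms()` call are stand-ins for a database table and an SMS gateway, and it assumes PHP 7.0+ for `random_int()`.

```php
<?php
// Added example, not from the original thread: an out-of-band one-time login
// code ("something the user has"). Storage is an in-memory array and the SMS
// gateway call is a commented stand-in; both are assumptions for this example.

declare(strict_types=1);

const CODE_DIGITS   = 6;
const CODE_TTL_SECS = 300;   // a code is dead five minutes after issue
const MAX_ATTEMPTS  = 5;     // after this many wrong guesses the code is burned

/**
 * Issue a code for $user. Returns the plaintext code (to hand to the SMS gateway)
 * and stores only a salted hash of it, so a dump of the table does not leak live codes.
 */
function issue_code(array &$store, string $user, int $now): string
{
    // random_int() is a CSPRNG; str_pad keeps leading zeros so "004213" is a valid code.
    $code = str_pad((string) random_int(0, 10 ** CODE_DIGITS - 1), CODE_DIGITS, '0', STR_PAD_LEFT);
    $store[$user] = [
        'hash'     => password_hash($code, PASSWORD_DEFAULT),
        'expires'  => $now + CODE_TTL_SECS,
        'attempts' => 0,
    ];
    return $code;
}

/**
 * Verify $submitted for $user. Returns true at most once per issued code:
 * a correct guess consumes it, and expiry or too many guesses burns it.
 */
function verify_code(array &$store, string $user, string $submitted, int $now): bool
{
    if (!isset($store[$user])) {
        return false;                       // no code outstanding for this user
    }
    $rec = &$store[$user];
    if ($now > $rec['expires'] || $rec['attempts'] >= MAX_ATTEMPTS) {
        unset($store[$user]);               // expired or guessed at too often: burn it
        return false;
    }
    $rec['attempts']++;
    // password_verify() compares in constant time, so the check does not leak timing.
    if (!password_verify($submitted, $rec['hash'])) {
        return false;                       // wrong guess; the attempt is counted
    }
    unset($store[$user]);                   // correct: single use, remove it
    return true;
}

// Constructed demonstration run. In the real flow issue_code() runs only after the
// password check has passed, and the session is opened only after verify_code().
$store = [];
$now   = time();

$code = issue_code($store, 'acme_admin', $now);
// send_sms($phone_number_on_file, "Your login code is $code");   // assumed gateway call
echo 'first use:        ', var_export(verify_code($store, 'acme_admin', $code, $now), true), "\n";
echo 'second use:       ', var_export(verify_code($store, 'acme_admin', $code, $now), true), "\n";

$code = issue_code($store, 'acme_admin', $now);
echo 'after expiry:     ', var_export(verify_code($store, 'acme_admin', $code, $now + CODE_TTL_SECS + 1), true), "\n";
```

With a six-digit code and five permitted guesses an attacker who already holds the password still has a 5 in 1,000,000 chance per login of getting past the second factor, which is why the attempt counter and the short lifetime matter as much as the randomness. The demonstration run shows the code being accepted once, refused when replayed, and refused after its lifetime has passed. Bind the pending code to the session that passed the password check so a code issued for one browser cannot be redeemed from another.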
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Security Breach Thoughts

Post by mecha_godzilla »

Just to confirm this: you say your systems are only accessible by VPN, so even if hackers have valid login credentials, it still shouldn't be possible for them to access the servers (unless they have the VPN credentials as well, of course).

You also need to look into the possibility that keylogging software has been installed on the users' machines and/or their firewalls have been hacked. If hackers are logging in with the correct username/password every time, either they have exploited the software or they have stolen the login credentials; you need to ascertain which (if either) of these situations is occurring. You could try resetting passwords for certain groups of users and then see how long it takes for the logins to be exploited.

At the moment, it sounds like there are too many unknown variables for you to work with; even if you implement a new password scheme, that could still be exploited immediately if the underlying problems have not been resolved first.

Good luck with resolving these issues anyway. At the point at which they start costing your organisation money and/or negatively impacting its reputation, you really need to consider bringing in an independent security consultant to carry out an audit of your own servers as a minimum (btw, this is not a plug, as I am not an independent security consultant).

HTH,

Mecha Godzilla