PHP Developers Network
 Post subject: Security Breach Thoughts
PostPosted: Fri Jun 07, 2013 10:31 pm 
Hey Guys,

I've been thinking over this issue we are having at my work now for many months and we have yet to find a potential reason for the cause, so hopefully someone here can get the juices flowing on ideas on how to proceed.

My company has an email marketing platform that clients use for sending out their monthly newsletters etc. We use PowerMTA for mailing out and, as a result, we have a fairly good reputation for being able to get email to a location and report back simple things like click rates etc.

Probably about a year ago, one of our accounts was hacked and spear phishing campaigns were sent out. The campaign was the typical American Greetings or PayPal dodgy ones with links and content trying to snare people into giving away personal details, as they do. This turned out to be the first in a string of attacks both on us and on about 10 other digital marketing platforms, so we aren't alone.

After all this we restricted our client administrator logins to Australia only, which quelled the issue for a long time; however, now they have started again and have just hit one of our bigger clients. Cyber crime ain't cool but unfortunately, our product is also filled with legacy code and has some potential issues should they be exploited. However, I have added logging to every single PHP file that is hit, logging every request (GET or POST), to try and see how these people are getting admin passwords.

They are just logging in after one attempt. They just seem to have a valid user's username and password and log in in one attempt. There are no brute-force attempts or anything like that, which makes it difficult to work out how it's happening. We run a LAMP stack and our servers are inaccessible unless on a VPN, and the same goes for our MySQL servers, so it is unlikely that that is the issue. We can also block individual IP addresses after attacks, which we do when we see what IP they are coming in from.

I know we could look at introducing a physical code card and renewing that every month or so; however, does anyone at all have some thoughts, or have experienced such issues and have an idea of steps to take?

This is obviously not a heap of info but I'm happy to provide more specific info if asked for. Much appreciated.

Wes

PostPosted: Fri Jun 07, 2013 11:01 pm 
So the problem is that they are able to gain and use valid credentials? Not that there's an exploit or a hole or something that is flawed in the code?

Current trend is to use validation codes that are SMSed to the user's cell phone. See Google and Amazon as examples. That fits the "something the user has" condition* as well as your thoughts of requiring some physical device.

* The trifecta is something the user is (like a fingerprint), has (like a phone), and knows (like a password).

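The out-of-band code flow suggested in the reply above, worked through as an added example (not code from the original post, and not the poster's platform): the server generates the code after the password check has already passed, delivery is abstracted behind a hypothetical `send_code` callback where an SMS gateway would sit, and the code is single-use, short-lived, attempt-limited and compared in constant time. Python is used for the logic; the same checks are what a PHP login handler would need to implement.

```python
"""Second factor for an admin login: a short code delivered out of band.

Added example. send_code(username, code) is a hypothetical hook standing in
for an SMS gateway; the clock is injectable so expiry can be tested.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # what a user can read off a phone and type back
CODE_TTL_SECONDS = 300   # after this the code is dead even if never tried
MAX_ATTEMPTS = 3         # wrong guesses allowed before the challenge is burned


@dataclass
class PendingChallenge:
    username: str
    code: str
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Second step of a login: runs only after the password check passed."""

    def __init__(self, send_code, clock=time.time):
        self._send = send_code
        self._clock = clock
        self._pending = {}   # challenge_id -> PendingChallenge, server side only

    def start(self, username):
        """Issue a fresh code, deliver it out of band, return an opaque challenge id."""
        # CSPRNG digits: the code must be unguessable, so no random.randint here.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        challenge_id = secrets.token_urlsafe(32)
        self._pending[challenge_id] = PendingChallenge(username, code, self._clock())
        self._send(username, code)
        # Only the id goes into the browser session; the code never does.
        return challenge_id

    def verify(self, challenge_id, submitted):
        """True exactly once: right code, inside the TTL, within the attempt budget."""
        ch = self._pending.get(challenge_id)
        if ch is None:
            return False                       # unknown, expired, burned or already used
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._pending[challenge_id]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._pending[challenge_id]    # burn it: a fresh password login is required
            return False
        # Constant-time comparison so response timing leaks nothing about the digits.
        if not hmac.compare_digest(ch.code, str(submitted)):
            return False
        del self._pending[challenge_id]        # single use
        return True


if __name__ == "__main__":
    # Stand-alone demo with a fake gateway that just records the code it "sent".
    delivered = {}
    sf = SecondFactor(lambda user, code: delivered.setdefault(user, code))
    cid = sf.start("admin@example.com")
    print("accepted right code:", sf.verify(cid, delivered["admin@example.com"]))
    print("accepted a replay:  ", sf.verify(cid, delivered["admin@example.com"]))
```

The login should be granted only when `verify` returns True for the challenge id stored in that browser session; the password check alone must never set the admin session. A stolen password then buys the attacker nothing unless they also hold the phone, which is exactly the "something the user has" condition the reply describes.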
PostPosted: Sat Jun 08, 2013 5:34 am 
Just to confirm this: you say your systems are only accessible by VPN - even if hackers have valid login credentials, it still shouldn't be possible for them to access the servers (unless they have the VPN credentials as well, of course).

You also need to look into the possibility that keylogging software has been installed on the users' machines and/or their firewalls have been hacked. If hackers are logging in with the correct username/password every time, either they have exploited the software or they have stolen the login credentials - you need to ascertain which (if either) of these situations is occurring. You could try resetting passwords for certain groups of users and then see how long it takes for the logins to be exploited.

At the moment, it sounds like there are too many unknown variables for you to work with - even if you implement a new password scheme, that could still be exploited immediately if the underlying problems have not been resolved first.

Good luck with resolving these issues anyway - at the point at which they start costing your organisation money and/or negatively impacting on its reputation, you really need to consider bringing in an independent security consultant to carry out an audit of your own servers as a minimum (btw, this is not a plug as I am not an independent security consultant).

HTH,

Mecha Godzilla

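The original poster is already logging every request, and this reply suggests resetting passwords for a group of users and timing how fast the new credentials get abused. Here is that combined into detection logic, as an added example (not the platform's code): the log line format and the sample lines are constructed for the example, so the parser would need adapting to whatever the real PHP logging writes. It flags the "they just log in" pattern (a successful login from an IP the account has never used, with no failed attempts first) and separately flags such a login shortly after a password reset, which means the new password leaked too.

```python
"""Hunt a per-request login log for one-try logins with valid credentials.

Added example with a constructed log format: "<ISO time>Z LOGIN|RESET k=v ...".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|RESET) (?P<kv>.*)$")

# Constructed sample, not a real log: two admins, one helpdesk password reset.
SAMPLE_LOG = """\
2013-06-01T08:00:00Z LOGIN user=alice ip=203.0.113.10 result=ok
2013-06-02T08:05:00Z LOGIN user=alice ip=203.0.113.10 result=fail
2013-06-02T08:05:30Z LOGIN user=alice ip=203.0.113.10 result=ok
2013-06-03T09:00:00Z LOGIN user=bob ip=203.0.113.20 result=ok
2013-06-05T14:00:00Z RESET user=bob by=helpdesk
2013-06-05T14:20:00Z LOGIN user=bob ip=203.0.113.20 result=fail
2013-06-05T14:21:00Z LOGIN user=bob ip=203.0.113.20 result=ok
2013-06-05T16:40:00Z LOGIN user=bob ip=198.51.100.7 result=ok
2013-06-07T22:00:00Z LOGIN user=alice ip=198.51.100.9 result=ok
this line is junk and must not crash the parser
""".splitlines()


def parse(lines):
    """Turn raw lines into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(part.split("=", 1) for part in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["event"] = m.group("event")
        events.append(fields)
    events.sort(key=lambda e: e["ts"])
    return events


def hunt(lines, reset_window_hours=24):
    """Return (user, ip, reason) findings.

    new-ip-first-try:             success from an IP this account never used,
                                  with no failed attempts from it first.
    new-ip-first-try-after-reset: the same within reset_window_hours of a
                                  password reset, so the *new* password leaked
                                  as well; that points at the client side
                                  (keylogger, intercepted reset mail), not an
                                  old credential dump.
    """
    window = timedelta(hours=reset_window_hours)
    findings = []
    known_ips = defaultdict(set)   # user -> IPs that have logged in successfully
    failures = defaultdict(int)    # (user, ip) -> failed attempts so far
    last_reset = {}                # user -> time of the latest password reset
    for e in parse(lines):
        user = e["user"]
        if e["event"] == "RESET":
            last_reset[user] = e["ts"]
            continue
        ip = e["ip"]
        if e["result"] != "ok":
            failures[(user, ip)] += 1
            continue
        # Only judge accounts that already have a history; otherwise every
        # account's very first login would fire.
        if known_ips[user] and ip not in known_ips[user] and failures[(user, ip)] == 0:
            reset_at = last_reset.get(user)
            if reset_at is not None and e["ts"] - reset_at <= window:
                findings.append((user, ip, "new-ip-first-try-after-reset"))
            else:
                findings.append((user, ip, "new-ip-first-try"))
        known_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for user, ip, reason in hunt(SAMPLE_LOG):
        print(f"{user:6} {ip:15} {reason}")
```

Run against the real log, the "after-reset" findings are the ones that answer the question this reply raises: if a freshly reset password is used from an unknown IP within hours, the leak is live on the user's side or in the reset path, and no amount of hardening the LAMP servers will close it. Pairing the known-IP history with the poster's existing Australia-only rule (a country field per line) would tighten it further.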