Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Site hacked, what are possible liabilities? 
 
poskit
Jr. Member
 
Total Posts:  8
Joined:  2009-08-06
 

hi everyone,

about 2 weeks ago i tried to login to my cpanel account where my magento is installed. the password didn’t work, which was odd since it is stored in my browser. i thought foul play could be at hand, but i had my host reset the pw and forgot about it.

yesterday i tried to make a backup of my web files, and in the field where the email address notification goes, i saw an email address that i didn’t recognize. these two facts together lead me to believe that my hosting was compromised.

my initial thought was that the attacker was after my db records on the chance that i stored all the CC information locally. i don’t do that, so it wouldn’t be a problem. however, this morning i wondered if it was possible that they inserted some script to intercept the CC information as it is being processed through the credit card processor that i am using.

does anyone have experience with this scenario? should i be worried?

Mark

 
Magento Community Magento Community
Magento Community
Magento Community
 
Incognito
Guru
 
Total Posts:  322
Joined:  2008-08-07
Michigan
 

You could always reinstall magento.  Just to be sure nothing has been tampered with.  You will just have to copy the media directory, skin, and, template files to the new install and use the original database.

 
Magento Community Magento Community
Magento Community
Magento Community
 
willamm
Jr. Member
 
Total Posts:  6
Joined:  2009-12-20
 

hello,

I think this information will be helpful to you.

Any computer that’s connected to the Internet with a high-speed connection has the potential to be used as a weapon of mass destruction or disruption by terrorists, hackers, criminals and pranksters. If your computer is used that way, you may find yourself being sued for the ensuing damage.

About a month ago, in a column that I wrote about the infamous Love Bug, I wrote, “Prediction — it’s just a matter of time before computer crime becomes an instrument for killing or injuring people.” I still don’t know of that happening; however, if you don’t believe it will, let’s look at two of the most recent news stories of the last few weeks. Things are “progressing.”

Cell phone attack
Reuters reported that the worm-type virus, called Timofonica, had hit customers of Spain’s Movistar service, sending text messages scrolling across the screens of their cellular phones.

It was the first virus known to target cell phones. Its significance is that copycat virus writers will take the cue and now start targeting cell phone and other hand-held smart devices like Palms and Microsoft’s Pocket PC computers.

Security is always measure, countermeasure, counter-counter measure and so on. So, one response was that Symantec announced the development of the first antivirus software for the Palm OS platform. This, just days after the discovery of the first cell phone virus, proved that viruses can move swiftly to the world of hand-held smart devices. Isn’t capitalism amazing?

Your home computer may be a zombie
Next, we have reports that investigators had unraveled a possible future attack on major websites. Its method was insidiously simple. The hackers planted a rogue program on unprotected home computers connected to high speed Internet connections. If you have a cable modem or DSL connection, you’re vulnerable. Your computer could become somebody else’s zombie foisting an attack on other computers.

2,000 computers are known to be compromised. At any point, the hackers could order this army of zombie computers to launch crippling attacks on other computers.

Don’t underestimate the computing power of your home Pentium III. Part of an army of 2,000 zombie computers — it’s tremendous computing power.

Potential liability
Can you be sued if a hacker uses your computer as a weapon in an attack against other computers? Usually, framing the question in terms of “sued” is the wrong way to do it because the answer is always “yes.” After all, anyone can sue anybody for anything.

Generally, the question should be framed as can you be held “liable” or in other words, will you lose if you’re sued. The short answer to this question is that my research has failed to find a case where that was the result.

Generally, the law is reluctant to hold a person or corporation responsible for the wrongful acts of another. Having said that, there are many examples of situations where a court may hold you responsible for the criminal or civil wrong of another. Two examples would include lending your car to somebody you know is drunk who then has an “accident” and leaving a gun readily available to a child who then kills or injures somebody with it.

If you have a computer connected to the Internet, whether it’s your home or office system, the question that should concern you is “can you be sued?” It should concern you because you can be if your computer is used by a hacker to inflict harm on other computers.

Computer law is simply not a well-developed area of the law yet. It’s all too new and since law always develops behind new technology, the right answer to the question, “can you be held responsible” is “yes” you can be although you might be the first case where it happened.

You shouldn’t take comfort in my statement that I couldn’t find a case finding liability. The threat is too new and it will take 50 states a bit of time to develop case law and statutes to cope with this new type of threat.

My prediction is that courts will find liability against computer owners who negligently allow their computers to be a launching pad for attacks by hackers, terrorists and others. It’s an area that’s ripe for new law and you should be responsible for acting like a responsible computer owner.

You can’t leave a weapon of mass destruction lying around available to the first taker and defend with “but I didn’t do it, he did.” Every computer has the ability to become part of a weapon of mass destruction. Moreover, if you don’t think a computer can be a part of a weapon of mass destruction, then think about the billions of dollars of damage caused by the Love Bug.

I think that courts will begin to find computer owners responsible for their insecure systems connected to the Net. The legal standard will be “negligence” and that’s the key to this being a reasonable doctrine.

It’s unfortunate, but sometimes it seems that our legal system and Americans have forgotten about the concept of negligence. All too often, I would summarize the attitude of many as “if something bad happens, somebody else should pay.”

That’s wrong, but it’s so darn American. People slip on perfectly clean floors in a supermarket and they’re calling their lawyer on their cell phone before they hit the ground. Sometimes bad things happen and nobody should pay.

In law school, I remember going through a series of slip and fall cases involving banana peels. The point the cases made was that you needed to consider the color of the banana peel.

If it was perfectly yellow at the time of the fall, the storeowner shouldn’t be held responsible because a “reasonably prudent store owner” cannot be expected to clean up banana peels immediately after they hit the ground. On the other hand, if the peel were dark and dry, that would be evidence that the peel had been there a long time. In that case, a storeowner could be held responsible because a “reasonably prudent store owner” could be expected to periodically clean the floors to prevent accidents.

The point that I’m trying to make is that “negligence” is the key concept.

I’m not suggesting that courts will or should find liability every time a computer is hijacked and turned into a zombie. Rather, I’m suggesting that if you don’t act like a “reasonably prudent computer owner,” you may find yourself at the wrong end of a losing lawsuit.

Law usually develops from a needed public policy. As a burgeoning Internet dependent society, we need people to quickly learn good computing habits. The law can foster the development of these habits by holding people responsible for the misuse of their computers if they act negligently.

What that means is that if your business controls computers tied to the Net through a high-speed connection, and you have a firewall in place, and take other reasonable measures to insure security, you will not be liable if your computer is misused.

The flip side, however, is that if you choose to ignore the obvious threat, you will pay for your sheer stupidity.

The company with the firewall that was breached is a sympathetic figure and as much a victim as the company attacked. The company without any security or an insufficient or “negligent” security scheme in place is begging for a court to make it pay for its stupidity and carelessness.

The answer is to be a responsible computer owner. The law will never expect you to have perfect security in place. It’s not possible. Reasonable security is the key. Consult your technical experts on how you get that in place — immediately.

thanks

________

Windows 7 Easy Access

 
Magento Community Magento Community
Magento Community
Magento Community
 
J_T_
Moderator
 
Avatar
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 
poskit - 07 January 2010 06:32 AM

which was odd since it is stored in my browser.

And now you know where they get their passwords from when they hack you. Stored passwords are a liability. Store them in your head, or in a super duper password manager. I have such a manager software for which I physically need to enter a key before it opens. Hackers would have to be here next to my computer to get access. Do not store passwords in software you ultimately can’t trust (FireFox, FileZilla etc.) especially not in your FTP clients.

More than likely 1) your PC is compromised. Clean that first. 2) your server will also be compromised. A mere password reset won’t suffice. Check Google’s cache for example, chances are you’ll find stuff in the text-only version you didn’t put there. Also look in the source HTML, especially the footer. There may be encoded scripts in there. And yes, for good measure, you can also assume your payment method is compromised too. It depends on the type of payment method whether they can actually intercept anything.

Wipe you own PC and build your server from scratch. That’s the best you can do. And then stop storing passwords. It’s like writing your bank card codes on your bank card. Or your safe code on the painting in front of the safe. It’s a newbie mistake.

 
Magento Community Magento Community
Magento Community
Magento Community
Magento Community
Magento Community
Back to top