WEBVTT

00:00:00.246 --> 00:00:02.923
I'm going to stay in server side for a bit.

00:00:02.923 --> 00:00:05.945
Talk to me about shopping carts.

00:00:05.945 --> 00:00:11.815
Shopping carts are a forensic analyst's best customer.

00:00:11.815 --> 00:00:12.430
Right.

00:00:12.430 --> 00:00:13.046
Really?

00:00:13.046 --> 00:00:17.122
Yeah, especially some of the more popular open-source carts.

00:00:17.122 --> 00:00:22.560
These are carts that are often free to use,

00:00:22.560 --> 00:00:28.128
and some merchants that are starting off like to take

00:00:28.128 --> 00:00:30.798
advantage of them because they're free, they work,

00:00:30.798 --> 00:00:34.719
they do a good job, they have large followings,

00:00:34.719 --> 00:00:39.658
and you can set up a lot of them with the click of a button.

00:00:39.659 --> 00:00:41.951
The problem is, with that open-source code,

00:00:41.951 --> 00:00:48.116
the attackers have intimate knowledge of every way that shopping cart works,

00:00:48.117 --> 00:00:50.587
and there is no end to the amount of attacks that

00:00:50.587 --> 00:00:53.433
they can go in and launch against.

00:00:53.433 --> 00:00:57.312
It's the surface area that we talked about.

00:00:57.313 --> 00:01:01.750
There's so many points that the attackers can hit that we're seeing

00:01:01.750 --> 00:01:08.583
zero-day attacks against some of these bigger shopping carts.

00:01:08.584 --> 00:01:13.248
And so, with those carts, they can be great to use,

00:01:13.248 --> 00:01:18.899
but you have to have the IT necessary to know how to implement that cart

00:01:18.899 --> 00:01:22.696
to know what its weaknesses are and monitor that cart.

00:01:22.696 --> 00:01:27.808
And most importantly, you've got to stay up to date on the patches.

00:01:27.809 --> 00:01:32.728
We see it all the time where merchants are six months or even

00:01:32.728 --> 00:01:35.407
one year behind on their critical updates.

00:01:35.407 --> 00:01:41.571
That means that the company maintaining that cart has put out a patch that says,

00:01:41.571 --> 00:01:45.619
hey, this shopping cart is vulnerable to all these exploits,

00:01:45.619 --> 00:01:49.299
which means all the attackers out there got the same notification.

00:01:49.300 --> 00:01:51.381
They now know about it and you don't.

00:01:51.382 --> 00:01:53.661
When I was, I was going to say, when I was at the brands,

00:01:53.661 --> 00:01:57.313
there was one shopping cart, still a very popular commercial shopping cart,

00:01:57.313 --> 00:02:01.655
loads of people use it, therefore, the attacks went after it.

00:02:01.655 --> 00:02:03.832
It had vulnerabilities, like all software's got vulnerabilities,

00:02:03.832 --> 00:02:06.620
but because it was so popular, it was really heavily hit,

00:02:06.620 --> 00:02:10.491
you know the one I'm talking about, and merchants just would not update.

00:02:10.491 --> 00:02:14.679
And I know lots of PFI companies that will scan your shopping cart

00:02:14.679 --> 00:02:18.806
website and notify you when you're vulnerable.

00:02:18.806 --> 00:02:20.493
I guess you do the same stuff for --- Yeah,

00:02:20.493 --> 00:02:23.459
I am --- When we have an e-commerce investigation that

00:02:23.459 --> 00:02:25.037
involves one of these common shopping carts,

00:02:25.037 --> 00:02:28.821
one of the first things we do is just go run a little script

00:02:28.821 --> 00:02:30.718
against it that any merchant could do themselves.

00:02:30.719 --> 00:02:34.144
It just tells us what patches have been applied.

00:02:34.145 --> 00:02:35.686
And there's all these plug-in modules, aren't there,

00:02:35.686 --> 00:02:37.346
that also don't get patched.

00:02:37.347 --> 00:02:42.356
I think the big e-comm learning thing, which any PFI would say,

00:02:42.356 --> 00:02:43.922
I'm sure you'll back me on this,

00:02:43.922 --> 00:02:46.311
is if you run one of these commercial shopping carts,

00:02:46.312 --> 00:02:51.946
especially the one that's been hit by the bad guys because it's so popular,

00:02:51.947 --> 00:02:54.021
not because it's badly written, it's just out there.

00:02:54.021 --> 00:02:58.232
It's like Windows, so that they go where they get the most bang for their attack.

00:02:58.233 --> 00:02:58.933
Patch.

00:02:58.933 --> 00:03:01.033
Scan every day.

00:03:01.034 --> 00:03:03.354
There are free services out there that will tell

00:03:03.354 --> 00:03:05.586
you that you're behind the patch.

00:03:05.586 --> 00:03:07.588
Because the bad guy's doing it to you today.

00:03:07.589 --> 00:03:08.602
He's scanning you.

00:03:08.603 --> 00:03:10.883
He, or she, knows what version you're at.

00:03:10.884 --> 00:03:14.474
As soon as the vulnerability, they've got you.

00:03:14.475 --> 00:03:20.213
Merchants really should be patching just as soon as that patch comes out,

00:03:20.214 --> 00:03:22.979
but certainly no less than 24 hours.

00:03:22.979 --> 00:03:24.809
That's a whole day the attacker has.

00:03:24.809 --> 00:03:27.186
That's not tenable anymore, is it?

00:03:27.187 --> 00:03:27.571
No.

00:03:27.571 --> 00:03:30.646
I mean, the attackers don't wait 30 days.

00:03:30.646 --> 00:03:32.742
They don't give you a 30-day head start.

00:03:32.743 --> 00:03:35.258
The moment an exploit is out there and it's known,

00:03:35.258 --> 00:03:39.501
they're trying to find as many carts as they can that have

00:03:39.501 --> 00:03:40.845
that vulnerability that they can get into.

00:03:40.846 --> 00:03:44.640
So our recommendation is always patch it,

00:03:44.640 --> 00:03:45.202
I mean,

00:03:45.202 --> 00:03:49.117
almost to the point of have somebody that you can call and get out of

00:03:49.118 --> 00:03:52.673
bed to get that patch applied the moment it comes out,

00:03:52.673 --> 00:03:55.427
but certainly no less than 24 hours.

00:03:55.427 --> 00:03:58.479
Those bots are going to be running, looking for those vulnerabilities.

00:03:58.479 --> 00:03:59.201
And as a PFI,

00:03:59.201 --> 00:04:01.184
you've seen attacks within the first 24 hours of

00:04:01.184 --> 00:04:01.928
these vulnerabilities coming out?

00:04:01.929 --> 00:04:03.576
Absolutely.

00:04:03.576 --> 00:04:03.994
Wow.

00:04:03.994 --> 00:04:09.921
So, merchants need to be scanning and patching really quickly.
