Question about Site Hacking, etc.... HELP!
    My friend got her ecommerce site hacked (she's not at 3dcart). Nonetheless, this got me very concerned!

    Just a few questions:
    1. How can you protect your site from getting hacked?
    2. Does 3dcart store backups of your site, or am I supposed to be performing my own backups?
    Any other info. would be great.

  • #2
    I found this on 3dcart's e-commerce information page:

    Daily Data Backups

    Your store and website data is secure with 3dcart, which includes daily data backups, just in case you delete or overwrite any file that you might need to restore.

    Ecommerce Hosting and Security | Hosted Shopping Cart

    • #3
      Can anyone else confirm? 3dcart sites can't get hacked? One thing that is TOTALLY disgusting is that after they hacked her site, they put "hacked by xxx" and listed all their info and even their Facebook page with recent hacks. REALLY SCARY stuff!

      ALSO... wondering if something like this would be a good purchase?
      Website Security | Trust Seals | Protect Your Site with SiteLock | Products
      Last edited by ashults74; 11-02-2012, 03:39 PM.

      • #4
        Unfortunately, no sites are completely hack-proof. It would be interesting to know whether 3dcart backups are stored offline in order to be more secure.

        • #5
          Make sure your admin logins and passwords are complex

          I have been wondering the same thing because my customers' accounts contain their business checking account information. One good idea is this: make sure your logins and passwords are a mixed variety of upper, lower, and special characters. Change them frequently. Just keep an eye on your account and monitor it frequently. Good luck :)

          • #6
            As far as I have seen, 3dCart's system is pretty secure. They do enforce a 45-day password expiration policy, which, while it does create password fatigue, also helps stop stale passwords from being leaked, guessed, or cracked (by the time someone can brute-force a password it has been changed -- in theory).

            One thing I would note is that it appears that 3dCart does not properly cryptographically hash passwords... This can be deduced from their password requirements (no special characters and no spaces). When you cryptographically hash a password, these requirements are not a problem. It would be my guess that they are likely storing the encrypted passwords someplace (which means the decryption key has to be stored somewhere as well... possibly on the very server you are trying to protect...) or, worse but not likely (hopefully), storing them in plain text. Not allowing special characters and spaces not only reduces the possible keyspace for passwords, but indicates they are being stored in some database that may have trouble with those characters.

            When a password is cryptographically hashed, it gets run through an algorithm many, many times along with a "salt" added for increased complexity. This outputs a hash of your password that is unique to the exact configuration of the algorithm they are using (extremely difficult to replicate without knowing the exact configuration, plus the "salt" adds to that complexity). This hash would then be stored in their database. When a user attempts to log in, the entered passphrase gets hashed the same way and compared; if it matches, then access is granted. This is superior to encrypted passwords, since once decrypted you have the plaintext password... also the server must decrypt the password to make the comparison for a match, and is therefore inherently insecure, since this decryption key may possibly get compromised, leading to every password being exposed instead of just one. This decryption key would have to be stored someplace the server has access to (usually on the very server it is attempting to protect).

            More info on password hashing: Cryptographic hash function - Wikipedia, the free encyclopedia

            Anyways, most websites get "hacked" because of weak passwords. If you keep a strong password, then in most cases you will be OK. Also note that any 3rd-party modifications you make to your site can possibly expose security vulnerabilities; just be aware. 3dCart does a good job of keeping their stuff updated and secure, so you should be OK for the most part.

            • #7
              Not my fault if you have problems sleeping after reading this article :-)

              Kill the Password: Why a String of Characters Can't Protect Us Anymore | Gadget Lab | Wired.com

              • #8
                The best defense against social engineering is training. In the case of the Wired writer being "hacked", Amazon and Apple had poor employee training that was exploited into granting access. Unfortunate, yes... but not a case for ditching strong, cryptographically hashed passwords.
