One day a company much like yours -let’s call them “The Company”- called us to get our help with a serious problem. Someone had hacked into to their ColdFusion server and encrypted all of their important data files. Subsequently, The Company received an email asking for $100,000 to decrypt these files. The Company had been both hacked and “datanapped”.
Could this happen to your company?
How Secure is Your ColdFusion Server?
These are some of the problems you can experience with an insecure ColdFusion server:
After a breach, personnel job security goes into rapid decline
If you are datanapped, monetary demands may be excessively high
Your customer’s sensitive data could be posted in the Darknet for scamming purposes
If news of the breach goes public, company PR will be damaged
The scope of the problem may be far greater than one particular system
Your CF site slows/crashes due to hackers using the server for spam email sending
Now let’s find out some background from The Company and see if we can gain some insight into the problem.
A Short Look at The Company’s ColdFusion Security Issues
When we arrived at The Company, it was chaos. People were scrambling and unsure of how to handle the situation.
We set up our team and accessed their server. One of the first things we noticed is that regular interval maintenance had not been completed. Tasks such as applying security patches and updates were still needing to be done.
The hackers had infiltrated most of the areas of the ColdFusion server. They had been inside the system for over six months! Many of the server’s systems were affected including the central database.
In addition, the hackers had been using The Company’s CF server to send out an enormous amount of SPAM. In fact, that spam is how The Company finally noticed they had been hacked because it was slowing down the server performance greatly. The hacker’s presence also affected The Company’s email deliverability due to their SMTP server being blacklisted.
What Were the Main Issues Uncovered in the ColdFusion Security Audit?
As part of the initial security audit, we looked at the following issues:
Scanned the server for security holes
Reviewed the server configuration for security
Reviewed the ColdFusion configuration for security
Reviewed database configuration for security
Tuned ColdFusion, database, and server configuration for high security
After audit, we recognized that we had to do something about the files that had been datanapped and repairing the affected systems. A quick check revealed that they had been doing regular backups. Instead of paying the hackers, an older backup of the files was applied to the system after all traces of the hackers’ presence was gone.
Upon finishing repairs, we turned our sights to preventing this event from ever happening again. We looked at a sample of code for security holes and made recommendations for future prevention best practices. Our team recommended continuing server backups and implementing a scheduled plan for future updates and security patches.
As Pete Freitag says in episode 020 of the ColdFusion Alive Podcast, “Secrets of High-Security ColdFusion Code”:
“Why should someone even care about the security in their ColdFusion code? It's something that's a very important topic. If you've got security vulnerabilities within your code base–eventually at some point if you don't address them– you might find out the hard way; which is a really horrible thing to have to go through. Having somebody hack your server and all the potential things that they might be able to do.
It could be deleting important assets that are difficult to recover; corrupted databases that might be very difficult to restore back to a reasonable state. There's just all sorts of things that an attacker could potentially do to your applications, and they can really be a costly problem for you to recover from.”
Should Other Security Issues be Explored?
One of the ways the hackers gained access to The Company’s database was through SQL Injection. SQL Injection is the placement of malicious code in SQL statements. This is one of the most common issues our clients have reported to us here at TeraTech and to others. David Epler touches on this in his webinar, “ColdFusion Security and Web Hacking Tools”.
Consider the story of Lauri Love, a British hacker who infiltrated many U.S. government ColdFusion servers using SQL Injection. This can give you an idea of how widespread the use of SQL Injection is by hackers.
Your ColdFusion servers can be protected by using CFQueryParam in SQL queries and remaining vigilant!
Related: Top 5 Security Issues Solved with Adobe ColdFusion 2018
Wrapping Up and Going Forward with ColdFusion Security
Just like we told The Company, there are ways you can learn best practices and troubleshooting for your ColdFusion server. Charlie Arehart’s “ColdFusion Troubleshooting Blog” is a great resource to do just that.
After solving the issues at The Company, we were able to set them up on a plan to success. This plan included CFML best practices for security and regular maintenance/updates of their ColdFusion server. Their server is now secure.
Don’t let the same thing happen to your company. Follow the advice above and learn from The Company’s unfortunate situation.
Your ColdFusion server security and business depend on it!
Related: Adobe ColdFusion Comprehensive Guide (More Powerful, More Modernized, More Alive)
And to continue learning how to make your ColdFusion apps more modern and alive, I encourage you to download our free ColdFusion Alive Best Practices Checklist.
Because… perhaps you are responsible for a mission-critical or revenue-generating CF application that you don’t trust 100%, where implementing new features is a painful ad-hoc process with slow turnaround even for simple requests.
What if you have no contingency plan for a sudden developer departure or a server outage? Perhaps every time a new freelancer works on your site, something breaks. Or your application availability, security, and reliability are poor.
And if you are depending on ColdFusion for your job, then you can’t afford to let your CF development methods die on the vine.
You’re making a high-stakes bet that everything is going to be OK using the same old app creation ways in that one language — forever.
All it would take is for your fellow CF developer to quit or for your CIO to decide to leave the (falsely) perceived sinking ship of CFML and you could lose everything—your project, your hard-won CF skills, and possibly even your job.
Luckily, there are a number of simple, logical steps you can take now to protect yourself from these obvious risks.
No Brainer ColdFusion Best Practices to Ensure You Thrive No Matter What Happens Next
ColdFusion Alive Best Practices Checklist
Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.
√ Easily create a consistent server architecture across development, testing, and production
√ A modern test environment to prevent bugs from spreading
√ Automated continuous integration tools that work well with CF
√ A portable development environment baked into your codebase… for free!
Learn about these and many more strategies in our free ColdFusion Alive Best Practices Checklist.
Michaela Light is the host of the CF Alive Podcast and has interviewed more than 100 ColdFusion experts. In each interview, she asks "What Would It Take to make CF more alive this year?" The answers still inspire her to continue to write and interview new speakers.
Michaela has been programming in ColdFusion for more than 20 years. She founded TeraTech in 1989. The company specializes in ColdFusion application development, security and optimization. She has also founded the CFUnited Conference and runs the annual State of the CF Union Survey.