WordPress Security - WordCamp phoenix 2013


Published on

WordPress security at WordCamp Phoenix 2013.

WordPress Security - WordCamp phoenix 2013

  1. WordPress SecurityDealing with Today’s Hacks
  2. If you don’t ask, you don’t get! • Dre Armeda, CISSP • CEO, Co-Founder at Sucuri Inc. • @dremeda • Dre.im Im a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. Im infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!1/19/2013 Dre Armeda - @dremeda #wcphx
  3. Why listen to me? You don’t have to, but…• 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy. – Managed security awareness for Sempra Energy – Deployed security suite for 1-800-Flowers. – Cleaned Martha Steward web properties of malware• Not an expert, passionate enthusiast.• Seriously though – Quick Sucuri stats: – Remediate 200 – 300 infected websites a day, • 24/7/365 – Perform 2 million + malware website scans a month – Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc… ) My goal in life is to make the web a safer place!1/19/2013 Dre Armeda - @dremeda #wcphx
  4. Thoughts To Kick Things Off• Information Security is about risk reduction. – If you’re looking for the “silver bullet” this is the wrong talk for you.• To think that you will never be infected is like saying you will never be sick. – Someone tells you different – Percussion calibration time• Prevention is ideal, but not realistic. – Risk will never be 0% – Detection is key.1/19/2013 Dre Armeda - @dremeda #wcphx
  5. Know Your Enemy• They have time & resources• They are intelligent• Attacks are automated• Goal is to impact quantity• Own one, own them all…• It’s not personal 1/19/2013 Dre Armeda - @dremeda #wcphx
  6. Ok, so what’s the problem?TODAY’S ISSUES:• The Ecosystem / Environment• Access Control• Software Vulnerabilities• Administration• Credential Management• Extensibility1/19/2013 Dre Armeda - @dremeda #wcphx
  7. Today’s Focus• Ecosystem / Environment• Access Control• Dealing with Hacks1/19/2013 Dre Armeda - @dremeda #wcphx
  8. Logical Architecture Linux Operating System Apache MySQL PHP WordPress CPANEL Plesk phpMyAdmin PHP-CGI Modules Modules1/19/2013 Dre Armeda - @dremeda #wcphx
  9. The EcoSystem / Environment• Apache – Malicious module injects iFrames – http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module- injects-iframes/• phpMyAdmin – Mirror Hacked – http://sourceforge.net/blog/phpmyadmin-back-door/• PHP-CGI – Remote Code Execution – http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the- wild.html• Plesk – Vulnerable to SQLi attacks – http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to- malware.html 1/19/2013 Dre Armeda - @dremeda #wcphx
  10. The EcoSystem / Environment • What can you do? – Not much… completely outside of your control if you’re using a shared or managed host • But, you can reduce risk... – Use a Dedicated / VPS Environment • But recognize the responsibility that this entails, if you what I mentioned previously doesn’t make sense, skip to next step – Go with a Managed Host • Doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on1/19/2013 Dre Armeda - @dremeda #wcphx
  11. Access is Key• We have to change the way we treat and think about access. All access – Server / Application• We are going through the same mistakes servers and desktops were making in the 90’s with access.• Know where you are surfing the web, do you really need to log in as an admin at the coffee shop?1/19/2013 Dre Armeda - @dremeda #wcphx
  12. Before We Dive In1/19/2013 Dre Armeda - @dremeda #wcphx
  13. WordPress Loving Infections• Defacements• Backdoors• Pharma Hack• Injections – iFrame Specifically• Malicious Redirects• Phishing1/19/2013 Dre Armeda - @dremeda #wcphx
  14. Hacktivism at its finest… you now support a cause!?!?!DEFACEMENTS
  15. Defacements• Hacktivism 101 – Annoying as S*&T• Places to look: – Index.html – Index.php • Root Directory • Wp-Content • Theme Directory• GREP is your friend: – grep –ri ‘sniper399’ .1/19/2013 Dre Armeda - @dremeda #wcphx
  16. It’s ok to cry a little… BACKDOORS
  17. Backdoors• Common terms: – Is_bot – Eval – Base64_decode – Fopen – Fclose – readfile – Edoced_46esad – Exec – System – Shell_exec – Gzuncompress – popen – FilesMan1/19/2013 Dre Armeda - @dremeda #wcphx
  18. Erectile Dysfunction pills are leading ads.. Who knew.. PHARMA HACK
  19. Pharma Hack• Multi-million $ Business• Rarely Distribute Malware• Impression based Affiliate Marketing• Google’s Search Engine Result Pages (SERP)• Odds of malware distribution are actually low• Tricks: – Embedded within core files – Look for “.tmp” directories = >1/19/2013 Dre Armeda - @dremeda #wcphx
  20. Pharma Hack, cntd..• Try using CURL to emulate Google and Windows: Curl –L –A “Googlebot/2.1(+http://www.google.com/bot.html)” http://someinfectedwebsite.com – Google Webmaster Tools • Fetch as Google Bot• Check your Theme Index.php file for things like this: – <?php $wp__theme_icon=@create_function(”,@file_get_co ntents(‘/public_html/wp-content/themes/my-really- good-theme/images/s.jpg’));$wp__theme_icon(); ?>1/19/2013 Dre Armeda - @dremeda #wcphx
  21. Pharma Hack, cntd..1/19/2013 Dre Armeda - @dremeda #wcphx
  22. It only hurts for a minute…INJECTIONS
  23. Injections• Invisible iFrame’s - Executing on your browser• Contributing to Drive-by-Downloads, Pharma, XSS, CSRF• Places to check – Pages that generate content: – JS files, Header.php, Index.php, Function.php, Footer.php1/19/2013 Dre Armeda - @dremeda #wcphx
  24. Injections, cntd… • PHP iFrame Injection => – Count##.php – Check all Index.php / Theme JS files – Example below:1/19/2013 Dre Armeda - @dremeda #wcphx
  25. Injections, cntd… • Pharma Link Injections => • Drive-By- Downloads1/19/2013 Dre Armeda - @dremeda #wcphx
  26. WTF?!?! Why don’t I understand what it says?MALICIOUS REDIRECTS
  27. Malicious Redirects • Redirects your user to a domain distributing malware, fundamentally different than an iframe injection that executes in your browser • 8 out of 10 times, check your .htaccess file – all of them – # find /var/www –name .htaccess –type f | wc –l • Check for backdoors also – often a sign of a bigger issue1/19/2013 Dre Armeda - @dremeda #wcphx
  28. Biggest growing problem, exceptionally difficult to detect…PHISHING
  29. Phishing• Growing at a faster pace than traditional web- malware• No impact to readers, but tied to SPAM bots sending out emails like this:1/19/2013 Dre Armeda - @dremeda #wcphx
  30. Phishing, cntd…1/19/2013 Dre Armeda - @dremeda #wcphx
  31. Bringing the Point HomeDEMONSTRATION
  32. Demo Objective• Use good tools for bad things – wpscan• Enumerate the users• Enumrate Passwords• Own target WordPress site• Deface the Website I have 5 minutes – Ready?1/19/2013 Dre Armeda - @dremeda #wcphx
  33. Remember the risk discussion?KEEPING IT REAL
  34. Update • Oldest version found in production – 1.5 • Leading cause of cross-site contamination issues • Perhaps the simplest of tasks, yet we still find this:1/19/2013 Dre Armeda - @dremeda #wcphx
  35. Access is Key• On the Server: – Kill accounts that are not in use – FTP is the devil – slap yourself and switch to SFTP – Disable password auth & use key pairs• WordPress Admin: – Multi-Factor Authentication on wp-admin – Two-Factor Authentication on wp-login.php• Employ least privileged: – Only use admin accounts for admin tasks – Learn to use Editor, Author, Contributor, Subscriber1/19/2013 Dre Armeda - @dremeda #wcphx
  36. Password Dilemma • 15 character pass – 3 months to crack • Long / Complex / Unique – Key to Passwords • Prefer Password Manager – You don’t? ok.. – Passphrases work too • iLuvWCLpHX:2013:S@nT@N b@By • Come up with a process & stick to it: – One scheme: • Remember 8 characters • Write Down 8 characters • Save 20 characters – Second scheme: • Remember 20 characters • Prefix characters with site name • End sequence with some date1/19/2013 Dre Armeda - @dremeda #wcphx
  37. Kill PHP Execution• Kill PHP Execution – Directories: • WP-INCLUDES • WP-CONTENT • UPLOADS – At a minimum <Files *.php> Deny from all </Files>1/19/2013 Dre Armeda - @dremeda #wcphx
  38. Disable Theme / Plugin EditorI’d take it a step further and remove the ability to install, butthat’s just me.Modify WP-CONFIG.PHP With:• Disable the Plugin / Theme Editor – Define(‘DISALLOW_FILE_EDIT’,true); - OR -• Disable the Plugin / Theme Update and Installation – Define(‘DISALLOW_FILE_MODS’,true);1/19/2013 Dre Armeda - @dremeda #wcphx
  39. Plugins That HelpSucuri Clients Non-Clients• Sucuri Security Plugin • Limit Login Attempts• Theme-Check • Theme-Check• BackupBuddy • BackupBuddy• Akismet • Akismet1/19/2013 Dre Armeda - @dremeda #wcphx
  40. Need a Hand? Support Forums Online Resources • Hacked – • Sucuri Blog: http://wordpress.org/tags/ http://blog.sucuri.net hacked • SiteCheck Scanner: http://sitecheck.sucuri.net • Unmask Parasites: • Malware – http://unmaskparasites.com http://wordpress.org/tags/ • Perishable Press: malware http://perishablepress.com/ca tegory/web-design/security/ • Secunia Security Advisories: • BadwareBusters – http://secunia.com/communit https://badwarebusters.org y/advisories/search/?search= wordpress1/19/2013 Dre Armeda - @dremeda #wcphx
  41. Dre Armeda, CISSP Dre.im @dremeda Sucuri Inc. http://sucuri.net http://blog.sucuri.net @sucuri_security Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.1/19/2013 Dre Armeda - @dremeda #wcphx