0
 
DRE ARMEDA,CISSP @ DREMEDA <ul><li>CO-FOUNDER AT SUCURI SECURITY </li></ul><ul><li>ORGANIZER, WORDCAMP SAN DIEGO </li></ul...
THE WEB IS GROWING <ul><li>Over 2 Billion internet users today. 480% growth in the last 11 years.  (Internet World Stats) ...
INNOVATION & CREATIVITY
ITS NOT ALL PEACHY
WHAT IS MALWARE? <ul><li>SEO spam, JavaScript & iFrame attacks, and malicious redirects are a couple web-based malware exa...
 
ATTACKERS LOVE YOU <ul><li>Monitor your web browsing and internet usage </li></ul><ul><li>Forced advertising </li></ul><ul...
HOW BAD IS IT? <ul><li>Over 2 million new malware strings monthly  (McAfee) </li></ul><ul><li>Cost to US consumers alone =...
ENCODED JAVASCRIPT Impact:  Website pages may be used to serve malicious downloads to visitors. Downloads may be used to i...
ENCODED JAVASCRIPT /wp-admin/js/cat.js – CLEAN
ENCODED JAVASCRIPT /wp-admin/js/cat.js – INFECTED
ENCODED JAVASCRIPT /wp-admin/js/cat.js – INFECTION DECODED – Somewhat  
ENCODED JAVASCRIPT <ul><li>Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes). At...
ENCODED JAVASCRIPT <ul><li>Encoded JavaScript Resources: </li></ul><ul><li>http://www.schillmania.com/content/entries/2009...
CONDITIONAL REDIRECTS Impact:  When traffic is coming from a specific referrer (i.e. Google, Bing), the site is redirected...
CONDITIONAL REDIRECTS Infected .htaccess file:
CONDITIONAL REDIRECTS Result of conditional redirect:
CONDITIONAL REDIRECTS <ul><li>Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes)....
CONDITIONAL REDIRECTS <ul><li>Conditional Redirects Resources: </li></ul><ul><li>http://blog.sucuri.net/2011/11/the-new-an...
PHARMA HACK Impact:  Website page and post titles, descriptions and links are changed to display pharmaceutical ads and li...
PHARMA HACK Results of scanning rendered source.:
PHARMA HACK Google Search Engine Results:
PHARMA HACK <ul><li>Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes) </li></ul>...
PHARMA HACK <ul><li>Pharma Hack Resources: </li></ul><ul><li>http://blog.sucuri.net/2010/07/understanding-and-cleaning-the...
WHAT IS SECURITY? PROTECTING THINGS OF VALUE FROM HARM’S WAY.
HOW & WHY
AM I SECURE The percentage of risk can never be 0! The name of the game is minimizing risk.
 
LOCAL MACHINE <ul><li>Ensure your local machine stays updated </li></ul><ul><li>Use an Anti-Virus solution & enable auto-u...
CONNECT TO YOUR SITE <ul><li>Consider using sFTP or SSH instead of FTP. </li></ul><ul><li>If you’re stuck with FTP: </li><...
PASSWORDS <ul><li>Change them often </li></ul><ul><li>Don’t write them down, or share them </li></ul><ul><li>Passwords are...
WHO HOSTS YOU? <ul><li>CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST! </li></ul><ul><li>DO YOUR RESEACH! </li></ul><ul><li>Wh...
GARAGE CLEANING <ul><li>IF YOU’RE NOT USING IT, REMOVE IT! </li></ul><ul><li>UPDATE UPDATE UPDATE UPDATE UPDATE </li></ul>...
BACKUP YOUR WEBSITE <ul><li>NO BACKUPS = BOOOOO! </li></ul><ul><li>BackupBuddy -  http:// pluginbuddy.com/ backupbuddy / <...
MALWARE SCAN <ul><li>IS YOUR SITE INFECTED? </li></ul><ul><li>Unmask Parasites –  http://unmaskparasites.com </li></ul><ul...
MALWARE CLEAN UP <ul><li>IS YOUR SITE INFECTED? </li></ul><ul><li>VaultPress –  http://vaultpress.com </li></ul><ul><li>Su...
WORDPRESS PLUGINS <ul><li>WordPress Exploit Scanner </li></ul><ul><li>BulletProof Security </li></ul><ul><li>Login Lockdow...
 
Upcoming SlideShare
Loading in...5
×

Why My Website Sells Viagra

27,721

Published on

WordPress End-User Security - WordCamp Atlanta - Dre Armeda, CISSP

Published in: Technology
3 Comments
5 Likes
Statistics
Notes
No Downloads
Views
Total Views
27,721
On Slideshare
0
From Embeds
0
Number of Embeds
16
Actions
Shares
0
Downloads
42
Comments
3
Likes
5
Embeds 0
No embeds

No notes for slide
  • Why My Website Sells Viagra – Don’t Become A Pharmaceutical Marketplace
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • To edit the smart art: click on it the graphic, you will see a panel to the left where you can add or remove elements. If you do not see the panel open, click on the 2 arrows along the left border of the smart art (this will expand the panel). To change the image: Select the image then right click and select “Format Picture”. Select the “Fill” option, and select a file to replace the image.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • Click in the text boxes to edit their content.
  • To change the phone image: There are 2 grouped images, a transparent phone on top of an image. Select the phone, select the top image and (using your arrow keys) move it over to the left to show the bottom image. Then right click the bottom image and select “Format Picture”. Select the “Fill” option, and select a file to replace the image. Move the phone back into it’s original position.
  • Transcript of "Why My Website Sells Viagra"

    1. 2. DRE ARMEDA,CISSP @ DREMEDA <ul><li>CO-FOUNDER AT SUCURI SECURITY </li></ul><ul><li>ORGANIZER, WORDCAMP SAN DIEGO </li></ul><ul><li>12 YEAR NAVY VETERAN </li></ul><ul><li>1 ST WORDPRESS THEME IN 2005 </li></ul><ul><li>LOVES TACOS </li></ul><ul><li>DIEHARD CHARGERS FAN </li></ul><ul><li>RIDES A HARLEY </li></ul>SUCURI .NET DRE .IM
    2. 3.
    3. 4. THE WEB IS GROWING <ul><li>Over 2 Billion internet users today. 480% growth in the last 11 years. (Internet World Stats) </li></ul><ul><li>300 million websites were added to the internet in 2011 (Pingdom) </li></ul><ul><li>100,000+ domains gained weekly (Global Domain Registry) </li></ul>
    4. 5. INNOVATION & CREATIVITY
    5. 6.
    6. 7.
    7. 8.
    8. 9.
    9. 10. ITS NOT ALL PEACHY
    10. 11.
    11. 12. WHAT IS MALWARE? <ul><li>SEO spam, JavaScript & iFrame attacks, and malicious redirects are a couple web-based malware examples. </li></ul>Malware, short for malicious software, is a software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
    12. 14. ATTACKERS LOVE YOU <ul><li>Monitor your web browsing and internet usage </li></ul><ul><li>Forced advertising </li></ul><ul><li>Redirect affiliate marketing revenue </li></ul>
    13. 15. HOW BAD IS IT? <ul><li>Over 2 million new malware strings monthly (McAfee) </li></ul><ul><li>Cost to US consumers alone = over $2.3 billion in 2010. (Consumer Reports) </li></ul><ul><li>Google Safe Browsing issues over 3 million malware warnings a day. (Google) </li></ul>
    14. 16.
    15. 17. ENCODED JAVASCRIPT Impact: Website pages may be used to serve malicious downloads to visitors. Downloads may be used to infect desktop computers, and/or exploit FTP info. Typical Entry Point: Outdated, known vulnerable software; exploited desktop computers; exploited FTP credentials. JavaScript that is obfuscated(hidden) so that you can’t tell what it is. It is injected into files/pages on the site and used to serve malware.
    16. 18. ENCODED JAVASCRIPT /wp-admin/js/cat.js – CLEAN
    17. 19. ENCODED JAVASCRIPT /wp-admin/js/cat.js – INFECTED
    18. 20. ENCODED JAVASCRIPT /wp-admin/js/cat.js – INFECTION DECODED – Somewhat 
    19. 21. ENCODED JAVASCRIPT <ul><li>Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes). Attack stems from exploited desktop which steals FTP information. </li></ul><ul><li>Backdoor file inserted into the environment. This gives the attacker remote access into your world </li></ul><ul><li>Payload inserted into various Javascript files and/or encoded and hidden in theme, plugin files. </li></ul><ul><li>You’ve just enabled your visitors to load fake anti-virus and other cool downloads from your site  </li></ul>How it works:
    20. 22. ENCODED JAVASCRIPT <ul><li>Encoded JavaScript Resources: </li></ul><ul><li>http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation- analysis </li></ul><ul><li>http://www.slideshare.net/yusufmotiwala/reverse-engineering-malicious- javascript </li></ul><ul><li>http://www.infosecisland.com/videos-view/19101-Malware-Analysis-How-to-Decode-JavaScript- Obfuscation.html </li></ul>QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra
    21. 23. CONDITIONAL REDIRECTS Impact: When traffic is coming from a specific referrer (i.e. Google, Bing), the site is redirected to a malicious website. Typical Entry Point: Outdated, known vulnerable software. An attack the causes a website to redirect to a malicious website based on referrer, web browser, operating system.
    22. 24. CONDITIONAL REDIRECTS Infected .htaccess file:
    23. 25. CONDITIONAL REDIRECTS Result of conditional redirect:
    24. 26. CONDITIONAL REDIRECTS <ul><li>Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes). </li></ul><ul><li>Backdoor file inserted into the environment. This gives the attacker remote access into your world </li></ul><ul><li>.htaccess file entries are created to load redirected. Encoded redirect code can also be added to index files. </li></ul><ul><li>You’re now redirecting to some cool malware awesomeness. </li></ul>How it works:
    25. 27. CONDITIONAL REDIRECTS <ul><li>Conditional Redirects Resources: </li></ul><ul><li>http://blog.sucuri.net/2011/11/the-new-and-old-htaccess-attacks-now-using-in- domains.html </li></ul><ul><li>http ://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess- malware.html </li></ul><ul><li>http://sucuri.net/malware-update-timthumb-php-and-htaccess-redirection.html </li></ul>
    26. 28. PHARMA HACK Impact: Website page and post titles, descriptions and links are changed to display pharmaceutical ads and links back to malicious websites on search engine result pages. Typical Entry Point: Outdated, known vulnerable software. Pharma Hack is a type of SEO poisoning. Attackers manipulate their search engine results to make their links appear higher than legitimate results.
    27. 29. PHARMA HACK Results of scanning rendered source.:
    28. 30. PHARMA HACK Google Search Engine Results:
    29. 31. PHARMA HACK <ul><li>Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes) </li></ul><ul><li>Backdoor file inserted into the environment. This gives the attacker remote access into your world </li></ul><ul><li>Control file is inserted into core application or plugin files. This file acts as a connection from the backdoor to the database. </li></ul><ul><li>Payload is dropped into the database and Viva Viagra! </li></ul>How it works: QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra
    30. 32. PHARMA HACK <ul><li>Pharma Hack Resources: </li></ul><ul><li>http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on- wordpress.html </li></ul><ul><li>http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma- hack.html </li></ul><ul><li>http://www.pearsonified.com/2010/04/wordpress-pharma- hack.php </li></ul><ul><li>http://wpdude.com/refreshing-google-index-after-pharma- hack </li></ul>QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra
    31. 33.
    32. 34. WHAT IS SECURITY? PROTECTING THINGS OF VALUE FROM HARM’S WAY.
    33. 35. HOW & WHY
    34. 36. AM I SECURE The percentage of risk can never be 0! The name of the game is minimizing risk.
    35. 38. LOCAL MACHINE <ul><li>Ensure your local machine stays updated </li></ul><ul><li>Use an Anti-Virus solution & enable auto-updates </li></ul><ul><ul><li>Mac – Sophos Anti-Virus for Mac Home Edition </li></ul></ul><ul><ul><li>Windows - AVG Anti-Virus Free </li></ul></ul><ul><li>Don’t store server credentials on your local machine </li></ul>
    36. 39. CONNECT TO YOUR SITE <ul><li>Consider using sFTP or SSH instead of FTP. </li></ul><ul><li>If you’re stuck with FTP: </li></ul><ul><ul><ul><li>Deny anonymous login </li></ul></ul></ul><ul><ul><ul><li>Limit connections </li></ul></ul></ul><ul><li>Practice least privilege </li></ul><ul><li>Don’t store server credentials on your local machine </li></ul>
    37. 40. PASSWORDS <ul><li>Change them often </li></ul><ul><li>Don’t write them down, or share them </li></ul><ul><li>Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others. </li></ul><ul><li>Don’t use the same password across all your accounts </li></ul><ul><li>Use a password manager </li></ul><ul><ul><ul><li>KeePass Password Safe </li></ul></ul></ul><ul><ul><ul><li>LastPass </li></ul></ul></ul><ul><ul><ul><li>1Password </li></ul></ul></ul>
    38. 41. WHO HOSTS YOU? <ul><li>CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST! </li></ul><ul><li>DO YOUR RESEACH! </li></ul><ul><li>What software are they running? How often do they update? </li></ul><ul><li>How are server and support credentials stored & who has access? Are they 1 in the same? </li></ul><ul><li>What is their malware remediation process? </li></ul><ul><li>How many sites have been infected? </li></ul><ul><li>http://www.google.com/safebrowsing/diagnostic?site=google.com </li></ul>
    39. 42. GARAGE CLEANING <ul><li>IF YOU’RE NOT USING IT, REMOVE IT! </li></ul><ul><li>UPDATE UPDATE UPDATE UPDATE UPDATE </li></ul><ul><li>Only load what’s needed to get your job done. </li></ul><ul><li>Check your file and directory permissions. </li></ul><ul><li>Remove user accounts! – Practice least privilege. </li></ul><ul><li>Have you changed your password lately? </li></ul><ul><li>UPDATE UPDATE UPDATE UPDATE UPDATE </li></ul>
    40. 43.
    41. 44. BACKUP YOUR WEBSITE <ul><li>NO BACKUPS = BOOOOO! </li></ul><ul><li>BackupBuddy - http:// pluginbuddy.com/ backupbuddy / </li></ul><ul><li>VaultPress – http://vaultpress.com </li></ul>
    42. 45. MALWARE SCAN <ul><li>IS YOUR SITE INFECTED? </li></ul><ul><li>Unmask Parasites – http://unmaskparasites.com </li></ul><ul><li>Sucuri SiteCheck – http://sitecheck.sucuri.net </li></ul>
    43. 46. MALWARE CLEAN UP <ul><li>IS YOUR SITE INFECTED? </li></ul><ul><li>VaultPress – http://vaultpress.com </li></ul><ul><li>Sucuri Security – http://sucuri.net </li></ul>
    44. 47. WORDPRESS PLUGINS <ul><li>WordPress Exploit Scanner </li></ul><ul><li>BulletProof Security </li></ul><ul><li>Login Lockdown </li></ul><ul><li>Sucuri SiteCheck Malware Scanner </li></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×