WordCamp Orange County 2012 – End-User Security

Speaker notes
  • Good morning everyone… No no no… that’s just not going to do… I said GOOD MORNING FOLKS… Oh yeah, now that’s what I’m talking about… Let’s see if we can’t get the blood flowing up in this room… When I point to that side I want you to give me a WordPress, when I point to this side I want you to give me a Security… ready, here we go… you – WORDPRESS, you – Security, me – YUT, you – WordPress, you – Security, me – YUT… OUTSTANDING – little Mexican dance… nice to see you guys as excited as me… Oh and if you get tired, please realize I can see all your eyeballs… That includes the whites… that’s right… I’m watching you…
  • So as you might or might not know, my name is Tony Perez – I go by @perezbox. I’m a Colombian / Cuban with a bad attitude living in a world of Mexicans. I spent the better part of a year and a half doing two combat tours in Iraq in 2002 – 2003 and 2004 – 2005… I now work for a little company focusing on web security, specializing in integrity monitoring and remediation – you might have heard of us – Sucuri Security. I’m a gun carrying, Harley riding junior martial artist… And finally my life has been engulfed by a little thing called web-malware.
  • Well obviously we are going to talk about some good ole web security… not exciting, but it’s a necessary evil. It’s important to understand though that it’s but one small slice of the information security pie and it’d be impractical to think we can cover it in 50 minutes… but hopefully I’m able to give you a much better understanding of the concept and empower you with knowledge. We’ll take a quick peek at some numbers that I am personally intrigued by, as they help put things into perspective around the web and web malware and specifically their relationship to WordPress. Then, before we get into hardening tips and real tangible take-aways, I want to provide a better understanding of the threat landscape and how and where you fit in that. How’s that sound? Do we need to stretch? Sing?
  • As we talk about Web Security I want us to keep in mind these three areas of interest – Access, Containment, and Knowledge. These will be the three areas of discussion during the next 40 minutes.
  • These are some astronomical numbers… In 2011 there were 300 million websites that came online… In December of 2011 there were a total of 555 million websites running… holy smokes… In one year we had 300 million websites come online… I just want that to sink in; before that we were at about 200 million… Over 10.8 BILLION indexed pages… That’s just an astronomical number to wrap your head around… So how does WordPress fit into the mold…
  • So as it stands, of all the websites out there… it’s estimated that WordPress owns about 16% of the market – that’s blogs, CMSs, etc… so that is 16% of approximately 555 million websites… In the US alone 22 out of every 100 websites are WordPress powered… Here is an interesting fact… In the CMS domain, WP is dominating the space with something close to 54% market share… Wow… Impressive I must admit.
  • In 2011, according to Symantec, they captured about 403 million unique malware variants… Now to caveat, that is malware across desktops, mobile devices, web etc… Still an astronomical number. This was a 140% growth over 2010. In 2011, approximately 55,294 malicious domains were detected… That’s a 130% growth from 2010, and as for web-based attacks, there was an 81% increase. Previous: 286 million – variants in 2010; 42,926 – malicious web domains in 2010.
  • So what does this mean… Easy… The web is a very, very large place and the platform we all love and use is quickly gaining market share at an astronomical rate. More important to our discussion is the growth of web-malware and how important it is that it’s not an afterthought, but part of your administration and / or project lifecycles if you’re managing a WordPress instance and / or developing it for a client. It is a problem we must all share responsibility in.
  • That being said… Let’s get into some Web Security, folks…
  • You might remember this slide from the beginning… As we walk through the next few slides I want you to think about these three domains… Specifically on CONTROLLING and AUTHENTICATING ACCESS; while we all wish that an infection will never affect us, plan and ensure that you reduce your threat profile and minimize the total impact. Lastly, allow yourself to learn such that you are able to put a plan in place to both prevent and remediate; being prepared is the key and you will accomplish this through knowledge.
  • So malware – by definition designed to disrupt the function of the system… whatever it may be, your mobile device, notebook or website… In 2011 however, the concept of malnets – or malware networks – began to make a real impact on the web malware domain. Most of you will know and recognize malnets as BOTS… These are highly complex networks designed to scale according to their needs and last well beyond any one attack… If you look closely at the image, what you’re actually seeing is the top 5 malnets being tracked by BlueCoat and how they scale over time… often dependent on what activities are being planned or executed… The network will shrink, waiting for a reason to grow… And as an event arises – say the death of a superstar, an election, a holiday, something that warrants an action – it will grow to impact as many people as possible… This is what a BOT is…
  • Social Engineering – the art of manipulating users to divulge credentials and other sensitive information. XSS – allows you to inject client-side scripts into the web pages. XSRF – session is hijacked and unauthorized commands are executed under an authenticated user.
  • Every day, at least twice a day, I get a client ask… “Please make this go away for good…” and I find myself going into a discussion of the threat landscape… I swear, I literally feel their eyes rolling into the back of their heads on the phone… So I decided to include this slide because it illustrates best what makes up the threat landscape… Is it all encompassing? Absolutely not… But does it work to bring home the point? Absolutely… The risk can never be 0 and this is why… Too many variables to account for.
  • White Hats – those that work at companies like mine, or the Symantecs, Trends, Nortons of the world… Ethical / Grey Hats – obviously between the whites and blacks… Not usually out to intentionally harm, often find vulnerabilities and disclose… sometimes more appropriately than others… Script Kiddies – kind of a derogatory term in the community for the newbies that know enough to be dangerous. As the name implies, they often employ existing scripts used to exploit known vulnerabilities. Hacktivists – by far one of the fastest growing types of attackers – driven by politics, culture, religion – you wake up one day and you’re flying the Syrian flag or pleading for the release of Libyan fighters… Black Hats – known as crackers – these are the guys intent on taking something good and turning it into something bad – highly intelligent, technically sound.
  • Gah… If I had a nickel for every time someone asked us this… What I can say is it’s not the days of version 1.5; as the product has matured so have the controls that help ensure that at every release a safe product is being released. While not perfect, there is a great team within the core contributors designed to quickly address issues and push patches once identified. So then why do we see so many WordPress sites infected? Well, I think the answer comes down to two things – extensibility and ease of use. It is to the point where the application is so easy to use that almost anyone is able to install, operate and manage an instance. The same applies to the extensibility: by its nature it’s an extensible platform, which is great, but it’s also its most vulnerable point and often where we see attack vectors introduced. Lastly, the darn thing is popular, folks, for the reasons I mentioned before… Remember the stats? That popularity brings about a target… I would say that in 80% of the attacks we see, it’s the road of least resistance that has allowed your WordPress instance to be compromised.
  • Don’t worry, I won’t bore you with the specifics of these, but I wanted to quickly show off some of the more recent issues in the past 6 months… just to show how valid an issue this is… And yes… TimThumb is still very much a problem today…
  • You are the webmaster of today! Recognize it, embrace it. Your local environment is as important as your web server. When was the last time you ran a local anti-virus? Did you know that most anti-virus only catch 70 – 80% of infections? Run multiple.
  • Move wp-config.php out of the web directory – up a directory. Be wary of plugins that hardcode the location. Available since 2.6.
  • Caution: 600 could break some things. FTP user and PHP user are not going to be the same – ideal setups. IDEALLY one is the owner of the file and the other is in the group; 660 is ok. The lowest permission that works!!
  • Caution: this would block wp-signup.php – the WP Multisite file.
  • Transcript

    • 1. WordPress Security – Knowledge is Power
    • 2. Who Am I: Hi, my name is Tony Perez | @perezbox. Marine Corps – War Vet. Sucuri Security. Objectivity and rationalism. Gun carrying, Harley riding, Martial Artist. Web-malware is my life. @sucuri_security @perezbox #wcoc 2 6/2/2012
    • 3. What are we going to talk about? Web Security: look at some statistics; provide an understanding of web malware; understand the threat scape a bit; look at some of the recent trends; give some hardening tips; get into the recommendations.
    • 4. Thinking about Web Security: Access, Containment, Knowledge.
    • 5. The Stats
    • 6. Web Numbers: > 700 Million websites – as of May 2012 – Netcraft; 300 Million – number of websites in 2011 – Pingdom; 10.82 Billion – number of indexed pages – WorldWebSize; 2.1 Billion – number of internet users worldwide. Pingdom projected: 1 Billion – 2013; 2 Billion – 2015.
    • 7. WordPress Numbers: 73 Million+ – number of WP powered sites; 16% – of all websites run WordPress; 22 – out of every 100 new domains in the U.S.; 54% – CMS market share; 62% – market share of top 1,000,000 sites; 53% – market share of top 100,000 sites; 55% – market share of top 10,000 sites. Projection: 300 – 500 Million – 2015.
    • 8. Web Malware Numbers: 403 Million – unique variants of malware 2011; 140% growth – 2010 – 2011 in unique variants; 55,294 – malicious web domains in 2011; 130% growth – 2010 – 2011 in malicious domains; 81% – increase in malicious web-based attacks between 2010 / 2011; 42 Billion – global SPAM per day 2011 (Source: Symantec Internet Security Threat Report, Vol 17).
    • 9. Gah… NO MORE NUMBERS. The web is growing at an unprecedented pace. WordPress growth – astronomical and gaining. Web-based malware is not far behind. To have a virtual presence you must consider the security of your website.
    • 10. Web Security
    • 11. Thinking about Web Security: Access – control, authentication; Containment – reduce threat, minimize impact; Knowledge – have a plan, be prepared.
    • 12. Web-based Malware: Malware – short for malicious software. This software is designed to disrupt operation of an information system (i.e., local machine, server, mobile device, etc.). In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack. – BlueCoat 2012 Web Security Report
    • 13. Types of Malware: Obfuscated JavaScript; Stupid, Pointless, Annoying Messages (SPAM); Hidden & Malicious iFrames; Defacement; Embedded Trojans; Anomalies; Phishing Attempts; IP Cloaking; Malicious Redirects; Drive-by Downloads; Backdoors (e.g., C99, R57, Webshells).
    • 14. Attack Vectors: User Issues – Out-of-Date Software, Social Engineering, Compromised Credentials. Software Issues – SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF), Remote Execution.
    • 15. Most Common Distributions: Social Engineering – trick you into installing malware, compromising credentials (websites, email, Twitter). Drive-by-Downloads – install malware after exploiting a vulnerability – big issue for us in the WP community; iFrame (52.6%) and JS injections (26.5%). Malicious redirects – redirect user to another site, often distributing malware.
    • 16. Threat Landscape (diagram): End User; Local Environment; Application; Web Server; Administration; Network; Environmental.
    • 17. The Attacker – Types: White-Hat; Ethical / Grey Hat; Script Kiddie; Hacktivist; Cracker / Black Hat. Culture: has code of ethics, heroes and villains and competing gangs; knowledge is power; most believe information and computer access should be freely shared; major motivation among hackers is status; financial gain is a strong motivation with crackers – Robin Hood mindset – ok to steal.
    • 18. But I only write about lazy lizards!!!! Opportunistic attacks; road of least resistance; political agenda / further cause; mass exposure. In short – it doesn’t matter what you write about, you have a virtual presence.
    • 19. Is WordPress insecure? Out of the box, core is well built and secure. It’s no longer the days of 1.5. Security team is in place to quickly address and patch issues. Extensibility – both its strength and weakness. With popularity comes a target… think Windows for local environments. Easy target because of its exposure, attackers focusing on the platform. Road of least resistance.
    • 20. Recent Vulnerabilities and Infections – Vulnerabilities: PHP-CGI Vulnerability – Patched; WooThemes Vulnerability – Patched; TimThumb Vulnerability – Patched. Campaigns: Nikjju Mass Injection Malware Campaign; GetMama Conditional Malware Campaign; .RR.NU Malware Campaign; Sweepstake Malware Campaign.
    • 21. Top reasons why we see these infections: Poor credential management; Poor system administration; Soup Kitchen servers; Out of date software; Lack of web knowledge; Use of self-proclaimed “experts”; Cutting corners.
    • 22. So what can you do? Glad you asked.
    • 23. Reduce Threat Risk: Update; Credentials; Communicate Securely; Themes / Plugins; Harden Your Install; Don’t forget your local environment; Knowledge – Resources.
    • 24. Update, Update, Update: Leading cause of infections. If your theme is so coupled with core it can’t be updated, consider purchasing a new one. PHP, Core, Themes, Plugins, JavaScript…
    • 25. Credentials (user / password) – Basics: Avoid using ‘Admin’ & ‘Administrator’. Use strong passwords – upper / lower, symbols, numbers, longer than 18 characters, passphrases. Use a password manager – LastPass (free – online / mobile access), 1Password. In short: no dates, no names, no pets, no places; A = @, E = 3, S = $, O = 0 – they know this. Take-aways: complex, unique password; online generator: http://www.onlinepasswordgen; use one time – password manager.
    • 26. Data Dictionary / Defacement
    • 27. Communicate Securely – Communication mechanisms: File Transfer Protocol (FTP); Secure File Transfer Protocol (SFTP); Secure Shell (SSH). Tools: Filezilla, Coda, NCFTP. SFTP / SSH – best approach. Google: How to create SFTP account on [Host Name]; Google: How to enable SSH on [Host Name].
    • 28. Safe Themes / Plugins: WordPress Repository is a good place to start – 19.6k+ available plugins, 1.5k+ available themes. Look for good descriptions of the theme or plugin. Look to see versions and updates – an active change log is always good. Theme-check & Plugin-check are good tools to check potential issues. Free Theme? wordpress-themes-in-google-or-anywhere-else/
    • 29. Plugins To Avoid: Fake Advanced Search Plugin – SPAM, SEO poisoning – Bad (plugin.html); Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0) – Upload / Server control – Very Bad (pwwangs-code-for-wordpress-version-1-0-0.html); Absolute Privacy Plugin – Known vulnerability; ToolsPack Plugin – Dangerous backdoor – full access – Very Bad.
    • 30. What websites are dangerous?
    • 31. Hardening – Getting ’er done!
    • 32. HTACCESS is your Friend: Configuration file for web servers using Apache. Features: Error Documents; Redirects; Password Protection; Deny visitors by IP; Hot link prevention; Access prevention; More? Apply these changes at your own peril – you run the risk of blowing up your site.
    • 33. Protect HTACCESS: Permission <= 640.
        # PROTECT HTACCESS
        <Files .htaccess>
            Order Allow,Deny
            Deny from all
        </Files>
    • 34. Protect WP-Config: .htaccess, permissions <= 640.
        # PROTECT WP-CONFIG
        <Files wp-config.php>
            Order Allow,Deny
            Deny from all
        </Files>
    • 35. Authentication Keys: wp-config.php. Encrypts information stored in user’s cookies. Resource:
    • 36. Database Prefix: Default is “wp_”; wp-config.php.
    • 37. Admin User: Created by “default” <= 3.0. In higher versions you can define your own administrator. Create new user, apply “administrator” role. Be mindful of any posts created by “admin” user. Delete “admin” user.
    • 38. Disable Directory Listing: Nobody should know the color of your skivvies. Default in most hosts, not always.
        # PREVENT DIRECTORY LISTINGS
        Options -Indexes
    • 39. Disable Plugin / Theme Editor: wp-config.php file. Remove the ability to modify your files via your wp-admin panel – force use of SFTP / SSH and your local IDE.
        # Disable Plugin / Theme Editor
        define('DISALLOW_FILE_EDIT', true);
    • 40. Permissions: Directories 755; Files 644.
        find [path to install] -type d -exec chmod 755 {} \;
        find [path to install] -type f -exec chmod 644 {} \;
      Important Files: .htaccess = 644; wp-config.php = 600; php.ini = 600; php.cgi = 711; php5.cgi = 100. Reading:
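As an added example that is not part of the deck, a Python audit of the permission scheme on slide 40: it reports every file or directory carrying a bit the scheme does not grant (tighter is fine, "the lowest permission that works") and can apply the fix. The `group_write_ok` switch tolerates the 660 setup from the speaker notes (FTP user owns the file, PHP user is in its group); the miniature install it checks is constructed in a temp directory.

```python
import os
import stat
import tempfile

# Modes from the "Permissions" slide; anything not listed defaults to
# 755 for directories and 644 for files.
SPECIAL_FILE_MODES = {
    ".htaccess": 0o644,
    "wp-config.php": 0o600,
    "php.ini": 0o600,
    "php.cgi": 0o711,
    "php5.cgi": 0o100,
}


def expected_mode(path, is_dir):
    if is_dir:
        return 0o755
    return SPECIAL_FILE_MODES.get(os.path.basename(path), 0o644)


def audit_permissions(root, group_write_ok=False):
    """Return (relative_path, actual_mode, expected_mode) for every entry that
    carries a permission bit the scheme does not grant. Only extra bits are
    reported; a file that is tighter than the scheme is left alone.
    group_write_ok=True tolerates g+w on files (the 660 setup from the notes)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode is meaningless; audit its target separately
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            allowed = want | (stat.S_IWGRP if group_write_ok and not is_dir else 0)
            if actual & ~allowed:
                findings.append((os.path.relpath(path, root), actual, want))
    return findings


def harden_permissions(root, apply=False):
    """List the paths the audit reports and, with apply=True, chmod them to the scheme."""
    fixed = []
    for rel, _actual, want in audit_permissions(root):
        if apply:
            os.chmod(os.path.join(root, rel), want)
        fixed.append(rel)
    return fixed


def build_sample_install():
    """Constructed miniature install in a fresh temp dir, with deliberately loose modes."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)   # world-writable: flagged
    for rel, mode in [("index.php", 0o644), (".htaccess", 0o644),
                      ("wp-config.php", 0o644),                      # should be 600: flagged
                      ("wp-content/index.php", 0o664),               # g+w: flagged unless group_write_ok
                      ("wp-content/uploads/a.php", 0o666)]:          # world-writable: flagged
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_install()
    for rel, actual, want in audit_permissions(root):
        print(f"{rel}: {actual:o} -> {want:o}")
    harden_permissions(root, apply=True)
    print("remaining findings:", audit_permissions(root))
```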
    • 41. Protect WP-Admin: If you have a dynamic IP this might be problematic. Consider HTTPS (heavy / complicated) or Basic Authentication (effective / simple).
        # SECURE Access to WP-ADMIN
        <FilesMatch ".*">
            Order Deny,Allow
            Deny from all
            Allow from [IP Address]
        </FilesMatch>
    • 42. Harden WP-Includes: Create .htaccess in wp-includes directory.
        # PROTECT WP-INCLUDES
        <FilesMatch "\.php$">
            Order Allow,Deny
            Deny from all
        </FilesMatch>
    • 43. Harden WP-Content: Create .htaccess in wp-content directory. Most vulnerable, contains Uploads directory, often the attack vector. It can be moved, but if you’re an end-user don’t touch – hire a pro – lots of dependencies.
        # PROTECT WP-CONTENT
        <FilesMatch "\.php$">
            Order Allow,Deny
            Deny from all
        </FilesMatch>
    • 44. Limit Upload: Most shells < 1 MB. Good idea anyway.
        # limit file upload to 10mb
        LimitRequestBody 10240000
    • 45. Protect Against Bots: Malnets are a growing problem, proactively protect against them using a Web Application Firewall. Perishable Press – 5G Blacklist 2012 (/5g-blacklist-2012/).
    • 46. 5G WordPress Add-On: Don’t want to add all that other stuff? No problem, try this condensed version for WordPress. Doesn’t require the 5G Blacklist and helps protect against bad URL requests – i.e., helps take the load off your server from these very annoying requests. Source: Careful – wp-signup required for MultiSite.
    • 47. Secure Login Page: There are a number of plugins you can use for this, or you can turn to your .htaccess again. Might be an issue if your IP is not static.
        <Files wp-login.php>
            Order Deny,Allow
            Deny from all
            Allow from [Your IP]
        </Files>
    • 48. Protect against XSS: Deny bad query strings – in short, don’t become a victim to cross-site scripting.
        # QUERY STRING EXPLOITS
        <IfModule mod_rewrite.c>
            RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
            RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
            RewriteCond %{QUERY_STRING} tag= [NC,OR]
            RewriteCond %{QUERY_STRING} ftp: [NC,OR]
            RewriteCond %{QUERY_STRING} http: [NC,OR]
            RewriteCond %{QUERY_STRING} https: [NC,OR]
            RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
            RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|"|;|\?|\*).* [NC,OR]
            RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
            RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
            RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
            RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
            RewriteRule ^(.*)$ - [F,L]
        </IfModule>
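An added example, not part of the deck: the twelve RewriteCond patterns of slide 48 re-expressed as Python regexes so you can see which query strings the rule set forbids before deploying it. mod_rewrite tests `%{QUERY_STRING}` before URL-decoding, every line carries `[NC]` (case-insensitive), and the `[OR]` chain means any single match is enough; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# The RewriteCond patterns from the "QUERY STRING EXPLOITS" block, written as
# Python regexes. Apache's ^.*(...).* wrapper is just an unanchored search.
QUERY_STRING_RULES = [
    r"\.\./",
    r"boot\.ini",
    r"tag=",
    r"ftp:",
    r"http:",
    r"https:",
    r"mosConfig",
    r"[\[\]()<>\";?*]",                 # literal [ ] ( ) < > " ; ? *
    r"%22|%27|%3C|%3E|%5C|%7B|%7C",     # URL-encoded " ' < > \ { |
    r"%0|%A|%B|%C|%D|%E|%F|127\.0",     # any %0x or %Ax..%Fx escape, or 127.0
    r"globals|encode|config|localhost|loopback",
    r"request|select|insert|union|declare|drop",
]
# [NC] on every line: case-insensitive.
_COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_RULES]


def matching_rules(query_string):
    """Return the patterns that fire for a raw, still URL-encoded query string.
    mod_rewrite tests %{QUERY_STRING} before any decoding, so no unquoting here."""
    return [p for p, rx in zip(QUERY_STRING_RULES, _COMPILED) if rx.search(query_string)]


def would_block(url):
    """True if the [OR]-chained conditions would send this URL to the [F] rule."""
    return bool(matching_rules(urlsplit(url).query))


# Constructed requests: plain page loads, a tag archive, ordinary searches,
# a UTF-8 search term, and one search with an encoded angle bracket.
SAMPLE_URLS = [
    "/?p=42",
    "/?s=wordpress+security",
    "/?tag=security",
    "/?s=select+a+book",
    "/?s=How+to+configure+Apache",
    "/?s=caf%C3%A9",
    "/?s=%3Cb%3Ebold",
]


def report(urls=SAMPLE_URLS):
    """Map each URL to the rule patterns that would block it ([] = allowed)."""
    return {u: matching_rules(urlsplit(u).query) for u in urls}


if __name__ == "__main__":
    for url, hits in report().items():
        print(f"{url:32} {'BLOCKED by ' + ', '.join(hits) if hits else 'allowed'}")
```

Five of the seven constructed requests are forbidden, and only the last one is the kind of input the slide is aiming at: `tag=` blocks WordPress's own tag archives when pretty permalinks are off, `select` and `config` block ordinary searches, and the `%C` alternative blocks every UTF-8 multibyte character, which is exactly the "blowing up your site" risk slide 32 warns about.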
    • 49. SPAM Comments: SPAM in your comments can get you blacklisted just as fast as injections on your pages. Disable comments on pages if you don’t want them. Set comments to close after a certain amount of time: Settings > Discussion > Other Comment Settings > Automatically close comments on articles older than XX days. Use Akismet.
    • 50. Cross-Site Contamination: Most of the things provided so far help you against external attacks. Internal attacks are as prevalent. Growing problem – “Soup Kitchen” servers: Development, Staging, Testing, Production – 1 environment. cross-contamination.html contamination-blackhat-seo-spam-malware.html
    • 51. Security Plugins: Sucuri Clients – Sucuri Security – free to clients: Web Application Firewall, Integrity Monitoring, Auditing, Hardening. More: Not a client? No problem, other good options include – Login Lock, WordPress File Monitor, WordPress Firewall 2, BulletProof Security.
    • 52. Still have a malware problem?
    • 53. Two Approaches – Do it Yourself: Forums are your friend; Requires time and patience; Leverage free tools; Know when you’re in over your head; Can take time – hours, days, weeks, months. Hire a Professional: Will cost money; Alleviates the stress; Gets you up and running in hours, if not days.
    • 54. Support Forums – Hacked: Malware:
    • 55. Things to Know when Engaging Professionals: Know who your host is and how to contact them in the event of an emergency. Know how to access your server – FTP, SFTP, SSH, FTPS. Have a backup accessible. Tips: know-when-engaging-a-web-malware-company.html
    • 56. Tips & Tricks: After all this you might still become infected, and if you do here are a few tips to keep you going: 1. Immediately change all credentials – wp-admin, database, cPanel. 2. Log into your database and check all the users. 3. Replace WP manually – avoid the default updater. 4. Defacements – look at your index files (watch out for “.html” and “index2.php”). 5. Use a live scanner: 6. Use the terminal to GREP and FIND issues reported. 7. Restore site from clean backup. 8. Purge your cache. 9. Disable plugins, validate each plugin. 10. Engage a professional.
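For tip 6 ("GREP and FIND issues reported"), an added Python triage scanner that is not part of the deck: it looks for the indicator types from slide 13 (eval of decoded strings, hidden iframes, long escape runs, known shell names) and flags PHP under wp-content/uploads, the attack vector slide 43 names. The sample files are constructed in memory; on a real install you would read them from disk, and every hit is a place to look, not a verdict.

```python
import re

# Triage signatures for the malware types on the "Types of Malware" slide.
# Deliberately narrow: a hit means "look here", not "infected".
CONTENT_INDICATORS = [
    ("obfuscated PHP (eval of a decoded string)",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("hidden iframe",
     re.compile(r"<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
                r"\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"'\s/>])", re.I)),
    ("obfuscated JavaScript (long escape run)",
     re.compile(r"(?:\\x[0-9a-f]{2}){8,}|(?:\\u[0-9a-f]{4}){8,}|(?:%[0-9a-f]{2}){12,}", re.I)),
    ("known web shell name",
     re.compile(r"\b(?:c99|r57)(?:shell)?\b", re.I)),
]
# Executable code where only media belongs (slide 43: uploads is "often the attack vector").
UPLOADS_PHP = re.compile(r"(?:^|/)wp-content/uploads/.*\.php\d?$", re.I)


def scan_text(path, text):
    """Return (path, line_number, label) for every indicator in one file; line 0 = path-based."""
    hits = []
    if UPLOADS_PHP.search(path):
        hits.append((path, 0, "PHP file inside wp-content/uploads"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in CONTENT_INDICATORS:
            if rx.search(line):
                hits.append((path, lineno, label))
    return hits


def scan_files(files):
    """files maps relative path -> contents (an in-memory sample here; on a real
    install, walk the document root and read each file)."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


# Constructed sample install: one clean core file, one clean plugin, one theme
# footer with an injected hidden iframe, one obfuscated PHP file under uploads.
SAMPLE_FILES = {
    "index.php": "<?php\n// Front to the WordPress application.\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-content/plugins/hello.php": "<?php\n// Plain plugin file, nothing to flag.\n",
    "wp-content/themes/example/footer.php":
        "<?php wp_footer(); ?>\n"
        '<iframe src="http://malware.invalid/" style="display:none" width="0" height="0"></iframe>\n'
        "</body></html>\n",
    "wp-content/uploads/2012/06/image.php":
        "<?php eval(base64_decode('Y29uc3RydWN0ZWQgc2FtcGxl')); ?>\n",   # decodes to 'constructed sample'
}

if __name__ == "__main__":
    for path, lineno, label in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {label}")
```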
    • 57. Online Resources
    • 58. FREE Real Time Virus Scanners – Sucuri SiteCheck: Unmask Parasites:
    • 59. Blacklisting Authorities: Google – Chrome, FireFox, Search Engine Results Page (SERP) [your site]; Bing – Internet Explorer; Norton – Facebook; AVG – Opera.
    • 60. Useful Plugins – Know what you’re using: Theme-Check (Authors: Pross, Otto42); Plugin-Check (Author: Pross). Protect against comment SPAM: Akismet (Authors: Matt, Ryan, Andy, mdawaffe) – still offers free service. Backups are your friend: (Author: iThemes).
    • 61. Online Reading: security-webinar-with-dre-armeda.html; hacker-and-ensure-your-site-is-locked.html; know-when-engaging-a-web-malware-company.html
    • 62. Online Tools
    • 63. Tony Perez – Company: Sucuri Security. Company site: Company blog: Personal blog: Twitter: Linkedin: Email: