Good morning everyone.. No no no.. That’s just not going to do.. I said GOOD MORNING FOLKS…Oh yeah, now that’s what I’m talking about… Let’s see if we can’t get the blood flowing up in this room.. When I point to that side I want you to give me a WordPress, when I point to this side I want you to give me a Security… ready here we go… you – WORDPRESS, you – Security, me – YUT, you – WordPress, you – Security, me – YUTOUTSTANDING – little mexican dance… nice to see you guys as excited as me..Oh and if you get tired, please realize I can see all your eye balls.. That includes the white… that’s right… I’m watching you…
So as you might or might know, my name is Tony Perez – go by @perezboxI’m a Columbian / Cuban with a bad attitude living in a world of Mexicans. I spent a better part of a year and a half doing to combat tours in Iraq in 2002 – 2003 and 2004 – 2005… I now work for a little company focusing on web security, specializing in integrity monitoring and remediation – might have heard of us – Sucuri SecurityI’m a Gun carrying, Harley riding junior martial artist… And finally my life has been engulfed by a little thing called web-malware
Well obviously we are going to talk about some good ole web security…not exciting, but it’s a necessary evil. Its important to understand though that its but one small slice of the information security pie and it’d be impractical to think we can cover it in 50 minute… but hopefully I’m able to give you a much better understanding of the concept and empower you with knowledgeWe’ll take a quick peak at some numbers that I am personally intrigued by as it helps put things into perspective around the web and web malware and specifically their relationship to WordPressThen before we get into hardening tips and real tangible take-aways I want to provide a better understanding of the threat landscape and how and where you fit in that. How’s that sound? Do we need to stretch? Sing?
As we talk about Web Security I want us to keep in mind these three area of interest – Access, Containment, and Knowledge.. These will be the three areas of discussion during the next 40 minutes.
These are some astronomical numbers.. In 2011 there were 300 million websites that came online.. In December of 2011 there were total of 555 million websites running… holy smokes.. In one year we had 300 million websites come online.. I just want that to sink in, before that we were at about 200 million..Over 10.8 BILLION indexed pages.. That’s just an astronomical number to wrap your head around… So how does WordPress fit into the mold…
So as it stands of all the websites out there… its estimated that WordPress owns about 16% of the market – that’s blogs, CMS’s.. Etc… so that is 16% of approximately 555 Million websites..In the US alone 22 out of every 100 websites are WordPress powered.. Here is an interesting fact.. In the CMS domain, WP is dominating the space with something close to 54% market share.. Wow.. Impressive I must admit
In 2011, according to Symantec, they captured about 403 million unique malware variants.. Now to caveat that is malware across desktops, mobile devices, web etc.. Still an astronomical number. This was a 140% growth over 2010In 2011, approximately 55, 294 malicious domains were detected.. That’s a 130% growth from 2010 andAs for web-based atacks, there was an 81% increase__________________________Previous:286 Million – Variants in 201042,926 – malicious web domains in 2010
So what does this mean.. Easy..The web is a very large large place and the platform we all love and use is quickly gaining market share at a very astronomical rate. More important to our discussion is the growth of web-malware and how important it is that its not an after thought, but part of your administration and / or project lifecycles if you’re managing a WordPress instance and / or developing it for a client. It is a problem we must all share responsibility in.
That being said.. Let’s get into some Web Security folks…
You might remember this slide from the beginning.. As we walk through the next few slides I want you to think about these three domains.. Specifically on CONTROLLING and AUTHENTICATING ACCESS, while we all wish that an infection will never affect us, plan and ensure that you reduce your threat profile and minimize the total impact. Lastly, allow yourself to learn such that you are able to put a plan in place to both prevent and remediate, being preapared is the key and you will accomplish this through knowledge.
So malware – by definition designed to disrupt the function of the system… whatever it may be, your mobile device, notebook or website.. In 2011 however, the concept of malnets – or malware networks – began to make a real impact on the web malware domain. Most of you will know and recognize malnets as BOTS.. These are highly complex networks designed to scale according to their needs and last well beyond any one attack… If you look closely at the image hat you’re actually seeing is the top 5 malnets being tracked by BlueCoat and how they scale over time.. Often dependent on what activities are being planned or executed…The network will shrink waiting for a reason to grow.. And as an event arises – say a death of a super start, an election, a holiday, something that warrants an action – it will grow to impact as many people as possible.. This is what a BOT is…
Social Engineering – the art of manipulating users to divulge credentials and other sensitive informationXSS – allows you to inject client-side scripts into the web pagesXSRF – Sesion is hijacked and unathorized commands are executed under an authenticated user
Everyday at least twice a day I get a client ask… Please make this go away for good… and I find myself going into a discussion of the threat landscape… I swear, I literally feel their eyes rolling into the back of their heads on the phone…So I decided to include this slid because it illustrates best what makes up the threat landscape..Is it all encompassing? Absolutely not.. But does it work to bring home the point? Absolutely… The risk can never be 0 and this is why.. Too many variables to account for.
White-Hat’s – those that work at companies like mine, or the Symantecs, Trend’s, Norton’s of the world…Ethical / Grey Hat’s – Obviously between the white’s and black’s.. Not usually out to intentionally harm, often find vulnerabilities and disclose.. Sometimes more appropriately than others.. Script Kiddie’s – kind of a derogatory term in the community for the newbie’s that know enough to be dangerous. As the name implies, they often employ existing scripts used to exploit known vulnerabilitiesHacktivist – by far one of the fastest growing types of attackers – driven by politics, culture, religion – you wake up one day and you’re flying the Syrian flag or pleading for the release of Libyan fighters..Black hat’s – known as crackers – these are the guys intent on taking something good and turning it into some thing bad – highly intelligent, technically sound
Gah.. If I had anickle for every time someone asked us this…What I can say is its not the day of version 1.5, as the product has matured so have the controls that help ensure that at every release a safe product is being released. While not perfect, there is a great team within the core contributors designed to quickly address issues and push patches once identified. So then why do we see so many WordPress sites infected? Well, I think the answer comes down to two things – extensibility and ease of use. It is to the point where the application is so easy to use that almost anyone is able to install, operate and manage an instance. The same applies to the extensibility, by its nature it’s an extensible platform, which is great, but its also its most vulnerable point and often where we see attack vectors introduced. Lastly, the darn thing is popular folks for the reasons I mentioned before… Remember the stats? That popularity brings about a target… I would say that in 80% of the attacks we see, it’s the road of least resistance that has allowed your WordPress instance to be compromised.
Don’t worry, I won’t bore you with the specifics of these but I wanted to quickly show of some of the more recent issues in the past 6 months.. Just to show have valid of an issue this is.. And yes.. TimThumb is still very much a problem today…
You are the webmaster of today! Recognize it, embrace it.Your local environment is as important as your web server. When was the last time you ran a local anti-virus?Did you know that most anti-virus only catch 70 – 80% of infection? Run multiple.
Move out of web directoryUp a directoryBe weary of plugins that hardcode the locationAvailable since 2.6
Caution 600 could break some thingsFTP user and PHP user are not going to be the same – ideal setupsIDEALLY one is the owner of the file and others in the group660 is okThe Lowest Permission that Works!!
Caution this would block wp-signup.php – WP Multisite file
WordPress SecurityKnowledge is Power
Who Am I Hi, my name is Tony Perez | @perezbox Marine Corps – War Vet Sucuri Security Objectivity and rationalism Gun carrying, Harley riding, Martial Artist . Web-malware is my life@sucuri_security @perezbox #wcoc 2 6/2/2012
What are we going to talk about? Web Security Look at some statistics… Provide an understanding of web malware Understand the threat scape a bit… Look at some of the recent trends… Give some hardening tips Get into the recommendations…@sucuri_security @perezbox #wcoc 3 6/2/2012
Thinking about Web Security Web Security Access Containment Knowledge@sucuri_security @perezbox #wcoc 4 6/2/2012
Web Numbers > 700 Million websites – As of May 2012– Netcraft 300 Million – Number of websites in 2011 – Pingdom 10.82 Billion – Number of indexed pages – WorldWebSize 2.1 Billion – Number of internet users worldwide Pingdom Projected that: 1 Billion – 2013 2 Billion - 2015@sucuri_security @perezbox #wcoc 6 6/2/2012
WordPress Numbers 73 Million + – Number of WP powered sites 16% - Of all Websites run WordPress 22 – Out of every 100 new domains in the U.S. 54% - CMS marketshare 62% - Market share of top 1,000,000 Sites 53% - Market share of top 100,000 sites 55% - Market share of top 10,000 sites Projection 300 – 500 Million - 2015@sucuri_security @perezbox #wcoc 7 6/2/2012
Web Malware Numbers 403 Million – Unique variants of malware 2011 140% Growth – 2010 – 2011 in unique variants 55,294 – Malicious web domains in 2011 130% Growth – 2010 – 2011 in malicious domains 81% - Increase malicious web-based attacks between 2010 / 2011 42 Billion – Global SPAM per day 2011 (Source: Symantec Internet Security Threat Report, Vol 17)@sucuri_security @perezbox #wcoc 8 6/2/2012
Gah… NO MORE NUMBERS The web is growing at an unprecedented pace. WordPress growth – astronomical and gaining Web-based malware is not far behind To have a virtual presence you must consider the security of your website@sucuri_security @perezbox #wcoc 9 6/2/2012
Thinking about Web Security Web Security Access Containment Knowledge Minimize Control Authentication Reduce Threat Have a Plan Be prepared Impact@sucuri_security @perezbox #wcoc 11 6/2/2012
Web-based Malware Malware – Short for malicious software. This software is designed to disrupt operation of an information system (i.e., local machine, server, mobile device, etc…) In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack. - BlueCoat 2012 Web Security Report@sucuri_security @perezbox #wcoc 12 6/2/2012
Most Common Distributions Social Engineering Trick you into installing malware Compromising credentials Websites, Email, Twitter Drive-by-Downloads Install malware after exploiting a vulnerability – big issue for us in the WP community iFrame (52.6%) and JS injections (26.5%) Malicious redirects Redirect user to another site often distributing malware@sucuri_security @perezbox #wcoc 15 6/2/2012
Threat Landscape End User Local Application Environment Web Server Administration Network Threat Environmental Landscape@sucuri_security @perezbox #wcoc 16 6/2/2012
The Attacker Types Culture Has code of ethics, heroes and White-Hat villains and competing gangs Ethical / Grey Hat Knowledge is power Most Believe information and Script Kiddie computer access should be freely shared Hacktivist Major motivation among hackers is status Cracker / Black Hat Financial gain is a strong motivation with crackers – Robin Hood mindset – ok to steal@sucuri_security @perezbox #wcoc 17 6/2/2012
But I only write about lazy lizards!!!!• Opportunistic Attacks• Road of least resistance• Political Agenda / Further Cause• Mass Exposure• In short – it doesn‟t matter what you write about, you have a virtual presence@sucuri_security @perezbox #wcoc 18 6/2/2012
Is WordPress insecure? Out of the box, core is well built and secure It‟s no longer the days of 1.5 Security team is in place to quickly address and patch issues Extensibility – both its strength and weakness With popularity comes a target… think Windows for local environments Easy target because of its exposure, attackers focusing on the platform Road of least resistance@sucuri_security @perezbox #wcoc 19 6/2/2012
Top reasons why we see these infections Poor credential Management Poor System Administration Soup Kitchen Servers Out of Date Software Lack of Web knowledge Use of self-proclaimed “experts” Cutting Corners@sucuri_security @perezbox #wcoc 21 6/2/2012
Reduce Threat Risk Update Credentials Communicate Securely Themes / Plugins Harden Your Install Don‟t forget your local environment Knowledge - Resources@sucuri_security @perezbox #wcoc 23 6/2/2012
Credentials (user / password) Basics Take-Aways Avoid using „Admin‟ & Complex Unique password „Administrator‟ Upper / Lower Symbols Numbers Use Strong Passwords Longer than 18 characters Online Generator: http://www.onlinepasswordgen Passphrases erator.com/password.php Use one time – Password manager Use Password Manager LastPass – Free – Online / In short: Mobile Access No Dates No Names https://lastpass.com/ No Pets 1Password No Places https://agilebits.com/onepass A = @, E = 3, S= $, O = 0 word They know this@sucuri_security @perezbox #wcoc 25 6/2/2012
Data Dictionary / Defacement@sucuri_security @perezbox #wcoc 26 6/2/2012
Communicate Securely Communication mechanisms File Transfer Protocol (FTP) Secret File Transfer Protocol (SFTP) Secure Shell (SSH) Tools Filezilla Coda NCFTP SFTP / SSH - Best Approach Google: How to create SFTP account on [Host Name] Google: How to enable SSH on [Host Name]@sucuri_security @perezbox #wcoc 27 6/2/2012
Safe Themes / Plugins WordPress Repository is a good place to start 19.6k+ - Available Plugins 1.5k+ - Available Themes Look for good descriptions of the theme or plugin Look to see versions and updates Active change log is always good Theme-check & Plugin-check are good tools to check potential issues Free Theme? http://wpmu.org/why-you-should-never-search-for-free- wordpress-themes-in-google-or-anywhere-else/@sucuri_security @perezbox #wcoc 28 6/2/2012
Plugins To Avoid WPStats.org SPAM – Fake Advanced Search Plugin SEO poisoning – Bad http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search- plugin.html Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0) Upload / Server control - Very Bad http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with- pwwangs-code-for-wordpress-version-1-0-0.html Absolute Privacy Plugin Known vulnerability http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html ToolsPack Plugin Dangerous backdoor – full access - Very Bad http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html@sucuri_security @perezbox #wcoc 29 6/2/2012
HTACCESS is your Friend Configuration file for web servers using Apache Features: Error Documents Redirects Password Protection Deny visitors by IP Hot link prevention Access prevention More? Apply these changes at your own peril – run risk of blowing up site@sucuri_security @perezbox #wcoc 32 6/2/2012
Protect HTACCESS Permission <= 640 #PROTECT HTACCESS <Files HTACCESS> Order Allow, Deny Deny from all </Files>@sucuri_security @perezbox #wcoc 33 6/2/2012
Protect WP-Config .htaccess Permissions <= 640 #PROTECT WP-CONFIG <Files wp-config.php> Order Allow, Deny Deny from all </Files>@sucuri_security @perezbox #wcoc 34 6/2/2012
Authentication Keys wp-config.php Encrypts information stored in user‟s cookies https://api.wordpress.org/secret-key/1.1/salt/ Resource: http://codex.wordpress.org/Editing_wp-config.php@sucuri_security @perezbox #wcoc 35 6/2/2012
Admin User Created by “default” < = 3.0 In higher version you can define your own administrator Create new user, apply “administrator” role Be mindful of any posts created by “admin” user Delete “admin” user@sucuri_security @perezbox #wcoc 37 6/2/2012
Disable Directory Listing Nobody show know the color of your skivvies Default in most hosts, not always # PREVENT DIRECTORY LISTINGS Options -Indexes@sucuri_security @perezbox #wcoc 38 6/2/2012
Disable Plugin / Theme Editor wp-config.php file Remove the ability modify your files via your wp-admin panel – force to use SFTP / SSH and your local IDE # Disable Plugin / Theme Editor Define(„DISALLOW_FILE_EDIT‟,true);@sucuri_security @perezbox #wcoc 39 6/2/2012
Protect WP-Admin If you have a dynamic IP this might be problematic Consider HTTPS (Heavy / Complicated) or Basic Authentication (Effective / Simple) # SECURE Access to WP-ADMIN <FilesMatch ".*"> Order Deny,Allow Deny from all Allow from [IP Address] </FilesMatch>@sucuri_security @perezbox #wcoc 41 6/2/2012
Harden WP-Includes Create .htaccess in wp-includes directory #PROTECT WP-INCLUDES <FilesMatch “.php”> Order Allow, Deny Deny from all Deny</Files>@sucuri_security @perezbox #wcoc 42 6/2/2012
Harden WP-Content Create .htaccess in wp-content directory Most vulnerable, contains Uploads directory, often the attack vector It can be moved, but if you‟re an end-user don‟t touch – hire a pro – lots of dependencies #PROTECT WP-CONTENT <FilesMatch “.php”> Order Allow, Deny Deny from all Deny</Files>@sucuri_security @perezbox #wcoc 43 6/2/2012
Limit Upload Most shells < 1 mb Good idea anyway - //limit file upload to 10mb LimitRequestBody 10240000@sucuri_security @perezbox #wcoc 44 6/2/2012
Protect Against Bots Malnets are a growing problem, proactively protect against them using a Web Application Firewall Perishable Press – 5G Blacklist 2012 http://perishablepress.com /5g-blacklist-2012/@sucuri_security @perezbox #wcoc 45 6/2/2012
5G WordPress Add-On Don‟t want to add all that other stuff? No problem, try this condensed version for WordPress Doesn‟t require the 5G Blacklist and helps protect against bad URL request – i.e., helps take the load off your server from these very annoying requests Source: http://perishablepress.com/wordpress-5g-blacklist/ Careful – wp-signup required for MultiSite@sucuri_security @perezbox #wcoc 46 6/2/2012
Secure Login Page There are a number of plugins you can use for this, or, you can turn to your .htaccess again Might be an issue if its not static.. <Files wp-login.php> Order Deny,Allow Deny from All Allow from [Your IP] </Files>@sucuri_security @perezbox #wcoc 47 6/2/2012
SPAM Comments SPAM in your comments can get you blacklisted just as fast as injections on your pages Disable comments on pages if you don‟t want them Setting to close comments after a certain amount of time. Settings > Discussion > Other Comment Settings Automatically close comments on articles older than XX days Use AKISMET@sucuri_security @perezbox #wcoc 49 6/2/2012
Cross-Site Contamination Most of the things provided so far help you from external attacks. Internal attacks are as prevalent Growing problem – “Soup Kitchen” servers Development, Staging, Testing, Productions – 1 environment http://blog.sucuri.net/2012/03/a-little-tale-about-website- cross-contamination.html http://blog.sucuri.net/2012/03/website-cross- contamination-blackhat-seo-spam-malware.html@sucuri_security @perezbox #wcoc 50 6/2/2012
Security Plugins Sucuri Clients – Sucuri Security – Free to Clients Web Application Firewall Integrity Monitoring Auditing Hardening More: http://sucuri.net/services/preventive Not a client? No problem, other good options include – Login Lock http://wordpress.org/extend/plugins/login-lock/ WordPress File Monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/ WordPress Firewall 2 http://wordpress.org/extend/plugins/wordpress-firewall-2/ BulletProof Security http://wordpress.org/extend/plugins/bulletproof-security/@sucuri_security @perezbox #wcoc 51 6/2/2012
Two Approaches Do it Yourself Hire a Professional Forums are you friend Will cost money Requires time and Alleviates the stress patience Gets you up and running Leverage free tools in hours, if not days Know when you‟re in over your head Can take time – hours, days, weeks, mo nths@sucuri_security @perezbox #wcoc 53 6/2/2012
Things to Know when Engaging Professionals Know who your host is and how to contact them in the event of an emergency Know how to access your server – FTP, SFTP, SSH, FTPS Have a backup accessible Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i- know-when-engaging-a-web-malware-company.html@sucuri_security @perezbox #wcoc 55 6/2/2012
Tips & Tricks After all this you might still become infected, and if you do here are a few tips to keep you going: 1. Immediately Change all credentials – wp- admin, database, cpanel 2. Log into your database and check all the users 3. Replace WP manually – avoid the default updater 4. Defacements – look at your index files (watch out for “.html” and “index2.php”) 5. Use live scanner: http://sitecheck.sucuri.net 6. Use terminal to GREP and FIND issues reported 7. Restore site from clean backup 8. Purge your cache 9. Disable plugins, validate each plugin 10. Engage a professional@sucuri_security @perezbox #wcoc 56 6/2/2012