2. If you don’t ask, you don’t get!
• Dre Armeda, CISSP
• CEO, Co-Founder at Sucuri Inc.
• @dremeda
• Dre.im
I'm a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I'm infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!
1/19/2013 Dre Armeda - @dremeda #wcphx
3. Why listen to me? You don’t have to, but…
• 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy.
– Managed security awareness for Sempra Energy
– Deployed security suite for 1-800-Flowers.
– Cleaned Martha Stewart web properties of malware
• Not an expert, passionate enthusiast.
• Seriously though – Quick Sucuri stats:
– Remediate 200 to 300 infected websites a day, 24/7/365
– Perform 2 million + malware website scans a month
– Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)
My goal in life is to make the web a safer place!
4. Thoughts To Kick Things Off
• Information Security is about risk reduction.
– If you’re looking for the “silver bullet” this is the wrong talk for you.
• To think that you will never be infected is like saying you will never be sick.
– Someone tells you different – Percussion calibration time
• Prevention is ideal, but not realistic.
– Risk will never be 0%
– Detection is key.
5. Know Your Enemy
• They have time & resources
• They are intelligent
• Attacks are automated
• Goal is to impact quantity
• Own one, own them all…
• It’s not personal
6. Ok, so what’s the problem?
TODAY’S ISSUES:
• The Ecosystem / Environment
• Access Control
• Software Vulnerabilities
• Administration
• Credential Management
• Extensibility
7. Today’s Focus
• Ecosystem / Environment
• Access Control
• Dealing with Hacks
8. Logical Architecture
Stack, bottom to top:
• Linux Operating System
– Apache, MySQL, PHP
• WordPress, cPanel, Plesk, phpMyAdmin, PHP-CGI, and the Apache / PHP modules each of them pulls in
10. The EcoSystem / Environment
• What can you do?
– Not much… the stack is completely outside of your control if you’re using a shared or managed host
• But, you can reduce risk...
– Use a Dedicated / VPS environment
• But recognize the responsibility that this entails (the whole stack is now yours to patch and administer); if what I mentioned previously doesn’t make sense, skip to the next step
– Go with a managed host
• Doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on
11. Access is Key
• We have to change the way we treat and think about access. All access – server and application.
• We are going through the same mistakes servers and desktops were making in the 90’s with access.
• Know where you are surfing the web: do you really need to log in as an admin from the coffee shop’s Wi-Fi?
12. Before We Dive In
19. Pharma Hack
• Multi-million $ business
• Rarely distributes malware: the odds of malware distribution are actually low
• Impression-based affiliate marketing: the payout comes from search traffic, not from infecting your visitors
• Targets Google’s Search Engine Result Pages (SERPs): the spam is shown to the search crawler, so the site owner usually never sees it
• Tricks:
– Embedded within core files
– Hidden “.tmp” directories under the web root
20. Pharma Hack, cont’d
• Use curl to fetch the page as Googlebot would, then compare with what a Windows browser gets:
curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
– Google Webmaster Tools
• Fetch as Googlebot
• Check your theme’s index.php (and the rest of the theme files) for things like this:
<?php
$wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));
$wp__theme_icon(); ?>
– The “image” s.jpg is really PHP source: create_function compiles it and the call on the next line runs it, with @ suppressing any errors, so the theme file itself carries only this one innocuous-looking line
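An added example (shell, not part of the deck or Sucuri’s tooling): the curl trick above scripted as a crawler-versus-browser comparison, plus a grep sweep for the create_function / file_get_contents-on-an-image pattern in the snippet. The pharma keyword list, the backdoor indicator regex and the web root path are this example’s assumptions; the infected file used to exercise it is a constructed sample.

```sh
#!/bin/sh
# Added example, not from the deck. Two pharma-hack checks:
#  1) compare what Googlebot is served against what a Windows browser gets
#     (the spam is cloaked, so only the crawler copy carries it)
#  2) sweep PHP files for the constructs the infected index.php uses:
#     create_function, eval, blob decoders, and file_get_contents on an "image"
# The keyword and indicator lists are this example's assumptions; tune them.
# Usage: compare_cloaked http://example.com ; scan_php_for_backdoors /var/www/html

GOOGLEBOT_UA='Googlebot/2.1 (+http://www.google.com/bot.html)'
BROWSER_UA='Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.36'
# Terms pharma spam stuffs into titles, links and hidden divs (assumed list).
PHARMA_RE='viagra|cialis|levitra|online pharmacy|buy cheap'
# Constructs legitimate theme/plugin code almost never needs (assumed list):
# runtime code generation, blob decoders, and reading an image file into PHP.
BACKDOOR_RE='create_function[[:space:]]*\(|(^|[^a-zA-Z0-9_])eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|file_get_contents[[:space:]]*\([^)]*\.(jpe?g|gif|png|ico)'

# pharma_hits: count pharma keywords in the HTML read from stdin
pharma_hits() {
    grep -oiE "$PHARMA_RE" | wc -l | tr -d ' '
}

# compare_cloaked URL: fetch twice, as Googlebot and as a browser, and report
# when the crawler copy carries more spam. Needs network access.
compare_cloaked() {
    url=$1
    bot=$(curl -sL -A "$GOOGLEBOT_UA" "$url" | pharma_hits)
    human=$(curl -sL -A "$BROWSER_UA" "$url" | pharma_hits)
    echo "$url: pharma terms as Googlebot=$bot, as browser=$human"
    if [ "$bot" -gt "$human" ]; then
        echo "CLOAKING SUSPECTED: spam is served only to search engines"
        return 1
    fi
    return 0
}

# scan_php_for_backdoors DIR: print file:line:text for each suspicious
# construct in PHP files under DIR. Review hits by hand; an empty result
# is a good sign, not proof of a clean site.
scan_php_for_backdoors() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$BACKDOOR_RE" {} + 2>/dev/null || true
}

# find_tmp_dirs DIR: the hidden ".tmp" directories the slide says to look for
find_tmp_dirs() {
    find "$1" -type d -name '.tmp' 2>/dev/null || true
}
```

Run scan_php_for_backdoors against wp-content and the web root, not just the active theme: the slide notes the payload is often embedded in core files as well. A hit on a theme or plugin you installed from a trusted source still needs a look, since obfuscated premium themes do use these constructs.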
27. Malicious Redirects
• Redirects your user to a domain distributing malware; fundamentally different from an iframe injection, which executes in your browser while the page itself stays put
• 8 out of 10 times, check your .htaccess files – all of them. Count them first, then read each one:
find /var/www -name .htaccess -type f | wc -l
• Check for backdoors also – often a sign of a bigger issue
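An added example (shell, not part of the deck) that turns the find | wc -l one-liner into an audit: count the .htaccess files under a web root, flag the directives redirect hacks depend on (conditions on HTTP_REFERER or HTTP_USER_AGENT so only search-engine visitors get sent away, and RewriteRule / Redirect / ErrorDocument pointing at an external URL), and list recently modified ones. The suspect pattern list is this example’s assumption; /var/www is the slide’s path, and the files it is tried against are constructed.

```sh
#!/bin/sh
# Added example, not from the deck: inventory and audit every .htaccess under
# a web root. A stock WordPress .htaccess rewrites to /index.php and never
# tests the referrer or user agent, never redirects off-site, and never sets
# an ErrorDocument to another host; a redirect hack does all of those.
# Usage: count_htaccess /var/www ; audit_htaccess /var/www ; list_recent_htaccess /var/www 7

# Directives a stock WordPress .htaccess never contains (assumed list).
SUSPECT_RE='RewriteCond[[:space:]]+%.HTTP_(REFERER|USER_AGENT).|RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://|^[[:space:]]*Redirect(Match|Permanent|Temp)?[[:space:]].*https?://|ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://'

# count_htaccess ROOT: how many .htaccess files live under ROOT. Compare with
# what you expect (one at the root, maybe one in uploads); a hack that drops
# a copy into every directory shows up as a jump in this number.
count_htaccess() {
    find "$1" -name .htaccess -type f 2>/dev/null | wc -l | tr -d ' '
}

# audit_htaccess ROOT: print file:line:directive for every suspicious rule
audit_htaccess() {
    find "$1" -name .htaccess -type f -exec grep -nHE "$SUSPECT_RE" {} + 2>/dev/null || true
}

# list_recent_htaccess ROOT DAYS: .htaccess files modified within DAYS days;
# a fresh mtime on a file nobody touched is worth a look.
list_recent_htaccess() {
    find "$1" -name .htaccess -type f -mtime "-$2" 2>/dev/null || true
}
```

A redirect that only fires for visitors arriving from Google is invisible when you type the URL yourself, which is why the talk says to read the files rather than browse the site.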
29. Phishing
• Growing at a faster pace than traditional web malware
• No impact to readers, but tied to SPAM bots sending out emails like this:
32. Demo Objective
• Use good tools for bad things – wpscan
• Enumerate the users
• Brute-force the passwords from a wordlist
• Own the target WordPress site
• Deface the website
I have 5 minutes – Ready?
34. Update
• Oldest version found in production – 1.5
• Leading cause of cross-site contamination issues
• Perhaps the simplest of tasks, yet we still find this:
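An added example (shell, not part of the deck): find every WordPress install under a web root by its wp-includes/version.php and print the version each one runs, oldest first, then list the ones behind a version you pass in. This is the inventory step behind the cross-site contamination point: the forgotten 1.5 install is what takes down its neighbours on a shared server. The web root and the current-version argument are assumptions you supply; the installs it is tried against are constructed stubs.

```sh
#!/bin/sh
# Added example, not from the deck: list every WordPress install under a web
# root with its version, oldest first, so the stragglers stand out.
# Usage: list_wp_installs /var/www ; report_outdated /var/www 3.5.1

# wp_version INSTALL_DIR: the $wp_version string from wp-includes/version.php,
# or "unknown" if the file is missing or does not carry one
wp_version() {
    f="$1/wp-includes/version.php"
    v=$(sed -n "s/^[[:space:]]*\\\$wp_version[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$f" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# version_lt A B: true if dotted version A is older than B (1.5 < 3.5.1);
# "unknown" sorts as 0, so unparseable installs count as outdated
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k 1,1n -k 2,2n -k 3,3n | head -n 1)" = "$1" ]
}

# list_wp_installs ROOT: "version<TAB>install_dir" for every install, oldest first
list_wp_installs() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | while IFS= read -r f; do
        d=${f%/wp-includes/version.php}
        printf '%s\t%s\n' "$(wp_version "$d")" "$d"
    done | sort -t . -k 1,1n -k 2,2n -k 3,3n
}

# report_outdated ROOT LATEST: installs running anything older than LATEST
# (LATEST is whatever wordpress.org currently ships; you supply it)
report_outdated() {
    list_wp_installs "$1" | while IFS="$(printf '\t')" read -r ver dir; do
        if version_lt "$ver" "$2"; then
            printf '%s\t%s\n' "$ver" "$dir"
        fi
    done
}
```

Run it as a user that can read every site’s document root; on a shared box that is the whole point, because the install you do not own is the one that will be used to reach yours.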
35. Access is Key
• On the server:
– Kill accounts that are not in use
– FTP is the devil (credentials and files cross the wire in clear text): slap yourself and switch to SFTP
– Disable password auth & use key pairs
• WordPress admin:
– Multi-factor authentication on wp-admin
– Two-factor authentication on wp-login.php
• Employ least privilege:
– Only use admin accounts for admin tasks
– Learn to use the Editor, Author, Contributor and Subscriber roles
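An added example (shell, not part of the deck) for the “disable password auth and use key pairs” bullet: read an sshd_config the way sshd does (the first occurrence of a keyword wins, the global section ends at the first Match block, and Keyword=value is accepted) and report the settings that still let a password in. The defaults it assumes when a keyword is unset (PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin all yes) are those of the OpenSSH releases of the time; the configs it is tried against are constructed.

```sh
#!/bin/sh
# Added example, not from the deck: audit sshd_config for password logins.
# sshd keeps the FIRST value of a keyword and ignores later ones, and a
# "PasswordAuthentication no" pasted below a Match block only applies to
# that Match. Both mistakes leave password auth on while the admin believes
# it is off. Usage: audit_sshd /etc/ssh/sshd_config

# sshd_setting FILE KEYWORD: effective value of KEYWORD in the global
# section, or UNSET. Keywords are case-insensitive; "Keyword value" and
# "Keyword=value" are both accepted, as sshd does.
sshd_setting() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-UNSET}"
}

# audit_sshd FILE: one line per weak setting; exit status is the number of
# findings, so 0 means the file passes. Defaults assumed (OpenSSH of the era):
# PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes.
audit_sshd() {
    f=$1; findings=0
    pa=$(sshd_setting "$f" PasswordAuthentication)
    cra=$(sshd_setting "$f" ChallengeResponseAuthentication)
    prl=$(sshd_setting "$f" PermitRootLogin)
    pka=$(sshd_setting "$f" PubkeyAuthentication)
    if [ "$pa" != "no" ]; then
        echo "WEAK: PasswordAuthentication=$pa (default yes). Set: PasswordAuthentication no"
        findings=$((findings + 1))
    fi
    # With UsePAM, keyboard-interactive still prompts for a password unless this is off too.
    if [ "$cra" != "no" ]; then
        echo "WEAK: ChallengeResponseAuthentication=$cra (default yes). Set: ChallengeResponseAuthentication no"
        findings=$((findings + 1))
    fi
    if [ "$prl" = "yes" ] || [ "$prl" = "UNSET" ]; then
        echo "WEAK: PermitRootLogin=$prl. Set: PermitRootLogin no (log in as a user, then sudo)"
        findings=$((findings + 1))
    fi
    if [ "$pka" = "no" ]; then
        echo "BROKEN: PubkeyAuthentication=no, key pairs cannot work. Set: PubkeyAuthentication yes"
        findings=$((findings + 1))
    fi
    return $findings
}
```

Put your key on the box and confirm it logs you in before turning passwords off, and keep the existing session open while you restart sshd; a typo here locks you out of your own VPS.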
36. Password Dilemma
• 15-character password
– Roughly 3 months to crack (a ballpark figure: it depends on the hash in use and the attacker’s hardware)
• Long / Complex / Unique
– Key to passwords
• Prefer a password manager
– You don’t? Ok..
– Passphrases work too
• iLuvWCLpHX:2013:S@nT@N b@By
• Come up with a process & stick to it:
– One scheme:
• Remember 8 characters
• Write down 8 characters
• Save 20 characters
– Second scheme:
• Remember 20 characters
• Prefix characters with site name
• End sequence with some date
37. Kill PHP Execution
• Block direct requests for .php files in these directories:
– WP-INCLUDES
– WP-CONTENT
– UPLOADS – at a minimum
• .htaccess rule (Apache 2.2 syntax; Apache 2.4 uses “Require all denied” instead of “Deny from all”):
<Files *.php>
Deny from all
</Files>
• Caveat: a blanket deny on wp-includes or wp-content breaks files that are legitimately requested directly (e.g. wp-includes/js/tinymce/wp-tinymce.php, plugin endpoints), so start with uploads and add exceptions where you need them
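An added example (shell, not from the deck) that writes the slide’s deny rule for an uploads directory in a form that works on both Apache 2.2 (Order/Deny) and 2.4 (Require), and re-checks it afterwards, since attackers commonly delete or gut this file to get an uploaded shell running again. It goes a step beyond *.php and also covers .php5, .phtml and .phar, in case the server’s handler map executes those. The directory path is an assumption; the rule needs .htaccess overrides enabled for the directory, and on nginx it does nothing at all.

```sh
#!/bin/sh
# Added example, not from the deck: put a "no PHP served from here" rule in
# a directory and verify it is still intact. Cleaning a site is not done
# until this file is back in place. Usage: write_php_block /var/www/html/wp-content/uploads

# write_php_block DIR: (re)write DIR/.htaccess so no PHP is served from it.
# Both branches are emitted; Apache picks the one for its own version.
write_php_block() {
    cat > "$1/.htaccess" <<'EOF'
# Deny direct requests for PHP in this tree (uploads should only hold media).
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# verify_php_block DIR: 0 if the deny rule is present, 1 if missing or gutted
verify_php_block() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -q 'Require all denied' "$f" && grep -q 'Deny from all' "$f"
}
```

Schedule verify_php_block alongside your file-integrity checks: an attacker who can write to uploads can also rewrite uploads/.htaccess, so the rule only holds as long as you keep looking at it.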
38. Disable Theme / Plugin Editor
I’d take it a step further and remove the ability to install, but that’s just me.
Modify wp-config.php (above the “That’s all, stop editing!” line) with:
• Disable the plugin / theme editor
– define('DISALLOW_FILE_EDIT', true);
- OR -
• Disable plugin / theme update and installation (this implies DISALLOW_FILE_EDIT, and it also blocks updates from the dashboard, so you must update by another route such as SFTP)
– define('DISALLOW_FILE_MODS', true);
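An added example (shell, not from the deck) that puts define('DISALLOW_FILE_EDIT', true); (or any constant you name) into wp-config.php above the “stop editing” marker, where WordPress expects custom constants, and does nothing if it is already defined, so it is safe to run from a deployment script against many sites. The wp-config.php it is tried against is a constructed stub carrying only the standard marker line.

```sh
#!/bin/sh
# Added example, not from the deck: idempotently set a wp-config.php constant
# to true. The define goes above the "That's all, stop editing!" marker
# because some constants are read by wp-settings.php while it loads, so
# above the marker is the one position that works for every constant.
# Usage: wp_config_set_true /var/www/html/wp-config.php DISALLOW_FILE_EDIT

# wp_config_has FILE CONST: 0 if CONST is already defined in FILE
wp_config_has() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]$2['\"]" "$1"
}

# wp_config_set_true FILE CONST: insert define('CONST', true); before the
# first stop-editing marker, or append it if the marker is missing
wp_config_set_true() {
    f=$1; c=$2
    if wp_config_has "$f" "$c"; then
        return 0
    fi
    line="define('$c', true);"
    if grep -q "stop editing" "$f"; then
        awk -v ins="$line" 'inserted == 0 && /stop editing/ { print ins; inserted = 1 } { print }' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s\n' "$line" >> "$f"
    fi
}
```

Check file ownership afterwards: the rewrite creates a new file owned by whoever ran the script, and if that is not the user the web server runs as, WordPress may lose the ability to read its own configuration.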
41. Dre Armeda, CISSP
Dre.im
@dremeda
Sucuri Inc.
http://sucuri.net
http://blog.sucuri.net
@sucuri_security
Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.