WordPress Security
Knowledge is Power
Who Am I
       Hi, my name is Tony Perez | @perezbox
       Marine Corps – War Vet
       Sucuri Security
       Objectivity and
       rationalism
       Gun carrying, Harley riding, Martial Artist.
       Web-malware is my life


@sucuri_security @perezbox #wcoc   2    6/2/2012
What are we going to talk about?
       Web Security

       Look at some statistics…

       Provide an understanding of web malware

       Understand the threat scape a bit…

       Look at some of the recent trends…

       Give some hardening tips

       Get into the recommendations…


Thinking about Web Security

       Web Security rests on three pillars:
          Access
          Containment
          Knowledge

The Stats
Web Numbers
       > 700 Million websites – As of May 2012 – Netcraft

       300 Million – Number of websites in 2011 – Pingdom

       10.82 Billion – Number of indexed pages – WorldWebSize

       2.1 Billion – Number of internet users worldwide – Pingdom

       Projected that:
          1 Billion – 2013
          2 Billion - 2015




WordPress Numbers
          73 Million + – Number of WP powered sites

          16% - Of all Websites run WordPress

          22 – Out of every 100 new domains in the U.S.

          54% - CMS marketshare
             62% - Market share of top 1,000,000 Sites
             53% - Market share of top 100,000 sites
             55% - Market share of top 10,000 sites

          Projection
             300 – 500 Million - 2015



Web Malware Numbers
       403 Million – Unique variants of malware 2011
          140% Growth – 2010 – 2011 in unique variants

       55,294 – Malicious web domains in 2011
          130% Growth – 2010 – 2011 in malicious domains

       81% – Increase in malicious web-based attacks between 2010 and 2011

   42 Billion – Global SPAM per day 2011
   (Source: Symantec Internet Security Threat Report, Vol 17)




Gah… NO MORE NUMBERS

       The web is growing at an unprecedented pace.

       WordPress growth – astronomical and gaining

       Web-based malware is not far behind

       To have a virtual presence you must consider the security
       of your website




Web Security
Thinking about Web Security

       Web Security rests on three pillars, each with two parts:
          Access – Control, Authentication
          Containment – Reduce Threat, Minimize Impact
          Knowledge – Have a Plan, Be Prepared

Web-based Malware
      Malware – Short for malicious software. This software is
      designed to disrupt operation of an information system
      (i.e., local machine, server, mobile device, etc…)

      In 2011, malnets (malware networks) emerged as the next
      evolution in the threat landscape. These infrastructures last
      beyond any one attack. – BlueCoat 2012 Web Security Report

Types of Malware
       Obfuscated JavaScript
       Hidden & Malicious iFrames
       Embedded Trojans
       Phishing Attempts
       Malicious Redirects
       Backdoors (e.g., C99, R57, Webshells)
       Stupid, Pointless, Annoying Messages (SPAM)
       Defacement
       Anomalies
       IP Cloaking
       Drive by Downloads

Attack Vectors
       User Issues
          Out-of-Date Software
          Social Engineering
          Compromised Credentials

       Software Issues
          SQL Injection
          Cross-Site Scripting (XSS)
          Cross-Site Request Forgery (XSRF)
          Remote Execution



Most Common Distributions
       Social Engineering
          Trick you into installing malware
          Compromising credentials
          Websites, Email, Twitter

       Drive-by-Downloads
          Install malware after exploiting a vulnerability – big issue for
          us in the WP community
          iFrame (52.6%) and JS injections (26.5%)

       Malicious redirects
          Redirect user to another site often distributing malware

Threat Landscape
       The threat landscape spans every layer around the site:
          End User
          Local Environment
          Application
          Administration
          Web Server
          Environmental
          Network

The Attacker
       Types
          White-Hat
          Ethical / Grey Hat
          Script Kiddie
          Hacktivist
          Cracker / Black Hat

       Culture
          Has code of ethics, heroes and villains and competing gangs
          Knowledge is power
          Most believe information and computer access should be freely shared
          Major motivation among hackers is status
          Financial gain is a strong motivation with crackers – Robin Hood
          mindset – ok to steal

But I only write about lazy lizards!!!!
• Opportunistic Attacks

• Road of least resistance

• Political Agenda / Further
  Cause

• Mass Exposure

• In short – it doesn't matter what you write about, you have
  a virtual presence


Is WordPress insecure?
       Out of the box, core is well built and secure

       It's no longer the days of 1.5

       Security team is in place to quickly address and patch
       issues

       Extensibility – both its strength and weakness

       With popularity comes a target… think Windows for local
       environments
          Easy target because of its exposure, attackers focusing on the
          platform

       Road of least resistance
Recent Vulnerabilities and Infections
       Vulnerabilities
          PHP-CGI Vulnerability – Patched
          WooThemes Vulnerability – Patched
          TimThumb Vulnerability – Patched

       Campaigns
          Recovery-hdd.eu Malware Campaign
          Nikjju Mass Injection Campaign
          GetMama Conditional Malware Campaign
          .RR.NU Malware Campaign
          Sweepstake Malware Campaign

Top reasons why we see these infections
       Poor credential Management

       Poor System Administration

       Soup Kitchen Servers

       Out of Date Software

       Lack of Web knowledge

       Use of self-proclaimed “experts”

       Cutting Corners


So what can you do?
      Glad you asked
Reduce Threat Risk
       Update

       Credentials

       Communicate Securely

       Themes / Plugins

       Harden Your Install

       Don't forget your local environment

       Knowledge - Resources


Update, Update, Update
       Leading cause of infections

       If your theme is so coupled with core it can't be updated,
       consider purchasing a new one

       PHP, Core, Themes, Plugins, JavaScript…

Credentials (user / password)
       Basics
          Avoid using 'Admin' & 'Administrator'
          Use Strong Passwords
             Online Generator: http://www.onlinepasswordgenerator.com/password.php
          Use Password Manager
             LastPass – Free – Online / Mobile Access
                https://lastpass.com/
             1Password
                https://agilebits.com/onepassword

       Take-Aways
          Complex Unique password
             Upper / Lower
             Symbols
             Numbers
             Longer than 18 characters
          Passphrases
          Use one time – Password manager
          In short:
             No Dates
             No Names
             No Pets
             No Places
             A = @, E = 3, S = $, O = 0 – They know this

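As an added example (not code from the deck), a small Python checker that applies the take-aways above: it undoes the A = @, E = 3, S = $, O = 0 substitutions before looking for names, pets, places and dates, which is exactly why those substitutions buy nothing. The blocked-word list is a constructed stand-in; a real deployment would load a large word list plus the site's own names.

```python
import re

# Constructed stand-in for "No Names, No Pets, No Places"; a real check would
# use a much larger list (including the site owner's and company names).
BLOCKED_WORDS = {
    "admin", "administrator", "password", "wordpress", "welcome",
    "tony", "perez", "rover", "fluffy", "orange", "california",
}

# The substitutions from the slide (plus 1 = i), undone before checking:
# cracking wordlists apply exactly these rules, so they add no strength.
LEET_MAP = str.maketrans({"@": "a", "3": "e", "$": "s", "0": "o", "1": "i"})

MIN_LENGTH = 18  # the slide asks for longer than 18 characters

# Four-digit years and day/month pairs such as 12/25 or 3-14 ("No Dates")
DATE_RE = re.compile(r"(19|20)\d{2}|\b\d{1,2}[/.-]\d{1,2}\b")


def normalize(password: str) -> str:
    """Lower-case the password and undo the common symbol/digit substitutions."""
    return password.lower().translate(LEET_MAP)


def is_passphrase(password: str) -> bool:
    """Four or more words separated by spaces or dashes count as a passphrase,
    which the slide accepts in place of a symbol/number-heavy password."""
    words = [w for w in re.split(r"[\s\-_]+", password.strip()) if w]
    return len(words) >= 4


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) <= MIN_LENGTH:
        problems.append("must be longer than 18 characters")
    if DATE_RE.search(password):
        problems.append("contains a date-like number")
    norm = normalize(password)
    for word in sorted(BLOCKED_WORDS):
        if word in norm:
            problems.append(f"contains blocked word '{word}' after undoing substitutions")
    if not is_passphrase(password):
        classes = {
            "upper-case letter": any(c.isupper() for c in password),
            "lower-case letter": any(c.islower() for c in password),
            "number": any(c.isdigit() for c in password),
            "symbol": any(not c.isalnum() and not c.isspace() for c in password),
        }
        problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    return problems


if __name__ == "__main__":
    for candidate in ("P@$$w0rd2012!", "@dm1n1str@t0r-S3cur3!!",
                      "Harley rides at dawn on Tuesdays"):
        print(candidate, "->", check_password(candidate) or "OK")
```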
Data Dictionary / Defacement




Communicate Securely
       Communication mechanisms
          File Transfer Protocol (FTP)
          SSH File Transfer Protocol (SFTP)
          Secure Shell (SSH)

       Tools
          Filezilla
          Coda
          NCFTP

       SFTP / SSH - Best Approach
       Google: How to create SFTP account on [Host Name]
       Google: How to enable SSH on [Host Name]

Safe Themes / Plugins
       WordPress Repository is a good place to start
          19.6k+ - Available Plugins
          1.5k+ - Available Themes

       Look for good descriptions of the theme or plugin
       Look to see versions and updates
       Active change log is always good
       Theme-check & Plugin-check are good tools to check potential
       issues
       Free Theme?
          http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Plugins To Avoid
       WPStats.org SPAM – Fake Advanced Search Plugin
          SEO poisoning – Bad
          http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search-plugin.html

       Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0)
          Upload / Server control - Very Bad
          http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with-pwwangs-code-for-wordpress-version-1-0-0.html

       Absolute Privacy Plugin
          Known vulnerability
          http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html

       ToolsPack Plugin
          Dangerous backdoor – full access - Very Bad
          http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html




What websites are dangerous?




Hardening
 Getting er done!
HTACCESS is your Friend
       Configuration file for web servers using Apache

       Features:
          Error Documents
          Redirects
          Password Protection
          Deny visitors by IP
          Hot link prevention
          Access prevention
          More?

       Apply these changes at your own peril – run risk of blowing up
       site
Protect HTACCESS
       Permission
          <= 640

                # PROTECT HTACCESS
                <Files .htaccess>
                Order Allow,Deny
                Deny from all
                </Files>

Protect WP-Config
       .htaccess

       Permissions
          <= 640

                # PROTECT WP-CONFIG
                <Files wp-config.php>
                Order Allow,Deny
                Deny from all
                </Files>

Authentication Keys
          wp-config.php
          Encrypts information stored in user's cookies
          https://api.wordpress.org/secret-key/1.1/salt/
          Resource: http://codex.wordpress.org/Editing_wp-config.php




Database Prefix
       Default is “wp_”

       wp-config.php




Admin User
       Created by "default" in versions <= 3.0

       In higher version you can define your own administrator

       Create new user, apply “administrator” role

       Be mindful of any posts created by “admin” user

       Delete “admin” user




Disable Directory Listing
       Nobody should know the color of your skivvies

       Default in most hosts, not always




     # PREVENT DIRECTORY LISTINGS
     Options -Indexes



Disable Plugin / Theme Editor

       wp-config.php file

       Remove the ability to modify your files via your wp-admin
       panel – force yourself to use SFTP / SSH and your local IDE

     # Disable Plugin / Theme Editor
     define('DISALLOW_FILE_EDIT', true);

Permissions
    Directories
       755

    Files
       644

    Important Files
       .htaccess = 644
       wp-config.php = 600
       php.ini = 600
       php.cgi = 711
       php5.cgi = 100

    Directories:
       find [path to install] -type d -exec chmod 755 {} \;

    Files:
       find [path to install] -type f -exec chmod 644 {} \;

    Reading:
    http://codex.wordpress.org/Changing_File_Permissions
Protect WP-Admin
       If you have a dynamic IP this might be problematic

       Consider HTTPS (Heavy / Complicated) or Basic
       Authentication (Effective / Simple)

           # SECURE Access to WP-ADMIN (place in the wp-admin directory's .htaccess)
           # Note: front-end features that call wp-admin/admin-ajax.php are
           # limited to the allowed IPs as well
           <FilesMatch ".*">
           Order Deny,Allow
           Deny from all
           Allow from [IP Address]
           </FilesMatch>

Harden WP-Includes
       Create .htaccess in wp-includes directory

                # PROTECT WP-INCLUDES
                # Note: this also blocks wp-includes/js/tinymce/wp-tinymce.php,
                # which the visual editor loads – test the editor after applying
                <FilesMatch "\.php$">
                Order Allow,Deny
                Deny from all
                </FilesMatch>

Harden WP-Content
       Create .htaccess in wp-content directory

       Most vulnerable, contains Uploads directory, often the
       attack vector

       It can be moved, but if you're an end-user don't touch –
       hire a pro – lots of dependencies

               # PROTECT WP-CONTENT
               # Note: themes and plugins that serve .php files directly from
               # wp-content will stop working – test the site after applying
               <FilesMatch "\.php$">
               Order Allow,Deny
               Deny from all
               </FilesMatch>
Limit Upload
       Most shells < 1 MB

       Good idea anyway

               # limit file upload to 10mb (LimitRequestBody is in bytes)
               LimitRequestBody 10240000

Protect Against Bots
       Malnets are a growing problem, proactively protect against
       them using a Web Application Firewall

       Perishable Press – 5G Blacklist 2012
          http://perishablepress.com/5g-blacklist-2012/

5G WordPress Add-On
       Don't want to add all that other stuff? No problem, try this
       condensed version for WordPress

       Doesn't require the 5G Blacklist and helps protect against
       bad URL requests – i.e., helps take the load off your server
       from these very annoying requests
          Source: http://perishablepress.com/wordpress-5g-blacklist/

       Careful – wp-signup is required for MultiSite

Secure Login Page
       There are a number of plugins you can use for
       this, or, you can turn to your .htaccess again

       Might be an issue if your IP is not static

               <Files wp-login.php>
               Order Deny,Allow
               Deny from All
               Allow from [Your IP]
               </Files>

Protect against XSS
       Deny bad query strings – in short, don't become a victim
       to cross-site scripting

   # QUERY STRING EXPLOITS
   # Note: these patterns are broad – tag\= refuses ?tag=foo tag queries and the
   # last rule refuses any search containing words like "request" or "drop";
   # test against your own URLs before enabling
   <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
    RewriteRule ^(.*)$ - [F,L]
   </IfModule>
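To show what this list does to ordinary traffic, here is an added Python harness (not part of the deck) that runs the same twelve patterns against constructed query strings; it shows that tag= refuses a default-permalink tag archive and the SQL keyword rule refuses an innocent site search, so test the list against your own URLs before turning it on.

```python
import re

# The slide's RewriteCond patterns, verbatim. They are PCRE, so Python's re
# accepts them unchanged; Apache's [NC] flag is re.I, and RewriteCond matches
# anywhere in the raw (still URL-encoded) query string, hence search().
QUERY_STRING_RULES = [
    r"\.\.\/",
    r"boot\.ini",
    r"tag\=",
    r"ftp\:",
    r"http\:",
    r"https\:",
    r"mosConfig",
    r"^.*(\[|\]|\(|\)|<|>|'|\"|;|\?|\*).*",
    r"^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|config|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare|drop).*",
]
COMPILED = [re.compile(rule, re.I) for rule in QUERY_STRING_RULES]


def blocked_by(query_string):
    """Return the first pattern that fires (the request would get a 403), or None."""
    for rule in COMPILED:
        if rule.search(query_string):
            return rule.pattern
    return None


def audit(query_strings):
    """Map each query string to the rule that blocks it, None if it passes."""
    return {qs: blocked_by(qs) for qs in query_strings}


# Constructed sample requests: the first five are ordinary WordPress URLs.
SAMPLE_QUERY_STRINGS = [
    "tag=wordpress",        # default-permalink tag archive: blocked by tag\=
    "s=request+a+quote",    # site search for an innocent phrase: blocked by the SQL word list
    "s=what%27s+new",       # apostrophe in a search, URL-encoded: blocked by %27
    "p=42",                 # plain post request: passes
    "cat=3&feed=rss2",      # category feed: passes
    "file=../readme.txt",   # traversal attempt: blocked, as intended
]

if __name__ == "__main__":
    for qs, rule in audit(SAMPLE_QUERY_STRINGS).items():
        print(f"{qs:22} -> {rule or 'allowed'}")
```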
SPAM Comments
       SPAM in your comments can get you blacklisted just as
       fast as injections on your pages

       Disable comments on pages if you don't want them

       Setting to close comments after a certain amount of time.
          Settings > Discussion > Other Comment Settings
          Automatically close comments on articles older than XX days

       Use AKISMET




Cross-Site Contamination
       Most of the things provided so far help protect you from
       external attacks. Internal attacks are just as prevalent.

       Growing problem – "Soup Kitchen" servers: Development, Staging,
       Testing and Production all in one environment

       http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html
       http://blog.sucuri.net/2012/03/website-cross-contamination-blackhat-seo-spam-malware.html
Security Plugins
   Sucuri Clients – Sucuri Security – Free to Clients
      Web Application Firewall
      Integrity Monitoring
      Auditing
      Hardening
      More: http://sucuri.net/services/preventive

   Not a client? No problem, other good options include –
      Login Lock
          http://wordpress.org/extend/plugins/login-lock/
      WordPress File Monitor
          http://wordpress.org/extend/plugins/wordpress-file-monitor/
      WordPress Firewall 2
          http://wordpress.org/extend/plugins/wordpress-firewall-2/
      BulletProof Security
          http://wordpress.org/extend/plugins/bulletproof-security/
Still have a malware problem?
Two Approaches
       Do it Yourself
          Forums are your friend
          Requires time and patience
          Leverage free tools
          Know when you're in over your head
          Can take time – hours, days, weeks, months

       Hire a Professional
          Will cost money
          Alleviates the stress
          Gets you up and running in hours, if not days
Support Forums
       WordPress.org
          Hacked: http://wordpress.org/tags/hacked
          Malware: http://wordpress.org/tags/malware


       BadwareBusters.org
          https://badwarebusters.org/




Things to Know when Engaging Professionals
       Know who your host is and how to contact them in the
       event of an emergency

       Know how to access your server –
       FTP, SFTP, SSH, FTPS

       Have a backup accessible



   Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html


Tips & Tricks
       After all this you might still become infected, and if you do
       here are a few tips to keep you going:
       1. Immediately change all credentials – wp-admin, database, cPanel
       2. Log into your database and check all the users
       3. Replace WP manually – avoid the default updater
       4. Defacements – look at your index files (watch out for ".html"
          and "index2.php")
       5. Use live scanner: http://sitecheck.sucuri.net
       6. Use terminal to GREP and FIND issues reported
       7. Restore site from clean backup
       8. Purge your cache
       9. Disable plugins, validate each plugin
       10. Engage a professional
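For steps 4 and 6 above, an added Python triage scanner (not the deck's or Sucuri's code) that walks an install and reports the indicators this deck names: PHP files under wp-content/uploads, index2.php/index.html drop files, recently modified files, and obfuscated eval/base64 or hidden-iframe content. The sample site it scans is constructed in a temporary directory with inert planted files; the signature set is a starting point, not a complete one.

```python
"""Triage scan of a WordPress install for the indicators the deck calls out."""
import os
import re
import tempfile
import time
from pathlib import Path

PHP_SUFFIXES = {".php", ".php4", ".php5", ".phtml"}
TEXT_SUFFIXES = PHP_SUFFIXES | {".js", ".html", ".htm"}
DEFACEMENT_NAMES = {"index2.php", "index.html", "index.htm"}

# Content signatures for obfuscated code and hidden iframes (malware types listed
# earlier in the deck). A starting set only; the base64 rule in particular will
# also fire on legitimate minified scripts or inlined data.
SIGNATURES = {
    "eval(base64_decode(...)) obfuscation": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "compressed/rot13 decoder call": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "preg_replace with /e modifier": re.compile(r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]", re.I),
    "hidden iframe": re.compile(r"<iframe[^>]*(visibility:\s*hidden|display:\s*none|height=['\"]?0)", re.I),
    "long base64-looking blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_tree(root, recent_days=7):
    """Return (relative path, reason) pairs for everything worth a second look."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        # Uploads should hold media only; executable PHP there is a classic drop point
        if rel.startswith("wp-content/uploads/") and suffix in PHP_SUFFIXES:
            findings.append((rel, "PHP file inside wp-content/uploads"))
        # Step 4 of the slide: defacements hide in extra index files
        if path.name.lower() in DEFACEMENT_NAMES:
            findings.append((rel, "index-style file often used for defacement"))
        # Anything touched recently is where to start reading
        if path.stat().st_mtime > cutoff:
            findings.append((rel, f"modified within the last {recent_days} days"))
        if suffix in TEXT_SUFFIXES or path.name == ".htaccess":
            text = path.read_bytes()[:1_000_000].decode("utf-8", "ignore")
            for label, pattern in SIGNATURES.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return findings


def build_sample_site(root):
    """Constructed WordPress-like tree: three clean files aged 30 days plus three
    planted, inert indicators (the base64 string just decodes to 'sample')."""
    root = Path(root)
    clean = {
        "index.php": "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';\n",
        "wp-config.php": "<?php $table_prefix = 'wp_';\n",
        "wp-content/uploads/2012/05/photo.jpg": "not really a jpeg\n",
    }
    planted = {
        "wp-content/uploads/2012/05/wp-cache.php": "<?php eval(base64_decode('c2FtcGxl'));\n",
        "wp-content/themes/twentyeleven/footer.php":
            '<iframe src="http://example.invalid/" style="visibility:hidden" width="1" height="1"></iframe>\n',
        "index2.php": "<html><body>constructed defacement page</body></html>\n",
    }
    old = time.time() - 30 * 86400
    for rel, body in {**clean, **planted}.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
        if rel in clean:
            os.utime(target, (old, old))
    return root


def demo():
    """Build the sample site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_site(tmp))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:42} {rel}")
```

Run it against a real install as `scan_tree("/path/to/wordpress")` and read the flagged files by hand; the output is a reading list, not a verdict.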
Online Resources
FREE
          Real Time Virus Scanners
       Sucuri SiteCheck: http://sitecheck.sucuri.net

       Unmask Parasites: http://unmaskparasites.com/




Blacklisting Authorities
       Google
          Chrome, FireFox
          Search Engine Results Page (SERP)
          http://www.google.com/webmaster/tools
          http://www.google.com/safebrowsing/diagnostic?site=[your site]

       Bing
          Internet Explorer
          http://www.bing.com/toolbox/webmaster/

       Norton
          Facebook
          http://safeweb.norton.com/

       AVG
          Opera
          http://www.avgthreatlabs.com/sitereports/



Useful Plugins
       Know what you're using:
          Theme-Check
              Authors: Pross, Otto42
              http://wordpress.org/extend/plugins/theme-check/
          Plugin-Check
              Author: Pross
              http://wordpress.org/extend/plugins/plugin-check/

       Protect Against Comment SPAM
          Akismet
              Authors: Matt, Ryan, Andy, mdawaffe
              http://wordpress.org/extend/plugins/akismet/
              Still offers free service

       Backups are your friend:
          Author: iThemes
          http://pluginbuddy.com/purchase/backupbuddy/

Online Reading
       http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
       http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
       http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
       http://codex.wordpress.org/Hardening_WordPress
       http://codex.wordpress.org/FAQ_My_site_was_hacked
       http://wpsecure.net/

Online Tools
       http://www.botsvsbrowsers.com/SimulateUserAgent.asp

       http://www.tareeinternet.com/scripts/base.html

       http://www.tareeinternet.com/scripts/decrypt.php




Tony Perez
       Company: Sucuri Security

       Company site: http://sucuri.net

       Company blog: http://blog.sucuri.net

       Personal blog: http://perezbox.com

       Twitter: http://twitter.com/perezbox

       Linkedin: http://linkedin.com/in/perezbox

       Email: tony@sucuri.net



Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScan
 
Ethi mini1 - ethical hacking
Ethi mini1 - ethical hackingEthi mini1 - ethical hacking
Ethi mini1 - ethical hacking
 
8 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 20208 Types of Cyber Attacks That Can Bother CISOs in 2020
8 Types of Cyber Attacks That Can Bother CISOs in 2020
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
 
3 Hkcert Trend
3  Hkcert Trend3  Hkcert Trend
3 Hkcert Trend
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Nastiest Malware 2021
Nastiest Malware 2021Nastiest Malware 2021
Nastiest Malware 2021
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 

More from Tony Perez

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersTony Perez
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and SecurityTony Perez
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationTony Perez
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for WebsitesTony Perez
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceTony Perez
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsTony Perez
 
Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Tony Perez
 
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityWordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityTony Perez
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsTony Perez
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityTony Perez
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From HacksTony Perez
 
Word press website security
Word press website securityWord press website security
Word press website securityTony Perez
 
WordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesWordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesTony Perez
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksTony Perez
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionTony Perez
 

More from Tony Perez (16)

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher Education
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for Websites
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote Workforce
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?
 
Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the Basics
 
Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)Website Security - Latest and Greatest (WordPress 2014)
Website Security - Latest and Greatest (WordPress 2014)
 
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri SecurityWordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The Basics
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of Security
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From Hacks
 
Word press website security
Word press website securityWord press website security
Word press website security
 
WordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, DefensesWordPress Website Security - Trends, Threats, Defenses
WordPress Website Security - Trends, Threats, Defenses
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's Hacks
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" Version
 

Recently uploaded

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfUK Journal
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 

Recently uploaded (20)

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 

Word camp orange county 2012 enduser security

  • 2. Who Am I
    Hi, my name is Tony Perez | @perezbox
    Marine Corps – War Vet
    Sucuri Security
    Objectivity and rationalism
    Gun carrying, Harley riding, Martial Artist.
    Web-malware is my life
    @sucuri_security @perezbox #wcoc 2 6/2/2012
  • 3. What are we going to talk about?
    Web Security
    Look at some statistics…
    Provide an understanding of web malware
    Understand the threat landscape a bit…
    Look at some of the recent trends…
    Give some hardening tips
    Get into the recommendations…
  • 4. Thinking about Web Security
    Web Security: Access, Containment, Knowledge
  • 6. Web Numbers
    > 700 Million – websites as of May 2012 – Netcraft
    300 Million – Number of websites in 2011 – Pingdom
    10.82 Billion – Number of indexed pages – WorldWebSize
    2.1 Billion – Number of internet users worldwide – Pingdom
    Projected that:
      1 Billion – 2013
      2 Billion – 2015
  • 7. WordPress Numbers
    73 Million + – Number of WP powered sites
    16% – Of all websites run WordPress
    22 – Out of every 100 new domains in the U.S.
    54% – CMS market share
      62% – Market share of top 1,000,000 sites
      53% – Market share of top 100,000 sites
      55% – Market share of top 10,000 sites
    Projection
      300 – 500 Million – 2015
  • 8. Web Malware Numbers
    403 Million – Unique variants of malware 2011
      140% Growth – 2010 – 2011 in unique variants
    55,294 – Malicious web domains in 2011
      130% Growth – 2010 – 2011 in malicious domains
    81% – Increase in malicious web-based attacks between 2010 / 2011
    42 Billion – Global SPAM per day 2011
    (Source: Symantec Internet Security Threat Report, Vol 17)
  • 9. Gah… NO MORE NUMBERS
    The web is growing at an unprecedented pace.
    WordPress growth – astronomical and gaining
    Web-based malware is not far behind
    To have a virtual presence you must consider the security of your website
  • 11. Thinking about Web Security
    Access – Minimize, Control, Authentication
    Containment – Reduce Threat Impact
    Knowledge – Have a Plan, Be prepared
  • 12. Web-based Malware
    Malware – Short for malicious software. This software is designed to disrupt operation of an information system (i.e., local machine, server, mobile device, etc.)
    "In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack." – BlueCoat 2012 Web Security Report
  • 13. Types of Malware
    Obfuscated JavaScript
    Stupid, Pointless, Annoying Messages (SPAM)
    Hidden & Malicious iFrames
    Defacement
    Embedded Trojans
    Anomalies
    Phishing Attempts
    IP Cloaking
    Malicious Redirects
    Drive by Downloads
    Backdoors (e.g., C99, R57, Webshells)
  • 14. Attack Vectors
    User Issues
      Out-of-Date Software
      Social Engineering
      Compromised Credentials
    Software Issues
      SQL Injection
      Cross-Site Scripting (XSS)
      Cross-Site Request Forgery (XSRF)
      Remote Execution
  • 15. Most Common Distributions
    Social Engineering
      Trick you into installing malware
      Compromising credentials
      Websites, Email, Twitter
    Drive-by-Downloads
      Install malware after exploiting a vulnerability – big issue for us in the WP community
      iFrame (52.6%) and JS injections (26.5%)
    Malicious redirects
      Redirect user to another site, often one distributing malware
  • 16. Threat Landscape
    Threat / environmental landscape: End User, Local Environment, Application, Web Server, Administration, Network
  • 17. The Attacker
    Types
      White-Hat
      Ethical / Grey Hat
      Script Kiddie
      Hacktivist
      Cracker / Black Hat
    Culture
      Has code of ethics, heroes and villains and competing gangs
      Knowledge is power
      Most believe information and computer access should be freely shared
      Major motivation among hackers is status
      Financial gain is a strong motivation with crackers – Robin Hood mindset – ok to steal
  • 18. But I only write about lazy lizards!!!!
    Opportunistic Attacks
    Road of least resistance
    Political Agenda / Further Cause
    Mass Exposure
    In short – it doesn't matter what you write about, you have a virtual presence
  • 19. Is WordPress insecure?
    Out of the box, core is well built and secure
    It's no longer the days of 1.5
    Security team is in place to quickly address and patch issues
    Extensibility – both its strength and weakness
    With popularity comes a target… think Windows for local environments
    Easy target because of its exposure; attackers are focusing on the platform
    Road of least resistance
  • 20. Recent Vulnerabilities and Infections
    Vulnerabilities
      PHP-CGI Vulnerability – Patched
      WooThemes Vulnerability – Patched
      TimThumb Vulnerability – Patched
    Campaigns
      Recovery-hdd.eu Malware Campaign
      Nikjju Mass Injection Campaign
      GetMama Conditional Malware Campaign
      .RR.NU Malware Campaign
      Sweepstake Malware Campaign
  • 21. Top reasons why we see these infections
    Poor credential management
    Poor system administration
    Soup Kitchen Servers
    Out of date software
    Lack of web knowledge
    Use of self-proclaimed "experts"
    Cutting corners
  • 22. So what can you do? Glad you asked
  • 23. Reduce Threat Risk
    Update
    Credentials
    Communicate Securely
    Themes / Plugins
    Harden Your Install
    Don't forget your local environment
    Knowledge – Resources
  • 24. Update, Update, Update
    Leading cause of infections
    If your theme is so coupled with core that it can't be updated, consider purchasing a new one
    PHP, Core, Themes, Plugins, JavaScript…
  • 25. Credentials (user / password)
    Basics
      Avoid using 'Admin' & 'Administrator'
      Use Strong Passwords
      Use one time – Password manager
      Use Password Manager
      In short:
        No Dates
        No Names
        No Pets
        No Places
        A = @, E = 3, S = $, O = 0 – They know this
    Take-Aways
      Complex Unique password
        Upper / Lower
        Symbols
        Numbers
        Longer than 18 characters
        Passphrases
      Online Generator: http://www.onlinepasswordgenerator.com/password.php
      LastPass – Free – Online / Mobile Access
        https://lastpass.com/
      1Password
        https://agilebits.com/onepassword
  • 26. Data Dictionary / Defacement
  • 27. Communicate Securely
    Communication mechanisms
      File Transfer Protocol (FTP)
      Secret File Transfer Protocol (SFTP)
      Secure Shell (SSH)
    Tools
      Filezilla
      Coda
      NCFTP
    SFTP / SSH – Best Approach
      Google: How to create SFTP account on [Host Name]
      Google: How to enable SSH on [Host Name]
  • 28. Safe Themes / Plugins
    WordPress Repository is a good place to start
      19.6k+ – Available Plugins
      1.5k+ – Available Themes
    Look for good descriptions of the theme or plugin
    Look to see versions and updates
    Active change log is always good
    Theme-check & Plugin-check are good tools to check potential issues
    Free Theme? http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  • 29. Plugins To Avoid
    WPStats.org SPAM – Fake Advanced Search Plugin
      SEO poisoning – Bad
      http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search-plugin.html
    Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0)
      Upload / Server control – Very Bad
      http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with-pwwangs-code-for-wordpress-version-1-0-0.html
    Absolute Privacy Plugin
      Known vulnerability
      http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html
    ToolsPack Plugin
      Dangerous backdoor – full access – Very Bad
      http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html
  • 32. HTACCESS is your Friend
    Configuration file for web servers using Apache
    Features:
      Error Documents
      Redirects
      Password Protection
      Deny visitors by IP
      Hot link prevention
      Access prevention
      More?
    Apply these changes at your own peril – you run the risk of blowing up your site
  • 33. Protect HTACCESS
    Permission <= 640
      # PROTECT HTACCESS (the file name is case-sensitive, so match ".htaccess" exactly)
      <Files .htaccess>
      Order Allow,Deny
      Deny from all
      </Files>
  • 34. Protect WP-Config
    .htaccess
    Permissions <= 640
      # PROTECT WP-CONFIG
      <Files wp-config.php>
      Order Allow,Deny
      Deny from all
      </Files>
  • 35. Authentication Keys
    wp-config.php
    Encrypts information stored in users' cookies
    https://api.wordpress.org/secret-key/1.1/salt/
    Resource: http://codex.wordpress.org/Editing_wp-config.php
  • 36. Database Prefix
    Default is "wp_"
    wp-config.php
  • 37. Admin User
    Created by "default" in versions <= 3.0
    In higher versions you can define your own administrator
    Create a new user, apply the "administrator" role
    Be mindful of any posts created by the "admin" user
    Delete the "admin" user
  • 38. Disable Directory Listing
    Nobody should know the color of your skivvies
    Default in most hosts, not always
      # PREVENT DIRECTORY LISTINGS
      Options -Indexes
  • 39. Disable Plugin / Theme Editor
    wp-config.php file
    Remove the ability to modify your files via your wp-admin panel – force the use of SFTP / SSH and your local IDE
      # Disable Plugin / Theme Editor
      define('DISALLOW_FILE_EDIT', true);
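As an added example (not from the slides), here is a Python audit of the three wp-config.php settings covered on slides 35, 36 and 39: replaced, distinct keys and salts, a non-default table prefix, and DISALLOW_FILE_EDIT. The two sample configs are constructed; the eight key names are the constants WordPress itself defines.

```python
"""Audit a wp-config.php for the hardening settings on slides 35, 36 and 39."""
import re

# Placeholder shipped in wp-config-sample.php; a key left like this is as good as none.
PLACEHOLDER = "put your unique phrase here"
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# define('NAME', value); -- value is a quoted string (salts may contain ';' or ')')
# or a bare literal such as true.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*"""
    r"""(?P<value>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^)]*?)\s*\)\s*;""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]\s*;""")


def parse_defines(source):
    """Return {NAME: raw PHP value text} for every define() in the config."""
    return {m.group("name"): m.group("value").strip() for m in DEFINE_RE.finditer(source)}


def php_string(value):
    """Unwrap a single- or double-quoted PHP string literal; None if not a string."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return None


def audit_wp_config(source):
    """Return a list of findings (strings); an empty list means every check passed."""
    findings = []
    defines = parse_defines(source)

    # Slide 39: the plugin/theme editor must be disabled with the boolean true.
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")

    # Slide 36: the default "wp_" prefix should be changed.
    m = PREFIX_RE.search(source)
    if m is None or m.group("prefix") == "wp_":
        findings.append("table prefix is missing or still the default 'wp_'")

    # Slide 35: all eight keys/salts present, replaced, long and distinct.
    seen = set()
    for key in SALT_KEYS:
        val = php_string(defines.get(key, ""))
        if val is None:
            findings.append(f"{key} is not defined")
            continue
        if PLACEHOLDER in val:
            findings.append(f"{key} still holds the sample placeholder")
        elif len(val) < 64:  # the api.wordpress.org generator emits 64-character values
            findings.append(f"{key} is shorter than 64 characters")
        if val in seen:
            findings.append(f"{key} duplicates another key")
        seen.add(val)
    return findings


# Constructed sample: a config that kept the sample file's defaults.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'short');
$table_prefix = 'wp_';
"""

# Constructed sample: every key distinct and 64 characters, custom prefix, editor disabled.
HARDENED_CONFIG = "<?php\n" + "".join(
    f"define('{k}', '{k.lower()}:{'x' * (64 - len(k) - 1)}');\n" for k in SALT_KEYS
) + "$table_prefix = 'a7q_';\ndefine('DISALLOW_FILE_EDIT', true);\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "OK")
```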
  • 40. Permissions
    Directories: 755
      find [path to install] -type d -exec chmod 755 {} \;
    Files: 644
      find [path to install] -type f -exec chmod 644 {} \;
    Important Files
      .htaccess = 644
      wp-config.php = 600
      php.ini = 600
      php.cgi = 711
      php5.cgi = 100
    Reading: http://codex.wordpress.org/Changing_File_Permissions
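An added example, not part of the deck, that applies slide 40's permission targets as an audit rather than a blanket chmod: it walks a constructed miniature install, reports every path whose mode differs from the policy (including the per-file exceptions such as wp-config.php = 600) and, on request, fixes only those paths.

```python
"""Audit a WordPress tree against the slide 40 permission targets, optionally fixing them."""
import os
import stat
import tempfile

# Policy from slide 40: directories 755, files 644, plus the named exceptions.
DIR_MODE = 0o755
FILE_MODE = 0o644
SPECIAL_FILES = {
    ".htaccess": 0o644,
    "wp-config.php": 0o600,
    "php.ini": 0o600,
    "php.cgi": 0o711,
    "php5.cgi": 0o100,
}


def expected_mode(path, is_dir):
    """Mode the policy wants for this path."""
    if is_dir:
        return DIR_MODE
    return SPECIAL_FILES.get(os.path.basename(path), FILE_MODE)


def audit_permissions(root, fix=False):
    """Return [(relative path, actual mode, expected mode)] for every deviation.

    With fix=True each deviating path is chmod'ed to the expected mode: the same
    effect as the slide's two find/chmod commands, but touching only what is wrong
    and honouring the per-file exceptions (wp-config.php = 600 and so on).
    """
    deviations = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):  # symlinks carry no mode of their own
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if actual != want:
                deviations.append((os.path.relpath(path, root), actual, want))
                if fix:
                    os.chmod(path, want)
    return deviations


def format_report(deviations):
    """Human-readable lines such as 'wp-config.php: 644 -> 600'."""
    return [f"{p}: {a:o} -> {w:o}" for p, a, w in deviations]


def build_sample_install():
    """Constructed miniature WordPress tree with deliberately loose permissions."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-config.php": 0o644,                 # should be 600
        ".htaccess": 0o666,                     # should be 644, is world-writable
        "index.php": 0o644,                     # fine
        "wp-content/uploads/photo.jpg": 0o777,  # should be 644
        "wp-includes/functions.php": 0o644,     # fine
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("// constructed sample file\n")
        os.chmod(path, mode)
    for dirpath, _, _ in os.walk(root):  # every directory 755 first ...
        os.chmod(dirpath, DIR_MODE)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # ... then loosen one
    return root


if __name__ == "__main__":
    root = build_sample_install()
    print("\n".join(format_report(audit_permissions(root))))
    audit_permissions(root, fix=True)
    print("after fix:", audit_permissions(root))
```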
  • 41. Protect WP-Admin
    If you have a dynamic IP this might be problematic
    Consider HTTPS (Heavy / Complicated) or Basic Authentication (Effective / Simple)
      # SECURE Access to WP-ADMIN (.htaccess placed in the wp-admin directory)
      <FilesMatch ".*">
      Order Deny,Allow
      Deny from all
      Allow from [IP Address]
      </FilesMatch>
  • 42. Harden WP-Includes
    Create .htaccess in wp-includes directory
      # PROTECT WP-INCLUDES
      # Note: WordPress serves a few PHP files from here directly (the TinyMCE loader,
      # for example), so check the admin editor still works after applying this
      <FilesMatch "\.php$">
      Order Allow,Deny
      Deny from all
      </FilesMatch>
  • 43. Harden WP-Content
    Create .htaccess in wp-content directory
    Most vulnerable; contains the Uploads directory, often the attack vector
    It can be moved, but if you're an end-user don't touch it – hire a pro – lots of dependencies
      # PROTECT WP-CONTENT
      # Note: plugins whose PHP files are requested directly by the browser will break; test first
      <FilesMatch "\.php$">
      Order Allow,Deny
      Deny from all
      </FilesMatch>
  • 44. Limit Upload
    Most shells < 1 MB
    Good idea anyway
      # limit request body (file uploads) to ~10 MB
      LimitRequestBody 10240000
  • 45. Protect Against Bots
    Malnets are a growing problem; proactively protect against them using a Web Application Firewall
    Perishable Press – 5G Blacklist 2012
      http://perishablepress.com/5g-blacklist-2012/
  • 46. 5G WordPress Add-On
    Don't want to add all that other stuff? No problem, try this condensed version for WordPress
    Doesn't require the 5G Blacklist and helps protect against bad URL requests – i.e., helps take the load off your server from these very annoying requests
    Source: http://perishablepress.com/wordpress-5g-blacklist/
    Careful – wp-signup required for MultiSite
  • 47. Secure Login Page
    There are a number of plugins you can use for this, or you can turn to your .htaccess again
    Might be an issue if your IP is not static
      <Files wp-login.php>
      Order Deny,Allow
      Deny from All
      Allow from [Your IP]
      </Files>
  • 48. Protect against XSS
    Deny bad query strings – in short, don't become a victim of cross-site scripting
      # QUERY STRING EXPLOITS
      # Note: these patterns are broad (tag=, http:, config, ...) and will also reject
      # some legitimate WordPress requests; test against your own URLs before deploying
      <IfModule mod_rewrite.c>
      RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
      RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
      RewriteCond %{QUERY_STRING} tag= [NC,OR]
      RewriteCond %{QUERY_STRING} ftp: [NC,OR]
      RewriteCond %{QUERY_STRING} http: [NC,OR]
      RewriteCond %{QUERY_STRING} https: [NC,OR]
      RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
      RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
      RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
      RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
      RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
      RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
      RewriteRule ^(.*)$ - [F,L]
      </IfModule>
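To see what the ruleset above actually matches before it goes into a live .htaccess, here is an added example (not from the deck or from Sucuri) that feeds constructed query strings through the same patterns with grep; `qs_blocked` and `check_samples` are names chosen here. It also shows the cost of patterns this broad: ordinary WordPress requests such as ?tag=... or a redirect_to=http://... login parameter are rejected along with the probes.

```shell
#!/bin/sh
# Added example (not from the slides): evaluate the "QUERY STRING EXPLOITS"
# patterns offline against sample query strings. Each line in the rules file
# is one RewriteCond expression from the slide; "grep -E -i" stands in for
# Apache's case-insensitive ([NC]) regex match. The ^.* ... .* wrappers are
# dropped (they do not change whether a pattern matches) and the single-
# character alternation is written as an equivalent bracket expression.
QS_RULES=$(mktemp)
trap 'rm -f "$QS_RULES"' EXIT
cat >"$QS_RULES" <<'EOF'
\.\./
boot\.ini
tag=
ftp:
http:
https:
mosConfig
[][()<>'";?*]
%22|%27|%3C|%3E|%5C|%7B|%7C
%0|%A|%B|%C|%D|%E|%F|127\.0
globals|encode|config|localhost|loopback
request|select|insert|union|declare|drop
EOF

# Exit status 0: the query string matches a rule and Apache would answer 403.
qs_blocked() {
  printf '%s\n' "$1" | grep -E -i -q -f "$QS_RULES"
}

# Constructed sample query strings (no real site involved). The first two are
# the kind of probe the rules exist for; the next three are ordinary WordPress
# requests that the same rules reject, which is why a blacklist like this has
# to be checked against the site's real URLs before it is deployed.
check_samples() {
  while IFS= read -r qs; do
    if qs_blocked "$qs"; then
      printf 'BLOCK  ?%s\n' "$qs"
    else
      printf 'allow  ?%s\n' "$qs"
    fi
  done <<'EOF'
file=../../boot.ini
s=%3Cscript%3E
tag=security
redirect_to=http://example.invalid/wp-admin/
s=how+to+edit+a+config+file
p=123
s=hello
EOF
}

check_samples
```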
  • 49. SPAM Comments
    SPAM in your comments can get you blacklisted just as fast as injections on your pages
    Disable comments on pages if you don't want them
    Set comments to close after a certain amount of time: Settings > Discussion > Other Comment Settings > Automatically close comments on articles older than XX days
    Use Akismet
  • 50. Cross-Site Contamination
    Most of the things provided so far help protect you from external attacks. Internal attacks are just as prevalent.
    Growing problem – "Soup Kitchen" servers: Development, Staging, Testing, Production – 1 environment
    http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html
    http://blog.sucuri.net/2012/03/website-cross-contamination-blackhat-seo-spam-malware.html
  • 51. Security Plugins
    Sucuri Clients – Sucuri Security – Free to Clients
      Web Application Firewall
      Integrity Monitoring
      Auditing
      Hardening
      More: http://sucuri.net/services/preventive
    Not a client? No problem, other good options include:
      Login Lock – http://wordpress.org/extend/plugins/login-lock/
      WordPress File Monitor – http://wordpress.org/extend/plugins/wordpress-file-monitor/
      WordPress Firewall 2 – http://wordpress.org/extend/plugins/wordpress-firewall-2/
      BulletProof Security – http://wordpress.org/extend/plugins/bulletproof-security/
  • 52. Still have a malware problem?
  • 53. Two Approaches
    Do it Yourself
      Forums are your friend
      Requires time and patience
      Leverage free tools
      Know when you're in over your head
      Can take time – hours, days, weeks, months
    Hire a Professional
      Will cost money
      Alleviates the stress
      Gets you up and running in hours, if not days
  • 54. Support Forums
    WordPress.org
      Hacked: http://wordpress.org/tags/hacked
      Malware: http://wordpress.org/tags/malware
    BadwareBusters.org
      https://badwarebusters.org/
  • 55. Things to Know when Engaging Professionals
    Know who your host is and how to contact them in the event of an emergency
    Know how to access your server – FTP, SFTP, SSH, FTPS
    Have a backup accessible
    Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
  • 56. Tips & Tricks
    After all this you might still become infected, and if you do here are a few tips to keep you going:
      1. Immediately change all credentials – wp-admin, database, cPanel
      2. Log into your database and check all the users
      3. Replace WP manually – avoid the default updater
      4. Defacements – look at your index files (watch out for ".html" and "index2.php")
      5. Use a live scanner: http://sitecheck.sucuri.net
      6. Use the terminal to grep and find the issues reported
      7. Restore the site from a clean backup
      8. Purge your cache
      9. Disable plugins, validate each plugin
      10. Engage a professional
  • 58. FREE Real Time Virus Scanners
    Sucuri SiteCheck: http://sitecheck.sucuri.net
    Unmask Parasites: http://unmaskparasites.com/
  • 59. Blacklisting Authorities
    Google – Chrome, Firefox, Search Engine Results Page (SERP)
      http://www.google.com/webmaster/tools
      http://www.google.com/safebrowsing/diagnostic?site=[your site]
    Bing – Internet Explorer
      http://www.bing.com/toolbox/webmaster/
    Norton – Facebook
      http://safeweb.norton.com/
    AVG – Opera
      http://www.avgthreatlabs.com/sitereports/
  • 60. Useful Plugins
    Know what you're using:
      Theme-Check – Authors: Pross, Otto42 – http://wordpress.org/extend/plugins/theme-check/
      Plugin-Check – Author: Pross – http://wordpress.org/extend/plugins/plugin-check/
    Protect against comment SPAM:
      Akismet – Authors: Matt, Ryan, Andy, mdawaffe – http://wordpress.org/extend/plugins/akismet/ (still offers a free service)
    Backups are your friend:
      BackupBuddy – Author: iThemes – http://pluginbuddy.com/purchase/backupbuddy/
  • 61. Online Reading
    http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
    http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
    http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
    http://codex.wordpress.org/Hardening_WordPress
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wpsecure.net/
  • 62. Online Tools
    http://www.botsvsbrowsers.com/SimulateUserAgent.asp
    http://www.tareeinternet.com/scripts/base.html
    http://www.tareeinternet.com/scripts/decrypt.php
  • 63. Tony Perez
    Company: Sucuri Security
    Company site: http://sucuri.net
    Company blog: http://blog.sucuri.net
    Personal blog: http://perezbox.com
    Twitter: http://twitter.com/perezbox
    LinkedIn: http://linkedin.com/in/perezbox
    Email: tony@sucuri.net

Editor's Notes

  1. Good morning everyone.. No no no.. That’s just not going to do.. I said GOOD MORNING FOLKS… Oh yeah, now that’s what I’m talking about… Let’s see if we can’t get the blood flowing up in this room.. When I point to that side I want you to give me a WordPress, when I point to this side I want you to give me a Security… ready, here we go… you – WORDPRESS, you – Security, me – YUT, you – WordPress, you – Security, me – YUT. OUTSTANDING – little Mexican dance… nice to see you guys as excited as me.. Oh and if you get tired, please realize I can see all your eyeballs.. That includes the white… that’s right… I’m watching you…
  2. So as you might or might not know, my name is Tony Perez – I go by @perezbox. I’m a Colombian / Cuban with a bad attitude living in a world of Mexicans. I spent the better part of a year and a half doing two combat tours in Iraq in 2002 – 2003 and 2004 – 2005… I now work for a little company focusing on web security, specializing in integrity monitoring and remediation – you might have heard of us – Sucuri Security. I’m a gun carrying, Harley riding junior martial artist… And finally my life has been engulfed by a little thing called web-malware.
  3. Well obviously we are going to talk about some good ole web security… not exciting, but it’s a necessary evil. It’s important to understand though that it’s but one small slice of the information security pie and it’d be impractical to think we can cover it in 50 minutes… but hopefully I’m able to give you a much better understanding of the concept and empower you with knowledge. We’ll take a quick peek at some numbers that I am personally intrigued by, as they help put things into perspective around the web and web malware and specifically their relationship to WordPress. Then, before we get into hardening tips and real tangible take-aways, I want to provide a better understanding of the threat landscape and how and where you fit in that. How’s that sound? Do we need to stretch? Sing?
  4. As we talk about Web Security I want us to keep in mind these three areas of interest – Access, Containment, and Knowledge.. These will be the three areas of discussion during the next 40 minutes.
  5. These are some astronomical numbers.. In 2011 there were 300 million websites that came online.. In December of 2011 there were a total of 555 million websites running… holy smokes.. In one year we had 300 million websites come online.. I just want that to sink in; before that we were at about 200 million.. Over 10.8 BILLION indexed pages.. That’s just an astronomical number to wrap your head around… So how does WordPress fit into the mold…
  6. So as it stands, of all the websites out there… it’s estimated that WordPress owns about 16% of the market – that’s blogs, CMSs.. etc… so that is 16% of approximately 555 million websites.. In the US alone 22 out of every 100 websites are WordPress powered.. Here is an interesting fact.. In the CMS domain, WP is dominating the space with something close to 54% market share.. Wow.. Impressive, I must admit.
  7. In 2011, according to Symantec, they captured about 403 million unique malware variants.. Now, to caveat, that is malware across desktops, mobile devices, web etc.. Still an astronomical number. This was a 140% growth over 2010. In 2011, approximately 55,294 malicious domains were detected.. That’s a 130% growth from 2010, and as for web-based attacks, there was an 81% increase.
     __________________________
     Previous:
       286 Million – Variants in 2010
       42,926 – malicious web domains in 2010
  8. So what does this mean.. Easy.. The web is a very large, large place and the platform we all love and use is quickly gaining market share at a very astronomical rate. More important to our discussion is the growth of web-malware and how important it is that it’s not an afterthought, but part of your administration and / or project lifecycles if you’re managing a WordPress instance and / or developing it for a client. It is a problem we must all share responsibility in.
  9. That being said.. Let’s get into some Web Security folks…
  10. You might remember this slide from the beginning.. As we walk through the next few slides I want you to think about these three domains.. Specifically on CONTROLLING and AUTHENTICATING ACCESS; while we all wish that an infection will never affect us, plan and ensure that you reduce your threat profile and minimize the total impact. Lastly, allow yourself to learn such that you are able to put a plan in place to both prevent and remediate; being prepared is the key and you will accomplish this through knowledge.
  11. So malware – by definition designed to disrupt the function of the system… whatever it may be, your mobile device, notebook or website.. In 2011 however, the concept of malnets – or malware networks – began to make a real impact on the web malware domain. Most of you will know and recognize malnets as BOTS.. These are highly complex networks designed to scale according to their needs and last well beyond any one attack… If you look closely at the image, what you’re actually seeing is the top 5 malnets being tracked by BlueCoat and how they scale over time.. Often dependent on what activities are being planned or executed… The network will shrink, waiting for a reason to grow.. And as an event arises – say a death of a superstar, an election, a holiday, something that warrants an action – it will grow to impact as many people as possible.. This is what a BOT is…
  12. Social Engineering – the art of manipulating users to divulge credentials and other sensitive information.
     XSS – allows you to inject client-side scripts into the web pages.
     XSRF – Session is hijacked and unauthorized commands are executed under an authenticated user.
  13. Every day, at least twice a day, I get a client ask… Please make this go away for good… and I find myself going into a discussion of the threat landscape… I swear, I literally feel their eyes rolling into the back of their heads on the phone… So I decided to include this slide because it illustrates best what makes up the threat landscape.. Is it all encompassing? Absolutely not.. But does it work to bring home the point? Absolutely… The risk can never be 0 and this is why.. Too many variables to account for.
  14. White hats – those that work at companies like mine, or the Symantecs, Trends, Nortons of the world…
     Ethical / Grey hats – Obviously between the whites and blacks.. Not usually out to intentionally harm, often find vulnerabilities and disclose.. Sometimes more appropriately than others..
     Script kiddies – kind of a derogatory term in the community for the newbies that know enough to be dangerous. As the name implies, they often employ existing scripts used to exploit known vulnerabilities.
     Hacktivists – by far one of the fastest growing types of attackers – driven by politics, culture, religion – you wake up one day and you’re flying the Syrian flag or pleading for the release of Libyan fighters..
     Black hats – known as crackers – these are the guys intent on taking something good and turning it into something bad – highly intelligent, technically sound.
  15. Gah.. If I had a nickel for every time someone asked us this… What I can say is it’s not the days of version 1.5; as the product has matured so have the controls that help ensure that at every release a safe product is being released. While not perfect, there is a great team within the core contributors designed to quickly address issues and push patches once identified. So then why do we see so many WordPress sites infected? Well, I think the answer comes down to two things – extensibility and ease of use. It is to the point where the application is so easy to use that almost anyone is able to install, operate and manage an instance. The same applies to the extensibility; by its nature it’s an extensible platform, which is great, but it’s also its most vulnerable point and often where we see attack vectors introduced. Lastly, the darn thing is popular, folks, for the reasons I mentioned before… Remember the stats? That popularity brings about a target… I would say that in 80% of the attacks we see, it’s the road of least resistance that has allowed your WordPress instance to be compromised.
  16. Don’t worry, I won’t bore you with the specifics of these, but I wanted to quickly show off some of the more recent issues in the past 6 months.. Just to show how valid of an issue this is.. And yes.. TimThumb is still very much a problem today…
  17. You are the webmaster of today! Recognize it, embrace it. Your local environment is as important as your web server. When was the last time you ran a local anti-virus? Did you know that most anti-virus only catch 70 – 80% of infections? Run multiple.
  18. Move out of the web directory
     Up a directory
     Be wary of plugins that hardcode the location
     Available since 2.6
  19. Caution: 600 could break some things
     FTP user and PHP user are not going to be the same – ideal setups
     IDEALLY one is the owner of the file and others in the group
     660 is ok
     The Lowest Permission that Works!!
  20. Caution: this would block wp-signup.php – WP Multisite file