Joomla Security: Bare essentials to serious measures
Brendon Hatcher, Technical Director
Photo: flickr.com/photos/carbonnyc
Understanding hackers and hacking
- Definitions of "hacker"
- Hackers' motivations
- Evidence of hacking
What is a hacker?
- Someone who deliberately seeks to bypass a server's security
  - Black, grey, white hats
  - A hacked site is a broken/compromised site
- A skilled computer programmer
  - A hacked site is a tweaked and improved site
- A script kiddie
  - Junior hacker using other hackers' tools and techniques
Hackers' motivations
- To see if they can
- To create mayhem
- For social standing in the sub-culture
- For political reasons: hacktivism
- For financial reasons
  - Theft: steal ebooks, videos, games, online services etc.
  - Sell data: user profiles, credit card details etc.
  - Industrial sabotage: paid to break competitor sites
  - Set up zombie farms
  - Steal bandwidth
  - Host phishing pages
  - Collect passwords
Evidence of hacking
- None!
- Site trashed
- Hacking message
- High bandwidth use
- Changed admin password
- New user with admin rights
- Server logs
Why be concerned about security?
- No-one is safe
- Hacking is actually quite easy
- Fixing hacked sites is tricky
- Hacked sites are a big problem
No-one is safe

Why worry about hacking?
- Sites are targeted at random
- Hacking is actually quite easy
  - Vulnerable sites are easy to find
  - Vulnerable sites are easy to hack
- Fixing hacked sites is quite tricky
  - Hacks can be invisible
  - Clients may not notice a hacked site for some time
  - Finding a clean backup may be impossible
  - Determining what has been done can be really hard
  - May be difficult to restore
  - Hardening a site to avoid future hacks requires skill and focus
Why worry about hacking?
- Hacked sites are a big problem
  - Business reputation
  - Angry clients
  - Site shutdown by host
  - Loss of business
  - Data theft
Photo: flickr.com/photos/gaetanlee/
Hacking a Joomla site
- Is Joomla less secure than other systems?
- The site must be vulnerable
- 3 steps to hacking for fun and profit
Is Joomla less secure than other systems?
- Yes and no
- Joomla has to strike a balance between security and ease of use
- Joomla is an attractive target for hackers
  - The critical mass of sites
  - Large amateur web developer user base
  - Extensions have variable security
- The site must be vulnerable
3 steps to hacking for fun and profit
1. Find a vulnerability (and instructions on how to exploit it)
2. Find a vulnerable site
3. Hack the site
Then, sit back and enjoy fame and fortune!
Find a vulnerability
- Security sites: www.exploit-db.com, www.secunia.com
- Various hacking sites/forums
- Joomla vulnerable extensions list: docs.joomla.org/Vulnerable_Extensions_List
Find a vulnerable site
- Google Dork: a search phrase to find vulnerable sites
  - PHPInfo: intitle:phpinfo()
  - Vulnerable extensions: allinurl:com_acajoom
Cut and paste hack code
http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*
Photo: flickr.com/photos/tawheedmanzoor
Security action plan
- Web sites are like onions
- Levels of security
- Web development tools
- Strong, unique passwords everywhere
- Continuous attention
Web sites are like onions
- Server operating system
- Apache
- PHP + MySQL
- Joomla
- Extensions
- Users and their behaviour

Levels of security
- [1] Basic actions
- [2] More complex actions
- [3] Actions that require significant modification rights on the server (unless already implemented by default)
Image by echiner1
Web development tools
- WHM: server administration
- cPanel: hosting account administration
- FileZilla: FTP app
- KeePass: password vault
General advice
- Strong, unique passwords everywhere
  - A password vault removes the need to have a single, simple password
- Continuous attention needed
Creating a safe home for Joomla
- Shared, VPS or dedicated servers?
- Apache
- PHP
- MySQL
Shared, VPS or dedicated servers?A shared serverYour site(s) live in the same hosting space as other sites that you do not administerThis is the cheapest hosting option.  No say over the security of the other sites on the serverOld shared server is the worst location for your hostingA Virtual Private ServerBetter than sharedStill can’t change many settings
Shared, VPS or dedicated servers?A dedicated serverStill a “shared” serverAllow you to upgrade and tweak all the settings on a dedicated serverHost retains responsibility for maintenance
Additional security
- Suhosin: hardens PHP
- Samhain or Tripwire: file integrity checkers
- ConfigServer firewall
Apache
- [3] suExec: CGI scripts run under the user of the website instead of the Apache user
- [3] mod_security: intrusion detection and prevention engine
PHP
- [2] PHP5, not PHP4
- [3] suPHP: PHP files are run under the user of the website instead of the Apache user
- Globally reset all files (run from the Joomla root)
  - Owner: AccountUsername:AccountUsername
      chown -R user:group .      # "." rather than "*" so dotfiles such as .htaccess are included
  - Files: 644
      find . -type f -exec chmod 644 {} \;
  - Folders: 755
      find . -type d -exec chmod 755 {} \;
Hosting account
- .htaccess files
  - [1] Activate the htaccess file in the Joomla root
  - [1] Use an .htpasswd for the /administrator/ folder
  - [3] Advanced .htaccess files
- A LOT more important detail in the manual
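The permission reset from the PHP slide and the .htpasswd protection for /administrator/ from this slide, as one added POSIX shell example (not from the talk or from Joomla itself). It assumes an Apache host that honours .htaccess files (AllowOverride AuthConfig) and a Joomla root passed as the first argument; the ownership reset needs root, so it is only attempted when an owner:group is supplied. The password file path and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: reset Joomla file/folder permissions and put HTTP Basic
# authentication in front of /administrator/ via .htaccess.
set -eu

# reset_joomla_perms ROOT [OWNER:GROUP]
# Files -> 644, directories -> 755, optional recursive chown (needs root).
reset_joomla_perms() {
  root=$1
  owner=${2:-}
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
  if [ -n "$owner" ]; then
    # chown the directory itself (not "*") so dotfiles such as .htaccess are covered
    chown -R "$owner" "$root"
  fi
  find "$root" -type f -exec chmod 644 {} \;
  find "$root" -type d -exec chmod 755 {} \;
}

# write_admin_htaccess ROOT HTPASSWD_PATH
# Writes ROOT/administrator/.htaccess requiring a valid user from HTPASSWD_PATH.
# The password file must live outside the web root so it can never be served;
# create it with:  htpasswd -c HTPASSWD_PATH adminuser   (Apache's htpasswd tool)
write_admin_htaccess() {
  root=$1
  htpasswd=$2
  admin_dir="$root/administrator"
  [ -d "$admin_dir" ] || { echo "no administrator folder under $root" >&2; return 1; }
  case $htpasswd in
    "$root"/*) echo "refusing: .htpasswd must not be inside the web root" >&2; return 1 ;;
  esac
  cat > "$admin_dir/.htaccess" <<EOF
# Second login layer in front of the Joomla administrator (written by hardening script)
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile $htpasswd
Require valid-user
EOF
  chmod 644 "$admin_dir/.htaccess"
}

# perms_ok ROOT -> exit status 0 when no file under ROOT is group/world-writable
# or owner-executable, i.e. everything is at most 644.
perms_ok() {
  root=$1
  bad=$(find "$root" -type f \( -perm -002 -o -perm -020 -o -perm -100 \) | wc -l | tr -d ' ')
  [ "$bad" -eq 0 ]
}

# demo: run the hardening against a throwaway tree (constructed here, not a real site)
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/administrator" "$tmp/images"
  printf '<?php\n' > "$tmp/index.php"
  chmod 777 "$tmp/index.php"            # deliberately sloppy starting state
  reset_joomla_perms "$tmp"
  write_admin_htaccess "$tmp" "/home/account/.htpasswd_admin"   # hypothetical path
  perms_ok "$tmp" && grep -q 'Require valid-user' "$tmp/administrator/.htaccess" \
    && echo "hardened: $tmp"
}
```

Run `demo` for a dry run on a temporary tree, or call `reset_joomla_perms /home/account/public_html account:account` followed by `write_admin_htaccess /home/account/public_html /home/account/.htpasswd_admin` on a real account. On a suPHP/suExec host the files should be owned by the hosting account, which is exactly why the chown is recursive over the whole tree.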
Securing a Joomla site
- Keeping up to date
- Avoiding the obvious
- Hide, and be very, very quiet
- Spam form submissions
- Install sh404SEF
Keeping up to date
- Must update Joomla core and extensions
- Remove unused extensions
Avoiding the obvious
- [1] The default database table prefix is jos_
- [1] The default admin username is admin
- [1] The default admin user ID is 62
- [1] Change the administrator access URL
Hide, and be very, very quiet
- [1] SEF all URLs
- [1] Clear the default Joomla metatags
- [1] Clear the default Home page title
- [1] Remove the generator tag
- [1] Change the favicon
- [2] Hide component credits
Spam form submissions
- Trying to inject spam content onto your site
- Targets Joomla core forms and extension forms
- Install a captcha system
Install sh404SEF
- SEF URLs hide from Google Dorks
- Flood control
- Other security settings
Creating a safe working environment
- PC vulnerability to hacks
- FTP access hacks
- A note about users
"Burglar bars, electric fences, alarms... and a key left under the doormat"
PC vulnerability to hacks
- [1] Install all operating system patches
- [1] Install all application patches
- [1] Run comprehensive real-time protection apps
- [1] Install Secunia PSI
- [1] Secure your PC login
- [1] Secure your backup storage
- [2] Use a secure web browser
FTP access hacks
- If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.
- FTP passwords are stored unencrypted in your FTP program!
- FTP authentication details pass unencrypted to the server!
- Several common FTP apps store their passwords in a standard location with a standard name!
FTP configuration[1] cPanel setupMake sure that the FTP password is strong[1] PC setupPassword vault (LastPass , Keepass ) to store the strong passwordMake sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)[1] FileZillaCopy all passwords to the password vault Delete all passwords from the Site ManagerSet FileZilla to run in Kiosk mode
FTP configuration[2] JoomlaRemove the FTP details from the configuration file[3] WHMDisable FTP access and allow only SFTP accessA note about usersYou should ideally create separate user accounts for each staff member
Preparing for the worst
- Site monitoring
- A disaster recovery plan
- Joomla site backups
- Restoring a hacked site
Site monitoring
- Diagnostics
  - Site down
  - Home page content changes
  - mod_security logs (show attempts)
  - Bandwidth use
  - Spam blacklisting
- [3] Searching and browsing server logs
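For the "searching and browsing server logs" item, an added POSIX shell example (not from the talk) that scans an Apache access log for the two kinds of attempt the earlier slides describe: copy-and-paste injection strings against extension URLs, and repeated knocks on /administrator/ that are refused. It assumes Apache's "combined" log format (status code in the ninth whitespace-separated field); the log lines it writes for its demo are constructed, with documentation-range IP addresses.

```shell
#!/bin/sh
# Added example: find injection probes and administrator knocking in an
# Apache combined access log and report the busiest source addresses.
set -eu

# Markers typical of pasted SQL injection strings: UNION ... SELECT with
# anything short in between (spaces, %20, /**/), the /**/ comment filler
# itself (raw or URL-encoded), concat( and the 0x3a hex separator.
SQLI_RE='union.{0,12}select|/\*\*/|%2F%2A%2A%2F|concat\(|0x3a'

# count_sqli_probes LOGFILE -> number of requests matching the injection markers
count_sqli_probes() {
  grep -iEc "$SQLI_RE" "$1" || true      # grep -c prints 0 but exits 1 on no match
}

# count_admin_probes LOGFILE -> requests to /administrator/ that were refused
# (401 from the .htpasswd layer, 403 from a deny rule, 404 from a moved admin URL)
count_admin_probes() {
  awk '$7 ~ /^\/administrator\// && ($9 == 401 || $9 == 403 || $9 == 404) { n++ }
       END { print n + 0 }' "$1"
}

# top_sources LOGFILE [N] -> "count ip" for the N addresses sending most injection probes
top_sources() {
  grep -iE "$SQLI_RE" "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# write_sample_log OUT -> constructed sample traffic (not a real log)
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Mar/2012:10:01:02 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2012:10:01:07 +0200] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1/**/union/**/select/**/1,concat(username,0x3a,password)/**/from/**/jos_users/* HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Mar/2012:10:01:09 +0200] "GET /index.php?option=com_acajoom&act=mailing&listid=1%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2012:10:02:11 +0200] "GET /administrator/ HTTP/1.1" 401 401 "-" "curl/7.21"
198.51.100.7 - - [10/Mar/2012:10:02:12 +0200] "GET /administrator/index.php HTTP/1.1" 401 401 "-" "curl/7.21"
203.0.113.5 - - [10/Mar/2012:10:03:30 +0200] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# demo: run the three checks over the constructed log
demo() {
  log=$(mktemp)
  write_sample_log "$log"
  echo "injection probes: $(count_sqli_probes "$log")"
  echo "refused admin requests: $(count_admin_probes "$log")"
  echo "top injection sources:"
  top_sources "$log" 3
  rm -f "$log"
}
```

Point the functions at the real log (`count_sqli_probes /home/account/access-logs/example.com`) from a daily cron job and alert when either count rises; note that a 200 next to an injection string, as in the second sample line, is the case worth investigating first, because the server answered the probe rather than refusing it.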
Disaster Recovery Plan
- Depending on how central your web site is to your business, you may need a DRP
- See Tom Canavan's presentation: http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery
Photo: flickr.com/photos/28481088@N00
Joomla site backups
- Long-cycle Joomla backups are critical
- Redundant backups lead to restful sleep
- See my Joomla for Web Developers talk for MUCH more detail
Restoring a hacked site
- Fixes the obvious problems
- Does not address:
  - Hidden hacks
  - Shell scripts
  - Backdoors
  - Zombies
  - Continuing vulnerabilities
  - Impacts of data exposure
Photo: flickr.com/photos/andreweason
Empowering Businesses in the Digital Age
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 

Brendon Hatcher Joomla Security

  • 12. 3 steps to hacking for fun and profit
    Find a vulnerability (and instructions on how to exploit it)
    Find a vulnerable site
    Hack the site
    Then, sit back and enjoy fame and fortune!
  • 13. Find a vulnerability
    Security sites: www.exploit-db.com, www.secunia.com
    Various hacking sites/forums
    Joomla vulnerable extensions list: docs.joomla.org/Vulnerable_Extensions_List
  • 14. Find a vulnerable site
    Google Dork - a search phrase to find vulnerable sites
    PHPInfo: intitle:phpinfo()
    Vulnerable extensions: allinurl:com_acajoom
  • 15. Cut and paste hack code
    http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*
    Photo: flickr.com/photos/tawheedmanzoor
  • 16. Security action plan
    Web sites are like onions
    Levels of security
    Web development tools
    Strong, unique passwords everywhere
    Continuous attention
  • 17. Web sites are like onions
    Server operating system
    Apache
    PHP + MySQL
    Joomla
  • 19. Users and their behaviour
    Levels of security
    [1] Basic actions
    [2] More complex actions
    [3] Actions that require significant modification rights on the server (unless already implemented by default)
    Image by echiner1
  • 20. Web development tools
    WHM – server administration
    cPanel – hosting account administration
    FileZilla – FTP app
    Keepass – password vault
  • 21. General advice
    Strong, unique passwords everywhere
    A password vault removes the need to have a single, simple password
    Continuous attention needed
  • 22. Creating a safe home for Joomla
    Shared, VPS or dedicated servers?
    Apache
    PHP
    MySQL
  • 23. Shared, VPS or dedicated servers?
    A shared server
    Your site(s) live in the same hosting space as other sites that you do not administer
    This is the cheapest hosting option
    No say over the security of the other sites on the server
    An old shared server is the worst location for your hosting
    A Virtual Private Server
    Better than shared
    Still can’t change many settings
  • 24. Shared, VPS or dedicated servers?
    A dedicated server
    Still a “shared” server
    Allows you to upgrade and tweak all the settings on a dedicated server
    Host retains responsibility for maintenance
  • 25. Additional security
    Suhosin – hardens PHP
    Samhain or Tripwire
    Configserver firewall
  • 26. Apache
    [3] suExec
    CGI scripts run under the user of the website instead of the Apache user
    [3] Mod_security
    Intrusion detection and prevention engine
  • 27. PHP
    [2] PHP5, not PHP4
    [3] suPHP
    PHP files are run under the user of the website instead of the Apache user
    Globally reset all files
    Owner – AccountUsername:AccountUsername
    chown -R user:group *
    Files – 644
    find . -type f -exec chmod 644 {} \;
    Folders – 755
    find . -type d -exec chmod 755 {} \;
  • 28. Hosting account
    .htaccess files
    [1] Activate the htaccess file in the Joomla root
    [1] Use an .htpasswd for the /administrator/ folder
    [3] Advanced .htaccess files
    A LOT more important detail in the manual
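The permission reset from slide 27 and the two basic .htaccess steps from slide 28, combined into one script. This is an added example and not code from the presentation: the Joomla root, the optional user:group and the .htpasswd location are assumptions passed in as arguments, and the check_perms function is added so the reset can be re-verified later.

```shell
#!/bin/sh
# Added example (not from the presentation): apply the slide 27 permission
# reset and the slide 28 .htaccess steps to a Joomla root, then verify them.
# Assumptions: $1 is the Joomla web root, $2 is where the .htpasswd should
# live (ideally outside the web root), $3 is an optional user:group (chown
# normally needs root, so it is skipped when not given).

# Files 644, folders 755; ownership only when a user:group is supplied.
reset_perms() {
  root="$1"; owner="$2"
  if [ -n "$owner" ]; then
    chown -R "$owner" "$root"
  fi
  find "$root" -type f -exec chmod 644 {} \;
  find "$root" -type d -exec chmod 755 {} \;
}

# Prints "ok" when every file is 644 and every folder 755; otherwise lists
# the offending paths and returns 1. Run it after reset_perms, and again
# periodically to spot files that have since been made writable.
check_perms() {
  bad=$(find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \))
  if [ -z "$bad" ]; then
    echo ok
  else
    printf '%s\n' "$bad"
    return 1
  fi
}

# Joomla ships its Apache rules as htaccess.txt; slide 28 says to activate it.
# Copy rather than move so the shipped original stays available for comparison.
activate_htaccess() {
  root="$1"
  if [ ! -f "$root/.htaccess" ] && [ -f "$root/htaccess.txt" ]; then
    cp "$root/htaccess.txt" "$root/.htaccess"
  fi
  [ -f "$root/.htaccess" ]
}

# Basic-auth gate in front of /administrator/. Only the path of the password
# file is written here; the file itself is created with htpasswd(1).
protect_admin() {
  root="$1"; pwfile="$2"
  mkdir -p "$root/administrator"
  cat > "$root/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Joomla administrator"
AuthUserFile $pwfile
Require valid-user
EOF
  chmod 644 "$root/administrator/.htaccess"
  if [ ! -f "$pwfile" ]; then
    echo "now run: htpasswd -c $pwfile <backend-user>" >&2
  fi
}

# Usage: sh harden.sh /var/www/joomla /etc/apache2/joomla.htpasswd [user:group]
if [ $# -ge 2 ]; then
  reset_perms "$1" "$3"
  check_perms "$1"
  activate_htaccess "$1"
  protect_admin "$1" "$2"
fi
```

Run it against a copy of the site first: a chown to the wrong account under suPHP breaks every page, and a few extensions expect a writable folder (such as a cache directory) that 755 will deny.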
  • 29. Securing a Joomla site
    Keeping up to date
    Avoiding the obvious
    Hide, and be very, very quiet
    Spam form submissions
    Install sh404SEF
  • 30. Keeping up to date
    Must update Joomla core and extensions
    Remove unused extensions
  • 31. Avoiding the obvious
    [1] The default database table prefix is jos_
    [1] The default admin username is admin
    [1] The default admin user ID is 62
    [1] Change administrator access URL
  • 32. Hide, and be very, very quiet
    [1] SEF all URLs
    [1] Clear the default Joomla metatags
    [1] Clear the default Home page title
    [1] Remove generator tag
    [1] Change favicon
    [2] Hide component credits
  • 33. Spam form submissions
    Trying to inject spam content onto your site
    Targets Joomla core forms and extension forms
    Install a captcha system
  • 34. Install sh404SEF
    SEF URLs hide from Google Dorks
    Flood control
    Other security settings
  • 35. Creating a safe working environment
    PC vulnerability to hacks
    FTP access hacks
    A note about users
    “Burglar bars, electric fences, alarms… and a key left under the doormat”
  • 36. PC vulnerability to hacks
    [1] Install all operating system patches
    [1] Install all application system patches
    [1] Run comprehensive real-time protection apps
    [1] Install Secunia PSI
    [1] Secure your PC login
    [1] Secure your backup storage
    [2] Use a secure web browser
  • 37. FTP access hacks
    If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.
    FTP passwords are stored unencrypted in your FTP program!
    FTP authentication details pass unencrypted to the server!
    There are several common FTP apps that store their passwords in a standard location with a standard name!
  • 38. FTP configuration
    [1] cPanel setup
    Make sure that the FTP password is strong
    [1] PC setup
    Password vault (LastPass, Keepass) to store the strong password
    Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)
    [1] FileZilla
    Copy all passwords to the password vault
    Delete all passwords from the Site Manager
    Set FileZilla to run in Kiosk mode
  • 39. FTP configuration
    [2] Joomla
    Remove the FTP details from the configuration file
    [3] WHM
    Disable FTP access and allow only SFTP access
    A note about users
    You should ideally create separate user accounts for each staff member
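An audit script for two of the file-level defaults the slides warn about: the jos_ table prefix (slide 31) and FTP credentials left in configuration.php (slide 39). This is an added example, not code from the presentation. $dbprefix, $ftp_enable, $ftp_user and $ftp_pass are real Joomla configuration.php settings; the two sample files and their values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the presentation): audit a Joomla configuration.php
# for the default jos_ table prefix (slide 31) and for FTP details left in
# the configuration file (slide 39). The settings read here are real Joomla
# configuration keys; the sample files below are constructed.

# Print the single-quoted value of a configuration.php setting, e.g.
#   var $dbprefix = 'jos_';        (Joomla 1.5)
#   public $dbprefix = 'jos_';     (Joomla 1.6 and later)
config_value() {
  awk -v name="$2" -v q="'" '
    index($0, "$" name " ") && index($0, "=") && index($0, q) {
      s = substr($0, index($0, q) + 1)      # text after the opening quote
      print substr(s, 1, index(s, q) - 1)   # up to the closing quote
      exit
    }' "$1"
}

# Print the number of findings (0 means clean); details go to stderr.
audit_config() {
  cfg="$1"; findings=0
  if [ "$(config_value "$cfg" dbprefix)" = "jos_" ]; then
    echo "WARN: table prefix is the default jos_ (the one the slide 15 query hard-codes)" >&2
    findings=$((findings + 1))
  fi
  if [ "$(config_value "$cfg" ftp_enable)" = "1" ] || [ -n "$(config_value "$cfg" ftp_pass)" ]; then
    echo "WARN: FTP layer enabled or an FTP password is stored in configuration.php" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# Constructed samples: a freshly installed site with both defaults, and the
# same file after the prefix was changed and the FTP details removed.
write_sample_default() {
  cat > "$1" <<'EOF'
<?php
class JConfig {
    var $dbprefix = 'jos_';
    var $ftp_enable = '1';
    var $ftp_user = 'acct';
    var $ftp_pass = 'S3cret';
}
EOF
}
write_sample_fixed() {
  cat > "$1" <<'EOF'
<?php
class JConfig {
    var $dbprefix = 'k7q2_';
    var $ftp_enable = '0';
    var $ftp_user = '';
    var $ftp_pass = '';
}
EOF
}

# Usage: sh audit.sh /var/www/joomla/configuration.php
if [ -n "$1" ]; then
  audit_config "$1"
fi
```

The other two items on slide 31, the admin username and user ID 62, live in the database rather than in configuration.php, so they need a query against the users table, not a file read.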
  • 40. Preparing for the worst
    Site monitoring
    A disaster recovery plan
    Joomla site backups
    Restoring a hacked site
  • 41. Site monitoring
    Diagnostics
    Site down
    Home page content changes
    Mod_security logs (shows attempts)
    Bandwidth use
    Spam blacklisting
    [3] Searching and browsing server logs
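Two of the slide 41 diagnostics as shell functions: a home page change detector and a scan of the web server access log for the probe patterns the earlier slides show (union/select injection, the com_acajoom extension, phpinfo discovery). This is an added example, not code from the presentation; the log lines are constructed in Apache combined format with RFC 5737 documentation addresses, and the signature list is an assumption to extend with whatever the Mod_security log on your own server reports.

```shell
#!/bin/sh
# Added example (not from the presentation): home page tamper check and
# access-log probe scan for the slide 41 monitoring list. Sample log lines
# are constructed; the probe signatures are an assumption based on the
# query shown on slide 15 and the dorks on slide 14.

# Strong hash where available (content tampering, not just accidental change).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    cksum "$1" | cut -d' ' -f1   # CRC fallback: fine for drift, weak against a deliberate attacker
  fi
}

# Record the known-good hash of the home page (e.g. a saved curl download).
baseline_homepage() { hash_file "$1" > "$2"; }

# Print "unchanged" or "CHANGED" by comparing the current copy with the baseline.
check_homepage() {
  if [ "$(hash_file "$1")" = "$(cat "$2")" ]; then echo unchanged; else echo CHANGED; fi
}

# Probe signatures: SQL injection through the query string, the vulnerable
# extension named on slide 14, and phpinfo discovery. Matched case-insensitively.
PROBE_RE='union[^ "]*select|option=com_acajoom|phpinfo'

# Number of requests in an access log matching the signatures (0 when none).
count_probes() { grep -E -i -c "$PROBE_RE" "$1" || true; }

# Source addresses of the matching requests with hit counts, most active first.
probe_sources() { grep -E -i "$PROBE_RE" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn; }

# Constructed sample log for the demonstration (documentation IP ranges).
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [04/Jul/2011:10:15:01 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Jul/2011:10:15:07 +0200] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1/**/union/**/select/**/1 HTTP/1.1" 200 612 "-" "-"
198.51.100.2 - - [04/Jul/2011:10:16:30 +0200] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [04/Jul/2011:10:16:42 +0200] "GET /index.php?option=com_content&id=1%20union%20select%201 HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [04/Jul/2011:10:17:00 +0200] "POST /index.php?option=com_users&task=login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sh monitor.sh /var/log/apache2/access.log
if [ -n "$1" ]; then
  echo "probe requests: $(count_probes "$1")"
  probe_sources "$1"
fi
```

A non-zero probe count is not itself a compromise (the slide's point is that attempts show up in the logs); what matters is whether those requests returned 200 with a normal-sized body, and whether the home page hash changed around the same time.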
  • 42. Disaster Recovery Plan
    Depending on how central your web site is to your business, you may need a DRP
    See Tom Canavan’s presentation: http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery
    Photo: flickr.com/photos/28481088@N00
  • 43. Joomla site backups
    Long-cycle Joomla backups are critical
    Redundant backups lead to restful sleep
    See my Joomla for Web Developer talk for MUCH more detail
  • 44. Restoring a hacked site
    Fixes the obvious problems
    Does not address:
    Hidden hacks
    Shell scripts
    Backdoors
    Zombies
    Continuing vulnerabilities
    Impacts of data exposure
    Photo: flickr.com/photos/andreweason
  • 45. Credits/Disclaimer
    Brendon Hatcher is the compiler of this presentation
    The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives
    If you don’t know what this licence means, go to creativecommons.org
    The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.

Editor's Notes

  1. Balaclava - http://www.flickr.com/photos/vladus/1933814881/
  2. Pickpocket - http://www.flickr.com/photos/dullhunk/4575707721/
  3. Onion - http://www.flickr.com/photos/10460483@N02/5448093522/
  4. Shhh - http://www.flickr.com/photos/42918851@N00/5905346604/sizes/l/in/photostream/
  5. http://www.flickr.com/photos/philliecasablanca/6011248010/