This document provides an overview of WordPress security best practices. It recommends regularly backing up websites and data, using strong and unique passwords, automating updates, and monitoring websites to prevent attacks from going unnoticed. It also discusses attacker motivations like financial gain from phishing, SEO fraud, and installing backdoors. The document outlines steps to clean up after an attack, like updating all software, checking and removing unauthorized files, changing all passwords, and reinstalling the website from a known good backup. It also provides suggestions for preventative measures and security plugins to prevent future compromises.
As web-enabled systems become an integral part of everything we interact with, how do we secure data in potentially insecure environments?
In this session you'll learn how to apply fundamental security precepts in potentially insecure environments. Topics include:
Securing identity and payment data through voice commands or text
Tokenization and encryption security
Triggering secure transactions from communications media
PHP and Application Security - OWASP Road Show 2013 (rjsmelo)
Presentation related to Information Security in the context of PHP programming. Principal pitfalls when programming PHP. Context of the PHP usage and evolution.
Video of the presentation: http://youtu.be/NTc5cZKZGF0
Understanding and implementing website security (Drew Gorton)
Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks.
We will cover:
Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures)
Familiarity with your hosting platform’s security-related practices.
Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.)
Understanding how security concerns are handled for core and contrib.
Clarifying support responsibilities and procedures so that security fixes are applied quickly.
Attendees who build and/or manage Drupal sites will gain the most from the session. Attendees will leave with a complete picture of website security and concrete recommendations for how to improve the security of the sites they manage. It will cover recommendations for Drupal 7 and Drupal 8.
Many of the topics that will be covered are in my Understanding and Implementing Website Security blog post series at https://pantheon.io/blog/understanding-and-implementing-website-security-part-1-you-are-target
This talk was originally titled “I'm tired of defenders crying”, but thought better of it. This talk is about the tidbits that I've seen piecemeal across the multitude of businesses big and small that were innovated and highly effective, yet free, or mostly free and stopped me dead in my tracks. Going over a number of free, or nearly free methods, tactics, and software setups that will cut down intrusions significantly that you can deploy or start deployment of the hour after the talk is done.
Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as a United States Marine. He has worked with devices and software that run the gamut in the security realm. He has a few certifications, but the titles that he holds above the rest are FATHER, HUSBAND and United States Marine.
Hacking Vulnerable Websites to Bypass Firewalls (Netsparker)
These slides were used by our security researcher Sven Morgenroth during the live demo of how to hack web applications and bypass firewalls. You can watch the live demo here: https://www.netsparker.com/blog/web-security/vulnerable-web-applications-developers-target/#livedemo
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
Talk from 4Developers '12 and PHP Barcelona '11
It’s fun to architect your application to handle millions of pageviews, but in reality that’s time where you could be adding features. We’ll examine some practical solutions for designing your platform to deal with increasing traffic and how to add those features on an incremental basis. This will take us through options for scaling the code and additional methods for scaling the infrastructure.
5 Bare Minimum Things A Web Startup CTO Must Worry About (Indus Khaitan)
So you have started-it-up and now you are getting good traffic — Thousands of users, etc. etc.
Do you know script kiddies are scanning your website using simple dictionary attacks on SSH ports? Do you know that once in a while there is a Fatal application Error in your PHP log (which may point to a bigger problem)? Do you know that the backup you are taking is actually not gonna restore your DB? Do you know that every night at 12 one of the servers has a CPU spike?
It’s a good idea to catch some of the serious problems early on and deploy tools to proactively assess them. In this session we will discuss some very basic things, as a CTO you MUST worry about and proactively solve problems around them.
These are (in the order of decreasing priority):
1. Security
2. Monitoring/Availability/Load (External/System level)
3. Application errors
4. Backup
5. Source control
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip... (bugcrowd)
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Scraping the web with Laravel, Dusk, Docker, and PHP (Paul Redmond)
Jumpstart your web scraping automation in the cloud with Laravel Dusk, Docker, and friends. We will discuss the types of web scraping tools, the best tools for the job, and how to deal with running selenium in Docker.
Code examples @ https://github.com/paulredmond/scraping-with-laravel-dusk
A walk through of how to think about Web Exploitation. Focuses less on performing SQL injections and more on how to properly enumerate and evaluate functionality.
Detecting and Defending Your Privacy Against State-Actor Surveillance (Robert Rowley)
This is a review of recently leaked documents that detail state-actor surveillance technologies. In the presentation I provide easy-to-implement, actionable methods to detect state-actor surveillance, and steps you can take to defend against them.
(short version)
Let's cover the history of privacy to reflect on current events. It may surprise you the same abuses of privacy come up throughout US history, and the same battles to protect an individual's privacy are fought.
Juice Jacking 101 covers the history behind why and what we learned from building malicious cell phone charging kiosks (and then setting them up at various hacker conferences).
This isn’t your uncle’s “what’s a WAF” talk. I’ll be covering as many cool tricks and advanced topics related to deploying Web Application Firewalls as I can. I will show you how to write custom scripts using Lua and mod_security, and give first-hand experiences of how I used scripting with a WAF to put the security team at my previous job ahead of the game when dealing with web app attacks. I will be including the source code for these example scripts, which can be used to provide automatic incident response, counter-intelligence and more.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! (SOFTTECHHUB)
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
18. How?
● Software vulnerabilities: arbitrary file uploads, code execution, LFI/RFI, SQLi
● Password compromise: spyware/brute force
● Host based attacks: are you on a shared host? (cloud?)
19. Show your work!
How does a compromised site equal profit?
● Phishing (Identity theft)
● BlackHat SEO (affiliate services e-fraud)
● Traffic Theft (Malware)
● Spam (All of the above)
● Backdoor installations (All of the above)
35. Spot ALL THE “diff”erences!
● Use “diff” to compare directories.
● Works best with backups (or just download WP)
$ diff omgfire.com omgfire.com_lastbackup
Only in omgfire.com: this_could_be_a_backdoor.php
Common subdirectories: omgfire.com/wp-admin and omgfire.com_lastbackup/wp-admin
$ diff omgfire.com/wp-config.php omgfire.com_lastbackup/wp-config.php
1d0
< <? /* this is a little bit of code changed! */ ?>
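A content-based version of the directory comparison on this slide, added here as an example that is not from the original talk: it walks a live site tree and a backup (or a fresh WordPress download), reports files that exist only in the live copy, files whose contents changed, and files that vanished, and skips paths such as wp-content/uploads that legitimately differ. The site names, file contents and the "backdoor" file are constructed sample data; the ignore list is an assumption you would tune per site.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths under the site root that are expected to differ from a backup or a
# clean WordPress download (user uploads, caches). Assumption: tune per site.
IGNORE_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _index(root: Path) -> dict:
    """Map every relative file path under root (minus ignored paths) to its digest."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if not rel.startswith(IGNORE_PREFIXES):
                out[rel] = _sha256(p)
    return out


def compare_trees(live: Path, backup: Path) -> dict:
    """Recursive, content-based equivalent of `diff live backup`.

    Returns three sorted lists of relative paths:
      added    - only in the live site (an unexpected PHP file at the web root
                 is exactly what "Only in omgfire.com:" flags on the slide)
      modified - in both trees but with different contents (e.g. wp-config.php)
      removed  - only in the backup
    """
    a, b = _index(live), _index(backup)
    return {
        "added": sorted(set(a) - set(b)),
        "modified": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
        "removed": sorted(set(b) - set(a)),
    }


def demo() -> dict:
    """Build two constructed site trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "omgfire.com")
        backup = Path(tmp, "omgfire.com_lastbackup")
        for root in (live, backup):
            (root / "wp-admin").mkdir(parents=True)
            (root / "wp-content" / "uploads").mkdir(parents=True)
            (root / "wp-admin" / "index.php").write_text("<?php // admin\n")
            (root / "index.php").write_text("<?php // front controller\n")
        (backup / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        # Live copy: an extra line injected at the top of wp-config.php ...
        (live / "wp-config.php").write_text(
            "<? /* this is a little bit of code changed! */ ?>\n"
            "<?php define('DB_NAME', 'wp');\n"
        )
        # ... an unexpected PHP file at the web root (constructed, inert) ...
        (live / "this_could_be_a_backdoor.php").write_text("<?php // constructed sample\n")
        # ... and a new upload, which is normal and must not be flagged.
        (live / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        return compare_trees(live, backup)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"{kind:9s} {rel}")
```

Anything reported under "added" or "modified" outside the ignore list is what you inspect (and restore from the known-good copy) during the cleanup the later slides describe.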
36. Pay for ALL THE fixes!!!
● The good, the bad and the ugly
41. Security Plugins
Columns: Backups, Prevention, Cleanup, Monitoring, Authentication
File Monitor Plus: X
VaultPress: X X
Google Auth., Yubikey, etc.: X
Exploit Scanner: / X
Backup Buddy: X
42. Security Services
Columns: Backups, Prevention, Cleanup, Monitoring, Price
Cloudflare: X / (Free-20+5/month)
VaultPress: X / X (15-350/month)
StoptheHacker: X (Free-100+/month)
URLvoid.com, various others: X (Free)
Sucuri: X X (90-290/month)
Welcome. I want to show that security is easy; I'm giving out the keys to the castle and want everyone to be able to do this.
Security concepts; know your attacker; cleanup; prevention; auditing.
Robert R – silly acronyms like CISSP; 10-ish years of experience in multiple arenas of security (mobile, websites, administration, networking); customer-facing security concerns at DreamHost.
Goes beyond WordPress, but we see it all and monitor it, which makes for a great conversation piece!
It's all about how easy security is. Everything goes back to the core concepts, so let's get into that!
Take them often, keep them secure, check them regularly. Do not presume anyone is keeping backups; be certain.
Did you lock your car here? Who is at fault if it's broken into? (That's right, the burglar!) Choosing good passwords isn't about whether you can remember the password to log in; it's about policy. Do you feel it's necessary to have a unique password that will stop someone from getting into your site/FTP? (If not, just set it to abc123, password, or secret.) More on policy: you have to think about where you log in to your site's admin pages (is this network secure/safe? Back to the car analogy regarding where you park it). Many of the remaining topics in this talk actually come down to this type of decision. For example, let's think of backups as “how important is it that you have a copy of your site's data if it's lost?” Your answer is what you base your backup policies on!
Following right on from passwords and policies: the longer you leave a site at the last security update, the longer you're exposing the domain to an attack. If there is a critical security update in the patch, then you need to upgrade ASAP (unless your site is not on the internet). Why ASAP? I'll show some graphs, but in the infamous words of MC Frontalot, “it's already too late.”
It's really a stop-gap concept. “It's already too late.” The sooner the better for incident response. You need to know ASAP about these events to be able to take action.
Knowing what you're up against is important! Knowing is half the battle! Common threats; low-hanging fruit; ties back in to best practices; review monitored logs of attacks; attacker motivation; commonly seen activity.
It's well known that attackers go for the easy target. No matter how much you think “I'm too small to be targeted,” it's not about that: every website is a possible target, if for nothing more than to act as a small part in a bigger attack (add another bot to the pile!).
It's all automated (well, mostly, but those are more unique cases). Bots hit sites every day. I know this because I monitor them, and unless there is a Ritalin-fueled obsessive-compulsive freak of a person out there doing the same repetitive attacks on tens of thousands of sites a day, then these are bots.
You may ask yourself, why?
Money. This is just the majority of attacks we see, which are connected to cyber-criminal gangs. There are alternatives such as Anonymous (who do it for awareness/causes) and, cough, governments (for espionage), but the vast majority is just gangs who want money.
Arbitrary file uploads (upload backdoors); code execution (backdoor access); password compromise (they can do what you can do); LFI/RFI (backdoors); SQLi (get your DBs).
Phishing (identity theft); BlackHat SEO (affiliate services e-fraud); traffic theft (malware); spam (all of the above); backdoor installations (all of the above).
This is not to say the software listed is any less secure (each has patched the vulnerability). These are attempts, not successes. All attacks were blocked.
zencart
e107
Let's call this “rimrum.php”. Not part of WordPress core.
OK, let's get into some important steps in a cleanup.
Check for changes in files/DB/logins (back to best practices). Check for upgrades. Password security. It's easy, unless you weren't paying attention, then it's certainly far more difficult! Services (my god ...). DIY. … My god, it's only one line!
Why? Quarantine, so the attackers can do no further harm (to your visitors or your site).
Before you put things back online
Again before you put things back online
If someone had the key to your front door, would you not change it?
Show the find one-liner. Note WP's built-in file integrity rebuilder.
Directories and file permissions
Backdoors! Bah!
Show the find one-liner. Note WP's built-in file integrity rebuilder.
Good – companies that release fixes for free, work with hosting providers, and never play the blame game. Bad – companies that make no contributions to the security community, with high costs. Ugly – high costs, and blame-game posts on their blog! Charlatans (snake oil) – how will they interact with you as a customer if they openly berate people on their blog?
Server side; site side; WordPress-specific tricks; review.
Permissions; firewalls (mod_sec, Cloudflare, .htaccess); database server (hostname access).
Monitor with rsync/git/svn on your backup server. Stop using FTP! HTTPS (who logged in today using the open wifi?). Permissions, always important.
HTTPS logins, or two-factor. Admin: don't make your login name guessable. Table prefixes help but don't prevent SQLi. If you're uploading images, why would you execute them as PHP? How many plugins and themes do you have installed that are not in use?
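Three of the prevention points above (permissions, a readable wp-config.php on a shared host, and PHP executing out of the uploads directory) as a small audit script. This is an added example, not code from the talk; it runs on a constructed site tree, and the hardening step assumes Apache 2.4 (the "Require all denied" form of the rule). Paths and the database value are constructed.

```sh
#!/bin/sh
# Added example, not from the slides: a small audit for three prevention
# points from the notes, run on a constructed site tree. The .htaccess rule
# assumes Apache 2.4. Paths and the database value are constructed.

# world_writable SITE: files and directories with the other-write bit set
world_writable() {
    ( cd "$1" && find . -perm -002 | sed 's#^\./##' | sort )
}

# config_exposed SITE: prints the config path when the other-read bit is set
# (on a shared host that means every other customer's account can read it)
config_exposed() {
    find "$1/wp-config.php" -perm -004
}

# uploads_allow_php SITE: true (exit 0) while nothing denies .php under uploads
uploads_allow_php() {
    ! grep -qs 'Require all denied' "$1/wp-content/uploads/.htaccess"
}

# harden_uploads SITE: uploaded "images" must never run as PHP
harden_uploads() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Constructed example rule (Apache 2.4): never serve PHP from the uploads tree
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$1/wp-content/uploads/.htaccess"
}

# audit_site SITE: one finding per line; no output means the three checks pass
audit_site() {
    world_writable "$1" | sed 's/^/world-writable: /'
    config_exposed "$1" | sed 's/^/wp-config.php readable by others: /'
    if uploads_allow_php "$1"; then
        echo "uploads: PHP execution not blocked"
    fi
}

# Constructed site with all three problems, then the fixes
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads"
chmod 755 "$SITE/wp-content" "$SITE/wp-content/uploads"
printf "<?php define('DB_PASSWORD', 'constructed-secret');\n" > "$SITE/wp-config.php"
chmod 644 "$SITE/wp-config.php"                       # any local user can read it
printf 'GIF89a\n' > "$SITE/wp-content/uploads/avatar.gif"
chmod 666 "$SITE/wp-content/uploads/avatar.gif"       # any local user can change it

echo "Before:"; audit_site "$SITE"
chmod 640 "$SITE/wp-config.php"
chmod 644 "$SITE/wp-content/uploads/avatar.gif"
harden_uploads "$SITE"
echo "After:";  audit_site "$SITE"
```

The audit only reads mode bits, so it is safe to run on a live site; harden_uploads writes a file and should be tried on a copy first, and on nginx the equivalent is a location block rather than .htaccess.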
There are a lot of options; just search for “security” in the plugins repository. Be warned, many end up unmaintained. Some claim to cover everything, but none cover all of your needs.
List/graph: Cloudflare, VaultPress, sitemonitor, StoptheHacker, Sucuri. Anyone in the audience from these services? “Make checks payable to...” or talk with them after.
Most of these will be techniques I will quickly cover that are all handled via SSH. Sorry, advanced topic. I can go over details in person.
Not supported with the WP panel. Use the “last” command via SSH; this will verify whether it was an SSH/FTP password compromise.
Timestamp correlation with file creations, logs, etc... Note the POST request … shady!
Awk/grep/sort madness!
Awk/grep/sort madness!
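The awk/grep/sort triage the notes refer to, shown on a few constructed Apache-style access-log lines (RFC 5737 test addresses). This is an added example, not the speaker's own one-liners: it pulls out POST requests to .php files under wp-content/uploads (a directory a WordPress site never needs to serve as code), ranks the clients behind them, and lists PHP files modified after the first such request so file timestamps can be lined up with the log. The log lines and the site tree are constructed; "rimrum.php" is the placeholder name the talk uses for a non-core file.

```sh
#!/bin/sh
# Added example, not from the slides: log triage with awk/grep/sort over
# constructed Apache-style access-log lines, plus the find one-liner the
# notes mention for timestamp correlation. All addresses, paths and files
# are constructed.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2013:10:04:17 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2013:10:04:31 +0000] "POST /wp-content/uploads/rimrum.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2013:10:09:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2013:10:12:45 +0000] "POST /wp-content/uploads/rimrum.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2013:10:15:09 +0000] "POST /wp-content/uploads/2013/03/rimrum.php HTTP/1.1" 200 311 "-" "curl/7.29"
EOF

# suspicious_posts LOGFILE: POST requests whose target is a .php file under
# wp-content/uploads (field 6 is the quoted method, field 7 the request path)
suspicious_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/uploads\/.*\.php/' "$1"
}

# top_clients LOGFILE: client addresses behind those requests, busiest first
top_clients() {
    suspicious_posts "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# first_hit LOGFILE: timestamp of the earliest suspicious request
first_hit() {
    suspicious_posts "$1" | head -n 1 | awk '{ print $4 }' | tr -d '['
}

# recent_php_files SITE REF_FILE: PHP files under SITE modified after REF_FILE,
# the find one-liner for lining file timestamps up with the log
recent_php_files() {
    ( cd "$1" && find . -type f -name '*.php' -newer "$2" | sed 's#^\./##' | sort )
}

# Constructed site tree: a core file untouched since install, and a file that
# appeared in uploads after the first suspicious request
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads"
printf '<?php /* constructed stand-in for a core file */\n' > "$SITE/index.php"
touch -t 201301010000 "$SITE/index.php"
printf '<?php /* constructed: not part of WordPress */\n' > "$SITE/wp-content/uploads/rimrum.php"
REF=$(mktemp)
touch -t 201303121004 "$REF"     # the minute of the first suspicious POST above

echo "Suspicious POSTs:";     suspicious_posts "$LOG"
echo "Clients behind them:";  top_clients "$LOG"
echo "PHP files changed since $(first_hit "$LOG"):"; recent_php_files "$SITE" "$REF"
```

On a real host, point suspicious_posts at the site's access log and build REF_FILE with touch -t from the timestamp first_hit reports; files that recent_php_files returns and that are not in your backup are the ones to quarantine and inspect.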
It doesn't hurt to ask, and it's entirely possible they are familiar with that specific type of attack.
Do not be ashamed to post about your site being compromised; if anything, it may help. Not only you and your visitors, but the next webmaster who sees a similar attack against their site. Build a network of individual site owners who are all actively reporting these compromises; you'll be paying it forward.
No, seriously, WordPress and Automattic take security seriously. Following the steps at this URL, which is well written, will show you specific details on what to do. I just didn't want to waste time talking only about what's on this URL.