WordPress Security - WordCamp phoenix 2013

  1. WordPress Security: Dealing with Today’s Hacks
  2. If you don’t ask, you don’t get!
     • Dre Armeda, CISSP
     • CEO, Co-Founder at Sucuri Inc.
     • @dremeda
     • Dre.im
     I’m a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I’m infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!
     1/19/2013 Dre Armeda - @dremeda #wcphx
  3. Why listen to me? You don’t have to, but…
     • 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy.
       – Managed security awareness for Sempra Energy
       – Deployed security suite for 1-800-Flowers.
       – Cleaned Martha Stewart web properties of malware
     • Not an expert, passionate enthusiast.
     • Seriously though – quick Sucuri stats:
       – Remediate 200–300 infected websites a day, 24/7/365
       – Perform 2 million+ malware website scans a month
       – Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)
     My goal in life is to make the web a safer place!
  4. Thoughts To Kick Things Off
     • Information Security is about risk reduction.
       – If you’re looking for the “silver bullet” this is the wrong talk for you.
     • To think that you will never be infected is like saying you will never be sick.
       – Someone tells you different? Percussion calibration time.
     • Prevention is ideal, but not realistic.
       – Risk will never be 0%
       – Detection is key.
  5. Know Your Enemy
     • They have time & resources
     • They are intelligent
     • Attacks are automated
     • Goal is to impact quantity
     • Own one, own them all…
     • It’s not personal
  6. Ok, so what’s the problem? TODAY’S ISSUES:
     • The Ecosystem / Environment
     • Access Control
     • Software Vulnerabilities
     • Administration
     • Credential Management
     • Extensibility
  7. Today’s Focus
     • Ecosystem / Environment
     • Access Control
     • Dealing with Hacks
  8. Logical Architecture (diagram): Linux Operating System, Apache, MySQL, PHP, WordPress, cPanel, Plesk, phpMyAdmin, PHP-CGI, Modules
  9. The EcoSystem / Environment
     • Apache – Malicious module injects iFrames
       – http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
     • phpMyAdmin – Mirror hacked
       – http://sourceforge.net/blog/phpmyadmin-back-door/
     • PHP-CGI – Remote Code Execution
       – http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
     • Plesk – Vulnerable to SQLi attacks
       – http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html
  10. The EcoSystem / Environment
     • What can you do?
       – Not much… completely outside of your control if you’re using a shared or managed host
     • But, you can reduce risk...
       – Use a Dedicated / VPS Environment
         • But recognize the responsibility that this entails; if what I mentioned previously doesn’t make sense, skip to the next step
       – Go with a Managed Host
         • Doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on
  11. Access is Key
     • We have to change the way we treat and think about access. All access – Server / Application
     • We are going through the same mistakes servers and desktops were making in the 90’s with access.
     • Know where you are surfing the web; do you really need to log in as an admin at the coffee shop?
  12. Before We Dive In
  13. WordPress Loving Infections
     • Defacements
     • Backdoors
     • Pharma Hack
     • Injections – iFrame specifically
     • Malicious Redirects
     • Phishing
  14. Hacktivism at its finest… you now support a cause!?!?! DEFACEMENTS
  15. Defacements
     • Hacktivism 101 – Annoying as S*&T
     • Places to look:
       – index.html
       – index.php
         • Root directory
         • wp-content
         • Theme directory
     • GREP is your friend:
       – grep -ri 'sniper399' .
  16. It’s ok to cry a little… BACKDOORS
  17. Backdoors
     • Common terms:
       – is_bot
       – eval
       – base64_decode
       – fopen
       – fclose
       – readfile
       – edoced_46esab (base64_decode spelled backwards)
       – exec
       – system
       – shell_exec
       – gzuncompress
       – popen
       – FilesMan
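The grep checks from slides 15 and 17, turned into a small triage script. This is an added example, not part of the deck; the "site" it scans is a constructed sample tree in a temp directory, and the indicator list is the slide's own terms plus the reversed spelling of base64_decode.

```shell
#!/bin/sh
# Added example (not from the deck): triage scan for the defacement tag and the
# backdoor indicators listed on slides 15 and 17, run over a constructed sample tree.

# Indicator terms from slide 17 as one case-insensitive extended regex.
# "edoced_46esab" is base64_decode spelled backwards, a common obfuscation.
BACKDOOR_RE='is_bot|eval[[:space:]]*\(|base64_decode|edoced_46esab|fopen|fclose|readfile|exec[[:space:]]*\(|system[[:space:]]*\(|popen|gzuncompress|FilesMan'

# List PHP files under $1 that contain at least one indicator, one path per line.
scan_backdoors() {
    grep -rilE --include='*.php' "$BACKDOOR_RE" "$1" | sort
}

# Number of matching lines in file $1, to rank which files to open first.
count_hits() {
    grep -ciE "$BACKDOOR_RE" "$1"
}

# Slide 15: any file under $1 mentioning a defacer's tag ($2), e.g. sniper399.
scan_tag() {
    grep -ril -- "$2" "$1" | sort
}

# --- constructed sample site; none of this is real content -------------------
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads" "$SITE/wp-content/themes/demo"
printf '<?php /* clean theme file */ get_header(); ?>\n' \
    > "$SITE/wp-content/themes/demo/index.php"
# Dropper shape: decode a string, then evaluate it (this one decodes to "echo 1;").
printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' \
    > "$SITE/wp-content/uploads/cache.php"
printf 'hacked by sniper399\n' > "$SITE/index.html"

echo "Files with backdoor indicators:"
scan_backdoors "$SITE"
echo "Files carrying the defacement tag:"
scan_tag "$SITE" sniper399
```

Expect hits in a clean install too: fopen, fclose and base64_decode all appear in legitimate core and plugin code. Use the per-file counts to prioritise, and diff any suspect file against a fresh download of the same WordPress, theme or plugin version rather than judging by the keyword alone.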
  18. Erectile Dysfunction pills are leading ads.. Who knew.. PHARMA HACK
  19. Pharma Hack
     • Multi-million $ business
     • Rarely distributes malware
     • Impression-based affiliate marketing
     • Google’s Search Engine Result Pages (SERP)
     • Odds of malware distribution are actually low
     • Tricks:
       – Embedded within core files
       – Look for “.tmp” directories
  20. Pharma Hack, cntd..
     • Try using curl to emulate Google and Windows:
       curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
       – Google Webmaster Tools
         • Fetch as Googlebot
     • Check your theme index.php file for things like this:
       <?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
  21. Pharma Hack, cntd..
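The pharma-hack checks from slides 19 and 20 as one script. Added example, not from the deck: the theme name, the image path and the `.tmp` directory are constructed in a temp tree, and the curl comparison against Googlebot only runs when a URL is passed on the command line, so everything else works offline.

```shell
#!/bin/sh
# Added example (not from the deck): checks for the pharma-hack tricks on slides
# 19 and 20, run over a constructed sample tree. The curl comparison only runs
# when a URL is passed as $1, so the offline checks below never hit the network.

# Slide 19: stray ".tmp" directories under the install.
find_tmp_dirs() {
    find "$1" -type d -name '*.tmp' | sort
}

# Slide 20: a theme file that builds a function from the contents of another
# file and calls it (the create_function / file_get_contents loader).
find_image_loaders() {
    grep -rlE --include='*.php' \
        'create_function[[:space:]]*\(.*file_get_contents' "$1" | sort
}

# The other half of that trick: a PHP open tag inside something named like an
# image. -a forces grep to treat binary-looking files as text.
find_php_in_images() {
    grep -rla --include='*.jpg' --include='*.jpeg' --include='*.png' \
        --include='*.gif' '<?php' "$1" | sort
}

# Slide 20: fetch $1 as a browser and as Googlebot and compare body checksums.
# Different bodies mean the site is cloaking content for search engines.
compare_as_googlebot() {
    sum_browser=$(curl -sL -A 'Mozilla/5.0' "$1" | cksum)
    sum_google=$(curl -sL -A 'Googlebot/2.1 (+http://www.google.com/bot.html)' "$1" | cksum)
    if [ "$sum_browser" = "$sum_google" ]; then
        echo "same body for both user agents"
    else
        echo "DIFFERENT body served to Googlebot: possible cloaking"
    fi
}

# --- constructed sample site; paths and contents are made up ----------------
SITE=$(mktemp -d)
THEME="$SITE/wp-content/themes/my-really-good-theme"
mkdir -p "$THEME/images" "$SITE/wp-content/uploads/cache.tmp"
# The loader line from slide 20, pointing at the constructed image path.
printf "<?php \$wp__theme_icon=@create_function('',@file_get_contents('%s/images/s.jpg'));\$wp__theme_icon(); ?>\n" \
    "$THEME" > "$THEME/index.php"
# A "jpeg" that is really PHP: a JFIF-looking prefix followed by code.
printf '\377\330\377\340JFIF<?php echo 1; ?>\n' > "$THEME/images/s.jpg"
printf '<?php /* ordinary theme functions file */ ?>\n' > "$THEME/functions.php"

echo "tmp directories:";     find_tmp_dirs "$SITE"
echo "loader files:";        find_image_loaders "$SITE"
echo "php inside images:";   find_php_in_images "$SITE"
if [ $# -ge 1 ]; then compare_as_googlebot "$1"; fi
```

Run it with a site URL as the first argument to add the Googlebot comparison; a checksum mismatch is a strong hint that the content Google indexes is not the content you see, which is exactly how the pharma hack stays hidden from the owner.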
  22. It only hurts for a minute… INJECTIONS
  23. Injections
     • Invisible iFrames – executing in your browser
     • Contributing to drive-by downloads, pharma, XSS, CSRF
     • Places to check – pages that generate content:
       – JS files, header.php, index.php, functions.php, footer.php
  24. Injections, cntd…
     • PHP iFrame injection
       – count##.php
       – Check all index.php / theme JS files
       – Example below:
  25. Injections, cntd…
     • Pharma link injections
     • Drive-by downloads
  26. WTF?!?! Why don’t I understand what it says? MALICIOUS REDIRECTS
  27. Malicious Redirects
     • Redirects your user to a domain distributing malware; fundamentally different from an iframe injection that executes in your browser
     • 8 out of 10 times, check your .htaccess file – all of them:
       – # find /var/www -name .htaccess -type f | wc -l
     • Check for backdoors also – often a sign of a bigger issue
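Slide 27's `find` count, extended into a review of what those files contain. This is an added example, not from the deck: it builds a constructed web root with three `.htaccess` files (the standard WordPress permalink rules, a harmless hardening file, and one shaped like a conditional malicious redirect with a made-up host) and flags only the last.

```shell
#!/bin/sh
# Added example (not from the deck): slide 27 says to check every .htaccess.
# This inventories them under a web root and flags rules shaped like a
# conditional malicious redirect. The three sample files are constructed.

# Slide 27's count, as a function so the number can be checked.
count_htaccess() {
    find "$1" -name .htaccess -type f | wc -l | tr -d ' '
}

# Flag .htaccess files that (a) test the visitor's referer or user agent and
# (b) rewrite or redirect to an absolute URL. The stock WordPress rules do
# neither, so any hit deserves a look.
suspicious_htaccess() {
    find "$1" -name .htaccess -type f | sort | while read -r f; do
        if grep -qiE 'RewriteCond[[:space:]]+%[{]HTTP_(REFERER|USER_AGENT)[}]' "$f" &&
           grep -qiE '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' "$f"; then
            echo "$f"
        fi
    done
}

# --- constructed web root -----------------------------------------------------
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-content/uploads" "$ROOT/wp-includes"

# Standard WordPress permalink rules: every rewrite stays inside the site.
cat > "$ROOT/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF

# Harmless hardening file.
printf 'Options -Indexes\n' > "$ROOT/wp-includes/.htaccess"

# Shape of a conditional redirect: only visitors arriving from a search engine
# are sent off-site, so the owner browsing directly never sees it.
# The host name is a constructed placeholder.
cat > "$ROOT/wp-content/uploads/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://redirect-host.example/go.php [R=302,L]
</IfModule>
EOF

echo "htaccess files found: $(count_htaccess "$ROOT")"
echo "suspicious:"; suspicious_htaccess "$ROOT"
```

The referer-or-user-agent condition is the tell: it is what makes the redirect invisible to the site owner and visible to search traffic. A flagged file is also a reason to run a backdoor scan, since, as the slide says, the redirect is usually not the only thing that was dropped.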
  28. Biggest growing problem, exceptionally difficult to detect… PHISHING
  29. Phishing
     • Growing at a faster pace than traditional web malware
     • No impact to readers, but tied to SPAM bots sending out emails like this:
  30. Phishing, cntd…
  31. Bringing the Point Home DEMONSTRATION
  32. Demo Objective
     • Use good tools for bad things – wpscan
     • Enumerate the users
     • Enumerate passwords
     • Own target WordPress site
     • Deface the website
     I have 5 minutes – Ready?
  33. Remember the risk discussion? KEEPING IT REAL
  34. Update
     • Oldest version found in production – 1.5
     • Leading cause of cross-site contamination issues
     • Perhaps the simplest of tasks, yet we still find this:
  35. Access is Key
     • On the server:
       – Kill accounts that are not in use
       – FTP is the devil – slap yourself and switch to SFTP
       – Disable password auth & use key pairs
     • WordPress admin:
       – Multi-Factor Authentication on wp-admin
       – Two-Factor Authentication on wp-login.php
     • Employ least privilege:
       – Only use admin accounts for admin tasks
       – Learn to use Editor, Author, Contributor, Subscriber
  36. Password Dilemma
     • 15 character pass – 3 months to crack
     • Long / Complex / Unique – key to passwords
     • Prefer a password manager
       – You don’t? ok..
       – Passphrases work too
         • iLuvWCLpHX:2013:S@nT@N b@By
     • Come up with a process & stick to it:
       – One scheme:
         • Remember 8 characters
         • Write down 8 characters
         • Save 20 characters
       – Second scheme:
         • Remember 20 characters
         • Prefix characters with site name
         • End sequence with some date
  37. Kill PHP Execution
     • Kill PHP execution – directories:
       • wp-includes
       • wp-content
       • uploads
     • At a minimum:
       <Files *.php>
       Deny from all
       </Files>
  38. Disable Theme / Plugin Editor
     I’d take it a step further and remove the ability to install, but that’s just me.
     Modify wp-config.php with:
     • Disable the Plugin / Theme Editor
       – define('DISALLOW_FILE_EDIT', true);
     - OR -
     • Disable the Plugin / Theme Update and Installation
       – define('DISALLOW_FILE_MODS', true);
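Slides 37 and 38 as one hardening script. Added example, not the deck's or Sucuri's code: it writes the slide's `<Files *.php>` block into the uploads directory and inserts the wp-config.php constant, against a constructed install in a temp directory. It emits the Apache 2.4 `Require all denied` form next to the slide's 2.2 `Deny from all`, each behind an `IfModule` guard, because 2.4 only honours `Deny` when mod_access_compat is loaded.

```shell
#!/bin/sh
# Added example (not from the deck): apply slide 37's PHP-execution block and
# slide 38's wp-config.php constants to a constructed WordPress tree.

# Append the deny block to $1/.htaccess unless it is already there.
# Apache 2.2 honours "Deny from all"; 2.4 needs "Require all denied" unless
# mod_access_compat is loaded, so both forms are emitted behind IfModule.
deny_php_in() {
    dir=$1
    [ -d "$dir" ] || return 1
    if [ -f "$dir/.htaccess" ] && grep -q 'Require all denied' "$dir/.htaccess"; then
        return 0                       # already applied
    fi
    cat >> "$dir/.htaccess" <<'EOF'
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# 0 if wp-config.php ($1) already defines constant $2 as true.
has_wp_constant() {
    grep -qiE "define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Define constant $2 in $1, placed before the "stop editing" marker (or before
# the wp-settings.php require) so it is set before WordPress loads.
set_wp_constant() {
    cfg=$1; name=$2
    has_wp_constant "$cfg" "$name" && return 0
    awk -v line="define('$name', true);" '
        !done && /stop editing|wp-settings\.php/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# --- constructed install; the config below is a minimal stand-in -------------
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads" "$SITE/wp-includes"
cat > "$SITE/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'constructed');
/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
EOF

deny_php_in "$SITE/wp-content/uploads"                    # slide 37: at a minimum, uploads
set_wp_constant "$SITE/wp-config.php" DISALLOW_FILE_EDIT   # slide 38
echo "--- uploads/.htaccess"; cat "$SITE/wp-content/uploads/.htaccess"
echo "--- wp-config.php";     cat "$SITE/wp-config.php"
```

Uploads is the safe default because nothing there should ever be executed. Call `deny_php_in` on wp-includes or all of wp-content only after checking that no plugin on the site is requested directly by URL, since a blanket deny in wp-content breaks those; the slide's "at a minimum" is the uploads directory. Swap `DISALLOW_FILE_EDIT` for `DISALLOW_FILE_MODS` to get the stricter option from slide 38.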
  39. Plugins That Help
     Sucuri Clients:
     • Sucuri Security Plugin
     • Theme-Check
     • BackupBuddy
     • Akismet
     Non-Clients:
     • Limit Login Attempts
     • Theme-Check
     • BackupBuddy
     • Akismet
  40. Need a Hand?
     Support Forums:
     • Hacked – http://wordpress.org/tags/hacked
     • Malware – http://wordpress.org/tags/malware
     • BadwareBusters – https://badwarebusters.org
     Online Resources:
     • Sucuri Blog: http://blog.sucuri.net
     • SiteCheck Scanner: http://sitecheck.sucuri.net
     • Unmask Parasites: http://unmaskparasites.com
     • Perishable Press: http://perishablepress.com/category/web-design/security/
     • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
  41. Dre Armeda, CISSP – Dre.im – @dremeda – Sucuri Inc. – http://sucuri.net – http://blog.sucuri.net – @sucuri_security
     Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.
