Brendon Hatcher: Joomla Security

Joomla Security. Brendon Hatcher, Technical Director. Photo: flickr.com/photos/carbonnyc. Bare essentials to serious measures.

Upload: joomla-day-south-africa

Post on 08-May-2015


TRANSCRIPT

Page 1: Brendon Hatcher Joomla Security

Joomla Security

Brendon Hatcher, Technical Director

Photo: flickr.com/photos/carbonnyc

Bare essentials to serious measures

Page 2: Brendon Hatcher Joomla Security

Understanding hackers and hacking

Definitions of “hacker”

Hacker’s motivations

Evidence of hacking

Page 3: Brendon Hatcher Joomla Security

What is a hacker?

- Someone who deliberately seeks to bypass a server’s security
  – Black, grey, white hats
  – A hacked site is a broken/compromised site
- A skilled computer programmer
  – A hacked site is a tweaked and improved site
- A script kiddie
  – Junior hacker using other hackers’ tools and techniques

Page 4: Brendon Hatcher Joomla Security

Hacker’s motivations

- To see if they can
- To create mayhem
- For social standing in the sub-culture
- For political reasons – hacktivism
- For financial reasons
  – Theft – steal ebooks, videos, games, online services etc.
  – Sell data – user profiles, credit card details etc.
  – Industrial sabotage – paid to break competitor sites
  – Set up zombie farms
  – Steal bandwidth
  – Host phishing pages
  – Collect passwords

Page 5: Brendon Hatcher Joomla Security

Evidence of hacking

- None!
- Site trashed
- Hacking message
- High bandwidth use
- Changed admin password
- New user with admin rights
- Server logs

Page 6: Brendon Hatcher Joomla Security

Why be concerned about security?

- No-one is safe
- Hacking is actually quite easy
- Fixing hacked sites is tricky
- Hacked sites are a big problem

Page 7: Brendon Hatcher Joomla Security

No-one is safe

Type of site         | Motivation
---------------------|------------------------------------------------------------------
Any site             | To see if they can; to create mayhem; social standing; post political messages; zombie farms; steal bandwidth; host phishing pages
Any membership site  | Sell user profiles to marketers; obtain usernames and passwords
Some ecommerce sites | Sell credit card details to thieves; sell order history and contact details to marketers

Page 8: Brendon Hatcher Joomla Security

Why worry about hacking?

- Sites are targeted at random
- Hacking is actually quite easy
  – Vulnerable sites are easy to find
  – Vulnerable sites are easy to hack
- Fixing hacked sites is quite tricky
  – Hacks can be invisible
  – Clients may not notice a hacked site for some time
  – Finding a clean backup may be impossible
  – Determining what has been done can be really hard
  – May be difficult to restore
  – Hardening the site to avoid future hacks requires skill and focus

Page 9: Brendon Hatcher Joomla Security

Why worry about hacking?

- Hacked sites are a big problem
  – Business reputation
  – Angry clients
  – Site shutdown by host
  – Loss of business
  – Data theft

Photo: flickr.com/photos/gaetanlee/

Page 10: Brendon Hatcher Joomla Security

Hacking a Joomla site

- Is Joomla less secure than other systems?
- The site must be vulnerable
- 3 steps to hacking for fun and profit

Page 11: Brendon Hatcher Joomla Security

Is Joomla less secure than other systems?

- Yes and No
- Joomla has to strike a balance between security and ease of use
- Joomla is an attractive target for hackers
  – The critical mass of sites
  – Large amateur web developer user base
  – Extensions have variable security
- The site must be vulnerable

Page 12: Brendon Hatcher Joomla Security

3 steps to hacking for fun and profit

1. Find a vulnerability (and instructions on how to exploit it)

2. Find a vulnerable site

3. Hack the site

Then, sit back and enjoy fame and fortune!

Page 13: Brendon Hatcher Joomla Security

Find a vulnerability

- Security sites
  – www.exploit-db.com, www.secunia.com
- Various hacking sites/forums
- Joomla vulnerable extensions list
  – docs.joomla.org/Vulnerable_Extensions_List

Page 14: Brendon Hatcher Joomla Security

Find a vulnerable site

Google Dork – a search phrase to find vulnerable sites

- PHPInfo
  – intitle:phpinfo()
- Vulnerable extensions
  – allinurl:com_acajoom

Page 15: Brendon Hatcher Joomla Security

http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*

Cut and paste hack code

Photo: flickr.com/photos/tawheedmanzoor

Page 16: Brendon Hatcher Joomla Security

Security action plan

- Web sites are like onions
- Levels of security
- Web development tools
- Strong, unique passwords everywhere
- Continuous attention

Page 17: Brendon Hatcher Joomla Security

Web sites are like onions

- Server operating system
- Apache
- PHP + MySQL
- Joomla
- Extensions
- Users and their behaviour

Page 18: Brendon Hatcher Joomla Security

Levels of security

[1] Basic actions

[2] More complex actions

[3] Actions that require significant modification rights on the server (unless already implemented by default)

Image by echiner1

Page 19: Brendon Hatcher Joomla Security

Web development tools

- WHM – server administration
- cPanel – hosting account administration
- FileZilla – FTP app
- Keepass – password vault

Page 20: Brendon Hatcher Joomla Security

General advice

- Strong, unique passwords everywhere
  – A password vault removes the need to have a single, simple password
- Continuous attention needed

Page 21: Brendon Hatcher Joomla Security

Creating a safe home for Joomla

- Shared, VPS or dedicated servers?
- Apache
- PHP
- MySQL

Page 22: Brendon Hatcher Joomla Security

Shared, VPS or dedicated servers?

- A shared server
  – Your site(s) live in the same hosting space as other sites that you do not administer
  – This is the cheapest hosting option
  – No say over the security of the other sites on the server
  – An old shared server is the worst location for your hosting
- A Virtual Private Server
  – Better than shared
  – Still can’t change many settings

Page 23: Brendon Hatcher Joomla Security

Shared, VPS or dedicated servers?

- A dedicated server
  – Still a “shared” server
  – Allows you to upgrade and tweak all the settings on a dedicated server
  – Host retains responsibility for maintenance

Page 24: Brendon Hatcher Joomla Security

Additional security

- Suhosin – hardens PHP
- Samhain or Tripwire
- Configserver firewall

Page 25: Brendon Hatcher Joomla Security

Apache

- [3] suExec
  – CGI scripts run under the user of the website instead of the Apache user
- [3] mod_security
  – Intrusion detection and prevention engine

Page 26: Brendon Hatcher Joomla Security

PHP

- [2] PHP5, not PHP4
- [3] suPHP
  – PHP files are run under the user of the website instead of the Apache user
- Globally reset all files
  – Owner – AccountUsername:AccountUsername
    chown -R user:group *
  – Files – 644
    find . -type f -exec chmod 644 {} \;
  – Folders – 755
    find . -type d -exec chmod 755 {} \;

Page 27: Brendon Hatcher Joomla Security

Hosting account

- .htaccess files
  – [1] Activate the htaccess file in the Joomla root
  – [1] Use an .htpasswd for the /administrator/ folder
  – [3] Advanced .htaccess files
  – A LOT more important detail in the manual
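An added example, not from the talk, of the “[1] Use an .htpasswd for the /administrator/ folder” item: two shell functions, one that writes the .htaccess into the administrator folder and one that manages the matching .htpasswd. Assumed: Apache honours .htaccess for that directory (AllowOverride AuthConfig), the openssl command line tool is available to produce an Apache-compatible $apr1$ hash, and the paths are placeholders for your own account.

```shell
#!/bin/sh
# Added example (not from the talk): basic-auth protection for /administrator/.
# Assumes Apache reads .htaccess in that directory (AllowOverride AuthConfig)
# and that the openssl CLI is installed to create the password hash.
# Paths are placeholders; keep the .htpasswd file outside the web root.

# Add or replace one user in an .htpasswd file.
# Usage: add_htpasswd_user <htpasswd_file> <user> <password>
add_htpasswd_user() {
    file="$1"; user="$2"; pass="$3"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    # Apache's MD5-based ($apr1$) format, portable across Apache platforms.
    pwhash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    if [ -f "$file" ]; then
        # drop any previous line for this user, keep everyone else
        grep -v "^$user:" "$file" > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    printf '%s:%s\n' "$user" "$pwhash" >> "$file"
    chmod 640 "$file"   # readable by the web server's group only, never world-readable
}

# Write the .htaccess that makes Apache demand those credentials for the
# whole administrator folder, in front of Joomla's own login form.
# Usage: write_admin_htaccess <joomla_root>/administrator <htpasswd_file>
write_admin_htaccess() {
    admin_dir="$1"; htpasswd_file="$2"
    [ -d "$admin_dir" ] || { echo "not a directory: $admin_dir" >&2; return 1; }
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}
```

Usage on a cPanel-style account (paths assumed): `add_htpasswd_user /home/account/.htpasswd siteadmin 'a long unique passphrase'` followed by `write_admin_htaccess /home/account/public_html/administrator /home/account/.htpasswd`. The second password is a separate secret from the Joomla super user’s; it belongs in the password vault the later slides recommend, not in the FTP client.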

Page 28: Brendon Hatcher Joomla Security

Securing a Joomla site

- Keeping up to date
- Avoiding the obvious
- Hide, and be very, very quiet
- Spam form submissions
- Install sh404SEF

Page 29: Brendon Hatcher Joomla Security

Keeping up to date

- Must update Joomla core and extensions
- Remove unused extensions

Page 30: Brendon Hatcher Joomla Security

Avoiding the obvious

- [1] The default database extension is jos_
- [1] The default admin username is admin
- [1] The default admin user ID is 62
- [1] Change administrator access URL

Page 31: Brendon Hatcher Joomla Security

Hide, and be very, very quiet

Hide, and be very, very quiet

- [1] SEF all URLs
- [1] Clear the default Joomla metatags
- [1] Clear the default Home page title
- [1] Remove generator tag
- [1] Change favicon
- [2] Hide component credits

Page 32: Brendon Hatcher Joomla Security

Spam form submissions

- Trying to inject spam content onto your site
- Targets Joomla core forms and extension forms
- Install a captcha system

Page 33: Brendon Hatcher Joomla Security

Install sh404SEF

- SEF URLs hide from Google Dorks
- Flood control
- Other security settings

Page 34: Brendon Hatcher Joomla Security

Creating a safe working environment

- PC vulnerability to hacks
- FTP access hacks
- A note about users

“Burglar bars, electric fences, alarms… and a key left under the doormat”

Page 35: Brendon Hatcher Joomla Security

PC vulnerability to hacks

- [1] Install all operating system patches
- [1] Install all application system patches
- [1] Run comprehensive real-time protection apps
- [1] Install Secunia PSI
- [1] Secure your PC login
- [1] Secure your backup storage
- [2] Use a secure web browser

Page 36: Brendon Hatcher Joomla Security

FTP access hacks

If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.

– FTP passwords are stored unencrypted in your FTP program!
– FTP authentication details pass unencrypted to the server!
– There are several common FTP apps that store their passwords in a standard location with a standard name!

Page 37: Brendon Hatcher Joomla Security

FTP configuration

- [1] cPanel setup
  – Make sure that the FTP password is strong
- [1] PC setup
  – Password vault (LastPass, Keepass) to store the strong password
  – Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)
- [1] FileZilla
  – Copy all passwords to the password vault
  – Delete all passwords from the Site Manager
  – Set FileZilla to run in Kiosk mode

Page 38: Brendon Hatcher Joomla Security

FTP configuration

- [2] Joomla
  – Remove the FTP details from the configuration file
- [3] WHM
  – Disable FTP access and allow only SFTP access

A note about users

– You should ideally create separate user accounts for each staff member
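An added example (not the talk’s code) that serves two slides at once: the default jos_ prefix from Page 30 (the cut-and-paste attack string on Page 15 assumes a table called jos_users, so a non-default prefix defeats that particular paste) and “Remove the FTP details from the configuration file” from Page 38. The functions assume the Joomla 1.5/2.5 configuration.php layout, one `public $name = 'value';` line per setting (`var $name` in 1.5); the sample file they write is constructed for the demonstration, and `admin_defaults_query` only prints the SQL for you to run in the mysql client.

```shell
#!/bin/sh
# Added example (not from the talk): audit a Joomla configuration.php for the
# defaults the slides single out: the 'jos_' table prefix (Page 30) and FTP
# credentials left in the configuration file (Page 38).
# Assumes the Joomla 1.5/2.5-style file where each setting is one line like
#   public $dbprefix = 'jos_';      (or "var $dbprefix" in Joomla 1.5)

# Print the value of one JConfig setting. Usage: cfg_get <configuration.php> <name>
cfg_get() {
    awk -v key="$2" '
        ($1 == "var" || $1 == "public") {
            name = $2
            sub(/=.*/, "", name)                 # tolerate a missing space before =
            if (name == "$" key) {
                start = index($0, "\047")        # \047 is a single quote
                rest = substr($0, start + 1)
                print substr(rest, 1, index(rest, "\047") - 1)
            }
        }' "$1"
}

# Write a constructed sample configuration.php showing every default we flag.
# Usage: make_sample_config <path>
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $dbprefix = 'jos_';
    public $ftp_host = '127.0.0.1';
    public $ftp_user = 'acct';
    public $ftp_pass = 's3cret';
    public $ftp_enable = '1';
}
EOF
}

# One WARN line per finding on stdout; exit status 1 when anything was found,
# so the function can gate a deployment script.
# Usage: audit_joomla_config <configuration.php>
audit_joomla_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    found=0
    if [ "$(cfg_get "$cfg" dbprefix)" = "jos_" ]; then
        echo "WARN dbprefix is the default 'jos_' (attack strings assume jos_users)"; found=1
    fi
    if [ "$(cfg_get "$cfg" ftp_enable)" = "1" ]; then
        echo "WARN ftp_enable is '1': Joomla's FTP layer is switched on"; found=1
    fi
    if [ -n "$(cfg_get "$cfg" ftp_pass)" ]; then
        echo "WARN ftp_pass is stored in clear text in configuration.php"; found=1
    fi
    return $found
}

# SQL (to paste into the mysql client) that lists the default super-user
# identities from Page 30, built from the prefix actually in use.
# Usage: admin_defaults_query <configuration.php>
admin_defaults_query() {
    prefix=$(cfg_get "$1" dbprefix)
    printf "SELECT id, username FROM %susers WHERE id = 62 OR username = 'admin';\n" "$prefix"
}
```

If the FTP warnings fire, clear `$ftp_pass` and set `$ftp_enable` to `'0'`; once suPHP (Page 26) runs PHP as your own account, Joomla no longer needs the FTP layer to write files. If the SQL returns a row, rename the admin user and create a fresh super user so the stock ID is no longer a super administrator.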

Page 39: Brendon Hatcher Joomla Security

Preparing for the worst

- Site monitoring
- A disaster recovery plan
- Joomla site backups
- Restoring a hacked site

Page 40: Brendon Hatcher Joomla Security

Site monitoring

- Diagnostics
  – Site down
  – Home page content changes
  – mod_security logs (shows attempts)
  – Bandwidth use
  – Spam blacklisting
- [3] Searching and browsing server logs
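An added example (not from the talk) for “[3] Searching and browsing server logs”: shell functions that scan an Apache access log for requests carrying a UNION … SELECT injection attempt like the one on Page 15 and report the source IP together with the HTTP status, so blocked attempts (403, the usual response when mod_security rejects a request) stand out from ones that reached Joomla. The log lines are constructed for the example and the IPs are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the talk): scan an Apache access log (combined
# format) for UNION ... SELECT injection attempts such as the one on Page 15
# and show whether each was blocked (403, typical for mod_security) or got
# through to Joomla and therefore needs a closer look.

# Constructed sample log for the demonstration; IPs are documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [08/May/2015:10:01:02 +0200] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2015:10:01:09 +0200] "GET /index.php?option=com_acajoom&act=mailing&listid=1/**/union/**/select/**/1,2,3/**/from/**/jos_users/* HTTP/1.1" 403 228 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2015:10:01:10 +0200] "GET /index.php?option=com_acajoom&act=mailing&listid=1%20UNION%20ALL%20SELECT%201,2,3 HTTP/1.1" 200 3310 "-" "Mozilla/4.0"
203.0.113.5 - - [08/May/2015:10:02:40 +0200] "GET /administrator/index.php HTTP/1.1" 401 450 "-" "Mozilla/5.0"
192.0.2.9 - - [08/May/2015:10:03:00 +0200] "GET /index.php?option=com_content&view=category&id=1 HTTP/1.1" 200 6010 "-" "Mozilla/5.0"'

# Usage: write_sample_log <path>
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# One line per suspicious request: <ip> <status> <request path>.
# Usage: find_union_select <access_log>
find_union_select() {
    awk '
        {
            path = $7                                  # request target in combined format
            probe = tolower(path)
            gsub(/\/\*\*\/|%20|\+/, " ", probe)        # undo the usual spacing tricks
            if (probe ~ /union +(all +)?select/) print $1, $9, path
        }' "$1"
}

# Flagged requests per source IP, busiest first: <count> <ip>.
# Usage: union_select_by_ip <access_log>
union_select_by_ip() {
    find_union_select "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Flagged requests that were NOT blocked (anything but a 403): these are the
# ones to chase in the Joomla logs and the database.
# Usage: unblocked_union_select <access_log>
unblocked_union_select() {
    find_union_select "$1" | awk '$2 != "403"'
}

# Plain count, handy for a cron job that mails you when it is non-zero.
# Usage: count_union_select <access_log>
count_union_select() {
    find_union_select "$1" | wc -l | tr -d ' '
}
```

Point the functions at the real log (on cPanel hosts the raw access log lives under the account’s `access-logs` directory; path assumed) and run `unblocked_union_select` daily: a 200 on an injection attempt against an extension you still have installed is the cue to check that extension against the vulnerable extensions list and to look at the users table for the “new user with admin rights” symptom from the evidence slide.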

Page 41: Brendon Hatcher Joomla Security

Disaster Recovery Plan

- Depending on how central your web site is to your business, you may need a DRP
- See Tom Canavan’s presentation
  – http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery

Photo: flickr.com/photos/28481088@N00

Page 42: Brendon Hatcher Joomla Security

Joomla site backups

- Long-cycle Joomla backups are critical
- Redundant backups lead to restful sleep
- See my Joomla for Web Developer talk for MUCH more detail

Page 43: Brendon Hatcher Joomla Security

Restoring a hacked site

- Fixes the obvious problems
- Does not address:
  – Hidden hacks
    • Shell scripts
    • Backdoors
    • Zombies
  – Continuing vulnerabilities
  – Impacts of data exposure

Photo: flickr.com/photos/andreweason

Page 44: Brendon Hatcher Joomla Security

Credits/Disclaimer

- Brendon Hatcher is the compiler of this presentation
- The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives
- If you don’t know what this licence means, go to creativecommons.org
- The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.