Drupal Threat Landscape

Copyright Justin C. Klein Keane, jukeane@sas.upenn.edu

Upload: delphia-gilbert

Post on 12-Jan-2016

Page 1: Drupal Threat Landscape

Page 2: whoami

Information security specialist with University of Pennsylvania
Worked infosec for over a decade
Discovered over 100 Drupal vulnerabilities in core and contributed modules
One of the chapter leaders for Philadelphia OWASP
Began my professional career as a web developer so I feel your pain...

Page 3: Quick poll

Let's chat about security metrics...

Page 4: About this Presentation

Security is a massive topic
Highlight the most likely way(s) your Drupal site will get compromised
The litany of ways it could get compromised would take all day...
#1 reason your site will be a target: Money

Page 5: It's not personal

When hacking is illegal, only criminals will hack
Hacking used to be about curiosity or notoriety
Now hacking is all about money
Financial motivation guides most compromises

Page 6: Making money from cybercrime

Compromise banking or purchasing credentials
Black hat SEO
Sending spam
Denial of service and extortion
Building and renting botnets

Page 7: Targets of Crime

Databases
  Large stores of financial or credit card data
  Stores of user account credentials
End user machines
  Contain individual financial credentials
  Can be added to botnets
  Provide bandwidth for denial of service attacks

Page 8: Where's the Drupal?

How does Drupal fit into this equation?

Page 9: Value of your Drupal

Reputation and Trust
Your Drupal site likely has a legitimate search engine ranking
Your users trust your Drupal site
Your Drupal site is a valuable platform that reaches a large number of visitors and trusted admins

Page 10: Economics

Attackers choosing targets will seek the high return with the least risk/effort
Target pool is the entire internet
Two main high value targets:
  Large financial data stores: high risk/effort – high reward
  End user machines where financial transactions take place: low risk/effort – low reward
Unless...

Page 11: Ah Computation

Computers make automation easy
+ The internet allows for massive scale
= Attack lots of low risk/effort targets for massive rewards!

Page 12: Anatomy of an Attack

Find a vulnerability that affects a large number of servers
Exploit the vulnerability en masse to install something that will attack each client that visits a site
Result: A large number of malware installations

Page 13: Malware

Malware is the virus code that will run on end user computers
Generally exploits a vulnerability in a web browser or some third party plug in
Examples:
  Webkit vulnerability
  Flash
  Java
  Adobe Acrobat
  XML rendering engine
  Etc.

Page 14: Malware Design

Trick the user into loading a specific page
Page contains tainted content
Client loads content, triggering attack
Tainted content executes arbitrary code
Generally a downloader
Downloader reaches out to the internet and downloads larger malware toolkit
Once download complete toolkit is installed

Page 15: (no transcribed text on this slide)

Page 16: Types of Attack – SQL Injection

SQL injection requires a module developer to willfully ignore the Drupal framework
Allows an attacker to issue database queries through the web interface
Can be used for all sorts of nefarious purposes
Ensure your Drupal site isn't using the MySQL root account!
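The "ignore the framework" pattern beside the placeholder pattern the framework provides, as an added example that is not from the slides. Drupal 7's `db_query()` takes named placeholders (`:name`) with an argument array; to run without a Drupal bootstrap the code below uses PDO with an in-memory SQLite database, and the table rows and the hostile input are constructed for the demo.

```php
<?php
// Added example, not from the presentation. The "ignore the framework" pattern
// beside the placeholder pattern that Drupal 7's db_query() expects, e.g.
//   db_query('SELECT uid FROM {users} WHERE name = :name', array(':name' => $name));
// To run without Drupal this uses PDO with an in-memory SQLite database;
// the rows and the hostile input are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('admin'), ('editor'), ('reader')");

// Vulnerable: the request parameter is spliced straight into the SQL text, so
// any quoting inside the input becomes part of the query itself.
function lookup_user_vulnerable(PDO $pdo, $name) {
  $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
  return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Drupal-style: the SQL text is fixed and the value travels as a bound
// parameter, so it is only ever compared against, never parsed as SQL.
function lookup_user_safe(PDO $pdo, $name) {
  $stmt = $pdo->prepare('SELECT uid, name FROM users WHERE name = :name');
  $stmt->execute(array(':name' => $name));
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = 'editor';
$hostile = "' OR '1'='1";  // constructed: turns the WHERE clause into a tautology

printf("benign,  vulnerable: %d row(s)\n", count(lookup_user_vulnerable($pdo, $benign)));
printf("benign,  safe:       %d row(s)\n", count(lookup_user_safe($pdo, $benign)));
printf("hostile, vulnerable: %d row(s)\n", count(lookup_user_vulnerable($pdo, $hostile)));
printf("hostile, safe:       %d row(s)\n", count(lookup_user_safe($pdo, $hostile)));
```

With the benign name both lookups return the one matching row. With the hostile string the concatenated query returns the whole table, while the bound-parameter query returns nothing, because no user is literally named `' OR '1'='1`. The slide's last point is the second layer: a database account limited to the site's own tables bounds what a bug of this kind can reach, whereas the MySQL root account bounds nothing.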

Page 17: Types of Attack – XSS

XSS stands for cross site scripting
Better known as arbitrary script injection
Can be used by an attacker to produce an alert box!
Actually can be used to write any HTML to a page, including but not limited to:
  Javascript
  Iframe tags
  Object tags

Page 18: Types of Attack – XSS (cont.)

Javascript can be used to steal cookie tokens and perform session hijacking
XSS can be used to perform XSRF
Can be used to include references to malicious content
Can be used to redirect your users to another site
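Two ways of putting user-supplied text into a page without letting it inject script, iframe or object tags, as an added example that is not from the slides. `render_plain()` does what Drupal 7's `check_plain()` does (`htmlspecialchars()` with `ENT_QUOTES` and UTF-8). `render_allowlisted()` is a simplified stand-in for `filter_xss()`: it is not Drupal's implementation, only the same idea of an allow-list of tags and attributes, built on PHP's DOMDocument. The sample comment is constructed.

```php
<?php
// Added example, not from the presentation: two ways of rendering
// user-supplied text. render_plain() matches Drupal 7's check_plain();
// render_allowlisted() is a simplified stand-in for filter_xss(), NOT
// Drupal's code. The sample comment below is constructed.

function render_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_allowlisted($html, array $allowed_tags = array('a', 'em', 'strong', 'p')) {
  $dropped_whole = array('script', 'style', 'object', 'embed', 'iframe');
  libxml_use_internal_errors(TRUE);          // tolerate sloppy markup quietly
  $doc = new DOMDocument();
  $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
  $xpath = new DOMXPath($doc);
  $root = $xpath->query('//div[@id="root"]')->item(0);

  // Collect descendants in document order, then walk them in reverse so each
  // child is handled before its parent is unwrapped or removed.
  $nodes = array();
  foreach ($xpath->query('.//*', $root) as $node) {
    $nodes[] = $node;
  }
  foreach (array_reverse($nodes) as $node) {
    $tag = strtolower($node->nodeName);
    if (in_array($tag, $dropped_whole, TRUE)) {
      $node->parentNode->removeChild($node);   // element and its contents both go
      continue;
    }
    if (!in_array($tag, $allowed_tags, TRUE)) {
      while ($node->firstChild) {              // keep the text, lose the tag
        $node->parentNode->insertBefore($node->firstChild, $node);
      }
      $node->parentNode->removeChild($node);
      continue;
    }
    // Allowed tag: strip every attribute (on*, style, src, ...) except an
    // http(s) href on <a>, so javascript: and data: URLs never survive.
    for ($i = $node->attributes->length - 1; $i >= 0; $i--) {
      $attr = $node->attributes->item($i);
      $keep = $tag === 'a' && strtolower($attr->name) === 'href'
        && preg_match('#^https?://#i', trim($attr->value));
      if (!$keep) {
        $node->removeAttribute($attr->name);
      }
    }
  }

  $out = '';
  foreach ($root->childNodes as $child) {
    $out .= $doc->saveHTML($child);
  }
  return $out;
}

// Constructed hostile comment: an event handler, inline script, a
// javascript: link, an iframe, and one legitimate link.
$comment = '<p onclick="steal()">Hi <script>steal()</script>'
  . '<a href="javascript:steal()">click</a> '
  . '<a href="https://example.com/">ok</a>'
  . '<iframe src="https://evil.example/"></iframe></p>';

echo "As plain text:\n", render_plain($comment), "\n\n";
echo "With the tag allow-list:\n", render_allowlisted($comment), "\n";
```

The plain rendering shows the comment as literal text, which is the right choice wherever users do not need markup at all. The allow-list rendering keeps the paragraph and the `https://` link but drops the event handler, the script, the iframe and the `javascript:` href, which is the shape of control the later "restrict tags that users can utilize" advice relies on. Note that PHP's `strip_tags()` with an allowed-tags argument is not a substitute: it leaves attributes on the tags it keeps, so an `onclick` on an allowed `<p>` would survive it.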

Page 19: Types of Attack – XSRF

Cross Site Request Forgery
Attack causes your browser to submit forms silently in the background
Because all GET/POST requests carry appropriate cookies, requests are often assumed to be legit
Drupal form tokens prevent this UNLESS the attacker can inject JavaScript to read them
XSRF can be used to silently change settings or post content in your Drupal site
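The shape of the form-token check that stands behind "Drupal form tokens prevent this", as an added example that is not from the slides. In Drupal 7, `drupal_get_token($value)` is `drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt())` and `drupal_valid_token()` recomputes and compares it; the functions below reimplement that shape stand-alone rather than calling Drupal. The session ids, private key and hash salt are constructed for the demo.

```php
<?php
// Added example, not from the presentation: a stand-alone reimplementation of
// the shape of Drupal 7's form token (drupal_get_token / drupal_valid_token).
// Session ids and key material are constructed for the demo.

// drupal_hmac_base64(): HMAC-SHA256, base64 in the URL-safe alphabet, no padding.
function hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// Token for one form, bound to one session and this site's secrets.
function form_token($form_id, $session_id, $private_key, $hash_salt) {
  return hmac_base64($form_id, $session_id . $private_key . $hash_salt);
}

// Constant-time comparison against a freshly computed token.
function form_token_valid($submitted, $form_id, $session_id, $private_key, $hash_salt) {
  $expected = form_token($form_id, $session_id, $private_key, $hash_salt);
  return hash_equals($expected, (string) $submitted);
}

$private_key = 'constructed-site-private-key';
$hash_salt   = 'constructed-hash-salt';
$form_id     = 'user_profile_form';

// The site renders the form for the victim and embeds the token in a hidden field.
$victim_session = 'constructed-victim-session-id';
$hidden_field   = form_token($form_id, $victim_session, $private_key, $hash_salt);

// 1. The victim submits the form from the page the site served: accepted.
$own_submit = form_token_valid($hidden_field, $form_id, $victim_session, $private_key, $hash_salt);

// 2. A form on another site makes the browser POST with the victim's cookie,
//    but that site cannot read the victim's page, so it has no token: rejected.
$forged_submit = form_token_valid('', $form_id, $victim_session, $private_key, $hash_salt);

// 3. A token minted in some other session does not match the victim's either.
$other_token    = form_token($form_id, 'constructed-other-session-id', $private_key, $hash_salt);
$replayed_submit = form_token_valid($other_token, $form_id, $victim_session, $private_key, $hash_salt);

var_dump($own_submit, $forged_submit, $replayed_submit);
```

Only the first submission validates: the token is tied to the victim's session through the HMAC key, and a cross-site form gets the cookie sent for free but never sees the hidden field. The slide's UNLESS is exactly the gap: script injected into the site's own page runs inside the victim's session, can read the hidden field, and can therefore build submissions this check accepts, which is why the XSS slides list XSRF as one of the things XSS enables.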

Page 20: Other Types of Attack

Access bypass
Open redirect
Information disclosure
Arbitrary code execution (BAD!!!)

Page 21: Tactics for Injecting Tainted Content

Use SQL injection to arbitrarily add it to the database
Use XSS to force a reference to the tainted content
Upload tainted content directly or include a link to tainted content
Use stolen credentials to add content through the admin interface
Purchase a malicious ad banner
Trick the user (Fake AV)
And so on...

Page 22: Economies of Scale

Automation is the key to making this profitable
Attackers will try to identify a vulnerability affecting a large number of sites
Attackers will test their attack strategy then deploy it once it is automated
Attacks are over in a few seconds
Your site will be one of thousands, or millions, of victims

Page 23: Why You Should Care

You do care about your visitors, don't you?
Even if you don't:
  Your site could get delisted by search engines
  Your hosting provider could block your site
  Your domain registrar could block your site
  End user browsers could block your site
Net result – denial of service

Page 24: Protect Thyself

#1 thing you can do is keep your Drupal core and modules up to date
Use the latest version of core if you can
Don't forget about third party libraries like TinyMCE and jQuery
Make sure MySQL isn't IP accessible
Keep your web server and operating system up to date
Use strong FTP/SSH passwords!

Page 25: Avoid Admin Account Compromise

Recently Drupal brute force bots have been spotted in the wild!
Create a new account with all privileges
Disable your uid 1 account

Page 26: Trust but Verify

Avoid allowing untrusted users to publish content
Restrict tags that users can utilize
Moderate your content if possible
Restrict file upload types
Use an antivirus package to scan file uploads
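Checks a site can run on an upload before storing it, in the spirit of "Restrict file upload types", as an added example that is not from the slides. The extension allow-list is the idea behind Drupal 7's `file_validate_extensions()` and the renaming of inner extensions is the idea behind `file_munge_filename()`; the code here is a stand-alone sketch of those checks plus a content-type check with PHP's fileinfo extension, not Drupal's implementation. The sample files are constructed.

```php
<?php
// Added example, not from the presentation: upload checks in the spirit of
// Drupal 7's file_validate_extensions() and file_munge_filename(), written
// stand-alone (not Drupal's code). Sample files are constructed.

function check_upload($client_name, $tmp_path, array $allowed = array('jpg', 'jpeg', 'png', 'gif', 'pdf')) {
  $errors = array();
  $name = basename(str_replace("\0", '', $client_name));   // no paths, no null bytes
  $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));

  if (!in_array($ext, $allowed, TRUE)) {
    $errors[] = "extension .$ext is not allowed";
  }

  // Double extensions such as shell.php.jpg: some web server configurations
  // pick the handler from an inner extension, so neutralise every inner part
  // that is not on the allow-list (shell.php_.jpg), as Drupal does.
  $parts = explode('.', $name);
  $base  = array_shift($parts);
  $last  = count($parts) - 1;
  foreach ($parts as $i => $part) {
    if ($i < $last && !in_array(strtolower($part), $allowed, TRUE)) {
      $parts[$i] = $part . '_';
    }
  }
  $safe_name = $parts ? $base . '.' . implode('.', $parts) : $base;

  // The extension claims an image or PDF; check that the bytes agree
  // (needs the fileinfo extension, enabled by default in modern PHP).
  $expected_mime = array(
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif', 'pdf' => 'application/pdf',
  );
  $finfo = new finfo(FILEINFO_MIME_TYPE);
  $mime  = $finfo->file($tmp_path);
  if (isset($expected_mime[$ext]) && $mime !== $expected_mime[$ext]) {
    $errors[] = "content looks like $mime, not {$expected_mime[$ext]}";
  }

  return array(
    'accept'    => empty($errors),
    'errors'    => $errors,
    'safe_name' => $safe_name,
    'mime'      => $mime,
  );
}

// Constructed sample 1: named like an image, but the bytes are a PHP script.
$tmp = tempnam(sys_get_temp_dir(), 'upload');
file_put_contents($tmp, "<?php echo 'not an image'; ?>\n");
print_r(check_upload('avatar.php.jpg', $tmp));

// Constructed sample 2: a PNG signature with a plain name.
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
print_r(check_upload('avatar.png', $tmp));
unlink($tmp);
```

The first sample is rejected on content and would be stored as `avatar.php_.jpg` even if it were accepted; the second passes. The extension check alone is what "restrict file upload types" usually means in practice, and the content check is the cheap second opinion to pair with the antivirus scan the same slide recommends: both look at the bytes rather than the name the client chose.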

Page 27: Install Security Related Modules

Security Review: spot problems proactively
Login Security: block brute force attempts
Password Strength: prevent weak passwords
CAPTCHA & reCAPTCHA: deny attackers automation

Page 28: Beware!

Don't use alpha, beta, dev, or rc (release candidate) versions of modules
Wait, why? Even for Drupal 7?
Only use the modules you need
Be careful of modules that are designed to extend privilege
Be sure your module developers understand and follow Drupal security guidelines
Make sure your theme designers do too!

Page 29: How to Detect a Compromise

If you're lucky you'll spot a compromise
Most likely though you'll get the dreaded 3rd party notification
Email from your hosting provider or other party
In extreme cases your site will simply go offline

Page 30: Obligatory

KEEP GOOD BACKUPS! (test them)

Page 31: What to do after a compromise

Don't panic!
Decide on a course of action
Seek professional help if appropriate
Preserve evidence if possible
Work with your hosting provider to figure out what went wrong
Be sure the compromise is contained before you go back online

Page 32: Getting Help

Come to Drupaldelphia!
OWASP (http://www.owasp.org)
Contract for a security review
Follow the Drupal security mailing list
Report compromises to:
  Your hosting provider
  Your users

Page 33: File a Complaint (http://www.ic3.gov)

Page 34: Thanks so much!

Questions?