WordPress Security Knowledge is Power

Upload: perezbox

Post on 29-Jan-2015


TRANSCRIPT

Page 1: Word camp orange county 2012 enduser security

WordPress Security: Knowledge is Power

Page 2: Who Am I

04/10/2023 @sucuri_security @perezbox #wcoc

Hi, my name is Tony Perez | @perezbox

Marine Corps – War Vet

Sucuri Security

Objectivity and rationalism

Gun carrying, Harley riding, Martial Artist.

Web-malware is my life

Page 3: What are we going to talk about?

Web Security

Look at some statistics…

Provide an understanding of web malware

Understand the threat scape a bit…

Look at some of the recent trends…

Give some hardening tips

Get into the recommendations…

Page 4: Thinking about Web Security

Web Security: Access, Containment, Knowledge

Page 5: The Stats

Page 6: Web Numbers

> 700 Million websites – As of May 2012 – Netcraft

300 Million – Number of websites in 2011 – Pingdom

10.82 Billion – Number of indexed pages – WorldWebSize

2.1 Billion – Number of internet users worldwide – Pingdom

Projected: 1 Billion – 2013; 2 Billion – 2015

Page 7: WordPress Numbers

73 Million+ – Number of WP-powered sites

16% – Of all websites run WordPress

22 – Out of every 100 new domains in the U.S.

54% – CMS market share

62% – Market share of top 1,000,000 sites

53% – Market share of top 100,000 sites

55% – Market share of top 10,000 sites

Projection: 300 – 500 Million – 2015

Page 8: Web Malware Numbers

403 Million – Unique variants of malware 2011

140% Growth – 2010 – 2011 in unique variants

55,294 – Malicious web domains in 2011

130% Growth – 2010 – 2011 in malicious domains

81% – Increase in malicious web-based attacks between 2010 / 2011

42 Billion – Global SPAM per day 2011

(Source: Symantec Internet Security Threat Report, Vol 17)

Page 9: Gah… NO MORE NUMBERS

The web is growing at an unprecedented pace.

WordPress growth – astronomical and gaining

Web-based malware is not far behind

To have a virtual presence you must consider the security of your website

Page 10: Web Security

Page 11: Thinking about Web Security

Web Security

Access – Control, Authentication

Containment – Reduce Threat, Minimize Impact

Knowledge – Have a Plan, Be Prepared

Page 12: Web-based Malware

Malware – Short for malicious software. This software is designed to disrupt operation of an information system (i.e., local machine, server, mobile device, etc.)

In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack. – BlueCoat 2012 Web Security Report

Page 13: Types of Malware

Obfuscated JavaScript

Hidden & Malicious iFrames

Embedded Trojans

Phishing Attempts

Malicious Redirects

Backdoors (e.g., C99, R57, Webshells)

Stupid, Pointless, Annoying Messages (SPAM)

Defacement

Anomalies

IP Cloaking

Drive by Downloads

Page 14: Attack Vectors

User Issues

Out-of-Date Software

Social Engineering

Compromised Credentials

Software Issues

SQL Injection

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (XSRF)

Remote Execution

Page 15: Most Common Distributions

Social Engineering – Trick you into installing malware

Compromising credentials

Websites, Email, Twitter

Drive-by Downloads – Install malware after exploiting a vulnerability – big issue for us in the WP community

iFrame (52.6%) and JS injections (26.5%)

Malicious redirects – Redirect the user to another site, often one distributing malware

Page 16: Threat Landscape

Network

Web Server

Application

End User

Local Environment

Administration

Environmental

Page 17: The Attacker

Types

White-Hat

Ethical / Grey Hat

Script Kiddie

Hacktivist

Cracker / Black Hat

Culture

Has a code of ethics, heroes and villains, and competing gangs

Knowledge is power

Most believe information and computer access should be freely shared

Major motivation among hackers is status

Financial gain is a strong motivation with crackers – Robin Hood mindset – OK to steal

Page 18: But I only write about lazy lizards!!!!

• Opportunistic Attacks

• Road of least resistance

• Political Agenda / Further Cause

• Mass Exposure

• In short – it doesn’t matter what you write about, you have a virtual presence

Page 19: Is WordPress insecure?

Out of the box, core is well built and secure

It’s no longer the days of 1.5

Security team is in place to quickly address and patch issues

Extensibility – both its strength and weakness

With popularity comes a target… think Windows for local environments

Easy target because of its exposure, attackers focusing on the platform

Road of least resistance

Page 20: Recent Vulnerabilities and Infections

Vulnerabilities

PHP-CGI Vulnerability - Patched

WooThemes Vulnerability – Patched

TimThumb Vulnerability – Patched

Campaigns

Recovery-hdd.eu Malware Campaign

Nikjju Mass Injection Campaign

GetMama Conditional Malware Campaign

.RR.NU Malware Campaign

Sweepstake Malware Campaign

Page 21: Top reasons why we see these infections

Poor Credential Management

Poor System Administration

Soup Kitchen Servers

Out of Date Software

Lack of Web knowledge

Use of self-proclaimed “experts”

Cutting Corners

Page 22: So what can you do? Glad you asked

Page 23: Reduce Threat Risk

Update

Credentials

Communicate Securely

Themes / Plugins

Harden Your Install

Don’t forget your local environment

Knowledge - Resources

Page 24: Update, Update, Update

Leading cause of infections

If your theme is so coupled with core it can’t be updated, consider purchasing a new one

PHP, Core, Themes, Plugins, JavaScript…

Page 25: Credentials (user / password)

Basics

Avoid using ‘Admin’ & ‘Administrator’

Use Strong Passwords – Online Generator: http://www.onlinepasswordgenerator.com/password.php

Use a Password Manager – LastPass – Free – Online / Mobile Access

https://lastpass.com/

1Password – https://agilebits.com/onepassword

Take-Aways

Complex unique password – Upper / Lower, Symbols, Numbers

Longer than 18 characters

Passphrases

Use one time – Password manager

In short: No Dates, No Names, No Pets, No Places

A = @, E = 3, S = $, O = 0 – They know this
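As an added illustration (not part of the deck), a small Python checker that applies these take-aways: length over 18, mixed case, numbers, symbols, no year-like dates, and a dictionary check that first undoes the A = @, E = 3, S = $, O = 0 substitutions so they cannot hide a known word. The word list is a constructed stand-in for the real lists attackers use.

```python
import re

# Constructed stand-in for the dictionaries attackers run first: common words,
# names, pets, places. A real checker would load a large list.
KNOWN_WORDS = {"password", "admin", "tony", "fluffy", "london", "wordpress"}

# The substitutions the deck calls out ("They know this"): undo them before
# comparing, so 'p@$$w0rd' is judged as 'password'.
LEET = str.maketrans({"@": "a", "3": "e", "$": "s", "0": "o"})

YEAR_RE = re.compile(r"(19|20)\d\d")


def normalize(pw: str) -> str:
    """Lower-case and de-leet a candidate password."""
    return pw.lower().translate(LEET)


def check_password(pw: str) -> list:
    """Return the deck's rules that the password violates (empty list = passes)."""
    problems = []
    if len(pw) <= 18:
        problems.append("shorter than 19 characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        problems.append("needs upper and lower case")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    if YEAR_RE.search(pw):
        problems.append("contains a date")
    base = normalize(pw)
    for word in sorted(KNOWN_WORDS):
        if word in base:
            problems.append("contains known word '%s' (leetspeak does not hide it)" % word)
    return problems


if __name__ == "__main__":
    for candidate in ("p@$$w0rd", "T0ny1985!", "Correct Horse Battery Staple 2!"):
        print(candidate, "->", check_password(candidate) or "OK")
```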

Page 26: Data Dictionary / Defacement

Page 27: Communicate Securely

Communication mechanisms

File Transfer Protocol (FTP)

SSH File Transfer Protocol (SFTP)

Secure Shell (SSH)

Tools

Filezilla

Coda

NCFTP

SFTP / SSH – Best Approach

Google: How to create SFTP account on [Host Name]

Google: How to enable SSH on [Host Name]

Page 28: Safe Themes / Plugins

WordPress Repository is a good place to start

19.6k+ – Available Plugins

1.5k+ – Available Themes

Look for good descriptions of the theme or plugin

Look to see versions and updates

Active change log is always good

Theme-check & Plugin-check are good tools to check potential issues

Free Theme? http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Page 29: Plugins To Avoid

WPStats.org SPAM – Fake Advanced Search Plugin – SEO poisoning – Bad

http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search-plugin.html

Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0) – Upload / Server control – Very Bad

http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with-pwwangs-code-for-wordpress-version-1-0-0.html

Absolute Privacy Plugin – Known vulnerability

http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html

ToolsPack Plugin – Dangerous backdoor – full access – Very Bad

http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html

Page 30: What websites are dangerous?

Page 31: Hardening – Getting er done!

Page 32: HTACCESS is your Friend

Configuration file for web servers using Apache

Features:

Error Documents

Redirects

Password Protection

Deny visitors by IP

Hot link prevention

Access prevention

More?

Apply these changes at your own peril – run risk of blowing up site

Page 33: Protect HTACCESS

Permission: <= 640

# PROTECT HTACCESS
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

Page 34: Protect WP-Config

.htaccess

Permissions: <= 640

# PROTECT WP-CONFIG
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Page 35: Authentication Keys – wp-config.php

Encrypts information stored in user’s cookies

https://api.wordpress.org/secret-key/1.1/salt/

Resource: http://codex.wordpress.org/Editing_wp-config.php

Page 36: Database Prefix

Default is “wp_”

wp-config.php

Page 37: Admin User

Created by default in versions <= 3.0

In higher versions you can define your own administrator

Create new user, apply “administrator” role

Be mindful of any posts created by “admin” user

Delete “admin” user

Page 38: Disable Directory Listing

Nobody should know the color of your skivvies

Default in most hosts, not always

# PREVENT DIRECTORY LISTINGS
Options -Indexes

Page 39: Disable Plugin / Theme Editor

wp-config.php file

Remove the ability to modify your files via your wp-admin panel – forces you to use SFTP / SSH and your local IDE

# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
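An added audit, written for this page rather than taken from the deck or from WordPress, that reads a wp-config.php and flags the three items from the last three slides: keys/salts still on the shipped placeholder (slide 35), the default wp_ table prefix (slide 36) and a missing DISALLOW_FILE_EDIT (slide 39). The sample config is constructed; generate_keys() is a local stand-in for the api.wordpress.org salt service.

```python
import re
import secrets

# Constructed wp-config.php fragment showing all three problems at once.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

# The eight constants wp-config.php ships with a placeholder value.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_defines(config: str) -> dict:
    """Map constant name -> the raw PHP value expression as written in the file."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config)}


def audit_wp_config(config: str) -> list:
    """Return one finding string per deck item that is not satisfied."""
    findings = []
    defines = parse_defines(config)
    # Slide 35: placeholder (or absent) keys mean the secret protecting user cookies is public.
    weak = [k for k in KEY_NAMES if k not in defines or PLACEHOLDER in defines[k]]
    if weak:
        findings.append("placeholder or missing keys/salts: " + ", ".join(weak))
    # Slide 36: the default prefix is what mass-injection scripts assume.
    m = PREFIX_RE.search(config)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    # Slide 39: the dashboard file editor should be switched off.
    if defines.get("DISALLOW_FILE_EDIT", "").strip().lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    return findings


def generate_keys() -> str:
    """Fresh random define() lines, the local equivalent of fetching them from the API."""
    return "\n".join("define('%s', '%s');" % (name, secrets.token_urlsafe(48))
                     for name in KEY_NAMES)


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(generate_keys())
```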

Page 40: Permissions

Directories: 755

Files: 644

Important Files:

.htaccess = 644

wp-config.php = 600

php.ini = 600

php.cgi = 711

php5.cgi = 100

Reading: http://codex.wordpress.org/Changing_File_Permissions

Directories: find [path to install] -type d -exec chmod 755 {} \;

Files: find [path to install] -type f -exec chmod 644 {} \;
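An added Python audit (not from the deck or the Codex) that checks a tree against the modes on this slide, 755 for directories and 644 for files, with the per-file overrides listed above, and can then apply them. It builds a constructed throw-away install with two classic mistakes, a world-writable uploads directory and a world-readable wp-config.php, so it runs without touching a real site.

```python
import os
import stat
import tempfile

# Per-name overrides from the slide, checked before the generic dir/file modes.
SPECIAL = {".htaccess": 0o644, "wp-config.php": 0o600, "php.ini": 0o600,
           "php.cgi": 0o711, "php5.cgi": 0o100}
DIR_MODE, FILE_MODE = 0o755, 0o644


def expected_mode(path: str, is_dir: bool) -> int:
    """The mode the slide prescribes for this path."""
    name = os.path.basename(path)
    if not is_dir and name in SPECIAL:
        return SPECIAL[name]
    return DIR_MODE if is_dir else FILE_MODE


def audit_permissions(root: str) -> list:
    """Return (relative path, actual mode, expected mode) for every deviation."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if actual != want:
                findings.append((os.path.relpath(path, root), actual, want))
    return findings


def fix_permissions(root: str) -> int:
    """Apply the policy (what the two find/chmod commands do, plus the overrides)."""
    fixed = 0
    for rel, _actual, want in audit_permissions(root):
        os.chmod(os.path.join(root, rel), want)
        fixed += 1
    return fixed


def build_sample_install() -> str:
    """Constructed mini install: 777 uploads dir and file, 644 wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel, mode in [("wp-config.php", 0o644), (".htaccess", 0o644),
                      ("index.php", 0o644), ("wp-content/uploads/stray.php", 0o777)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)  # mkdtemp creates the root as 0700
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    return root


if __name__ == "__main__":
    site = build_sample_install()
    for rel, actual, want in audit_permissions(site):
        print("%-32s is %o, want %o" % (rel, actual, want))
    print("fixed", fix_permissions(site), "entries; remaining:", audit_permissions(site))
```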

Page 41: Protect WP-Admin

If you have a dynamic IP this might be problematic

Consider HTTPS (Heavy / Complicated) or Basic Authentication (Effective / Simple)

# SECURE Access to WP-ADMIN
<FilesMatch ".*">
Order Deny,Allow
Deny from all
Allow from [IP Address]
</FilesMatch>

Page 42: Harden WP-Includes

Create .htaccess in wp-includes directory

# PROTECT WP-INCLUDES
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>

Page 43: Harden WP-Content

Create .htaccess in wp-content directory

Most vulnerable, contains Uploads directory, often the attack vector

It can be moved, but if you’re an end-user don’t touch – hire a pro – lots of dependencies

# PROTECT WP-CONTENT
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>

Page 44: Limit Upload

Most shells < 1 MB

Good idea anyway

# limit file upload to 10 MB
LimitRequestBody 10240000

Page 45: Protect Against Bots

Malnets are a growing problem, proactively protect against them using a Web Application Firewall

Perishable Press – 5G Blacklist 2012

http://perishablepress.com/5g-blacklist-2012/

Page 46: 5G WordPress Add-On

Don’t want to add all that other stuff? No problem, try this condensed version for WordPress

Doesn’t require the 5G Blacklist and helps protect against bad URL requests – i.e., helps take the load off your server from these very annoying requests

Source: http://perishablepress.com/wordpress-5g-blacklist/

Careful – wp-signup required for MultiSite

Page 47: Secure Login Page

There are a number of plugins you can use for this, or you can turn to your .htaccess again

Might be an issue if your IP is not static.

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from [Your IP]
</Files>

Page 48: Protect against XSS

Deny bad query strings – in short, don’t become a victim to cross-site scripting

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
# RewriteEngine On is needed unless something else in the file already enables mod_rewrite
RewriteEngine On
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
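To see what that rule set does before enabling it, here is an added Python model (not part of the deck) that applies the same patterns the way Apache does: an unanchored, case-insensitive search of the raw query string, with any match giving a 403. The URLs are constructed; note that the set also refuses legitimate WordPress requests such as ?tag= archives and searches containing the word "select", which is why it is worth testing against your own traffic first.

```python
import re
from urllib.parse import urlsplit

# Slide 48's RewriteCond patterns, in order. Each carries [NC] and they are OR-ed,
# so the block fires if any one of them matches the raw query string.
QUERY_STRING_RULES = [
    r"\.\./", r"boot\.ini", r"tag=", r"ftp:", r"http:", r"https:", r"mosConfig",
    r"^.*(\[|\]|\(|\)|<|>|'|\"|;|\?|\*).*",
    r"^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|config|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare|drop).*",
]
# Apache RewriteCond is a PCRE search (not a full match), so re.search is the analogue.
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_RULES]


def matching_rules(query: str) -> list:
    """Patterns that fire for a raw, still percent-encoded query string."""
    return [p for p, rx in zip(QUERY_STRING_RULES, COMPILED) if rx.search(query)]


def decide(url: str) -> str:
    """'403' if the rule set would block the request, otherwise 'pass'."""
    return "403" if matching_rules(urlsplit(url).query) else "pass"


if __name__ == "__main__":
    # Constructed requests: two that should be stopped and two false positives.
    for url in ("http://example.com/?p=123",
                "http://example.com/?s=%3Cscript%3E",           # encoded angle brackets
                "http://example.com/index.php?file=../../etc",  # traversal attempt
                "http://example.com/?tag=security",             # normal WP tag archive
                "http://example.com/?s=select+a+theme"):        # normal search
        print("%-4s %s  %s" % (decide(url), url, matching_rules(urlsplit(url).query)))
```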

Page 49: SPAM Comments

SPAM in your comments can get you blacklisted just as fast as injections on your pages

Disable comments on pages if you don’t want them

Setting to close comments after a certain amount of time.

Settings > Discussion > Other Comment Settings

Automatically close comments on articles older than XX days

Use AKISMET

Page 50: Cross-Site Contamination

Most of the things provided so far help protect you from external attacks.

Internal attacks are just as prevalent

Growing problem – “Soup Kitchen” servers

Development, Staging, Testing, Production – 1 environment

http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html

http://blog.sucuri.net/2012/03/website-cross-contamination-blackhat-seo-spam-malware.html

Page 51: Security Plugins

Sucuri Clients – Sucuri Security – Free to Clients

Web Application Firewall

Integrity Monitoring

Auditing

Hardening

More: http://sucuri.net/services/preventive

Not a client? No problem, other good options include:

Login Lock – http://wordpress.org/extend/plugins/login-lock/

WordPress File Monitor – http://wordpress.org/extend/plugins/wordpress-file-monitor/

WordPress Firewall 2 – http://wordpress.org/extend/plugins/wordpress-firewall-2/

BulletProof Security – http://wordpress.org/extend/plugins/bulletproof-security/

Page 52: Still have a malware problem?

Page 53: Two Approaches

Do it Yourself

Forums are your friend

Requires time and patience

Leverage free tools

Know when you’re in over your head

Can take time – hours, days, weeks, months

Hire a Professional

Will cost money

Alleviates the stress

Gets you up and running in hours, if not days

Page 54: Support Forums

WordPress.org

Hacked: http://wordpress.org/tags/hacked

Malware: http://wordpress.org/tags/malware

BadwareBusters.org – https://badwarebusters.org/

Page 55: Things to Know when Engaging Professionals

Know who your host is and how to contact them in the event of an emergency

Know how to access your server – FTP, SFTP, SSH, FTPS

Have a backup accessible

Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html

Page 56: Tips & Tricks

After all this you might still become infected, and if you do here are a few tips to keep you going:

1. Immediately change all credentials – wp-admin, database, cPanel

2. Log into your database and check all the users

3. Replace WP manually – avoid the default updater

4. Defacements – look at your index files (watch out for “.html” and “index2.php”)

5. Use live scanner: http://sitecheck.sucuri.net

6. Use terminal to GREP and FIND issues reported

7. Restore site from clean backup

8. Purge your cache

9. Disable plugins, validate each plugin

10. Engage a professional

Page 57: Online Resources

Page 58: FREE Real Time Virus Scanners

Sucuri SiteCheck: http://sitecheck.sucuri.net

Unmask Parasites: http://unmaskparasites.com/

Page 59: Blacklisting Authorities

Google – Chrome, Firefox

Search Engine Results Page (SERP)

http://www.google.com/webmaster/tools

http://www.google.com/safebrowsing/diagnostic?site=[your site]

Bing – Internet Explorer

http://www.bing.com/toolbox/webmaster/

Norton – Facebook

http://safeweb.norton.com/

AVG – Opera

http://www.avgthreatlabs.com/sitereports/

Page 60: Useful Plugins

Know what you’re using:

Theme-Check – Authors: Pross, Otto42

http://wordpress.org/extend/plugins/theme-check/

Plugin-Check – Author: Pross

http://wordpress.org/extend/plugins/plugin-check/

Protect Against Comment SPAM – Akismet

Authors: Matt, Ryan, Andy, mdawaffe

http://wordpress.org/extend/plugins/akismet/

Still offers free service

Backups are your friend – Author: iThemes

http://pluginbuddy.com/purchase/backupbuddy/

Page 61: Online Reading

http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html

http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html

http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html

http://codex.wordpress.org/Hardening_WordPress

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://wpsecure.net/

Page 62: Online Tools

http://www.botsvsbrowsers.com/SimulateUserAgent.asp

http://www.tareeinternet.com/scripts/base.html

http://www.tareeinternet.com/scripts/decrypt.php

Page 63: Tony Perez

Company: Sucuri Security

Company site: http://sucuri.net

Company blog: http://blog.sucuri.net

Personal blog: http://perezbox.com

Twitter: http://twitter.com/perezbox

Linkedin: http://linkedin.com/in/perezbox

Email: [email protected]