Michael McKinnon: Hackers Ahoy! Batten Down The Hatches

A detailed look at some of the security vulnerabilities that we’ve seen in WordPress, including the infamous timthumb.php attack, putting into perspective WHY WordPress sites are targeted and what the key motives of the criminals are. It isn’t what many people think.

WP Australia

April 27, 2013

Transcript

  1. Hackers Ahoy! Batten down the hatches!

    Michael McKinnon, Security Advisor
    mmckinnon@avg.com.au | @bigmac | WordCamp Melbourne 2013
  2. AVG.COM.AU AVG.CO.NZ Cute Kittens.

  3. Not so cute Kittens.

  4. What we’re looking at today…

    • Learn why your WordPress site is a target for cybercriminals.
    • Ten things you can do to secure your site!
  5. How does a WordPress site get compromised?

  6. Attack Vectors

    • With a Username and Password
    • A security vulnerability on your site:
      • SQL injection – executing database scripts to inject data
      • Weak site permissions – uploading files
      • Exploiting a known bug/weakness in a plugin or theme
    • Through your web hosting provider
    • Backdoor from previous compromise (re-infection)
  7. Exploit example: timthumb.php

    • Image thumbnail resizing PHP library, commonly used in many WordPress theme templates.
    • Allowed uploading of .php files to a site – even when the theme was inactive.
  8. Redirect Example: <title> tag inject

  9. Example – how to host phishing pages!

  10. Why? Oh, Why? (is my WordPress site a target)

  11. Where is the value in your site?

    Which one is the most valuable to a cyber criminal?
    1. Your personal information (as the site owner)
    2. Personal details of other users in your database
    3. Your web hosting username/password
    4. Your WordPress database and uploaded files
    5. Access to the visitors that hit your site
    6. eCommerce detail like transactions, or credit cards
    All too common!
  12. The big picture, where do you fit in?

    Victim
    • Searching for cute kittens
    • Clicks on link in email
    Compromised Website
    • WordPress sites
    • Joomla
    • Drupal
    • Usually involves a Javascript redirection – can be controlled with Cookies etc.
    Exploit Toolkit Server
    • Blackhole toolkit
    • Account for 50% + of web infections
    Exploit a vulnerability
    • Victim computer is vulnerable, or not up to date
    • “Dropper” installation
    Payload / Malware
    • Ransomware
    • Fake Antivirus
    • Banking Trojan
    • Password stealers
    • Money, money, money $$$
    Every compromised WordPress website contributes to this chain...
  13. Malware that your visitors can end up with…

  14. Rogue Scanners & Fake Antivirus (Payload / Malware)

  15. Fake Antivirus (Payload / Malware)

  16. Ransomware – Your PC is blocked… (Payload / Malware)

    “Australian Federal Police” labeled Ransomware – first appeared late September 2012
  17. How would you know?

  18. How do you know if your site is infected?

    More often than not somebody else will tell you, BEFORE you find out.
    Source: Verizon Data Breach Investigations Report 2013
  19. Ten things you can do!

    Protect
    • Don’t use the ‘admin’ username
    • Strong passwords
    • Always keep updating
    • Be selective with plugins & themes
    Detect
    • Review web logs
    • Use antivirus software to scan your website files
    • Sign up to Google Webmaster Tools
    • Know your files, spot the enemy
    Correct
    • Keep 90 days of offsite daily backups
    • Practice restoring your site, know how to do it quickly
  20. #1 – Everyone wants to be an ‘admin’

  21. What’s wrong with this picture?

  22. Botnet attacks!

    • BBC News - http://www.bbc.co.uk/news/technology-22152296
    • Ars Technica - http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/
  23. What could ‘admin’ do anyway?

  24. #2 – pa55w0rds!

  25. Passwords – Back to Basics!

    What should we aim for in a password?
    • Should be easy for you to remember
    • Should be hard for someone else to guess (and “brute-force”)
  26. Passwords – World’s Top 10 Most Used

    • 123456
    • 123456789
    • Password
    • 12345678
    • 654321
    • Password1
    • Password123
    • 1234567
    • abc123
    • Qwerty
  27. Can someone guess your password?

    • Favourite football team?
    • Pet’s name?
    • Family members?
  28. Rank these passwords in order of strength…

    1. E56#av+Yb!
    2. Password123
    3. aaaaaAAAAA#####43
    4. 123456
    5. lucasjames
    MOST SECURE
  29. Why? Anatomy of a good Password

    • The password: aaaaaAAAAA#####43
    • It is 17 characters in length
    • Contains upper and lowercase letters
    • Contains numbers
    • Contains the ‘#’ symbol
    • How many combinations?
    • 72 combinations per character, 17 characters long, is 72^17
    • That’s 37 thousand billion billion billion combinations!
  30. Password Separation

    • Make new passwords for different accounts you access…
    • Start with your “base” password (aaaaaAAAAA#####43)
    • “Facebook” – you could take the letters “f” and “b” from Facebook and create a new password: aaaaaAAAAA#####43fb
    • “Twitter” – you could take the letters “t” and “r” from Twitter and create another password: aaaaaAAAAA#####43tr
    • Mix it up! Be creative! And don’t use my lame examples!
  31. #3 – Update. Update. Update.

  32. Make sure you keep WordPress updated!

    Apart from secure access controls, this is your next biggest security win in WordPress.
  33. #4 - Be selective with Plugins & Themes

  34. You don’t need every Plugin and Theme!

    Once you’re happy with your site – REMOVE all unused plugins and themes. A live website is a “production” website, and the “production” environment needs to be treated with respect. Be selective with your plugins and themes. Besides, the more you have, the more annoying updating can be.
  35. #5 – Review web logs

  36. Looking regularly will help spot anomalies

    You’ll find things like… 247 login attempts from an attacker… But other advantages too, such as 404 errors and things you might not otherwise be aware of.
  37. #6 – Use Antivirus software

  38. Detect web threats and infected files

    • Use an Antivirus scanner to schedule a scan of your WordPress site files (easiest by scanning offsite).
    • Great for detecting common PHP shell scripts and other files injected into your site.
    • Also protects you when surfing the web, and may alert you when accessing your own site.
    • Find it on your site before Google does!!
  39. #7 – Use Google Webmaster Tools

  40. Sign up to Google Webmaster Tools

    https://www.google.com/webmasters/tools/
    They will e-mail you if they detect a problem with your site!
  41. #8 – Know your own files

  42. File integrity monitoring

    • Just being familiar with the files on your site can help.
    • Spotting new files by their timestamp
    • Depending how technical you want to get..
      • Use git (i.e. github)
      • Use AIDE or Tripwire
    • What can your hosting provider do for you?
  43. #9 – Keep offsite backups

  44. Backup your site, regularly

    • Use a backup provider/plugin such as VaultPress or Backupbuddy, or ask friends what they’re using
    • Do NOT leave backup files sitting in your WordPress folders - they could be downloaded by attackers!
    • Suggest daily backups – 90 days worth.
  45. #10 – Know how to restore. Quickly.

  46. When the proverbial hits the fan

    • You don’t want to be searching for a solution after your site gets compromised.
    • BE PREPARED
    • Have a plan to restore your website, quickly, and TEST it beforehand – do a LIVE test.
    • And remember, sometimes the attacker may return, especially if the vulnerability is still present in the backed up site.
    • You’ll need to remediate and identify how the compromise happened, and apply any updates/fixes, change passwords etc.
  47. Credits & Acknowledgements

    Photographs and images used in this presentation are thanks to:
    • Skitch by Evernote for all screen snapshots - http://evernote.com/skitch/
    • iStockphoto.com – slides 2, 3, 4, 17, 46, 47 used under license in accordance with their terms at - http://www.istockphoto.com/license.php
    • Fairfax Publications, The Age “Football Fans” - slide 27 http://images.theage.com.au/2010/09/22/1941829/article-fans2-420x0.jpg
    • Verizon Data Breach Investigations Report 2013 – slide 18 http://www.verizonenterprise.com/DBIR/2013/
  48. Thank you!

    Protect
    • Don’t use the ‘admin’ username
    • Strong passwords
    • Always keep updating
    • Be selective with plugins & themes
    Detect
    • Review web logs
    • Use antivirus software to scan your website files
    • Sign up to Google Webmaster Tools
    • Know your files, spot the enemy
    Correct
    • Keep 90 days of offsite daily backups
    • Practice restoring your site, know how to do it quickly
    avgaunz | avgaunz | resources.avg.com.au
    Michael McKinnon, Security Advisor
    mmckinnon@avg.com.au | bigmac
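
Added example for slide 36 (not part of the original presentation): a Python script that tallies WordPress login POSTs per client address and counts 404 paths in a web access log. The log lines are constructed, in the common "combined" format with documentation-range addresses, and the threshold of 5 attempts is an assumption.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize(lines, login_threshold=5):
    """Return (noisy_login_sources, not_found_paths, skipped_line_count)."""
    logins = Counter()      # POSTs to wp-login.php per client address
    not_found = Counter()   # 404 responses per requested path
    skipped = 0             # lines that do not parse; worth a look in their own right
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        path = m["path"].split("?", 1)[0]   # ignore the query string
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            logins[m["ip"]] += 1
        if m["status"] == "404":
            not_found[path] += 1
    noisy = {ip: n for ip, n in logins.items() if n >= login_threshold}
    return noisy, not_found, skipped

# Constructed sample log: one address hammering the login form, one normal
# login, two requests for a missing file and one unparseable line.
SAMPLE = (
    ['203.0.113.7 - - [27/Apr/2013:10:00:00 +1000] '
     '"POST /wp-login.php HTTP/1.1" 200 3456 "-" "-"'] * 247
    + ['198.51.100.20 - - [27/Apr/2013:10:05:00 +1000] '
       '"POST /wp-login.php HTTP/1.1" 302 0 "-" "-"']
    + ['198.51.100.20 - - [27/Apr/2013:10:06:00 +1000] '
       '"GET /images/missing.png?v=2 HTTP/1.1" 404 210 "-" "-"'] * 2
    + ['not a log line']
)

if __name__ == "__main__":
    noisy, not_found, skipped = summarize(SAMPLE)
    for ip, count in sorted(noisy.items(), key=lambda kv: -kv[1]):
        print(f"{count} login attempts from {ip}")
    for path, count in not_found.most_common(10):
        print(f"{count} x 404 {path}")
    print(f"{skipped} unparsed line(s)")
```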
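
Added example for slide 42 (not part of the original presentation): a minimal file integrity check in Python that records a SHA-256 manifest of the site files and reports what was added, changed or removed since the baseline. The directory layout, the file names and the `php_in_uploads` helper are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

def compare(baseline, current):
    """Return sorted lists of (added, changed, removed) paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, changed, removed

def php_in_uploads(paths):
    """New PHP files under an uploads directory deserve a look first."""
    return [p for p in paths if "/uploads/" in p and p.lower().endswith(".php")]

def write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Build a constructed site tree, take a baseline, alter it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", "<?php // site entry point\n")
        write(root, "wp-content/uploads/kitten.jpg", "constructed image bytes")
        baseline = snapshot(root)   # in practice, store this manifest offsite
        write(root, "index.php", "<?php // site entry point, modified\n")
        write(root, "wp-content/uploads/unexpected.php", "<?php // placeholder\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    added, changed, removed = demo()
    print("added:", added, "changed:", changed, "removed:", removed)
    print("review first:", php_in_uploads(added))
```

Comparing content hashes catches a modified file even when its timestamp has been reset, which timestamp spotting alone would miss.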