
Michael McKinnon: Hackers Ahoy! Batten Down The Hatches


A detailed look at some of the security vulnerabilities that we’ve seen in WordPress – including the infamous Timthumb.php attack, and to put into perspective WHY WordPress sites are targeted and what the key motives of the criminals are – it isn’t what many people think.

WP Australia

April 27, 2013


Transcript

  1. Hackers Ahoy! Batten down the hatches!
    Michael McKinnon, Security Advisor
    [email protected] | @bigmac | WordCamp Melbourne 2013

  2. Cute Kittens. (slide footer: AVG.COM.AU AVG.CO.NZ)

  3. Not so cute Kittens.

  4. What we’re looking at today…
    Learn why your WordPress site is a target for cybercriminals.
    Ten things you can do to secure your site!

  5. How does a WordPress site get compromised?

  6. Attack Vectors
    •  With a username and password
    •  A security vulnerability on your site:
       •  SQL injection – executing database scripts to inject data
       •  Weak site permissions – uploading files
       •  Exploiting a known bug/weakness in a plugin or theme
    •  Through your web hosting provider
    •  Backdoor from previous compromise (re-infection)

  7. Exploit example: timthumb.php
    •  Image thumbnail resizing PHP library, commonly used in many WordPress theme templates.
    •  Allowed uploading of .php files to a site – even when the theme was inactive.

  8. Redirect Example: tag inject

  9. Example – how to host phishing pages!

  10. Why? Oh, Why? (is my WordPress site a target)

  11. Where is the value in your site?
    Which one is the most valuable to a cyber criminal?
    1.  Your personal information (as the site owner)
    2.  Personal details of other users in your database
    3.  Your web hosting username/password
    4.  Your WordPress database and uploaded files
    5.  Access to the visitors that hit your site
    6.  eCommerce detail like transactions, or credit cards
    All too common!

  12. The big picture, where do you fit in?
    Victim
    • Searching for cute kittens
    • Clicks on link in email
    → Compromised Website
    • WordPress sites, Joomla, Drupal
    • Usually involves a JavaScript redirection – can be controlled with cookies etc.
    → Exploit Toolkit Server
    • Blackhole toolkit
    • Accounts for 50%+ of web infections
    → Exploit a vulnerability
    • Victim computer is vulnerable, or not up to date
    • “Dropper” installation
    → Payload / Malware
    • Ransomware, Fake Antivirus, Banking Trojan, Password stealers
    • Money, money, money $$$
    Every compromised WordPress website contributes to this chain...

  13. Malware that your visitors can end up with…

  14. Rogue Scanners & Fake Antivirus (chain stage: Payload / Malware)

  15. Fake Antivirus (chain stage: Payload / Malware)

  16. Ransomware – Your PC is blocked… (chain stage: Payload / Malware)
    “Australian Federal Police” labelled Ransomware – first appeared late September 2012

  17. How would you know?

  18. How do you know if your site is infected?
    More often than not, somebody else will tell you, BEFORE you find out.
    Source: Verizon Data Breach Investigations Report 2013

  19. Ten things you can do!
    Protect
    • Don’t use the ‘admin’ username
    • Strong passwords
    • Always keep updating
    • Be selective with plugins & themes
    Detect
    • Review web logs
    • Use antivirus software to scan your website files
    • Sign up to Google Webmaster Tools
    • Know your files, spot the enemy
    Correct
    • Keep 90 days of offsite daily backups
    • Practice restoring your site, know how to do it quickly

  20. #1 – Everyone wants to be an ‘admin’

  21. What’s wrong with this picture?

  22. Botnet attacks!
    BBC News - http://www.bbc.co.uk/news/technology-22152296
    Ars Technica - http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

  23. What could ‘admin’ do anyway?

  24. #2 – pa55w0rds!

  25. Passwords – Back to Basics!
    What should we aim for in a password?
    •  Should be easy for you to remember
    •  Should be hard for someone else to guess (and “brute-force”)

  26. Passwords – World’s Top 10 Most Used
    •  123456
    •  123456789
    •  Password
    •  12345678
    •  654321
    •  Password1
    •  Password123
    •  1234567
    •  abc123
    •  Qwerty

  27. Can someone guess your password?
    •  Favourite football team?
    •  Pet’s name?
    •  Family members?

  28. Rank these passwords in order of strength…
    1.  E56#av+Yb!
    2.  Password123
    3.  aaaaaAAAAA#####43
    4.  123456
    5.  lucasjames
    (slide arrow label: MOST SECURE)

  29. Why? Anatomy of a good Password
    •  The password: aaaaaAAAAA#####43
    •  It is 17 characters in length
    •  Contains upper and lowercase letters
    •  Contains numbers
    •  Contains the ‘#’ symbol
    •  How many combinations?
    •  An alphabet of 72 possible characters, 17 characters long, gives 72^17 combinations
    •  That’s 37 thousand billion billion billion combinations!
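The following is an added worked example (not code from the deck or from AVG) that reproduces the 72^17 figure above and runs the same character-class count over the other passwords from slide 28. The class sizes 26/26/10/10 are an assumption chosen to match the deck’s 72-character alphabet, and the guess rate of 10^10 per second is an assumed figure for illustration only. It also checks each password against the slide 26 top-10 list, which is the point the raw count misses: Password123 scores well on alphabet and length, yet it is among the first guesses any attacker tries, so its real search space is close to one.

```python
# Character-class sizes assumed to match the deck's "72 combinations":
# 26 lowercase + 26 uppercase + 10 digits + 10 symbols = 72.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 10}

# World's top 10 most used passwords, as listed on slide 26 of the deck.
TOP_10 = {"123456", "123456789", "Password", "12345678", "654321",
          "Password1", "Password123", "1234567", "abc123", "Qwerty"}


def char_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")   # anything else counts as a symbol
    return classes


def alphabet_size(password: str) -> int:
    """Size of the alphabet a guesser must cover, given the classes used."""
    return sum(CLASS_SIZES[c] for c in char_classes(password))


def search_space(password: str) -> int:
    """Number of candidates for an exhaustive search: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def is_common(password: str) -> bool:
    """True if the password is on the top-10 list, i.e. guessed almost at once."""
    return password in TOP_10


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the search space at an ASSUMED guess rate
    (1e10 per second is an illustrative figure, not a number from the deck)."""
    if is_common(password):
        return 0.0   # a dictionary hit, not a brute-force problem
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)


def report(password: str) -> dict:
    """Summarise the measures the slide talks about for one password."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "common": is_common(password),
        "years_to_exhaust": brute_force_years(password),
    }


if __name__ == "__main__":
    # The five candidates from slide 28.
    for pw in ["E56#av+Yb!", "Password123", "aaaaaAAAAA#####43", "123456", "lucasjames"]:
        r = report(pw)
        print(f"{pw:20s} len={r['length']:2d} alphabet={r['alphabet']:3d} "
              f"space={r['search_space']:.3g} common={r['common']} "
              f"years={r['years_to_exhaust']:.3g}")
```

The class-based count is the only strength measure the slide uses, and the example keeps to it; the `is_common` check is the minimum a practitioner would add, since length and character mix say nothing about a password that already sits on a wordlist.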

  30. Password Separation
    •  Make new passwords for different accounts you access…
    •  Start with your “base” password (aaaaaAAAAA#####43)
    •  “Facebook” – you could take the letters “f” and “b” from Facebook and create a new password: aaaaaAAAAA#####43fb
    •  “Twitter” – you could take the letters “t” and “r” from Twitter and create another password: aaaaaAAAAA#####43tr
    •  Mix it up! Be creative! And don’t use my lame examples!

  31. #3 – Update. Update. Update.

  32. Make sure you keep WordPress updated!
    Apart from secure access controls, this is your next biggest security win in WordPress.

  33. #4 – Be selective with Plugins & Themes

  34. You don’t need every Plugin and Theme!
    Once you’re happy with your site – REMOVE all unused plugins and themes.
    A live website is a “production” website, and the “production” environment needs to be treated with respect.
    Be selective with your plugins and themes. Besides, the more you have, the more annoying updating can be.

  35. #5 – Review web logs

  36. Looking regularly will help spot anomalies
    You’ll find things like… 247 login attempts from an attacker…
    But other advantages too, such as 404 errors and things you might not otherwise be aware of.
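As an added example of the log review the slide recommends (this is not code from the deck; the log lines are constructed, with RFC 5737 documentation addresses, and the format assumed is the common Apache/nginx “combined” format), the script below counts POST requests to wp-login.php per source address, flags any address that exceeds a threshold, and groups 404 responses by path so that probes for files you do not have stand out. The threshold of 3 is chosen for the tiny sample; a real site would set it from its own normal traffic.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format: client IP, identity, user, [timestamp],
# "request line", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the deck): one normal visitor who logs in,
# one address hammering wp-login.php, and one probe for a file that is not there.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2013:10:01:02 +1000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Apr/2013:10:01:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/4.0"
198.51.100.23 - - [27/Apr/2013:10:01:06 +1000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/4.0"
198.51.100.23 - - [27/Apr/2013:10:01:07 +1000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/4.0"
198.51.100.23 - - [27/Apr/2013:10:01:08 +1000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Apr/2013:10:02:00 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [27/Apr/2013:10:03:00 +1000] "GET /wp-content/themes/old/timthumb.php HTTP/1.1" 404 210 "-" "curl/7.29"
"""


def parse_log(text):
    """Yield one dict per well-formed log line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def login_attempts_by_ip(text):
    """Count POSTs to wp-login.php per source IP. Every POST is a login attempt;
    a 200 means the login form was re-served (failure), a 302 is a redirect after success."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            counts[rec["ip"]] += 1
    return counts


def suspicious_login_sources(text, threshold=3):
    """Addresses with more login POSTs than the threshold allows."""
    return {ip: n for ip, n in login_attempts_by_ip(text).items() if n >= threshold}


def not_found_paths(text):
    """404 responses grouped by requested path, with the addresses that asked."""
    paths = defaultdict(list)
    for rec in parse_log(text):
        if rec["status"] == "404":
            paths[rec["path"]].append(rec["ip"])
    return dict(paths)


if __name__ == "__main__":
    print("login POSTs per IP:", dict(login_attempts_by_ip(SAMPLE_LOG)))
    print("suspicious sources:", suspicious_login_sources(SAMPLE_LOG))
    print("404s by path:", not_found_paths(SAMPLE_LOG))
```

Run against a real access log, the same three functions give the “247 login attempts” kind of number the slide mentions and the 404 noise it says you might not otherwise notice; a run of 200 responses to wp-login.php from one address is the failure pattern to look for, since a successful login answers with a 302.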

  37. #6 – Use Antivirus software

  38. Detect web threats and infected files
    •  Use an Antivirus scanner to schedule a scan of your WordPress site files (easiest by scanning offsite).
    •  Great for detecting common PHP shell scripts and other files injected into your site.
    •  Also protects you when surfing the web, and may alert you when accessing your own site.
    •  Find it on your site before Google does!!

  39. #7 – Use Google Webmaster Tools

  40. Sign up to Google Webmaster Tools
    https://www.google.com/webmasters/tools/
    They will e-mail you if they detect a problem with your site!

  41. #8 – Know your own files

  42. File integrity monitoring
    •  Just being familiar with the files on your site can help.
    •  Spotting new files by their timestamp
    •  Depending on how technical you want to get…
       •  Use git (e.g. GitHub)
       •  Use AIDE or Tripwire
    •  What can your hosting provider do for you?
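As an added illustration of what AIDE or Tripwire do for you (this is an example written for this page, not the deck’s or either tool’s code), the script below takes a SHA-256 baseline of every file under a web root, stores it outside that root, and later reports files added, modified or deleted. Hashing rather than timestamps matters because a timestamp is trivially reset, whereas a content hash is not. The `demo()` function builds a constructed miniature site tree in a temporary directory, then simulates the two changes the slides describe, a dropped PHP file under uploads and an edited theme file, and returns the report; the directory layout and file contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Content hash of one file, read in chunks so large uploads don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = file_sha256(p)
    return result


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Write the baseline. Keep baseline_file OUTSIDE the web root: a file inside
    wp-content is downloadable, and an attacker who can edit it can hide changes."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def check(root: Path, baseline_file: Path) -> dict:
    """Re-scan root and report what changed since the stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, snapshot(root))


def demo() -> dict:
    """Constructed walk-through: baseline a tiny site, simulate a compromise, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"                      # assumed web root
        theme = root / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme functions\n")

        baseline_file = Path(tmp) / "baseline.json"      # outside the web root
        save_baseline(root, baseline_file)

        # Simulated changes (constructed): a new PHP file where only images belong,
        # and a theme file that has gained extra content since the baseline.
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "x.php").write_text("<?php // unexpected file\n")
        (theme / "functions.php").write_text("<?php // theme functions\n// extra line\n")

        return check(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use, `save_baseline` runs once after a clean install or update and `check` runs from cron; any “added” PHP file under wp-content/uploads, or any “modified” entry you did not cause yourself, is the “spot the enemy” moment the slide refers to, and a legitimate WordPress or plugin update is followed by taking a fresh baseline.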

  43. #9 – Keep offsite backups

  44. Backup your site, regularly
    •  Use a backup provider/plugin such as VaultPress or BackupBuddy, or ask friends what they’re using
    •  Do NOT leave backup files sitting in your WordPress folders - they could be downloaded by attackers!
    •  Suggest daily backups – 90 days’ worth.

  45. #10 – Know how to restore. Quickly.

  46. When the proverbial hits the fan
    •  You don’t want to be searching for a solution after your site gets compromised.
    •  BE PREPARED
    •  Have a plan to restore your website, quickly, and TEST it beforehand – do a LIVE test.
    •  And remember, sometimes the attacker may return, especially if the vulnerability is still present in the backed up site.
    •  You’ll need to remediate and identify how the compromise happened, and apply any updates/fixes, change passwords etc.

  47. Credits & Acknowledgements
    Photographs and images used in this presentation are thanks to:
    Skitch by Evernote for all screen snapshots - http://evernote.com/skitch/
    iStockphoto.com – slides 2, 3, 4, 17, 46, 47, used under license in accordance with their terms at - http://www.istockphoto.com/license.php
    Fairfax Publications, The Age “Football Fans” - slide 27 - http://images.theage.com.au/2010/09/22/1941829/article-fans2-420x0.jpg
    Verizon Data Breach Investigations Report 2013 – slide 18 - http://www.verizonenterprise.com/DBIR/2013/

  48. Protect – Detect – Correct (recap)
    Protect
    • Don’t use the ‘admin’ username
    • Strong passwords
    • Always keep updating
    • Be selective with plugins & themes
    Detect
    • Review web logs
    • Use antivirus software to scan your website files
    • Sign up to Google Webmaster Tools
    • Know your files, spot the enemy
    Correct
    • Keep 90 days of offsite daily backups
    • Practice restoring your site, know how to do it quickly
    Thank you!
    avgaunz | resources.avg.com.au
    Michael McKinnon, Security Advisor
    [email protected] | @bigmac