Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Michael McKinnon: Hackers Ahoy! Batten Down The...

WP Australia
April 27, 2013
Technology
0
290

Michael McKinnon: Hackers Ahoy! Batten Down The Hatches

A detailed look at some of the security vulnerabilities that we’ve seen in WordPress – including the infamous Timthumb.php attack, and to put into perspective WHY WordPress sites are targeted and what the key motives of the criminals are – it isn’t what many people think.

WP Australia

April 27, 2013
Tweet

More Decks by WP Australia

See All by WP Australia
Amelia Briscoe: WordPress and Git
wpaustralia
1
650
Blaz Robar: Photoshop Best Practice for WordPress
wpaustralia
2
400
Mikey De Wildt: How to survive people discovering your plugin
wpaustralia
0
210
Travis Hensgen: Introducing MasterPress
wpaustralia
1
1.3k
Phil Steinke: 9 1/2 Free WP Plugins to Keep you Sane While Blogging
wpaustralia
0
440
Anthony Hortin: Getting Started with WooCommerce
wpaustralia
0
200
Bronson Quick: My WordPress Development Workflow
wpaustralia
5
1.7k
David Jenyns: WordPress and Video SEO
wpaustralia
1
620
Joe Ortenzi: Inclusive Design for WordPress
wpaustralia
1
250

Other Decks in Technology

See All in Technology
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
540
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
420
Engineer Career Talk
lycorp_recruit_jp
0
190
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
Taming you application's environments
salaboy
0
190
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
The Role of Developer Relations in AI Product Success.
giftojabu1
0
130

Featured

See All Featured
A Tale of Four Properties
chriscoyier
156
23k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Side Projects
sachag
452
42k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Designing Experiences People Love
moore
138
23k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Building Applications with DynamoDB
mza
90
6.1k
A better future with KSS
kneath
238
17k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Building Your Own Lightsaber
phodgson
103
6.1k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k

Transcript

  1. Hackers Ahoy! Batten down the hatches! Michael McKinnon, Security Advisor

    [email protected] | @bigmac | WordCamp Melbourne 2013

  2. AVG.COM.AU AVG.CO.NZ Cute Kittens.

  3. AVG.COM.AU AVG.CO.NZ Not so cute Kittens.

  4. AVG.COM.AU AVG.CO.NZ What we’re looking at today… Learn why your

    Wordpress site is a target for cybercriminals. Ten things you can do to secure your site!

  5. How does a Wordpress site get compromised?

  6. AVG.COM.AU AVG.CO.NZ Attack Vectors •  With a Username and Password

    •  A security vulnerability on your site: •  SQL injection – executing database scripts to inject data •  Weak site permissions – uploading files •  Exploiting a known bug/weakness in a plugin or theme •  Through your web hosting provider •  Backdoor from previous compromise (re-infection)

  7. AVG.COM.AU AVG.CO.NZ Exploit example: timthumb.php •  Image thumbnail resizing PHP

    library, commonly used in many Wordpress theme templates. •  Allowed uploading of .php files to a site – even when the theme was inactive.

  8. AVG.COM.AU AVG.CO.NZ Redirect Example: <title> tag inject

  9. AVG.COM.AU AVG.CO.NZ Example – how to host phishing pages!

  10. Why? Oh, Why? (is my Wordpress site a target)

  11. AVG.COM.AU AVG.CO.NZ Where is the value in your site? Which

    one is the most valuable to a cyber criminal? 1.  Your personal information (as the site owner) 2.  Personal details of other users in your database 3.  Your web hosting username/password 4.  Your Wordpress database and uploaded files 5.  Access to the visitors that hit your site 6.  eCommerce detail like transactions, or credit cards All too common!

  12. AVG.COM.AU AVG.CO.NZ The big picture, where do you fit in?

    Victim • Searching for cute kittens • Clicks on link in email Compromised Website • Wordpress sites • Joomla • Drupal • Usually involves a Javascript redirection – can be controlled with Cookies etc. Exploit Toolkit Server • Blackhole toolkit • Account for 50% + of web infections Exploit a vulnerability • Victim computer is vulnerable, or not up to date • “Dropper” installation Payload / Malware • Ransomware • Fake Antivirus • Banking Trojan • Password stealers • Money, money, money $$$ Every compromised Wordpress website contributes to this chain...

  13. Malware that your visitors can end up with…

  14. AVG.COM.AU AVG.CO.NZ Rogue Scanners & Fake Antivirus Payload / Malware

  15. AVG.COM.AU AVG.CO.NZ Fake Antivirus Payload / Malware

  16. AVG.COM.AU AVG.CO.NZ Ransomware – Your PC is blocked… “Australian Federal

    Police” labeled Ransomware – first appeared late September 2012 Payload / Malware

  17. How would you know?

  18. AVG.COM.AU AVG.CO.NZ How do you know if your site is

    infected? More often that not somebody else will tell you, BEFORE you find out. Source: Verizon Data Breach Investigations Report 2013

  19. AVG.COM.AU AVG.CO.NZ Ten things you can do! Protect • Don’t use

    the ‘admin’ username • Strong passwords • Always keep updating • Be selective with plugins & themes Detect • Review web logs • Use antivirus software to scan your website files • Sign up to Google Webmaster Tools • Know your files, spot the enemy Correct • Keep 90 days of offsite daily backups • Practice restoring your site, know how to do it quickly

  20. #1 – Everyone wants to be an ‘admin’

  21. AVG.COM.AU AVG.CO.NZ What’s wrong with this picture?

  22. AVG.COM.AU AVG.CO.NZ Botnet attacks! BBC News - http://www.bbc.co.uk/news/technology-22152296 Ars Technica

    - http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

  23. AVG.COM.AU AVG.CO.NZ What could ‘admin’ do anyway?

  24. #2 – pa55w0rds!

  25. AVG.COM.AU AVG.CO.NZ Passwords – Back to Basics! What should we

    aim for in a password? •  Should be easy for you to remember •  Should be hard for someone else to guess (and “brute-force”)

  26. AVG.COM.AU AVG.CO.NZ Passwords – World’s Top 10 Most Used • 

    123456 •  123456789 •  Password •  12345678 •  654321 •  Password1 •  Password123 •  1234567 •  abc123 •  Qwerty

  27. AVG.COM.AU AVG.CO.NZ Can someone guess your password? •  Favourite football

    team? •  Pet’s name? •  Family members?

  28. AVG.COM.AU AVG.CO.NZ Rank these passwords in order of strength… 1. 

    E56#av+Yb! 2.  Password123 3.  aaaaaAAAAA#####43 4.  123456 5.  lucasjames MOST SECURE

  29. AVG.COM.AU AVG.CO.NZ Why? Anatomy of a good Password •  The

    password: aaaaaAAAAA#####43 •  It is 17 characters in length •  Contains upper and lowercase letters •  Contains numbers •  Contains the ‘#’ symbol •  How many combinations? •  72 combinations, 17 combinations long is 72^17 •  That’s 37 thousand billion billion billion combinations!

  30. AVG.COM.AU AVG.CO.NZ Password Separation •  Make new passwords for different

    accounts you access… •  Start with your “base” password (aaaaaAAAAA#####43) •  “Facebook” – you could take the letters “f” and “b” from Facebook and create a new password: aaaaaAAAAA#####43fb •  “Twitter” – you could take the letters “t” and “r” from Twitter and create another password: aaaaaAAAAA#####43tr •  Mix it up! Be creative! And don’t use my lame examples!

  31. #3 – Update. Update. Update.

  32. AVG.COM.AU AVG.CO.NZ Make sure you keep Wordpress updated! Apart from

    secure access controls, this is your next biggest security win in Wordpress.

  33. #4 - Be selective with Plugins & Themes

  34. AVG.COM.AU AVG.CO.NZ You don’t need every Plugin and Theme! Once

    you’re happy with your site – REMOVE all unused plugins and themes. A live website is a “production” website, and the “production” environment needs to be treated with respect. Be selective with your plugins and themes. Beside the more you have, the more annoying updating can be.

  35. #5 – Review web logs

  36. AVG.COM.AU AVG.CO.NZ Looking regularly will help spot anomalies You’ll find

    things like… 247 login attempts from an attacker… But other advantages too, such as 404 errors and things you might not otherwise be aware of.

  37. #6 – Use Antivirus software

  38. AVG.COM.AU AVG.CO.NZ Detect web threats and infected files •  Use

    an Antivirus scanner to schedule a scan of your Wordpress site files (easiest by scanning offsite). •  Great for detecting common PHP shell scripts and other files injected into your site. •  Also protects you when surfing the web, and may alert you when accessing your own site. •  Find it on your site before Google does!!

  39. #7 – Use Google Webmaster Tools

  40. AVG.COM.AU AVG.CO.NZ Sign up to Google Webmaster Tools https://www.google.com/webmasters/tools/ They

    will e-mail you if they detect a problem with your site!

  41. #8 – Know your own files

  42. AVG.COM.AU AVG.CO.NZ File integrity monitoring •  Just being familiar with

    the files on your site can help. •  Spotting new files by their timestamp •  Depending how technical you want to get.. •  Use git (i.e. github) •  Use AIDE or Tripwire •  What can your hosting provider do for you?

  43. #9 – Keep offsite backups

  44. AVG.COM.AU AVG.CO.NZ Backup your site, regularly •  Use a backup

    provider/plugin such as VaultPress or Backupbuddy, or ask friends what they’re using •  Do NOT leave backup files sitting in your Wordpress folders - they could be downloaded by attackers! •  Suggest daily backups – 90 days worth.

  45. #10 – Know how to restore. Quickly.

  46. AVG.COM.AU AVG.CO.NZ When the proverbial hits the fan •  You

    don’t want to be searching for a solution after your site gets compromised. •  BE PREPARED •  Have a plan to restore your website, quickly, and TEST it beforehand – do a LIVE test. •  And remember, sometimes the attacker may return, especially if the vulnerability is still present in the backed up site. •  You’ll need to remediate and identify how the compromise happened, and apply any updates/fixes, change passwords etc.

  47. AVG.COM.AU AVG.CO.NZ Credits & Acknowledgements Photographs and images used in

    this presentation are thanks to: Skitch by Evernote for all screen snapshots - http://evernote.com/skitch/ iStockphoto.com – slides 2, 3, 4, 17, 46, 47 used under license in accordance with their terms at - http://www.istockphoto.com/license.php Fairfax Publications, The Age “Football Fans” - slide 27 http://images.theage.com.au/2010/09/22/1941829/article-fans2-420x0.jpg Verizon Data Breach Investigations Report 2013 – slide 18 http://www.verizonenterprise.com/DBIR/2013/

  48. AVG.COM.AU AVG.CO.NZ Protect • Don’t use the ‘admin’ username • Strong passwords

    • Always keep updating • Be selective with plugins & themes Detect • Review web logs • Use antivirus software to scan your website files • Sign up to Google Webmaster Tools • Know your files, spot the enemy Correct • Keep 90 days of offsite daily backups • Practice restoring your site, know how to do it quickly Thank you! avgaunz avgaunz resources.avg.com.au Michael McKinnon, Security Advisor [email protected] bigmac