Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WordPress Greek Community 6th meetup Security 101 - Stefanos Grammenos, Panagiotis Macromanolis

WordPress Greek Community 6th meetup Security 101 - Stefanos Grammenos, Panagiotis Macromanolis

WordPress Greek Community

October 21, 2015
Tweet

More Decks by WordPress Greek Community

Other Decks in Technology

Transcript

  1. Copyright 2015 WebDevls
    Copyright 2015 WebDevls

    View full-size slide

  2. Copyright 2015 WebDevls
    REAL-TIME VISIBILITY INTO GLOBAL CYBER
    WordPress-ATTACKS
    By
    Grammenos Stefanos
    Panagiotis Macromanolis
    Copyright 2015 WebDevls

    View full-size slide

  3. Copyright 2015 WebDevls
    WordPress powers more than 74.6m sites around the
    world
    48% Technorati’s top 100 blogs, χρησιμοποιούν WP
    Dashboard
    WordPress-Related Keywords Score 37 Million Searches Per Month
    WordPress.com Gets More Unique Visitors Than Amazon (Us)
    Plugins have been downloaded more than 300,000,000+ times.
    48 Million Downloads of WordPress
    Online marketing circles will often discuss WordPress more than any other CMS out there.
    Copyright 2015 WebDevls

    View full-size slide

  4. Copyright 2015 WebDevls
    Αποτελεί τεράστιο στόχο
    Για την διάδοση των πιο
    κύριων μορφών
    Κυβερνοεγκλημάτων
    Κυρίως για την απλότητα της
    Χρήσης του, άλλα και την
    Τεράστια δημοτικότητα που έχει
    Αποκτήσει.
    Copyright 2015 WebDevls

    View full-size slide

  5. Copyright 2015 WebDevls
    25 experts including lead
    developers and security researchers.
    WordPress and Drupal security team
    collaboration.
    The WordPress Security Team
    Automatic Background Updates for
    Security Releases.
    2013 OWASP Top 10 Vulnerabilities
    most serious application security risks.
    WordPress Plugin and Theme Security
    Theme Review Team – Plugin Review Team
    API's (Core WordPress API's, DB API, FileSystem API, HTTP API Permissions and Current
    User API ).
    [email protected]
    Copyright 2015 WebDevls

    View full-size slide

  6. Copyright 2015 WebDevls
    Όταν είμαστε οπλισμένοι με τεχνικές συμβουλές και κοινή λογική. Μπορούμε
    Να αποφύγουμε αρκετές από τις γνωστές επιθέσεις. Όσο περισσότερο δυσκολέψουμε
    Το έργο ενός επιτιθέμενου στην ιστοσελίδα μας, τόσο πιο πιθανό είναι να μας αφήσει
    Ήσυχο και να περάσει σε έναν πιο εύκολο στόχο.
    Ασφάλεια Υπολογιστικών Συστημάτων
    Sasser – Bagle – Zafi – MyDoom – Lovsan/Blaster – Klez - BugBeaR
    Copyright 2015 WebDevls

    View full-size slide

  7. Copyright 2015 WebDevls
    Attacks που τελούνται με τη χρήση Ηλεκτρονικών Υπολογιστών (Computer Crime)
    Attacks που τελούνται μέσω του Διαδικτύου (Cyber Crime)
    Copyright 2015 WebDevls

    View full-size slide

  8. Copyright 2015 WebDevls

    View full-size slide

  9. Copyright 2015 WebDevls
    - Brute-force password-guessing attacks
    - ΧSS -(css)
    Οι κύριες WordPress Based επιθέσεις
    Το WordPress παραμένει ο κύριος στόχος επιθέσεων
    C.M.S
    - SQL Injection
    - Directory Indexing
    Honorable Mentions
    - Image HotLinking
    Copyright 2015 WebDevls

    View full-size slide

  10. Copyright 2015 WebDevls
    Brute Force Attack
    Or Dictionary attack
    Brute Force Attack is an automated process and can be done by using a program
    That will try to decrypt your password by using a list of words, symbols and numbers
    (wordlists).
    The Attacker will try to compromize your website by brute force attacking to your
    wp-login.php
    Copyright 2015 WebDevls

    View full-size slide

  11. Copyright 2015 WebDevls
    Cross Site Scripting Attack
    Copyright 2015 WebDevls
    Hack-Attack that exploits web applications
    A security exploit in which attacker inserts
    Malicious code into a link that appears to be
    From a trustworthy source.

    View full-size slide

  12. Copyright 2015 WebDevls
    Cross Site Scripting Attack
    http://www.xssed.com/archive
    Κλοπή κωδικών/λογαριασμών
    Και προσωπικών δεδομένων
    Aλλαγή ρυθμίσεων Browser Κλοπή Cookies
    Copyright 2015 WebDevls
    XSS, SQL Injections and Brute Force Attacks are the most commons attacks to WP

    View full-size slide

  13. Copyright 2015 WebDevls
    The attacker injects a payload in the website’s database by submitting a vulnerable form with some malicious JavaScript
    1.victim requests the web page from the website
    2. The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body.
    3. The victim’s browser will execute the malicious script inside the HTML body.
    In this case it would send the victim’s cookie to the attacker’s server.
    The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives to the server
    after which the attacker can use the victim’s stolen cookie for impersonation.
    Copyright 2015 WebDevls

    View full-size slide

  14. Copyright 2015 WebDevls
    SQL Injection
    Query Database Attack.
    Attacker tries to find vulnerable queries in the code.
    Access, to the Whole Database Tables and Schema.
    Copyright 2015 WebDevls

    View full-size slide

  15. Copyright 2015 WebDevls
    Directory Indexing
    Is a way for an attacker, to find out our servers' folder structure.
    Can find our server user name in the process.
    Copyright 2015 WebDevls

    View full-size slide

  16. Copyright 2015 WebDevls
    Image HotLinking
    The ability for another website to use our own bandwidth
    Copyright 2015 WebDevls

    View full-size slide

  17. Copyright 2015 WebDevls
    DDoS
    A DDoS or a Distributed Denial of Service Attack is used to target a single (or multiple)
    Systems by sending a very large amount of traffic packets in to the system and finally
    overwhelming it and make it unavailable.
    Distributed via botnets (infected systems)
    Types of DDoS Attacks
    Traffic Attacks
    Bandwidth Attacks
    Application Attacks
    Copyright 2015 WebDevls

    View full-size slide

  18. Copyright 2015 WebDevls
    Live Demonstration On Brute Forcing
    a WordPress Installation
    Do Not Try this at Home..The following Operation is iLLegall and must be
    Performed only after having the necessary permissions on the server and the website
    From the rightful owner.
    Copyright 2015 WebDevls

    View full-size slide

  19. Copyright 2015 WebDevls
    Ways to Secure your Installation

    View full-size slide

  20. Copyright 2015 WebDevls
    Don't use the 'admin' username
    Good Passwords
    Security Plugins
    /plugins/google-authenticator/
    Two Step Verification
    WordFence
    Clef

    View full-size slide

  21. Copyright 2015 WebDevls
    Επιπρόσθετα μέτρα Αντιμετώπισης επιθέσης στο wp-login.php
    MD5 algorithm- Crypt()
    Passwords
    Και Linux
    και Windows
    Password Protect the wp-login.php File
    http://www.htaccesstools.com/htpasswd-generator/
    1. Visit: http://www.htaccesstools.com/htpasswd-generator/
    2. Use the form to create the username and password.
    3. Login to cPanel in another window or tab.
    4. Click on File Manager.
    5. Select Home Directory.
    6. Check Show Hidden Files (dotfiles) if not already checked.
    7. Click on the Go button.
    8. Look for a .wpadmin file
    If one exists, right click on it and select Code Edit
    to open the editor. Click on the Edit button to edit the file.
    If one does not exist, click on New File at the top
    of the page, and specify the name as .wpadmin
    (with the dot at the front) and click on the Create New File button.
    9. Paste the code provided from the website in step 2.
    10. Click on the Save Changes button when complete.
    11. You can Close the file when finished.
    Βημα 1ο

    View full-size slide

  22. Copyright 2015 WebDevls
    Επιπρόσθετα μέτρα Αντιμετώπισης επιθέσης στο wp-login.php
    Password Protect the wp-login.php File
    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"

    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.wpadmin
    require valid-user

    Βημα 2ο
    Username το username που έχουμε στο Cpanel

    View full-size slide

  23. Copyright 2015 WebDevls
    # Block access to wp-admin.
    order deny,allow
    allow from x.x.x.x
    deny from all
    Block access to wp-admin by IP.
    Στο .htaccess file μας.

    View full-size slide

  24. Copyright 2015 WebDevls
    Protect your WP Installation from XSS by:
    1. Keep your systems secured and updated.
    2. Always download Themes and Plugins from trusted sources.
    3. Ninja Firewall (WP Plugin)
    4. Bullet Proof Security (WP Plugin)
    Copyright 2015 WebDevls

    View full-size slide

  25. Copyright 2015 WebDevls
    SQL Injection
    Preventing
    By Using Plugins.
    By Using .htaccess *
    1
    By Changing the Default Database Prefix.
    Copyright 2015 WebDevls

    View full-size slide

  26. Copyright 2015 WebDevls
    Prevent Directory Indexing
    By configuring your .htaccess file
    Drop the code:
    Options -Indexes
    By creating a blank index.php in all your subfolders:
    Copyright 2015 WebDevls

    View full-size slide

  27. Copyright 2015 WebDevls
    Prevent Image HotLinking
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-site.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-other-domain.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ “http://ieikonamou.png” [NC,R,L]
    Copyright 2015 WebDevls

    View full-size slide

  28. Copyright 2015 WebDevls

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]

    Appendix
    1.
    Copyright 2015 WebDevls

    View full-size slide

  29. Copyright 2015 WebDevls
    Recommended WordPress Security Plugins
    -Brute Forcing (etc) -IDS - Firewall +Scanners
    1.Block Bad Queries (BBQ)
    2. WordFence
    3. WordPress Simple Firewall
    1.Acunetix WP Security
    2.Sucuri
    3.Ithemes Sec Pro
    1.Sucuri
    2.Ithemes Sec Pro
    Copyright 2015 WebDevls

    View full-size slide

  30. Copyright 2015 WebDevls
    General Guide Lines
    1. Maintain strong passwords.
    2. Always Update Everything.
    3. Protect your WordPress Admin.
    4. Guard against brute Force Attacks.
    5. Monitor for malware.
    6. ...Then do something about malware.
    7. Choose the right Web Host.
    8. Always have your site cleaned.
    9. Control sensitive information
    10. Use any CDN Service
    Copyright 2015 WebDevls

    View full-size slide

  31. Copyright 2015 WebDevls
    Stay Vigilant !!!
    11.
    Copyright 2015 WebDevls

    View full-size slide

  32. Copyright 2015 WebDevls
    Copyright 2015 WebDevls
    Extra WebSecurity Informations
    DNS and DNSSEC
    DNS is the system that lets your
    browser know which web server
    to connect to when you request
    to visit a website.
    It’s the underlying backbone
    of the usable internet
    and yet, is vulnerable
    to man in the middle attacks.
    There is a solution. It’s called DNSSEC
    and it adds cryptographic hashes and
    signatures for authenticating DNS records.
    The DNSSEC beta is open to all websites
    that use CloudFlare for DNS.
    email for beta access: [email protected]
    DNS and DNSSEC
    DNS is the system that lets your
    browser know which web server
    to connect to when you request
    to visit a website.
    It’s the underlying backbone
    of the usable internet
    and yet, is vulnerable
    to man in the middle attacks.

    View full-size slide