
WordPress Greek Community 6th meetup Security 101 - Stefanos Grammenos, Panagiotis Macromanolis


WordPress Greek Community

October 21, 2015

Transcript

  1. Copyright 2015 WebDevls. Real-Time Visibility into Global Cyber WordPress Attacks. By Stefanos Grammenos and Panagiotis Macromanolis.
  2. WordPress powers more than 74.6m sites around the world.
     - 48% of Technorati's top 100 blogs use the WP Dashboard.
     - WordPress-related keywords score 37 million searches per month.
     - WordPress.com gets more unique visitors than Amazon (US).
     - Plugins have been downloaded more than 300,000,000 times.
     - 48 million downloads of WordPress.
     - Online marketing circles will often discuss WordPress more than any other CMS out there.
  3. WordPress is a huge target for the spread of the main forms of cybercrime, mainly because of its ease of use, but also because of the enormous popularity it has gained.
  4. The WordPress Security Team
     - 25 experts including lead developers and security researchers.
     - WordPress and Drupal security team collaboration.
     - Automatic background updates for security releases.
     - 2013 OWASP Top 10 Vulnerabilities: the most serious application security risks.
     - WordPress plugin and theme security: Theme Review Team, Plugin Review Team.
     - APIs: core WordPress APIs, DB API, Filesystem API, HTTP API, Permissions and Current User API.
     - Contact: [email protected]
  5. When we are armed with technical advice and common sense, we can avoid many of the well-known attacks. The harder we make an attacker's job on our website, the more likely it is that they will leave us alone and move on to an easier target. Computer systems security: Sasser – Bagle – Zafi – MyDoom – Lovsan/Blaster – Klez – BugBear.
  6. Attacks committed using computers (Computer Crime). Attacks committed over the Internet (Cyber Crime).
  7. The main WordPress-based attacks. WordPress remains the main CMS target of attacks.
     - Brute-force password-guessing attacks
     - XSS (Cross-Site Scripting)
     - SQL Injection
     - Directory Indexing
     Honorable mentions:
     - Image HotLinking
  8. Brute Force Attack or Dictionary Attack. A brute force attack is an automated process and can be done by using a program that will try to guess your password by using a list of words, symbols and numbers (wordlists). The attacker will try to compromise your website by brute-force attacking your wp-login.php.
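The brute-force attack described on this slide leaves an obvious trace: a burst of POST requests to wp-login.php from one client. The following detector is an added example, not code from the talk; it parses Apache combined-format access log lines and flags any client IP with at least a threshold of failed login POSTs inside a sliding time window. The log lines, IP addresses and timestamps are constructed for illustration. The detector relies on a real WordPress behaviour: a failed login re-renders the form with status 200, while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: largest number of failed wp-login.php POSTs seen inside any
    `window`} for every client reaching `threshold`. Only POSTs answered with
    200 count: WordPress re-renders the login form on failure and sends a 302
    redirect on success, so a legitimate login is not counted."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == "/wp-login.php" and rec["status"] == "200"):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):        # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# --- constructed sample log (made-up IPs from documentation ranges) -----------
_T0 = datetime(2015, 10, 21, 10, 0, 0, tzinfo=timezone(timedelta(hours=3)))


def _line(ip, second, method, status):
    """Build one constructed combined-format log line `second` seconds after _T0."""
    ts = (_T0 + timedelta(seconds=second)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" {status} 3456 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", 200) for s in range(0, 36, 3)]     # 12 failures in 33 s
    + [_line("198.51.100.4", 5, "GET", 200), _line("198.51.100.4", 20, "POST", 302)]  # normal login
    + [_line("198.51.100.9", s, "POST", 200) for s in range(0, 600, 200)]  # 3 slow failures
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} failed logins within 60 s")
```

Tune `threshold` and `window` to the site's real login rate; a reverse proxy or CDN in front of the server will put its own address in the client field, in which case the detector must read the forwarded client header instead.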
  9. Cross Site Scripting Attack. A hack attack that exploits web applications: a security exploit in which the attacker inserts malicious code into a link that appears to be from a trustworthy source.
  10. Cross Site Scripting Attack. http://www.xssed.com/archive. Theft of passwords/accounts and personal data; changing browser settings; cookie theft. XSS, SQL injections and brute force attacks are the most common attacks on WP.
  11. The attacker injects a payload into the website's database by submitting a vulnerable form with some malicious JavaScript.
      1. The victim requests the web page from the website.
      2. The website serves the victim's browser the page with the attacker's payload as part of the HTML body.
      3. The victim's browser executes the malicious script inside the HTML body. In this case it would send the victim's cookie to the attacker's server.
      The attacker now simply needs to extract the victim's cookie when the HTTP request arrives at the server, after which the attacker can use the victim's stolen cookie for impersonation.
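The three steps above hinge on one rendering decision: whether stored text is copied into the HTML body as-is or escaped first. The following added example (not from the talk) models that with a constructed list of comment rows, renders them once the vulnerable way and once with output escaping (what `esc_html()` does in a WordPress template), and shows the HttpOnly cookie attribute that keeps a script from reading the login cookie in the first place. The comment rows and cookie name/value are placeholders, and the stored payload is a harmless marker rather than an exfiltration script.

```python
import html

# Constructed comment rows standing in for the site's comments table. The
# second row is what an unfiltered form saved from the attacker's submission.
COMMENTS = [
    {"author": "alice", "body": "Nice post!"},
    {"author": "mallory", "body": '<script>alert("xss")</script>'},
]


def render_vulnerable(comments):
    """Step 2 of the slide: stored text is interpolated straight into the HTML
    body, so the victim's browser will run the attacker's script (step 3)."""
    return "\n".join(f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in comments)


def render_escaped(comments):
    """Same page with every untrusted value HTML-escaped at output time, the
    equivalent of esc_html() in WordPress. The text is still stored; it just
    can no longer become markup when it is served."""
    return "\n".join(
        f"<li><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</li>"
        for c in comments
    )


def contains_live_script(page):
    """Crude check used by the tests: does a raw <script tag reach the page?"""
    return "<script" in page.lower()


def auth_cookie_header(name, value, http_only=True):
    """Set-Cookie line for the login cookie. With HttpOnly the browser hides the
    cookie from document.cookie, so even a script that does run cannot read it
    to send it to the attacker's server. WordPress sets this flag on its own
    wordpress_logged_in_* cookies; the name and value here are placeholders."""
    attrs = ["Path=/", "Secure"]
    if http_only:
        attrs.append("HttpOnly")
    return f"Set-Cookie: {name}={value}; " + "; ".join(attrs)


if __name__ == "__main__":
    print("vulnerable page:\n" + render_vulnerable(COMMENTS))
    print("escaped page:\n" + render_escaped(COMMENTS))
    print(auth_cookie_header("wordpress_logged_in_PLACEHOLDER", "PLACEHOLDER"))
```

Escaping belongs at output, in the template, not at input: the same stored string may later be emitted into an attribute, a URL or a script block, each of which needs its own escaping function.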
  12. SQL Injection: a query database attack. The attacker tries to find vulnerable queries in the code and gains access to the whole database, tables and schema.
  13. Directory Indexing is a way for an attacker to find out our server's folder structure, and they can find our server user name in the process.
  14. Image HotLinking: the ability for another website to use our own bandwidth.
  15. DDoS. A DDoS or Distributed Denial of Service attack is used to target a single (or multiple) system(s) by sending a very large amount of traffic packets into the system, finally overwhelming it and making it unavailable. Distributed via botnets (infected systems). Types of DDoS attacks: traffic attacks, bandwidth attacks, application attacks.
  16. Live Demonstration on Brute Forcing a WordPress Installation. Do not try this at home. The following operation is illegal and must be performed only after having the necessary permissions on the server and the website from the rightful owner.
  17. Don't use the 'admin' username. Good passwords. Security plugins: /plugins/google-authenticator/ (two-step verification), WordFence, Clef.
  18. Additional measures against attacks on wp-login.php. MD5 algorithm, crypt() passwords, both Linux and Windows. Password-protect the wp-login.php file: http://www.htaccesstools.com/htpasswd-generator/
      Step 1:
      1. Visit: http://www.htaccesstools.com/htpasswd-generator/
      2. Use the form to create the username and password.
      3. Log in to cPanel in another window or tab.
      4. Click on File Manager.
      5. Select Home Directory.
      6. Check Show Hidden Files (dotfiles) if not already checked.
      7. Click on the Go button.
      8. Look for a .wpadmin file. If one exists, right-click on it and select Code Edit to open the editor, then click on the Edit button to edit the file. If one does not exist, click on New File at the top of the page, specify the name as .wpadmin (with the dot at the front) and click on the Create New File button.
      9. Paste the code provided by the website in step 2.
      10. Click on the Save Changes button when complete.
      11. You can close the file when finished.
  19. Additional measures against attacks on wp-login.php. Password-protect the wp-login.php file. Step 2 (username is the username we have in cPanel):

          ErrorDocument 401 "Unauthorized Access"
          ErrorDocument 403 "Forbidden"
          <FilesMatch "wp-login.php">
          AuthName "Authorized Only"
          AuthType Basic
          AuthUserFile /home/username/.wpadmin
          require valid-user
          </FilesMatch>
  20. Block access to wp-admin by IP, in our .htaccess file:

          # Block access to wp-admin.
          order deny,allow
          allow from x.x.x.x
          deny from all
  21. Protect your WP installation from XSS by:
      1. Keep your systems secured and updated.
      2. Always download themes and plugins from trusted sources.
      3. Ninja Firewall (WP plugin)
      4. Bullet Proof Security (WP plugin)
  22. SQL Injection prevention: by using plugins; by using .htaccess (see Appendix 1); by changing the default database prefix.
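Slide 12 says the attacker hunts for vulnerable queries, and slide 22 lists plugins, .htaccess filters and a changed table prefix as defences. The added example below (not code from the talk) shows what the vulnerable query actually looks like and why the fix that removes the bug is parameterization, which in WordPress code means `$wpdb->prepare()`. It uses an in-memory SQLite table standing in for wp_users with constructed rows; the same string-concatenation mistake behaves the same way against MySQL.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the wp_users table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)"
    )
    con.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
        [("admin", "admin@example.invalid"), ("editor", "editor@example.invalid")],
    )
    return con


def find_user_vulnerable(con, login):
    """The kind of query the attacker is hunting for: user input is pasted into
    the SQL text, so a quote in the input changes the statement itself."""
    sql = "SELECT ID, user_login FROM wp_users WHERE user_login = '" + login + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, login):
    """Parameterized query: the driver sends the input as a value, never as SQL.
    In WordPress this is $wpdb->prepare("... WHERE user_login = %s", $login)."""
    return con.execute(
        "SELECT ID, user_login FROM wp_users WHERE user_login = ?", (login,)
    ).fetchall()


def demo():
    """Return (rows from the vulnerable query, rows from the safe query) for the
    textbook tautology input; the input is constructed test data."""
    con = make_db()
    probe = "' OR '1'='1"
    return find_user_vulnerable(con, probe), find_user_safe(con, probe)


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable query returned", len(vuln), "rows:", vuln)
    print("parameterized query returned", len(safe), "rows:", safe)
```

The .htaccess keyword filter and the renamed prefix are layers in front of the bug, not fixes for it: the query string is only one input channel, and the prefix is easy to discover. A parameterized query is correct regardless of what the filter lets through.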
  23. Prevent Directory Indexing by configuring your .htaccess file. Drop in the code:

          Options -Indexes

      Or by creating a blank index.php in all your subfolders.
  24. Prevent Image HotLinking:

          RewriteEngine on
          RewriteCond %{HTTP_REFERER} !^$
          RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-site.com [NC]
          RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-other-domain.com [NC]
          RewriteRule \.(jpg|jpeg|png|gif)$ "http://ieikonamou.png" [NC,R,L]
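It is easy to misread what a chain of negated RewriteConds does, so the following added example (not from the talk) re-implements the rule above as a small evaluator: the rule fires only when the request path matches the RewriteRule pattern and every condition holds, where a `!` condition holds when its pattern does not match. The regex patterns are the slide's own; the request paths and referers in the tests are constructed.

```python
import re

# The slide's RewriteConds as (pattern, negated). The referer conditions carry
# [NC]; matching all of them case-insensitively does not change the outcome.
HOTLINK_CONDS = [
    (r"^$", True),                                         # !^$  (blank referer allowed)
    (r"^http(s)?://(www\.)?your-site.com", True),          # our own site
    (r"^http(s)?://(www\.)?your-other-domain.com", True),  # our other domain
]
HOTLINK_RULE = r"\.(jpg|jpeg|png|gif)$"                    # RewriteRule pattern, [NC]


def rewrite_fires(path, referer, conds=HOTLINK_CONDS, rule=HOTLINK_RULE):
    """Return True when mod_rewrite would apply the RewriteRule: the rule
    pattern matches the request path (query string excluded) and every
    RewriteCond holds. Conditions without [OR] are ANDed, as here; a '!'
    condition holds exactly when its pattern does NOT match."""
    if not re.search(rule, path, re.IGNORECASE):
        return False
    for pattern, negated in conds:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negated:  # positive cond that failed, or negated cond that matched
            return False
    return True


def hotlink_blocked(path, referer):
    """Would this image request be redirected to the replacement image?"""
    return rewrite_fires(path, referer)


if __name__ == "__main__":
    for ref in ["", "https://www.your-site.com/post/1", "http://other.example/page"]:
        print(repr(ref), "->", "redirect" if hotlink_blocked("/a.jpg", ref) else "serve")
```

Two practical notes: the empty-referer condition is what keeps direct visits, RSS readers and privacy-minded browsers working, and the replacement image named in the RewriteRule must be served from somewhere these conditions do not apply, otherwise the redirect itself is matched again.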
  25. Appendix 1.

          <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteBase /
          RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
          RewriteRule ^(.*)$ - [F,L]
          RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
          RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
          RewriteCond %{QUERY_STRING} tag\= [NC,OR]
          RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
          RewriteCond %{QUERY_STRING} http\: [NC,OR]
          RewriteCond %{QUERY_STRING} https\: [NC,OR]
          RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
          RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
          RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
          RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
          RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
          RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
          RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
          RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
          RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
          RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
          RewriteRule ^(.*)$ - [F,L]
          </IfModule>
  26. Recommended WordPress Security Plugins
      - Brute Forcing (etc): 1. Block Bad Queries (BBQ), 2. WordFence, 3. WordPress Simple Firewall
      - IDS - Firewall: 1. Acunetix WP Security, 2. Sucuri, 3. iThemes Sec Pro
      - Scanners: 1. Sucuri, 2. iThemes Sec Pro
  27. General Guidelines
      1. Maintain strong passwords.
      2. Always update everything.
      3. Protect your WordPress admin.
      4. Guard against brute force attacks.
      5. Monitor for malware.
      6. ...Then do something about malware.
      7. Choose the right web host.
      8. Always have your site cleaned.
      9. Control sensitive information.
      10. Use a CDN service.
  28. Extra Web Security Information: DNS and DNSSEC. DNS is the system that lets your browser know which web server to connect to when you request to visit a website. It's the underlying backbone of the usable internet and yet is vulnerable to man-in-the-middle attacks. There is a solution. It's called DNSSEC and it adds cryptographic hashes and signatures for authenticating DNS records. The DNSSEC beta is open to all websites that use CloudFlare for DNS. Email for beta access: [email protected]