Hacking WordPress... and countermeasures.

A beginner's introduction to cybersecurity in a WordPress environment, showing how the hacking process works, with The Art of War as the driving theme. It also includes real examples of what can happen when we do not take care of this.
This talk was presented in the WordCamp Osaka 2019.


  2. Hacking WordPress & Countermeasures. Nestor Angulo de Ugarte, WordCamp Osaka 2019, #WCOsaka
  3. Hello!
  4. Who I am: Computer Science Engineer & technology consultant; photographer & early adopter; truly curious guy; 2015: Sucuri Incident Response & Easy SSL; 2019: Interim Head of IT at GoDaddy Spain.
  5. Where are the Canary Islands?
  6. About Sucuri: the name means "anaconda" (it is not "Securi" or "Security"); website security; fully remote (people from more than 25 countries around the world); founded in 2008; proud part of the GoDaddy family since 2017; free scanners: Sitecheck (sitecheck.sucuri.net) and Performance (performance.sucuri.net).
  7. #WCOsaka2019 Nestor Angulo (@pharar)
  8. Concepts: giving context.
  9. Disclaimer: Any sensitive information has been protected or encrypted to preserve privacy. Any similarity with reality is a coincidence. I am responsible for what I say, not for what you interpret. Always ask an expert.
  11. There are two kinds of companies: those that have been hacked, and those that do not yet know they have been hacked.
  12. Hacker vs cyberterrorist. Hacker: a curious person who loves to go beyond limits and conventions. Cyberterrorist / cracker: a computer hacker whose intentions are always aligned with enriching himself in a zero-sum game. The bad guy.
  13. Hacker hat colours. Black Hat: cyberterrorist, thief. Grey Hat: a White Hat using illegal procedures. White Hat: security analyst, ethical hacker.
  14. Malware: software intentionally designed to cause damage to a computer, client, or computer network. Some types: backdoors, zero-days; exploits; Trojan horses, "freemium" plugins; ransomware, spyware; adware, scareware.
  15. Cybersecurity & web security. Cybersecurity: security in the digital world. Web security: a field of cybersecurity; it covers what happens over ports 80 and 443 (HTTP and HTTPS).
  16. Facts: Site hacking is almost never aimed at a specific victim (98% of cases). It almost always happens because of deficient monitoring or maintenance. An SSL certificate is not an anti-hacking shield. Patches and security updates almost always appear after the exploit is already in use. Errare humanum est (to err is human). Security is never, and will never be, 100% effective.
  17. Facts. Source: Website Hack Trend Report 2018 – sucuri.net
  18. The Art of War: in the mind of your enemy.
  19. Common targets: users' information, the database, website content, infrastructure, botnet (your server as a node), reputation.
  20. Know your weaknesses: You are your weakest point (you can be scammed). Passwords (vulnerable to brute-force attacks). Leftovers: admin users, outdated or vulnerable software, not-in-use plugins and themes (enabled or disabled). Non-secure connections (avoid public Wi-Fi): vulnerable to man-in-the-middle attacks.
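The brute-force weakness above is also the easiest one to see coming: password guessing against wp-login.php (or xmlrpc.php, whose system.multicall lets one request carry many guesses) leaves a very regular trail in the web server access log. The following Python script is an added example for this page, not the speaker's code or any Sucuri product logic. It parses Apache/Nginx "combined"-style log lines and flags any client IP that POSTs to a login endpoint more than a threshold number of times inside a sliding window. The log lines are constructed (TEST-NET addresses), and the 60-second window and threshold of 10 are assumptions to tune for your own traffic.

```python
"""Flag login brute force in WordPress access logs.

Added example for this page, not the speaker's code. It parses
Apache/Nginx "combined"-style lines and counts POST requests to
wp-login.php and xmlrpc.php per client IP inside a sliding window.
The log lines, window and threshold below are constructed/assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoints used for password guessing (xmlrpc.php counts because
# system.multicall allows many guesses inside a single request).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, window_seconds=60, threshold=10):
    """Return {ip: peak attempts seen inside one window} for offending IPs.

    Lines must be in time order per IP, as a real log is. Attempts are
    counted regardless of status code: a 302 after a correct guess is
    exactly the event you want to notice.
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        window = recent[rec["ip"]]
        window.append(rec["time"])
        while (rec["time"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


# Constructed sample log: one editor logging in normally, one client
# hammering wp-login.php every two seconds, one probing xmlrpc.php slowly.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Nov/2019:09:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2431',
    '198.51.100.4 - - [10/Nov/2019:09:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Nov/2019:09:15:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200',
] + [
    f'203.0.113.7 - - [10/Nov/2019:09:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120'
    for s in range(0, 40, 2)
] + [
    f'192.0.2.55 - - [10/Nov/2019:09:16:{s:02d} +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 410'
    for s in range(0, 50, 10)
]

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute force suspected from {ip}: {n} login POSTs within 60 s")
```

Two practical caveats: behind a CDN or WAF the first field of the log is the proxy's address, so take the client IP from the header your proxy sets (and trust that header only from the proxy's own ranges); and a slow, distributed guesser stays under any per-IP threshold, which is why the real defence is the one on the later slides, unique strong passwords plus 2FA, with rate limiting as the layer in front of it.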
  21. Hacking WordPress, the process: Vulnerability -> Exploit -> Injection -> Final code (backdoor, spam / defacement, bot node).
  22. Definitions. Vulnerability: a bug in the code, or a possibility of misuse, that can be exploited to perform unauthorized actions within a computer system. Exploit: software that leverages a vulnerability. Backdoor: malware that allows remote execution of code.
  23. WPScan Vulnerability Database: wpvulndb.com
  24. Gallery of Horrors
  25. Defacements
  27. Example 1: Photographer gallery
  30. Example 2: Pet food store
  33. Bonus
  35. Defacements: partial or full replacement of the website frontend. Very obvious. Easy detection: users (listen to them!), scanners. Target: awareness, or a social or political statement.
  36. Black Hat SEO / Spam
  42. Black Hat SEO / Spam: spam or unwanted content on your site. Detection: scanners (easy), users (listen to them!), search engine warnings. Target: your SEO and your reputation.
  43. DDoS attacks / botnets
  44. Definitions. DoS attack (Denial of Service): an application overwhelmed by a huge number of requests. DDoS attack: distributed DoS, the requests come from many sources at once. Botnet: a network of compromised sites or hosts linked to act in a coordinated way; it has bot nodes and a bot master.
  45. Normal, tending to calm
  48. Botnets, cryptominers, DDoS: they affect your infrastructure. Detection: usually difficult; strange use of resources; file integrity scanner. A WAF is recommended. Target: your server's resources, your users' resources, a zombie node.
  49. Countermeasures: reactive and proactive measures.
  50. Characters in the story (if something happens). You: owner / admins, developer & designer, users / clients. Hosting provider: agent / C3, support & backups. Security expert: security department, external services.
  51. Security in layers: you (the weakest layer); your device (antivirus); your connection (SSL); your website (WAF); your credentials (strong passwords / 2FA); your site security (monitoring / updates); your server security (monitoring / updates); your database (monitoring); maintenance tasks.
  52. Measures: reactive vs proactive. Reactive: when bad things have already happened; pain mitigation. Proactive: before anything bad happens; risk mitigation.
  53. Reactive measures: scan your site (status: sitecheck.sucuri.net; blacklists: virustotal.com); CRC: Check, Remove and Change; update; restore a backup.
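The "Check" in CRC and the file integrity scanner recommended for botnet and cryptominer infections come down to the same discipline: know what your files looked like before, and look hard at whatever changed. The Python block below is an added example for this page, not Sucuri's scanner or the speaker's tooling. It records a SHA-256 baseline of a WordPress tree, diffs a later snapshot against it, and runs only the added or modified files through a handful of patterns typical of PHP backdoors (the "remote execution of code" from the definitions slide). The site files and the planted backdoor strings are constructed for the demonstration; the indicator list is illustrative, not a signature database, and a real check should also compare core files against the WordPress.org checksums (for example with `wp core verify-checksums`).

```python
"""Baseline, diff and indicator scan for a WordPress file tree.

Added example for this page, not Sucuri's scanner or the speaker's code.
The files written below are constructed; INDICATORS is a small
illustrative set of patterns common in PHP backdoors, not a signature
database.
"""
import hashlib
import os
import re
import tempfile

INDICATORS = [
    (re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval() of a decoded payload"),
    (re.compile(rb"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "shell command built from a request parameter"),
    (re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "assert() on a request parameter (code execution)"),
    (re.compile(rb"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
     "preg_replace() with the /e modifier (code execution)"),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Report what appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def scan_indicators(root, paths):
    """Return {relative path: [matched indicator descriptions]}."""
    hits = {}
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        found = [desc for rx, desc in INDICATORS if rx.search(data)]
        if found:
            hits[rel] = found
    return hits


def demo():
    """Constructed scenario: baseline a tiny site, plant a backdoor, rescan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        write("index.php", "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n")
        write("wp-config.php", "<?php define('DB_NAME', 'wp'); // constructed placeholder\n")
        write("wp-content/plugins/hello.php", "<?php // constructed placeholder plugin\n")
        baseline = build_baseline(root)      # in practice: keep this copy off the server

        # Simulated compromise: a dropped backdoor in uploads plus a core file
        # with a one-line web shell prepended. Both strings are constructed to
        # match the indicator patterns; they are not taken from any real site.
        write("wp-content/uploads/.cache.php", "<?php eval(base64_decode($_POST['p'])); ?>\n")
        write("index.php", "<?php system($_GET['cmd']); ?>\n"
              "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n")

        changes = diff_baseline(baseline, build_baseline(root))
        # Only files that changed need eyes on them; the rest still match the baseline.
        hits = scan_indicators(root, changes["added"] + changes["modified"])
        return {"diff": changes, "hits": hits}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two things the block is designed to show: a PHP file appearing under wp-content/uploads is suspicious on its own, before any pattern matches, because that directory should never execute code; and the baseline is only worth anything if the attacker cannot rewrite it, so store it (or at least its own hash) somewhere the web server user cannot write.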
  55. Proactive measures: reduce admins, plugins and themes; backups; updates; invest in hosting & security; WAF.
  56. The more doors, the higher the risk. "Render unto Caesar what is Caesar's": do admin tasks with the admin account, and everything else with a limited account. The more admins, plugins and themes, the more risk (even when disabled). All users' passwords MUST be unique and strong (better with 2FA where possible). This applies to all layers (wp-admin, [S]FTP, cPanel, dashboard, database, ...).
  57. Backups: have a backup strategy. NEVER store the backups on your production server. A clean and FUNCTIONAL backup will be your best friend on a bad day.
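"Functional" is the word that matters on the backup slide: an archive nobody has ever restored is a hope, not a backup. The Python block below is an added example, not the speaker's script. It writes a gzip tarball of a site directory with an embedded SHA-256 manifest, then trial-restores the archive into a scratch directory and compares every file against that manifest; finally it corrupts one byte of a copy to show the check failing the way bit rot or a bad transfer would. Site contents, paths and archive names are constructed, and the archive is written locally only for the demonstration; the slide's rule still stands, so the real copy goes off the server (another host, object storage) as soon as it is written.

```python
"""Backup with an embedded hash manifest, plus a trial restore.

Added example for this page, not the speaker's script. A backup is only
"functional" once it has been restored and checked, so verify_backup()
unpacks the archive into a scratch directory and compares every file
against the manifest written at backup time. Site contents, paths and
archive names are constructed.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_root, archive_path):
    """Tar+gzip site_root, appending a JSON manifest of SHA-256 digests."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, _, files in os.walk(site_root):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, site_root)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
        payload = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def verify_backup(archive_path):
    """Trial-restore the archive; return (ok, list of problems)."""
    problems = []
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch)  # on Python >= 3.12 pass filter="data" as well
            with open(os.path.join(scratch, MANIFEST_NAME)) as f:
                manifest = json.load(f)
            for rel, digest in manifest.items():
                path = os.path.join(scratch, rel)
                if not os.path.isfile(path):
                    problems.append(f"missing: {rel}")
                elif sha256_file(path) != digest:
                    problems.append(f"hash mismatch: {rel}")
    except Exception as e:  # any failure to unpack is a failed backup, whatever the cause
        problems.append(f"archive unreadable: {type(e).__name__}: {e}")
    return (not problems, problems)


def demo():
    """Constructed run: back up a tiny site, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "site")
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'wp'); // constructed placeholder\n")
        with open(os.path.join(site, "wp-content", "uploads", "notes.txt"), "w") as f:
            f.write("constructed upload content\n")

        archive = os.path.join(work, "site-backup.tar.gz")   # then copy it OFF the server
        manifest = make_backup(site, archive)
        good = verify_backup(archive)

        # Bit rot or a bad transfer: flip one byte in the middle of a copy.
        damaged = os.path.join(work, "site-backup-damaged.tar.gz")
        with open(archive, "rb") as f:
            data = bytearray(f.read())
        data[len(data) // 2] ^= 0xFF
        with open(damaged, "wb") as f:
            f.write(data)
        bad = verify_backup(damaged)

        return {"files": sorted(manifest), "good": good, "bad": bad}


if __name__ == "__main__":
    print(demo())
```

The same trial restore belongs in the backup job itself, run against the off-server copy rather than the local file, so that "backup succeeded" means the copy you would actually reach for on a bad day. The database dump is not covered here; treat it the same way, restoring it into a scratch schema and checking row counts before declaring the backup good.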
  59. Updates: plugins, themes, core, PHP, Apache / Nginx, the server, cPanel / Plesk, ...
  60. Updates. Source: Web Professional Security Survey 2019 – sucuri.net
  61. Remember to invest in security and hosting.
  62. Hosting: the first layer of your site's defense; a balance between price and features; they are in charge of the server's services, database and maintenance.
  63. Shared hosting vs dedicated
  64. Source: 2019 Sucuri survey of e-commerce owners.
  65. WAF, your guard dog: filters all your web traffic; protects against XSS, DDoS, ...; virtually patches widely known software vulnerabilities; if it includes a CDN, it improves your site's speed and performance; a forensic analysis tool; allows manual blocking.
  69. Thank you very much! Any questions? @pharar #WCOSAKA2019
