2. Who Am I
Hi, my name is Tony Perez | @perezbox
Marine Corps – War Vet
Sucuri Security
Objectivity and rationalism
Gun carrying, Harley riding, Martial Artist.
Web-malware is my life
@sucuri_security @perezbox #wcoc 2 6/2/2012
3. What are we going to talk about?
Web Security
Look at some statistics…
Provide an understanding of web malware
Understand the threat scape a bit…
Look at some of the recent trends…
Give some hardening tips
Get into the recommendations…
4. Thinking about Web Security
Web Security: Access | Containment | Knowledge
6. Web Numbers
> 700 Million websites – As of May 2012 – Netcraft
300 Million – Number of websites in 2011 – Pingdom
10.82 Billion – Number of indexed pages – WorldWebSize
2.1 Billion – Number of internet users worldwide – Pingdom
Projected that:
1 Billion – 2013
2 Billion – 2015
7. WordPress Numbers
73 Million+ – Number of WP powered sites
16% – Of all websites run WordPress
22 – Out of every 100 new domains in the U.S.
54% – CMS market share
62% – Market share of top 1,000,000 sites
53% – Market share of top 100,000 sites
55% – Market share of top 10,000 sites
Projection
300 – 500 Million – 2015
8. Web Malware Numbers
403 Million – Unique variants of malware 2011
140% Growth – 2010 – 2011 in unique variants
55,294 – Malicious web domains in 2011
130% Growth – 2010 – 2011 in malicious domains
81% – Increase in malicious web-based attacks between 2010 / 2011
42 Billion – Global SPAM per day 2011
(Source: Symantec Internet Security Threat Report, Vol 17)
9. Gah… NO MORE NUMBERS
The web is growing at an unprecedented pace.
WordPress growth – astronomical and gaining
Web-based malware is not far behind
To have a virtual presence you must consider the security of your website
11. Thinking about Web Security
Web Security
Access – Control, Authentication
Containment – Reduce Threat, Minimize Impact
Knowledge – Have a Plan, Be prepared
12. Web-based Malware
Malware – Short for malicious software. This software is designed to disrupt operation of an information system (i.e., local machine, server, mobile device, etc.)
In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack. – BlueCoat 2012 Web Security Report
13. Types of Malware
Obfuscated JavaScript
Hidden & Malicious iFrames
Embedded Trojans
Phishing Attempts
Malicious Redirects
Backdoors (e.g., C99, R57, Webshells)
Stupid, Pointless, Annoying Messages (SPAM)
Defacement
Anomalies
IP Cloaking
Drive by Downloads
15. Most Common Distributions
Social Engineering
Trick you into installing malware
Compromising credentials
Websites, Email, Twitter
Drive-by-Downloads
Install malware after exploiting a vulnerability – big issue for us in the WP community
iFrame (52.6%) and JS injections (26.5%)
Malicious redirects
Redirect user to another site often distributing malware
16. Threat Landscape
End User
Local Environment
Application
Web Server Administration
Network
Environmental
17. The Attacker
Types
White-Hat
Ethical / Grey Hat
Script Kiddie
Hacktivist
Cracker / Black Hat
Culture
Has code of ethics, heroes and villains and competing gangs
Knowledge is power
Most believe information and computer access should be freely shared
Major motivation among hackers is status
Financial gain is a strong motivation with crackers – Robin Hood mindset – ok to steal
18. But I only write about lazy lizards!!!!
• Opportunistic Attacks
• Road of least resistance
• Political Agenda / Further Cause
• Mass Exposure
• In short – it doesn't matter what you write about, you have a virtual presence
19. Is WordPress insecure?
Out of the box, core is well built and secure
It's no longer the days of 1.5
Security team is in place to quickly address and patch issues
Extensibility – both its strength and weakness
With popularity comes a target… think Windows for local environments
Easy target because of its exposure, attackers focusing on the platform
Road of least resistance
21. Top reasons why we see these infections
Poor credential Management
Poor System Administration
Soup Kitchen Servers
Out of Date Software
Lack of Web knowledge
Use of self-proclaimed "experts"
Cutting Corners
23. Reduce Threat Risk
Update
Credentials
Communicate Securely
Themes / Plugins
Harden Your Install
Don't forget your local environment
Knowledge - Resources
24. Update, Update, Update
Leading cause of infections
If your theme is so coupled with core it can't be updated, consider purchasing a new one
PHP, Core, Themes, Plugins, JavaScript…
25. Credentials (user / password)
Basics
Avoid using "Admin" & "Administrator"
Use Strong Passwords
Online Generator: http://www.onlinepasswordgenerator.com/password.php
Use Password Manager
LastPass – Free – Online / Mobile Access – https://lastpass.com/
1Password – https://agilebits.com/onepassword
Take-Aways
Complex Unique password: Upper / Lower, Symbols, Numbers
Longer than 18 characters
Passphrases
Use one time – Password manager
In short: No Dates, No Names, No Pets, No Places
A = @, E = 3, S = $, O = 0 – They know this
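To make the take-aways on this slide checkable, here is an added example (not part of the deck, and not Sucuri's tooling): a POSIX shell function that applies the slide's rules, including undoing the "A = @, E = 3, S = $, O = 0" substitutions before looking for names, pets and places. The deny list, the substitution table and the sample passwords are all constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the slides: a password policy check that applies
# the take-aways above (longer than 18 characters, no dates, no names /
# pets / places, and leet substitutions do not count as complexity).

# Constructed deny list standing in for the names, pets and places an
# attacker tries first. A real check would load a much larger list.
DENY_WORDS="admin administrator password wordpress qwerty tony fluffy orlando"

# Undo the usual leet substitutions and lowercase, so "P@$$w0rd" reads "password".
deleet() {
    printf '%s' "$1" | tr '@3$0!1' 'aesoil' | tr 'A-Z' 'a-z'
}

# check_password PASSWORD: prints a verdict and returns 0 (ok) or 1 (weak).
check_password() {
    pw=$1
    # Rule 1: longer than 18 characters.
    if [ "${#pw}" -le 18 ]; then
        echo "weak: ${#pw} characters, need more than 18"
        return 1
    fi
    # Rule 2: no dates. Checked on the raw password so the digits are intact.
    if printf '%s' "$pw" | grep -Eq '(19|20)[0-9][0-9]'; then
        echo "weak: looks like it contains a year"
        return 1
    fi
    # Rule 3: no names / pets / places, matched after undoing leet substitutions.
    norm=$(deleet "$pw")
    for w in $DENY_WORDS; do
        case "$norm" in
            *"$w"*)
                echo "weak: contains '$w' once substitutions are undone"
                return 1
                ;;
        esac
    done
    echo "ok"
    return 0
}

# Constructed samples: the first two fail, the passphrase passes.
demo() {
    for p in 'P@ssw0rd2012!!!!!!!!' 'Sh0rt!' 'riding-harley-through-fog-at-dawn'; do
        printf '%-36s ' "$p"
        check_password "$p" || true
    done
}
demo
```

The length rule is deliberately checked first and on the raw string, because the substitution table maps digits to letters and would otherwise hide a year like 2012.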
26. Data Dictionary / Defacement
27. Communicate Securely
Communication mechanisms
File Transfer Protocol (FTP)
Secret File Transfer Protocol (SFTP)
Secure Shell (SSH)
Tools
Filezilla
Coda
NCFTP
SFTP / SSH - Best Approach
Google: How to create SFTP account on [Host Name]
Google: How to enable SSH on [Host Name]
28. Safe Themes / Plugins
WordPress Repository is a good place to start
19.6k+ - Available Plugins
1.5k+ - Available Themes
Look for good descriptions of the theme or plugin
Look to see versions and updates
Active change log is always good
Theme-check & Plugin-check are good tools to check potential issues
Free Theme?
http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
29. Plugins To Avoid
WPStats.org SPAM – Fake Advanced Search Plugin
SEO poisoning – Bad
http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search-plugin.html
Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0)
Upload / Server control – Very Bad
http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with-pwwangs-code-for-wordpress-version-1-0-0.html
Absolute Privacy Plugin
Known vulnerability
http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html
ToolsPack Plugin
Dangerous backdoor – full access – Very Bad
http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html
32. HTACCESS is your Friend
Configuration file for web servers using Apache
Features:
Error Documents
Redirects
Password Protection
Deny visitors by IP
Hot link prevention
Access prevention
More?
Apply these changes at your own peril – run risk of blowing up site
33. Protect HTACCESS
Permission <= 640
# PROTECT HTACCESS
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
34. Protect WP-Config
.htaccess
Permissions <= 640
# PROTECT WP-CONFIG
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
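The last two slides both give a "<= 640" permission rule but no way to verify it across a site. Here is an added example (not from the deck) that audits every wp-config.php and .htaccess under a WordPress root with POSIX find and tightens what it finds; the site tree it builds is constructed for the demonstration, and it assumes the web server reads the files as the owning group so nothing needs to be world-readable.

```shell
#!/bin/sh
# Added example, not from the slides: audit the "<= 640" rule for wp-config.php
# and every .htaccess under a WordPress root, then tighten what is found.
# Assumes POSIX find/chmod and that the web server runs as the file's group.

# Print each wp-config.php / .htaccess whose mode is looser than 640:
# readable by other (004), writable by other (002), or writable by group (020).
find_loose_files() {
    find "$1" -type f \( -name wp-config.php -o -name .htaccess \) \
        \( -perm -004 -o -perm -002 -o -perm -020 \) -print
}

# Tighten every file reported above to 640 (owner rw, group r, other nothing).
harden_files() {
    find_loose_files "$1" | while IFS= read -r f; do
        chmod 640 "$f"
        echo "fixed: $f"
    done
}

# Constructed site tree for the demonstration; prints its path.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    printf '<?php // constructed config ?>\n' > "$d/wp-config.php"
    printf 'Options -Indexes\n' > "$d/.htaccess"
    printf 'Deny from all\n' > "$d/wp-content/uploads/.htaccess"
    chmod 644 "$d/wp-config.php"                 # world-readable: flagged
    chmod 664 "$d/.htaccess"                     # group-writable: flagged
    chmod 640 "$d/wp-content/uploads/.htaccess"  # already at the target: not flagged
    echo "$d"
}

site=$(make_demo_site)
echo "before:"; find_loose_files "$site"
harden_files "$site"
echo "after:";  find_loose_files "$site"
rm -rf "$site"
```

Run the audit half on its own first (`find_loose_files /path/to/site`) before applying `harden_files`: as the speaker notes warn, a host where PHP runs as a different user than the file owner may need 660 rather than 640, and the lowest permission that still works is the target.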
35. Authentication Keys
wp-config.php
Encrypts information stored in user's cookies
https://api.wordpress.org/secret-key/1.1/salt/
Resource: http://codex.wordpress.org/Editing_wp-config.php
37. Admin User
Created by "default" <= 3.0
In higher versions you can define your own administrator
Create new user, apply "administrator" role
Be mindful of any posts created by "admin" user
Delete "admin" user
38. Disable Directory Listing
Nobody should know the color of your skivvies
Default in most hosts, not always
# PREVENT DIRECTORY LISTINGS
Options -Indexes
39. Disable Plugin / Theme Editor
wp-config.php file
Remove the ability to modify your files via your wp-admin panel – force the use of SFTP / SSH and your local IDE
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
41. Protect WP-Admin
If you have a dynamic IP this might be problematic
Consider HTTPS (Heavy / Complicated) or Basic
Authentication (Effective / Simple)
# SECURE Access to WP-ADMIN
<FilesMatch ".*">
Order Deny,Allow
Deny from all
Allow from [IP Address]
</FilesMatch>
42. Harden WP-Includes
Create .htaccess in wp-includes directory
# PROTECT WP-INCLUDES
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
43. Harden WP-Content
Create .htaccess in wp-content directory
Most vulnerable, contains Uploads directory, often the attack vector
It can be moved, but if you're an end-user don't touch – hire a pro – lots of dependencies
# PROTECT WP-CONTENT
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
44. Limit Upload
Most shells < 1 MB
Good idea anyway –
# limit file upload to 10mb
LimitRequestBody 10240000
45. Protect Against Bots
Malnets are a growing problem, proactively protect against them using a Web Application Firewall
Perishable Press – 5G Blacklist 2012
http://perishablepress.com/5g-blacklist-2012/
46. 5G WordPress Add-On
Don't want to add all that other stuff? No problem, try this condensed version for WordPress
Doesn't require the 5G Blacklist and helps protect against bad URL requests – i.e., helps take the load off your server from these very annoying requests
Source: http://perishablepress.com/wordpress-5g-blacklist/
Careful – wp-signup required for MultiSite
47. Secure Login Page
There are a number of plugins you can use for this, or, you can turn to your .htaccess again
Might be an issue if your IP is not static…
<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from [Your IP]
</Files>
49. SPAM Comments
SPAM in your comments can get you blacklisted just as
fast as injections on your pages
Disable comments on pages if you don't want them
Setting to close comments after a certain amount of time.
Settings > Discussion > Other Comment Settings
Automatically close comments on articles older than XX days
Use AKISMET
50. Cross-Site Contamination
Most of the things provided so far help protect you from external attacks.
Internal attacks are as prevalent
Growing problem – "Soup Kitchen" servers
Development, Staging, Testing, Production – 1 environment
http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html
http://blog.sucuri.net/2012/03/website-cross-contamination-blackhat-seo-spam-malware.html
51. Security Plugins
Sucuri Clients – Sucuri Security – Free to Clients
Web Application Firewall
Integrity Monitoring
Auditing
Hardening
More: http://sucuri.net/services/preventive
Not a client? No problem, other good options include –
Login Lock
http://wordpress.org/extend/plugins/login-lock/
WordPress File Monitor
http://wordpress.org/extend/plugins/wordpress-file-monitor/
WordPress Firewall 2
http://wordpress.org/extend/plugins/wordpress-firewall-2/
BulletProof Security
http://wordpress.org/extend/plugins/bulletproof-security/
53. Two Approaches
Do it Yourself
Forums are your friend
Requires time and patience
Leverage free tools
Know when you're in over your head
Can take time – hours, days, weeks, months
Hire a Professional
Will cost money
Alleviates the stress
Gets you up and running in hours, if not days
55. Things to Know when Engaging Professionals
Know who your host is and how to contact them in the event of an emergency
Know how to access your server – FTP, SFTP, SSH, FTPS
Have a backup accessible
Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
56. Tips & Tricks
After all this you might still become infected, and if you do here are a few tips to keep you going:
1. Immediately change all credentials – wp-admin, database, cpanel
2. Log into your database and check all the users
3. Replace WP manually – avoid the default updater
4. Defacements – look at your index files (watch out for ".html" and "index2.php")
5. Use live scanner: http://sitecheck.sucuri.net
6. Use terminal to GREP and FIND issues reported
7. Restore site from clean backup
8. Purge your cache
9. Disable plugins, validate each plugin
10. Engage a professional
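Steps 4 and 6 above say to look at index files and to use the terminal, without showing what to look for. Here is an added example (not from the deck) of a read-only find/grep triage pass over a WordPress root: PHP files under uploads, stray index2.php files, recently changed PHP, and a few obfuscation wrappers that injected code commonly hides behind. The site tree and the short signature list are constructed for the demonstration; a real pass would use a maintained signature set and compare against a fresh copy of core.

```shell
#!/bin/sh
# Added example, not from the slides: a first-pass triage of a WordPress root
# with find and grep (steps 4 and 6 above). Assumes $1 is the site root and a
# POSIX find plus a grep that supports -F and -l. It only reports.

# Files that have no business existing: PHP under uploads, and stray index2.php.
find_suspicious_files() {
    find "$1/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null
    find "$1" -type f -name 'index2.php' -print
}

# PHP/JS/HTML files containing common obfuscation wrappers. Constructed, short
# signature list; legitimate code rarely evals a decoded blob.
grep_signatures() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) -exec \
        grep -lF -e 'eval(base64_decode(' -e 'gzinflate(base64_decode(' \
                 -e 'eval(gzuncompress(' {} + 2>/dev/null || true
}

# PHP files changed in the last 7 days; after an infection, compare the list
# against the date you last updated core, themes or plugins.
recent_php() {
    find "$1" -type f -name '*.php' -mtime -7 -print
}

triage() {
    echo "== PHP in uploads, stray index2.php =="; find_suspicious_files "$1"
    echo "== obfuscation signatures ==";            grep_signatures "$1"
    echo "== PHP modified in the last 7 days ==";   recent_php "$1"
}

# Constructed site tree for the demonstration; prints its path.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2012/06" "$d/wp-includes"
    printf '<?php echo "clean"; ?>\n' > "$d/index.php"
    printf '<?php echo "clean"; ?>\n' > "$d/wp-includes/functions.php"
    # Constructed injection: only the signature string matters, it is never run.
    printf '<?php eval(base64_decode("constructed-sample")); ?>\n' \
        > "$d/wp-includes/constructed-injected.php"
    printf '<?php /* constructed: PHP does not belong under uploads */ ?>\n' \
        > "$d/wp-content/uploads/2012/06/image.php"
    printf '<html><!-- constructed defacement --></html>\n' > "$d/index2.php"
    echo "$d"
}

site=$(make_demo_site)
triage "$site"
rm -rf "$site"
```

Anything `grep_signatures` lists is a lead, not a verdict: open the file and read the decoded payload before deleting, and keep a copy of it if you later engage a professional (step 10).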
63. Tony Perez
Company: Sucuri Security
Company site: http://sucuri.net
Company blog: http://blog.sucuri.net
Personal blog: http://perezbox.com
Twitter: http://twitter.com/perezbox
Linkedin: http://linkedin.com/in/perezbox
Email: tony@sucuri.net
Editor's Notes
Good morning everyone.. No no no.. That's just not going to do.. I said GOOD MORNING FOLKS… Oh yeah, now that's what I'm talking about… Let's see if we can't get the blood flowing up in this room.. When I point to that side I want you to give me a WordPress, when I point to this side I want you to give me a Security… ready here we go… you – WORDPRESS, you – Security, me – YUT, you – WordPress, you – Security, me – YUT… OUTSTANDING – little Mexican dance… nice to see you guys as excited as me.. Oh and if you get tired, please realize I can see all your eye balls.. That includes the white… that's right… I'm watching you…
So as you might or might not know, my name is Tony Perez – go by @perezbox. I'm a Colombian / Cuban with a bad attitude living in a world of Mexicans. I spent the better part of a year and a half doing two combat tours in Iraq in 2002 – 2003 and 2004 – 2005… I now work for a little company focusing on web security, specializing in integrity monitoring and remediation – might have heard of us – Sucuri Security. I'm a gun carrying, Harley riding junior martial artist… And finally my life has been engulfed by a little thing called web-malware.
Well obviously we are going to talk about some good ole web security… not exciting, but it's a necessary evil. It's important to understand though that it's but one small slice of the information security pie and it'd be impractical to think we can cover it in 50 minutes… but hopefully I'm able to give you a much better understanding of the concept and empower you with knowledge. We'll take a quick peek at some numbers that I am personally intrigued by as it helps put things into perspective around the web and web malware and specifically their relationship to WordPress. Then before we get into hardening tips and real tangible take-aways I want to provide a better understanding of the threat landscape and how and where you fit in that. How's that sound? Do we need to stretch? Sing?
As we talk about Web Security I want us to keep in mind these three areas of interest – Access, Containment, and Knowledge.. These will be the three areas of discussion during the next 40 minutes.
These are some astronomical numbers.. In 2011 there were 300 million websites that came online.. In December of 2011 there were a total of 555 million websites running… holy smokes.. In one year we had 300 million websites come online.. I just want that to sink in, before that we were at about 200 million.. Over 10.8 BILLION indexed pages.. That's just an astronomical number to wrap your head around… So how does WordPress fit into the mold…
So as it stands of all the websites out there… it's estimated that WordPress owns about 16% of the market – that's blogs, CMSs.. etc… so that is 16% of approximately 555 Million websites.. In the US alone 22 out of every 100 websites are WordPress powered.. Here is an interesting fact.. In the CMS domain, WP is dominating the space with something close to 54% market share.. Wow.. Impressive I must admit
In 2011, according to Symantec, they captured about 403 million unique malware variants.. Now to caveat, that is malware across desktops, mobile devices, web etc.. Still an astronomical number. This was a 140% growth over 2010. In 2011, approximately 55,294 malicious domains were detected.. That's a 130% growth from 2010 and as for web-based attacks, there was an 81% increase.
Previous: 286 Million – Variants in 2010; 42,926 – malicious web domains in 2010
So what does this mean.. Easy.. The web is a very large place and the platform we all love and use is quickly gaining market share at a very astronomical rate. More important to our discussion is the growth of web-malware and how important it is that it's not an afterthought, but part of your administration and / or project lifecycles if you're managing a WordPress instance and / or developing it for a client. It is a problem we must all share responsibility in.
That being said.. Let's get into some Web Security folks…
You might remember this slide from the beginning.. As we walk through the next few slides I want you to think about these three domains.. Specifically on CONTROLLING and AUTHENTICATING ACCESS; while we all wish that an infection will never affect us, plan and ensure that you reduce your threat profile and minimize the total impact. Lastly, allow yourself to learn such that you are able to put a plan in place to both prevent and remediate; being prepared is the key and you will accomplish this through knowledge.
So malware – by definition designed to disrupt the function of the system… whatever it may be, your mobile device, notebook or website.. In 2011 however, the concept of malnets – or malware networks – began to make a real impact on the web malware domain. Most of you will know and recognize malnets as BOTS.. These are highly complex networks designed to scale according to their needs and last well beyond any one attack… If you look closely at the image, what you're actually seeing is the top 5 malnets being tracked by BlueCoat and how they scale over time.. Often dependent on what activities are being planned or executed… The network will shrink waiting for a reason to grow.. And as an event arises – say the death of a superstar, an election, a holiday, something that warrants an action – it will grow to impact as many people as possible.. This is what a BOT is…
Social Engineering – the art of manipulating users to divulge credentials and other sensitive information. XSS – allows you to inject client-side scripts into the web pages. XSRF – Session is hijacked and unauthorized commands are executed under an authenticated user.
Every day, at least twice a day, I get a client ask… Please make this go away for good… and I find myself going into a discussion of the threat landscape… I swear, I literally feel their eyes rolling into the back of their heads on the phone… So I decided to include this slide because it illustrates best what makes up the threat landscape.. Is it all encompassing? Absolutely not.. But does it work to bring home the point? Absolutely… The risk can never be 0 and this is why.. Too many variables to account for.
White-Hats – those that work at companies like mine, or the Symantecs, Trends, Nortons of the world… Ethical / Grey Hats – Obviously between the whites and blacks.. Not usually out to intentionally harm, often find vulnerabilities and disclose.. Sometimes more appropriately than others.. Script Kiddies – kind of a derogatory term in the community for the newbies that know enough to be dangerous. As the name implies, they often employ existing scripts used to exploit known vulnerabilities. Hacktivist – by far one of the fastest growing types of attackers – driven by politics, culture, religion – you wake up one day and you're flying the Syrian flag or pleading for the release of Libyan fighters.. Black hats – known as crackers – these are the guys intent on taking something good and turning it into something bad – highly intelligent, technically sound
Gah.. If I had a nickel for every time someone asked us this… What I can say is it's not the day of version 1.5; as the product has matured so have the controls that help ensure that at every release a safe product is being released. While not perfect, there is a great team within the core contributors designed to quickly address issues and push patches once identified. So then why do we see so many WordPress sites infected? Well, I think the answer comes down to two things – extensibility and ease of use. It is to the point where the application is so easy to use that almost anyone is able to install, operate and manage an instance. The same applies to the extensibility; by its nature it's an extensible platform, which is great, but it's also its most vulnerable point and often where we see attack vectors introduced. Lastly, the darn thing is popular folks for the reasons I mentioned before… Remember the stats? That popularity brings about a target… I would say that in 80% of the attacks we see, it's the road of least resistance that has allowed your WordPress instance to be compromised.
Don't worry, I won't bore you with the specifics of these but I wanted to quickly show off some of the more recent issues in the past 6 months.. Just to show how valid of an issue this is.. And yes.. TimThumb is still very much a problem today…
You are the webmaster of today! Recognize it, embrace it. Your local environment is as important as your web server. When was the last time you ran a local anti-virus? Did you know that most anti-virus only catch 70 – 80% of infections? Run multiple.
Move out of web directory. Up a directory. Be wary of plugins that hardcode the location. Available since 2.6.
Caution: 600 could break some things. FTP user and PHP user are not going to be the same – ideal setups. IDEALLY one is the owner of the file and others in the group. 660 is ok. The Lowest Permission that Works!!
Caution: this would block wp-signup.php – WP Multisite file