Nigel has been one of our organisers; he's done a fantastic job of making this day a witness for you. He's going to give a very different security talk from the ones we've had at the local meet-ups, because he's coming from a sort of non-WordPress perspective. So I will leave you to it. Thank you, Nigel.

Thank you. Yeah, I do feel a slight outsider, in as much as I've probably been more active and more a part of the security community than the WordPress community. I've really only gotten involved in WordPress since I retired, so it's something to... let's just say security is a bit of a passion, whereas WordPress is a bit of an interest. I wouldn't describe myself as a WordPress expert, but I would like to think I've got some significant experience in security.

The perspective of outside looking in: that's one of my favourite pictures to do with security, for kind of obvious reasons. And it does have a serious point, where depending on whether you're on the other side of that fence looking this way, or on the outside looking in, you get a different impression of what's going on. What I'm trying to get across in this talk is the usefulness and the importance of trying to find a different perspective on examining your website, because you tend to spend most of your time logging into WordPress, looking at the dashboard and doing all the stuff from the inside, but you maybe don't put quite the same effort into looking at it from the outside. So again, testing needs to be part of the management process. It's not a case of you design a website and then you try and secure it. It has to be part of the process, and you really want to be trying to adopt a bit of a security mindset, which for the most part is being inquisitive and questioning and going: why is that like that? Is that right?
There are all different sorts of frameworks and methodologies for looking at your life-cycle model, your website, et cetera. I quite like the NIST one. One of the advantages of it being NIST, which is to do with the American government, is that anything produced for the American government is copyright free, so feel free to make use of it. That particular image is showing that, in effect, there are five general areas: identify, protect, detect, respond, recover. But without dwelling on that too much, the point is that it's part of an overall life cycle. That's just the same, what NIST stands for. That's another way of picturing the same framework, where again they're showing it as being circular. So it's an ongoing process. You never finish doing it. You should always be trying to stay on top of it and considering security as part of it.

Now this is where I kind of like what I think of as the motoring analogy: the MOT test. You'll have lots of drivers who drive a car. They don't necessarily know how to service the car; they might not be experts in what goes on under the bonnet. But if you've ever failed an MOT test because a light bulb was out, next time you go to take your car for an MOT test you at least check the lights, maybe check the tyres, check a few things. It doesn't have to be technical. It doesn't have to be that difficult. And I see security in the same way. People should take an active interest in looking at how the website is secured. But there are still times where you would want to go and employ a specialist, a pen tester, to then do that properly. But just as you would check your car before you take it for an MOT, you should check your website before you get a pen tester in, because otherwise you're paying them to do something where half of the work they will do will be stuff you could have done anyway.
Another one which I would just mention briefly is PCI DSS, which, if anybody's ever come across it, is the Payment Card Industry Data Security Standard. I spent most of my life in financial services, so that one is one I got to know rather well; it comes via the UK Cards Association. Without going into it all, there are 12 high-level requirements which fall into six categories. Simply looking down the bottom: regularly monitor and test networks, and regularly test security systems and processes. So essentially, if you've got a website that's taking card payments, you should be abiding by the UK Cards Association, and if you were a big merchant or a bank you would be required to get professional pen testers in to test your site. If you're a small merchant, well, obviously you get into grey areas. But it's just another reason why you want to take security seriously.

Now, in order to do security testing from the outside looking in, the way I would suggest doing it is to use a Linux distribution called Kali. Some people may know of Kali and some people may not. Kali is essentially Unix, but on top of that Unix the people that maintain and put it together have installed oodles and oodles of security utilities. I'm going to concentrate mainly on one, and then at the end I'll mention some others that are on there that are worth having a look at, possibly spending a bit of time on. But in order to get that running: I've got a Windows PC here, so how am I going to run Linux on that? The answer, for me, is VirtualBox. There are other virtual machine emulators out there, VMware and others, et cetera. I happen to like VirtualBox. I used to use VMware, but then I found VirtualBox slightly easier. So in order to get started, go to that URL, install it, and away you go. You've then got VirtualBox loaded. It doesn't ask you anything other than "do you want to install this?" Yes.
It sits there for several minutes and then at the end it says, yep, that's you installed, and you've got an icon on your desktop. The next step is to go to a site where you can get Kali. Obviously you want to get it from a trusted source, and the place I would suggest is the distribution produced by Offensive Security, which is a well-regarded security firm. On that link I've given there, you'll see that it says VMware, VirtualBox, and I think there's another Kali Linux image. So there are about three different images there. There are actually six, because there's a 32-bit and a 64-bit for each. So for me, I go to the VirtualBox image and take the 64-bit one. That's the only thing to be wary of there. What you should be downloading is a single OVA file. That's a big file: three gigabytes. So I'm not going to attempt it just now. But if you've got decent Wi-Fi at home, it shouldn't take too long. At home, for me, it's about 10 minutes. So not too bad.

Now, at this point, I shall flip over to... This is not doing what I wanted it to do. Excuse me a minute. I thought I had this sorted, but... OK, I'm going to have to do it that way. This only happens when you're trying to do things in front of the world. Yes, so that's me showing the Oracle VirtualBox Manager. Normally, you would come along and, at that screen there, go to Import. You do Import, you give it the name of the OVA file, and you import it. And it sits there and trundles away. Again, that takes several minutes for that to be ingested, as it were. But there's nothing difficult about doing that. Thank you. We'll kill the sound in there. What I would say is, when I download the system, I always get an error when I try and run it. If you go into Settings, you'll see there I have got that set to... you can see that just a bit.
USB defaults to a USB 2 controller, and it always fails on any machine I've ever tried it on, which is this one and my desktop at home. So don't be surprised if that happens and you see an error saying it doesn't like USB 2. Don't worry about it. Just go into Settings, change USB 2 to USB 1, and you'll be OK. You can then start that, and away you go. I will just start that. It takes a little bit. It's also mentioned down there, which just flashed by: it will tell you in the notes there what the user ID and password is for the system, which used to be root and toor until this release (root and root as well). OK, that's before my time. Root and toor is when I was doing it, where toor is root backwards, but in this one they've changed it to kali and kali. So kali and kali, and you log on and away you go. We're up and running with a full Kali Linux distribution, which essentially comes pre-installed with lots and lots of goodies. You can spend hours and hours investigating those for doing all sorts of security testing, to use the terminology.

Now, as far as this is concerned, I have got on here, on my Windows box, a little dummy... oh, come on, it's being slow... a little dummy WordPress website, which is being hosted in Bitnami, which I'll come back to. Just remember there that there's quite an interesting little command which they added in this version of Kali. In fact, I think it was the last one, and this is just proving to be awkward to switch between them. That is quite obviously a Unix-type environment. I've already boosted the size of the font on that so that it should be quite readable, and they came up with this nice little command called kali-undercover, which is just a pure indulgence for a techie who happens to be interested in... and it makes it look like Windows. So if for some reason you're out and about and you don't want people to think that you're hacking with...
I mean, security testing with Kali Linux, you can make it look very much like Windows if you want to. And if I simply run that again, kali-undercover, it just toggles it all back, and we're back to looking like good old proper Kali. As I say, a minor indulgence, but it was one of those features that was being much talked about in the latest version. I had tried to make the switching a bit neater than that, but never mind.

This was just purely a little bit of a note as to what it is I think I've got running here. I'm hoping it is running. I simply had to set up a couple of hosts settings, so that what I've set up is a URL called local.apache, and I can then start using that as a URL rather than typing IP addresses all the time, which is never very likely. So I'll come on to that. Then essentially the main tool I want to use is a thing called WPScan, which, as the name suggests, is for scanning WordPress: WP. It's a community type, a small community, that produce this as kind of freeware, and you're quite at liberty to go and get it and use it. But rather than installing it, which can be quite tricky, the easiest way of getting this up and running is by getting Kali with it pre-installed; get going with Kali and it should just run. There are a number of commands here which are in the slide, but I'll now attempt to switch back to those and actually show you some of them.

Now, let's just check that. Why is that doing that? This is not... That says it's up and running. It's going to do this one, I'm afraid. Who am I going to get into?

It's installed on your Windows, right? You're looking at a localhost on that, and you're under Washer; you have to get into that with that splash flash. Is this enough?
Essentially the hosts file should have that local.apache, and that is failing because this is going to try to attach to the networking here, which, although sort of non-existent, it's going to try to attach to, and it's causing me a big problem. I'm going to use the TCP config and see if I can specifically direct it to the host. Wait a minute. Okay, now I know what I need to do. Bear with me one minute. Alright, this needs to be 168.56.1. That's going to complain. I'm going to say yes and then we'll save it. Alright, probably. I'm afraid I need to go back to Kali now and do sudo, slash etc, 56.6. Now I should get away with it. There we go.

So, a simple little website running in Bitnami, and if I go to Kali and I go to the Kali browser I should be able to do, famous last words, local.apache/wordpress, and there we go. So we're sorted. I think I've wasted it slightly. So I've got a nice little test set-up working now within my local machine. So it's all local. I'm not connected to a network. Not really.

So I go to here and do wpscan --url local.apache/wordpress; that's basically because XAMPP always installs it into a subdirectory called wordpress. I just hit return on that. This will go away. It might ask me if it wants to update, in which case the answer is no. No, it doesn't. And it goes and finds out lots of information about your website. You can see there I've left one nice little nugget for it to find, a red alert: I've deliberately left a config.old file sitting there, which is an absolute no-no, for anyone who doesn't realise or know that. But again, if you're using this as a tool to help you, you don't need to be an expert in it. You just run the tool and see what it tells you. And it's not bad at highlighting the things that are red: that's something you really do need to be concerned about. If you don't understand it, go and find somebody who does, because it needs to be sorted. It's important.
Most of the security testing, when you look at WPScan, tends to be either plugin-related or user-related. For most of the plugins, it's really a case of: are your plugins up to date? The other thing about plugin scanning is that it takes time, so I'm going to sidestep that, because it doesn't make for a good presentation. Users, on the other hand, are much more interesting and in some ways more important. The other thing about the user set-up is, if somebody tries to hack into your website using user credentials, how do you know if there's anything there to try and stop them? Because you might have stuff configured within WordPress, some form of security plugin, which may or may not work. I have tested quite a few that didn't work, at least not in the way that they were claiming to. So hence the value of testing. But also your provider, whoever's hosting it, may have all sorts of intrusion detection systems or web application firewalls or various different countermeasures to try and protect your site. You will only really find out about that if you go and do some rudimentary testing and see whether or not you can get through.

Now, the next little... in fact, I just need to change the directory here, because on Kali, in amongst all the utilities, they provide word lists. For anybody who's ever tried or looked at hacking with regards to trying to guess passwords, one of the ways you do it is you get a tool of some description, of which WPScan will work for us, and you feed it a dictionary of passwords and say: here's a whole lot of passwords, go and try them on these accounts and tell me if you find any. In there, and the full command is in the slides, there's quite a famous one called rockyou, which comes from the RockYou website, which was hacked many years ago. They had very poor encryption, and the attackers basically got all the passwords on the site, and that became a bit of a prediction.
There's an awful lot of passwords in there, and they're all real-world ones, ones that people use. When it comes to passwords, if you try and think up a password, don't be misled into believing you're the only person to have ever thought of that password. Humans are predictable in so many ways, and I guarantee somebody else will have already used that password. So for that reason I use randomly generated passwords wherever at all possible. Don't think you can try and make them up such that you can remember them and that they'll be a good password.

So if we do wpscan... in fact, I'll go back to the URL. Right, so I'm now in the right place to be able to do passwords, and I'm going to use rockyou, which I have to say is a big dictionary. In most cases you wouldn't start by using such a big dictionary, because there are thousands and thousands of passwords in there, but let me just run that and see what happens. The default for this is that when WPScan tries to assess the website, it will try to enumerate the first 10 users. For that reason I've set up 10 users on here. You can tell it to do all users, which, if it's a big website, I wouldn't have tried on any... you can get thousands of users. That can be very interesting. But there you go: it's now throwing that dictionary at that website. This is local, so it's doing it slightly quicker than it would across a network. The point is we've just thrown several hundred passwords at that and it's gone and got every single one. And there we go, from one to three up to all those. So if you've used a password that's based on somebody's name or somebody's pet or whatever else, there's a high likelihood, if somebody really wants to get into your website, that they could leave a PC running, either at home or somewhere else, just leave it in the corner until it eventually gets one. It will sit there and do that for days. You can easily throw hundreds of thousands of password attempts at the website. So you need to have some other form of mitigation or
some other security on that.

So let's just go back to the website. Whoops. I'm going to fire up two tabs here, just because I'm in that one. So I'll log on, and user, I think 123456, should get us in. And lo and behold, we have ten users, but only one of those is an administrator. In true hacking tradition I'm not really too interested in the rest; I'll just concentrate on the one called user. Now, the other thing on here is the plugins. I don't have very many plugins; I've got one called Limit Login Attempts. I've activated that. I have changed the settings on this: the default is that it will lock you out for 20 minutes; I've changed that to one minute. That's the least I could do. So if I come back here and try that again, I'll run it away. It finds that nice little nugget there; there's the ten users again, and now it's going to sit there and it should come back with various... it's just contemplating. There we go. You can see that it's hacking away, and the attempts just keep going up, but it's not finding anything, because the website itself is going "ah ah, not getting in". So it's that easy to try and mitigate somebody hacking in.

The thing that makes this a particularly important thing to bear in mind is that some of the login-attempt-limiting security plugins I've seen will prevent logins where somebody is attempting to interact with the login screen, but this software uses various techniques. It can use XML-RPC (RPC, that's the one, thank you), and it can also use cookies, where it essentially writes the password to a cookie, then says "can I get in? No. Change the cookie. Can I get in? No. Change the cookie." And again it's very quick: it can do at least one a second, very often a lot faster than that. So you can have something sat there checking the obvious passwords. So you kind of think, well, that's quite important.

Now, being from a security background, one of the things which gets hammered home is what often gets referred to
as the onion principle: you want to have security in layers, so you don't want to have what also gets referred to as a SPOF, a single point of failure. So okay, we can have a plugin there, and we can have it so that it stops an attack like that, so that it limits it. And incidentally, if you don't think people are trying to attack your website, you're wrong. Last year I looked up the stats and I got 150 emails where those emails said it had detected four invalid attempts and had subsequently locked out that IP address for 20 minutes. That's working out at one a day, because that's 600 actual invalid attempts. So if you've got software on there and it's not telling you that people are trying to hack in, you're wrong. My website is just a little personal home page, but maybe I just get paranoid; as I describe it, I'm a professional, or was a professional, paranoid. Even leading up to this talk, in the last couple of weeks, the number of people trying to hack into my website has gone up. I don't know if it might be any of you or not, but somebody's been having a go. It's an anxiety; they want to get to you. Technically I'm not a pen tester, but yes, anyway.

I'm going to deactivate that one, because what I also want to do is say, well, okay, and this onion principle is: is there anything else we can do to protect ourselves from somebody trying to hack in? Because, like it or not, one of the most prevalent ways of trying to attack a website is people just trying to see if they can log in using stolen credentials. They just type in wp-admin; you get to see the admin page. There are people out there, some e-commerce websites, who work their sites with their wp-admin... I'm still that linked in their sites. I mean, I had, I still do have a LinkedIn account, and LinkedIn got hacked many years ago and my password got discovered. It was a randomly generated eight characters. I still get emails to this day from so-called hackers saying they've hacked my home PC, here's my password, and if I don't do something about it, if I
don't pay them so many bitcoins they will, et cetera, et cetera. You may have had these yourselves. Again, that's another reason for having different passwords for every account. I've had various things where Have I Been Pwned has contacted me and said your credentials have been found in the wild: this email address, this password. So I go and look up the password and say, oh, that password, which account is that for? Oh, that account. If you use a common password, that's the biggest known one. If there's one thing you learn today before you go out of here: do not use the same password for two accounts.

But anyway, right, so that's the users. We saw those users in WordPress, and there are the users in the MySQL, the PHP. So what I want to do very quickly, I will prove that I can do wpscan --url local.apache/wordpress; I'm going to tell it to only do usernames user, and I'm going to tell it to use passwords test, and I've already created a little test file there, and the only thing in that test file is the password 123456. So if I run that, and hopefully spell usernames correctly, the joys of being dyslexic, this should very quickly get that password. Very quickly. And it got it. There we go.

So what can I do to stop that, apart from having a plugin? Because we don't want a single point of failure; if we want multiple levels of protection, what can we do to protect ourselves? The answer is actually surprisingly simple. If I go in here and edit that user, I might just change the login name to Merter. Now if I go back to here, user... in fact, I'm almost being caught out here, and we'll have to put in Merter, 123456, because that's why it threw me out. You will see that within WordPress it still says it's user, but I know it's different; I know it's called Merter now. Interestingly, most people that try and hack my website try for the account admin. You will find I don't have an account called admin. WordPress thinks I have an account called admin, but I don't. If I go to here and try that
again, I won't get in; it will say failed, no valid passwords found. But if I come back to here and simply change user to Merter, this time I'll find it and I'll get in. I think that's worthwhile doing. I wouldn't do it for every password on a WordPress site, but I would do it for the administrators. You don't really want to advertise your administrators, and you probably don't want to have an account called admin. Change it to something, and there you go.

Let me go back to that, just so that I... because I have to get that picture in, because to me that is the ultimate outside looking in. That's actually taken from the moon looking back towards the earth, and I just thought that was an absolutely cracking picture, which has an awful lot of interesting internet history too. But yes, time is out. Questions, very quickly. I will just mention that at the end of this presentation I've stuck some additional commands and utilities that you might want to try if you do get Kali up and running. Install Kali, go and try those other ones as well. You will see some interesting output, not all of which you'll understand, but you will learn something from it.

We're going to do two quick questions, because we do need to break for lunch.

I see that WPScan, it's not in Kali by default, so you just...

It is in Kali by default; it has been for a long time.

Well, in the back: can this still help with finding how it was hacked, so files that might have exploits in them or files that shouldn't be there?

No is the short answer. It might find some open doors that might give you some clues as to how it might have been hacked, but no, it's not an auditing thing, and it won't actually tell you what's there. You might see something that makes you go, "oh sugar, I've left..." I have, for example, a little config file; that's probably how they got in. But no, it's only going to give you some limited information.

The last one: up until now, when I had been looking at two-factor, it typically was
something you were having to pay for, and I was kind of avoiding it because of that. Okay, that's a different question. Yeah, it's an official call which is putting the implements in a nutshell; there's something we're using to go out and use it again, because that's the issue. The main thing I would say, whatever you go for: if you go down the route of two-factor, great, but test it. See if there are ways around it, see what you can learn about it. First of all, thank you so much. I want to bring my coffee.
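The talk's central test is the login-attempt limiter: the speaker's plugin locks an IP out after four failures for 20 minutes, but he warns that some limiters only watch the login form while WPScan can also push guesses through XML-RPC or a cookie. The following Python is an added example, not code from the talk, from WPScan or from any WordPress plugin. It models a per-IP limiter and runs it over constructed request events (the IPs, paths and timings are made up; the 4-failure / 20-minute figures are the ones the speaker quotes) to show how many guesses reach WordPress's password check when the limiter watches only /wp-login.php versus every authentication path.

```python
"""Added example (not from the talk): a per-IP login-attempt limiter run over
constructed request events, showing why a limiter that only watches the
wp-login.php form lets XML-RPC and cookie-based guessing straight through.
Threshold (4 failures) and lockout (20 minutes) are the speaker's figures;
the IPs, paths and timings below are constructed for the demonstration."""

from collections import defaultdict

FORM_PATH = "/wp-login.php"     # the normal login form
XMLRPC_PATH = "/xmlrpc.php"     # XML-RPC methods that take a username/password
COOKIE_PATH = "/wp-admin/"      # credentials presented in a forged auth cookie
ALL_AUTH_PATHS = frozenset({FORM_PATH, XMLRPC_PATH, COOKIE_PATH})

# Constructed events: (seconds, client_ip, path, password_guesses, succeeded).
# One xmlrpc.php request can carry hundreds of guesses via system.multicall,
# so "password_guesses" is the number of credential pairs in that request.
EVENTS = [
    (0,    "203.0.113.7",  FORM_PATH,   1,   False),
    (1,    "203.0.113.7",  FORM_PATH,   1,   False),
    (2,    "203.0.113.7",  FORM_PATH,   1,   False),
    (3,    "203.0.113.7",  FORM_PATH,   1,   False),  # 4th failure: locked out
    (4,    "203.0.113.7",  FORM_PATH,   1,   False),  # form post while locked
    (5,    "203.0.113.7",  XMLRPC_PATH, 1,   False),  # single XML-RPC login
    (6,    "203.0.113.7",  XMLRPC_PATH, 500, False),  # multicall, 500 guesses
    (7,    "203.0.113.7",  COOKIE_PATH, 1,   False),  # forged-cookie attempt
    (1201, "203.0.113.7",  FORM_PATH,   1,   False),  # 1 s before lock expires
    (1300, "203.0.113.7",  FORM_PATH,   1,   False),  # lock expired, reaches WP
    (0,    "198.51.100.2", FORM_PATH,   1,   True),   # legitimate user, untouched
]


class LoginLimiter:
    """Lock an IP for `lockout` seconds after `threshold` failed guesses.
    Only requests to `watched` paths are counted, and only those are blocked:
    a limiter that never looks at xmlrpc.php can neither count nor stop it."""

    def __init__(self, watched, threshold=4, lockout=20 * 60):
        self.watched = frozenset(watched)
        self.threshold = threshold
        self.lockout = lockout
        self.failures = defaultdict(int)   # ip -> failed guesses since last lock
        self.locked_until = {}             # ip -> time the lockout ends

    def handle(self, now, ip, path, guesses, ok):
        """Return how many of this request's guesses reach the password check."""
        if path not in self.watched:
            return guesses                 # limiter is blind to this path
        if now < self.locked_until.get(ip, -1):
            return 0                       # still locked out: nothing gets through
        if ok:
            self.failures[ip] = 0
        else:
            self.failures[ip] += guesses
            if self.failures[ip] >= self.threshold:
                self.locked_until[ip] = now + self.lockout
                self.failures[ip] = 0
        return guesses                     # these guesses were already checked


def simulate(watched, events=EVENTS):
    """Replay the events through a limiter watching `watched` paths."""
    limiter = LoginLimiter(watched)
    reached = blocked = 0
    for now, ip, path, guesses, ok in sorted(events, key=lambda e: e[0]):
        allowed = limiter.handle(now, ip, path, guesses, ok)
        reached += allowed
        blocked += guesses - allowed
    return {"reached": reached, "blocked": blocked,
            "locked_ips": len(limiter.locked_until)}


if __name__ == "__main__":
    print("form only :", simulate({FORM_PATH}))
    print("all paths :", simulate(ALL_AUTH_PATHS))
```

Two things the replay makes visible. First, the form-only limiter locks the IP exactly as the speaker describes, yet over 500 guesses still reach the password check because it never sees xmlrpc.php or the cookie path; the limiter that counts every authentication path lets through only the four guesses it took to trigger the lock and the one after the lock expired. Second, even the full-path limiter cannot stop guesses that are already inside a single multicall request if that request arrives before the lock is set, which is why, in the layered spirit of the talk, limiting attempts is paired with disabling XML-RPC (or at least system.multicall) where nothing needs it, and with unguessable, unadvertised administrator names.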