All right, fancy presentation by H&S, and thank you very much to Brie and Dan for organizing this. They actually flew me in from Melbourne to do this presentation, so that's a pretty big commitment, I think. That's an extra step for an open source community; I think it's really cool.

So just a bit of info about me: my current title in the project is Enterprise Architect. I've got 14 years of experience working across the LAMP stack, WordPress, Joomla, mobile, Drupal, everything. Currently technically at Heiden Sieg, and going to be talking about cyber security in Drupal and a lot of interesting things that I found along my journey as I was hacked multiple times. I spent countless nights debugging and cleaning up websites with that architecture. There's some small prizes and some quizzes that are stuck in the presentation today, so Brie over there will give a super special prize to whoever works out the secret.

Yeah, all right. So, just super brief, I'm going to talk about Essential Eight, which I'll talk about in a second. We'll talk about scanning, reporting, updating, firewalls, basically all the different things that you need to do in order to not get hacked. We'll talk about self-hosting Drupal; sometimes you need to do that, especially with government requirements, when you are working in high security workloads, you have your workload running in Asia and they don't want to share your data anywhere else. For example, Acquia backs it up to the Tokyo region, right, and some government would say, hey, I don't want it. I don't want my data to go to Tokyo, it's sensitive, I want the data to be in Melbourne, Sydney. And then they self-host it and then they get into trouble. So we'll walk through that, and we'll walk through the different enterprise hosting platforms, right, Acquia, Platform.sh, Pantheon, versus self-hosting it: what are the implications, what are the issues?
There is a questionably ethical demo of hacking a live site in the talk; we'll try to do that as well. No, no, I had to do it myself. And just questions and summary.

So, starting with a story about Log4j. I don't know why everyone is smiling. So, yeah, like, anyone had one of those on their own site ever? Oh, wow. So what happens when you get one of those, it means it's too late: your site has been injected, they've changed the payload, it's loading some JavaScript, it's loading, you know, whatever it's doing, Google Chrome picked it up and it's telling everyone that it's not safe. Your site disappears on Google, it's delisted, all that SEO effort you put in is gone. So, multiple clients with thousands and thousands of dollars in SEO to try to get on Google page 1. For example, yeah, one company I used to work for before, right, like $15,000 on articles, blogs, every month for five years. One of those, they've gone off Google for three months, they reappeared on page 16, two years to climb back up. So it essentially destroys your site reputation.

So, back to the Log4j story. It's very interesting because government really didn't mind that much what you're running, what kind of tools you can scan with; it was like, oh, the website's up, that's wonderful. And then kind of privately I found out, because I'm working for some federal government clients, that about 80% of infrastructure was affected by the Log4j vulnerability: data was stolen, stuff was deleted, removed, destroyed. And we're talking like big things, big blocks of government operation, ports, things like that, right. A lot of sensitive information leaked, and the government started to go, oh, maybe we should have a look at everything that hasn't been hacked yet and see what we're doing about it. And then I got a call from a client and they went, can you please tell us how you comply with Essential Eight? It's been there for a very long time, no one knows what it is, but we actually have to make sure that it's done.
Can you please have a look at where we're at? And can you please tell us whether we're compliant or not and what we can do?

Anyone that can work out something not right with this PHP file? Everything looks a little bit out of place. So that's how this thing happens, right. So this is the end result, but your site gets injected; I'll talk through the different methods of how it happens. And then your PHP file gets a nice present, a nice extra little line of code. This is called a heuristic logic injection, where the virus is encoded. It's actually encoding itself, so if you try to match the pattern, it will not be the same. It will always be different on every site because it's using some random string, it's passing the string around to base64, it's encoding it, and you don't actually know what it is. It's probably trying to do one of the bad things that it does.

So going back to Essential Eight, the government brought to my attention that there's something called Essential Eight, which is a cyber security maturity model that requires us to do a lot of things. So the definition is, yeah, so it's a framework for organizations, specifically the government. It was developed by the Australian government to improve cyber security posture and reduce the risk of successful cyber attack, and it's a set of strategies both for mitigation and remediation. When I talked about it with the developers, they were like, no, no, we'll just write JavaScript, we like React, it's like React is the best. But then, okay, so then some of the stuff specific for Drupal would be, you know, patching, scanning, multi-factor, backups, network segmentation, and many more of the things. But actually, Drupal is really not there because, for example, when they told me, do you scan your dependencies in Drupal twice a day? We weren't even thinking like, is there a tool that does that?
Because, you know, like, say, if you're using Composer, you have a dependency of the dependency of the dependency that is using a dependency that hasn't been updated for five years. And then, if that dependency is vulnerable, you get the red screen of death. It's good on Acquia and Platform.sh: they've blocked the file system, so even if you get injected, they can't write. But I'll talk later about the self-hosted systems. That's where they can write to the file system very easily, like, you know, we're talking about Bluehost, Netregistry, all those shared hosting platforms that are cheap, and a lot of the governments still use that, and it's very unfortunate because there's no tools in place to mitigate that.

So when it happens, it's too late. Drupal can be exploited, specifically, the most common one, 99%, SQL injection, but there's also denial of service, distributed denial of service, file inclusion, cross-site scripting. SQL injection is a really interesting one, we'll talk about that, we'll show some slides, and I'll talk about the denial of service on this. That's my favorite one, this one here. It's quite funny. So, a company that's selling, you know, you put money in the account and you bet on horses. They make 90% of their money during the races in Melbourne, and they get a phone call five days before the races, and the hacker says, we're going to bring your site down for one hour, watch. Then the site goes down for one hour, then they come back up, then they say, okay, we just want, what have I, 150,000, 300,000, $1,000,000, otherwise during the races your site goes down forever and you're not making any money. And that's done using a distributed denial of service attack.
So, this vulnerable code that you saw might infect your computer to become part of the botnet, which will then form one of those attacks, become a participant in one of those mass attacks that will deny service to the app. So, and protecting can be done with patching, obviously, restricting privileges, multi-factor, backup, network authentication, a lot of other things, which I'll talk about in a moment, but it will not help if you have really bad architecture in the beginning.

So, there's the little quiz that I put together today. So, this is actually a real situation from my previous workplace. There was an architect who said, you're just a dev, and he said, this is how all of our sites are handled, and I went, yeah, yeah, are you sure? So, who wants to give a crack at, well, it's not that difficult, but who wants to try to see what potentially might be wrong with this? For security, performance. That's the .htaccess, that's how the DNS is handled on three sites, that's the dedicated server, with three directories in it. Yeah, anything else? Yeah, post-pilot, I'd like to know if there's a good opportunity for that on .htaccess, I don't think so. Yeah? Yeah. Lose one, lose them all is probably there, so I think you deserve a gift. Oh, my God, the genius, right there, everybody? That's right. So, anyone else wants to pick up a couple of scenarios where this could go horribly wrong if this is in production? They ran like that for two years. Yeah, Drupalgeddon was when I was employed there. So, that's a horror story, right? So, let's see, anyone else wants to try? No, that's it.

Okay, I'll try to summarize, right? IP address is only one IP. It's not masked, it's not proxied through a CDN; if you do an IP lookup, you see the IP, you can hit the IP. All of the sites are on the same server in a web root directory, in the public_html directory. So, when we had, so that was production, dev and stage.
And that's how the .htaccess was actually routing traffic to the three different applications. And as a result, when Drupalgeddon happened and we got exploited in production, every single PHP file got basically rewritten. You've got that base64 problem in there. You've got it all over the place. It then infected all the backups because all the backups were in the same directory, too. And it corrupted all the backups and renamed all the files, and then it also screwed up the dev and the stage as well. The backups were on the same server with production and dev and stage. And it was a self-hosted server, because, you know. So, if you try to do any antivirus on this, you've already lost the game, because you're just asking for it here, right?

So, with this system, I remember Drupalgeddon happened. Everything got destroyed. I had to manually clean up 700 files because we didn't have a backup, because every backup was destroyed. Then I went to the database and manually cleaned up the database. And then it was done at 4 a.m., so 9 a.m. to 4 a.m., and I got $100 for that. So, it's pretty good. The U.S. also had the same site, but someone else was managing the U.S. site, and they couldn't have cleaned it up, so they hired a cyber security agency to do it, and they got a bill of $80,000 U.S. dollars for emergency remediation from a consulting company, and they paid that bill. I'll find out later.

So, that's when we talked about architecture, infrastructure, blah, blah, blah. So, obviously, if you're using a proper hosting solution and not hosting it yourself or not trying to save money, you're using something big, you're never going to have that problem, right? You're going to have stage, prod, everything, pipeline, CI/CD, backup restores, all that stuff. And then, of course, you have the code problems, too. If anyone wants to give it a, see if there's a potential, maybe something not right, yeah? That's right.
He just gets the input from the POST, right? Yeah. That's it. So, bad, bad, bad. And so, seeing a lot of that, too. So, the statement is not prepared. We're not using, we're not taking advantage of the awesome APIs that we have in Drupal, the database API, blah, blah, blah. So here is an example of where we are passing it through as a named parameter, right? So, you know, rather than just writing the whole SQL thing, this will make it much harder for an attacker in future. But a very easy mistake, like three lines of code, the red screen of death. If you're a government, you're screwed. If you are using this SEO, you build up a reputation, you draw, you go on. Yeah.

Drupalgeddon. That's what has, yeah. So, Drupalgeddon, I tried using a GitHub one, but couldn't make it work. We wrote a thing in Bash to make it easy. This is really interesting. So, the script utilizes just the normal library, 64 lines of code. Because of lack of sanitization, Drupal 8.3.7 and below and Drupal 7.37 and below did not have sufficient input validation in the POST. An attacker could inject arbitrary code, basically run anything they want, get access to the server and just run it to make a new file. You could now move the settings file where the database password is, and he could, you know, do a simple dump and then download that dump straight from the public directory. So, easy. If anyone wants, I will plug the link. You can try it yourself. I've set up a Drupal 8 site and all it takes, this thing takes one parameter, URL. And then the second parameter, any command you want to run in the, as a shell. So, you can go touch index.html in the main directory. The whole thing is gone and you just get a blank page. So, that's easy. That's Drupal core, right? So, what do we need to make sure that, yeah, that's the big library code you're interested in.

So, obviously, what the government wants us to do is it wants to scan every day for dependencies or using heuristic logic.
So, a heuristic logic scanner is a specific tool that scans the files for anything that might be a virus, but not sure. So, for example, that base64 straightforward encoding is an injection, but it's different on every site. So, you can't just do a comparison string to string, right? You need to kind of go, maybe that doesn't look right. So, heuristic logic scanning is a really important thing. And if it picks up, it's a 95% chance there is a problem. But no, most people, has anyone heard about heuristic logic scanning daily? Many people have known. Yeah.

And so when they told me, okay, Dennis, so how do you make sure we scan every, every day? I had to go, well, you know, actually, the tools are hard to find. If you ask other developers, how do you do that? They'll be like, well, I don't know, maybe, what, this is easy, but Google, like, how do you scan for Log4j, which is a fourth level dependency in a composer file? How do you know that? That's not possible.

So here's a composer file for a client that we manage. Everything looks all right. Except the problem is with this Parsley module. Anyone has any idea why? Perfect. Sweet, version. We keep updating everything, but the Parsley module is going to be 3.4. And then one year later, when they hire someone else to manage it, you know, when the project is finished, they got someone else to do it. When that module becomes vulnerable, who will tell them that this is the one that can bring your whole system down? You need a scanner for that. And the scary one is that if the Parsley module is strict and locked to 3.14, so see if it's like this, that means that it's at least 2, but whatever the latest version that went up there, but that usually sticks with 14 all the time. And that's a really big problem. But a lot of people just ignore it. But Parsley might be relying on a vulnerable component. So that needs to also be checked and scanned. And the government wants to do it daily.
And so we have to develop quite a lot of tools to do that. SiteGuarding is a really good tool that does any PHP, but it's a paid thing. But it's really cheap, it's 10 euros a month per site. Ukrainian company. Same as audit.io, started by a friend, also does the same thing.

Firewall is really interesting. There's two types, the way I see it: the one that works on the instance and the one that works at CDN level. CDN level is really clever. This is Cloudflare. I mean, Acquia gives that to everyone. There's also Fastly and Akamai, AWS WAF and so many others. But this is a really good one because it scans the deep packet signatures of the attacks for injection payloads, and then it's going to use AI to determine in real time whether a request might be a malicious request, and it's going to destroy it without even touching your site. And that is actually free. You can proxy your site through that. It also gives you free access to get them. So it maintains a real-time machine learning database and signature-based heuristics. So that's what we're talking about, the heuristic logic. So there's a signature of how something gets exploited, what kind of payload is being sent, and that's how it will block it even before it hits your site. So if you're proxying your DNS through Cloudflare, it also hides your IP. If you then do an HTTP request, a mild form of HTTP request or injection with some signature that matches the logic that they know, it's going to destroy it before it hits your site. Generally, if it's vulnerable, you're not going to get affected. Unless you're exposing your IP address, then they just hit the IP as well.

Cloudflare. If anyone wants, this is the Cloudflare dashboard; you can put it under attack mode. ChatGPT is using Cloudflare at the moment because too many people, too many bots are trying to scrape it. So it's really good. It's really free. It gives you lots of dashboards to understand where your attack is coming from.
Also, I use this really effectively to block every country except Australia for the clients, because they keep getting spam, and it works. Okay, we'll see if I have time for a remote code execution in a second.

We've talked about heuristic logic scans. We've talked about antivirus solutions. Antivirus solutions, it's a little bit too late when you run and have an antivirus, because it's already been injected, already been infected. But yeah, there are solutions. For example, so this kit here is really good. It's a Composer dependency security checker. It can be run as part of the CI/CD, and what it will do is every time you generate a composer.lock file, it's going to scan it and tell you, hey, Log4j is there and it's not patched. There's people that let you push the code, something like that. But that's a manual thing. There's no real tools out there that are, so that's a great opportunity to enter the market at the moment, because the government needs it. However, Acquia, no one's done it. I've been trying to see if there's an all-in-one, out-of-the-box solution; that doesn't exist. So we have to experiment. We have to do these things.

Hosting is interesting, right? Because Drupal's open source, it can be hosted everywhere. Platform.sh, Acquia, Pantheon are essentially safe because they are doing their own scanning, patching, and they're using Cloudflare, Fastly CDN to actively, kind of like, you know, in Israel there's this dome, the Iron Dome, right? So the rocket is flying, and the fence, yeah, and it just explodes the missile before it hits the land. But if you don't have the CDN, you're on your own. You have to do that. Okay, self-hosting: cheap, but a problem because you have to do all this yourself. You don't get the support.

Tenable, anyone had Tenable before? It's really great. Tenable, that's the Tenable website, the proprietary thing.
It allows an agent, it can basically give you a Linux agent that you self-host on your VMs, and it will report on the scanning, but it will not send it online if you don't want it to. So that's compliant with a lot of the Essential Eight. A lot of the antivirus solutions are out and not compliant with the government because they are leveraging cloud scanning. So you have to kind of send your vulnerabilities out in the middle of nowhere to be scanned and then get a report, and that's an extra level of responsibility to the government. So they don't have to take this. Tenable provides your Linux distro, you run it on your host, and then it's going to tell you everything that's wrong. And so this business here, Intruder, I don't know if anyone heard of it, really popular, is actually just piggybacking on Tenable agents that are sitting there, and it's just using an API and giving you vulnerability reports with this. So good.

Recap. No one's seen the red screen of death before? Seriously, yeah? No, that's not what I'm saying. No, it's not. I've been brought in to get society to be the most self-hosted. Yeah. It's nice because I started, I had my own business and I was doing small websites in Drupal, Joomla, and I hosted them on shared hosts when I started, and I thought everything was going great. I wasn't going to just start getting hacked, and it was really bad. Yeah. Drupal in itself is extremely secure. I normally work in the modules, because it hasn't worked. All right, that's my presentation. Okay. That's the way. Do you have any questions? Which I can answer as much as I can.

I have a question, more than just an experience that I want to share. Last year we did a processing of the way the antivirus provides for hosts in New York. Can you mention that? Once you're familiar with the antivirus, it's a few minutes too late. Yeah. I wanted to say that I think that's still a really, I wouldn't suggest that people walk away from it and not focus on it.
It's the antivirus that's coming in. It is too late. You are infected. Something's going inside. Yeah. I might have found that Tenable was really kind of a strong and active scan. So for example, Tenable, we could do that for your scan every hour or every day, but with CrowdStrike, I think we could constantly run on hosts, scan it, right, and have it as a surprise for us. But the only thing we could do after that is we could watch that thing. So we could say there's somebody that said to me awkward and we could wait on the work and everything. So if not just say there's a virus that's going on, or that there's a user who's malicious or not, who's kind of footprinting and what we know going on, trying to see what might be on the go, then that can stop something from happening before it becomes clear. Yeah.

That's right. And it is a requirement. In Essential Eight, the government requires you to do antivirus. And I guess, like, for me, when I was a small business owner, the thing was Google takes about three to four days to pick it up, antivirus takes 24 hours. So it's better that I find it. Oh, yeah. Yeah, let's have a look. Oh, he'll answer all the questions. But I didn't see. I'm so sorry.

Is there an argument for compiled static HTML? So what sites? Oh, yeah, one second. Compiled static. Who wants to know if there's an argument for using static site generators? Oh, yeah, that's great. So Drupal is vulnerable because of the database and PHP. If it's static, you can't hack a JPEG image. You can't hack a JPEG image in an S3 bucket, right? Well, you can try, but it will be almost impossible, right? So you can scrape your Drupal site. This is actually a really good strategy. Scrape the site once it's done, but you have to make sure the contact form obviously won't be able to post to PHP because it's scraped. So it has to post to some API.
And as long as all you do is just that, then you stick that into an S3 bucket with an SSL certificate to get secure, scalable; you don't have to worry about hosting. You only pay as much as you need for it because it's an S3 bucket and it's a static site. So yeah, absolutely. The scary thing, the reason why we are really worried about scanning, is because the injection is most likely through an API, web form API, REST API, or if there's a contact form on your site, they just put a SQL injection inside the contact form field, submit the form, and it drops your database or dumps the output. So if there's no database, you can't really change it. You can't really edit a static site, which is really good news. So that's a great question. And that's like an ultimate solution for security. Yeah, that's what Brest just said. If only there's no such thing as content updates. Well, you can do that. Still, you can. There are things you can do, that you can use, like the Tome module, for instance, that's just a simple module that makes a site static. Yeah, when you have a contact form, it's really good because anytime you make a content update, you just set Tome and compile, and you just make the dist directory your root directory. Yeah, or you could RDP into a protected VM where it will live. Do your content updates. You have like RDP accounts for everyone who needs to do an update with SSO. And then once you finish, your CI/CD pipeline will scrape it and just commit it as static HTML. Easy. No, super solution.

Someone says that they had a static Drupal site, but it still got hacked via the Linux kernel. Oh, well, if the hacker really wants to get to his site there. What are you doing? Well, I'm sorry. So do you want to speak? I'll try to turn my sound up. Do you want to speak? Oh, yes, I would like to say, yes, there was a static website on Drupal 6 I made, but it was hacked because the hacker gets paid very well.
So if the hacker gets paid very well, there is no solution. Yeah, if you're desperate and you're offered a lot of money, you'll find a way. Yeah, I mean, and then when I stream back it, there's still the root credentials and IAM credentials and AWS CLI that people use; they install that in their terminal. And then they, you know, don't touch the Mac at home, and then boom, they get some, someone makes the support call, a TeamViewer logs in to help you out, right? And then boom, on your back. And that's how Uber got hacked, right? Yeah, IAM credentials involved. Yes, sorry. Yeah, to reduce it.

Oh, like all of some, you can say, like, you can decouple the database from the, but I guess that the logic behind the attack is like this. Here I have a PHP file, right? The PHP file will load something from the database. If PHP, like, see how that file is injected, right? In the very beginning. Just a minute, so how did that happen? It doesn't matter if it's like Postgres or MySQL or RDS, because they injected the database because of some query here, like that input, right? Like what we talked about with the code thing. If it's not sanitized properly, they will inject it. So it doesn't matter what database you use. The only way to stop hacking is to make it, you make it static and remove the database. If there's a programming language behind the scenes that generates dynamic content, you're gone unless you protect it. But I think, like, if you stop PHP files being written using Linux tools, like what professional hosts like Acquia do, right? Like you commit to prod; even if I try to, even SSH to prod, I can't, I can't, like, edit the file using vi or anything like that. Yeah. So read only. But anything with a database is hackable, everything, but then imagine you just have an image. You just have a photo on the link. Like you can't hack it. There's nothing to do there, right? So I know, I know. I know you can. Yeah, but you know. That's right. There we go. So many. It's a great read.
It's just really complicated at once. Choose how it came to me, mate. Wow, like the birds. Oh, yeah. Alex, haven't you got that? Yeah. So what do you think actually is the truth? Yeah, yeah. Because the government actually. Yeah. The reader is too complicated.

When I got an email from the government, it was like this. Make sure it's patched. Make sure it's scanned and we know when something goes wrong. Make sure it's up to date. Anything critical has to be up to date the same day. Everything non-critical has to be up to date within two weeks. And then they wanted, and so, and then of course they wanted to have like a logging system. Someone tries to guess the password three times on the same IP address, it goes into the log, and then that gets analyzed. The way, the way my understanding is this Essential Eight works is you have multiple maturity models, one, two, three, four, five, whatever. And you need to get to at least maturity model one, which is like the most, at least to do something. And then once you complete that, you move to the next and next and next maturity model. And it gets really.

I think that is your response. I think that's probably the best way to do it. It's certainly the best way to do it. So we get quite a bit of a question. And of course, you know, it helps to jump to a bunch of tips to go to the government on top of the sustainability requirements. So, you know, it's for them. They're probably correct. These are the ones that we know are consumable. Perfect. Someone who's going to be able to spend two or three practices when you talk about the other ones, you know, the first is this music. This is, this is, this is, if you do that, I think you would be level one. And then the next maturity model. You can stand up at the project for the clients. But I would just emphasize, even if you don't need to think about it, you've got to do the side of this.
So yeah, I mean, I've learned a lot about hacking the very hard way, you know, because there were tens and tens of sites that were injected nonstop. And so if you work in an enterprise, it's much less likely to occur. But if you work in small business and they don't really go for big platforms, it's much harder. So, so yeah, I mean, yeah, in here.

Okay, regarding hack via JPEG, Bexat says injecting malicious code into the pixels of a photo is over hacking and transferring secret messages. Yes. Yeah, there's a lot of funny stories, like I'd love to tell you all. It's just I don't have enough time, but that's obviously part of you. Is there something in your room that stands out? Yeah, you're exactly right.

How many Drupal projects are you running? Please lift your hand up if you are up to date today on all your modules. All of the projects that I'm managing currently? Yes. What are you on? You just started it. You're not pretty hungry. I've got two projects. I've got two modules all updated today. But we're talking about, like, TinyMCE, like this version, all the non-required. They're probably not. Ah, I suspect that's coming from your point of view. Yes. Yeah. Yeah. It's a miracle. Yeah. I mean, we're still okay.

So one of the things with multi-factor, as I see all the time, the government has to go through a crazy process to give you some access. That SAML access will stop working if you haven't logged in for the last three days or two days or one day, and then they're like, hey, can you build a back door? Can you just build a query string? And then if I pass an argument through a query string, then we just go to Drupal login instead of the SAML, just to make it easier, just while we're working on it. So I will, SAML kind of, ease. Well, yes, because you are managing it using Azure B2C or Active Directory or LDAP, right? So you are offsetting the, you're outsourcing the authentication to the managed provider.
So injection, this is just for access. So if someone stole your password, they can edit that. If injection doesn't work, they just, if there's a contact form on your form, they just inject it and see it later. Yeah. And then with that beautiful Azure MFA, Uber got hacked with that. Yeah, because they just went, the attacker stole the person's password through a link, then he went authenticate, authenticate, authenticate, authenticate, authenticate, the guy started getting multiple messages to authenticate the request, you know, authenticator. He just got an email from a support saying, please, can you approve it? We're just testing it. Can you click the phone? So that's it. Yeah. Yeah.

Use Platform.sh. It's $20, right? Something like that. $75 per month. If you can't afford that, maybe AWS? Yeah. Yeah. Yes. This is on, this will be on YouTube in the next week or two. Is it in a month, March? I know we haven't done any slide share or some YouTube. It'll be visible, depends if you want, if, do you want to click through them? If you want to know some of the content. There's nothing, there's nothing else too scary in the code, it's all in GitHub. I open sourced the exploit. If you use it right, you're there in your server, you just want to click to. Yeah. You actually can run shell commands as root through Python, by modifying HTTP requests to the server. We love the implement. Yeah. All right. Thank you so much, everyone.
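The code problem the talk keeps coming back to (a query built by concatenating POST input, versus passing the value through Drupal's database API as a named parameter), written out as an added example for a Drupal 9/10 site; this is not the talk's slide code, and the `products` table, its `name` column and the `q` form field are assumed names.

```php
<?php
// Added example, not from the talk. Assumes Drupal 9/10, a custom table
// "products" with a "name" column, and a POST field "q" (constructed names).

use Drupal\Core\Database\Connection;
use Symfony\Component\HttpFoundation\Request;

/**
 * The "before" pattern from the talk: the raw POST value is spliced into the
 * SQL string, so the statement is never prepared and whatever the user typed
 * becomes part of the query text. Kept only to show the shape of the bug.
 */
function product_search_vulnerable(Connection $db, Request $request): array {
  $q = $request->request->get('q', '');
  $sql = "SELECT name FROM {products} WHERE name LIKE '%" . $q . "%'";
  return $db->query($sql)->fetchCol();
}

/**
 * The "after" pattern: the SQL text is fixed and the user value travels as the
 * named placeholder :q, so the driver binds it as data, never as query syntax.
 * escapeLike() keeps any % or _ the user typed literal inside the LIKE.
 */
function product_search_parameterized(Connection $db, Request $request): array {
  $q = $request->request->get('q', '');
  $sql = "SELECT name FROM {products} WHERE name LIKE :q";
  return $db->query($sql, [':q' => '%' . $db->escapeLike($q) . '%'])->fetchCol();
}

/**
 * Same query through the select builder, which is what Drupal recommends for
 * dynamic queries: every condition() value is bound as a placeholder.
 */
function product_search_builder(Connection $db, Request $request): array {
  $q = $request->request->get('q', '');
  return $db->select('products', 'p')
    ->fields('p', ['name'])
    ->condition('p.name', '%' . $db->escapeLike($q) . '%', 'LIKE')
    ->execute()
    ->fetchCol();
}

// Inside a controller or form submit handler on a live site:
// $names = product_search_parameterized(\Drupal::database(), \Drupal::request());
```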