Good afternoon, everybody. I know it's after lunch, but really, good afternoon, everybody. Okay, right. You are in "Watch the Hacker Hack," a DrupalCon presentation. If you don't think you're in the right place, you should probably leave now.

So, the three of us up here: I am Michael Hess. I am mlh407 on Twitter and mlhess on Drupal.org. This is... oh, no, it's not. Ben Jeavons, coltrane on Drupal.org, and Greg Knaddison, greggles on Twitter and Drupal.org. I work for the University of Michigan; these two guys work for CARD.com, who happen to be hiring, and they're awesome to work with.

So, who's secure? Raise your hand. Really, no one? Oh, one person. Okay. Who has a site on the internet who's secure? So the problem is that your site on the internet probably isn't secure. In fact, I'm pretty sure it's not. It is a target for people to attack. In fact, it's probably being attacked. How many people think they've ever been attacked in their life? How many people think they haven't been? So not all the hands are up on the first one, but on the second one... there seems to be a little problem here.

So the only way to really make sure that you are secure is to remove yourself from the internet. And even then you're not really secure, unless you're going to solder closed all your USB ports and all sorts of other things. But now that you've been given this great advice by three great people, how many people just disabled wireless or, you know, powered off their servers?

When we talk about security breaches, we often think about big sites, right? A lot of big sites are in the news when they're broken into. So this is a graphic of breaches by, I think, user count or records lost in those data breaches. These are the ones that we hear about in the news: Target or Sony or the Panama Papers, you know, these sort of big companies, big groups. But it actually also happens to small companies. Verizon did a research study in their data breaches report, and 70% of data breaches were
organizations under a hundred people. So it's happening to large companies, it's happening to small companies, it's happening to everybody. There was a survey, I don't remember where I'm citing this from, and maybe I'm making it up, but it was something like 70% of businesses reported security breaches or security attempts against them, which would imply that 30% didn't have them, and really the 30% just didn't know.

So why would you be a target? Greg, why would people be a target?

Well, you know, speaking as CARD.com, we have a lot of information about our customers. We have financial information, their debit card numbers. So that's certainly an obvious target: an organization that has that kind of sensitive information. But I think, you know, with the SQL injection issue that we saw with Drupal a year and a half ago, a large number of sites got attacked. And so every site that's connected to the internet is some sort of a resource that can be used for attacking other sites or to harvest information out of it. So whether you think your site is a target or not, the answer is that it is a target. The only question is, how easy will it be to get into the site? So in the case of the SQL injection issue, that was fairly easy, to break into a lot of sites all at once, and so that made every site a worthwhile target, right? There's a trade-off between the level of effort to get in and the value of the resources inside, and eventually, at some level of effort, every site becomes a target. Everybody know what we're talking about with the SQL injection issue?

So we've heard a lot of things about this, like "no one cares about my small site," and "I store medical records, but not people's names." Seriously. This wasn't an email.
"So no one would attack me," or "I'm in some industry and no one really cares about our data." All of these are false, as Greg indicated. If you're on the internet, you are being attacked. Look at your Apache logs; you'll see people attacking you. How many people work for a hosting company in this room? How many people have seen attacks on sites in their logs, from a hosting company or not from a hosting company? How many people have ever looked at their logs? Who has never looked at their logs? Okay, we're going to wait 30 seconds. Seriously, we're going to wait 30 seconds for you to go look at your logs.

So we also need to be aware that it's not just Drupal that's at risk. This is a DrupalCon, we talk about Drupal a lot, but there are other things running that are attackable. So how many people run a web server? Kind of hard to run Drupal without a web server. How many people know if that web server is vulnerable? What about MySQL or Postgres or some other database? Linux itself, memcache, Redis, Solr? Hey, anybody update ImageMagick this week? How many people... ImageMagick is a library that deals with resizing of images. It's not the default library used in Drupal, but it had a pretty serious vulnerability that is actively being exploited, where you could basically run code on the server. So if I can run code on a server, what can I do, Greg or Ben?
Whatever the web server can do.

Yeah, access the database. The web server's going to be talking to the database, it's going to be uploading files, maybe to the private file system. So somebody who can upload an image with this malicious payload in it could access all of those files. I think the most interesting exploit that I saw related to ImageMagick was opening a reverse shell, so that somebody could get interactive control of that server and run arbitrary commands from their own server. So they can, you know, probe it and get a nice tight feedback loop to be able to probe the server and execute additional things.

So as this is a DrupalCon, we're going to focus mostly, almost entirely, on Drupal. So let's actually get started. What... what is this? I'm running a Mac here. I don't know how I've got a Windows error message. We'll take questions afterwards.

Yeah, this is my work.

What do you mean, it's your work?

I mean, this is my work.

You hacked my presentation? And why would you hack my presentation? Like, what do you have to gain by hacking my presentation, disturbing all these wonderful people?

Well, we have eyeballs. I mean, publicity.

Publicity for what?

Palantir.

Why Palantir?

Because I'm going to work for them.

Oh.

So, like, you should too. So you should just take a look at our logo for the five minutes that I have here, having captured your attention.

So you hacked my presentation for the purpose of putting a logo on my slides?

I mean, the attention is on us, right?

How many people have been hacked and, like, someone else put links to spam or Viagra or anything of that nature? Similar here. So, okay. Thank you. Thank you. Can we continue? Are we allowed to continue?

Yeah, you have my permission.

So we're all hackers. Like, this term...
Yeah, exactly. This term gets misused a lot. Anybody coming to sprint days at the end of the week? You're all hacking; you're hacking on core. In some cases you might actually hack on core, but that's okay in that instance. When we're talking about hacking here, we're referring to the traditional, or the non-traditional depending on where you stand, sense of someone who is attempting to break into a system to which they should not have access.

And we have to talk a little bit about the types of hackers, so people do this for different reasons. There are people out there who actually hack for good, and that's kind of what happened today: the presentations we're about to show were people hacking for good. You have people who just run shell scripts and don't really know what they're doing. So, like, SA-005 was mostly exploited by this: you downloaded a script, you ran it, you gave it a URL, and it gave you an account on the site. You didn't have to understand how it worked. You didn't really have to have a good set of skills or an understanding of what SQL even was. You just knew that if you ran this Python script and handed it the URL, you could log in as admin.

There are different colors of hats, which I'm not going to get into, but people hack for different reasons and we kind of assign colors to them. But it seems that, you know, the only ones that are agreed on are black and white, and there are other colors in there. We have, unfortunately, these state-sponsored hackers, people who are paid to hack, sometimes by a government, sometimes by corporations: FBI, CIA. We have people like Michelle who hack for personal gain; they have a monetary interest to be gained by hacking. And then there are some other groups that fall into other... Thank you.

So we happen to have this new site that was put up recently, and this is the site that was given to our hackers to attack. It was a clone of an actual real site, and we thought we followed best practices when we built it. So it
has things like two-factor authentication. Speaking of which, if you're not running two-factor authentication on your site, that's another thing: we should stop and wait the 30 seconds for you to download the module and install it. Someone on this stage up here wrote that module for Drupal; I'm looking at them. It's a multi-site site; it has two separate databases. And once the site was cloned and moved over to another server, I went through it and injected common security mistakes that people make, and then I handed it over to our two hackers. And I didn't tell them what they were, so just as if I had put up a site and actually made these mistakes, they had to discover them and try to figure out what to do on their own.

Here's the, you know, warning: don't try this at home. The actions taken here would be illegal. You could go to jail for doing this, so we'd like all of you to not end up in jail. And then, a little side note here: if we were to actually watch a hacker hack against a complex target, it's not something you do in an hour. It's something that might take hours, weeks, maybe even years if there's social engineering involved, if there's a lot of probing involved. It's not something that happens quickly.

So for our first little subset here, we have a hacker, and they're going to look around the site. And so... yeah, there we go.
Yes. So, sure. In this case the hacker is looking for weaknesses in the site, sort of probing things about the Drupal site that might be exploitable: risks that exist in all Drupal sites, or maybe in particular this one if it's using custom modules or custom things. So one of the first things was looking to see if the site has Full HTML available or PHP filter available to anonymous users. So /filter/tips is a place you can visit on all Drupal sites; it shows you what input formats are available for anonymous users. And then the attacker is looking around for other things: maybe there's some place where content can be injected, comments or nodes or any other forms that are accessible to the anonymous user.

And it's interesting, I think, when looking around at the site, you may notice that it's giving a couple of different kinds of errors. So some of them are "page not found" that are being produced by Drupal; some of them are "access denied" being generated by Apache, it looks like; and then also "page not found" being generated by Apache. And those different errors happen for different kinds of files.

And so you can see in this case the attacker found something called the AddThis module. AddThis is a social widgets sort of plug-in. They went to Drupal.org to read about that module and discover that maybe that module has a public security issue, maybe the site is running an out-of-date version of that module. So, you know, sort of probing for weaknesses, either very low-hanging fruit, in a sense weaknesses that can just be publicly exploited or easily exploited. This is referred to as fingerprinting, or sort of doing analysis on the site to understand what those weaknesses are. And so in this case, how do you fingerprint, like, a particular version of a Drupal module? You look for public
artifacts of that module, like a CSS file or a JavaScript file, that you might be able to use to distinguish which particular version. So, you know, Drupal.org is the source of this module, so you can get identifiers like the MD5 hash of a CSS or JS file, and then you can get that for what's running on the site. You can compare them to sort of try to identify which particular version of the module this is. This is used by the BlindElephant tool; it's a general open-source tool for fingerprinting lots of different types of web applications. In this case, you know, the attacker's doing it manually, just by doing the MD5 hashes of these files.

This is, in my mind, some of the good news: Ben's not super efficient at this because he doesn't attack sites all the time, right? If you're attacking sites all the time, then you would probably have more automation.

Yeah. So once that attacker's done some anonymous fingerprinting, the attacker attempts to create an account to see what they're capable of doing. So along with fingerprinting, like, for particular vulnerabilities, you know, an attacker will want to try to get elevated access, you know, administrator access if they can, or anything beyond an anonymous user, assuming that there's not a vulnerability immediately exploitable as an anonymous user. So it just so happens on this Drupal site I was able to register for an account. So the Drupal site allowed me to create an account on the site. So okay, well, now that I have an account, what can I do?
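As an added example (not part of the talk), here is the defender's side of the fingerprinting just described and of the earlier "go look at your logs" advice: a small Python script that parses Apache combined-format access log lines and flags clients that request the telltale files. The log lines and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration, and the path list is an assumption drawn from what the talk mentions (/filter/tips, module CSS and JS files, README.txt, CHANGELOG.txt, open user registration).

```python
"""Spot site-fingerprinting probes in Apache access logs.

Added example, not part of the DrupalCon talk.  The log lines below are
constructed for illustration; the watched paths are the ones the talk
mentions plus /user/register.
"""
import re
from collections import defaultdict

# Apache "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths an attacker requests while fingerprinting a Drupal site (assumed list).
FINGERPRINT_PATHS = {
    "/CHANGELOG.txt": "Drupal core version disclosure",
    "/README.txt": "stray README (may leak credentials)",
    "/filter/tips": "enumerates text formats available to anonymous users",
    "/user/register": "checks whether open registration is enabled",
}
# Static assets under a module directory get MD5-hashed and compared against
# Drupal.org releases to pin down the module version.
MODULE_ASSET_RE = re.compile(r"^/sites/[^/]+/modules/(?P<module>[^/]+)/.*\.(css|js)$")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Return a human-readable reason if the request looks like reconnaissance, else None."""
    if path in FINGERPRINT_PATHS:
        return FINGERPRINT_PATHS[path]
    m = MODULE_ASSET_RE.match(path)
    if m:
        return f"static asset of module '{m.group('module')}' (version fingerprinting)"
    return None

def analyze(lines, not_found_threshold=5):
    """Group suspicious requests by client IP.

    Returns {ip: {"recon": [(path, reason), ...], "not_found": count}} for
    every IP that hit a fingerprint path or produced many 404s (guessing
    at files that are not there).
    """
    report = defaultdict(lambda: {"recon": [], "not_found": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"].split("?")[0], rec["status"]
        if status == "404":
            report[ip]["not_found"] += 1
        reason = classify(path)
        if reason:
            report[ip]["recon"].append((path, reason))
    return {
        ip: data for ip, data in report.items()
        if data["recon"] or data["not_found"] >= not_found_threshold
    }

# Constructed sample log: one scanner (203.0.113.7) and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:13:01:02 -0500] "GET /CHANGELOG.txt HTTP/1.1" 200 93221 "-" "curl/7.43"
203.0.113.7 - - [10/May/2016:13:01:05 -0500] "GET /filter/tips HTTP/1.1" 200 4120 "-" "curl/7.43"
203.0.113.7 - - [10/May/2016:13:01:09 -0500] "GET /sites/all/modules/addthis/addthis.css HTTP/1.1" 200 1811 "-" "curl/7.43"
203.0.113.7 - - [10/May/2016:13:01:12 -0500] "GET /README.txt HTTP/1.1" 404 213 "-" "curl/7.43"
203.0.113.7 - - [10/May/2016:13:01:13 -0500] "GET /user/register HTTP/1.1" 200 6010 "-" "curl/7.43"
198.51.100.20 - - [10/May/2016:13:02:00 -0500] "GET /node/12 HTTP/1.1" 200 14022 "https://example.test/" "Mozilla/5.0"
198.51.100.20 - - [10/May/2016:13:02:03 -0500] "GET /sites/default/files/css/css_abc.css HTTP/1.1" 200 3300 "https://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, data in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {data['not_found']} x 404")
        for path, reason in data["recon"]:
            print(f"  {path:45s} {reason}")
```

Pipe a real access log through `analyze()` (one line per element) and the scanner stands out: a burst of requests for version files, text-format listings and module assets from one address, which is exactly the manual fingerprinting the video shows. The same hits from your own monitoring or from a CDN health check are false positives, so whitelist those addresses before alerting.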
I think where it's at now, it's before having created an account, so still sort of... great, now you're logged in. So, logged in, looking at what can happen as an authenticated user. So again, checking input formats or text formats for whether anything beyond Filtered HTML is available, specifically looking for whether, like, JavaScript or PHP can be executed. And so we see our hacker create a comment, set the format to Full HTML, and sort of inject some evil JavaScript, but it doesn't work. And it doesn't work because the hacker actually made a mistake: they're posting their evil JavaScript into a WYSIWYG editor that's actually converting it, basically escaping it. So our hacker's going to confirm: yes, Full HTML is available on here, and oh, they just figured out that they can disable... wait, no, click it. Or not.

And so the JavaScript being injected here is an attempt to steal access from somebody who has elevated or administrative access on the site. So it's a cookie theft attack, basically: the JavaScript, if executed by somebody with elevated permissions on the site, will steal their cookie, which you can then fake and get authenticated access on the site as that person.

How many people have seen, like, a security demo, and it ends with the person who's demoing it getting really happy that they made "hello world" or "hello" pop up in a JavaScript dialog? So that's basically the way to test to see if JavaScript gets executed, and if it does, you can do all sorts of fun things like steal a cookie. What else can you do? Anything. Anything that you can do in your browser, cross-site scripting can do on your behalf. So if you're logged in as an admin and you can enable or disable a module, disable the two-factor authentication module, JavaScript in your browser can do that for you.

I actually had a question on this one. I thought that the cookies were HttpOnly, so does this attack work on that?

No.

Did you actually try stealing a cookie?

No. Okay.
Well, but I think an attacker attacking the site, you know, would have discovered that the particular thing about the cookies was mitigating against that. So that's mitigated in Drupal 7 and 8, I guess, but not so much in Drupal 6.

Yeah, and Drupal 6 is now end-of-life. So if you're running a Drupal 6 site, you should update it or find a long-term support vendor to help you out.

So our hacker's going to find a huge misconfiguration. And as I said earlier, I injected some common mistakes into the site, and I actually didn't mean to inject this; I did it by mistake. But what you can see is it's pretty, pretty bad. Our hacker's actually able to edit their own user account and elevate their permissions to administrator. Now, I honestly did not mean to do this, but what's interesting to me is not that the hacker was able to do that, because there are other ways to do that. It's what the hacker does after they get that. So whether they clicked a checkbox and gave themselves admin, or they stole a cookie and then logged in as the admin, or they password-sniffed the admin account: what do they do next? They've got admin on your site. What are they going to do?

And so it looks like our attacker has enabled the devel module and is now writing PHP code... wait. Oh, yeah, sorry. And so they're writing some PHP code and they're looking at settings.php. So they've got the entire contents of settings.php in the browser; that includes your database credential strings. So what are they going to do now? But of course there's a firewall protecting the database, right?
So they've now dumped settings.php to a text file so they can download it to their local machine and read it, and they're calling it files CSS CSS; that's the name of the file. So if you are looking at your file system, you wouldn't even know it didn't belong, necessarily. Well, CSS is a strange file name, but... So now they've got a copy of settings.php, and they're going through and trying to find something interesting in it. And you can see they're just writing PHP here. So this is referred to as code execution or code injection; it's injecting malicious PHP code into the application, and it's made available by the devel module. So make sure your permissions for the devel module are configured correctly, or better yet, don't run devel on a live site. Just remove it from the code base when you push it to the production server.

I also really appreciate that the hacker in this case cleaned up after themselves, right? They're very, very tidy, which is always nice when you have a guest. But it's interesting how, you know, you have to think about what the motivation of the attacker is. If the motivation of the attacker is to control the site for a long time, then they are going to want to clean up after themselves so it's hard to find them. And when the attacker created their account, they didn't just say, well, "I'm an evil attacker" is my username; it was admin1, right? Which probably a lot of sites have, an account called admin1, or at least it wouldn't be noticed.

So they've now found the username and password for the database out of settings.php, and they're just running the mysqldump command to dump a copy of the database. And in an effort to also hide their tracks, they're dumping the file not as .sql but as .css, and trying to hide it in Drupal's files directory. And they were able to do that, and they're now downloading the very large database, but it's too large for them to download. Like, it's
probably a hundred megs, and that's taking too long. So now they're gzipping the database. And you can see this is taking a little bit to run, because it's got to gzip the database. Oh, much faster, look at that go. So it went from 13 minutes to half of that, or to a minute basically. And so now they can just suck down the entire database. And of course, when they're done, they're going to remove the database, because they don't want the administrator to come back and find it later. And so there's the database, they see it, they're going to rename it to something that makes sense. Now they're going to read through the database. They've got the whole database there, and now they're going to delete the database. Deleting the database copy on the server, yes, not deleting the actual database, because that would break the thing. And now you can see that they've actually removed the database.

So, you know, while they elevated themselves through a bug that I really didn't mean to introduce, they got themselves the database pretty easily once they had access to run PHP code. And so that's kind of scary.

So we've got another misconfiguration here. So another way of probing is, you know, checking for static files, fingerprinting the site. You might check CHANGELOG.txt to see which version of Drupal is in this piece. They found a README.txt that happened to have a plaintext password for an admin account. So one of the issues with GitHub and Bitbucket is they prompt you to create a README file. Drupal doesn't have one by default, and it prompts you to create one, and so this person created one with the SQL credentials to the database in it that happened to work. So now we can see that our hacker found this README file and is now actually going through the database for another site, and what they do is actually going to be interesting. Also, this was actually... I take that back.
This is not the database credentials; this is the login for admin to the actual site itself. So the database server was configured to listen on a port improperly, and so they were able to connect to it as anonymous and have read access. They can't write, so they can't change anything. But you can see that our user, or our hacker, not our user, is actually running the TFA module. So their database has two-factor in it, so even with the admin and "testing123" password, they couldn't actually log in. But with database access, they're going to do something else, and so we actually see our hacker writing code here.

Yeah, we moved through this kind of fast, but the attacker, having UID 1 access, was blocked by the TFA module. Two-factor authentication is an additional item that you need to log into a site. So in this case, having both the UID 1 password as well as the database dump, the attacker's going to sort of reverse-engineer that two-factor authentication security control and get access. So with the database comes the Drupal private key, if the Drupal private key is stored there, and the Drupal private key is used for generating tokens and other secure hashes on the site. So the TFA module, by default, you know, will rely on that token if it's not configured otherwise. And so, by being able to have read access to the database, we can get something for that particular UID 1 user: we can get the hashed data for that second token, and now, having that, we just need to use the private key to recreate what's referred to as the seed for that token. A lot of that's very specific to the TFA module.
So basically we're just seeing somebody get access by reverse-engineering a security control.

Well, I can just say, you know, this is a good reason to sanitize database backups. If some of your information, like the Drupal private key, gets into your database, and then you have a backup copy of your database on your laptop, and you leave your laptop in the bin at TSA, now whoever picks it up has access to that information that can be used to attack your site. So, you know, before you put your database outside of the production environment, it's good to clean out all of that secret information. And I think there are many nice tools for doing that. drush sql-sanitize is a good tool that most people have installed, because it's just available with Drush. But also, within the Paranoia module, there's a tool called SQL sanitize whitelist, which is much more aggressive and thorough about how it cleans out tables.

And so what we're going to see is, oh, here's our two-factor authentication, and we basically use the script and we're now logged in as admin.

So what we did here is we basically set up several sites for the purpose of being hacked. And, you know, when I was doing these, I was kind of going through in my mind, okay, how should I set this up in a manner that can be attacked? And is it going to take, you know, my hackers multiple hours to do this? Because, you know, I knew they were going to rush, and they know the common configuration mistakes, and I obviously made a mistake in there. But what was interesting to me is they didn't approach it the way I thought they'd approach it. So this was somewhat of a learning thing, and it's a learning thing for everybody out there, because when your sites get hacked, not if, when your sites get hacked, how the attacker can elevate their privileges is actually the more important question.
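As an added example (not the talk's code, and not Drush's or the Paranoia module's), here is what "sanitize your database backups" looks like for the specific secret the talk calls out, the Drupal private key: rotate it in the dump before the copy leaves production, so that a lost laptop does not hand out the key the TFA module relies on by default. It assumes the Drupal 7 layout, where site settings live in the `variable` table as serialized PHP strings and mysqldump writes each row as ('name','s:43:\"value\"'); the dump fragment and key values are constructed. Scrubbing e-mail addresses and password hashes is what drush sql-sanitize already does; key rotation like this is the additional step.

```python
"""Rotate secret keys inside a Drupal 7 SQL dump before it leaves production.

Added example, not part of the talk or of the Drush/Paranoia projects.  Assumes
the Drupal 7 `variable` table, where values are serialized PHP strings
(s:<length>:"<value>") and mysqldump writes them as ('name','s:43:\"value\"').
The dump text below is constructed.
"""
import re
import secrets

# Variables that must never travel with a backup: the private key signs tokens
# (it is what the TFA module falls back on by default), the cron key gates cron.php.
SECRET_VARIABLES = ("drupal_private_key", "cron_key")

# One ('name','s:N:\"value\"') tuple inside a mysqldump INSERT for `variable`.
VALUE_RE = re.compile(
    r"\('(?P<name>[^']+)','s:(?P<len>\d+):\\\"(?P<val>[^\"\\]*)\\\"'\)"
)

def fresh_key():
    # 32 random bytes as unpadded URL-safe base64: 43 characters, the same
    # shape as the key Drupal 7 generates at install time (assumption).
    return secrets.token_urlsafe(32)

def rotate_secrets(dump_text, keygen=fresh_key):
    """Return (sanitized_dump, replaced_names).

    Every secret variable gets a new random value and a corrected serialized
    length; every other tuple is copied through unchanged.
    """
    replaced = []

    def sub(m):
        if m.group("name") not in SECRET_VARIABLES:
            return m.group(0)
        new = keygen()
        replaced.append(m.group("name"))
        return "('%s','s:%d:\\\"%s\\\"')" % (m.group("name"), len(new), new)

    return VALUE_RE.sub(sub, dump_text), replaced

def leaked_secrets(dump_text, known_secrets):
    """Names of known production secrets whose value still appears in a dump.

    Run this on any copy before it goes to a laptop, a CI box or a vendor.
    """
    return [name for name, value in known_secrets.items() if value in dump_text]

# Constructed dump fragment standing in for `mysqldump ... variable`.
PRODUCTION_KEY = "k7Zs0dQp2X1Yc8wLmN4vB6tR9uH3gF5jA1eC2iD0oP8"
SAMPLE_DUMP = "INSERT INTO `variable` VALUES " + ",".join([
    "('cron_key','s:43:\\\"Xc1Vb2Nm3Qw4Er5Ty6Ui7Op8As9Df0Gh1Jk2Lz3Xc4V\\\"')",
    "('drupal_private_key','s:43:\\\"%s\\\"')" % PRODUCTION_KEY,
    "('site_name','s:7:\\\"Example\\\"')",
]) + ";\n"

if __name__ == "__main__":
    clean, names = rotate_secrets(SAMPLE_DUMP)
    print("rotated:", names)
    print(clean)
```

Because the serialized length is rewritten along with the value, the sanitized row still unserializes cleanly on the copy, so the staging site boots with its own key rather than a broken one. The `leaked_secrets` check is the cheap guard to run on every non-production copy: if it reports `drupal_private_key`, the sanitizer was skipped.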
It's not if they get hacked, it's when, and what can they do when they do. So dumping my database, getting access to those keys: that's all really bad.

So let's kind of think about that. You're at risk; your sites are at risk. So, you know, this model of "I've checked my checkbox off on security, I ran my nmap, I'm good, I got TFA installed, I'm done with security, I'm not going to get hacked": that's a myth. Your sites are at risk. So the question becomes, how do you defend yourself? And since everyone is at risk, the real question becomes, what do you do to reduce that risk? So, you're at risk. You have a risk, in the same way that you could be at risk for having a heart attack. What do you do to reduce that risk? Well, you don't exercise one time a year. You exercise daily, maybe weekly. You eat good food. You don't eat fried food, unless you're in New Orleans. So you follow these daily best practices. And just like with your risk for a heart attack, Drupal has best practices.

One of those is to follow the Drupal Security Team. If you're on the Drupal Security Team, please stand up. How many people in here? Three. And I guess the three of us should be standing up, but... So please don't ask any of these people in this room to remove their shirt; you might see, like, a portal to the internet. The security team follows responsible disclosure to help keep your site secure, and kind of that process is basically: we take incoming reports about security vulnerabilities.
We verify that they're accurate. We then work with the maintainers to get those issues fixed. And then we release security advisories and whatever the updated version of the code is, on a Wednesday, in a coordinated release fashion. And we provide advice on best practices for maintainers if they have a question about how to handle something. The security team doesn't actively scan all Drupal modules, so there's no sort of active process in that regard. It's more reactive: if a security vulnerability is found, there are members of the team on their own time who do some of that analysis, but it's not an active process.

And as I said, we release updates on Wednesdays, typically between noon and 5 p.m. Eastern time, kind of trending more towards, like, 12:30, 1 o'clock, somewhere in that range, but sometimes it gets spread out. So what does that mean? On Wednesdays you should have a little bit of time set aside to see if there are any release announcements. You can follow us on Twitter, we have RSS feeds, we send out emails which you can subscribe to if you have a Drupal.org account. Edit your profile; it's moved around a bunch of times, but I think there's something called "my newsletters" and there's a box in there to check to subscribe. Having said that, we just updated our list infrastructure and I don't think we checked that today, and I'm looking at Rudy to actually see... I don't think we did that. So if it doesn't work, we'll have it fixed soon.

But do set aside the time on Wednesdays. It's important to do; it's the number one easiest thing you can do to keep your site secure: just keep it updated. And that doesn't just go for your site, that goes for everything you're running in your stack, whether it's Drupal or Linux or MySQL or your firewall. There was a Cisco ASA firewall issue that came out about three months ago where someone could get root on your firewall. So keep all your components in your stack up to date.
It's the easiest defense you can have against hackers. It doesn't require much extra work; it's really simple to do.

And I think one thing that goes along with that is that not only should you set aside time, but you should also make it as easy a process as possible, and make it easy to recover if there's a problem. So, you know, you want to make the deployment as automated as possible, make the integration of new code as automated as possible, have automated tests if you can, have a QA process that you're confident in. Just make that as easy as possible, so then as you're looking at these new releases, instead of saying "wow, that's a lot," you're saying "oh, no problem, I'll just push the button and it'll happen." Hopefully.

How many people have an automated deployment workflow? Okay, how many people have backups? How many people have ever destroyed their production environment and recreated it from backup in a testing environment? So for everybody whose hands were up earlier who said they had backups: your backups are useless if they don't work. So it's not enough just to back up the things; actually try restoring as if your production environment got destroyed. We run a drill typically where we take those backups, throw them on a drive and restore them to a different provider. So we test to make sure that if, you know, provider A went belly up and is gone, and all the data they had is gone, could we get up and running, and how long does that take? And then from a business side, is that okay with the business? You know, folks, is a 20-hour restore time acceptable, and if not, what do we do to speed that up?
You know, I said keep your stack up to date. I want to also bring up: you guys all have laptops you use to connect to your sites. Make sure your laptops are up to date. CVE-2016-2315 is a git vulnerability in which, if you check out a repository with malicious code, it runs shell scripts on your local machine as you. So it could take your SSH keys and send them to a third party. I've got a repo for people to check out after this. But the point is that every component you're using in your stack, including your local machine, potentially is vulnerable. The ImageMagick one is a great one. It's not Drupal-specific, but if you're running ImageMagick, you need to mitigate that, and there are directions online on how to do so. If you're running with a hosting provider, well, we'll talk about that in a second.

So that kind of goes to process. How many people have, like, checked off the security checkbox before? Nobody's willing to admit this. So, like, you'll see, I won't name names, you know, these proposals that come from Drupal vendors where they actually have a line item for security and it's a checkbox. It's a sprint, basically, where they're going to go through and secure the site, normally after it's built. That doesn't really work. Security should be embedded into every sprint. When you're installing a module, you should sit there and ask yourself, hey, what is the impact of me installing this module on the security of my site? And you should also be asking what's the performance impact, not that that's related to security, but when you're making decisions regarding your site, there are all these different questions that come to mind.

You know, I put this up because I made this mistake. Drupal has a lot of these checkboxes in it and these drop-down things, and they're really cool UI widgets, because we don't have to write code to do things, but you have to be aware of the checkbox.
I accidentally clicked "administer permissions." Oops. I've seen other sites where people have checked other things like "use administration system" and, you know, what's the other one? "Administer taxonomy." Well, administer taxonomy is not a security issue; people need to be able to add and remove taxonomy. But administering taxonomy lets you administer fields, which kind of makes it a security issue.

Your users are probably your biggest security issue, sorry about that, but they're probably your, like, single point of weakness, unfortunately. Audit your configuration. Never give anyone you don't 100% trust Full HTML. Side story on this: you know, you've got content editors who work on your site. They're trusted, they're employees, you give them Full HTML. I've seen people copy and paste JavaScript code off the internet into a site because they were trying to accomplish something. That's bad, especially because they don't understand the code they're copying. And anything that has "admin *" has a little italicized text under it, you know, "give this to trusted users only." Really, trusted users is almost a synonym for site builders and administrators. Like, I know we all can't follow that all the time, but we should try to.

And I would say this list is the root of a lot of the vulnerabilities shown in those videos, because the MySQL database had read access available to anonymous people; you could, like, connect to it from anywhere on the internet. That's a configuration issue. The Drupal site was allowed to just, like, grant the administrative role to that user after creating the account; that's also a configuration issue.
So it's sort of these things piling up, you know. Getting a little bit of access, you find some more access, and the like. So there's a term, defense in depth, about, like, you know, auditing configuration but also putting in security controls behind that, and sort of thinking about this holistically and not just as a checkbox, as Michael said. Most attacks aren't the result of one vulnerability. SA-005 was kind of the exception there. But most attacks are: I use one little vulnerability, which then I use another vulnerability, and now I've got root everywhere. So keep that in mind.

Also, there are modules out there whose sole purpose is to increase your security. Like, that's all they're designed to do. This is not an exhaustive list, but we'll go through these. Two-factor authentication: really easy to run on your site. It's really, really easy to run on your site. It doesn't require anything special. Just install it, set it up. It provides an enormous second layer of authentication, or second layer of security, for your users. It's sometimes a pain to use, but, you know, security is never easy. The security protections you get, the risk you mitigate by using it, are worth it. And despite the video, unless you have a configuration issue that gives people access to the private key, you can't just, like, hack the TFA module that way. Yeah, it's difficult. Actually, we ran a bounty on it where we basically threw it up on a hosting provider and gave out the username and password, I think it was admin/admin, and said if you can get access to this site and create a node on the site or modify a node, we will give you money, and ran that for three months.
I think, yeah, it was $500, so, like, not an extreme amount but also not a trivial amount of money. And there were, I think we counted, something like 40 different IP addresses that tried to attack it. A couple of people tried brute force attacks on it, which is, like, a theoretical possibility with a six-digit number, but, you know, even after hitting the mathematical number where they should have been able to break it, that person was still not able to break it. So, you know, we had said that brute force attacks were out of scope, because one of the things that I think is important with security is that you know that you're going to get attacked. So as somebody is attacking, you want that to be noisy, especially if they've, like, moved from one place to another. So you want to have detection in place that will make it noisy for them to do that, and a brute force attack on a TOTP code is going to be a pretty noisy thing, because it's going to take, you know, hundreds of thousands of visits to your site from one IP. And actually, TFA now no longer allows brute force attacks. Oh, that's right, using flood. It has flood protection. That's right. So it's harder; it would take a lot longer.

So Paranoia is a really cool module. It mitigates an enormous amount of risk. It is the type of thing that you probably want to start on a dev site or a staging site. I would not roll it out to your production site. It does make things... It takes the best practices that you should be following and makes you follow them, for lack of a better description. Basically, that's the best way to describe it. So if you're using PHP code anywhere on your site and you install Paranoia, you're not using PHP code anywhere on your site anymore. So that's the type of thing you want to install. The Password Policy module: there are a lot of these, but basically, if people are using a password of one character, that's bad.
This stops that. Security Review is a module that basically goes through your configuration and sees if you're making some known common mistakes. So all it does is generate a report. It doesn't change anything, but it's the type of thing you can automate. So there's a drush script for it, and you can run it on your site with every deployment and see if people have, you know, done things that they shouldn't be doing.

Account Sentinel? Yeah, Account Sentinel is a relatively new module. It basically takes a look at the accounts on your site. So it helps to protect against the instance that we saw earlier of an attacker creating an account called "admin one" and then granting it the admin role. Account Sentinel knows everybody who is an admin, and it stores that fact in a database table with a hash. The hash is hopefully stored in settings.php, or based on a salt that's stored in settings.php, so that the hash can't be tampered with in the database directly. So Account Sentinel really, really knows if there are any new accounts added to your site with different roles, different permissions on them, a couple of different things like that, and it will send you an email whenever that happens. It sends an email whenever a password has changed. If you're using the Password Strength module, it will also tell you how strong that person's password was. It has a handful of other features like that so that you can understand... you know, it makes that attack noisy, right, as I was saying earlier. It helps you to know if you've got an attack going on.

So, hosting. Basically, pay for good hosting. Don't use $10 shared hosting, or $50 shared hosting, on the hundred thousand dollar site you just bought. Shared hosting isn't secure. It's cheap. If you're going to spend the money to build a good site, don't host it on the cheap. I should say, don't spend money, then?
Oh, yeah, I've worded it correctly. So host your sites on... I'm not naming company names, but, you know, spend the appropriate money for where your site lives. It is your site's home. Don't put your site in with a bunch of other sites. It won't be happy, for all sorts of reasons.

HTTPS. So we have this wonderful new project out called Let's Encrypt. It generates free SSL certs. There is never a reason to host a site that isn't under SSL. If you're not serving your site over SSL, do it now. And there's a module out there that lets you, like, log in over SSL and then, like, transfers you back to an unsecured domain. Don't use that. It exposes cookies and all sorts of other things. There's no server cost to running SSL nowadays. Just host your site under SSL. Every major hosting company allows this, and if your hosting company doesn't, find a different one.

And then, you know, getting close to the end here because I want to take questions: repeat this on your own sites. So pretend to be a hacker and find out what you can explore on your own sites, or have/pay someone else to do it for you. It's really illuminating what you discover when you go through this on your own site. I will be posting more videos online. There were more videos; we cut the videos down. Also, the videos were sped up significantly so that we weren't sitting here for an hour and a half watching videos. I will put the videos online, probably the end of the day tomorrow, depending on how fast the campus or the Wi-Fi connection is. It may take a few days. And so we'll get the videos online. You'll be able to watch them all. There are ones that are narrated so you kind of see what's going on in real time. Thank you, Greg, and let's take some questions. Yeah, come on up to the mic, please.

I kind of missed the beginning of your talk.
So forgive me if you already went over this, but in recent days we've gone through dozens and dozens of hacked sites. It happens more and more, freaking all the time, and for the most part people don't have backups, or at least they don't have a backup procedure that yields a backup that's not also hacked. So what are your methods of going into a site and going through its files and looking for that information?

So, backups, sorry. So, you know, I typically... you know, there's the hard-line approach that says that once a site's been hacked, there is no 100% surefire way to make sure that it's secure again. You know, the presentation that I think we did last year basically tells the story of someone who got hacked. They cleaned it up, they put their site back online, and it continually gets hacked again because they didn't find anything. There is the Hacked module, which basically goes through and tries to find what's been done. A lot of manual review of user accounts. There is a page in the handbook, oh, that's Drupal.org node 2365547.

I've read it. I'm right. Oh, you read it. Okay. Well, I've done a lot of the things I'm saying, and I was curious if they mirrored something you would do besides actually just rebuilding the whole site, which typically is not in their budget. You know, you've got to go... A lot of it's just manual, right? Yeah. It's manual. It's never guaranteed, right?
Yeah. Thank you.

So my question is about the modules, like new modules. How long does it take before you guys bless them to say it's okay, that they're able to be used for the rest of us using modules on Drupal sites?

So that's a good question. Actually, at the moment, the maintainers make that decision. We have a proposal that we'll be looking at that may change the way that works, but for now the maintainers basically say this is a stable module, and as soon as they do that, it gets security team coverage, and if it's reported as a vulnerability, we follow our processes. And that's why we have the sandbox and the project applications, to help make sure that people aren't just throwing up code on the internet. Thank you.

And just to expand on that: as a security team, to say this module is okay to, you know, be run, that's a sort of hard thing to say for everybody who's building Drupal modules and running Drupal sites. So the way that the security team has decided to communicate that is to say security advisories, which is a, you know, vulnerability report and an upgrade path, are going to come out for stable modules only. So dev modules or alpha/beta modules right now, those don't get security advisories. That's just the way to communicate from the team, but obviously that's an impediment for some, like, module development processes. So that's the proposal that Michael's elaborating on. Let's say, you know, in my experience, like, basically every site that I've seen that was exploited,
they were exploited with vulnerabilities. You know, unless you're, like, Stuxnet or something like that, like, very few resources are compromised by something that's a true zero day that has not been disclosed yet. And so having a healthy, functioning coordinated disclosure program is the best thing that a software project can do to ensure the safety of their users and that of the site builders, and it's the responsibility of the site builders then to upgrade quickly. So I would say, you know, favor modules that have a stable, you know, 1.0 release when you can, and if you can't, encourage the maintainer to do that, work with them to get that done, maybe you pay them to get that done, and then follow updates as quickly as possible. Those are, you know, really the two keys in my mind to have a safe site.

Can you discuss a little bit about sort of drive-by or automated scans or attacks, where it's not so tailored or individual, but it's just, they're out there kind of sucking up the data? If you could discuss some simple mitigation measures.

I'll take that. So if you look at your access log, or whatever your web server happens to call it, you will see these, and what normally is happening is there's been a publicly disclosed vulnerability in a project and an attacker is basically scanning the internet trying to find servers that are running that particular version of that project, or just running that project. So, you know, this happens in everything: WordPress, Drupal, phpMyAdmin had one for ages. And, you know, you'll see attackers going through and just seeing, you know, does this path exist? Does this path exist? Does this path exist? Does this path exist?
Excuse me. And so when they find it, they know they can attempt to exploit that vulnerability.

Yeah, I mean, I think one good solution to that: there are a lot of cloud web application firewall providers, or there are some web application firewalls you can install yourself and run yourself, that have sort of default rule sets to block that kind of traffic, and that's helpful to reduce the resources that are wasted on those requests. It's helpful to get that noise out of your logs so that log analysis and log review will be more valuable. So that seems like a good solution. I mostly just ignore it, honestly, which is probably not the best solution. So you heard it here, Card.com. I mean, on my personal site. Oh, your personal site, okay.

So fail2ban is a really cool tool used for SSH. So if you're attempting to brute force an SSH password, then it basically gives you, like, five tries by default and blocks your IP for a certain amount of time. I've seen people who run just Drupal sites configure that if someone goes to, like, wp-admin on a Drupal site, just block the IP. They're up to no good. Like, wp-admin is not a URL that exists on a Drupal site unless you've done something very strange. Then, you know, so you can install fail2ban or other modules that basically say, oh, you're trying to access this URL that you shouldn't go to: block. You've got to be a little careful with that, because not everyone has a dedicated IP address. So, you know, you may be blocking a good portion of users. Drupal.org tried doing this for a while and ended up blocking, I think, a small country. Am I right on that?
I think there was some, like, we... I'm sorry. Okay, it's not a small country. So we blocked a large chunk of users, you know, because one user was behaving as a bad actor. Yeah.

I have a site that we're migrating to Drupal over the next 12 months, but we have more users over the age of 90 than we do under the age of 40. And so I have stakeholders who are very loath to put forth any sort of strong password policy or two-factor authentication. Is there anything I can do, other than cross my arms on the CEO's desk, to harden my site despite those sorts of limitations?

Do they have to have user accounts? They do, yes. Do they need privileges on those user accounts, like Full HTML? Oh, absolutely not. So that, I mean, that's a huge mitigation there, is that, you know, just because a user... I mean, take Drupal.org for example. Everyone in this room can log into Drupal.org. We don't enforce strong passwords on Drupal.org. So now, what we do do is, if you have admin rights on Drupal.org, you must go through TFA, but anyone can log into Drupal.org. And, you know, we also do a... it's been called many things over the years, but we put you in a penalty box, or penalty box is the wrong term, but we put you in a little waiting period to make sure you're not a spammer before we give you privileges to create anything anywhere. On ramp, on ramp. There we go. It's the welcoming process. Penalty box. I call it penalty box because I'm thinking of Postgrey, which was a mail server implementation of the same concept.

I think one other thing you can do is analysis of the machines that they're coming from. You can do, like, browser fingerprinting. I mean, I guess it sort of depends upon the accounts. Like, if they don't have administrator rights, if they're not accessing sensitive information about themselves or other people, then, you know, maybe it's not a big deal.
Maybe they can have a bad password and that's okay. You can just accept that as a risk for some levels of accounts, but there are other tools that you can use to fingerprint the browser: looking at the user agent, the language, looking at how quickly the people type, looking at the IP address that they come from, the IP address or the geolocation, like HTML5 geolocation, that they're coming from. There are a lot of things like that that you can use to create a fingerprint of visitors to your site, and if you see all of a sudden that they're logging in from somewhere faster than, you know, jet travel would allow, then you can, like, you know, look into the account and see, is this okay or not. If anybody wants to build that module...

So just a reminder, please join us for our hacking sprints. Yes, I modified the default slide. And we've got some people we want to thank, as well as take the survey evaluating this session. We did things a little differently, as you might be able to notice, so we'd like to get some feedback from you on what you thought of it. We have the node ID on the slide, which we got by viewing the source code on the page. Are there any other questions? If you're logged in with edit privileges, sure. Any other questions? Thank you, everybody.
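The "faster than jet travel would allow" check suggested in the last answer, as an added example that is not part of the talk and not any Drupal module: it computes the speed implied by consecutive logins of the same account from geolocated IPs and flags the implausible ones for review. The login events are constructed, and the `Login` type, the 1000 km/h ceiling and the 50 km geo-IP jitter floor are assumptions; it also handles the same-timestamp edge case the talk does not mention.

```python
"""Impossible-travel check for login events (added example, not a Drupal module).
Sample events are constructed; the thresholds are assumptions to tune per site."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter within one metro area


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware, UTC
    lat: float
    lon: float
    ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins: List[Login]) -> List[Tuple[Login, Login, float]]:
    """Return (previous, current, implied km/h) for every login that would need
    the user to have moved faster than MAX_PLAUSIBLE_KMH since their last login."""
    flagged: List[Tuple[Login, Login, float]] = []
    last_seen: Dict[str, Login] = {}
    for cur in sorted(logins, key=lambda e: e.when):  # events may arrive out of order
        prev = last_seen.get(cur.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km >= MIN_DISTANCE_KM:  # small moves are geo-IP noise, not travel
                hours = (cur.when - prev.when).total_seconds() / 3600.0
                kmh = float("inf") if hours <= 0 else km / hours  # same-second logins far apart
                if kmh > MAX_PLAUSIBLE_KMH:
                    flagged.append((prev, cur, kmh))
        last_seen[cur.user] = cur
    return flagged


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_LOGINS = [
    Login("editor1", ts("2016-05-10 14:00"), 42.28, -83.74, "203.0.113.10"),  # Ann Arbor
    Login("editor1", ts("2016-05-10 14:30"), 52.37, 4.90, "198.51.100.7"),    # Amsterdam, 30 min later
    Login("editor2", ts("2016-05-10 09:00"), 42.28, -83.74, "203.0.113.11"),
    Login("editor2", ts("2016-05-10 09:00"), 42.24, -83.60, "203.0.113.12"),  # ~12 km: geo-IP jitter
    Login("editor3", ts("2016-05-10 09:00"), 42.28, -83.74, "203.0.113.13"),
    Login("editor3", ts("2016-05-11 09:00"), 52.37, 4.90, "198.51.100.9"),    # a day later: plausible
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{cur.user}: {prev.ip} -> {cur.ip} implies {kmh:.0f} km/h, review this account")
```

Only editor1 is flagged: the Amsterdam login 30 minutes after Ann Arbor implies roughly 12,700 km/h, while editor2's same-minute pair is below the jitter floor and editor3 had a full day to travel.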