Sipping on a good single malt whiskey, which kind of makes him my kind of person. But anyway, that's another story. So his session today will be... he will give us more information on hack attempts and how we can have a good understanding of what hack attempts are and how they work. He has a company called press 84 that deals with such things, so I'm sure he has a lot of interesting things to share with us. So, welcome.

And it cut prepped record, otherwise... hear me? All right, okay. First time I'm going to try something. I hope I don't pronounce it badly, but: Drasty as a casual. I... So I've been doing WordPress basically since 2005, version 1.5. I started out as an end user, just creating some sites for me about my hobbies, about the group of friends which I used to play basketball with, and things like that. All just basic stuff, and gradually that advanced to just making some minor code tweaks. I grew into somewhat of a hobby dev, and then back in 2008 I started working at a hosting company as a support engineer; eventually I grew into a senior support engineer. Besides working there, I started my own company back in 2010. So that's basically my background with what I do on WordPress. You can find me on Twitter at break take out, my personal site at break take out.com and my company site at present before.

Now let's talk about hacking, first and foremost. Just by show of hands, who's here because he or she has been hacked before? There's not a lot of hands, which is actually fairly good news. I'm happy about that. Now there's one common misconception I would like to end right here, right now, today, and that is: you're not the target. And also, it's a good thing. Otherwise... Basically the better part of all hacks are fully automated.
So they happen through leaks in plugins, leaks in themes, leaks in core, often also leaks in server software if it's not kept up to date, but also things like brute forcing. So there are many techniques that hackers can use to get access to your website. Now there's good news here as well, because automated hacks are usually easier to stop. If you're not a personal target, if they're not just targeting you and your specific site, usually they're just using a very common technique or a known leak or whatever, and that means it's easier to fix, easier to hold. In most cases it could be as simple as updating a theme, a plugin, updating core, changing passwords, just updating your server software if you manage your server stack yourself, or adding a rule to your web application firewall.

Now, how does hacking go about, how does it work? There's a number of types of attacks. Well, not the most common ones, but the ones I see most often are SQL injections and brute forcing. But sadly there's quite a number more different types of attacks, and I'm not going to be able to go over all of them, but I'll just highlight two and give a really basic explanation.

So, SQL injection is actually a hack that targets the database directly. It attempts to inject a certain amount of code into the database, a certain amount of data; it could be a new user that's being created, anything like that. And usually it's caused by a lack of input validation in the code. So, to put it simply, this would be a good example of SQL injection.

Then there's another fairly common one, which is a brute-forcing attempt. Basically what you see in the logs is just POST after POST after POST to wp-login.php, just attempting another username and password combination until they find one. In most cases hackers use what's called rainbow tables: huge files containing the most common usernames, the most common passwords, and they just fire every single attempt at your site.
So these things are fairly easy to stop. You could block the IP, you could, yeah, basically do quite a lot of things, but blocking the IP would probably be the quickest and most effective way to do it. If it's not clear for anyone what a brute-forcing attack would be: imagine doing this when meeting an old colleague, just randomly shouting names out until the guy says yes. That would basically be a brute-forcing attack.

Now of course we're here for some real-life examples. And before we start, I would like to make a disclaimer: we're not here to make fun of anyone, we're not here to laugh or to point the finger at anyone. We're trying to learn from some mistakes that were made and have since been corrected.

So does anyone remember this one? 2014 was a very interesting year for this plugin; this was a massive hack. The hacking in this case was a local file inclusion, so actually making the files accessible through the hack, and it had a massive impact. When this vulnerability was discovered, within a couple of months... I think at that point the shared hosting cluster I was helping to manage had about 60,000 active accounts, something like that, and a couple of months in we had already seen over 10,000 sites hacked by this. The impact was immense. Now the problem: this is a fictional path, but in essence the plugin would do an action, show image, and then the full path was actually used in the URL. Now this would be the problem, the full path, because can anyone just imagine what would have happened if you would have done this? Anyone? Yeah. You can basically access everything from there.
Yeah, and with this specific one, any idea? Actually, it would have downloaded your wp-config.php, and if you have the wp-config.php you have the database access, you have the salts, you have basically everything. So this was a massive, massive problem. They fixed it just by providing an update, which was cool, which was good, but kind of bad that this happened. So yeah, we spoke of that: in the logs you could see something like this happening, and at that point you already know, okay, I'm a victim, they had me.

A second, more recent example: the WP GDPR Compliance plugin gave many among us quite some headache, including me. This was, I think, around the 7th of November, and this was a privilege escalation issue. This was actually a bit more complex, not as easy to execute as the previous one. There was a lack of a capability check on the save settings, and you could abuse the do_action function. So in the logs you would see things like this: they would do some POST to admin-ajax.php, just altering some settings, because it wasn't checked, and then, even though you had user registration completely disabled, they were able to register and then validate, and they had access. And then again, when they're in your back end, basically they have access to everything.

Now, my website: why is my website being hacked, being attacked again? It's nothing personal, not at all. Has anyone ever heard about dorks? Just by show of hands. No? Okay, cool. So they're the best friend of a script kiddie, and it's a way of, for example, abusing Google to identify possible targets. So let's go back to our RevSlider example. At the top in the search bar you'll see a specific dork. It's just a basic search command, but if you use that, the results that you get are a list of sites. This was done on google.be because I'm from Belgium.
So mostly .be sites here, which are actually disclosing that they are running RevSlider. This will not tell you anything about the version they're running, but it will tell you that it is running RevSlider. This one as well; this is another variation on the same dork, it just helps you identify sites that run RevSlider in this case. So these are the dorks that were used to generate these screenshots, and the results. The thing is, if you're able to use Google to generate lists of sites that have this plugin active, you're also probably going to be able, as a script kiddie, to write some Python script or something like that to scrape the results and add them to a text file, and then it's just running your script against your list of URLs, your list of domains, and you can easily start abusing this.

Preventing hacks. This is actually an interesting one, because some people tend to think that preventing hacks is strictly something that should be done by the user. Others think it's something that strictly needs to be done by the developer, or the host, or anyone involved in the process of getting your WordPress site online. And actually, that's the hard part of securing a site: it's a cooperation.
It's a cooperation between all parties involved. Let me put it like this: you could have a top-notch hoster which tightens every loophole and makes sure that it's completely secured. You could use, as an end user, the best security techniques on your PC, on the password level, so using password security programs, generating really complex passwords, storing them securely, making sure you have the best security software on your computer. But still, in the end, if you're using a plugin that has a major issue or a major leak, you're still prone to be hacked, you're still going to be subject to hacking. So it's a shared responsibility of us all: not just the people who make WordPress or plugins or themes, but also the end user and the people who are hosting it. And that's why I try to give a few tips on how to improve this, because if we don't cooperate we're going to see a lot more hacks in the future, and especially with a revamp of WordPress coming in 5.0 with Gutenberg, I'm kind of wary at this point to see how this will turn out security-wise, because a lot of plugins and themes will need to be altered, and the impact of that could result in some new leaks. So I'm on watch to see what happens.

So if you're a developer, this is probably going to be basic, but if you're using input of any kind, please sanitize it. Be very aware of the functions you use, the hooks you use; fall back on the Codex, because these are the kind of things that will make an impact. And this one is often forgotten: code reviewing. I mean this on different levels. I know, for example, that Yoast, the company which makes the SEO plugin, has their code reviewed by one of the more popular security firms, and they do this for basically every release. But you don't have to invest those kinds of amounts to get your code secure. Just do peer reviewing: have a colleague go over your code, you go over his code, learn from each other. You
as a second pair of eyes will always find something you will have missed, and this way we can make our code a little bit better or a little bit more secure. The same goes for system administrators, people who run the servers: make sure you have the best security tools installed and operating on their servers. I'm talking about mod_security as a part of a web application firewall, use OWASP, use OSSEC. What's wrong, for example, is a commercial product, as opposed to the other ones, but also a very great product that will help patch old leaks. So those are things that can be done on that level and that most hosting companies will do to keep your site safe.

And then there's the end user. I think we have a problem with WordPress, and that is that it's very easy to use, it's accessible, it's easy to understand, there's no steep learning curve. The problem there is that it's almost too easy. Now things are being done within WordPress, like suggesting a stronger password, obviously, but it still isn't always enough to prevent the end user from doing, well, let's say things that don't really comply with best practices. So for example, at the company I work for, when we do an install of WordPress, we make sure it's a complex username. What do we often see? The user comes in, logs in for the first time, creates a new administrator user called admin. You can't prevent these things, but it is important that our end users are educated and that the risks of using these kinds of simple and generic usernames are actually known to them, because that's also already a part of the hack.

And updates. As former Microsoft CEO Steve Ballmer would have put it: updates, updates, updates. Really, I can't stress this enough, because if you look at the statistics, a huge percentage of all hacks come from outdated core versions, outdated themes, outdated plugins. So please, please, please keep on updating your WordPress set of everything you need, and that will help
keep you safe. And well, then of course there are the other practices, like installing a decent security plugin. It will help; it won't fix everything, but it will help. And that's basically what we need to do. And a bit sooner than I was expecting, we're actually already at the Q&A. So, okay.

You've shown us the example for the slider plugin, that it can be listed in Google. How can we prevent Google indexing our plugin lists or plugin directory, maybe?

Well, there are a few ways you could do that. For example, just setting some blocking rules in the .htaccess by user agent, so using the user agent of the Googlebot, for example. There are a couple of other ways. The problem there would be: if you would use, for example, Yoast SEO, which integrates nicely with the Google services, and you do that kind of blocking, that would also have a negative effect on the operation of the Yoast SEO plugin. So in this case it would be choosing the least bad solution, I would say. The lesser of two evils, that's the term I was looking for. Thanks. Thank you. Anybody else?

I have one question here. In your opinion as a security expert, what advice would you give to someone that doesn't have a lot of technical experience, but is an owner of,
let's say, a few small websites?

Well, it would depend. If they have the budget: hire someone, exactly, or outsource the security part to a company specializing in this. If you do not have the budget to do that, obviously get a good security plugin, not a free one; go for a clean solution. Check with your host, because usually they also have some extra security techniques or services that could be enabled that aren't on by default, for example, and could help out as well. But it would actually come down to just checking the site, perhaps reducing the number of plugins to a minimum, just don't use anything you don't need to use per se, because every extra plugin would be an extra chance for a loophole or leak. Same with themes: things that are inactive in your setup, remove them. Choose good passwords. There's actually a bunch of information out on the subject, several good blog posts; I might try and tweet some of those later on today. But it would actually all depend on how the sites are built, because you can, for example, do the security of a nearly static corporate site in a completely different way than, for example, a WooCommerce-based site, because the usage scenario will be different, and that will also have an impact on how to secure the website. It would depend on the website. But there's a lot of guys who are active in security for WordPress specifically. If you reach out to them, at the WordCamp, a meetup, whatever, they will help you. Same goes for me. If you want to, I'll just talk with you afterwards and give you some things. Okay.

I have this question. Okay, if you get hacked, for example, how do you understand where the hack came from? FTP?
Well, when I see a hack, or I get the report of a hacked site, basically what I would do first is just check what the impact of the hack would be. So to see if there are files altered or something like that, if it's theme files, if there's an indication that this might be in the database, or this might be there. And if it would be something that would be traceable in the files, I would then connect over SSH to the server, do a file listing, see what the timestamp was on the files for the last alteration, and then I would go into the logs and see if there's something that we can correlate to that specific time. That in 90% of the cases will give you a good indication of when and how the hack was performed. So for example, I'm just going back a couple of slides here, this one for example: one of the sites was using RevSlider. In this case we would have seen, okay, so the hack on the site would have happened after, let's say, two o'clock in the afternoon, and if we see this happening at 1:45 in the afternoon, we'll have a pretty good idea this would be pretty close to the actual time of change. And in the logs it'll show you that they actually requested the wp-config.php file; that would be a rather clear indication of, okay, this is the type of hack that has happened. And then it comes down to running scans, seeing what exactly was altered, and restoring, or just changing the altered files.

What do you think about renaming the admin URI itself? Do you think that was helpful in such a case or not really?

Well, basically you're talking about security through obscurity, so securing something by hiding it. I'm not opposed to it, but I don't see it as a valid primary measure. We can add it as a secondary measure, sure, but as a primary measure I wouldn't base my whole security strategy on that technique, you know. Sure.

Hi, Brett. Well, firstly, thanks very much. You mentioned something about WordPress 5 coming out.
I have concerns about updating websites to 5. We're not holding back. Is it your recommendation to do that? And what are the potential effects that WordPress 5 will have on security?

Well, that's the question, to be honest. With my own company I manage, and I do maintenance and manage security for, one specific client, over a couple of hundred sites, all types of sites: webshops, corporate sites, you name it. As soon as WordPress 5.0 comes out, I won't be updating right away. No way. I'm at least going to hold out for a couple of days, so we can see which plugins and themes get broken, if there are leaks occurring, because usually whenever there's a new leak in WordPress in a major release it's found rather quickly. The code is open, it's open source, so people are digging in to see if there is something we can exploit, both white hat and black hat. So I think in this case... it's kind of counterproductive to advise people not to update, because in most cases updates are so essential. But in this case we're changing the entire editor, which has a major impact. So in this case, specifically for WordPress 5.0, I would give the advice: wait for four, five days, something like that; just hold out to see what the initial problems are, if there are major issues or minor issues. If it's a major issue, we'll know about it quickly. So I would suggest holding out just a couple of days. That's usually what I do if there's a major release of a plugin or WordPress or a theme, anything that needs to be updated: I tend to wait 48 hours just to see if anything happens. You can run tests yourself, but in this case kind of crowdsourcing it would be good. So it's good to take a look yourself, but know that other people will also be looking, and out of all those tests something will arise. So, hope that answers your question. Okay, that's all. Thank you.
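Editor's added example, not part of the talk and not the code of RevSlider or any other plugin. The "show image" handler the speaker describes takes a file name from the request and serves it; with a traversal such as ../../../../wp-config.php the handler walks out of its image directory. The script below reconstructs that bug in Python against a throwaway directory tree built by the script itself (the paths, file contents and the hypothetical show_image_* functions are all constructed for the demo), and places the hardened version beside it: resolve the path first, then prove it is still inside the allowed directory.

```python
"""Path traversal in a 'show image' style file handler (constructed demo)."""
import os
import tempfile


def build_demo_site() -> str:
    """Create a throwaway tree that imitates a WordPress install."""
    root = tempfile.mkdtemp(prefix="wpdemo_")
    img_dir = os.path.join(root, "wp-content", "plugins", "slider", "img")
    os.makedirs(img_dir)
    with open(os.path.join(img_dir, "banner.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8fake-jpeg")  # constructed image stand-in
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    return root


def show_image_vulnerable(img_dir: str, img: str) -> bytes:
    """Buggy pattern: trust the request parameter and join it to the dir.

    os.path.join() keeps '..' segments, so '../../../../wp-config.php'
    walks four levels up and returns the configuration file.
    """
    with open(os.path.join(img_dir, img), "rb") as fh:
        return fh.read()


def show_image_hardened(img_dir: str, img: str) -> bytes:
    """Resolve the path, then refuse anything outside the image directory."""
    base = os.path.realpath(img_dir)
    target = os.path.realpath(os.path.join(base, img))
    # commonpath() is the robust containment test; a plain startswith()
    # would accept a sibling directory such as '.../img_private'.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside image dir: {img!r}")
    # Narrow what the handler may serve to image files only.
    if not target.lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
        raise PermissionError(f"not an image: {img!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Run both handlers against a traversal payload and a legitimate file."""
    root = build_demo_site()
    img_dir = os.path.join(root, "wp-content", "plugins", "slider", "img")
    traversal = "../../../../wp-config.php"
    results = {
        "vuln_leaks_config": b"DB_PASSWORD" in show_image_vulnerable(img_dir, traversal),
        "hardened_serves_image": show_image_hardened(img_dir, "banner.jpg").startswith(b"\xff\xd8"),
    }
    try:
        show_image_hardened(img_dir, traversal)
        results["hardened_blocks_traversal"] = False
    except PermissionError:
        results["hardened_blocks_traversal"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the resolved path, not on the raw parameter, so URL-encoded or symlinked variants of the traversal end up at the same verdict; stripping ".." from the input string is not a substitute for it.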
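Editor's added example, not the speaker's code. It ties together three things the talk and the Q&A describe: the POST-after-POST flood against wp-login.php, the request that pulls wp-config.php through a plugin handler, and the forensic step of matching suspicious requests to the modification time of an altered file. The log lines, addresses and timestamps are constructed for the demo (the Apache combined format is real; the hosts are documentation ranges), and the thresholds are assumptions you would tune per site.

```python
"""Access-log triage for brute force, traversal and mtime correlation."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache combined format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _build_sample_log() -> str:
    """Constructed log: one traversal request, one normal login, one flood."""
    lines = [
        '203.0.113.7 - - [12/Nov/2018:13:44:58 +0100] "GET /wp-content/plugins/'
        'slider/show.php?action=show_image&img=..%2F..%2F..%2F..%2Fwp-config.php '
        'HTTP/1.1" 200 3124 "-" "python-requests/2.19"',
        '198.51.100.20 - - [12/Nov/2018:13:45:01 +0100] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [12/Nov/2018:13:46:30 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for i in range(15):  # 15 login attempts from one address within 30 seconds
        lines.append(f'192.0.2.55 - - [12/Nov/2018:13:50:{10 + 2 * i:02d} +0100] '
                     '"POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"')
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()
# Assumed mtime of the defaced file found by the `ls -l` step in the Q&A.
ALTERED_AT = datetime(2018, 11, 12, 14, 0, 0, tzinfo=timezone(timedelta(hours=1)))


def parse_log(text: str) -> list:
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": unquote(m["path"]),  # decode %2F etc. before inspecting
            "status": int(m["status"]),
        })
    return entries


def find_traversal(entries: list) -> list:
    """Requests carrying '..' segments or naming wp-config.php (never served)."""
    return [e for e in entries
            if "../" in e["path"] or "..\\" in e["path"] or "wp-config.php" in e["path"]]


def find_bruteforce(entries: list, threshold: int = 10,
                    window: timedelta = timedelta(seconds=60)) -> dict:
    """IPs with >= threshold POSTs to wp-login.php inside any `window`."""
    hits = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php":
            hits[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def correlate_with_mtime(entries: list, mtime: datetime,
                         lookback: timedelta = timedelta(minutes=30)) -> list:
    """Suspicious requests in the window just before the file was altered."""
    suspects = find_traversal(entries)
    brute = find_bruteforce(entries)
    lo = mtime - lookback
    return [e for e in entries
            if lo <= e["ts"] <= mtime and (e in suspects or e["ip"] in brute)]


def demo() -> dict:
    entries = parse_log(SAMPLE_LOG)
    return {
        "traversal": [(e["ip"], e["path"]) for e in find_traversal(entries)],
        "bruteforce": find_bruteforce(entries),
        "correlated": [(e["ts"].strftime("%H:%M:%S"), e["ip"], e["path"].split("?")[0])
                       for e in correlate_with_mtime(entries, ALTERED_AT)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The traversal check runs on the URL-decoded path, which is why the %2F-encoded payload in the sample is still caught; the brute-force check uses a sliding window per source address rather than a flat count, so a legitimate user's single failed login from another address is not flagged. On a real server the same functions would be fed the output of `zcat access.log*.gz` and the mtime from `stat` on the altered file.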