2. Understanding hackers and hacking
- Definitions of "hacker"
- Hacker's motivations
- Evidence of hacking
3. What is a hacker?
- Someone who deliberately seeks to bypass a server's security (black, grey and white hats)
  - A hacked site is a broken/compromised site
- A skilled computer programmer
  - A hacked site is a tweaked and improved site
- A script kiddie: a junior hacker using other hackers' tools and techniques
4. Hacker's motivations
- To see if they can
- To create mayhem
- For social standing in the sub-culture
- For political reasons: hacktivism
- For financial reasons
  - Theft: steal ebooks, videos, games, online services etc.
  - Sell data: user profiles, credit card details etc.
  - Industrial sabotage: paid to break competitor sites
  - Set up zombie farms
  - Steal bandwidth
  - Host phishing pages
  - Collect passwords
5. Evidence of hacking
- None!
- Site trashed
- Hacking message
- High bandwidth use
- Changed admin password
- New user with admin rights
- Server logs
6. Why be concerned about security?
- No-one is safe
- Hacking is actually quite easy
- Fixing hacked sites is tricky
- Hacked sites are a big problem
8. Why worry about hacking?
- Sites are targeted at random
- Hacking is actually quite easy
  - Vulnerable sites are easy to find
  - Vulnerable sites are easy to hack
- Fixing hacked sites is quite tricky
  - Hacks can be invisible
  - Clients may not notice a hacked site for some time
  - Finding a clean backup may be impossible
  - Determining what has been done can be really hard
  - May be difficult to restore
  - Hardening the site to avoid future hacks requires skill and focus
9. Why worry about hacking?
- Hacked sites are a big problem
  - Business reputation
  - Angry clients
  - Site shutdown by host
  - Loss of business
  - Data theft
Photo: flickr.com/photos/gaetanlee/
10. Hacking a Joomla site
- Is Joomla less secure than other systems?
- The site must be vulnerable
- 3 steps to hacking for fun and profit
11. Is Joomla less secure than other systems?
- Yes and no
- Joomla has to strike a balance between security and ease of use
- Joomla is an attractive target for hackers
  - The critical mass of sites
  - Large amateur web developer user base
  - Extensions have variable security
- The site must be vulnerable
12. 3 steps to hacking for fun and profit
- Find a vulnerability (and instructions on how to exploit it)
- Find a vulnerable site
- Hack the site
- Then, sit back and enjoy fame and fortune!
13. Find a vulnerability
- Security sites: www.exploit-db.com, www.secunia.com
- Various hacking sites/forums
- Joomla vulnerable extensions list: docs.joomla.org/Vulnerable_Extensions_List
14. Find a vulnerable site
- Google Dork: a search phrase to find vulnerable sites
  - PHPInfo: intitle:phpinfo()
  - Vulnerable extensions: allinurl:com_acajoom
15. Cut and paste hack code
http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*
Photo: flickr.com/photos/tawheedmanzoor
16. Security action plan
- Web sites are like onions
- Levels of security
- Web development tools
- Strong, unique passwords everywhere
- Continuous attention
20. Web development tools
- WHM: server administration
- cPanel: hosting account administration
- FileZilla: FTP app
- KeePass: password vault
21. General advice
- Strong, unique passwords everywhere
- A password vault removes the need to have a single, simple password
- Continuous attention needed
22. Creating a safe home for Joomla
- Shared, VPS or dedicated servers?
- Apache
- PHP
- MySQL
23. Shared, VPS or dedicated servers?
- A shared server
  - Your site(s) live in the same hosting space as other sites that you do not administer
  - This is the cheapest hosting option
  - No say over the security of the other sites on the server
  - An old shared server is the worst location for your hosting
- A Virtual Private Server
  - Better than shared
  - Still can't change many settings
24. Shared, VPS or dedicated servers?
- A dedicated server
  - Still a "shared" server
  - Allows you to upgrade and tweak all the settings on a dedicated server
  - Host retains responsibility for maintenance
26. Apache
- [3] suExec: CGI scripts run under the user of the website instead of the Apache user
- [3] mod_security: intrusion detection and prevention engine
27. PHP
- [2] PHP5, not PHP4
- [3] suPHP: PHP files are run under the user of the website instead of the Apache user
- Globally reset all files (run from inside the Joomla root)
  - Owner: AccountUsername:AccountUsername
      chown -R user:group *
  - Files: 644
      find . -type f -exec chmod 644 {} \;
  - Folders: 755
      find . -type d -exec chmod 755 {} \;
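The reset above is a one-shot command; what a practitioner also wants is a way to check, before and after, how far a web root has drifted from the 644/755 baseline, because a world-writable folder or an executable PHP file is exactly what a later compromise leaves behind. The script below is an added example, not code from the presentation: it audits a directory tree for permission and ownership deviations, reports them, and applies the same reset the slide gives. The root path, owner and group are arguments (the slide uses the hosting account username for both owner and group); nothing here is specific to Joomla beyond the baseline it enforces.

```shell
#!/bin/sh
# Added example (not from the presentation). Audit and reset the file ownership and
# permission baseline for a web root: files 644, directories 755, everything owned by
# the hosting account. Arguments: web root, owner, group. Run as the account owner
# (or root) before and after the reset; a non-zero count means something to look at.

# Count paths under $1 whose mode is not 644 (files) or 755 (directories).
# Printed as a bare number so it can drive a cron alert or a test.
perm_deviations() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) | wc -l | tr -d ' '
}

# Count paths under $1 not owned by the account user $2 (files the web server wrote
# as the Apache user, or a stray upload, show up here on a suPHP host).
owner_deviations() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Show the deviating paths with their current mode and owner for review.
# Same expression as perm_deviations, wrapped in parentheses so -exec applies to
# both halves of the -o rather than only the directory branch.
perm_report() {
    find "$1" \( \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) \) -exec ls -ld {} \;
}

# The slide's reset, in order: ownership first, then 644 on files and 755 on
# directories. $1 = web root, $2 = owner, $3 = group. The -exec forms end with \;
# so each chmod receives one path; spaces in file names are handled safely.
perm_reset() {
    root="$1"; owner="$2"; group="$3"
    chown -R "$owner:$group" "$root"
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
}

# Stand-alone usage (hypothetical paths): audit, then reset, then audit again.
#   perm_report /home/account/public_html
#   perm_reset  /home/account/public_html account account
#   perm_deviations /home/account/public_html
```

Run the report before the reset and keep its output: a directory that was 777 or a PHP file that was 666 tells you where the site was writable, which is the first place to look for dropped files when the reset is part of a clean-up rather than a routine hardening pass.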
28. Hosting account
- .htaccess files
  - [1] Activate the htaccess file in the Joomla root
  - [1] Use an .htpasswd for the /administrator/ folder
  - [3] Advanced .htaccess files
- A LOT more important detail in the manual
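The /administrator/ password is a small change with a large effect: every request to the backend has to pass Apache's basic authentication before Joomla's own login form is even served. The script below is an added example, not the presentation's own code, showing the two files involved and the check a practitioner wants afterwards: that the .htpasswd file lives outside the web root, so it can never be downloaded if the .htaccess is ever disabled. The Joomla root and .htpasswd paths are assumptions passed as arguments; the Apache directives (AuthType, AuthName, AuthUserFile, Require) are standard.

```shell
#!/bin/sh
# Added example (not from the presentation). Protect Joomla's /administrator/ folder
# with HTTP basic authentication: write the .htaccess Apache reads, add a user to an
# .htpasswd kept OUTSIDE the web root, and verify the result. All paths are arguments.

# Write $1/administrator/.htaccess pointing at the .htpasswd at absolute path $2.
# AuthUserFile requires an absolute path, so a relative one is rejected up front.
write_admin_htaccess() {
    case "$2" in
        /*) ;;
        *) echo "htpasswd path must be absolute (AuthUserFile needs it): $2" >&2; return 1 ;;
    esac
    cat > "$1/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted administrator area"
AuthUserFile $2
Require valid-user
EOF
}

# Append user $2 with password $3 to the .htpasswd at $1, using Apache's MD5-based
# (\$apr1\$) hash, which every Apache build accepts; needs the openssl CLI.
add_htpasswd_user() {
    printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" >> "$1"
}

# Return 0 when $1/administrator/.htaccess carries all four directives and its
# AuthUserFile is not inside the web root $1; 1 otherwise. An .htpasswd inside the
# web root is served as a plain file the moment .htaccess processing is switched off.
check_admin_protection() {
    root="$1"; ht="$root/administrator/.htaccess"
    [ -f "$ht" ] || return 1
    for d in AuthType AuthName AuthUserFile Require; do
        grep -q "^$d " "$ht" || return 1
    done
    pw=$(awk '$1 == "AuthUserFile" { print $2 }' "$ht")
    case "$pw" in
        "$root"/*) return 1 ;;
    esac
    return 0
}

# Stand-alone usage (hypothetical paths): the .htpasswd sits one level above public_html.
#   write_admin_htaccess /home/account/public_html /home/account/.htpasswd
#   add_htpasswd_user    /home/account/.htpasswd admin 'a-long-unique-passphrase'
#   check_admin_protection /home/account/public_html && echo "administrator protected"
```

The .htaccess only takes effect where the host's Apache configuration has AllowOverride set to permit AuthConfig for the account; on a shared host that is usually the case but is worth confirming with a browser before relying on it. Use a different username and password from the Joomla administrator account, since the two prompts are separate layers.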
29. Securing a Joomla site
- Keeping up to date
- Avoiding the obvious
- Hide, and be very, very quiet
- Spam form submissions
- Install sh404SEF
30. Keeping up to date
- Must update Joomla core and extensions
- Remove unused extensions
31. Avoiding the obvious
- [1] The default database table prefix is jos_
- [1] The default admin username is admin
- [1] The default admin user ID is 62
- [1] Change administrator access URL
32. Hide, and be very, very quiet
- [1] SEF all URLs
- [1] Clear the default Joomla meta tags
- [1] Clear the default Home page title
- [1] Remove generator tag
- [1] Change favicon
- [2] Hide component credits
33. Spam form submissions
- Trying to inject spam content onto your site
- Targets Joomla core forms and extension forms
- Install a captcha system
34. Install sh404SEF
- SEF URLs hide from Google Dorks
- Flood control
- Other security settings
35. Creating a safe working environment
- PC vulnerability to hacks
- FTP access hacks
- A note about users
"Burglar bars, electric fences, alarms… and a key left under the doormat"
36. PC vulnerability to hacks
- [1] Install all operating system patches
- [1] Install all application system patches
- [1] Run comprehensive real-time protection apps
- [1] Install Secunia PSI
- [1] Secure your PC login
- [1] Secure your backup storage
- [2] Use a secure web browser
37. FTP access hacks
- If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier
- FTP passwords are stored unencrypted in your FTP program!
- FTP authentication details pass unencrypted to the server!
- There are several common FTP apps that store their passwords in a standard location with a standard name!
38. FTP configuration
- [1] cPanel setup
  - Make sure that the FTP password is strong
- [1] PC setup
  - Password vault (LastPass, KeePass) to store the strong password
  - Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)
- [1] FileZilla
  - Copy all passwords to the password vault
  - Delete all passwords from the Site Manager
  - Set FileZilla to run in Kiosk mode
39. FTP configuration
- [2] Joomla
  - Remove the FTP details from the configuration file
- [3] WHM
  - Disable FTP access and allow only SFTP access
A note about users
- You should ideally create separate user accounts for each staff member
40. Preparing for the worst
- Site monitoring
- A disaster recovery plan
- Joomla site backups
- Restoring a hacked site
41. Site monitoring
- Diagnostics
  - Site down
  - Home page content changes
  - mod_security logs (shows attempts)
  - Bandwidth use
  - Spam blacklisting
- [3] Searching and browsing server logs
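"Searching and browsing server logs" is the one diagnostic that shows an attempt rather than its aftermath, and the deck's own cut-and-paste slide tells you what to search for: a component query string carrying union/select padded with /**/ comments, or a direct read of jos_users. The script below is an added example, not the presentation's code: it runs that search over a few constructed Apache access-log lines (the IPs are documentation ranges, not real clients), then pivots to everything else the same client did, which is how you find the administrator request that followed the injection. The log path is an argument; the patterns are assumptions drawn from the slide's example URL.

```shell
#!/bin/sh
# Added example (not from the presentation). Triage an Apache access log for
# SQL-injection attempts of the kind shown on the "cut and paste hack code" slide,
# then list every request the flagged client made. The sample lines below are
# constructed for this example; IPs are from RFC 5737 documentation ranges.

SAMPLE_LOG='203.0.113.5 - - [10/Oct/2010:13:55:36 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:01 +0200] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1&mailingid=1/**/union/**/select/**/1,concat(username,0x3a,password)/**/from/**/jos_users/* HTTP/1.1" 200 4010 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2010:13:56:09 +0200] "GET /administrator/index.php HTTP/1.1" 200 2200 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2010:13:57:20 +0200] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2010:14:01:02 +0200] "GET /index.php?option=com_user&view=login HTTP/1.1" 200 3300 "-" "curl/7.19"'

# Write the constructed sample to $1 so the functions below can be tried offline.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Lines from log $1 whose request carries an injection marker: "union ... select"
# with comment, %20, + or space padding between the words, a reference to the
# default jos_users table, or concat( used to pull columns together.
suspicious_requests() {
    grep -iE 'union(/\*\*/|%20|\+| )+select|jos_users|concat\(' "$1"
}

# Number of flagged lines, for an alert threshold in a cron job.
suspicious_count() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# Source IPs of the flagged requests, most active first (count, then address).
suspicious_ips() {
    suspicious_requests "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Every request client $2 made, in log order: the pivot that shows what happened
# after the injection (here, a visit to /administrator/ nine seconds later).
requests_from_ip() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# Stand-alone usage against the constructed sample:
#   write_sample_log /tmp/access.log
#   suspicious_ips /tmp/access.log
#   requests_from_ip /tmp/access.log 198.51.100.7
```

On a real host the same functions run over the rotated access logs and the mod_security audit log; a status of 200 on the flagged line, as in the sample, is the detail that separates a blocked probe from a query that actually returned data.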
42. Disaster Recovery Plan
- Depending on how central your web site is to your business, you may need a DRP
- See Tom Canavan's presentation: http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery
Photo: flickr.com/photos/28481088@N00
43. Joomla site backups
- Long-cycle Joomla backups are critical
- Redundant backups lead to restful sleep
- See my Joomla for Web Developers talk for MUCH more detail
44. Restoring a hacked site
- Fixes the obvious problems
- Does not address:
  - Hidden hacks
  - Shell scripts
  - Backdoors
  - Zombies
  - Continuing vulnerabilities
  - Impacts of data exposure
Photo: flickr.com/photos/andreweason
45. Credits/Disclaimer
- Brendon Hatcher is the compiler of this presentation
- The presentation is released under the Creative Commons Licence: Attribution, Non-commercial, No derivatives
- If you don't know what this licence means, go to creativecommons.org
- The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.