1. JoomlaSecurity Bare essentials to serious measures Brendon Hatcher Technical Director Photo: flickr.com/photos/carbonnyc

2. Understanding hackers and hacking Definitions of “hacker” Hacker’s motivations Evidence of hacking

3. What is a hacker? Someone who deliberately seeks to bypass a server’s security Black, grey, white hats A hacked site is a broken/compromised site A skilled computer programmer A hacked site is a tweaked and improved site A script kiddie Junior hacker using otherhacker’s tools and techniques

4. Hacker’s motivations To see if they can To create mayhem For social standing in the sub-culture For political reasons – hacktivism For financial reasons Theft – steal ebooks, videos, games, online services etc Sell data – user profiles, credit card details etc Industrial sabotage - paid to break competitor sites Set up zombie farms Steal bandwidth Host phishing pages Collect passwords

5. Evidence of hacking None! Site trashed Hacking message High bandwidth use Changed admin password New user with admin rights Server logs

6. Why be concernedabout security? No-one is safe Hacking is actually quite easy Fixing hacked sites is tricky Hacked sites are a big problem

7. No-one is safe

8. Why worry about hacking?  Sites are targeted at random Hacking is actually quite easy Vulnerable sites are easy to find Vulnerable sites are easy to hack Fixing hacked sites is quite tricky Hacks can be invisible Clients may not notice a hacked site for some time Finding a clean backup may be impossible Determining what has been done can be really hard May be difficult to restore Hardening site to avoid future hacks requires skill and focus

9. Why worry about hacking?  Hacked sites are a big problem Business reputation Angry clients Site shutdown by host Loss of business Data theft Photo: flickr.com/photos/gaetanlee/

10. Hacking aJoomla site Is Joomla less secure than other systems? The site must be vulnerable 3 steps to hacking for fun and profit

11. Is Joomla less secure than other systems? Yes and No Joomla has to strike a balance between security and ease of use Joomla an attractive target for hackers The critical mass of sites Large amateur web developer user base Extensions have variable security The site must be vulnerable

12. 3 steps to hacking for fun and profit Find a vulnerability (and instructions on how to exploit it) Find a vulnerable site Hack the site Then, sit back and enjoy fame and fortune!

13.  Find a vulnerability Security sites www.exploit-db.com, www.secunia.com Various hacking sites/forums Joomlavulnerable extensions list docs.joomla.org/Vulnerable_Extensions_List

14.  Find a vulnerable site Google Dork - a search phrase to find vulnerable sites PHPInfo intitle:phpinfo() Vulnerable extensions allinurl:com_acajoom

15.  Cut and paste hack code http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/* Photo: flickr.com/photos/tawheedmanzoor

16. Securityaction plan Web sites are like onions Levels of security Web development tools Strong, unique passwords everywhere Continuous attention

18. Extensions

20. Web development tools WHM – server administration cPanel – hosting account administration FileZilla – FTP app Keepass – password vault

21. General advice Strong, unique passwords everywhere A password vault removes the need to have a single, simple password Continuous attention needed

22. Creating a safehome for Joomla Shared, VPS or dedicated servers? Apache PHP MySQL

23. Shared, VPS or dedicated servers? A shared server Your site(s) live in the same hosting space as other sites that you do not administer This is the cheapest hosting option. No say over the security of the other sites on the server Old shared server is the worst location for your hosting A Virtual Private Server Better than shared Still can’t change many settings

24. Shared, VPS or dedicated servers? A dedicated server Still a “shared” server Allow you to upgrade and tweak all the settings on a dedicated server Host retains responsibility for maintenance

25. Additional security Suhosin – hardens PHP Samhain or Tripwire Configserver firewall

26. Apache [3] suExec CGI scripts run under the user of the website instead of the Apache user [3] Mod_security Intrusion detection and prevention engine

27. PHP [2] PHP5, not PHP4 [3] suPHP PHP files are run under the user of the website instead of the Apache user Globally reset all files Owner – AccountUsername:AccountUsernamechown -R user:group * Files – 644find . -type f -exec chmod 644 {} Folders – 755find . -type d -exec chmod 755 {}

28. Hosting account .htaccess files [1] Activate the htaccess file in the Joomla root [1] Use an .htpasswd for the /administrator/ folder [3] Advanced .htaccess files A LOT more important detail in the manual

29. Keeping up to date Avoiding the obvious Hide, and be very, very quiet Spam form submissions Install sh404SEF  Securing aJoomla site

30. Keeping up to date Must update Joomla core and extensions Remove unused extensions

31. Avoiding the obvious [1] The default database extension is jos_ [1] The default admin username is admin [1] The default admin user ID is 62 [1] Change administrator access URL

32. Hide, and be very, very quiet [1] SEF all URLs [1] Clear the default Joomlametatags [1] Clear the default Home page title [1] Remove generator tag [1] Change favicon [2] Hide component credits

33. Spam form submissions Trying to inject spam content onto your site Targets Joomla core forms and extension forms Install a captcha system

34. Install sh404SEF SEF URLS hide from Google Dorks Flood control Other security settings

35. Creating a safe working environment PC vulnerability to hacks FTP access hacks A note about users “Burglar bars, electric fences, alarms…and a key left under the doormat”

36. PC vulnerability to hacks [1] Install all operating system patches [1] Install all application system patches [1] Run comprehensive real-time protection apps [1] Install Secunia PSI [1] Secure your PC login [1] Secure your backup storage [2] Use a secure web browser

37. FTP access hacks If a hacker can obtain your FTP password, they can login as you, bypassing almost every security barrier. FTP passwords are stored unencrypted in your FTP program! FTP authentication details pass unencrypted to the server! There are several common FTP apps that store their passwords in a standard location with a standard name!

38. FTP configuration [1] cPanel setup Make sure that the FTP password is strong [1] PC setup Password vault (LastPass , Keepass ) to store the strong password Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC) [1] FileZilla Copy all passwords to the password vault Delete all passwords from the Site Manager Set FileZilla to run in Kiosk mode

39. FTP configuration [2] Joomla Remove the FTP details from the configuration file [3] WHM Disable FTP access and allow only SFTP access A note about users You should ideally create separate user accounts for each staff member

40. Preparing forthe worst Site monitoring A disaster recovery plan Joomla site backups Restoring a hacked site

41. Site monitoring Diagnostics Site down Home page content changes Mod_security logs (shows attempts) Bandwidth use Spam blacklisting [3] Searching and browsing server logs

42. Disaster Recovery Plan Depending on how central your web site is to your business, you may need a DRP See Tom Canavan’s presentation http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery Photo: flickr.com/photos/28481088@N00

43. Joomla site backups Long-cycle Joomla backups are critical Redundant backups lead to restful sleep See my Joomla for Web Developer talk for MUCH more detail

44. Restoring a hacked site Fixes the obvious problems Does not address: Hidden hacks Shell scripts Backdoors Zombies Continuing vulnerabilities Impacts of data exposure Photo: flickr.com/photos/andreweason

45. Credits/Disclaimer Brendon Hatcher is the compiler of this presentation The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives If you don’t know what this licence means, go to creativecommons.org The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.