ACCESS DENIED: KEEPING YOURSELF OFF AN ATTACKER’S RADAR
Paul Gilzow

gilzow@missouri.edu

Twitter: @gilzow

Facebook: https://fb.com/gilzow

https://www.linkedin.com/in/gilzow
TL;DSWTGMC SUMMARY (Too Long; Didn’t Stay, Went to Get More Coffee)
▸ Implicitly Deny
▸ Defense-in-Depth
WHY DO ATTACKERS TARGET YOU
▸ Your site resources
▸ Your domain
▸ Your SEO reputation
▸ Your visitors
WHY WORDPRESS IS AN ATTRACTIVE TARGET
▸ Market share
▸ Open Source
▸ Extremely easy to set up and get running, not so easy to secure
▸ Anyone can create and submit a theme/plugin
“WHAT MAKES WORDPRESS SO INSECURE IS THAT IT'S HIGHLY EXTENSIBLE AND EASY TO USE; WORDPRESS SECURITY ISSUES REVOLVE ALMOST ENTIRELY AROUND THIS EXTENSIBILITY AND EASINESS OF USE.”
Tony Perez, @perezbox
CURRENT STATE OF WORDPRESS SECURITY
▸ Most compromises occur through
  ▸ Vulnerable plugins and themes
  ▸ Weak passwords
  ▸ WordPress out-of-date
AS AN OWNER/MAINTAINER OF A WORDPRESS SITE, IT IS YOUR RESPONSIBILITY TO BE PARANOID
SO WHAT DO WE DO?
DEFENSE-IN-DEPTH
WPSCAN: Passive (non-intrusive) scan
▸ robots.txt
▸ Interesting headers
▸ Multisite
▸ Must-use plugins
▸ XML-RPC
▸ WordPress version
▸ Plugins/themes
WPSCAN: Active scan
▸ Scans for signs of vulnerable plugins
▸ Scans for signs of vulnerable themes
▸ Scans for signs of TimThumb
▸ Attempts to enumerate user account names
COUNTER MEASURES
▸ Prevent PHP execution in /wp-content/uploads/
COUNTER MEASURES
▸ Prevent PHP execution in /wp-content/uploads/
▸ Protect wp-content completely
  ▸ Not only prevent PHP execution, but
  ▸ Implicit deny (only allow what is necessary and expected)
COUNTER MEASURES
▸ Protect wp-content
  ▸ Prevent PHP execution
  ▸ Implicit deny (only allow what is necessary and expected)
▸ Protect wp-includes
COUNTER MEASURES
▸ Protect wp-content
  ▸ Prevent PHP execution
  ▸ Implicit deny (only allow what is necessary and expected)
▸ Protect wp-includes
▸ Protect wp-admin
  ▸ 64.85.59.68 —> 64.85.0.0/16
COUNTER MEASURES
▸ Protect wp-content
  ▸ Prevent PHP execution
  ▸ Implicit deny (only allow what is necessary and expected)
▸ Protect wp-includes
▸ Protect wp-admin
▸ Protect the root
COUNTER MEASURES: Account enumeration
▸ Prevent ?author= redirection
COUNTER MEASURES: Account enumeration
▸ Prevent ?author= redirection
▸ Disable account name as author permalink
COUNTER MEASURES: Account enumeration
▸ Prevent ?author= redirection
▸ Disable account name as author permalink
▸ Remove author account from classes
COUNTER MEASURES: Account enumeration
▸ Prevent ?author= redirection
▸ Disable account name as author permalink
▸ Remove author account from classes
▸ Remove user “slug” property from users endpoint in REST API
COUNTER MEASURES: Account enumeration
▸ Prevent ?author= redirection
▸ Disable account name as author permalink
▸ Remove author account from classes
▸ Remove users endpoint from REST API
▸ Remove default login failure error messages
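As an added example (not code from the talk or from the author’s access-denied repository), a must-use plugin that applies the account-enumeration counter measures above through WordPress core hooks; the file name, the random-nicename approach for new accounts, and leaving the users routes open to logged-in users are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Access Denied enumeration counter measures (added example)
 * Install as wp-content/mu-plugins/access-denied-enum.php so it loads on every request.
 */

// 1. ?author=N redirection: core 301-redirects /?author=1 to /author/<login>/,
//    which hands out the account name. Answer the probe with 403 instead.
//    wp-admin legitimately uses ?author= to filter the posts list, hence the guard.
add_action( 'init', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
} );

// 2. Account name as author permalink: the archive URL uses user_nicename,
//    which core derives from the login. Give new accounts a random nicename
//    instead (assumption: existing accounts are edited once by hand).
add_action( 'user_register', function ( $user_id ) {
    wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => 'u' . wp_generate_password( 10, false ),
    ) );
} );

// 3. Author account in CSS classes: body_class emits author-<nicename> on author
//    archives and comment_class emits comment-author-<nicename>; drop both.
$access_denied_strip_author = function ( array $classes ) {
    return array_values( array_filter( $classes, function ( $class ) {
        return 0 !== strpos( $class, 'author-' ) && 0 !== strpos( $class, 'comment-author-' );
    } ) );
};
add_filter( 'body_class', $access_denied_strip_author );
add_filter( 'comment_class', $access_denied_strip_author );

// 4. REST API users endpoint: hide /wp/v2/users* from anonymous callers only;
//    the block editor needs these routes for logged-in authors and editors.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 5. Login failure messages: replace core's "unknown username" / "incorrect
//    password" distinction with one answer, so wp-login.php cannot confirm names.
add_filter( 'login_errors', function () {
    return 'Login failed. Check your credentials and try again.';
} );
```

After installing, verify with an anonymous request to /wp-json/wp/v2/users (expect a 404 route error) and to /?author=1 (expect 403 with no Location header).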
SUMMARY
▸ Be paranoid; be skeptical
▸ Uninstall plugins/themes that aren’t in use
▸ Disable PHP from executing where it shouldn’t
▸ Limit access to everything where you can
SUMMARY CONT.
▸ Implicitly deny
▸ Defense-in-depth
In other words…
“[SECURITY IS A] CONTINUOUSLY MOVING TARGET… THAT REQUIRES CONSTANT VIGILANCE TO UNDERSTAND AND APPRECIATE.”
Tony Perez, @perezbox
WHAT QUESTIONS DO YOU HAVE FOR ME?
CONTACT
▸ Contact
▸ gilzow@missouri.edu
▸ @gilzow on Twitter
▸ gilzow on wordpress.org
▸ Files: https://github.com/gilzow/access-denied/, wckc2017 branch
