1. Welcome
"In the wake of the Heartbleed bug and a
number of other high profile security related
failures, we revisit the idea of making sure
we’re ahead of the game, secure from the start"
Secure from the Start
The changing landscape
Kieran O'Shea
kieran@kieranoshea.com • @kieranoshea • http://www.kieranoshea.com/
2. Overview
Motivations for this session
Analysis on recent high profile issues
Types of attack vectors
Mitigation; config, tools, plugins & more
Questions
3. Recent issues - Heartbleed
A bug in OpenSSL's TLS heartbeat extension (CVE-2014-0160), not a weakness in TLS itself
A heartbeat request states its own payload length; the reply copies that many bytes back without checking the request actually contained them
Up to 64 KB of process memory leaks per request: private keys, session cookies and passwords have all been recovered this way
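To make the mechanism concrete, an added example (not part of the talk and not OpenSSL's own code): a Python model of the heartbeat handler with the missing bounds check next to the one-line check that the 1.0.1g fix added. The "neighbouring memory" bytes are a constructed stand-in for whatever sits after the record on the server's heap; real OpenSSL does the same copy in C with memcpy.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever sits after the record in the server's heap.
NEIGHBOURING_MEMORY = b"Cookie: session=c0ffee; user=alice; pw=hunter2 " + b"\x00" * 32


def build_request(payload: bytes, claimed_len: int = -1) -> bytes:
    """Heartbeat request: type(1) | payload_length(2) | payload | padding.
    claimed_len lets the sender lie about the payload length, as the exploit did."""
    if claimed_len < 0:
        claimed_len = len(payload)
    return struct.pack(">BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_heartbeat(record: bytes, neighbouring: bytes = NEIGHBOURING_MEMORY) -> bytes:
    """Model of the pre-1.0.1g handler: trusts the claimed length and copies
    that many bytes, running past the record into adjacent memory."""
    hb_type, payload_len = struct.unpack(">BH", record[:3])
    if hb_type != HB_REQUEST:
        return b""
    heap = record + neighbouring              # the record is not the only thing in memory
    payload = heap[3:3 + payload_len]         # the unchecked memcpy
    return struct.pack(">BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * PADDING


def fixed_heartbeat(record: bytes, neighbouring: bytes = NEIGHBOURING_MEMORY):
    """Model of the 1.0.1g handler: the claimed length must fit inside the record.
    `neighbouring` is never read: the fixed code cannot run past the record."""
    if len(record) < 1 + 2 + PADDING:         # not even room for header plus padding
        return None
    hb_type, payload_len = struct.unpack(">BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > len(record):   # the bounds check that was missing
        return None                                   # silently discard, as the fix does
    payload = record[3:3 + payload_len]
    return struct.pack(">BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything in the reply that the requester never sent: the leak."""
    _, payload_len = struct.unpack(">BH", response[:3])
    return response[3:3 + payload_len][len(sent_payload):]
```

Run the same request through both handlers: an honest request with a five-byte payload is echoed by both, while a request claiming 65535 bytes makes the vulnerable handler return the neighbouring "memory" and makes the fixed one discard the record.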
4. Recent issues - Heartbleed
5. Recent issues - Heartbleed
6. Recent issues - Heartbleed
Fallout: anything that passed through an affected server, including its private key, has to be treated as exposed
Recovery: patch OpenSSL, generate new keys, reissue and revoke certificates, then reset passwords and invalidate sessions
7. Recent issues - Ransomware
Realintogive/Wikimedia Commons
8. Recent issues - Ransomware
Essentially blackmail
Takes different forms
Difficult to recover from
Infection rates uncertain
Millions made by criminals
9. Recent issues – Back doors
10. Recent issues - Back doors
11. Recent issues - Social Engineering
Should be considered a back door
Password resets
Security questions
"Single Sign On"
12. Recent issues - Obscurity
When is security no security at all?
When my hotel reservation is
www.somehotel.com/reservation/12345
So the previous customer's must be...
www.somehotel.com/reservation/12344
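The hotel example as added code (not from the talk): the sequential scheme from the slide next to one with an unguessable reference and an ownership check on every lookup. The class and function names are this example's own, and the reservation numbers and guests are constructed.

```python
import secrets


class SequentialReservations:
    """The pattern on the slide: the reservation number is a counter and
    the URL is the only thing protecting the booking."""

    def __init__(self):
        self._next = 12340
        self._store = {}

    def create(self, owner: str, details: str) -> int:
        self._next += 1
        self._store[self._next] = (owner, details)
        return self._next

    def get(self, reservation_id: int):
        # No check of who is asking: whoever knows (or guesses) the number wins.
        return self._store.get(reservation_id)


class TokenReservations:
    """Unguessable reference plus an ownership check; neither alone is enough."""

    def __init__(self):
        self._store = {}

    def create(self, owner: str, details: str) -> str:
        ref = secrets.token_urlsafe(16)          # 128 bits from the OS CSPRNG
        self._store[ref] = (owner, details)
        return ref

    def get(self, ref: str, requester: str):
        entry = self._store.get(ref)
        if entry is None or entry[0] != requester:
            return None                          # same answer for "missing" and "not yours"
        return entry[1]


def enumerate_neighbours(store: SequentialReservations, known_id: int, spread: int = 2) -> dict:
    """What an attacker who holds one sequential number can read by stepping it."""
    found = {}
    for rid in range(known_id - spread, known_id + spread + 1):
        entry = store.get(rid)
        if entry is not None and rid != known_id:
            found[rid] = entry
    return found
```

The random reference stops enumeration; the ownership check is what protects a reference that leaks through a shared screen, a referer header or a forwarded confirmation e-mail.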
13. Attack Vectors - Passwords
Exploitation of simple passwords
Re-use of stolen credentials
Brute force
Is this your password?
14. Attack Vectors - Social Engineering
Probably our weakest link
Guessable info overrides passwords
Privileged users exploited
15. Attack Vectors - External Applications
Shared use servers amplify risk
Exploiting the file system
Taking advantage of firewall rules
Piggy backing off API connectivity
16. Attack Vectors - Rogue Code
Does your theme footer look like this?
17. Attack Vectors - Rogue Code
When hackers get control
18. Attack Vectors - Rogue Code
When hackers really get control
19. Mitigation - Passwords
Secure passwords, auto generated
Avoid re-use between systems
20. Mitigation - Passwords
Employ secure password storage
Complex & differing passwords easier
A variety of services exist, paid & free
Single, secure master password
21. Mitigation - Two Factor Authentication
Something you have, something you know
A variety of implementations
Finger prints
Smart cards
Text Messages
Paper based grids
Good degree of separation required
Extend to multi-factor authentication
22. Mitigation - One Time Passwords
Reduces consequences of interception
Remote verification of token
Also provides two factor authentication
Support for independent infrastructure
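One-time passwords as a worked example, added here and not taken from the talk: RFC 4226 HOTP and RFC 6238 TOTP, the scheme authenticator apps use (the YubiKey plugin mentioned later uses Yubico's own OTP format instead). The key is the RFC test key; the `state` dictionary is an assumed per-user replay store.

```python
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 test key. A real deployment generates a random 20-byte
# secret per user (secrets.token_bytes(20)) and shows it once as a QR code.
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, state: dict = None) -> bool:
    """Accept the current step or +/- window steps (clock drift), compare in
    constant time, and never accept the same step twice (replay).
    `state` is an assumed per-user dict holding the last accepted counter."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if state is not None and counter <= state.get("last_counter", -1):
            continue                                   # already used: replay
        if hmac.compare_digest(hotp(key, counter), str(code)):
            if state is not None:
                state["last_counter"] = counter
            return True
    return False
```

The replay check is what makes an intercepted code worthless after first use, which is the "reduces consequences of interception" point; without it a code stays valid for the whole window. The server also needs rate limiting on the verify endpoint, since a six-digit code has only a million values.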
23. Mitigation - SSL
Protects data in transit
Consider what constitutes ”sensitive”
Key & Signed certificate
Available for free
Beware revocation costs
Enhance security with forward secrecy
Remember client security too
VPN
S/MIME
Don't settle for plain text
24. Mitigation - External Applications
Minimise server sharing, VPS preferable
If sharing, protect users from users
Don't chmod 777
Sandbox your code, e.g. suPHP (each site's PHP runs as that site's own user)
Keep an eye on key file changes
Consider onward security of allowed IPs
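"Keep an eye on key file changes" as an added example (not the talk's code and not the File Monitor Plus plugin): a SHA-256 baseline of a site tree and a diff against it, which is the whole of what a file-integrity monitor does. The demo() function builds a constructed WordPress-like tree in a temporary directory; the skipped directory names and the path layout are this example's assumptions.

```python
import hashlib
import os
import tempfile


def snapshot(root: str, skip_dirs=("uploads", "cache")) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest.
    Directories whose contents change legitimately are skipped so the
    report stays readable; anything under them gets no coverage, so keep
    that list short."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[os.path.relpath(path, root)] = digest.hexdigest()
    return hashes


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two snapshots."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed site tree: a theme footer gets an injected script tag and
    a new PHP file appears in wp-content, while an upload is ignored."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        os.makedirs(theme)
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        footer = os.path.join(theme, "footer.php")
        with open(footer, "w") as fh:
            fh.write("<?php wp_footer(); ?></body></html>\n")
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php /* constructed config */\n")
        baseline = snapshot(root)
        # What a compromise looks like from the file system.
        with open(footer, "a") as fh:
            fh.write('<script src="http://evil.example/x.js"></script>\n')
        with open(os.path.join(root, "wp-content", "dropped.php"), "w") as fh:
            fh.write("<?php /* file the site owner never created */\n")
        with open(os.path.join(root, "wp-content", "uploads", "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8")
        return diff_snapshots(baseline, snapshot(root))
```

Store the baseline somewhere the web server's user cannot write, otherwise an attacker who owns the site simply rewrites the baseline along with the files; this is also why the notification should go off-box, by e-mail or similar.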
25. Mitigation - Plugins
Two factor authentication (OTP)
✔ "YubiKey Plugin" (Henrik Schack)
Modifications to files
✔ "WordPress File Monitor Plus" (Scott Cariss)
Login attempts
✔ "Limit Login Attempts" (Johan Eenfeldt)
Action logging
✔ "Audit Trail" (John Godley)
More involved auditing
✔ "The Auditor" (interconnect/it)
26. Mitigation – Configuration
Lock down powerful interfaces
Work with minimum usable privileges
Reduce brute force with fail2ban
Block access at an IP level
Maintain access by using a VPN
# Define specific rules for the blog admin panel
# (Apache 2.2 syntax; on Apache 2.4 replace the three lines with: Require ip 95.172.226.96/27)
# Note: themes and plugins that call wp-admin/admin-ajax.php from the front end
# break for visitors outside the range unless that one file is allowed separately.
<Directory /home/kieran/public_html/wp-admin>
Order Deny,Allow
Deny from all
Allow from 95.172.226.96/27
</Directory>
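The brute-force mitigation from the plugin list (Limit Login Attempts) and from "reduce brute force with fail2ban" as an added example of the decision those tools make, not their code: count failures per client IP in a sliding window and ban once maxretry is reached. The log format, the sample lines and the function name are constructed for this example; fail2ban itself reads a real log through a failregex you write for it and applies the same maxretry, findtime and bantime settings from its jail configuration. One caveat for WordPress: a failed wp-login.php attempt returns HTTP 200 with the form re-rendered, so the web server's access log cannot tell success from failure and a plugin has to write the failures somewhere fail2ban can read.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the format assumed here: ISO timestamp, client IP,
# outcome, username. Three clients: a fast attacker, a user who mistypes,
# and a slow attacker spacing attempts 20 minutes apart.
SAMPLE_LOG = """\
2014-07-12T08:00:00 192.0.2.9 FAIL admin
2014-07-12T08:20:00 192.0.2.9 FAIL admin
2014-07-12T08:40:00 192.0.2.9 FAIL admin
2014-07-12T09:00:00 192.0.2.9 FAIL admin
2014-07-12T09:00:01 203.0.113.5 FAIL admin
2014-07-12T09:00:04 203.0.113.5 FAIL admin
2014-07-12T09:00:07 203.0.113.5 FAIL administrator
2014-07-12T09:00:10 203.0.113.5 FAIL kieran
2014-07-12T09:00:12 203.0.113.5 FAIL root
2014-07-12T09:00:15 203.0.113.5 FAIL test
2014-07-12T09:05:00 198.51.100.7 FAIL kieran
2014-07-12T09:05:20 198.51.100.7 FAIL kieran
2014-07-12T09:05:40 198.51.100.7 OK kieran
2014-07-12T09:20:00 192.0.2.9 FAIL admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<outcome>FAIL|OK) (?P<user>\S+)$"
)


def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600, bantime: int = 3600) -> dict:
    """Return {ip: ban_expiry} for every client with >= maxretry failures
    inside any findtime-second window, the rule fail2ban applies."""
    recent = defaultdict(deque)          # ip -> timestamps of failures still in the window
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # lines the regex does not match are ignored
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if ip in banned and ts < banned[ip]:
            continue                     # already banned; nothing more to count
        if m["outcome"] != "FAIL":
            continue                     # successes do not clear the counter
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()             # slide the window forward
        if len(window) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return banned
```

The slow attacker is invisible to a ten-minute window and only shows up when findtime is widened, which is the trade-off behind these numbers: a wider window catches more, but also locks out a shared office IP after a handful of genuine typos. Blocking at the IP level, as the Apache rules above do, is what makes the ban bite before PHP is even reached.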
27. Mitigation – Social engineering
Don't populate ”password hints”
Don't use real ”secret questions”
Become aware of back doors
Know the warning signs
Use notifications (new login, password change, file change) so you hear about an attack early
Avoid single points of failure
Multiple backups, multiple services
At least one backup offline
28. Questions?
Kieran O'Shea • kieran@kieranoshea.com
@kieranoshea • http://www.kieranoshea.com/
Remember, WordCamp tweets archived here:
https://wcuk.kieranoshea.com/tweets/