Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013

•

3 likes•1,038 views

Nicholas Dionysopoulos

The sixth major revision of my security introduction presentation,

Technology

Mission: Impossible
Talking in-depth about Joomla! security in 30 minutes
or less... but I’ll try!

Updated server software
PHP, MySQL, Apache, FTP Server...

Permissions & ownership
Who can do what and where

Sane ownership &
permissions
All ﬁles and folders owned by the FTP user
Use Joomla!’s FTP mode on shared hosts
Folders 0755 permissions • Files 0644 permissions
If you “must” use 0777 (don’t!), protect with .htaccess
order deny, allow
deny from all
allow from none
Better yet, use suPHP or FastCGI

Too much to remember?
Akeeba Backup User’s Guide, Security
Information
https://www.akeebabackup.com/documentation/
akeeba-backup-documentation/security-info.html
777: The number of the beast
http://www.dionysopoulos.me/blog/777-the-number-
of-the-beast

Think before installing
Don’t be the mouse in the trap!

A terrifying thought
Password hacking super-computer: 2,700 USD
(back in 2010; much cheaper now)

How safe is your password?
Password Bits Iterations Time to crack
15082005
admin
ortrtaortftaaidbt
0rtrTA0rtfTa&idbT
horse correct battery stapler
13,6 12416 0.00038 msec
15,9 61147 0.00185 msec
67,7 2,39e+20 228.95 years
88,2 3,55e+26 340 million years
107,2 1,86e+32 178179 billion years

Derive from a sentence
the
quick
brown
fox
jumped
over
the
lazy
dog

Derive from a sentence
the
quick
brown
fox
jumped
over
the
lazy
dog
t
q
b
f
j
o
t
l
d

Derive from a sentence
the
quick
brown
fox
jumped
over
the
lazy
dog
t
q
b
f
j
o
t
l
d
t
q
b
F
j
o
t
l
D

Derive from a sentence
the
quick
brown
fox
jumped
over
the
lazy
dog
t
q
b
f
j
o
t
l
d
t
q
b
F
j
o
t
l
D
+
q
b
F
j
o
+
l
D

Derive from a sentence
the
quick
brown
fox
jumped
over
the
lazy
dog
t
q
b
f
j
o
t
l
d
t
q
b
F
j
o
t
l
D
+
q
b
F
j
o
+
l
D
+
q
b
F
j
0
+
1
D

Still unsure? Write it down
And keep it ON YOUR PERSON!
+qbFj0+1D

Use a password manager
And keep it on your person (mobile device)

Lock it down
Nothing on my site runs unless I say so

.htaccess Rules
My Master .htaccess - FREE
http://akeeba.assembla.com/code/master-htaccess/
git/nodes/htaccess.txt
Admin Tools Professional
https://www.akeebabackup.com/products/46-
software/855-admintools.html

Backups
Frequent, automated, off-site backups

Use myJoomla.com
Dead easy site auditing – and ﬁxing!

We’ve got instructions
Unhacking your site
https://www.akeebabackup.com/documentation/
walkthroughs/item/1124-unhacking-your-site.html
You do have backups, right?
You did use myJoomla.com, right?
Make sure you read the instructions before getting
hacked.

Download this presentation
http://akeeba.info/asjd13bih

Thank you for listening!
Image credits for copyrighted images: sxc.hu; istockphoto.com
Coprights of the logos and screenshots of software displayed in this presentaiton is owned by their respective companies

Similar to Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013

Password Storage Sucks!

nerdybeardo

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity). As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking. This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser. https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016

Security and Privacy on the Web in 2016

Francois Marier

Django Web Application Security

levigross

Unloading Plone

Elizabeth Leddy

Crafting Secure Software - DDDEU 2019

Yvan PHELIZOT

Joomladay Switzerland - security

Wilco Jansen

My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to, routers and other such embedded devices. This talk was recorded, a video will be linked soonish, and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!

Steelcon 2015 - 0wning the internet of trash

infodox

Sangam 18 - Database Development: Return of the SQL Jedi

Connor McDonald

Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim's secrets reside in the vault. One breach to get it all. LastPass is arguably one of the most popular password managers in the market. Over 10,000 corporate customers ranging in various sizes including Fortune 500's rely on LastPass to protect all their data. Research has been done on how to attack password managers but it has all focused on leaking specific credentials from the vault. LastPass not only stores credentials, but also bank accounts, ssh keys, personal records, etc. Therefore, we focused our research on finding the silver bullet to gain full access to the vault and steal all the secrets. By reversing LastPass plugins, we found several ways to do so. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass 2 factor authentication. We wrote a Metasploit module that takes care of all of this. The module is able to search for all LastPass data in the machine comprising all accounts present. It will find and decrypt the master password, it will derive the encryption key for the vault, it will find the 2FA trust token and it will steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pen-tester's satisfaction.

Even the LastPass Will be Stolen Deal with It!

Martin Vigo

WordPress End-User Security

Dre Armeda

From HashiCorp Korea User Group Meetup 발표자: 김민규(데브시스터즈, 인프라 관리, https://github.com/synthdnb) 발표자: 김도윤(데브시스터즈, 플랫폼 API 서버 개발, https://github.com/solmonk) 발표내용: 팀의 규모가 커지면서 Secret 관리 문제가 조금씩 부각되었습니다. 예를 들면 코드에 커밋되거나, 구전으로 전해지는 Secret들, SSH Key Rotation 등의 문제를 처리하기 위해 많은 노력과 삽질이 필요했습니다. 저희 팀에서 Vault를 통해 이런 문제들을 어떻게 해결했는지 소개하려 합니다.

20명 규모의 팀에서 Vault 사용하기

Doyoon Kim

How-to crack 43kk passwords while drinking your juice/smoozie in the Hood

Yurii Bilyk

BSides Hannover 2015 - Shell on Wheels

infodox

LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker. The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.

Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo

Shakacon

Securing Your Joomla website

Mike Carson

OWASP Thailand 2016 - Joomla Security

Akarawuth Tamrareang

Presented at SCaLE 19x, Los Angeles 2022 Misconfigurations in your Kubernetes deployments can create unforeseen security vulnerabilities that can give bad actors leverage to exploit containers, nodes or even the entire control plane of your cluster. In this talk I'll show how easy it can be to break into a cluster and why using tools to find issues and enforce governance around them can make your clusters a less attractive target.

SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks

Eric Smalling

Django cryptography

Erik LaBianca

XFLTReaT presentation from Shakacon 2017 https://www.youtube.com/watch?v=AfqNVXHz0hU This presentation will sum up how to do tunneling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunneling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunneling on your network or to bypass misconfigured filters. Our new tool XFLTReaT is an open-source tunneling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customized on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane. This framework is not just a tool; it unites different technologies in the field of tunneling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunneling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunneling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.

XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)

Balazs Bucsay

When I was introduced to drush, a command line shell and scripting interface for Drupal, I thought, “meh, I can do those tasks already in about the same time with no learning curve.” Now? “Omg omg, do you use drush? You gotta try drush! It’s awesome!” Find out why drush has transformed me into a groupie. In this session, we’ll walk through installing a Drupal site using drush, enabling modules, and common tasks like running update hooks, cron, and clearing the cache. Intimidated by the command line? We’ll cover the basics and show you how development tools like Coda enable you to use drush inside a visual environment.

Intro to Drush

Four Kitchens

Similar to Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013 (20)

Password Storage Sucks!

Security and Privacy on the Web in 2016

Django Web Application Security

Unloading Plone

Crafting Secure Software - DDDEU 2019

Joomladay Switzerland - security

Steelcon 2015 - 0wning the internet of trash

Sangam 18 - Database Development: Return of the SQL Jedi

Even the LastPass Will be Stolen Deal with It!

WordPress End-User Security

20명 규모의 팀에서 Vault 사용하기

How-to crack 43kk passwords while drinking your juice/smoozie in the Hood

BSides Hannover 2015 - Shell on Wheels

Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo

Securing Your Joomla website

OWASP Thailand 2016 - Joomla Security

SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks

Django cryptography

XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)

Intro to Drush

Recently uploaded

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

Scaling API-first – The story of a global engineering organization

Radu Cotescu

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Developing An App To Navigate The Roads of Brazil

V3cube

Recently uploaded (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Driving Behavioral Change for Information Management through Data-Driven Gree...

Scaling API-first – The story of a global engineering organization

How to Troubleshoot Apps for the Modern Connected Worker

2024: Domino Containers - The Next Step. News from the Domino Container commu...

GenCyber Cyber Security Day Presentation

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Tech Trends Report 2024 Future Today Institute.pdf

Apidays New York 2024 - The value of a flexible API Management solution for O...

AWS Community Day CPH - Three problems of Terraform

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

Automating Google Workspace (GWS) & more with Apps Script

The 7 Things I Know About Cyber Security After 25 Years | April 2024

[2024]Digital Global Overview Report 2024 Meltwater.pdf

A Year of the Servo Reboot: Where Are We Now?

Partners Life - Insurer Innovation Award 2024

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Developing An App To Navigate The Roads of Brazil

Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013

1. Joomla! Security 101 version 6.0

2. Mission: Impossible Talking in-depth about Joomla! security in 30 minutes or less... but I’ll try!

3. Put your pens away Sit back and enjoy

4. Updated server software PHP, MySQL, Apache, FTP Server...

5. Permissions & ownership Who can do what and where

6. Sane ownership & permissions All ﬁles and folders owned by the FTP user Use Joomla!’s FTP mode on shared hosts Folders 0755 permissions • Files 0644 permissions If you “must” use 0777 (don’t!), protect with .htaccess order deny, allow deny from all allow from none Better yet, use suPHP or FastCGI

7. Too much to remember? Akeeba Backup User’s Guide, Security Information https://www.akeebabackup.com/documentation/ akeeba-backup-documentation/security-info.html 777: The number of the beast http://www.dionysopoulos.me/blog/777-the-number- of-the-beast

8. Update, yesterday Joomla! & extensions

9. Think before installing Don’t be the mouse in the trap!

10. Length matters

11. Your Password’s length matters

12. A terrifying thought Password hacking super-computer: 2,700 USD (back in 2010; much cheaper now)

13. How safe is your password? Password Bits Iterations Time to crack 15082005 admin ortrtaortftaaidbt 0rtrTA0rtfTa&idbT horse correct battery stapler 13,6 12416 0.00038 msec 15,9 61147 0.00185 msec 67,7 2,39e+20 228.95 years 88,2 3,55e+26 340 million years 107,2 1,86e+32 178179 billion years

14. Derive from a sentence

15. Derive from a sentence the quick brown fox jumped over the lazy dog

16. Derive from a sentence the quick brown fox jumped over the lazy dog t q b f j o t l d

17. Derive from a sentence the quick brown fox jumped over the lazy dog t q b f j o t l d t q b F j o t l D

18. Derive from a sentence the quick brown fox jumped over the lazy dog t q b f j o t l d t q b F j o t l D + q b F j o + l D

19. Derive from a sentence the quick brown fox jumped over the lazy dog t q b f j o t l d t q b F j o t l D + q b F j o + l D + q b F j 0 + 1 D

20. Derive from a sentence +qbFj0+1D

21. Still unsure? Write it down And keep it ON YOUR PERSON! +qbFj0+1D

22. Use a password manager And keep it on your person (mobile device)

23. Lock it down Nothing on my site runs unless I say so

24. .htaccess Rules My Master .htaccess - FREE http://akeeba.assembla.com/code/master-htaccess/ git/nodes/htaccess.txt Admin Tools Professional https://www.akeebabackup.com/products/46- software/855-admintools.html

25. Armor up Protect your site

26. Backups Frequent, automated, off-site backups

27. Use myJoomla.com Dead easy site auditing – and ﬁxing!

28. In spite of it all…

29. Dammit! You got hacked, now what?

30. DON’T PANIC

31. We’ve got instructions Unhacking your site https://www.akeebabackup.com/documentation/ walkthroughs/item/1124-unhacking-your-site.html You do have backups, right? You did use myJoomla.com, right? Make sure you read the instructions before getting hacked.

32. Questions?

33. Download this presentation http://akeeba.info/asjd13bih

34. Thank you for listening! Image credits for copyrighted images: sxc.hu; istockphoto.com Coprights of the logos and screenshots of software displayed in this presentaiton is owned by their respective companies

Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013

Recommended

Recommended

More Related Content

Similar to Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013

Similar to Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013 (20)

More from Nicholas Dionysopoulos

More from Nicholas Dionysopoulos (8)

Recently uploaded

Recently uploaded (20)

Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013