Drupal Threat Landscape
Copyright Justin C. Klein Keane
whoami
- Information security specialist with University of Pennsylvania
- Worked infosec for over a decade
- Discovered over 100 Drupal vulnerabilities in core and contributed modules
- One of the chapter leaders for Philadelphia OWASP
- Began my professional career as a web developer so I feel your pain...
Quick poll
- Let's chat about security metrics...
About this Presentation
- Security is a massive topic
- Highlight the most likely way(s) your Drupal site will get compromised
- The litany of ways it could get compromised would take all day...
- #1 reason your site will be a target: Money
It's not personal
- When hacking is illegal, only criminals will hack
- Hacking used to be about curiosity or notoriety
- Now hacking is all about money
- Financial motivation guides most compromises
Making money from cybercrime
- Compromise banking or purchasing credentials
- Black hat SEO
- Sending spam
- Denial of service and extortion
- Building and renting botnets
Targets of Crime
- Databases
  - Large stores of financial or credit card data
  - Stores of user account credentials
- End user machines
  - Contain individual financial credentials
  - Can be added to botnets
  - Provide bandwidth for denial of service attacks
Where's the Drupal?
- How does Drupal fit into this equation?
Value of your Drupal
- Reputation and Trust
- Your Drupal site likely has a legitimate search engine ranking
- Your users trust your Drupal site
- Your Drupal site is a valuable platform that reaches a large number of visitors and trusted admins
Economics
- Attackers choosing targets will seek the highest return for the least risk/effort
- Target pool is the entire internet
- Two main high value targets:
  - Large financial data stores: high risk/effort, high reward
  - End user machines where financial transactions take place: low risk/effort, low reward
- Unless...
Ah, Computation
- Computers make automation easy
- + The internet allows for massive scale
- = Attack lots of low risk/effort targets for massive rewards!
Anatomy of an Attack
- Find a vulnerability that affects a large number of servers
- Exploit the vulnerability en masse to install something that will attack each client that visits a site
- Result: a large number of malware installations
Malware
- Malware is the virus code that will run on end user computers
- Generally exploits a vulnerability in a web browser or some third party plug-in
- Examples:
  - WebKit vulnerability
  - Flash
  - Java
  - Adobe Acrobat
  - XML rendering engine
  - Etc.
Malware Design
- Trick the user into loading a specific page
- Page contains tainted content
- Client loads content, triggering attack
- Tainted content executes arbitrary code
  - Generally a downloader
- Downloader reaches out to the internet and downloads larger malware toolkit
- Once download is complete, toolkit is installed
Types of Attack – SQL Injection
- SQL injection requires a module developer to willfully ignore the Drupal framework
- Allows an attacker to issue database queries through the web interface
- Can be used for all sorts of nefarious purposes
- Ensure your Drupal site isn't using the MySQL root account!
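As an added illustration (not code from the talk), here is what "ignoring the framework" looks like in a Drupal 7 custom module, beside the two framework-conformant ways of writing the same lookup. The function names are hypothetical; only db_query(), db_select() and the {users} table are real Drupal 7 API.

```php
<?php
// Added example for a Drupal 7 module: look up a uid by account name.
// Function names are hypothetical; the API calls are Drupal 7 core.

// VULNERABLE: $name is pasted into the SQL text. A single quote in the
// value ends the string literal, and whatever follows is parsed as SQL.
// db_query() is still called, but its placeholder mechanism is bypassed,
// which is exactly the "willfully ignore the framework" case.
function example_lookup_insecure($name) {
  $result = db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'");
  return $result->fetchField();
}

// FIXED: the value is bound to a named placeholder. Drupal hands it to PDO
// separately from the SQL text, so it can never alter the query structure.
function example_lookup_secure($name) {
  $result = db_query("SELECT uid FROM {users} WHERE name = :name",
                     array(':name' => $name));
  return $result->fetchField();
}

// Equivalent with the query builder. Values are bound the same way, and
// hook_query_alter() implementations (e.g. node access) can still apply.
function example_lookup_builder($name) {
  return db_select('users', 'u')
    ->fields('u', array('uid'))
    ->condition('u.name', $name)
    ->execute()
    ->fetchField();
}
```

The slide's last point still applies to all three: even the fixed versions run with whatever privileges the account in settings.php has, so that account should own only the Drupal database, never be root.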
Types of Attack – XSS
- XSS stands for cross site scripting
- More accurately described as arbitrary script injection
- Can be used by an attacker to produce an alert box!
- Actually can be used to write any HTML to a page, including but not limited to:
  - JavaScript
  - Iframe tags
  - Object tags
Types of Attack – XSS (cont.)
- JavaScript can be used to steal cookie tokens and perform session hijacking
- XSS can be used to perform XSRF
- Can be used to include references to malicious content
- Can be used to redirect your users to another site
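The two XSS slides describe what happens when user-controlled text reaches the page unescaped. As an added example (not from the talk), the Drupal 7 snippets below show the defect and the core helpers that prevent it in each output context. Function names and the $account, $signature, $url inputs are hypothetical; t(), check_plain(), filter_xss() and check_url() are Drupal 7 core.

```php
<?php
// Added example for a Drupal 7 module: rendering user-controlled values.
// Function names are hypothetical; the helper calls are Drupal 7 core.

// VULNERABLE: the display name is concatenated straight into markup. A name
// containing <script>, <iframe> or <object> is emitted unchanged and the
// browser executes or loads it: the "any HTML" case from the slide.
function example_greeting_insecure($account) {
  return '<div class="greeting">Hello ' . $account->name . '</div>';
}

// FIXED: the @ placeholder in t() runs the value through check_plain(), so
// <, >, & and quotes become entities and the name is shown as text only.
function example_greeting_secure($account) {
  return '<div class="greeting">' .
    t('Hello @name', array('@name' => $account->name)) . '</div>';
}

// Where a little HTML must be allowed (a signature, a comment body),
// filter_xss() keeps only the whitelisted tags, drops on* event handler
// attributes and javascript: URLs from those tags, and removes everything
// else, so script, iframe and object never survive.
function example_signature_secure($signature) {
  return filter_xss($signature, array('a', 'em', 'strong', 'p', 'br'));
}

// Attribute context: a user-supplied URL placed in an href goes through
// check_url(), which strips dangerous schemes such as javascript: and then
// entity-encodes the result; the link text still needs check_plain().
function example_link_secure($url, $title) {
  return '<a href="' . check_url($url) . '">' . check_plain($title) . '</a>';
}
```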
Types of Attack – XSRF
- Cross Site Request Forgery
- Attack causes your browser to submit forms silently in the background
- Because all GET/POST requests carry the appropriate cookies, requests are often assumed to be legitimate
- Drupal form tokens prevent this UNLESS the attacker can inject JavaScript to read them
- XSRF can be used to silently change settings or post content in your Drupal site
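To make the "form tokens prevent this" point concrete, here is an added Drupal 7 example (not from the talk) of a state-changing action written three ways: an unprotected GET callback, the Form API confirmation form whose hidden form_token Drupal validates for you, and a token-checked link for the rare case where a plain link is unavoidable. The path, function names and hook_menu() wiring (omitted) are hypothetical; confirm_form(), drupal_get_token(), drupal_valid_token() and the constants are Drupal 7 core.

```php
<?php
// Added example for a Drupal 7 module: closing comments on a node.
// Function names are hypothetical; the API calls are Drupal 7 core.

// VULNERABLE: a bare GET request changes state. The browser attaches the
// admin's session cookie to every request, so a hidden <img src="..."> or
// auto-submitting form on any other site the admin visits triggers this.
function example_close_comments_insecure($node) {
  $node->comment = COMMENT_NODE_CLOSED;
  node_save($node);
  drupal_goto('node/' . $node->nid);
}

// FIXED (preferred): route the action through a Form API confirmation form.
// Every Form API form carries a hidden, session-bound form_token that Drupal
// verifies on submit; a forged cross-site POST does not have it.
function example_close_comments_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form($form,
    t('Close comments on %title?', array('%title' => $node->title)),
    'node/' . $node->nid);
}

function example_close_comments_form_submit($form, &$form_state) {
  $node = node_load($form_state['values']['nid']);
  $node->comment = COMMENT_NODE_CLOSED;
  node_save($node);
  $form_state['redirect'] = 'node/' . $node->nid;
}

// FIXED (when a plain link is unavoidable): bind a token to this specific
// action and verify it before acting. drupal_valid_token() ties the value
// to the user's session and the site's private key, so it cannot be
// computed off-site.
function example_close_comments_link($node) {
  return l(t('Close comments'), 'node/' . $node->nid . '/close-comments',
    array('query' => array(
      'token' => drupal_get_token('close-comments-' . $node->nid))));
}

function example_close_comments_secure($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'close-comments-' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  $node->comment = COMMENT_NODE_CLOSED;
  node_save($node);
  drupal_goto('node/' . $node->nid);
}
// Caveat from the slide: both fixes assume the site is free of XSS, since
// injected script runs in the admin's origin and can read either token.
```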
Other Types of Attack
- Access bypass
- Open redirect
- Information disclosure
- Arbitrary code execution (BAD!!!)
Tactics for Injecting Tainted Content
- Use SQL injection to arbitrarily add it to the database
- Use XSS to force a reference to the tainted content
- Upload tainted content directly or include a link to tainted content
- Use stolen credentials to add content through the admin interface
- Purchase a malicious ad banner
- Trick the user (Fake AV)
- And so on...
Economies of Scale
- Automation is the key to making this profitable
- Attackers will try to identify a vulnerability affecting a large number of sites
- Attackers will test their attack strategy, then deploy it once it is automated
- Attacks are over in a few seconds
- Your site will be one of thousands, or millions, of victims
Why You Should Care
- You do care about your visitors, don't you?
- Even if you don't:
  - Your site could get delisted by search engines
  - Your hosting provider could block your site
  - Your domain registrar could block your site
  - End user browsers could block your site
- Net result – denial of service
Protect Thyself
- #1 thing you can do is keep your Drupal core and modules up to date
- Use the latest version of core if you can
- Don't forget about third party libraries like TinyMCE and jQuery
- Make sure MySQL isn't accessible over IP
- Keep your web server and operating system up to date
- Use strong FTP/SSH passwords!
Avoid Admin Account Compromise
- Recently Drupal brute force bots have been spotted in the wild!
- Create a new account with all privileges
- Disable your uid 1 account
Trust but Verify
- Avoid allowing untrusted users to publish content
- Restrict tags that users can utilize
- Moderate your content if possible
- Restrict file upload types
- Use an antivirus package to scan file uploads
Install Security Related Modules
- Security Review: spot problems proactively
- Login Security: block brute force attempts
- Password Strength: prevent weak passwords
- CAPTCHA & reCAPTCHA: deny attackers automation
Beware!
- Don't use alpha, beta, dev, or rc (release candidate) versions of modules
  - Wait, why? Even for Drupal 7?
- Only use the modules you need
- Be careful of modules that are designed to extend privilege
- Be sure your module developers understand and follow Drupal security guidelines
- Make sure your theme designers do too!
How to Detect a Compromise
- If you're lucky you'll spot a compromise
- Most likely though you'll get the dreaded 3rd party notification from your hosting provider or other party
- In extreme cases your site will simply go offline
Obligatory
- KEEP GOOD BACKUPS! (test them)
What to do after a compromise
- Don't panic!
- Decide on a course of action
- Seek professional help if appropriate
- Preserve evidence if possible
- Work with your hosting provider to figure out what went wrong
- Be sure the compromise is contained before you go back online
Getting Help
- Come to Drupaldelphia!
- OWASP (
- Contract for a security review
- Follow the Drupal security mailing list
- Report compromises to:
  - Your hosting provider
  - Your users
File a Complaint (
Thanks so much!
- Questions?