Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Justin C. Klein Keane Drupal Threat Landscape.

Published byDelphia Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright Justin C. Klein Keane Drupal Threat Landscape."— Presentation transcript:

1 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Drupal Threat Landscape

2 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu whoami Information security specialist with University of Pennsylvania Worked infosec for over a decade Discovered over 100 Drupal vulnerabilities in core and contributed modules One of the chapter leaders for Philadelphia OWASP Began my professional career as a web developer so I feel your pain...

3 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Quick poll Let's chat about security metrics...

4 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu About this Presentation Security is a massive topic Highlight the most likely way(s) your Drupal site will get compromised The litany of ways it could get compromised would take all day... #1 reason your site will be a target:  Money

5 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu It's not personal When hacking is illegal, only criminals will hack Hacking used to be about curiosity or notoriety Now hacking is all about money Financial motivation guides most compromises

6 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Making money from cybercrime Compromise banking or purchasing credentials Black hat SEO Sending spam Denial of service and extortion Building and renting botnets

7 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Targets of Crime Databases  Large stores of financial or credit card data  Stores of user account credentials End user machines  Contain individual financial credentials  Can be added to botnets  Provide bandwidth for denial of service attacks

8 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Where's the Drupal? How does Drupal fit into this equation?

9 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Value of your Drupal Reputation and Trust  Your Drupal site likely has a legitimate search engine ranking  Your users trust your Drupal site  Your Drupal site is a valuable platform that reaches a large number of visitors and trusted admins

10 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Economics Attackers choosing targets will seek the high return with the least risk/effort Target pool is the entire internet Two main high value targets:  Large financial data stores High risk/effort – high reward  End user machines where financial transactions take place Low risk/effort – low reward Unless...

11 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Ah Computation Computers make automation easy + The internet allows for massive scale = Attack lots of low risk/effort targets for massive rewards!

12 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Anatomy of an Attack Find a vulnerability that affects a large number of servers Exploit the vulnerability en masse to install something that will attack each client that visits a site Result: A large number of malware installations

13 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Malware  Webkit vulnerability  Flash  Java  Adobe Acrobat  XML rendering engine  Etc. Malware is the virus code that will run on end user computers Generally exploits a vulnerability in a web browser or some third party plug in Examples:

14 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Malware Design Trick the user into loading a specific page Page contains tainted content Client loads content, triggering attack Tainted content executes arbitrary code  Generally a downloader Downloader reaches out to the internet and downloads larger malware toolkit Once download complete toolkit is installed

15 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu

16 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Types of Attack – SQL Injection SQL injection requires a module developer to willfully ignore the Drupal framework Allows an attacker to issue database queries though the web interface Can be used for all sorts of nefarious purposes Ensure your Drupal site isn't using the MySQL root account!

17 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Types of Attack – XSS XSS stands for cross site scripting Better known as arbitrary script injection Can be used by an attacker to produce an alert box! Actually can be used to write any HTML to a page, including but not limited to:  Javascript  Iframe tags  Object tags

18 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Types of Attack – XSS (cont.) Javascript can be used to steal cookie tokens and perform session hijacking XSS can be used to perform XSRF Can be used to include references to malicious content Can be used to redirect your users to another site

19 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Types of Attack - XSRF Cross Site Request Forgery Attack causes your browser to submit forms silently in the background Because all GET/POST requests carry appropriate cookies requests often assumed to be legit Drupal form tokens prevent this UNLESS the attacker can inject JavaScript to read them XSRF can be used to silently change settings or post content in your Drupal site

20 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Other Types of Attack Access bypass Open redirect Information disclosure Arbitrary code execution (BAD!!!)

21 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Tactics for Injecting Tainted Content Use SQL injection to arbitrarily add it to the database Use XSS to force a reference to the tainted content Upload tainted content directly or include a link to tainted content Use stolen credentials to add content through the admin interface Purchase a malicious add banner Trick the user (Fake AV) And so on...

22 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Economies of Scale Automation is the key to making this profitable Attackers will try to identify a vulnerability affecting a large number of sites Attackers will test their attack strategy then deploy it once it is automated  Attacks are over in a few seconds  Your site will be on of thousands, or millions of victims

23 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Why You Should Care You do care about your visitors don't you? Even if you don't:  Your site could get delisted by search engines  Your hosting provider could block your site  Your domain registrar could block your site  End user browsers could block your site Net result – denial of service

24 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Protect Thyself #1 thing you can do is keep your Drupal core and modules up to date  Use the latest version of core if you can Don't forget about third party libraries like TinyMCE and JQuery Make sure MySQL isn't IP accessible Keep your web server and operating system up to date Use strong FTP/SSH passwords!

25 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Avoid Admin Account Compromise Recently Drupal brute force bots have been spotted in the wild! Create a new account with all privileges Disable your uid 1 account

26 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Trust but Verify Avoid allowing untrusted users to publish content Restrict tags that users can utilize Moderate your content if possible Restrict file upload types Use an antivirus package to scan file uploads

27 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Install Security Related Modules Security Review  Spot problems proactively Login Security  Block brute force attempts Password Strength  Prevent weak passwords CAPTCHA & reCAPTCHA  Deny attackers automation

28 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Beware! Don't use alpha, beta, dev, or rc (release candidate) versions of modules  Wait, why? Even for Drupal 7? Only use the modules you need Be careful of modules that are designed to extend privilege Be sure your module developers understand and follow Drupal security guidelines Make sure your theme designers do too!

29 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu How to Detect a Compromise If you're lucky you'll spot a compromise Most likely though you'll get the dreaded 3 rd party notification  Email from your hosting provider or other party In extreme cases your site will simply go offline

30 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Obligatory KEEP GOOD BACKUPS! (test them)

31 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu What to do after a compromise Don't panic! Decide on a course of action  Seek professional help if appropriate Preserve evidence if possible Work with your hosting provider to figure out what went wrong Be sure the compromise is contained before you go back online

32 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Getting Help Come to Drupaldelphia! OWASP (http://www.owasp.org)http://www.owasp.org Contract for a security review Follow the Drupal security mailing list Report compromises to:  Your hosting provider  Your users

33 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu File a Complaint (http://www.ic3.gov)

34 Copyright Justin C. Klein Keane jukeane@sas.upenn.edu Thanks so much! Questions?

Download ppt "Copyright Justin C. Klein Keane Drupal Threat Landscape."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
© 2005 Convio, Inc. NTEN Webinar: Protecting your organization and donors from online scams February 23, 2006.

© 2005 Convio, Inc. NTEN Webinar: Protecting your organization and donors from online scams February 23, 2006.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
The Most Dangerous Places on The Web (according to PC World)

The Most Dangerous Places on The Web (according to PC World)
Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.

Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Similar presentations

Ads by Google