Copyright Justin C. Klein [email protected]
whoami
Information security specialist with University of Pennsylvania
Worked infosec for over a decade
Discovered over 100 Drupal vulnerabilities in core and contributed modules
One of the chapter leaders for Philadelphia OWASP
Began my professional career as a web developer so I feel your pain...
About this Presentation
Security is a massive topic
Highlight the most likely way(s) your Drupal site will get compromised
The litany of ways it could get compromised would take all day...
#1 reason your site will be a target: Money
It's not personal
When hacking is illegal, only criminals will hack
Hacking used to be about curiosity or notoriety
Now hacking is all about money
Financial motivation guides most compromises
Making money from cybercrime
Compromise banking or purchasing credentials
Black hat SEO
Sending spam
Denial of service and extortion
Building and renting botnets
Targets of Crime
Databases
  Large stores of financial or credit card data
  Stores of user account credentials
End user machines
  Contain individual financial credentials
  Can be added to botnets
  Provide bandwidth for denial of service attacks
Where's the Drupal?
How does Drupal fit into this equation?
Value of your Drupal
Reputation and Trust
Your Drupal site likely has a legitimate search engine ranking
Your users trust your Drupal site
Your Drupal site is a valuable platform that reaches a large number of visitors and trusted admins
Economics
Attackers choosing targets will seek the highest return for the least risk/effort
Target pool is the entire internet
Two main high value targets:
  Large financial data stores: high risk/effort, high reward
  End user machines where financial transactions take place: low risk/effort, low reward
Unless...
Ah Computation
Computers make automation easy
+ The internet allows for massive scale
= Attack lots of low risk/effort targets for massive rewards!
Anatomy of an Attack
Find a vulnerability that affects a large number of servers
Exploit the vulnerability en masse to install something that will attack each client that visits a site
Result: A large number of malware installations
Malware
Malware is the virus code that will run on end user computers
Generally exploits a vulnerability in a web browser or some third party plug-in
Examples:
  WebKit vulnerability
  Flash
  Java
  Adobe Acrobat
  XML rendering engine
  Etc.
Malware Design
Trick the user into loading a specific page
Page contains tainted content
Client loads content, triggering attack
Tainted content executes arbitrary code
  Generally a downloader
  Downloader reaches out to the internet and downloads larger malware toolkit
  Once download complete, toolkit is installed
Types of Attack – SQL Injection
In Drupal, SQL injection almost always means a module developer bypassed the database API (user input pasted into a query string instead of passed as a placeholder)
Allows an attacker to issue database queries through the web interface
Can be used for all sorts of nefarious purposes
Ensure your Drupal site isn't using the MySQL root account! Give it its own database user with only the privileges it needs
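What "bypassing the framework" looks like next to the idiomatic Drupal 7 database API, as an added example that is not from the talk. `db_query()`, `db_select()` and the `{node}` table are the real Drupal 7 API; the `mymodule_*` function names and the title lookup itself are assumptions for illustration.

```php
<?php
// Added example, not from the slides. Drupal 7 database API; the mymodule_*
// names and the "find by title" page are hypothetical.

/**
 * VULNERABLE: user input is pasted into the SQL text.
 * A title of  x' OR '1'='1  returns every node, and a UNION SELECT can read
 * any other table through this one page.
 */
function mymodule_find_by_title_vulnerable($title) {
  $sql = "SELECT nid, title FROM {node} WHERE title = '" . $title . "'";
  return db_query($sql)->fetchAll();
}

/**
 * SAFE: a named placeholder. The driver binds the value; it never becomes
 * part of the SQL text, so quotes inside $title are just data.
 * (Drupal 6 did the same job with printf-style placeholders: '%s', %d.)
 */
function mymodule_find_by_title($title) {
  return db_query(
    "SELECT nid, title FROM {node} WHERE title = :title",
    array(':title' => $title)
  )->fetchAll();
}

/**
 * SAFE: the query builder. Besides escaping, tagging the query lets the
 * node_access system remove rows the current user may not see, which a
 * hand-written query string silently skips.
 */
function mymodule_find_by_title_select($title) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', $title)
    ->addTag('node_access')
    ->execute()
    ->fetchAll();
}

/**
 * Placeholders bind values only. Table names, column names and keywords
 * (ORDER BY column and direction) cannot be bound, so whitelist them.
 */
function mymodule_sort_direction($direction) {
  return strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
}

function mymodule_sort_column($column) {
  $allowed = array('nid', 'title', 'created');
  return in_array($column, $allowed, TRUE) ? $column : 'nid';
}
```

None of this helps if the database account itself is over-privileged. A dedicated MySQL user with rights on the site's own database only (roughly the grant list in Drupal's INSTALL.mysql.txt: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES) limits what an injection can reach; root turns it into a server-wide compromise.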
Types of Attack – XSS
XSS stands for cross site scripting
More accurately: arbitrary HTML/script injection
Can be used by an attacker to produce an alert box!
Actually can be used to write any HTML to a page, including but not limited to:
  JavaScript
  Iframe tags
  Object tags
Types of Attack – XSS (cont.)
JavaScript can be used to steal session cookies and hijack the user's session
XSS can be used to perform XSRF
Can be used to include references to malicious content
Can be used to redirect your users to another site
Types of Attack – XSRF
Cross Site Request Forgery
Attack causes your browser to submit forms silently in the background
Because the browser attaches the site's cookies to every GET/POST request it sends, the server often assumes such requests are legit
Drupal form tokens prevent this UNLESS the attacker can inject JavaScript to read them
XSRF can be used to silently change settings or post content in your Drupal site
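Form API tokens only protect Form API forms. A state change triggered by a plain GET link has no token unless the module adds one, which is where most Drupal XSRF bugs live. The following added example (not from the talk) shows a vulnerable GET action, the same action protected with `drupal_get_token()`/`drupal_valid_token()`, and the better option of a confirmation form. Those functions, `confirm_form()` and `hook_menu()` are the real Drupal 7 API; the `mymodule_*` names, the "unsubscribe" action and its table are assumptions.

```php
<?php
// Added example, not from the slides. Drupal 7 API; the mymodule_* names,
// the "unsubscribe" action and the mymodule_subscription table are hypothetical.

function mymodule_menu() {
  $items['mymodule/unsubscribe/%'] = array(
    'page callback' => 'mymodule_unsubscribe_page',
    'page arguments' => array(2),
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  $items['mymodule/unsubscribe-confirm/%'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_unsubscribe_form', 2),
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * VULNERABLE: a plain GET link performs the state change. Any page the victim
 * visits can embed
 *   <img src="http://yoursite.example/mymodule/unsubscribe/42">
 * and the browser sends the victim's session cookie with it, so the action
 * happens silently. Form tokens never enter the picture: there is no form.
 */
function mymodule_unsubscribe_vulnerable($list_id) {
  mymodule_do_unsubscribe($GLOBALS['user']->uid, $list_id);
  drupal_goto('<front>');
}

/**
 * SAFE: the link carries a token bound to the session and to this action, and
 * the callback refuses to act without it. An attacker can only obtain the
 * token by running script in the victim's browser, which is exactly why the
 * slide says XSS defeats this protection.
 */
function mymodule_unsubscribe_link($list_id) {
  return l(t('Unsubscribe'), 'mymodule/unsubscribe/' . $list_id, array(
    'query' => array('token' => drupal_get_token('mymodule-unsubscribe-' . $list_id)),
  ));
}

function mymodule_unsubscribe_page($list_id) {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'mymodule-unsubscribe-' . $list_id)) {
    return MENU_ACCESS_DENIED;
  }
  mymodule_do_unsubscribe($GLOBALS['user']->uid, $list_id);
  drupal_set_message(t('Unsubscribed.'));
  drupal_goto('<front>');
}

/**
 * BETTER: a confirmation form. Form API adds and validates form_token for
 * logged-in users automatically, and the change only happens on POST.
 */
function mymodule_unsubscribe_form($form, &$form_state, $list_id) {
  $form['list_id'] = array('#type' => 'value', '#value' => $list_id);
  return confirm_form($form, t('Unsubscribe from list %id?', array('%id' => $list_id)),
    '<front>', NULL, t('Unsubscribe'));
}

function mymodule_unsubscribe_form_submit($form, &$form_state) {
  mymodule_do_unsubscribe($GLOBALS['user']->uid, $form_state['values']['list_id']);
  $form_state['redirect'] = '<front>';
}

/** Hypothetical stand-in for the real state change. */
function mymodule_do_unsubscribe($uid, $list_id) {
  db_delete('mymodule_subscription')
    ->condition('uid', $uid)
    ->condition('list_id', $list_id)
    ->execute();
}
```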
Other Types of Attack
Access bypass
Open redirect
Information disclosure
Arbitrary code execution (BAD!!!)
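The first three in Drupal module code, each as a vulnerable and a fixed form, as an added example that is not from the talk. `hook_menu()`, `hook_permission()`, `drupal_goto()`, `url_is_external()` and `watchdog()` are the real Drupal 7 API; the `mymodule_*` names, the "reset" page and the `mymodule/go` redirector are assumptions.

```php
<?php
// Added example, not from the slides. Drupal 7 API; the mymodule_* names, the
// "reset" page and the "go" redirector are hypothetical.

function mymodule_permission() {
  return array(
    'administer mymodule' => array('title' => t('Administer mymodule')),
  );
}

function mymodule_menu() {
  $items = array();

  // ACCESS BYPASS (vulnerable): 'access callback' => TRUE grants the page to
  // everyone, anonymous users included. It usually starts life as a
  // debugging shortcut and ships by accident.
  $items['admin/config/system/mymodule/reset'] = array(
    'title' => 'Reset mymodule',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_reset_form'),
    'access callback' => TRUE,
  );

  // SAFE: require a permission. user_access() is the default access callback
  // when only 'access arguments' is given.
  $items['admin/config/system/mymodule/reset'] = array(
    'title' => 'Reset mymodule',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_reset_form'),
    'access arguments' => array('administer mymodule'),
  );

  $items['mymodule/go'] = array(
    'page callback' => 'mymodule_go',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * OPEN REDIRECT (vulnerable): ?url=http://attacker.example sends a visitor
 * who trusts yoursite.example to the attacker's page, behind a link that
 * starts with your domain. Phishing mail and malware drops love this.
 */
function mymodule_go_vulnerable() {
  drupal_goto($_GET['url']);
}

/**
 * SAFE: only redirect to internal paths. url_is_external() rejects absolute
 * URLs; the leading-slash check additionally rejects scheme-relative
 * //attacker.example style targets. Anything else goes to the front page.
 */
function mymodule_go() {
  $target = isset($_GET['url']) ? $_GET['url'] : '';
  if ($target === '' || url_is_external($target) || preg_match('@^[/\\\\]{2}@', $target)) {
    $target = '<front>';
  }
  drupal_goto($target);
}

/**
 * INFORMATION DISCLOSURE (one common form): showing a raw exception message
 * tells the attacker table names, file paths and versions. Log the detail,
 * show the user a generic message.
 */
function mymodule_lookup_title($nid) {
  try {
    return db_query('SELECT title FROM {node} WHERE nid = :nid', array(':nid' => $nid))->fetchField();
  }
  catch (Exception $e) {
    watchdog('mymodule', 'Lookup failed: @msg', array('@msg' => $e->getMessage()), WATCHDOG_ERROR);
    drupal_set_message(t('Lookup failed.'), 'error');
    return FALSE;
  }
}
```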
Tactics for Injecting Tainted Content
Use SQL injection to arbitrarily add it to the database
Use XSS to force a reference to the tainted content
Upload tainted content directly or include a link to tainted content
Use stolen credentials to add content through the admin interface
Purchase a malicious ad banner
Trick the user (Fake AV)
And so on...
Economies of Scale
Automation is the key to making this profitable
Attackers will try to identify a vulnerability affecting a large number of sites
Attackers will test their attack strategy, then deploy it once it is automated
Attacks are over in a few seconds
Your site will be one of thousands, or millions, of victims
Why You Should Care
You do care about your visitors, don't you?
Even if you don't:
  Your site could get delisted by search engines
  Your hosting provider could block your site
  Your domain registrar could block your site
  End user browsers could block your site
Net result: denial of service
Protect Thyself
#1 thing you can do is keep your Drupal core and modules up to date
Use the latest version of core if you can
Don't forget about third party libraries like TinyMCE and jQuery
Make sure MySQL isn't reachable over the network (bind it to localhost or a socket; only the web server needs it)
Keep your web server and operating system up to date
Use strong FTP/SSH passwords! (Plain FTP sends them in the clear; prefer SFTP/SCP)
Avoid Admin Account Compromise
Recently Drupal brute force bots have been spotted in the wild!
Create a new account with all privileges
Disable your uid 1 account
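The two steps above as one script, an added example that is not from the talk. It assumes Drupal 7, where the install creates an "administrator" role that automatically receives every permission and records its id in the `user_admin_role` variable; `user_save()`, `user_load()`, `user_load_by_name()`, `user_password()` and `variable_get()` are the real Drupal 7 API. The function name, the caller (for instance `drush php-eval`) and the new account's name and mail are assumptions.

```php
<?php
// Added example, not from the slides. Drupal 7 user API. Run once from a
// context that has bootstrapped Drupal (e.g. drush php-eval); the function
// name and the account details are hypothetical.

function mysite_replace_uid1($name, $mail) {
  // The administrator role is what makes the new account "all privileges".
  $admin_rid = variable_get('user_admin_role', 0);
  if (!$admin_rid) {
    throw new Exception('No administrator role is configured (admin/people/permissions/roles).');
  }
  if (user_load_by_name($name)) {
    throw new Exception("An account named $name already exists.");
  }

  // A long random password; user_password() is Drupal's own generator.
  $password = user_password(24);
  $edit = array(
    'name' => $name,
    'mail' => $mail,
    'init' => $mail,
    'pass' => $password,  // user_save() hashes it before storing
    'status' => 1,
    'roles' => array($admin_rid => $admin_rid),
  );
  $account = user_save(NULL, $edit);
  if (!$account) {
    throw new Exception('Failed to create the replacement administrator.');
  }

  // Now disable uid 1. It bypasses every permission check no matter what its
  // roles are, which is why a guessed password for it is so valuable; once
  // blocked it can no longer log in. Renaming it away from the default
  // "admin" also takes the username half away from the brute force bots.
  $uid1 = user_load(1);
  user_save($uid1, array(
    'status' => 0,
    'name' => 'uid1-disabled-' . strtolower(user_password(8)),
  ));

  // Hand the credentials to the caller; do not mail or log them.
  return array('uid' => $account->uid, 'name' => $name, 'pass' => $password);
}
```

Log in with the new account before blocking uid 1 if you do this by hand, and store the generated password in your password manager straight away; the return value is the only copy.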
Trust but Verify
Avoid allowing untrusted users to publish content
Restrict tags that users can utilize
Moderate your content if possible
Restrict file upload types
Use an antivirus package to scan file uploads
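Restricting tags is a text format setting (the "Limit allowed HTML tags" filter under admin/config/content/formats); restricting and scanning uploads is module code. The latter as an added example that is not from the talk: `file_save_upload()`, `file_validate_extensions()`, `file_validate_size()` and `file_save()` are the real Drupal 7 File API, and Drupal's own renaming of executable extensions and the .htaccess it writes into the files directory are real core behaviour. The form, the `mymodule_*` names and the `clamscan` validator (assumes ClamAV's `clamscan` is installed and on PATH) are assumptions.

```php
<?php
// Added example, not from the slides. Drupal 7 Form and File API; the form,
// the mymodule_* names and the clamscan validator are hypothetical.

function mymodule_upload_form($form, &$form_state) {
  $form['#attributes']['enctype'] = 'multipart/form-data';
  $form['attachment'] = array(
    '#type' => 'file',
    '#title' => t('Attachment'),
    '#description' => t('Allowed: jpg, jpeg, png, gif, pdf. Maximum 2 MB.'),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Upload'));
  return $form;
}

function mymodule_upload_form_validate($form, &$form_state) {
  $validators = array(
    // Whitelist, never blacklist: an attacker needs only one extension you
    // forgot (.phtml, .php5, .htaccess ...). Unless the allow_insecure_uploads
    // variable is set, Drupal also renames executable extensions that slip
    // through (foo.php becomes foo.php.txt), and the .htaccess it writes into
    // the files directory tells Apache not to execute anything there.
    'file_validate_extensions' => array('jpg jpeg png gif pdf'),
    'file_validate_size' => array(2 * 1024 * 1024),
    // Custom validator: hand the file to a scanner before it is accepted.
    'mymodule_validate_clamscan' => array(),
  );
  $file = file_save_upload('attachment', $validators, 'public://attachments');
  if ($file === FALSE) {
    // The validators already reported the specific reason.
    form_set_error('attachment', t('The file could not be uploaded.'));
  }
  elseif ($file) {
    $form_state['values']['attachment'] = $file;
  }
}

function mymodule_upload_form_submit($form, &$form_state) {
  $file = $form_state['values']['attachment'];
  $file->status = FILE_STATUS_PERMANENT;
  file_save($file);
  drupal_set_message(t('Saved %name.', array('%name' => $file->filename)));
}

/**
 * File validator (assumption: ClamAV's clamscan is installed and on PATH).
 * clamscan exits 0 for clean, 1 for infected, 2 on error. Like Drupal's own
 * validators it returns an array of error strings, empty when the file passes.
 * The contributed ClamAV module packages the same idea; shown inline here.
 */
function mymodule_validate_clamscan($file) {
  $errors = array();
  $path = drupal_realpath($file->uri);
  exec('clamscan --no-summary ' . escapeshellarg($path), $output, $status);
  if ($status === 1) {
    $errors[] = t('The file %name contains malware and was rejected.', array('%name' => $file->filename));
  }
  elseif ($status !== 0) {
    // Fail closed: a scanner that did not run must not let the file through.
    $errors[] = t('The file %name could not be scanned.', array('%name' => $file->filename));
  }
  return $errors;
}
```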
Install Security Related Modules
Security Review: spot problems proactively
Login Security: block brute force attempts
Password Strength: prevent weak passwords
CAPTCHA & reCAPTCHA: deny attackers automation
Beware!
Don't use alpha, beta, dev, or rc (release candidate) versions of modules
  Wait, why? Even for Drupal 7?
  Yes: the Drupal security team only issues advisories for stable releases, so pre-release code gets no security coverage
Only use the modules you need
Be careful of modules that are designed to extend privilege
Be sure your module developers understand and follow Drupal security guidelines
Make sure your theme designers do too!
How to Detect a Compromise
If you're lucky you'll spot a compromise
Most likely though you'll get the dreaded 3rd party notification
  Email from your hosting provider or other party
In extreme cases your site will simply go offline
What to do after a compromise
Don't panic!
Decide on a course of action
Seek professional help if appropriate
Preserve evidence if possible
Work with your hosting provider to figure out what went wrong
Be sure the compromise is contained before you go back online
Getting Help
Come to Drupaldelphia!
OWASP (http://www.owasp.org)
Contract for a security review
Follow the Drupal security mailing list
Report compromises to:
  Your hosting provider
  Your users