Thoughts On Security

Security is in a constant evolving state and keeping up with the various changes can be heard. As my journey continues in the security industry, I will share thoughts and opinions based on personal experiences. Thoughts are mostly around website security, sprinkled with general security concepts as well, but all tailored to the everyday enduser.

OSSEC – Detecting New Files – Understanding How it Works

Published in Security on July 27, 2013

I recently saw some discussion in the OSSEC distribution list of someone having an issue with getting OSSEC syscheck to work right in real-time. It reminded me of a similar issue I had with my own configuration and others I have read about, so I figured I’d write something to shed light on how OSSEC’s syscheck works in real-time. Thanks ofcourse to Dani for the assist.

Syscheck – Integrity Checking Daemon

If you’re familiar with OSSEC, then you know syscheck, if you’re not then this section will get you caught up – I hope.

Syscheck is the integrity checking daemon within OSSEC. It’s purpose is simple, identify and report on changes within the system files. The way it works is simple, when you first install OSSEC it runs an initial syscheck scan, this scan will go through and capture the check sum of every file on the system (every file you have identified in your configuration file – /var/ossec/etc/ossec.conf). Once the baseline is set, syscheck is able to perform change detection by comparing all the checksums on each scan. If it’s not a 1 for 1 match, it reports it as a change. If new files are added, it identifies it as new, and reports it.

Simple, right? Right…

Enable 2FA with SSH Connection

Published in Security on July 24, 2013

If you don’t know, I’m a big fan of two-factor authentication. I often talk about it integrated into your web applications access points, like wp-admin in WordPress and administrator in Joomla, but in this post I’m going to talk about leveraging it with your SSH connections.

When configuring your server access points it’s important you enable Public Key authentication in the place of passwords. Mainly because, unlike passwords, you can’t exactly brute force the access point with the keys enabled. There is also a functional aspect to it, not having to worry about passwords is great. Once you have it configured you can quickly access any of your boxes without having to remember or store the passwords. An example of where this would have been in your favor is the SSHD rootkit outbreak in February. With public keys enabled, those affected would have been spared compromises as passwords would not have been stolen.

Jump Between Servers using SSH and Shuttle

Published in Security on July 22, 2013

Jason Tucker shared this cool link over the weekend and I like it a lot and wanted to share.

It’s a tool that allows you to quickly access your various servers via SSH. If you authenticate using keys, then this is a serious win for you. It allows you to manage multiple SSH accounts via your MAC, but more importantly allows you to quickly log into them by opening your terminal and passing your syntax.

Why this is so convenient is because it helps you set your various ports, assuming they are all different, allows you to set any special options like binding to specific ports and / or defining specific keys that might not be your standard. Instead of trying to remember which one is which, you set it once and leave it alone.

OSSEC – Error: PostgreSQL client libraries not installed.

Published in Security on May 10, 2013

I was playing with OSSEC HIDS this afternoon and trying to get it configured to work with MySQL and when I was running make on the DB setup I was getting this error:

Error: PostgreSQL client libraries not installed.

I was a bit frustrated with it, it seems as it if requires both MySQL and PostgreSQL to be installed to finish compiling. To get around this just install PostgreSQL that seems to do the trick.

Curious to See a DDOS in Action?

Published in Security on April 26, 2013

I’ve always wondered what a Distributed Denial of Service (DDOS) really looks like. Fortunately, there is now this pretty awesome video illustration of what it looks like:

Crazy April for the WordPress Platform

Published in Security on April 25, 2013

In case you haven’t been following the month of April has been a bit of a whirlwind for website owners, specifically those using the WordPress platform. The good news is it’s motivated me to start writing again, not so much here but on our company blog. That being said, let me get you caught up on what’s been going on.

Fortunately, it all started off with my presentation at WordCamp Miami, which was pretty awesome I might add.

It really kicked off with the big challenges presented by the apparent abuse of trust that came from the Social Media Widget plugin.

If you didn’t hear, the original developer of the plugin sold the rights to a marketing firm, who then outsourced it to a freelancer. That freelancer then took it upon himself to inject code into the core of the plugin, so when it was pushed to the repository and notified everyone of updates it injected everyone with the payload. Nasty, I know. Talk about taking all the fun out of hacking, boo for laziness, yay for ingenuity. The obvious downside here being the abuse of trust as I just stated, making you wonder what is being done to address that very apparent vulnerability. What do you think?

WordPress Website Security: WordSesh 2013

Published in Security on April 15, 2013

Here is an online presentation I gave at WordSesh 2013. Always weird when you give an online presentation, unable to gauge the crowd and respond accordingly. Look forward to your feedback.

WordCamp Miami 2013: WordPress Website Security

Published in Security on April 3, 2013

I’ll be in Miami this weekend, for WordCamp Miami 2013, giving a new, updated talk on Website Security. Come by and say hi if you’re around — If you’re not, no problem, I’ve included my slides below in this post for your reference.

My talk is titled Staying of the Website Threats and Becoming One with Malware. In it, I talk about the latest threats and things you can do to help yourself and your site stay secure. The idea is to educate and in the process, help you gain a deeper appreciation for the underbelly of the web and the realities of the web based malware.

OSSEC For Website Security: Part I

Published in Security on March 13, 2013

OSSEC HIDS is my preferred host-based intrusion detection system (HIDS). I have to admit I am a bit partial to it because my good friend Daniel Cid built it and sold it to Trend Micro / Third Brigade back in 2008. I have what many don’t have, that’s the ability to pester Daniel until he tells me and guides through all my issues. In the process I have learned a number of things and made some very interesting observations about the product, here is where I will be sharing them.

Being that my focus is on website security my employment and utilization of the product will be as such. I won’t talk much to the configuration and monitoring of large scale enterprises, but will likely get into large n-tier implementations of web enterprises. This could include the utilization of load balancers, web servers and database servers, and possibly some storage devices. Pretty straight forward stuff.

Protect Your Website Vulnerabilities With a WAF: New Compairson Report: CloudFlare vs Incapsula vs ModSecurity

Published in Security on March 9, 2013

A new report came out in February, put together by Zero Science Lab, in which they compare the effectiveness between CloudFlare and Incapsula. In it they did the same thing Philip Tibom of Sweden did last year in his comparative report in which he concluded that Incapsula was the superior product. In this new report they included the use of TrustWave’s ModSecurity solution. The thing that website owners have to understand however is that comparing the three is a bit misleading.

Incapsula and Cloudflare are the two leading WAF solutions set up as a software as a service (SaaaS) designed to help every day website owners. CloudFlare probably trumps Incapsula actually in their marketing prowess. ModSecurity, although powerful, is the opposite. It’s something you’d have to configure and maintain on your web servers.

Web Threats Are Real: Be Proactive

Published in Security on March 6, 2013

This post is really designed for my family and friends. I write it because in the business that I am in I get to see hear the detrimental impact web based threats have on people. I hear horror stories of lost data, the amount of information they have lost and the impacts it has had on them and their businesses.

I by no means will cover all the things that you should do, but it will help better situate your online security posture.

Good security posture is about risk reduction…

Understand that when reading this there are many variables that have to be accounted for when talking about protecting yourself and not everything is under your control. The web is such that we have grown accustomed to what it offers us and now we have to learn to adapt.

Security Implications of WordPress in The Enterprise

Published in Security on January 30, 2013

My Chileno brother from another mother, Chris Lema, put out a great guest post on WPEngine yesterday talking about WordPress and the Enterprise. He talks to the how and why of it’s emergence in the enterprise scene, but in the process makes a number of statements that very clearly explains the challenges we face as information security professionals. That, however, does not take away from the great points he makes around why it is a good enterprise platform.

Quick side note:

If you’re not familiar with Chris Lema, he’s perhaps one of the most engaging and insightful people you’ll meet and loves to write. WP Engine on the other hand is one of the premiere managed WordPress hosting providers in today’s market specializing in the ability to make your website grow wings, yes like Red Bull.

The Discussion

Of the various things I do at Sucuri, the one I am fondest of, is the ability to lead our incident / intrusion handling team. This is an unadvertised service that we provide enterprises. At a high-level we perform forensic analysis of the incident, outline the impacts of the compromise and perform offensive countermeasures to attacks if so required. It’s in this capacity that I have gained a unique perspective on this subject. I can attest to its arrival in the enterprise, and I’d argue that it’s no longer sneaking in – that was perhaps 2 years ago.

Web Application Vulnerability Scanners: W3AF – 12.10 xUbuntu Installation

Published in Security on January 28, 2013

I have been interested in the Web Application Attack and Audit Framework (W3AF) since I first heard about it last summer, 2012. It was unfortunately not the most straight forward installation, it contains a number of dependencies and not something I was willing to invest into. I was also a bit more novice than I am today and didn’t completely understand what I was doing or needed to do. Today things are a bit different and this evening I decided to take another stab at it.

Note: If you run BackTrack 3.0 you’ll find it prepackaged, not sure about earlier versions, so just skip this entire post.

My biggest challenge was that I was trying to install it on a xUbuntu NIX distribution. If you’re not familiar with it, it’s a child of the Ubuntu family as implied by the name, but it’s light weight. By light weight I mean that it comes with the bare necessities only, if you want something on the box you have to install it and that includes all its dependencies. That’s perhaps where I ran into the most issues. Most of the documentation you find, to include what w3af says once installed, states that python 2.6 is required. That, fortunately is not the case. You can definitely get it running with 2.7 and that’s what I’ll provide here.

WordCamp Las Vegas 2012: WordPress Security, Dealing with Today’s Hacks

Published in Security on January 16, 2013

In December I had the opportunity to speak at WordCamp Las Vegas 2012 on the topic of WordPress Security, Dealing with Today’s Hacks.

Every day there are new hacks that come online and the problem is affecting everyone. If you or a friend have found yourself at a tail end of a hack then then this talk is for you.

In this talk, I speak about the prominent WordPress hacks, how they affect and leverage WordPress resources and more importantly how to detect and remove, including Backdoors, Pharma Hack, Injections, and Malicious Redirects. I will also introduce you to working with Google Webmaster and how to deal with “Your site maybe be compromised” warnings in the Google’s search engine results pages.

While this talk will employ the use of terminal commands, it’s delivered in a way that end-users can understand, with instructions on how to navigate your host CPANEL configuration to make it work for you, as well as steps that will help you protect yourself from these hacks.

Check out the video on my presentation:

Watch The Video

Responsible Disclosure

Published in Security on November 14, 2012

As of late I seem to get into more and more discussions around this subject. I am fortunate enough to own a web security company which has grown in brand reputation to the point where when we disclose we often get a response, but that is not always the case. We go through the same struggles many do around disclosure.

When is it appropriate to disclose?
What time-frame should you give?
What do you do if you don’t receive a response?
What do you do if you get a response that blows you off?

Protecting Your Website: CloudFlare or Incapsula?

Published in Security on November 13, 2012

I get this question a lot whenever I talk with clients or give presentations, “How do I prevent my website from being hacked?”. Many actually confuse the service we offer at Sucuri as a preventive service. Good thing we don’t advertise preventive services.

That’s right, our service sits in the detection and remediation realm. By the nature of what we do there are preventive components that we implement, but our service has always been about detection, and more importantly remediating the mess. For any InfoSec professional working in the security domain you can understand this approach; you have long learned that prevention is ideal but detection is key and that’s based around the understanding that prevention, like detection, will never be a 100% solution.

That being said, I came across a recent report by Philip Tibom of Sweden titled Incapsula vs. CloudFlare (PDF Download). It was published October 15th, 2012 and in it he chronicles his experiences with both platforms over the last 6 months. If you’re not familiar with either then you’re really not that concerned with your security posture, and that’s ok of course but unfortunate none the less.

Spoofing an Admin’s Cookies Using Burp

Published in Security on November 5, 2012

Here is a quick little video I put together to show you how spoofing a users cookies works. This is not a real example, in most instances an application like Burp suite would be used in conjunction with a XSS attack or some equivalent attack. The objective is to get someone with higher privileges to log in with the desired credentials.

In this example, I intercept the administrators account cookie then use that same cookie to modify my own request, from a lower privileged user. This in turn grants me full access as the administrator, the application being none the wiser. Even after I logged out.

2012 NCSA / Symantec: National Small Business Cyber Security Study

Published in Security on October 16, 2012

The National Cyber Security Alliance (NCSA) partnered with Symantec to conduct an online safety survey study of Small to Medium businesses. It was just released October of 2012 and as surprising as some of the data points are, they really shouldn’t be. The total representative sample group was 1,015 US based SMB’s (250 employees or less) and its margin of error is +/- 3.1 percent for the sampling error.

The report actually covers a wide range of Information Security concepts, from: internet usage, device management (obviously getting more insight into the growing bring your own device (BYOD) dilemma plaguing companies) and other concepts like intrusion detection and mitigation. I will obviously focus on those areas that best pertain to the domain I’m interested in, web security.

OSSEC Agent to Server Connection Issues

Published in Security on October 9, 2012

So naturally, as of late, I have found myself doing more than I probably need to on my servers and in the process causing more headaches then required. One of those issues has been with the communication between my agents and the mother-ship (command control) server with my OSSEC installs. For more details information, be sure to check out the OSSEC Host-Based Intrusion Detection Guide by Daniel.

The first thing to understand is how to check the status of your agents and easiest way to do that is running the following on the server install (my mothership):

# /var/ossec/bin/agent_control -lc

This will list out all your agents and if they are active it’ll read Active. If they are inactive, they don’t read inactive unfortunately, they just don’t show up.

Update WPSCAN using GIT on BackTrack 5R2

Published in Security on October 3, 2012

So I have been playing with a number of tools lately and this was perhaps one of the easiest things I couldn’t figure out. Talk about having a “WTF” moment.

If you’re curious, wpscan is a vulnerability scanner designed to pentest WordPress applications. It has a number of features that allow you to enumerate usernames, plugins, and TimThumb files. I’ll actually be demonstrating the tool this weekend at WordCamp Las Vegas. As for BackTrack its a Linux distribution also designed for pentesters. If you’re interested more in malware reverse engineering then you might want to look at the REMnux linux distribution. In any event, that’s a subject for another day…

WPSCAN came pre-configured with BackTrack but as you might expect, it was out of date. So naturally I tried their update option:

#ruby ./wpscan.rb --update

When you do, on a clean install, you’re likely greeted with the following: