Presentation given by Ellen Mitchell of the CIS security team on website exploits - what do we see at Texas A&M, how can you prevent them, what should you do if your site is hacked.
2. Outline
• What is a web server compromise?
• Background - who participates in campus process (open web server, respond)?
– Typical steps to launch web server on campus
• How can we prevent compromise?
• How can we detect it?
• What do we do if compromised?
• Additional resources
3. What is a Web Server Compromise?
• Defacement
• Pharmacy Spam (viagra, cialis)
4. Defacement
• Defacement is a type of vandalism that involves damaging the appearance or surface of something.
9. Pharmacy Spam
• Malicious code injected on legitimate but compromised sites
• There is also a twist – the injected spam is keyed on referer links, user agents, etc., which can prevent admins from discovering it easily
16. Participants?
• Host “owners” as recorded in “NIM”
– “Liaisons” on behalf of a professor/customer
– Web server maintainers (the “mechanic”)
– Web content managers (the “driver”)
– From student workers -> professional IT staff
• Security team
• Your web audience
18. Typical Process to Launch Web Server
• Contact Security Team
– security@tamu.edu
• Vulnerability Scan
– Self-service: scan.tamu.edu or
– We’ll scan for you
• Fix any problems
• Port(s) are opened on the campus firewall
21. Common Issues We See (1/3)
• Vulnerable software can permit execution of arbitrary commands, redirection to other sites, inclusion of files, loss of data
• Out of date versions:
– PHP
– Apache
– Drupal
– WordPress
– Joomla
22. Common Issues We See (2/3)
• Configuration
– SSLv2, SSLv3 should be disabled, use TLS
• https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
• https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability
– Self-signed certificates
• Get one at no cost from cert.tamu.edu
23. Common Issues We See (3/3)
• Configuration
– Forums not locked down
– WordPress default configuration allows someone to create their own blog
• See owasp.org “top 10” list of problems (Open Web Application Security Project)
• Doing research, we found many of the “top 10” problems from 2006 were the same as today
24. OWASP Top 10 problems from 2006
• Unvalidated input
• Broken access control
• Broken authentication and session management
• Cross-site scripting (XSS)
• Buffer overflows
• Injection flaws (shell commands and SQL)
• Improper error handling
• Insecure storage
• Denial of service
• Insecure configuration management
25. OWASP Top 10 problems from 2013
• Injection
• Broken authentication and session management
• Cross-site scripting (XSS)
• Insecure direct object references
• Security misconfiguration
• Sensitive data exposure
• Missing function level access control
• Cross-site request forgery
• Using components with known vulnerabilities
• Unvalidated redirects and forwards
27. How Can We Prevent Compromise? (1/2)
• Vulnerability scans
• Keep up-to-date with software, patches
• Secunia Corporate Software Inspector
• Back up your content
• Code review – sanitize input
28. Prevention (2/2)
• Microsoft Baseline Security Analyzer (Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP)
• Antivirus
• Be careful what you install
– Toolbars – source of spyware
– Cnet.com – often software comes pre-installed with undesirable add-ons
36. A note about Mudrop
• Windows malware
• Talks to “Mother Ship” and downloads additional files
• Bypasses personal firewall settings
• Affects Master Boot Record and registry
37. A note about Zeus
• Windows malware
• Keylogger, can steal financial information
• Used to install CryptoLocker ransomware
• Hard to detect and prevent
• Often obtained via phishing, “drive-by” downloads
44. Google Webmaster Tools
• Fetch as googlebot
• The fetch and render mode tells Googlebot to crawl and display your page as browsers would display it to your audience. […] You can use the rendered image to detect differences between how Googlebot sees your page, and how your browser renders it.
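The pharmacy-spam "twist" and the Fetch-as-Googlebot check above are two views of the same problem: the injected code serves spam only to crawlers or to visitors arriving from a search engine, so the admin browsing directly sees a clean page. This added example (not from the presentation) fetches one URL under several header profiles and diffs the bodies; the `canned_fetch` stand-in, the spam word list and the search referer are constructed, and the target URL is a placeholder.

```python
import re
from urllib.request import Request, urlopen

# Header profiles to compare. The Googlebot UA is Google's published string;
# the search referer is a constructed sample value.
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
PROFILES = {
    "browser": {"User-Agent": FIREFOX},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_search": {"User-Agent": FIREFOX, "Referer": "https://www.google.com/search?q=campus+site"},
}
SPAM_TERMS = re.compile(r"\b(viagra|cialis|levitra|pharmacy|buy cheap)\b", re.I)


def http_fetch(url, headers):
    """Live fetcher: GET url with the given headers and return the body as text."""
    with urlopen(Request(url, headers=headers), timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def check_cloaking(url, fetch=http_fetch):
    """Fetch url once per profile and compare each body with the plain-browser one.

    fetch(url, headers) -> body is injectable so the check can run offline.
    Returns {"cloaked": bool, "profiles": {name: {"differs": bool, "spam_terms": [...]}}}.
    """
    bodies = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    baseline = bodies["browser"]
    profiles = {}
    for name, body in bodies.items():
        profiles[name] = {
            "differs": body != baseline,  # cloaking shows up as a different page
            "spam_terms": sorted({m.lower() for m in SPAM_TERMS.findall(body)}),
        }
    cloaked = any(p["differs"] or p["spam_terms"] for p in profiles.values())
    return {"cloaked": cloaked, "profiles": profiles}


def canned_fetch(url, headers):
    """Constructed stand-in for a compromised site: spam is served only to a
    crawler UA or to a visitor whose Referer is a search results page."""
    ua, ref = headers.get("User-Agent", ""), headers.get("Referer", "")
    clean = "<html><body><h1>Department of Chemistry</h1></body></html>"
    if "Googlebot" in ua or "google.com/search" in ref:
        return clean.replace("</body>", "<div style='display:none'>buy cheap viagra cialis</div></body>")
    return clean
```

Run `check_cloaking("https://your-site.example/", fetch=http_fetch)` against a live host; a `differs` or non-empty `spam_terms` entry for the crawler or search-referer profile is what Fetch as Googlebot would also reveal.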
45. How Can We Detect It?
• In-house tools (IDS)
• Receive notices from off-campus
• Phone calls, email to president@tamu.edu
• Google Webmaster Tools
• Review log files (ours and yours)
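For the "review log files" item, an added example (not from the presentation) of what to look for in an Apache combined-format access log on a PHP/WordPress/Drupal/Joomla host: PHP being executed from a directory that should only hold uploads, and one client producing a burst of 404s while probing for software to attack. The upload directory list and the sample log lines are constructed, using documentation IP ranges.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Directories that should hold uploads/static files only (assumed WordPress, Drupal and
# Joomla layouts); a PHP request under one of them is a classic sign of a planted script.
UPLOAD_DIRS = ("/wp-content/uploads/", "/sites/default/files/", "/images/")


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_log(lines, scan_threshold=4):
    """Scan access-log lines and return a list of findings as tuples."""
    findings, not_found = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.lower().endswith((".php", ".phtml")) and path.startswith(UPLOAD_DIRS):
            findings.append(("php_in_upload_dir", rec["ip"], rec["method"], path, rec["status"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1  # many 404s from one client: something is probing
    for ip, n in not_found.items():
        if n >= scan_threshold:
            findings.append(("scanner_404_burst", ip, n))
    return findings


# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:08:01:02 -0600] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:05 -0600] "POST /wp-content/uploads/2015/03/image.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:08:02:00 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:08:02:01 -0600] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:08:02:02 -0600] "GET /administrator/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:08:02:03 -0600] "GET /user/login HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Mar/2015:08:03:10 -0600] "GET /about/ HTTP/1.1" 200 3001 "https://www.google.com/" "Mozilla/5.0"
""".splitlines()
```

On a real host feed `review_log(open("/var/log/apache2/access.log"))` the file object directly; the two findings it raises are the ones worth cross-referencing with the security team's own scan and IDS logs.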
49. What Do We Do if Compromised?
• Please contact us if we haven’t contacted you
– We can cross-reference and notify others
– We contact the NIM-owner (or best guess)
• Determine what happened
– We may be able to help, with scans/logs, forensic service contract
• Close firewall ports?
• Restore content?
• Reinstall?
51. Additional Resources
• us-cert.gov
• isc.sans.org
• owasp.org
• Providers such as php mailing list, etc.
• www.cgisecurity.com/papers/fingerprint-port80.txt
• aw-snap.info
• am-compadmin (listserv.tamu.edu)
• tamunet (listserv.tamu.edu)