Date aired: June 18, 2019
Join us as we discuss the different types of hacks, how they work, and what to do post-hack. We’ll also share some examples of hacked websites and discuss the most common methods attackers use to target them.
Joshua Hammer
Senior Sales Operations Manager
Josh is managing the sales consultant team for Sucuri. When he is not reading about the newest hacks or delving into website security, he is at home playing board games with his family or video games with friends.
Stephen Johnston
Sales Consultant
Stephen is an Agency Account Manager for Sucuri. He loves helping those he comes into contact with and website security is an important aspect of this approach. He is passionate about God, his family, playing guitar and technology. He lives life to the fullest and focuses on the positive.
Question #1: Why should I trust OWASP?
Answer: OWASP is an open-source area of website security experts that come together to share information. It is vetted by those experts as well 🙂
Question #2: You said that there is a logging process within Sucuri Firewall, how would I be able to set up logging if there were attacks to my site? I’ve seen email reports on uptime, SSL, etc. Have I been lucky and not had an attack yet?
Answer: Check under the audit tab of the firewall. It will show you a lot of good information. We also allow SIEM integration for our enterprise accounts.
Question #3: What is the most unique attack you have seen?
Answer: My favorite one is where someone figured out that if you post a segment of code in 3 separate areas when WordPress archives it, it will execute the code.
Question #4: What is the most common off-site attack, when the attacker doesn’t have any actual access to the WordPress site?
Answer: An SQL injection is a good example of an attack where the person does not have access to the WordPress site but injects code into a form to gather information.
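The form-to-database path described in this answer, as an added example that is not part of the original webinar or of Sucuri's code: a constructed SQLite table standing in for a WordPress users table, a lookup that splices the form value straight into the query text, and the parameterized version that keeps the value as data. The `looks_like_injection` helper is a hypothetical coarse check of the kind an audit rule might log on, not a substitute for parameterization.

```python
import sqlite3

# Constructed sample rows standing in for a WordPress-style wp_users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]

# Constructed sample form input: a quote closes the string literal and the
# remainder is parsed as SQL when the value is concatenated into the query.
SAMPLE_BREAKOUT_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, login):
    """Form value pasted into the SQL text: the database cannot tell data from code."""
    sql = f"SELECT user_login FROM wp_users WHERE user_login = '{login}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, login):
    """Form value bound as a parameter: the whole input is treated as a literal."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = ?"
    return [row[0] for row in conn.execute(sql, (login,))]


def looks_like_injection(value):
    """Hypothetical coarse audit check: string delimiter plus SQL keywords."""
    lowered = value.lower()
    markers = (" or ", " union ", "--", ";")
    return "'" in value and any(m in lowered for m in markers)


def compare(login):
    """Run both lookups on the same input and return their results side by side."""
    return {
        "vulnerable": sorted(lookup_vulnerable(make_db(), login)),
        "parameterized": sorted(lookup_parameterized(make_db(), login)),
        "flagged": looks_like_injection(login),
    }


if __name__ == "__main__":
    print(compare("alice"))
    print(compare(SAMPLE_BREAKOUT_INPUT))
```

With the breakout input the concatenated query returns every user while the parameterized one returns nothing, which is exactly the difference the answer describes.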
Question #5: With different hacks coming in all the time how do you stay up to date?
Answer: It’s hard but we pay people full time to stay on top of this stuff 🙂 It helps when you are seeing it in cleanup. Then we can tell our firewall guys and block the new trends as they happen.
Question #6: Can you give me a price for a full VPS 3 monitoring where we have more than 10 websites?
Answer: With bulk sites like this we do have multiple options. For more information on this, contact us via Chat or I can help you, joshua@sucuri.net.
Question #7: What does it mean when someone is attacking xmlrpc.php and sending POST requests on WordPress sites?
Answer: Could be a DDoS attack like Stephen mentioned, or it could be an injection/XML attack. If you send me some more information, such as logs, I would be happy to get you an answer, joshua@sucuri.net.
Tony Perez – Sucuri Co-Founder:
I want to thank everyone for joining us. This is a really exciting period for us to sit down and chat with you on a number of security topics. I want to specifically start on what happens once an attacker is successful, and I think this is an important way to start. I think often we focus too much energy on what are the things we should be doing, but we don’t necessarily know what it is we’re trying to achieve. So a common theme you hear in my conversation – it’s all about mindset.
Joshua Hammer: Hi, my name is Joshua. I’m a Sales Operation Manager out of here. A little bit about me. I’ve been with Sucuri now for four years. Once again, my title is Sales Operations Manager. Basically means I do a little bit of everything. I’m married to a beautiful wife with two wonderful daughters. And I love games, man. Board games, video games. I even look at security-like games and enjoy laughing so let’s have some fun and some laughs and learn a little in the process. But before we get started let me hand it off to my cohort in crime here, Stephen.
Stephen Johnston: Hey guys. Stephen Johnston here. I’m one of our agency’s Sales Consultants here over at Sucuri. I’ve actually been working at Sucuri for about a year and a half now. I work directly underneath Josh. And a little bit about myself. Personally, I’m married. I have three great kids. And my hobbies are, yeah, I love my religion, my family. As you can tell behind me, I love guitars. And I’m big on technology and security. The two go hand-in-hand so that’s a great fit.
Joshua Hammer: Fantastic. So what are we going to be doing today? Well, first we have to define what a hack is, go over the OWASP Top 10, go a little bit into what a back door is, and SQL injections, cross-site scripting, and other things. So let’s get started. So they asked me to do this and talk about the most common types of hacks and the first thing I thought of was, well, what the heck is a hack? Because the first thing that popped into my mind was malware. But we just did a webinar about malware not too long ago. Stephen, what do you consider a hack? What’s a hack in your mind?
Stephen Johnston: Yeah, to me a hack would be the use of a computer to gain unauthorized access to data within, you know, within a given system.
Joshua Hammer: Fantastic. Very Webster dictionary right there. And you’re right. That’s kind of what I looked at too, was the hack factors. But what other things are out there? A DDoS. Is a DDoS a hack? Well, first a DDoS, by the way, is a Distributed Denial of Service attack. It’s basically flooding a system to take your website or the system offline. And, like I said, I also looked at malware, which is basically, you know, this browser site code or malicious software. What it comes down to is kind of the attack vectors. It’s the way people are getting into a site. And that really brings us into OWASP. The Top 10. OWASP is a wonderful acronym and Stephen, you’re my acronym expert, so go for it.
Stephen Johnston: Yes. So OWASP stands for Open Web Application Security Project. Basically, it’s an organization that provides information about computer and internet applications. But they’re most famous for their list of top 10 vulnerabilities, which basically shows the public the 10 most common forms of attack or attack opportunities, you know, on these applications.
Joshua Hammer: Perfect. Couldn’t say it better myself. We’ll jump right into these things. I’m going to go through each one kind of real briefly. Just give you an idea or a general top-level overview of them. The first one we got is the injection attacks, which most people, when they think of an injection attack, it’s SQL injection, where people are kind of breaking out of the line and site to site and entering their own code into SQL to get the information back from the database. We’ve got broken authentications or flaws in authentication. A big one for this is brute force attacks. We see it a lot for people who use our plugin. I can’t tell you how many times we get an email saying, “your plugin is spamming me. I’m getting like 300 emails every 10 minutes saying that, you know, people are trying to log into my site. How do I shut off the notifications?” They never ask, “how do I stop these inject- these attacks?” They ask, “How do I shut off the notifications?”
Stephen Johnston: Yeah. The focus on the symptoms.
Joshua Hammer: Right? I mean, come on. But, anyway, brute force broken authentication. Sensitive data exposure, either in transit or stored data. SSL stops the transit, the stored data, well it can be a little different. In fact, there was an insurance company not too long ago. I want to say within the last month that had posted a bunch of their customers’ information on the website. Anybody had access to it and I think it was like three weeks before they discovered it.
Stephen Johnston: That’s horrible.
Joshua Hammer: Great job. Happens all the time, right? XML external entities. This is by uploading an XML script or injecting an XML script into an XML processor. XML is kind of like a coding language or set of directions. It can be used for other things as well. You were telling me a funny one earlier, Stephen. What was it? Some kind of injection or…
Stephen Johnston: Yeah, this type of attack is really big for DDoS attacks. There’s a really well-known one called the Billion Laughs DDoS attack, where essentially the cyber criminal sends a bunch of L-O-L’s to a website and then overloads it until the website doesn’t work anymore. Billion Laughs. That’s one to watch out for.
Joshua Hammer: All right. So broken access control. Basically gaining access to areas they’re not supposed to have access to. Going into a website and forcing yourself to have more permissions than you’re supposed to. Security misconfigurations. This one’s fantastic. Not changing your default username and password, for example. I love it. This is a big one that’s out there. In fact, in the internet of things, website camera or security cameras, man, routers, everything. There’s even a website search engine out there that scans the internet of things looking for default usernames and passwords. And if it finds it, it puts it into the search engine. I was playing around on this search engine and I got to go and view cameras at a local hospital here that were all default username and passwords. There was one, it was fantastic. It was a business and they had the security camera pointing right at the cash register so I could see exactly how much money was in the cash register at any given time.
Stephen Johnston: So yeah. Never use the default passwords and settings for a security system. Man, this sounds like something a dark sith lord would create.
Joshua Hammer: Right? And it’s all saved on a search engine. It’s horrible. So if you’ve got a default username and password, then change it now. Please, I beg you. To get more into the internet of things, we did a honeypot server. So we put a server up there that was just the default username and password on it. And it took, I’m not kidding here, it took five minutes for it to be weaponized, meaning somebody broke into it with the default username and password and turned it into a DDoS within five minutes. Horrible.
Stephen Johnston: Man.
Joshua Hammer: Cross-site scripting. We’ll go into that in more detail in a little bit here. But yeah, that’s a big one. Insecure de-serialization. Give me an idea. Serialization is changing objects to byte strings. De-serialization is changing those byte strings into objects. An example of this would be like a recent attack pipe was a cookie that was stored in a person’s computer. They de-serialized it, changed the cookie to say that they were a user into an admin, re-serialized it, saved it on their computer. Now, when they visit that site, and the site pulls the cookie information it looks like they’re an admin and they have better access than what they should.
Stephen Johnston: All these talk about cookies and cereal is making me hungry.
Joshua Hammer: Right? It is kind of late for breakfast. Using components with known vulnerabilities. So that’s kind of like saying, “hey, I know this door lock doesn’t work but I’m going to put it on anyway. That should keep people out.” It doesn’t work. Big one, for example, is the old TimThumb vulnerability from years ago and people are still using the outdated TimThumb plugin. Fantastic job guys. Basically saying, “hey, look. Come on in.” And insufficient logging and monitoring. It’s kind of hard to protect if you don’t know what’s happening or you ignore what’s going on. I’ll go back to our plugin again. “Hey, I’m getting all these emails saying people are trying to attack my site. How do I stop the emails?” Protect your site, maybe? No, you just want to shut off the emails. Okay, got you. It’s in the settings. Having that logging doesn’t help.
Stephen Johnston: You know, something interesting about this OWASP Top 10 list is that Sucuri’s firewall can alleviate almost all of these options, you know. You know, with the exception of personal security hygiene things, like having a good password. Obviously, I mean, our firewall isn’t going to be able to go up against that. That’s on the user.
Joshua Hammer: It’s true. In a way though, it does because you can blocklist any IP address except for yours. You can allowlist your own IP address. And then it doesn’t matter if your password sucks because only your IP address can get in there.
Stephen Johnston: This is true.
Joshua Hammer: So, but yeah, good point. So let’s go into a little bit more of the cross-site scripting. There’s a bunch of different ways of cross-site scripting. The first is reflected cross-site scripting, which allows the attacker to execute HTML and JavaScript in the victim’s browser. Basically, via code that’s on the site that you can have it forced to work inside the browser. Fun stuff. Stored cross-site scripting or basically allowing an attacker to view the user’s input. Because, you know, who wouldn’t want to see what you’re typing into a website, such as credit card details, usernames, passwords. None of that’s important. And then there’s the DOM XSS or cross-site scripting and, you know, DOM makes me think dominatrix, but I know that’s not right so I’m going to hand it back to you, Stephen. You’re my expert in these acronyms, so.
Stephen Johnston: Yeah, DOM stands for Document Object Model-based cross-site scripting. It’s just, you know, another type of cross-site scripting. This one plays heavily off of things like API. But, you know, all together, this specific type of attack takes advantages of things like, you know, a blog, or contact form or even the comments section of a website. So this is a big one to watch out for.
Joshua Hammer: Fun stuff, isn’t it? Yeah, so the DOM cross-site scripting is for replacements or defacements and those kind of things. And that brings us to backdoors and the reason I put backdoors on here is partially because our hack trend report. So every year, we do this hack trend report of what we’re seeing in these sites. And this last one, you can download it from our website, but 68% of the malware we removed were backdoors that were added to a site so that a hacker will be able to get back into your site at a future point in time. That’s a lot. That is a lot, considering we deal with a ton of malware and almost 70% of it is just backdoors.
Joshua Hammer: Hello. I love it. We get asked on a daily basis, “can we do a one-time cleanup?” And we always tell people, “No.” And I think this statistic goes a long way to showing why we say, “no” because if 70% of what we’re removing is backdoors, then chances are the people are coming back to your site. And if we clean it up, and you don’t fix whatever the original issue was, however they got in originally, they’re going to be back and they’re going to hack you again. So a one-time cleanup just kind of makes people angry because they feel like we didn’t do our job of cleaning properly when they get reinfected. But, really what it is, is finding their way back in via whatever the original issue was. But yeah, backdoors, not always a bad thing. Sometimes it allows companies to take a look at a user’s platform as if they were the user. And that can be considered a backdoor. But what we’re talking about here are backdoors that are put in by code from the hacker when they attack.
Stephen Johnston: Yeah. It’s like the cyber criminal knows where you keep the secret backup key underneath the welcome mat. They know where to find it and how to get in.
Joshua Hammer: Exactly. Basically, what they’re doing is they’re putting the welcome key there. They’re putting it under the mat for, so that they know how to get back in.
Stephen Johnston: Right.
Joshua Hammer: But with that, I’ll turn it back over to our wonderful host, Nicki, and answer any questions you guys have.
Nicole Gerren: Great job guys. Thank you so much for that and thank you for everybody who’s attending. Let’s see here. We have a… our questions coming through. Just remember that these will be available at our Sucuri.com/webinars once we have this recording finalized. So you can come back to it at any time. I’d actually like Steve to do a guitar solo and say DOM XSS three times fast. I would like-
Stephen Johnston: [crosstalk 00:14:44] this.
Nicole Gerren: That’s mine. Okay. Well, let’s see what we have. Someone here from Arizona, your guys’ area. What should I trust? Why should I trust OWASP?
Stephen Johnston: I can answer that. So, you know, OWASP, this is a publicly open organization that is made up of your peers, essentially. You know, in terms of online presence. And then their list is something that they all have to agree on, you know, as being the greatest threats to these websites. It was created through extensive research and experience. The findings are made public to all the group members, you know, to agree upon before it’s officially released, or published. And then these same findings, they’ve been verified globally on a daily basis since they’ve been released. So really the truth is, these vulnerabilities will affect you whether or not you trust the organization reporting them.
Nicole Gerren: Got it. Makes sense, but… Let’s see here. We have also, oh we get this one all the time. But this is the thing everybody wants to know. What is the most unique attack? Or the most common attack? That you guys at Sucuri…
Joshua Hammer: I think the most unique one that I’ve ever seen or at least my personal favorite was, there was a vulnerability within WordPress. Oh quite a while ago, where the person went into a comment section of a blog and they put in a little bit on one comment, a little bit on the next comment, and a little bit on the third comment. And when you look at it, it just looks like gobbledygook. Right? Not going to happen. Then, a few months later when WordPress goes in and they archive those comments, it put all three of those comments together and it executed the code. I mean, amount of thought that goes into that to say, “oh, this is the way that it’s going to work and three months from now my hack is going to be executed.” To me is just phenomenal. And it was a very unique one that I’ve seen that I just thought was amazing.
Joshua Hammer: A lot of these attacks, the people don’t have access to the site, so to speak, they’re… Such as the SQL injection is a very common one. They don’t actually have access into the backend. But the backend of WordPress for example is a SQL database. So if you have a form question, right? And basically what that form is doing, is it’s sending the information into the SQL database to be stored. A SQL injection is where they put in a bracket or something and break that connection to the database. And basically what they can do is add additional SQL commands to that line and extend the information back to that. So that would be a type of an attack where they’re getting information from your database even though they didn’t have access to the actual WordPress site.
Nicole Gerren: Oh wow. Okay. That is different then. Thank you for that, answering that thoroughly there. Okay, we have another one. Do we have time? Yep, we do. You said that there is a logging process within Sucuri firewall. How would I be able to set up logging if there were attacks to my site? I’ve seen email reports on uptime, SSL, et cetera. Have I been lucky and not had an attack yet?
Joshua Hammer: Under our firewall dashboard, there is a real-time section or an audit trail that you can look at. And it will show you what we’ve blocked and what we haven’t blocked and what we’ve allowed through. You can actually go in and click on any of the blocks that you see and it’ll give you an exact reason why we blocked it. On top of that, if you want to get into more, in depth, we do have integrations, such as SIEM integration where you can have blocks sent to you under our enterprise plans. But the audit trail is where I would go to take a look and that’s going to give you the most in depth information. You can also take a look at the API tab on WordPress and you can set up some API calls to check different aspects of the logging.
Nicole Gerren: Perfect. Got them right in the right direction there. Some of these are actually anonymous so I can’t give you where the place of these people. But thank you for giving your questions to us. Lastly, because there’s a few that look pretty similar, so I think we’ve covered it, but we can go more in depth offline. But lastly I see, which different hacks…with different hacks coming in all the time, how do you stay up-to-date?
Joshua Hammer: Well, that’s hard. That’s part of the reason why we try to get people to sign up with an expert because an expert’s going to be on task all the time, learning these things. One of the things that here at Sucuri that we have a benefit of is that we have people cleaning these sites along with the firewall to protect the sites, right? So as we see the types of cleanups that we’re doing on a daily basis, if we see something new, we can put that rule into the firewall to prevent it from going forward right away, since it’s all in house. Plus, we have researchers that basically, those are the guys that use their evil knowledge for good and they go out there and try to do the hacks and they protect the sites against [inaudible 00:21:12] that they find.
Stephen Johnston: Yeah, with our zero day patching, you know, if one person is affected by it, it is immediately sent out to everyone. So, you know, everyone else can benefit from that security.
Nicole Gerren: Okay, I’m okay. Facebook, sorry I’m not going to say this name right. Masanco possibly. Can you give me a price for a full VPS3 monitoring where we have more than 10 websites?
Joshua Hammer: Can I give you a price? No. But if… let me take that offline and get one of my experts to reach out to you because there’s a lot of things that are going to be dependent on that such as the number of servers, which sounds like one, but I want to get some more information just to make sure and we can set you up with whatever package would work best for you.
Nicole Gerren: Great. So we will get back to you. For sure. And, okay, this, I think one more. Maybe I’m trying to trip you up. See if you can answer them all. What does it mean when someone is attacking xmlrpc.php and sending POST requests on WordPress sites?
Joshua Hammer: Oh, well it could be several things. It could be a type of DDoS attack, where they’re sending POST request after POST request to try to bring down the site. But I’d imagine it could also be different things because they’re sending commands so they could be trying to do a XML injection attack. I’d have to look at it more in depth and take a look at the logs and see what type of POST request they’re sending. What the command string is and then we could give you more information. If you email abuse@sucuri.net with some of that information our research team can take a look at it.
Nicole Gerren: Right. Did sound like one of those that our analysts could take a look at in depth, so we will do that for you guys. So I think that’s it for now. If there’s any other questions you can still get them through chat and everything and add them to our Q&A at the backend of this webinar. For sure. Lastly, I’d like to say please could you share the webinar, that’d be great, with solo digital citizens out there. I thank you guys, Stephen, Josh, again. Great. From Arizona. I’m from Cali. I’m saying my goodbyes to you guys. But for the attendees. Anything else? You guys can take it from here. Say goodbye.
Stephen Johnston: Yeah, don’t forget to visit us at WordCamp Europe. I believe it starts this Thursday. It’s going to be in Berlin, Germany. We’ll be at the GoDaddy booth there.
Joshua Hammer: Yeah, say hi to the guys that are there because, you know, you spend a lot of money sending them over there, so I’d like to see that they actually are doing something and not just vacationing in Germany for a couple days. So keep them busy. Ask questions. I’d appreciate that. And join us next month, guys. I’ll be back here speaking to you again. I believe the topic is going to be why hackers hack. And beyond because they’re jerks. There is more information there. So hopefully I’ll see you next month and if you’re in the desert like we are, try to stay cool.
Nicole Gerren: Thanks guys.
Stephen Johnston: See you guys.