ADVENTURES IN DRUPAL SECURITY
JUNIOR TIDAL, WEB SERVICES & MULTIMEDIA LIBRARIAN
NEW YORK CITY COLLEGE OF TECHNOLOGY
@JUNIORTIDAL

ORGANIZATIONAL INFORMATICS
HUMANS ARE FLAWED
HUMANS CREATE SYSTEMS
SYSTEMS ARE INHERENTLY FLAWED
EVENTUALLY SYSTEMS FAIL
THERE IS NO PERFECT SYSTEM… SO DON’T TRY TO CREATE ONE.
SYSTEMS FAIL FROM INTERNAL AND EXTERNAL FACTORS
INSTEAD OF BUILDING A PERFECT SYSTEM:
EMPHASIZE PREVENTIVE MAINTENANCE
CREATE RECOVERY STRATEGIES

WHAT ARE WE TALKING ABOUT TODAY?
BACKGROUND / SECURITY COMPROMISED! / RECOVERY / LEARNING / SECURING YOUR SITE

BACKGROUND
URSULA C. SCHWERIN LIBRARY SUPPORTS OVER 17,000 STUDENTS OF THE NEW YORK CITY COLLEGE OF TECHNOLOGY (CITY TECH)
ONE OF THE 23 CAMPUSES OF THE CITY UNIVERSITY OF NEW YORK (CUNY)
CONSIDERED A “COMMUTER” SCHOOL
SERVES A DIVERSE POPULATION IN DOWNTOWN BROOKLYN

THE WEB SERVER
MIGRATED FROM A MULTI-DEPARTMENTAL WINDOWS IIS SERVER TO A DEDICATED LAMP SERVER IN 2008.
SUPPORTED AD HOC BY THE COLLEGE IT DEPARTMENT.
THE WEB SERVICES LIBRARIAN AND IT ASSOCIATE ARE ADMINS FOR THIS SERVER

DRUPAL
DRUPAL IS THE CMS USED TO MANAGE SEPARATE DESKTOP AND MOBILE SITES.
DRUPAL 6 WAS USED FOR THE DESKTOP SITE.
ANALYTICS INFORMATION SHOWED A NEED TO SUPPORT MOBILE USERS.
DRUPAL 7 WAS USED TO CREATE A SEPARATE MOBILE SITE.
CONVERSION FROM D6 TO D7 WASN’T POSSIBLE BECAUSE KEY MODULES LACKED D7 SUPPORT

MOBILE SITE
THE MOBILE SITE HAD A WIDGET TO SEARCH THE CATALOG
LINKS TO MOBILE FRIENDLY ELECTRONIC RESOURCES
LIBRARY INFORMATION SUCH AS HOURS AND CONTACT WAS ALSO PROVIDED

SECURITY COMPROMISED!
THE MOBILE SITE WAS HACKED ON DECEMBER 21ST, 2014.
THE BBC REPORTED A DRUPAL HACK ATTACK ON OCTOBER 31, 2014.
UNIVERSITY IT CONTACTED CAMPUS IT ABOUT THE BREACH
THE SITE WAS DEFACED AND THE HOMEPAGE REPLACED
IT DISCONNECTED THE LIBRARY’S SERVER

ATTACK ANALYSIS
AFTER EXAMINING LOG FILES, THERE WASN’T ANY EVIDENCE OF UNAUTHORIZED USERS OR FILES
SEARCHING MYSQL TABLES FOUND NO MALICIOUS CODE
THE ENTRY POINT WAS THEREFORE EITHER THE OUTDATED D7 CORE OR OUTDATED MODULE(S)
THE MOBILE SITE WAS SHUT DOWN
UNTIL THE BETA SITE WAS READY, TRAFFIC WAS REDIRECTED TO THE DESKTOP SITE

LESSONS LEARNED
DON’T NEGLECT YOUR SITE
USE DRUPAL’S EMAIL NOTIFICATIONS FOR NEW UPDATES
IMPLEMENT DRUPAL SECURITY MODULES

DRUPAL SECURITY MODULES
DRUPAL SECURITY KIT
CAPTCHA
BACK UP AND MIGRATE
AUTO LOGOUT
LOGIN SECURITY
DRUSH

STRATEGIES FOR A SECURITY BREACH
CREATE RECOVERY GUIDELINES:
TAKE YOUR SITE OFFLINE
MAKE A BACKUP OF YOUR HACKED SITE
REPLACE A HACKED SITE WITH A BACKUP OR FAILOVER SITE
CHECK LOG FILES
NOTIFY ALL WHO NEED TO KNOW
CHANGE PASSWORDS
DOCUMENT EVERYTHING
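The recovery guidelines above as a runnable first-response script (an added example, not part of the original slides): it puts the site into maintenance mode, snapshots the docroot and database before anything is cleaned, and runs two simple access-log checks. The site root, backup directory, the constructed sample log lines and the drush/mysqldump invocations are assumptions about a typical Drupal 7 LAMP install.

```shell
#!/bin/sh
# Added example, not from the slides: first response for a compromised
# Drupal 7 site, following the recovery guidelines (site offline, back up
# the hacked site before changing anything, check log files). Site root,
# backup directory and the drush/mysqldump calls are assumptions about a
# typical LAMP install.
set -eu

# Take the site offline: Drupal 7 maintenance mode via drush, if present.
site_offline() {
    if command -v drush >/dev/null 2>&1; then
        (cd "$1" && drush variable-set maintenance_mode 1)
    else
        echo "drush not found: disable the vhost at the web server instead" >&2
        return 1
    fi
}

# Preserve the hacked site as evidence before cleaning anything: a tarball
# of the whole docroot (tar stores ownership and modes) plus a SHA-256 so
# the copy can later be shown to be unaltered. Prints the archive path.
snapshot_site() {
    site_root=$1
    out_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$out_dir/site-$stamp.tar.gz"
    mkdir -p "$out_dir"
    tar -C "$(dirname "$site_root")" -czf "$archive" "$(basename "$site_root")"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$archive" > "$archive.sha256"
    else
        shasum -a 256 "$archive" > "$archive.sha256"
    fi
    echo "$archive"
}

# Same for the database (credentials are expected in ~/.my.cnf).
dump_db() {
    if command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction "$1" | gzip > "$2/db-$1.sql.gz"
    else
        echo "mysqldump not found" >&2
        return 1
    fi
}

# Log check 1: requests for a .php file under the Drupal files directory.
# No legitimate page lives there, so every hit (especially with status 200)
# is worth reading; the source IP and timestamp anchor the timeline.
# Input: combined-format access log. Output: matching lines.
php_in_files_requests() {
    grep -E '"(GET|POST) /sites/[^" ]*/files/[^" ]*\.php[^"]*" ' "$1" || true
}

# Log check 2: POST requests per client IP, busiest first. On a small
# library site one address posting hundreds of times stands out at once.
post_counts_by_ip() {
    awk '$6 == "\"POST" { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Constructed sample log (RFC 5737 documentation addresses) for trying the
# two checks without a real server.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [21/Dec/2014:03:14:02 +0000] "POST /sites/default/files/pictures/up.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Dec/2014:03:14:05 +0000] "GET /hours HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2014:03:14:09 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Dec/2014:03:15:00 +0000] "GET /sites/default/files/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
}

# Demo on the constructed log: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_log "$tmp/access.log"
    echo "== .php requested under files/ =="; php_in_files_requests "$tmp/access.log"
    echo "== POSTs per IP =="; post_counts_by_ip "$tmp/access.log"
fi
```

On a real host the log checks are run against the server's own access log (for Apache on Debian-style systems typically /var/log/apache2/access.log); the snapshot belongs on storage the web server user cannot write to, and the .sha256 file goes into the incident notes, which is the "document everything" step.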

PREVENTIVE STRATEGIES AT THE SERVER LEVEL
USE HTTPS (PORT 443)
MANAGE FILE EXTENSIONS
MANAGE PHP EXECUTION WITHIN YOUR UPLOADS FOLDER
ROBOTS.TXT
SECURE FILE PERMISSIONS
MAKE AND AUTOMATE BACKUPS

PREVENTIVE MAINTENANCE
STRONG PASSWORDS
EVALUATE USER ROLES AND PERMISSIONS
EXAMINE SUB DIRECTORIES FOR RANDOM FILES, ESPECIALLY /FILES AND /UPLOADS
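Three of the points above, from both the server-level list (managing PHP execution within the uploads folder, secure file permissions) and the maintenance list (examining /files and /uploads for random files), as one added shell example that is not from the slides. The .htaccess body, the docroot layout and the constructed sample docroot are assumptions for an Apache 2.4 host with AllowOverride enabled for the files directory.

```shell
#!/bin/sh
# Added example, not from the slides: server-level hardening and routine
# checks for a Drupal docroot. Assumes Apache 2.4 with AllowOverride enabled
# for the files directory; all paths are assumptions.
set -eu

# Write an .htaccess into the public files directory that stops the web
# server from executing anything uploaded there: no directory listings, no
# CGI/SSI, PHP engine off where mod_php is loaded, and script extensions
# refused outright so a double-extension upload (x.php.jpg) is not served.
write_files_htaccess() {
    files_dir=$1
    mkdir -p "$files_dir"
    cat > "$files_dir/.htaccess" <<'EOF'
# Hardening for the Drupal files directory (added example)
Options -Indexes -ExecCGI -Includes
SetHandler None
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php[0-9]|phar|pl|py|cgi|sh)(\.|$)">
  Require all denied
</FilesMatch>
EOF
}

# Report files that should not be in the public upload trees: anything under
# a files/ or uploads/ directory with a script extension (including double
# extensions such as x.php.jpg) or with the owner execute bit set.
find_stray_scripts() {
    find "$1" -type f \( -path '*/files/*' -o -path '*/uploads/*' \) \
        \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' \
           -o -iname '*.pl' -o -iname '*.py' -o -iname '*.cgi' -o -iname '*.sh' \
           -o -perm -100 \) -print
}

# Report anything world-writable. Drupal runs with 755 directories and 644
# files (settings.php 444); only the files directory needs to be writable
# by the web server user, and nothing should be writable by everyone.
audit_world_writable() {
    find "$1" -perm -002 -print
}

# Total findings from both audits; non-zero means action is needed.
audit_docroot() {
    stray=$(find_stray_scripts "$1" | wc -l | tr -d ' ')
    writable=$(audit_world_writable "$1" | wc -l | tr -d ' ')
    echo $((stray + writable))
}

# Constructed docroot with one stray script and one permission mistake,
# for a stand-alone run without touching a real site.
make_sample_docroot() {
    root=$1
    mkdir -p "$root/sites/default/files/pictures" "$root/modules"
    echo '<?php' > "$root/index.php"
    echo '<?php' > "$root/sites/default/files/pictures/avatar.php.jpg"
    printf 'GIF89a' > "$root/sites/default/files/logo.gif"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 666 "$root/sites/default/files/logo.gif"   # the deliberate mistake
}

# Demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_files_htaccess "$tmp/site/sites/default/files"
    make_sample_docroot "$tmp/site"
    echo "== stray scripts =="; find_stray_scripts "$tmp/site"
    echo "== world-writable =="; audit_world_writable "$tmp/site"
    echo "findings: $(audit_docroot "$tmp/site")"
fi
```

The two audit functions are meant to run from cron against the live docroot, with any non-empty output mailed to the admins; the .htaccess only helps if the vhost's AllowOverride permits Options and FileInfo for that path, so the same restrictions are better placed in the vhost configuration itself where that is available.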

WRAPPING UP
SYSTEMS FAIL / BACKGROUND OF CITY TECH / SECURITY COMPROMISED! / RECOVERY / LEARNING FROM THE COMPROMISE / SECURING YOUR DRUPAL SITE

RESOURCES
DRUPAL’S SECURITY ADVISORIES
YOUR SITE GOT HACKED. NOW WHAT?
SEC4LIB LISTSERV

THANKS!