Hey, hello, hello to everyone. Thank you very much for attending this session. This is going to be a security session, not very technical, I promise, and its title is "How to know if I've been hacked". I'm Nestor Angulo, a security analyst from GoDaddy. I've been working as a security analyst for the last six years, and pretty much everything I'm going to tell you in this presentation is based on my own experience.

I would like to use the occasion to thank a lot the organization team of this event. They are doing a pretty beautiful work, not only with the event but also with the initiatives they are taking. So thank you very much, and thank you very much to all of you again. So let's get into it.
Well, normally I start my sessions with this slide. You know, it's one of my favorite quotes, and it reflects very well how we feel in this security war: there are two types of company, those who have been hacked and those who don't yet know they have been hacked. This is a quote attributed to John Chambers, the CEO of Cisco.

I also use this image in a lot of my sessions, because I really know what you are feeling when you are using the internet nowadays, because there is something like a cyber stress: don't click here, don't open that email, don't open that email attachment, be careful with the malware, with the virus, with the ransomware, and so on. This talk is intended to help you guys, and I want to share with you some tips, and I hope they will be useful for you to understand this war and the things that should be done in order to reduce the probability of being hacked or of suffering any issue related to security.
So I designed this session in a sort of questions-and-answers way. The main question you may have in your mind is: what does "hacked" mean? In the website environment, it means that your site has been attacked. That attack could be successful, so any of these bad things could happen to you: a breach, reputation drain, ransomware, etc. Or it could fail, and this is the vast majority of the situations: a failing attack is the vast majority of the situations we normally face day by day. So maybe a website suffers thousands of attacks every day, but only one is needed to make you suffer a lot of pain like this. But keep in mind that hacking attempts are always happening, something like every single second, probably in the whole internet, right?
So who are the guys who hack? Maybe if you think about hackers you have this image of this TV show in your mind. If you have seen it, you have a pretty clear image of what a computer hacker's life looks like, and if you don't, just take a look: Mr. Robot is a very nice TV show about this war of security and how it is led, or what it involves.

But it's important for me to clarify this difference: a hacker is not the same as a cyber terrorist. A hacker is a curious person who loves to go beyond limits and conventionalism, so a curious guy. A cyber terrorist is a computer hacker who aims to enrich himself, to do bad things, right? Keep in mind that if you are sleepy and you want to study a little bit more, or to work a little bit more, and you take a coffee, you are hacking yourself. So the process of hacking is something so close to humanity, to the human being, and as old as the human being is.

So in order to differentiate the computer hackers' intentions, we normally classify them in hat colors, right? They are black hat, grey hat and white hat hackers. The black hat hacker is the bad guy, and the white hat hacker is the security analyst, the ethical hacker, the good one, right? And the grey hat hacker is the one that normally is a good guy but is using illegal procedures.
Well, but how does this happen? How does a hacking process happen? It always starts with a vulnerability. This is the key: the code has to have a vulnerability. Then there is somebody who creates a software piece to exploit that vulnerability; it's called an exploit. And using the exploit you can insert or inject any piece of code that could be the final code or, in the worst scenario, a backdoor. Using the backdoor you can regain access to the website even if the owner starts to protect it after the injection. So the worst scenario is to have a hidden backdoor somewhere in your site, and using it hackers can spam, deface it, add it to a botnet or inject any other kind of code.

But what will these guys want from our site? Because it's a typical question: hey, I have a kitten food store, why would they want to hack my site?
So in WordPress these are the most common objectives. The users list, because, you know, it's a list of emails, usernames and so on, more sensitive information. There is a database with information as well, with the data you are storing there. There is content: if you are selling, you know, presets for Lightroom for photographers or something like that, and I gain access to your site and you have those presets there, I can get them for free. I can use your infrastructure, yes. Keep in mind that a website is just a collection of files that runs in a PC out there, in the internet, in a data center, so there is a CPU, there is RAM, there is bandwidth for communications and so on, so the infrastructure is also something valuable for these guys. And also I might want to add this website or server to a botnet, enroll it in my army and use it later for something like a DDoS attack or something like that. But also the reputation of your website, or of your business represented by the website, is a valuable coin for these guys.

Let me share with you some facts that are very important to give a little bit of context about security, right?
So it's important to understand that site hacking almost never is client oriented. I mean, if you've been hacked, normally it's not because of who you are or the content you have in your website. Normally they are just automatic algorithms out there scanning the internet and the websites, and infecting, injecting or adding to botnets the websites they find, no matter the content they have.

This normally happens because of deficient monitoring and maintenance. Maintenance is important. This is a very common error: just to think that you have a website, you put it out there in the internet and that's all, all the customers are just going to start coming to my business and I don't need to take a look at this site continuously. So maintenance is very important.
This one blows my mind: when some people come to me and say, hey, why have I been hacked if I have an SSL certificate? I use the HTTPS protocol in the URL, so I'm protected. And to explain this I usually use this joke, to help you to understand that an SSL certificate is not an anti-hacking shield. So keep in mind that the SSL certificate will ensure that the channel between you and the web server is secure. So if you communicate with the server, or the server with you, all the information running in this channel is going to be secure and nobody can hear that, and if somebody just reads something that is being communicated in this channel, it is not going to be understandable. So that's the mission of the SSL certificate and the HTTPS protocol, right? To make this channel communication secure. So if, instead of that user, the one communicating with the server is a hacker, the hacker will be hacking your website securely. That's the way I use to explain this. So this is important, but it's not an anti-hacking shield, okay? So I hope you understood this part.

Keep in mind also that security updates and patches normally appear after the vulnerability is being exploited. So if you see that there is an update, it's because there are computer hackers out there exploiting it, so run.

And this one is also one of my favorites: human beings fail. So no matter how proud you are about your code, no matter if you think that the code is perfect and is fully protected, it will be hacked, maybe in the future, sooner or later, but it'll be hacked. We are human, we fail. So keep this in mind, and it explains why I say that security never is, nor will ever be, 100% effective.
So how to detect a hacking attempt? This is more or less the core of the talk. This is very difficult to explain, how to detect, because, you know, hackers find more creative ways of hacking servers and websites every day. So my very first two recommendations are: stay vigilant, always monitor your site, review it very often, and hear your users. Set up appropriately all the channels you might want to establish with your users, because they are going to be your best ears and eyes out there to check if your site is doing something wrong. So hear your users, facilitate channels to communicate with them and to let them communicate with you.

In an early stage detection, normally I just put the hosting, because, you know, they are supporting our website, so they have access to their resources, they monitor them, so they can share with you some warnings. And also if you have plugins or services in your website for monitoring, it will help a lot. You can have services like Sucuri Monitors, you can install security clients inside your website like Wordfence, All In One Security, etc. And if you have a firewall, it's also very useful, because every firewall has a monitoring dashboard, so you can see in real time, and also a log, which IPs have hit your site, the country this IP comes from and so on. And fail2ban is an appliance also that blocks or protects your login against multiple attempts. So if someone just failed more than three times or five times, you can set it up so they get banned for a certain time, so you can be protected from brute force attacks, but also you will get a monitor of who, and how many attempts, are trying to get inside of your website dashboard.
Of course, if there is time between the hack and your detection, it could happen that some vendors out there add your website to a blocklist: search engines like Google, Yandex and Bing, some of the antivirus vendors have some blocklists, and some other specialized companies like MX Toolbox, for phishing or for spam spreading via email, and so on. And also if you one day decide to scan your site, these are my favorites. SiteCheck from Sucuri is very nice; it will show you how the site looks like from outside. VirusTotal will match your website against the list of the most common security vendors' blocklists out there, so you will see in a page if your site has been blocked in any of them. And WPScan is a plugin you can install in your server, so it will scan your site from inside.

So that's more or less how to detect. It's a little bit vague, but, you know, those are tips and tools to help you, and I would like to show you some examples of how a hacked site looks like. Keep in mind that there are a lot of kinds of attacks, so I just took some examples to let you see.
The most typical and visual is the defacement family. If you take this slide as my website and in the morning you find it like this, probably someone has accessed the website and changed it because it's funny or something like that, okay? So the defacement is like that: it's just changing the visual, the front end, the display of your website in a hack attempt, right? For example, the photographer gallery I always use in my sessions. This is a part of the website; I just wanted to focus on this part to protect the identity of this page. So maybe this photographer had this gallery, and then he went to sleep in the night, and in the morning he woke up with a lot of messages in his social network saying: hey, you've been hacked. When he loaded his website, he found this. So this is a defacement. This is another example, with more political or social claims, and this is a Turkish one; I like it a lot.

So at the end, defacement means a partial or full replacement of the website front end. It is very obvious, normally it is easy to detect, and probably your users will detect it faster, but the scanners also detect it very easily. At the end, the goals use to be awareness or a social or political claim.
Phishing. We are a little bit tired of hearing about phishing, about email phishing and so on. At the end, it's a login or checkout environment imitation. It's very subtle, and you will detect it because of the scanners, or because your site appears in some blocklist, and the goal is to steal credentials, sensitive information. This is an example, a Dropbox fake login web page. It's not very actual, but you will be surprised when you see how many people just get cheated with this. So maybe in your website you have a login button that, when you click, goes to the login, the common login form, and a hacker injects this into your website instead of that, and the login button goes to this fake Dropbox login page. So maybe your users could understand that you have changed it and now you do the login process through Dropbox, and then they put the credentials here.

But if, let me make this a little bit bigger, you go to the code, you will see that there are some indications, some clues to detect that this is a fake one. As you can see, it says "Dropbox Business", so it's badly spelt, right? And the form just sends the email and password to an action.php file, which looks like this, and you can see here that there is an email address, and it takes the email and the password and sends this guy an email with those variables, the email and the password, saying something like "Dropbox login from the IP" of the website, the hacked website, "in the country", whatever, I would say. So this guy is receiving, every time someone gets in with this fake login page, the credentials in his email.
Black SEO is spam, for example. Imagine that you have this Ink Design Inc. site: when you click in the contact section you get this one. This is a normal contact form, but in the header you can see "free shipping buy viagra now". You can imagine the impact in the SEO of this guy, and also in the reputation of this website. This is another example, of professional janitorial services, which has here in the header some fake text about a dark Android market. And as a result of this, if the search engines crawl sites like these when they have been hacked with these black SEO spam infections, the result is going to be like this: you're going to get your website in the blocklist, and every user that wants to enter your website will first get a web page like this, or a tag in the search results like this, "this site may be hacked", or even maybe a lot of spam crawled from your site and displayed in the search results page. So you can imagine the impact of any spam or unwanted content in your site.

The detection is easy for scanners; sometimes for users it's not that easy, because those examples we have seen are very obvious, but sometimes it's hidden in the code, so it's not that obvious for regular users to see these things. But it's in the code, and for search engine warnings and the scanners, yes, it is very easy to detect. It affects your SEO; maybe it's inside of a link building campaign or whatever.
Redirection is something that happens a lot recently. At the end, it consists in a situation where unwanted affiliate links open to suspicious websites without any intention, and those suspicious websites are totally different and not wanted. The detection is not that easy, it's a little bit tricky, but the users will detect it most easily, and the search engines as well. It will affect your SEO, and also the affiliate SEO will be in a link building campaign as well, and so on. This is an example where I found, in the WordPress URL settings, instead of the website URL, a different URL, "hello from honey.com", something like that. So it will cause that when you get into the website, just putting the URL in the browser, you will start loading the website and then immediately you will be redirected to a totally different one, a porn one or a drug one or, you know, a spam one, or maybe a page like this that offers you a prize. Don't click, ever: this kind of pop-ups are all fakes, or maybe they ask for your permission to access the information from your browser, or to send you a notification.
DDoS attacks and botnets. These attacks are not very easy to be detected by users; maybe you can feel that your site is loading very slowly, so this is one of the symptoms. If you take this as normal traffic in the world, this happened in 2016. It was the infamous attack, the first IoT DDoS attack, so the Internet of Things. At the end it was caused because a lot of cameras, CCTV, you know, for civilians around the world, were infected with a trojan, and they started to load a website suddenly, so the service got down, and as a result of that, I think, I don't remember if WhatsApp, Netflix, Twitter and some other services just got down, because a specific service got a denial of service attack.

So effects to infrastructure are difficult to detect. Normally you detect that because of the strange use of resources: you have a peak of bandwidth or something like that. And you can use a file integrity scanner in order to see if something has been changed. And a professional tip here is to have a WAF in place, I mean a firewall for web applications. So if you still don't understand what a DDoS attack is, it looks like this: if you imagine the net is the website server and the goals are hits from users, you can manage some of them, but at the moment they overflow, it's self-explanatory, right?
So what can I do if this happens? The items involved when something like this happens are, first, you and your site and your clients. So keep calm, analyze, scan your site, inform your guys about this, then inform the hosting provider about this. Eighty percent of the security issues can be fixed directly through the support from the hosting provider, and if this is not possible, or you don't have backups, or you don't want to restore a backup because you don't want to lose information, you can just check out a security expert, external or internal.

And to avoid it, normally I share with you some measures, but I want to separate them into reactive and proactive. Reactive measures are those for when bad things have already happened, so you have to mitigate the pain, you have to mitigate the loss, right? And proactive ones are before anything bad happens, so it's a risk mitigation: you want to lower the possibilities of being hacked.

The reactive ones are: scan your site when something happens; check everything, files, admin users, plugins and so on, and remove them if you don't recognize them; update, and that is interesting because you overwrite the code, so if the code is infected you will overwrite it with a fresh copy from the trusted repository, so this is a good measure as well; or restore a backup, if you don't mind losing information from when you took the snapshot to this moment. And the proactive ones are: reduce the surface of the attack, so you reduce the admins, plugins and themes to those strictly needed to make your site run; do backups, have a good backup strategy; update regularly; invest in hosting and security; install a web application firewall, because this is going to raise dramatically your security level.
As a takeaway, I would like to repeat: remember to invest in good hosting, because good hosting is the first layer of protection. They are monitoring your resources, they are conducting scans very often, and if you have a good one, it is half of the way done. And also invest in security, as you do in real life: you use alarms or a good lock for your house, so do the same in the digital world.

So that's all, guys. I always say everybody needs a hacker, so we need curiosity to make our future as human beings run and to discover new things, and that's for me the spirit of a hacker. Thank you very much. This is the end for now. Thanks again to the organization, thanks again to all of you, and I hope that you found this lecture useful. Have a very nice 2021 and stay safe. Thank you.