Sunday, February 24, 2013

Bad Bad hacker...Protect your JOOMLA website before someone without ethics takes it out.

Recently, there has been a huge wave of sites being hacked by the so-called "Your country's name here"CyberArmy.

I've placed the "Your country's name here"CyberArmy of purpose. First was the Bangladesh, then Pakistan... and I've lost count on the rest of them. I've been watching this from the distance through feeds from twitter and rss, described as a "hacker war between India and Pakistan". However, in this last month I've had to spend over 50% of my time cleaning-up, recovering, protecting and placing back online sites from friends of mine, that were hacked.

I'd like to state here and now that I'm affiliated with the Anonymous movement. However, I'm affiliated with the original concept of anonymous. NOT THE RADICAL fractions, nor the "It's cool to say we are anonymous but we're just a bunch of kids that destroy stuff fractions".
Anonymous has no organized leadership, or body of command, so as a result, a lot of fractions just wander around and follow their own path under the name of Anonymous (counter-sense, I know, but you get the picture).

Most of my friends sites are made on Joomla. Yes, others have .NET sites, or WordPress sites, but those really don't come asking me for help as they already know my answer.
Joomla people, on the other hand, I try to help as much as I can. I don't code components (can't afford the time) but I do customize them and customize the Joomla it self. So when a friend asks for help I try to help...I figure that this is one way to give-back to the community.

One of the things I've not explained is that I didn't charge for that 50% month worth of hard work. This part SHOULD clear my "Anonymous ideal alignment" and my understanding of this wave of STUPID and POINTLESS cyber terrorism.
-If someone hack a government website and brings down the IRS database or VAT reporting and registration services, I'll be the first to cheer and congratulate...partially because very little governments on earth are honest (so they deserve to be robbed in the good old Robin Hood style) and partially because a big organization should pay for the best in terms of security (and most just decide to hire people without technical value, like friends and their colleagues kids, for these high-pay jobs).
-If someone hacks a big company, especially if it's one of those company's that are truly worthless, and do nothing but damage with blind profit in sight (like moody's for instance), I'm the first to applause and pass the message.
-On the other hand, if someone just hacks or defaces a website from a small company, because they are trying to show off skill, in truth they are showing off TOTAL and COMPLETE lack of I.Q. ...and I ultimately hate them with a despise that I can't even compare to an insect. At least an insect does what it is biologically programmed to do...a human, on the other hand, SHOULD KNOW BETTER!
Small companies tend to serve their clients in the best possible way, because they can't afford to loose them; they try to have a lower margins because they are also lighter and with a leaner structure to support; they have very little profits compared to the big companies  so no Lobby is possible, creating LESS government corruption impact; They also pay the full tax load, because they can't "shake the system off" with good lawyers and tax experts on the payroll...They normally have such a lean system that it's almost impossible to access good security experts, making their efforts to migrate their business online extremely vulnerable.
As a result, most get hacked and the majority doesn't recover from the hit. Most had to pay for the website already, and did that at the lowest possible's unthinkable to rent an expert for 1 or 2 full weeks and pay 10k€.

Joomla is an excellent CMS to build up-on. I don't particularly like V3.0, but I love 2.5 and 1.7 .
Joomla gets patched regularly and it's actually very acceptable in terms of  security.
There are 2 main problems with Joomla in terms of security:
- you can install 3rd party components, and not all are safe form bugs.
- the system is protected at code level, this then assumes no attack gets through  as a result the data layer has very little protection.

The most common SQLinjection attack on Joomla, take advantage of one vulnerability on a form on one of the components (generally 3rd party) and Injects SQL code. So the community developing Joomla protected their code, but a part of code done outside their control just bypasses all those protection layers.
So what? Well, normally, the hacker will attack the users table on Joomla and just replace every user with the same username and password.
Why? When you install Joomla, the very first user in the database is the Admin and it's a super user. Anyone logging in with that user can do anything.
How to solve this: There are several protections (some more effective) but I'll go though them.
1-change the user name to something different than admin and description different than super user.
2-add a user called admin with no right at all (public or simple registered)
3-on your database, change the username and email fields to UNIQUE.
So now, next time the hacker tries an injection with a code like "UPDATE something_users SET username= 'admin', password='1234' WHERE 1=1", at the very first row, the database engine will issue an error because admin already exists.
If, on the other hand he tries "UPDATE something_users SET password='1234' WHERE username= 'admin'", he will end up with a user account that has no rights at all.
Is that it? No! a more knowledgeable hacker would simply replace the first row with a different user and still change both username and pass form your super user account. Something like "UPDATE something_users SET username= 'Pamela Anderson', password='1234' WHERE 1=1 LIMIT 1" or  "UPDATE TOP(1) something_users SET username= 'Pamela Anderson', password='1234' WHERE 1=1" or  "UPDATE something_users SET username= 'Pamela Anderson', password='1234' WHERE 1=1 ROWNUM=1"... this will change with the database engine, but you get the picture.
How to solve this: 
1- create a different account on your Joomla administrator (preferably NOT on the first users on your user list)
2-give full administrator permissions to this new account.
3-remove all permissions on the default administrator account (the first row on your table).
OR- just use SQL commands to copy that account to a lower ROW, and then just delete the first ROW.

What if: the hacker is patient enough to go and execute this last hack on the first row, try to log, if the user has no rights delete the first row and re-start the hack until he gets to a row with the real admin user? THIS IS HOW you should think... that what if the guy trying to hack-me is better and more persistent than I am?
Then, the only way to solve this in the database, is using TRIGGERS.
I personally protect MOST of my website databases with a BEFORE UPDATE and BEFORE DELETE or TRUNCATE or DROP:
1-On the Update trigger I simply don't enable updating of the username and email without a safety password input into a value.
2-About the DELETE, TRUNCATE and DROP, I just don't allow-it, period (you never know if the hacker just gets mad and decides to destroy).

So what about that good thinking that the hacker is better than me and can think around my defensive configurations, or that some entry-point on some module or component is wide open and beyond my comprehension until it is too late?
Remember my advice? Assume the hacker is better and more persistent than you are; don't take Joomla updates for granted as they can still have vulnerabilities and they do not patch 3rd party components.
Well, thinking about this I created a protection service. Think of it like a bouncer.
I created a webservice (with internal protection against hacking) that is put to work in a different domain than the one of the site being protected... that way, the hacker will have to hack 2 different websites to clean up his "digital footprints".
The webservice is then called by each index.php page on my clients website and administrative site. The call will send all the request data to the Webservice and wait for a forensic analysis. The reply may point the website visitor to the website, the hacker to a standard "stop trying to hack this site" page, or simply send the hacker or visitor to a "this site is blocked on your country" page.
Independently of the answer being a block, anti-hack or a go through, the webservice logs everything and if (here come the important assumption)  the hacker finds a hole, it will be recorded and later analysed to create a rule against that new vulnerability.

For the time being, I'm only allowing free usage of this tool for all my friends that have been hacked, as I'm still testing the hardening efficiency. But as soon as finish the mobile app to access reports and statistics, I'll place a price tag on it. If you like the project, please keep visiting Http:// (still on final construction phase) under "enforcer" menu....or register and follow this blog.