Website defaced? Check your PCs for Malware!

Asterisk were recently called in to assist a Not-for-profit in responding to a website defacement security incident. Initially it was suspected that there must be some vulnerable web application code on the website, perhaps via an un-patched web forum, or old, archived copies of an out of date forum. Of course when you start looking through the web logs and you can’t see anything obvious that’s when you have to widen your net.

So naturally we checked out the FTP logs, and voila, a number of uploads from an IP from Monaco, placing numerous .php files in numerous folders. This IP address logged into the FTP account using the primary FTP account holder’s username, which we knew had a really complicated (read: 12+ characters with a mix of upper, lower and symbols) password. After confirming with the client that they stored these credentials in FTP client software on a few computers, the next avenue of investigation was that they’d had their one of their PCs compromised… and there was the root cause.

Whilst this isn’t that uncommon these days, it’s certainly something to consider when you’re responding to website defacement incidents.

Doing a bit of research now on the IP address you can also see that this attacker went after quite a few sites.. http://www.ipillion.com/ip/193.104.153.63

Integrating Google’s 2nd Factor Authentication with your Rails App

Asterisk is happy to announce the release of their first (beta) Ruby Gem. The “devise_google_authenticator” gem is a Devise Extension that integrates Google’s 2nd Factor Authenticator into Devise’s authentication scheme. It’s not designed to replace the existing password scheme (database_authenticatable), but it’s ideal to provide a second factor authentication mechanism from your smart phone (Android, Blackberry, iOS).

If you are doing any Rails development and have a need for user authentication/authorisation then you should certainly be checking out Devise. From their site:

Devise is a flexible authentication solution for Rails based on Warden. It:

  • Is Rack based;
  • Is a complete MVC solution based on Rails engines;
  • Allows you to have multiple roles (or models/scopes) signed in at the same time;
  • Is based on a modularity concept: use just what you really need.

Lets put together a really simple application.. (I’m assuming you have Ruby 1.9.2, but no other gems available. Also, most of this is following the Rails Guide and the Devise installation process)

Install rails:
$ gem install rails -v 3.2.0 –no-rdoc –no-ri

Create your vanilla app:
$ rails new myapp

Change into your new app:
$ cd myapp

Edit your Gemfile with the following two lines (after gem ‘sqlite3’):
gem ‘devise’, ‘~> 1.5.3’
gem ‘devise_google_authenticator’, ‘0.3.1’

Update your bundle:
$ bundle install

Create some data for your app
$ rails generate scaffold post title body:text

Install Devise:
$ rails generate devise:install

Install Devise Google Authenticator:
$ rails generate devise_google_authenticator:install

Create your user model:
$ rails generate devise User

Add the Devise Google Authenticator scheme:
$ rails generate devise_google_authenticator User

Migrate your database changes:
$ rake db:migrate

Remove the static index page:
$ rm public/index.html

Change the root page (edit your config/routes.rb and add the following below resource :posts):
root :to => ‘posts#index’

Edit your main application controller to require user authentication for all pages (edit app/controllers/application_controller.rb add just after protect_from_forgery) with the following:
before_filter :authenticate_user!

Now start up your app and visit localhost:3000:
$ rails server

After you register your user (after clicking Sign Up), you should be displayed with a QR Code. Simply add this to your Google Authenticator app on your phone, enable the authenticator, close down your browser (to clear your session), revisit the website and after you sign in, you’ll be prompted for your one time password.

Voila!