>What does the frontend of an online hacker store look like? Courtesy of Boing Boing.

I thought this post was both a frightening and yet strangely entertaining one. It has such a ‘Hollywood’ feel to it — perhaps this is why it’s so dangerous.

You’d think that this is an unsustainable business; I mean, don’t admins change their passwords at least from time to time? Don’t vulnerabilities get fixed, making it impossible to find the password in the long run?

Yeah, right. Site admins are probably as conscientious as they can be given their time and budget constraints. Also, it’s increasingly common for organizations to have ‘site admins’ who have more of an editing / web design background than a sysadmin / web dev / infosec background — an unfortunate consequence of the increased outsourcing of web development and the increased usability of CMS systems.

What did you expect to see on a webmaster’s CV 5-10 years ago? Fluency in HTML, CSS and JavaScript, intermediate to advanced knowledge of a scripting language such as PHP perhaps, maybe some working knowledge of Flash, and definitely some experience with a web design package (like Dreamweaver) or an IDE (such as Visual Studio .NET, Eclipse — or hell, even WebMatrix). The site admin was expected to liaise with the Comms team or similar in order to put the content on the web, and had little to no experience in the field of editing or journalism.

Nowadays, the effect is the opposite: with easy-to-use tools such as Drupal, Joomla, DotNetNuke or SharePoint, you don’t need nearly as many hard skills to administer and maintain a website. I’d go as far as to say that recruiting an admin with a strong technical background would only lead to the person’s frustration and eventual resignation. However, it does mean that this new generation of site administrators is less likely to exercise proper caution (reading access logs, using secure passwords, performing routine security tests and code reviews, and following security feeds) in order to reduce the chances of your site getting pwned.

Okay wise-ass, I can hear you say, thanks for stating the problem — now what’s the solution?


Sadly, there is no easy solution for this. Ideally, in a small to medium organization, you want the web team to have at least one person managing the content, layout and editing of your website — let’s face it, we techies are generally allergic to such things (anyone that’s worked with me knows not to mention colors in my presence – I get hives). That person is the main ‘business’ liaison and project champion — let’s call him/her the ‘web editor’. Then, on the technical side, you’d have one web development liaison and one sysadmin liaison. You don’t want the person who writes the code to be the one reviewing the code or checking the logs — each person has a set of responsibilities that complements the others. Nobody’s stuck with a laundry list of responsibilities, routine checks are more likely to be performed and, provided that there’s adequate communication between the parties, one generally avoids getting listed on sites like the one mentioned above.

>An Ubuntu install script


I wrote a simple little script this morning to install all the software packages I might need for Ruby development (plus a few security tools). Hopefully it will serve someone other than me 🙂

I know, I know… You can’t generalize and install some set of packages without knowing what they are. That’s not the Linux way. On a production server, I’ll always perform a manual setup and, when I can, I compile from source rather than use packages. This particular script is suited to a dev machine.

Note that, at the very beginning, I set up a few version variables. You should be able to just set these and then fire up the script.

Caution: I’m providing this script as I use it, on a non-production, fresh install of a Linux desktop environment. You can do whatever you want with it; but if you’re dumb enough to run this on a production server without checking it out in detail first, and it breaks your prod environment, don’t come complaining to me — I’ll hurt you, man! 😉

And now for the code:
```bash
#!/bin/bash

# This script assumes that you're running Ubuntu 10.04 32-bit. For the Metasploit,
# Ruby Enterprise and Flash packages, you'll definitely need to change the
# packages downloaded!

if [ "$(whoami)" != 'root' ]; then
        echo "You have no permission to run $0 as non-root user."
        exit 1
fi

# Set a few variables here:
metasploit_version=3.4.1-linux-i686
ruby_version=1.9
ruby_enterprise_version=1.8.7-2010.02_i386_ubuntu10.04
gem_version=1.8
passenger_version=2.2.15
flash_version=10_linux

# Banners are quoted so the shell does not expand the asterisks as a filename glob.
echo "************************** Installing basic packages: **************************"
apt-get install -y build-essential subversion vpnc network-manager-vpnc libreadline5-dev

echo "************************** Installing forensics packages: **************************"
apt-get install -y ewf-tools sleuthkit registry-tools hfsutils squashfs-tools

echo "************************** Installing security packages: **************************"
apt-get install -y snort flow-tools aircrack-ng ettercap-gtk python-scapy wireshark tcpreplay ghex openvas-server openvas-client nmap zenmap

echo "************************** Setting up metasploit **************************"
wget "http://www.metasploit.com/releases/framework-${metasploit_version}.run"
chmod +x "framework-${metasploit_version}.run"
"./framework-${metasploit_version}.run"

echo "************************** Installing software development packages: **************************"
apt-get install -y "ruby${ruby_version}" "ruby${ruby_version}-dev" libopenssl-ruby rubygems mysql-server meld

echo "************************** Installing web server packages: **************************"
apt-get install -y apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev

echo "************************** Removing mysql-server autostart **************************"
update-rc.d -f mysql remove

echo "************************** Removing apache autostart **************************"
update-rc.d -f apache2 remove

echo "************************** Setting up ruby enterprise **************************"
wget "http://rubyforge.org/frs/download.php/71100/ruby-enterprise_${ruby_enterprise_version}.deb"
dpkg -i "ruby-enterprise_${ruby_enterprise_version}.deb"

echo "************************** Setting up passenger **************************"
passenger_dir="/usr/local/lib/ruby/gems/${gem_version}/gems/passenger-${passenger_version}"
"${passenger_dir}/bin/passenger-install-apache2-module"

echo "LoadModule passenger_module ${passenger_dir}/ext/apache2/mod_passenger.so" > /etc/apache2/mods-available/passenger.load
# The angle brackets must be quoted: unquoted, the shell reads '<IfModule' as an
# input redirection and nothing is written to the file. The guard tests for
# mod_passenger itself, since these directives only exist when it is loaded.
echo "<IfModule mod_passenger.c>" > /etc/apache2/mods-available/passenger.conf
echo "PassengerRoot ${passenger_dir}" >> /etc/apache2/mods-available/passenger.conf
# PassengerRuby should resolve to the Ruby Enterprise interpreter just installed under /usr/local.
echo "PassengerRuby $(which ruby)" >> /etc/apache2/mods-available/passenger.conf
echo "</IfModule>" >> /etc/apache2/mods-available/passenger.conf

echo "************************** Getting Flash Player **************************"
wget "http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_${flash_version}.deb"
dpkg -i "install_flash_player_${flash_version}.deb"

echo "************************** cleanup **************************"
# Remove exactly the files downloaded above (the REE package is named ruby-enterprise_*.deb).
rm -f examples.desktop "install_flash_player_${flash_version}.deb" "framework-${metasploit_version}.run" "ruby-enterprise_${ruby_enterprise_version}.deb"
```
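The script above fetches the Metasploit installer and the Ruby Enterprise package over plain HTTP and runs them as root without checking what arrived. The helper below is an added example (not part of the original post) that downloads a file and refuses to keep it unless its SHA-256 matches a digest obtained separately from the vendor; the URL and digest in the usage comment are placeholders.

```bash
#!/bin/bash
# Added example: download-then-verify helper for installers pulled with wget.
# Nothing here is run from the original script; the usage comment at the bottom
# shows how it would slot in. Placeholder hash and URL are not real values.
set -u

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || return 1
    actual="$(sha256sum "$file" | awk '{print $1}')"
    # Compare case-insensitively: published digests are sometimes upper-case.
    [ "$(printf '%s' "$actual" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')" ]
}

# fetch_verified URL EXPECTED_HEX DEST -> 0 and DEST kept on match;
# 1 if the download failed, 2 if the digest did not match (DEST is deleted either way).
fetch_verified() {
    local url="$1" expected="$2" dest="$3"
    wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    if verify_sha256 "$dest" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $url, removing $dest" >&2
    rm -f "$dest"
    return 2
}

# How the Metasploit step of the install script would use it (placeholder digest):
# fetch_verified "http://www.metasploit.com/releases/framework-${metasploit_version}.run" \
#     "<sha256 published by the vendor>" "framework-${metasploit_version}.run" \
#     && chmod +x "framework-${metasploit_version}.run" \
#     && "./framework-${metasploit_version}.run"
```

A mismatch leaves nothing executable behind, so a failed or tampered download stops the script at that step instead of silently installing whatever the mirror served.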

Here’s a sample Apache config (taken straight from Phusion’s installer…):

```apache
<VirtualHost *:80>
   ServerName http://www.yourhost.com
   DocumentRoot /somewhere/public
   <Directory /somewhere/public>
      AllowOverride all
      Options -MultiViews
   </Directory>
</VirtualHost>
```