Rails security resources

As we make the push toward releasing the platform that I'm working on, we've installed exception_notification in our Rails app. With the increased visibility of all the exceptions it became apparent quite quickly that there were numerous hits against the server from automated vulnerability scanners. These attempts were causing routing errors as they looked for paths like '/user/soapCaller.bs', thankfully not targeting Rails applications.

The arrival of this sort of scan was not particularly surprising to me, as I've seen similar scans in the past. I've even actively dabbled in some security research by running a few honeypot projects, but I digress.

Even though these scans usually go after large installations such as WordPress, Drupal, Joomla and phpMyAdmin, it isn't stupid to take them as a reminder to keep up to date on security vulnerabilities. In the case of Ruby on Rails the starting point would be the rubyonrails-security Google group and the Ruby on Rails blog.

Another great resource is Rails Inside. Rails Inside usually picks up any serious flaws and relays them to the community. In addition to this, they follow new releases of popular plugins/gems that may form part of your app. The site provides an important service because keeping up-to-date is a good way of reducing the risk of being caught by a vulnerability that has been dutifully patched by the maintainer.

The above is certainly not a complete list, so I'd like to hear if there are any other Rails/Ruby security resources that you find useful.

Security wake up call

I don’t think that I’ve had this much adrenalin pumping through my system on a Saturday morning in quite a while. My girlfriend signed into her email (as she does most mornings) to discover an email from eBay Live Support asking for a code. She called me over, and a few seconds later the email vanished. What happened after that point is a blur of password resets, with both her and the would-be hacker trying to gain control of the Hotmail account and, through it, the eBay account.

There were paranoid moments when passwords wouldn’t work, but in the end she’s still in control of the accounts. Just about every account she owns has now had the password and details changed to help protect it.

It’s intrusive though. How exactly did the attacker break into the account? Not phishing; Cherie is well aware of that type of malicious email. Guessing the security questions? Maybe.

That raises other concerns, though: email addresses become repositories of knowledge for our online lives. Just about every account you sign up for online has to have an email account linked to it, which means many details about your online life are there in fragments. We’ll never know exactly what the hacker had access to (albeit briefly).

I’m personally going to be reviewing all my accounts to make sure that they’re secure, and I’d advise you to do the same.

RockYou gets rocked by hackers

(And I’m hilarious)

Seems that simple lessons don’t get learned. Don’t get me wrong, it's very hard to protect every aspect against hackers who try to pry their way into your site. Storing passwords in plain text is just dumb though. Even if the passwords for your own site are hashed, the proliferation of storing third-party login details (which you could still encrypt with a symmetric key) is a time bomb.
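As an added example (not code from the original post), here is how a Rails app could apply both ideas in plain Ruby: its own users' passwords are stored only as a salted, slow hash, while third-party credentials it genuinely needs to read back are encrypted with a symmetric key that lives outside the database. The function names and the storage format are my own choices.

```ruby
require "openssl"
require "securerandom"
# Added example, not the post's own code. Two kinds of secret, two treatments:
# the site's own user passwords become a salted, slow hash (PBKDF2-HMAC-SHA256
# here; bcrypt/scrypt/argon2 are as good), while credentials for *other*
# services, which must be recoverable, are encrypted with AES-256-GCM under a
# server-side key that is never stored in the database.

PBKDF2_ITERATIONS = 100_000

# Returns "iterations$salt_hex$hash_hex"; a stolen row reveals no password.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: 32, hash: "sha256")
  [PBKDF2_ITERATIONS, salt.unpack1("H*"), digest.unpack1("H*")].join("$")
end

# Constant-time comparison so timing does not reveal how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored)
  iterations, salt_hex, hash_hex = stored.split("$")
  candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: [salt_hex].pack("H*"),
                                       iterations: iterations.to_i,
                                       length: 32, hash: "sha256")
  secure_equal?(candidate, [hash_hex].pack("H*"))
end

# Encrypts a third-party credential: a fresh IV per record, and the GCM tag
# means a tampered ciphertext is rejected on decryption rather than returned.
def encrypt_third_party_secret(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |s| s.unpack1("H*") }.join("$")
end

def decrypt_third_party_secret(blob, key)
  iv, tag, ciphertext = blob.split("$").map { |h| [h].pack("H*") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final # raises CipherError if tampered
end
```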

RockYou is just the latest site on the internet to learn this hard lesson. Supposedly the hacker is one of the good guys, but there is no guarantee that someone else didn’t get the information as well. It’s an argument for doing away with passwords altogether: how long will it be until we can use public/private key authentication with websites? It is now accepted best practice with SSH, since the advent of widespread SSH brute-forcing.

Private key authentication solves a lot of the problems with websites storing password information: the hacker would have gained nothing besides the ability to verify that users were who they claimed to be.