The Effect of CSRF on a Forensic Investigation
Whilst I mostly agree with the issues raised in this article over at Dark Reading [Exploit Could Taint Forensics], there is one comment that really ground my gears, and I would recommend that the author/editor get their technical facts straight before publishing.
These investigations often rely on a user’s Web browser cache and history to reconstruct a user’s suspicious activity, so if the user’s machine is infected with CSRF, that data isn’t reliable and an innocent user could be mistakenly accused of wrongdoing when it was actually an attacker behind it.
My concern is focused on how a user’s machine can get infected with CSRF as if CSRF is a form of malicious software, when CSRF is not an “infectious” type of software.
I’m not going to go into what CSRF is as a quick check of Wiki is sufficient.
Regardless of this slip-up, the issue of these sorts of exploits tainting a forensic investigation is a valid point. Of course, a thorough review of a user’s web history could potentially unveil the site which instantiated the CSRF attack, and highlight that the user’s web history may not be a good source of evidence in a case. This of course does not mean that this evidence is not good evidence; it just has to be reviewed appropriately.
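An added example (not from the original post): a minimal triage pass over exported history rows that flags requests to the site under investigation which arrived from a different site almost immediately after that page loaded, and names the referring site. The record fields, hostnames and the 3-second threshold are assumptions made for illustration; a hit is a lead to review, not proof of forgery.

```python
from urllib.parse import urlsplit

# Constructed sample: one row per history visit, as an examiner might export it.
# Field names (id, from_visit, url, ts) are assumptions, not a real browser schema.
VISITS = [
    {"id": 1, "from_visit": 0, "url": "https://bank.example/login", "ts": 1000},
    {"id": 2, "from_visit": 1, "url": "https://bank.example/transfer?to=alice&amt=50", "ts": 1090},
    {"id": 3, "from_visit": 0, "url": "https://forum.example/thread/42", "ts": 2000},
    {"id": 4, "from_visit": 3, "url": "https://bank.example/transfer?to=mallory&amt=900", "ts": 2001},
    {"id": 5, "from_visit": 0, "url": "https://news.example/", "ts": 3000},
]


def host(url):
    """Hostname of a URL, or an empty string if it has none."""
    return urlsplit(url).hostname or ""


def flag_cross_site(visits, target_host, max_gap=3):
    """Return visits to target_host that were reached from a page on another
    host within max_gap seconds, i.e. faster than a person would plausibly
    read the page and click. Each hit names the referring site to review."""
    by_id = {v["id"]: v for v in visits}
    hits = []
    for v in visits:
        if host(v["url"]) != target_host or not urlsplit(v["url"]).query:
            continue  # only parameterised requests to the site in question
        parent = by_id.get(v["from_visit"])
        if parent is None:
            continue  # typed, bookmarked or origin unknown: nothing to compare
        gap = v["ts"] - parent["ts"]
        if host(parent["url"]) != target_host and gap <= max_gap:
            hits.append({"visit": v["id"], "origin": host(parent["url"]), "gap_s": gap})
    return hits


if __name__ == "__main__":
    for hit in flag_cross_site(VISITS, "bank.example"):
        print(hit)
```

Requests that a page triggers as embedded resources may never appear in the history at all, so a pass like this would be run alongside a review of the cache and any server-side logs.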
Posted by Christian
Posted in: Computers, Security, Web Development
29 January 2008
The Risk of Remote Controlled Mining Equipment
I wonder what you get when you cross this with this.
The idea of remotely controlled mining equipment does raise a number of questions. I hope that they’ve been paying close attention to all the SCADA security articles that have been going around. Please keep your control network completely isolated from your standard network. Do you really have a requirement for your staff to control your heavy machinery from their homes or the airport lounge?
Posted by Christian
Posted in: Computers, Security
18 January 2008
Virtual Private Server Security
I’d never really heard about this until reading this article from digg, where the developer wanted to set up a hosting environment for his upstart wizz-bang webapp really quickly. So instead of purchasing a piece of “shared web hosting”, he purchased a “Virtual Private Server” from Slicehost.
For $20 a month you have a slice with 256MBs of RAM, 100GB transfer, a complete virtual machine (read: root access), and an IP address. All running your choice of Ubuntu, CentOS, Gentoo, Debian, Fedora or Arch.
This seems to raise a number of security risk concerns that I hope people are taking seriously, especially as this product appears to be marketed at developers, who we all know are fantastic at securing their resources. Instead of having the security of the servers handled by on-staff security/server admins, you let the client secure their own servers. I can’t help but think that surely this increases the likelihood of these hosts getting compromised. Let alone when (if) we start seeing hypervisor exploits emerge.
Posted by Christian
Posted in: Computers, Security, Web Development
8 January 2008
Google and Postini
It’s interesting that I haven’t read about this anywhere. But it appears as if Google is pushing Communication Policy Management and Message Recovery into their Google Apps Premier suite.
At first, I didn’t quite understand what this added to Google’s current archiving and anti-spam technology, but thinking about it further, and reading a couple of articles, did highlight how these new features could be very positive to those SOHO/SMBs looking to move their communication infrastructure over to Google Apps.
I mean, I’m aware that there are a number of ways that one can achieve archiving of Gmail messages (IMAP/POP access) and Gcal stuff (command line Gcal access via gcalcli), but having these features in-built is pretty good and certainly a lot less fidgety and fraught with problems. I assume it’ll just be a matter of time before these become standard, non-Postini features.
And as an aside, how many SOHO/SMBs are currently rolling their communication infrastructure onto Google Apps, entirely?
Posted by Christian
Posted in: Computers, Security
6 January 2008
Protecting Australians (Privacy or Otherwise)
There have been a couple of recent events in Australia that I’ve wanted to write about or mention but never gotten around to. Fortunately for me, someone else has written up some commentary: from the Planet-websecurity mailing list came a post linking to this article from Sûnnet Beskerming on Information Security Ups and Downs Down Under.
The first was the move by the newly elected Labor government to cancel the National ID Card scheme and close the office, and the second was the possible legislation to restrict inappropriate content to minors and the widespread adoption of ISP-based Internet filtering.
I’m interested to see how this second point pans out, because I feel it’s one of those political statements that while appearing to be a “really good idea”, doesn’t have much technical support to back it up. From ABC:
Online civil libertarians have warned the freedom of the internet is at stake, but Senator Conroy says that is nonsense.
He says the scheme will better protect children from pornography and violent websites.
“Labor makes no apologies to those that argue that any regulation of the internet is like going down the Chinese road,” he said.
“If people equate freedom of speech with watching child pornography, then the Rudd-Labor Government is going to disagree.”
Whilst I agree with their comments on child pornography under the freedom of speech banner, I’m still having a hard time understanding how technically this could be implemented. Either blacklists are used, which obviously aren’t accurate or current and would introduce false positives etc., or some sort of image/content filtering is used, which I imagine would slow down our already comparatively slow Internet.
Posted by Christian
Posted in: Computers, Security
5 January 2008