The past couple of weeks have been an absolute rollercoaster. Last week we had a fairly hectic one with a number of our guys attending AusCERT, and then this week was a combination of busy work and getting ill. I find making the decision to call in sick to be one of the more difficult decisions I have to make. Am I actually sick enough not to go to work? Will I make myself much sicker if I just muscle through it? Will I make other people sick? I’m always of two minds with this issue. This instance was probably a bit easier, as the Tuesday night I was waking up every hour or so with head and body aches and so making the call on the Wednesday was really simple.

One of the interesting items that came out of AusCERT that had us all talking, and scratching our heads wondering why popular press weren’t getting into it, was the news that Telstra accidentally distributed malware on USB thumb drives (and here) they were handing out. I guess popular media has more important things to talk about. I know it certainly makes you question whether or not you’d want to use them for security services. Of course, I understand that chances are this was a sales/marketing mistake and so doesn’t necessarily highlight the professionalism of the Telstra security folk.

Another interesting entry I read this week (or was it last week?.. my memories still a little shattered from the cold/flu) was Kees Leune’s post on Never say ‘no’. Kees talks about the all too common situation where security people are seen as the ‘no’ people (thought police, policy nazis, project killers, whatever). More often than not this is actually a perception problem. If the security person is doing their job right they should not be saying no, they should be identifying and highlighting risk. It’s the owners of the risk who are the people who are saying no, not the people identifying the risk. Usually risk assessors are positioned in such a way that they can’t even own a risk, so for them to be saying no would imply some break in the risk management framework.

I can definitely relate to this problem, and further so believe that once your department has developed that reputation it is a very difficult thing to change it. It’s not just a name change that will fix it, it’s almost an entire culture change that has to occur. I’m not completely sure I understand the answer to the problem, it falls into the bucket of ‘you just have to keep on working hard at it.’

Just read this article over on core77 summarising an event held by the UK Design Council which collected forty leading technology designers and manufacturers plus a group of young people to discuss “new ways of harnessing the power of design to protect young people from crime – particularly theft of ‘hot products’ like mobile phones and MP3 players.” This event was conceived after the Design Council released some stats that show that the majority of 11-16 year olds in England carry a gadget with them at some point and that one in eight have been the victim of ‘hot product’ theft in the past three years. I believe ‘hot product’ theft is where the product is stolen from them whilst they’re still using it, such as on the mobile (cell) phone, or listening to an iPod.

Core77’s excerpt provides the most concise overview:

The focus is on generating innovative design briefs which offer a clear business opportunity for manufacturers who will be encouraged to develop them into the next generation of crime-safe gadgets. [...] Home Secretary Jacqui Smith said:

“I am delighted that so many of our best designers have contributed their time and expertise to today’s event and I look forward to seeing genuinely new and commercially viable products flow from it. The role that good design can play in cutting crime is well established but success depends on effective partnerships between Government, the police and the design industry.”

At first I didn’t quite understand what they meant by utilising “design” to prevent crime, believing that it was more centered on architecture, such as developing city spaces which demote crime. But after skimming this article it started to make sense. Richard Farson explains this concept by discussing the power of design:

Design achieves its power because it can create situations, and a situation is more determining of what people will actually do than is personality, character, habit, genetics, unconscious motives or any other aspect of our individual makeup. Nobody smokes in church, no matter how addicted.
…
Recently, the design disciplines have received research attention indicating that the physical environments designers create may have positive effects never before realized, potentially reducing all of the measures of despair. For example, studies show that if children grow up in a home designed to permit a view of greenery, they are less likely to turn to addiction and crime and more likely to achieve in school. Such thoughtfully designed environments can reduce the frequency of divorce and other signs of family dysfunction. It is no longer far-fetched to predict that intelligent design will help prevent mental and physical illness, child abuse and suicide.

Richard also explains that this design power also has a ‘dark side’:

Because it is so powerful, design also has a dark underside. If mindlessly conceived or corrupted, design can produce depressing consequences. The design of cities that plan giant shopping centers can erode traditional communities by forcing neighborhood businesses to close. Massive highway construction can divide and rupture a neighborhood. Kafkaesque office designs of row after row of monitored employees, or maze-like cubicles, can dehumanize. Graphic designs in advertising can be dangerously misleading, promoting unhealthy products or unworthy candidates. Some designers think these bad designs greatly outnumber the good ones.

I believe that a lot of these principles can map to web application security principles as well. At a high level it’s easy to relate the concept that mindlessly conceived or corrupted design of a web application will have an impact upon how many vulnerabilities it may have. In addition, the design of a web application, either be through its presentation layer, or more subtly through the way that business logic is represented in HTML (for example) can also create a false pretense that the system is secure. A good example is a traditional design firm promoting the security of their applications because they utilise SSL/TLS to encrypt the site, when employing SSL may be good for protecting data in transit, but doesn’t help prevent vulnerabilities exposed through XSS or CSRF.

On a deeper level, such as taking into account what the Internet provides for crime, I think the principles still align as well. If it wasn’t trivial to perpetrate crime remotely, anonymously and on such a large scale would it be so prevalent? Probably not. The Internet was not initially designed with a security hat on so of course it’s insecure at a low level.

Whilst being a member for over a year, I think this is the first time I’ve mentioned the Security Catalyst Community forum. Whilst not much of a frequent poster, I do find myself going back there almost daily to catch up on discussions that people are having that might be relevant to me either personally or professionally. The forum was started by Michael Santarcangelo over at SecurityCatalyst.com, and over the period that I’ve been following the forum the number of users actively participating certainly has been growing.

The reason I wanted to write about it today was primarily driven by a recent thread on the forum about “Web Server VS Reverse Proxy” (by David Stern) that mirrored conversations that I was also having with colleagues on:

“What exactly are the controls that reverse proxies provide to a 3-tier web application?”

The thread seemed to echo what we were talking about at work, so I was pleased to see the general acknowledgement that the actual control provided by a reverse proxy is more about introducing another layer between the data and the client, and that the consensus seemed to imply that this control is actually quite weak. Especially as most run of the mill reverse proxies would not help mitigate web application type risks, such as information disclosure or SQL injection.

Another comment (thank you Kees Leune) highlighted that traditionally, reverse proxies were designed to provide non-security functions, such as load-balancing, SSL offloading or aggregating your web presence through a single point (potentially to simplify your logging?). Of course, the point that really jumped out at me was from Michael Dickey who mentioned the down-side to reverse proxies, due to the method in which “they may not interpret it the same way a web server will. This can give rise to fun request smuggling attacks or other cache poisoning issues.”

I would highly recommend anyone involved with information security sign up to the forum as I think it’s an invaluable resource. Even if a topic only comes up occasionally that has relevance to you it’s definitely worthwhile.

I was fortunate enough to attend a two-day crash course on forensic image acquisition last week. The trainer was Phillip Russo from CIA Solutions, whilst a local Perth boy he spends a huge amount of his time running training elsewhere around the world. The course covered the basics of forensic acquisition, traditional investigation skills and computer crime, integrity tools (hashing), checklists, chain of custody, to shutdown or not shutdown, dead versus live forensics, media types, write blockers (software versus hardware), imaging and image types, and a summary of tools.

One of the highlights for me personally was having an opportunity to discuss more of the court room and legal aspects of presenting evidence, as Phillip had a history of presenting in court in a number of different contexts. I think it was through his experience that he had methods of dissecting fairly difficult concepts, so much so that I imagine even the mums and dads out there could understand. A good example is the concept of file slack. Whilst I may have a fairly good understanding of what file slack is, trying to explain this to people who don’t have any history or experience with computer forensics, even savvy IT people, can be a fairly daunting task. Combine this with trying to explain how hard drives, partitions and file systems work and you certainly have a fairly large task in front of you.

Another highlight was the opportunity, not only to get hands on with hardware write blockers and AccessData’s FTK Imager, but also to combine this with real life scenarios and the process of documentation. Due to studying computer forensics at University I was fairly comfortable with the technical process of data acquisition, but combining this with the realistic process of documenting the acquisition, including chain of custody forms, was quite interesting and surprisingly difficult to do effectively.

The question was raised, whether or not if all the forms were transitioned into digital form, whether that would still be admissible in court. Whilst the concept could not be completely discounted, the fact that such records are not ‘tangible’ seemed to be quite an important factor for court room presentation. Judges and juries seem to have a better grasp of concepts when they can see the evidence in front of them. This certainly made sense to me, and obviously relates quite closely with the KISS principle. I think this also makes sense for this type of environment, probably more so than applying it to web application development for example, as you are already bombarding people with foreign and complex concepts, let alone trying to explain to them the principles of digital signatures of your ‘running sheet’, as opposed to your hand written notes.

Overall a worthwhile 2 days, and whilst it whetted my appetite for further training in forensic analysis, I’ll just have to leave that for another day.

Whilst I certainly don’t claim to be much of a literary critic or expert, I found the semantics behind the word of the day for yesterday to be really interesting, especially due to it’s ties with security.

sub rosa \suhb-ROH-zuh\, adverb:
1. Secretly; privately; confidentially.

adjective:
1. Designed to be secret or confidential; secretive; private.

Further investigation (Wiki) highlighted the history behind the latin term, which means ‘under the rose’ and how it’s current understanding in english has come to mean secrecy or confidentiality:

…

The rose was the emblem of the god Horus in ancient Egypt. Later the Greeks and Romans regarded this as god of silence. This originates from a Greek/Roman misinterpretation of an Egyptian hieroglyphic adopting Horus along with Isis and Osiris as a god. The Greeks translated his Egyptian name Har-pa-khered to Harpocrates.

The rose’s connotation for secrecy also dates back to Greek mythology. Aphrodite gave a rose to her son Eros, the god of love; he, in turn, gave it to Harpocrates, the god of silence, to ensure that his mother’s indiscretions (or those of the gods in general, in other accounts) were kept under wraps. Paintings of roses on the ceilings of Roman banquet rooms were also a reminder that things said under the influence of wine (sub vino) should also remain sub rosa. In the Middle Ages a rose suspended from the ceiling of a council chamber similarly pledged all present (those under the rose) to secrecy.

In Christian symbology the phrase “sub rosa” has a special place in confessions. Pictures of file-leaved roses were often carved on confessionals, indicating that the conversations will maintain secrecy. The phrase has also understood to make reference to the mysterious virginal conception of Christ, which will remain a secret to a rational mind.

In current times, the term is actually used by the Scottish Government for a specific type of “off the record” meetings.

In a number of European countries a “sub rosa” remark is deemed to imply sexual innuendo, or at the very least a blow below the belt. More recently, “sub rosa” activities have become a byword for covert operations, usually by security services. Originating primarily in the USA, this meaning has been gradually spreading to other countries and in particular the United Kingdom.