Security is a Funny Business
You have to hand it to Mark and his team; these videos are damn funny:
And uncanny how much that reminds me of my work!
Posted by Christian
Posted in: General, Security
No Comments »
28 July 2008
Mobile Phishing Gets Easier
So Telstra has been promoting and advertising the imminent release of software updates for a large number of Australian mobile phone users that will allow their phones to read Quick Response Codes (QR Codes). The idea is that these barcodes can be put in magazines, on posters, on your bills, anywhere, and it’s trivial for you to read the barcode with your mobile phone and be redirected to a website. In fact, not just browse to a site, but save a contact, start an SMS or even call a number.
A colleague of mine at work has an N95 and he quickly discovered that his phone already had the software installed. Within minutes he was firing up the scanner at barcodes and to our surprise the technology appeared to work great. In fact, due to QR Codes being open (i.e. the specification is in the open) he was quickly creating his own barcodes. Think a physical, digital business card that can be instantly understood by your mobile phone.
The Problem
I’ve already started to hear some people commenting that perhaps this will be a great avenue for potential scammers to make mobile phone users visit sites that perhaps they don’t want to. Consider the scenario where you’re sitting at your bus stop and on the billboard next to you is a poster for the next upcoming movie release, and in the corner of the poster is a QR Code. Imagine you fire up your phone, point it at the code and click “Go”. The next thing you know your mobile phone is at a malicious website downloading a specially crafted piece of mobile malware.
I can see a couple of similarities between these QR Codes and URL shortening services such as tinyurl.com. Both abstract and simplify access to more complicated information. Neither readily discloses what it is hiding until perhaps it is too late. A number of people have already discussed the potential risks of these URL shortening services (one quick example is over at RISKS). I believe that these risks map almost one to one onto QR Codes and automatic software on your mobile phone.
What next?
As these QR Codes become more ubiquitous maybe we’ll start seeing more people plastering phishing QR Code stickers over publicly exposed QR codes (Quishing? *erk* Someone shoot me). Maybe by making it easier for people to access mobile content we’ll see a spike in malicious mobile code. Maybe we’ll start to see an increase in bills which can be paid via your mobile phone, which in itself includes a whole host of risks.
Or maybe it will all just fizzle?
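As an added illustration (not code from the post), here is a small Python classifier for the decoded text of a QR code: it works out which action the phone would take (browse, call, SMS, save contact) and flags destinations hidden behind a shortener such as tinyurl.com, so the target can be shown to the user before the phone acts. It assumes the barcode image has already been decoded to text; the shortener hosts beyond tinyurl.com and the sample payloads are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed list of URL-shortener hosts; tinyurl.com is the one the post names,
# the other entries are assumptions a real deployment would maintain itself.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd"}


def classify_qr_payload(payload: str) -> dict:
    """Map decoded QR text to the action a phone would take and flag payloads whose
    real destination is hidden, so the phone can show it and ask before acting."""
    text = payload.strip()
    lower = text.lower()
    if lower.startswith(("http://", "https://")):
        host = (urlsplit(text).hostname or "").lower()
        return {"action": "browse", "target": host,
                "hidden_destination": host == "" or host in SHORTENER_HOSTS}
    if lower.startswith("tel:"):
        return {"action": "call", "target": text[4:], "hidden_destination": False}
    if lower.startswith(("sms:", "smsto:")):
        # Both forms carry the number first; SMSTO may append ":message".
        number = text.split(":", 2)[1]
        return {"action": "sms", "target": number, "hidden_destination": False}
    if lower.startswith(("mecard:", "begin:vcard")):
        return {"action": "save_contact", "target": "contact card",
                "hidden_destination": False}
    # Anything else is plain text: nothing to act on, just show it.
    return {"action": "display_text", "target": text, "hidden_destination": False}


def review_payloads(payloads):
    """Return the (action, target) pairs a user should confirm before the phone
    acts, plus the list of targets whose real destination is not visible."""
    confirm, hidden = [], []
    for p in payloads:
        info = classify_qr_payload(p)
        if info["action"] != "display_text":
            confirm.append((info["action"], info["target"]))
        if info["hidden_destination"]:
            hidden.append(info["target"])
    return confirm, hidden


# Constructed sample payloads standing in for codes scanned off a poster or a bill.
SAMPLE_PAYLOADS = [
    "http://www.example.com/movie-trailer",
    "http://tinyurl.com/abc123",          # destination not visible until followed
    "tel:+61400000000",
    "SMSTO:+61400000000:Ticket please",
    "MECARD:N:Example,Jane;TEL:+61400000000;URL:http://www.example.com;;",
    "Just some printed text",
]

if __name__ == "__main__":
    for item in review_payloads(SAMPLE_PAYLOADS)[0]:
        print("confirm before acting:", item)
```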
Posted by Christian
Posted in: Computers, General, Profession, Security
1 Comment »
8 July 2008
More Than Meets The Eye
Just read this article by Michael Farnum over on computerworld.com and I have to say, what a spectacular example of security through absurdity.
Posted by Christian
Posted in: General, Security
No Comments »
3 June 2008
Web Server vs Reverse Proxy
Despite having been a member for over a year, I think this is the first time I’ve mentioned the Security Catalyst Community forum. Whilst I’m not much of a frequent poster, I do find myself going back there almost daily to catch up on discussions that might be relevant to me either personally or professionally. The forum was started by Michael Santarcangelo over at SecurityCatalyst.com, and over the period that I’ve been following it the number of users actively participating has certainly been growing.
The reason I wanted to write about it today was primarily driven by a recent thread on the forum about “Web Server VS Reverse Proxy” (by David Stern) that mirrored conversations that I was also having with colleagues on:
“What exactly are the controls that reverse proxies provide to a 3-tier web application?”
The thread seemed to echo what we were talking about at work, so I was pleased to see the general acknowledgement that the actual control provided by a reverse proxy is more about introducing another layer between the data and the client, and that the consensus seemed to be that this control is actually quite weak, especially as most run-of-the-mill reverse proxies would not help mitigate web application risks such as information disclosure or SQL injection.
Another comment (thank you Kees Leune) highlighted that traditionally reverse proxies were designed to provide non-security functions, such as load balancing, SSL offloading or aggregating your web presence through a single point (potentially to simplify your logging?). Of course, the point that really jumped out at me was from Michael Dickey, who mentioned the downside of reverse proxies: “they may not interpret it the same way a web server will. This can give rise to fun request smuggling attacks or other cache poisoning issues.”
I would highly recommend anyone involved with information security sign up to the forum as I think it’s an invaluable resource. Even if a topic only comes up occasionally that has relevance to you it’s definitely worthwhile.
Posted by Christian
Posted in: General
No Comments »
10 May 2008
Sub Rosa
Whilst I certainly don’t claim to be much of a literary critic or expert, I found the semantics behind yesterday’s word of the day really interesting, especially because of its ties with security.
sub rosa \suhb-ROH-zuh\
adverb:
1. Secretly; privately; confidentially.
adjective:
1. Designed to be secret or confidential; secretive; private.
Further investigation (Wiki) highlighted the history behind the Latin term, which means ‘under the rose’, and how its current understanding in English has come to mean secrecy or confidentiality:
…
The rose was the emblem of the god Horus in ancient Egypt. Later the Greeks and Romans regarded this as god of silence. This originates from a Greek/Roman misinterpretation of an Egyptian hieroglyphic adopting Horus along with Isis and Osiris as a god. The Greeks translated his Egyptian name Har-pa-khered to Harpocrates.
The rose’s connotation for secrecy also dates back to Greek mythology. Aphrodite gave a rose to her son Eros, the god of love; he, in turn, gave it to Harpocrates, the god of silence, to ensure that his mother’s indiscretions (or those of the gods in general, in other accounts) were kept under wraps. Paintings of roses on the ceilings of Roman banquet rooms were also a reminder that things said under the influence of wine (sub vino) should also remain sub rosa. In the Middle Ages a rose suspended from the ceiling of a council chamber similarly pledged all present (those under the rose) to secrecy.
In Christian symbology the phrase “sub rosa” has a special place in confessions. Pictures of file-leaved roses were often carved on confessionals, indicating that the conversations will maintain secrecy. The phrase has also been understood to make reference to the mysterious virginal conception of Christ, which will remain a secret to a rational mind.
In current times, the term is actually used by the Scottish Government for a specific type of “off the record” meetings.
In a number of European countries a “sub rosa” remark is deemed to imply sexual innuendo, or at the very least a blow below the belt. More recently, “sub rosa” activities have become a byword for covert operations, usually by security services. Originating primarily in the USA, this meaning has been gradually spreading to other countries and in particular the United Kingdom.
Posted by Christian
Posted in: General, Security
No Comments »
4 May 2008
Mitigating DoS with Employee Monitoring. What.
This article over on Computerworld Australia seems to have a couple of conflicting items that have been bugging me since I read it the other day. The article begins by mentioning potential changes to federal government legislation:
The changes will give employers power to intercept all Internet-based communications without consent, including e-mails and instant message (IM) discussions.
It’s at this point that all of a sudden we go on a massive tangent, whereby the Attorney-General is saying that these legislative changes are a counter-terrorism measure, and that these changes could prevent breaches occurring:
…similar to the Estonian Denial of Service (DoS) attacks in which a 19 year-old hacker disabled the Web sites of banks, schools and the Prime Minister’s office.
Hopefully someone out there can explain to me exactly how granting employers monitoring rights over their employees is a control against denial of service attacks? Or, even better, how exactly a denial of service attack equates to a breach? Especially after they’ve done such a good job of defining what an Information Security Breach is in the “Draft Voluntary Information Security Breach Notification Guide”.
An information security breach occurs when personal information is exposed to unauthorised access, use, disclosure or modification as a result of a breach of an agency’s or organisation’s information security.
The only saving grace in the article was the comment from Nick Elsmore from SIFT where he states that these new laws will have minimal impact on businesses due to most enterprises having provisions for Internet monitoring within employee contracts. My experience in a few different enterprises has proven this to be the case.
Posted by Christian
Posted in: General
2 Comments »
25 April 2008
Voyeur
I think it must be the voyeur in me but I’m totally fascinated by the photos people take of the stuff they carry with them. I don’t really know why. Am I trying to understand just how popular Apple Macbooks and iPods are? Do I just want to reinforce my love of Moleskins? Am I trying to fill in the gaps of the stuff that I carry around with me?
It all started with the Screenshot Tour: Show Us Your Go Bag, which also had a sequel, and then today I stumbled upon the Items We Carry Flickr group!
Ah it’s all too much.
Posted by Christian
Posted in: General
2 Comments »
27 August 2007
Remind Me
This weekend has been so much slower than last and I can’t even begin to explain how good that is. I think the problem with last weekend was that it was the culmination of my sister’s birthday and Mother’s Day. Combine that with my family and Sara’s family having to celebrate with my sister in silos to prevent interaction between my mum and dad, and it felt like we never stopped.
Today, on the other hand, had me up and about but not rushing about: I caught a coffee with my mum and wandered around the city before ending up in the rehearsal room for 4 hours, and then just spent some time catching up on Internet reading.
Some of the more interesting things from today’s reading include:
- The new Google Analytics. With all its revised Web2.0 web site statistic goodness. The only problem I have with the new version is the fact that it’s still so good at telling me how poor my hits are.
- Another Google statistic item, this time the Gapminder World 2006. Provides you more information on global statistics, for example life expectancy versus income per capita, than you can poke a stick at.
- Finally, the Remind Me video clip from Röyksopp. Saw this on the core77 blog and was really impressed with it. I love this style of art.
Posted by Christian
Posted in: Computers, Family, General, Web Development
3 Comments »
19 May 2007
25
It’s been a little under a week since I turned 25 and I have to say I’m doing a fantastic job of making it last. I mean there is still some cake left in the fridge 6 days after!
As far as birthday presents go I was spoilt rotten, as usual, here is a pic of some of the goodies.
For birthday cakes I was lucky enough to receive not one, not two, but four different cakes. My favourite was easily the chocolate cake made by Sara and adorned with Strawberries!
In addition to being long lasting it’s also been a fantastically interesting week, work wise. It’s been the 2nd week of my new job and every day is exposing more challenges and more things which are interesting me. The more I get to know my colleagues the happier I am at the decision I made to shift into this job.
Posted by Christian
Posted in: Family, General, Profession
No Comments »
4 May 2007
The Chicken’s Great Great Grand-daddy
I actually thought this was old news.
Posted by Christian
Posted in: General
No Comments »
14 April 2007