Permanent Denial-of-Service Attack Sabotages Hardware

May 20, 2008 – 11:36 AM

You don’t have to take an ax to a piece of hardware to perform a so-called permanent denial-of-service (PDOS) attack. A researcher this week will demonstrate a PDOS attack that can take place remotely.

A PDOS attack damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the infamous distributed denial-of-service (DDOS) attack — which is used to sabotage a service or Website or as a cover for malware delivery — PDOS is pure hardware sabotage.

“We aren’t seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today,” says Rich Smith, head of research for offensive technologies & threats at HP Systems Security Lab.

Smith says a PDOS attack would result in a costly recovery for the victim, since it would mean installing new hardware. At the same time, it would cost the attacker much less than a DDOS attack. “DDOS attacks require investment from an attacker for the duration of the extortion — meaning the renting of botnets, for example,” he says.

Smith will demonstrate how the firmware in network-enabled systems is susceptible to a remote PDOS attack — which he calls “phlashing” — this week at the EUSecWest security conference in London. He’ll also unveil a fuzzing tool he developed that can be used to launch such an attack as well as to detect PDOS vulnerabilities in firmware systems.

His so-called PhlashDance tool fuzzes binaries in firmware and the firmware’s update application protocol to cause a PDOS, and it detects PDOS weaknesses across multiple embedded systems.

Read the rest of this story…

Firefox developers tinker with new security protections

May 20, 2008 – 9:29 AM

Developers of the Firefox browser are designing new technologies aimed at protecting users from some of the nastiest and most prevalent forms of website attacks.

One protection is designed to minimize end users’ risk to cross-site scripting (XSS) attacks and cross-site request forgeries (CSRFs), both of which subvert basic internet security by exploiting the often misplaced web of trust that exists between two or more different sites. The protection would allow developers of one site to explicitly define which domains are allowed to initiate or answer cross-site requests for code, cookies and other site resources.

“These policies will describe which scripts in a page should be treated as valid and how web content should be permitted to initiate cross-site requests,” Brandon Sterne, a member of Mozilla’s security group, wrote in an email. Sterne recently described his work to security professionals at Yahoo.

The idea is to enable websites to define security policies that the browser enforces. That will protect users from vulnerable sites and prevent sites from receiving forged requests. Site developers could indicate an explicit set of domains that should be treated as valid sources of JavaScript, so that code embedded in a page from a domain that isn’t specifically white-listed would not be executed.
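The snippet below is an added illustration of the mechanism Sterne describes, not code from the article or from Mozilla: a site declares which hosts may supply scripts and which hosts may initiate cross-site requests, and the browser side evaluates each script and request against that declaration, denying by default whenever a directive is present. The policy syntax (`script-src`, `request-from`, `'self'`, `*.host` wildcards), the function names and the sample hosts are all constructed assumptions for this example; Mozilla’s later Content Security Policy uses its own, different grammar.

```javascript
// Added illustration of a site-declared, browser-enforced policy of the kind the
// article describes. Syntax, names and sample hosts are this example's own
// assumptions, not Mozilla's eventual Content Security Policy format.

// Parse a constructed policy string such as
//   "script-src 'self' static.example.net; request-from partner.example.org"
// into { "script-src": [...], "request-from": [...] }.
function parsePolicy(text) {
  const policy = {};
  for (const directive of text.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Match a hostname against one policy source: "'self'" means the page's own
// host, "*.example.com" matches subdomains only (not the bare apex), anything
// else must match exactly.
function sourceMatches(source, host, selfHost) {
  if (source === "'self'") return host === selfHost;
  if (source.startsWith("*.")) {
    const suffix = source.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return source === host;
}

function hostFromUrl(url) {
  return new URL(url).hostname.toLowerCase();
}

// May a <script src> URL execute on this page? Default-deny once the page
// declares script-src; a page with no directive keeps legacy allow-all behaviour.
function scriptAllowed(policy, pageUrl, scriptUrl) {
  const sources = policy["script-src"];
  if (!sources) return true;
  const selfHost = hostFromUrl(pageUrl);
  const scriptHost = hostFromUrl(scriptUrl);
  return sources.some((s) => sourceMatches(s, scriptHost, selfHost));
}

// May a request initiated from initiatorUrl be delivered to targetUrl?
// Same-host requests always may; cross-site ones only from listed hosts.
function crossSiteRequestAllowed(policy, targetUrl, initiatorUrl) {
  const targetHost = hostFromUrl(targetUrl);
  const initiatorHost = hostFromUrl(initiatorUrl);
  if (targetHost === initiatorHost) return true;
  const sources = policy["request-from"] || [];
  return sources.some((s) => sourceMatches(s, initiatorHost, targetHost));
}

// Evaluate a whole page: returns [url, allowed] pairs for inspection.
function evaluatePage(policyText, pageUrl, scriptUrls, initiatorUrls) {
  const policy = parsePolicy(policyText);
  return {
    scripts: scriptUrls.map((u) => [u, scriptAllowed(policy, pageUrl, u)]),
    requests: initiatorUrls.map((u) => [u, crossSiteRequestAllowed(policy, pageUrl, u)]),
  };
}

// Constructed sample: a bank page allowing its own scripts plus one CDN.
const SAMPLE_POLICY = "script-src 'self' *.cdn.example; request-from partner.example";
const SAMPLE_PAGE = "https://bank.example/account";
const SAMPLE_SCRIPTS = [
  "https://bank.example/js/app.js",     // 'self': allowed
  "https://static.cdn.example/lib.js",  // wildcard subdomain: allowed
  "https://cdn.example/lib.js",         // apex not covered by *.cdn.example: blocked
  "https://evil.example/x.js",          // script injected via XSS: blocked
];
const SAMPLE_INITIATORS = [
  "https://bank.example/transfer",      // same site: allowed
  "https://partner.example/widget",     // white-listed partner: allowed
  "https://attacker.example/csrf",      // forged cross-site request: blocked
];

if (typeof require !== "undefined" && require.main === module) {
  const result = evaluatePage(SAMPLE_POLICY, SAMPLE_PAGE, SAMPLE_SCRIPTS, SAMPLE_INITIATORS);
  console.log(JSON.stringify(result, null, 2));
}
```

The design point worth noticing is the default: once a page declares a `script-src` list, anything not on it is refused, which is what turns an injected `<script>` tag from a working XSS payload into an inert string; the request side works the same way, so a forged request from an unlisted origin never reaches the site’s handlers.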

Read the rest of this story…

How To Run Linux From A USB Flash Drive

May 20, 2008 – 9:21 AM

Most of the time, Linux is run from either an installation on a hard drive or a live CD/DVD distribution. The first is fast, but not very portable; the second can be run anywhere you have a computer and a CD drive with boot access, but typically isn’t very fast. Over the last few years, though, we’ve seen the emergence of something that combines the speed of a hard drive install with the convenience of a live CD: running Linux from a USB flash drive.

While flash memory prices are still high enough that a flash-based 100-GB hard drive is way out of the realm of what most people would find affordable, 2-GB and 4-GB flash drives are cheap enough to make a streamlined Linux installation practical.

You won’t be able to pack your MP3 collection and your gigs of vacation photos to go with you — at least, not yet! — but you will be able to run Linux with most of the applications you need, and bring the more crucial of your data with you as well. What’s more, there are ways to run Linux from a flash drive that don’t even require an OS reboot, especially if you’re running Windows.

Read the rest of the story…

Tomorrow’s Malware

May 20, 2008 – 6:20 AM

My favorite tech quote is from Giorgio Maone. It goes like this: “If today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, the Web is already a huge executable platform, and we should start thinking of it this way, from a security perspective.”

Part of my job at GNUCITIZEN is to spot trends. There is nothing magical in this line of work but I believe that some people are more suited for it than others. This is my opinion and it is based entirely on my experience and knowledge which has been accumulating for the past 7 years.

A trend which I saw emerging several years ago has already started to shape up. I am talking about Web2.0. The Web is the single most important and most critical platform we have ever built. Some of you may argue that it is not the Web, it is the Internet in general. To an extent I agree but I find the Web mission critical for most people. While it may be OK to turn off certain Internet protocols, HTTP is often let go free. It just makes business sense.

This is the reasoning I applied when doing my Web2.0 hacking research, the XSS and CSRF stuff I’ve been toying with, the Social Networking experiments and most of the things behind the GNUCITIZEN umbrella. If you haven’t noticed yet, everything is pushed into the cloud, not only your social life but your personal data and now even your health records thanks to Google. Hacking into your box is not valuable anymore unless attackers are building a botnet. But hacking into your box is hardly scalable if your data is what attackers are after. The cloud is what matters today and will matter tomorrow.

Source: GNUCITIZEN

Attacking Banks – Encrypted Strings and Local Content Injection

May 19, 2008 – 7:29 PM

We have been noticing quite a few binaries lately that target Brazilian banks. While most tend to have the same behavior, we found a particular piece that actually encrypted most of its strings to slow down analysis. In this blog we analyze the decryption routine and write a decryption algorithm, as well as note some other general ways to automate dumping of encrypted strings and their associated plaintext. In addition to this technical dive, we also touch on other interesting behaviors of this particular malware, including its ability to detect the presence of G-Buster Browser Defense, a security solution offered by some Brazilian banks, such as Caixa Economica Federal.

Decrypting the Strings

The executable was packed with Themida, a commercial protection offered by Oreans Technologies. Because no trial splash screen appeared on execution, the malware author probably used a pirated copy to protect the executable.

Read the rest of the story…