PDOS Attacks

We often talk about security risks that are used often, but there exists one that can completely destroy a users computer, and one that has little protection. The attack method is called PDOS, and although it was once thought as being theoretical, It is cheaper and much more efficient than a denial of service attack, or malware (depending on what the attacker wants to do with his victim) and all that is required is an extreme in-depth knowledge of what hardware the target is using.

What is a PDOS attack? It basically damages a system’s hardware to such an extent that will require the owner to replace it in order for the computer to continue functioning. It does this by attacking the most vulnerable, most overlooked component in a computer: embedded devices. It does this by finding out what type of embedded device is used, and flashing or plashing (malicious term of flashing) the device so it becomes completely corrupt.

It has successfully been performed by Rich Smith, head of research for HP Systems Security Lab, and was done at EUSecWest security conference in London. He developed a tool he called ‘PhlashDance’ which corrupts the binaries of a firmware and then flashes those corrupt binaries to the system. Most systems are vulnerable from this since they usually get firmware updates automatically and aren’t developed for mitigating malicious attacks, and some mechanisms don’t have authentication from the user so anyone could perform a firmware update. The benefits of a PDOS attack for the attacker are that it’s a one-shot attack and afterwards it requires nothing more from the attacker, unline a DoS or DDoS attack.

However, there are more drawbacks then benefits. A PDOS attack is extremely hard to perform due to intricate knowledge that the user must have of the system’s hardware. Also there is really no benefit for the attacker, since they just crash the system rather than infecting it. There is no way for it to spread, making it very unlikely for an attacker to spend the time developing let alone use.

Smith has no plans to release ‘PhlashDance’ and this remains as the only proven use of a PDOS attack in public. Even though this is a very big risk, it benefits no one and the attacker wouldn’t get any profit from an attack like this. Overall, while it is very unlikely to happen, it is public in some systems, which makes for an interesting scenario: What if someone decided to use it?

Sources:
http://www.darkreading.com/security/news/211201088/permanent-denial-of-service-attack-sabotages-hardware.html

Yet another reason not to eat fast food…

Image

Gross, right? Pictured above is a Burger King employee ruining what is probably the only healthy thing that you can find at a Burger King. What’s even worse is that employee decided that this wasn’t enough, and that he wanted to post this picture with the caption “This is the lettuce you eat at Burger King” to the Internet to stir up some trouble. Well trouble is exactly what he got. Shortly after posting this picture to 4chan.org, our star employee was surprised to find out that the collective effort of 4chan users was able to determine which Burger King he worked at in the United States. Before he could do some damage control and delete the thread, people were already sending Burger King emails and phone calls about the incident. This lead to the employee, the photographer, and the supervisor on duty being promptly fired. How did this happen, though? How were they able to find out where this guy lived just from a picture?

The answer is EXIF Data. EXIF Data, which stands for Exchangeable Image File data, is the data that almost all digital cameras store along with the picture taken. This information includes time and date, aperture settings, shutter speed, ISO speed, focal length of the lens, and even the model of the camera phone. It also just so happens to store your geological location when taking the picture. That’s right, that’s how they did it. It isn’t even that hard to view someone else’s EXIF Data on their picture, there are simple web browser plug-ins that let you do just this. Why is all this information being stored, though? I’m not a photographer, but I can see the usefulness. Having this kind of information handy on your pictures can be useful if you’re trying to tweak, or recreate a shot using the same settings on your camera. Also, these EXIF data browser plug-ins are available for photographers to see the data on other photographer’s shots if they happen to like it. It seems like this is a case of good used for bad.

So what should we all take from this? First off, don’t mess with other people’s food. Secondly, if you’re going to post a picture online then you have to be careful, especially if you don’t know the people you are posting to. Finally, if you absolutely feel the need to post a picture online make sure that you are using something like Windows QuickFix, which will completely erase the EXIF Data, along with your GPS location.

As a little bit of added controversy, I think it’s worth mentioning the employee’s side of the story. He claims that he was just playing a joke, and that the lettuce was past the throw out date. After standing in it and taking the picture, he claims he just got rid of it. In my opinion, that is still nothing to joke about and deserved to be fired, but what do you think?

Sources

http://www.labnol.org/software/remove-photograph-metadata/19588/

http://www.digicamhelp.com/glossary/exif-data/

http://www.latimes.com/business/money/la-fi-mo-burger-king-lettuce-4chan-20120718,0,3874620.story

Cloud Concern

Image

 

 

As cloud computing grows into one of the largest divisions of the IT industry, one might question the security. Many companies switched to the cheaper and more convenient service of using a cloud. And as these companies are putting all their information in the cloud, many feel concerned about how safe the cloud is.

     A recent survey of over 700 firms found that 57.7 % believe that internal storage of the data would be safer than cloud service. While the other 42.3% is mainly unsure of what could be safer. Most firms believe that security is the biggest concern of cloud computing. Although all these companies are worried about the security of the cloud, many of them will find a reason to use it anyways. The greatest reasons being cost savings, availability, and access to more features. 

     So how safe is cloud computing? Well the answer to that depends. Since most cloud services are through third parties, which to companies can often seem risky, the security of the cloud will vary among the provider. Like all forms of security it is not all made equal. Since this cloud services are relatively recent it is difficult to find the most trusted cloud providers. This is when the security of a cloud could be a concern. Cloud computing is much newer which can be scary because many companies do not know as much about the standards of clouds. Just over half of the firms were aware of ISO/IEC certificate of security standards and of those half only a fourth were aware of the cloud security alliance standards (CSA security, trust, and Assurance Registry). Most of the time the largest problem in security of anything is ignorance, cloud computing is no exception. Companies need to be vigilant in how their cloud provider operates such as how they protect passwords. As a company the goal shouldn’t have to be skeptical about a cloud provider losing/exposing your information.

 

sources:

http://www.v3.co.uk/v3-uk/news/2207982/companies-remain-distrustful-of-cloud-email-security-tools

http://blogs.csoonline.com/cloud-security/2373/cloud-security-alliance-set-unleash-20-plus-research-and-guidance-reports

https://cloudsecurityalliance.org/

Twitter Can Give You A Virus & It’s Not the Avian Flu…

Twitter, people either love it or hate it. I view Twitter as a “Diet Facebook”, I still know what people are doing and thinking at every second of the day, I just don’t get Farmville notifications to go with it.

Recently, Twitter users have been the target of a new Trojan infiltration scheme. A Twitter user will receive a DM, direct message, from a supposedly trusted source with a nondescript but tantalizing message. The messages usually reference a supposed elicit picture or video of said user, with a link that will, supposedly, take the user to the referenced content.

According to reports, users are taken to “YouTube”, please note the quotes. They are then prompted that an update is needed to view this video, with a link to download a file titled “FlashPlayerV10.1.57.108.exe”. In reality, people are actually downloading a Windows compatible Trojan application, right to their computer. Simple social engineering. What makes this so easy is not only the promise of discovering embarrassing content about yourself on the internet, but the fact that a URL shortening service is being used to disguise the actual target URL. Using URL shortening services on Twitter is not uncommon, so to the average Twitter user, there is no apparent cause for alarm when receiving one of these messages.

This should go without saying, but, if your Twitter account happens to be the one sending out these false messages, change your password immediately. If the information is coming from a friends account, it is recommended that you alert them, and recommend that they change their password too. People just need to remember to be safe, make sure what you are receiving is real content. If you’re unsure about a link, don’t click it, or at least verify it with the sender.

Happy Tweeting.

Information Sources:

http://www.nbcnews.com/technology/technolog/direct-messages-twitter-link-malware-1B6095619

http://www.informationweek.com/security/attacks/twitter-direct-messages-disguise-trojan/240007914

Picture Source:

http://media.smashingmagazine.com/images/twitter-tips/twi.jpg

I smell a RAT

According to Dell’s SecureWorks Counter Threat Unit, since April this year, hackers using a Remote Access Trojan (or RAT for short) named Mirage have been conducting systematic cyber espionage against a Canadian energy company, a large oil firm in the Philippines and several other entities.  It is the second attack targeting oil companies to be found by SecureWorks this year.

According to SecureWorks, the domains of three of the command and control servers used to control Mirage appear to belong to the same individual or group of individuals.  Another interesting fact is that the IP addresses for the command and control servers belong to China’s Beijing Province Network.  This network was also implicated last year in an attack on security vendor RSA.  An attack which resulted in the theft of confidential information about RSA’s SecurID two-factor authentication technology.  Command and control servers from the Beijing Province Network were also involved in the 2009 GhostNet cyber espionage campaign.

Mirage has so far affected companies in Canada, the Phillippines, a Taiwanese military organization, and other entities in Nigeria, Egypt, Brazil, and Israel, according to SecureWorks researcher Joe Stewart.  The Mirage malware itself is designed to evade easy detection,  and its communications with its command and control servers are disguised as the URL traffic pattern associated with Google searches.  One of the ways Mirage gets into networks is by tricking mid-level to senior executives with phishing emails containing attachments meant to install Mirage onto their systems.

Also, over the past few months, several customized variants of Mirage were discovered.  They had been designed to evade detection by anti-virus, as well as anti-malware programs.

Source:

http://www.computerworld.com/s/article/9231596/Cyber_espionage_campaign_targets_energy_companies?taxonomyId=17