by AstralSin on 05-29-2008 in OpenSource

A new kind of malicious attack has been discovered.  This one doesn't attack your programs or your data.  It doesn't take advantage of some software flaw or bombard the network stack.  This attack is more damaging: it is permanent.  The Permanent Denial of Service (PDoS) attack is a relatively new method for attackers to cause harm to an organization.

Primarily targeting the update function in firmware, a well-planned PDoS attack can decimate a company's network infrastructure, bricking every switch, router, and firewall in the building.  While this attack is brand new and hasn't even been found in the wild, it presents a devastating risk to a fairly benign part of IT systems.  Embedded device firmware is usually something IT managers don't have to worry about often, and it's quite possible that if PDoS attacks, aka "phlashing", become prevalent, millions of dollars in equipment could be lost.

The method of doing this was discovered by HP Systems Security Labs.  Rich Smith of HPSSL demonstrated his phlashing tool, PhlashDance, at the EUSecWest conference in London.  It's basically a fuzzer that attacks the firmware's binaries and update protocol.

About the only thing you can do to protect yourself at this time is to implement authentication on your devices.  You can read more about phlashing at DarkReading.



by AstralSin on 05-29-2008 in OpenSource

By default, VirtualBox OSE, when installed from apt in Ubuntu, uses its own internal DHCP server and is segregated from your LAN.  This may not be an issue if all you need to access is the Internet, but if you need to access other machines on your network from it, or access it from other machines on your network, you'll need to set up a bridge.  There are bits and pieces of how to do this on the Ubuntu forums, but I'm gonna lay it all out right here and tell you exactly what to do.

First, you'll need to set up a tun/tap interface in the Ubuntu host.  We do that with the following commands:

sudo tunctl -t tap1 -u yourusername      # create a persistent tap1 owned by your user, so VirtualBox can open it unprivileged
sudo brctl addbr br0                     # create the bridge
sudo ifconfig eth0 0.0.0.0 promisc       # drop eth0's own address; the bridge will hold it from now on
sudo brctl addif br0 eth0                # attach the physical NIC to the bridge
sudo dhclient br0                        # the host now gets its address on br0 instead of eth0
sudo brctl addif br0 tap1                # attach the tap to the same bridge
sudo ifconfig tap1 up
sudo chmod 0666 /dev/net/tun             # makes the tun device world-writable; 0660 with a dedicated group is tighter

We now have a new network interface called tap1.  In VirtualBox, open your settings for whatever guest you're setting up and go to the Network section.  Set "Attached to" to Host Interface and set the Interface Name to tap1.

That's it.  You're done.  Now your guest operating system will get its IP from your DHCP server.  If, for some reason, you're not using a DHCP server, all you have to do is replace the line

sudo dhclient br0

With

sudo ifconfig br0 youripaddress

To have the tap interface automatically start every time you boot, you can set up an init script.

#!/bin/bash
# Recreate the tap1/br0 bridge at boot: the same steps as above, run as root so no sudo is needed.

tunctl -t tap1 -u yourusername      # persistent tap owned by your user
brctl addbr br0                     # create the bridge
ifconfig eth0 0.0.0.0 promisc       # drop eth0's address; br0 takes it over
brctl addif br0 eth0
dhclient br0                        # or: ifconfig br0 youripaddress
brctl addif br0 tap1
ifconfig tap1 up
chmod 0666 /dev/net/tun             # world-writable; 0660 with a dedicated group is tighter

Stick that in /etc/init.d, save it as vbox-networking or something to that effect, and chmod +x it.  It will then run every time your computer boots and you won't have to worry about it anymore.  I'm using certain interface names here, like eth0, br0, and tap1, but you may have to change these depending on your system: eth0 is the NIC that's connected to the network, br0 is the first bridge I have set up, and tap1 is the first tap I have set up.  You can change all of these to suit your configuration.

Note:  This is true with Ubuntu, but it should be completely portable with any other distribution.



by AstralSin on 05-28-2008 in OpenSource

A vulnerability has been found in Snort, the popular open source IDS.  It seems that Snort doesn't properly reassemble fragmented IP packets, allowing an attacker to avoid detection.  The issue has been fixed in Snort version 2.8.1, so if you can upgrade to that, you should do so immediately.  Snort versions 2.6.x and 2.8.0 are vulnerable.  Snort 2.4 is not vulnerable.  There is a workaround if you can't upgrade right away.  Find the preprocessor frag3_engine: ttl_limit line and set the value to 255, like so:

preprocessor frag3_engine: ttl_limit 255

This vulnerability allows an attacker to bypass all Snort rules.  All that has to be done to exploit it is to fragment IP packets to a specific host, making sure the TTL difference between fragments is greater than the maximum allowed, which by default is 5.  This is a very easily exploited vulnerability and you should update your Snort configurations immediately.
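To make the workaround concrete, here is an added model (not Snort's code, and not from the original post) of the ttl_limit check as the post describes it: the reassembler keeps the TTL of the first fragment it sees and discards later fragments that differ by more than ttl_limit, while the end host reassembles regardless of TTL. The Fragment type and the two-fragment sample are constructed; with ttl_limit 5 the IDS never sees the full datagram, with 255 it matches the host.

```python
# Model of the frag3 ttl_limit check described above: a constructed illustration,
# not Snort's code. frag3 remembers the TTL of the first fragment it sees for a
# datagram and discards later fragments whose TTL differs by more than ttl_limit;
# the destination host reassembles regardless of TTL, so dropped fragments reach
# the host uninspected.
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int      # byte position of this fragment's payload in the datagram
    ttl: int         # IP TTL of the fragment as it arrived
    more: bool       # IP More Fragments flag; False on the final fragment
    payload: bytes

def reassemble(frags, ttl_limit=None):
    """Rebuild the datagram from fragments given in arrival order.
    ttl_limit=None models the end host, which ignores TTL; an integer models
    frag3 with that ttl_limit. Returns None if the datagram is incomplete."""
    first_ttl = None
    kept = []
    for f in frags:
        if ttl_limit is not None:
            if first_ttl is None:
                first_ttl = f.ttl
            elif abs(f.ttl - first_ttl) > ttl_limit:
                continue                  # frag3 discards this fragment
        kept.append(f)
    data, last_more = b"", True
    for f in sorted(kept, key=lambda f: f.offset):
        if f.offset != len(data):
            return None                   # gap before this fragment
        data += f.payload
        last_more = f.more
    return None if last_more else data    # final fragment never arrived

def ids_sees_same_as_host(frags, ttl_limit):
    """True when frag3 with this ttl_limit reassembles what the host will see."""
    return reassemble(frags, ttl_limit) == reassemble(frags, None)

# Constructed sample: two fragments whose TTLs differ by 24, more than the
# default ttl_limit of 5 but within the 255 workaround.
SAMPLE = [
    Fragment(offset=0,  ttl=64, more=True,  payload=b"GET /index.html HTTP/1.0\r\n"),
    Fragment(offset=26, ttl=40, more=False, payload=b"Host: example\r\n\r\n"),
]

if __name__ == "__main__":
    for limit in (5, 255):
        print(f"ttl_limit {limit}: whole datagram inspected = {ids_sees_same_as_host(SAMPLE, limit)}")
```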

For more information regarding this vulnerability, read the public advisory over at iDefense.



by AstralSin on 05-27-2008 in Security

In my last post, I outlined the potential dangers of using Twitter to give out excessive amounts of information.  Here, I'll talk about using Twitter against anyone who's around you more than you'd like.  If you have a stalker, the first thing you should do is contact the police.  They can help you stay safe and they'll do their best to apprehend the person causing you trouble.  If an ex-boyfriend, girlfriend, husband, or wife is giving you problems, you should get a restraining order immediately.  This will give police a rock-solid case against them and give you more power to keep them away.  If these don't work, it may be time to take a little offensive action.

If you think the stalker or ex-lover is also tracking you online, there's a good chance they've found your Twitter page.  They know that you post your activities and plans there, and they plan on using this against you.  You can inform the police of the continued problem and let them know your plan to use Twitter to bring the suspect in easily.  You may have to do some explaining; I'm not bashing police officers, but I'm sure more than a few are too busy to know what Twitter is.  It would be a trivial thing to set up a sting operation where the police are waiting for the person while you go do something, expecting him to find you.  All you'd have to do is post to Twitter about a public place where you were going to be and where they might find you.  You'll have to find a suitable situation to bait them into, depending on the aggressiveness of your enemy, and the police could help you with that.  Then all you have to do is bait and wait.

Make SURE you have the police as backup before you attempt any of this and make SURE you don't try to take matters into your own hands.  If you do, you could bring down the law on yourself instead of your target.  I encourage police to look to this method more, especially in large tech-oriented cities where more of the population might use Twitter or other social networking outlets.

On a totally unrelated note, here's my Twitter :)  Don't get any big ideas, all you'll learn from me there is what kind of beers I've been drinking.



by AstralSin on 05-27-2008 in Security

If you're one with the Web 2.0 trend, you've surely heard of Twitter.  It's the first generation of what's being called 'microblogging', and it's used by thousands upon thousands of people to let others know what they're doing at any given point in time.  It's great for groups of close friends who like to hang out; it provides a perfect place to keep up-to-the-minute details of what might be going on.  Used properly, Twitter is a great platform.  However, if you're one of the people who use Twitter to update your every move at every moment of the day and someone targets you personally, you could be in a world of danger.

Don't panic; I have yet to hear of anyone using Twitter as a platform for malicious behavior, but it's bound to happen sooner or later.  The candid release of information such as your whereabouts and the activities you're participating in can give enemies like stalkers, ex-lovers, ex-employees out for revenge, or even child molesters (parents, supervise your children on the internet) far too much information about you and could put you in serious danger.  Here are a few simple rules to follow to avoid these things.

Of course, there are situations where one might want to give this information, such as if you're in entertainment and promoting show times.  This isn't as dangerous because you know there will be a crowd around in those environments and those events are usually on a more random schedule than work.

Whether you're using Twitter or Myspace or Facebook, you should keep in mind that the information you make available about yourself could be used against you.  Be careful about what you tell a mass audience, especially if you think you may already be a target.



by AstralSin on 05-24-2008 in Security

Ever opened up Task Manager (Windows) or top (*nix) and seen a process running that you were curious (or suspicious) about?  Me too.  There are ways of finding out what it is, and it never hurts to look it up.  It could be a trojan, virus, or some other form of malware.

The first option is simple enough: Google.  Just google the name of the executable and you'll usually find some decent information in the first result.  Try that first.

Second, there is Exelib.  This is a search engine exclusively for executable files.  It gives a detailed description of what the file is, but doesn't necessarily elaborate on what may be bad about it.  For instance, the svchost.exe page tells you that svchost.exe is a normal Windows executable that is probably doing something important, but that it does have a threat level of 3 out of 10.  What it doesn't tell you is what that threat might conceivably be.  I'll tell you: if svchost.exe is running as a normal user account, you've got a trojan on your hands.

ProcessLibrary is a site similar to Exelib, but it's a little older and also more outdated.  It doesn't list any threat whatsoever from svchost.exe.  I know from personal experience that svchost.exe is a commonly trojaned executable for Windows operating systems.

While nothing's perfect, the first place I would look for information on strange processes is Google.  Then hit up Exelib.  ProcessLibrary should be used as a last resort; it's not only outdated but inundated with ads for crap you don't want.
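A defender-side check for the svchost.exe heuristic above, as an added example that is not from the original post: it parses a constructed sample of `tasklist /v /fo csv` output and flags any svchost.exe whose owner is not one of the three Windows service accounts. The sample rows and account names are constructed; note that on Windows 10 and later some per-user services also host in svchost.exe under the logged-on user, so the rule is specific to the XP/Vista era the post describes.

```python
import csv
import io

# The only accounts that host genuine svchost.exe instances on XP/Vista.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}

# Constructed sample in the layout `tasklist /v /fo csv` prints; the third row is
# the case the post describes: svchost.exe owned by an ordinary user account.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","1024","Services","0","5,212 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"svchost.exe","1088","Services","0","4,100 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","3412","Console","1","2,960 K","Running","PC\\joe","0:00:12","N/A"
"explorer.exe","2200","Console","1","18,444 K","Running","PC\\joe","0:00:30","Desktop"
'''

def suspicious_svchost(tasklist_csv):
    """Return (pid, user) for each svchost.exe not owned by a service account."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        if row["User Name"].upper() not in SERVICE_ACCOUNTS:
            hits.append((int(row["PID"]), row["User Name"]))
    return hits

if __name__ == "__main__":
    # On a live machine, replace SAMPLE_TASKLIST with the output of
    # subprocess.check_output(["tasklist", "/v", "/fo", "csv"], text=True)
    for pid, user in suspicious_svchost(SAMPLE_TASKLIST):
        print(f"svchost.exe PID {pid} runs as {user}: not a service account, investigate")
```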

Another aspect to this concept is unknown file extensions.  This is very common and I run into it very often.  This website is a comprehensive resource for finding out what that weird file extension is and therefore, what you can do with it.  Superbly valuable resource.



by AstralSin on 05-22-2008 in OpenSource

I found some more online classes, this time specifically for network security and cryptography.  These come from reputable sources but I have not tried them to see exactly what they offer... yet.

An Introduction to Information Security -The Open University

Network Security - The Open University

Network and Computer Security - MIT

Cryptography and Cryptanalysis - MIT



by AstralSin on 05-21-2008 in Security

PC Tools, vendor of the popular ThreatFire antivirus software, has released some interesting information about what ThreatFire has found on Vista machines.  It turns out that about 3/4 of the Vista machines running ThreatFire were infected with adware or trojans.  No matter what Microsoft wants you to believe, Vista is susceptible to the same malicious software that XP is.  Even though you're running the latest, "greatest" product from Microsoft that has all those new security features, run antivirus and antimalware programs regularly.



by AstralSin on 05-21-2008 in Hacks

I was down at a popular cell phone provider's store today and I had an idea.  What if I go around and load up my blog in the favorites on the web browsers of all these smartphones on display while under the guise of a curious customer.  I did just that and now that particular store has about 10 cell phones with this very page in their favorites.  I didn't really know how to set the home page and I didn't want to take the time to figure it out for each phone so I didn't get that far.  I also have no idea how often those display phones are serviced/reloaded/looked at by staff so all that work may be gone tomorrow.  I also realize that your average Joe isn't going to be looking in the Favorites of a display phone.

I propose that more people do this.  Let's see if we can get this viral.  If nothing else, just pull up your website on the phone and leave it sitting, which I did with several of the phones I hit.  Don't do anything harmful though.  This is purely in the spirit of fun and mischief.



by AstralSin on 05-21-2008 in Programming

Most programmers who have worked with C or C-like languages are familiar with the main() function.  It's the heart of the program, the point from which all other portions of the code execute.  Python doesn't have a built-in main() function, which can feel a little foreign to people like me, so I found a way to create a main() and have my code structured more like I'm used to.  It's actually quite simple to do.

import sys

def main():
    # your python here
    return 0    # the return value becomes the exit status

if __name__ == "__main__":
    sys.exit(main())

That's it.  You declare a function called main and call it with the two lines at the bottom.  Now you can structure your code with other functions and classes and have everything originate from main().
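An added example (not the original post's code) of the layout just described: main() takes argv as a parameter so it can be called without touching sys.argv, and the integer it returns becomes the process exit status through sys.exit(), while the __name__ guard keeps it from running when the file is imported. The count_words helper and the usage message are constructed for illustration.

```python
import sys

def count_words(text):
    """Example body: number of whitespace-separated words in text."""
    return len(text.split())

def main(argv=None):
    """Entry point. Returns an int that sys.exit() turns into the exit status:
    0 for success, 2 for a usage error (the conventional value)."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:
        print("usage: wordcount.py TEXT", file=sys.stderr)
        return 2
    print(count_words(argv[0]))
    return 0

# Runs only when executed directly, so importing this module to reuse
# count_words() does not trigger main() or exit the importing program.
if __name__ == "__main__":
    sys.exit(main())
```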


