Category Archives: Hacks

It’s Back – The Mirai Botnet

A little over a year ago, the Mirai botnet launched a sustained attack on the servers of the Internet  provider Dyn, taking it offline and thereby knocking its customers, including Twitter, the Guardian, Netflix, Reddit, CNN and others, offline.  The Mirai botnet was simple – find Internet of Things devices (IoT) that still had their default passwords and take them over.  Use those IoT devices to launch an attack at your target.  At its peak, Mirai controlled about 600,000 devices.  The attack generated between 500 Gigabits and 1,000 Gigabits of traffic per second, the largest attack ever seen.

Well it’s back and it has a new plan.

Rather than taking over webcams and DVRs, this time it plans to take over light bulbs and other low end devices and there are way more light bulbs than cameras.  Since the attack itself is very simple, it does not require a powerful device to run the attack.  Just a lot of them.

And just to dispel any myths, Mirai was not a nation state attack.  It was the brainchild of a couple of college age kinds who wanted to knock their competitor’s Minecraft servers offline.  The FBI caught them and they pleaded guilty.

In this case, the target is the ARC processor, which sells over 1 billion units a year.  Very simple processor.  Used everywhere.

Do the math.  If 600,000 devices or less could take down Twitter, Netflix and a host of other sites, what damage could a billion devices do.

Of course we can’t assume all of those devices could be compromised, but 1% of those devices is a million and that is almost double the size of the original Mirai at its peak.

How many people change the password for their light bulb?

This variant is called Mirai OKIRU and a number of anti virus products detect it.   Only problem is that people don’t run A-V on their light bulbs.

Many people have been saying for a long time that the security of the IoT is a joke; as useful as a screen door on a submarine.  IF this botnet takes hold, we may see how useful that screen door is. IF it takes hold.  Maybe we caught this in time,but I am not holding my breath.

Information for this post came from The Inquirer.

Facebooktwitterredditlinkedinmailby feather

Not A Great Month for Intel

As if it wasn’t already a bad enough month for Intel, it just got a bit worse.

This is not related to Spectre or Meltdown;  this is an entirely new problem.

Intel processors have a remote management engine called Active Management Technology or AMT.  This allows corporate administrators to remotely take over those computers to manage them.

If the person “taking over” the computer is a good guy, then people don’t consider it a problem;  if it is a hacker “taking over” the computer, then it is a serious problem.

There are around 100 million computers that have been built in the last decade that have Intel’s Active Management Technology installed.

Last May Intel patched some bugs in AMT;  then last November they rushed out some more patches that fixed vulnerabilities that had been around since 2015.  Now there is a new vulnerability.

Except in this case, Intel is saying it is a feature.

This feature-bug was discovered last July and kept quiet until now.

The good news is that it does require physical access to the computer, but only for a minute or two.

All the attacker has to do is reboot the computer, enter the bios and configure the Intel Management Engine BIOS Extension (IMTBx).

The attacker will get a screen like this and can then set their own password.

Once they have done that, the hacker can bypass Bitlocker, Trusted Platform Module IDs and BIOS passwords.

One more time, Intel and PC Manufacturers configured the IMTBx with a single, default stupid password – ADMIN .  Technically, the password is admin – lower case.  Who would ever guess that?

This is one more example of SECURITY or CONVENIENCE, pick one.  Setting the password to admin is easier than making it unique to each machine or forcing people to change it the first time they power on the computer.

The hackers  can then enable remote access and take over the computer from anywhere in the world.

Of course, if the vendor or company changed the default password then this trick won’t work.

AND,  it would not have been a problem if Intel didn’t choose a stupid default password.

Intel tried to shift the blame on this one.  They said that they told OEMs in 2015 and again in 2017 to change the default password and improve security.

So if they thought this was a problem, why didn’t INTEL change that default password ?   Nice try blaming others, but it won’t work.

Also, this particular attack only works one computer at a time, so it would be used for targeted attacks.  Given that Intel announced the problem THREE years ago, you have to assume that the bad guys understand how to exploit this.

There is some good news, however, you can change the default password yourself and stop any attack.

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Ohio Man Indicted For Spying on People for 13 Years


A 28 year old Ohio man has been indicted for creating and installing malware on hundreds of Apple Mac and Microsoft Windows computers.

The man, Phillip Durachinsky, used the software to spy on people.  This includes recording what the camera and microphone pick up in the same room as the computer.

In addition to capturing audio and video, the software that he created also stole passwords and used that to access third party sites.  He also used the software to steal tax, medical and banking records and also photos and private communications.

The 16 count federal indictment includes the production of child pornography, so it doesn’t take much to figure out if you kid had a Macbook in the bedroom and it was infected, this guy may have captured video of your kids doing whatever and, apparently, while naked – something that doesn’t seem completely unexpected in a bedroom, but which you and your kids certainly do not expect.  People expect to be safe and secure in their bedroom.

The software alerted him when the user used certain search terms, such as pornography.  People who watch porn might be doing certain things while naked, hence the charge of producing child porn. Kind of boggles the mind.

As an indication of how deranged this guy is, he is alleged to have kept regular, detailed notes.

Durachinsky, who is 28 now, has been spying on people for the last 13 years, according to the feds, so he must have created this software when he was around 14 or 15.  If it weren’t so warped, the skill would be pretty impressive.

What has not been revealed yet is the total number of computers infected or the number of people affected.  It is also not clear how much video exists and if the video has been published or if he was keeping it for himself.  Given that he was charged with PRODUCING child porn and not with DISTRIBUTING child porn, you might conclude that he was not selling or giving away the video that he captured.

The researcher who found the software, called Fruitfly, discovered it on at least 400 Macs, so it looks like the software was not widespread.

A simple way to protect yourself, at least in part, is to join the ranks of Facebook founder Mark Zuckerberg and former FBI Director James Comey and cover your laptop camera with a piece of opaque tape.  Many companies make small devices that you can slide back and forth or remove that are a little more elegant than black electrical tape.

For parents, have kids close the lid on their laptops when they are not using it and, of course, do not use your laptop when you are sans clothing.

It is a sad thing that you have to worry about such things.

Information for this post came from CNN.

Facebooktwitterredditlinkedinmailby feather

Apple is Trying to Catch up With Windows

Update: Apparently if you are running macOS 10.13 and apply the patch to fix the root problem and then upgrade to 10.13.1, that patch gets undone, so you have to reapply the patch.  In addition, the patch does not take effect unless you reboot.  Just another bit of the mess.

The Mac OS has generally been considered a secure operating system, but lately Apple has been trying to imitate their friends from Redmond and not in a good way.

The first MacOS bug found recently is a new bug.  Linux and Unix administrator accounts are called ROOT, unlike Windows and other operating systems which call the account ADMIN or ADMINISTRATOR.  Apparently in the current version of MacOS, High Sierra, if you entered the user name of ROOT with no password, you got an error message, but if you entered it a second time with no password, it let you in with full administrative permissions.

Initially, people thought that this exploit required that you have local access to the computer, but it turned out that if you had remote access turned on as many or most corporate computers do, the attack would work remotely as well.

Apparently the OS detected there was no ROOT account and created one with no password.  The quick fix was to create a ROOT account with a complex password.

Apple quickly created a fix that was automatically and silently installed (I guess that is both good and bad), but that fix broke some other things and Apple had to release a fix to the fix.  That second fix had to be manually installed and required some advanced gyrations on the part of the user.

The good news was that Apple was able to fix the bug quickly once they were told about it.  The bad news is that if a user’s PC was compromised before the installed the patch – which statistically is possible but unlikely – then the only solution is to wipe the disk and start over.

But this was only the start of last month’s problems for Apple.

The second MacOS bug, which also granted users unlimited ROOT access had been around for at least a decade (sound like Windows again?), maybe two decades. or more.

The person who found it was neither a professional hacker nor a professional security researcher, but rather a self titled hobbyist.  This means that other people (and not the well intentioned ones) could have known about it for 20 years or more.

The bug was in the IOHIDF family of software.  This software has been a problem child in the past.  The hobbyist who discovered it released a proof of concept for all of the hackers to follow at the same time he announced the bug.

As of 17 hours ago, Apple had yet to comment on it, but I assume that their engineers are busy working on how to fix it.

Right now it counts as an 0-day, and a nasty one.  0-days are bugs that were not (publicly) known about prior to the announcement.  Except that in this case, it was probably known about by others, such as the Chinese, Russians or American spies and possibly exploited – maybe for many years.

For a while, Apple computers seemed to be immune to bugs.  I don’t think that is necessarily because the software is super secure, but rather because it is a niche player with a small market share (less than 8 percent according to NetMarketShare).  As other operating systems were attacked and started fixing bugs, MacOS became the next target of opportunity.

So, in this case, one bug is fixed, albeit a bit bumpily and the other is still open.

Happy New Year Mac users!

Information for this post came from CNet, The Guardian and BetaNews.


Facebooktwitterredditlinkedinmailby feather

Enterprises Using AD Connect at Risk of Stealthy Admins

Researchers have discovered a problem with AD Connect in an Office 365 hybrid AD environment.  In this situation, hybrid means both onsite Active Directory and cloud Active Directory.  This is the environment that most Office 365 users who federate accounts use.

The bug was discovered earlier this month by Preempt, a vendor of cyber security tools.

The result is users with unexpected and undesired elevated privileges.  While many tools will detect normal AD administrators, this particular flaw creates admins that are not obvious.

In this case, the flaw grants users elevated privileges through  Domain Discretionary Access Control List (DACL) configuration.  Preempt calls them stealthy administrators.

Curiously, this bug is only present if users installed AD Connect in EXPRESS MODE.

This is in addition to the problems related to AD Writeback (Microsoft KB 4033453) which grants Azure admins complete control over on premise AD.

As people rush to the cloud it is not surprising that there are unintended consequences.  The cloud is still very new.  The Internet is very new.  In the grand scheme of things, computers are relatively new. And, cloud computing itself is moving at an incredible velocity.

What there is to do is stay on top of these issues and apply the appropriate fixes as they are released.  An not panic.  It does not appear that this is the kind of flaw that is easy for hackers to exploit.

In the meantime, Preempt has created a free tool that allows admins to detect any accidentally created stealthy admins;  the link to the tool can be found in the article below.

Information for this post came from Preempt.

Facebooktwitterredditlinkedinmailby feather

Mirai Botnet Creators Plead Guilty

The creators of the Mirai botnet pleaded guilty earlier this month in an Anchorage courtroom.

The Mirai botnet unleashed a distributed denial of service attack on the French cellular carrier OVH and another DDoS attack against DYN, the DNS provider for Amazon, Netflix and many other heavy duty web sites.

The DDoS attacks took those and other sites down, confusing and inconveniencing users.  For a while, the feds those this was going to turn into an attack on critical infrastructure.

But the interesting part is what Paul Harvey used to call “the rest of the story”.

Mirai was created by a Princeton University student and two others.  But the why is the interesting part.  They were running a Minecraft server and in order to make more money, they had to get more kids to sign up for their server rather than their competitors.  The easy way to do this – take out their competitor’s Minecraft servers.  And take them out, they did.  Along with a LOT more.

In the first 20 hours, Mirai took over 65,000 Internet of Things devices.  It then DOUBLED in size every 76 minutes, eventually stabilizing at around 200,000 to 300,000 devices.  At it’s highest level, it was controlling 600,000 devices.

The scary thing is that the attack was not very sophisticated.  The Reaper attack that I wrote about the other day is way more sophisticated and way more dangerous if it is weaponized.

When Mirai went after OVH, the attack peaked at 1.1 terabits per second of garbage traffic.  Before then, a large DDoS attack was in the 10 to 50 gigabits per second range, so this attack was probably 20 to 100 times the size of what was considered a large attack.

For some sites like Brian Krebs, who was also attacked, the attack was so large that their DDoS prevention services – in Brian’s case, Akamai – shut down his web site.  Brian was off the air until Google stepped in to host him.  For Google’s engineers, this was likely considered a challenge.  After all, I am sure that Google faces lots of attacks themselves and if they could stop this attack (almost 700 gigabits per second), then they would be able to stop a similar attack against them.

We do not know what kind of sentences these three will face, but I am completely OK if it is a very long one.  They did some serious damage.

Information for this post came from Wired.


Facebooktwitterredditlinkedinmailby feather