Chinese electronics manufacturer Hangzhou Xiongmai Technology has admitted that weak security in its line of webcams and DVRs was the likely culprit for the DDoS attack that left a portion of the internet without service on Friday. The Mirai malware used in the attack likely took advantage of the fact that customers purchasing these products would fail to change their login details from the default settings, and as a result upwards of a half-million devices could be infected. A botnet powered by the same malware is suspected in the 665 Gbps attack that took down Brian Krebs' website last month.
Author Archives: shinohai
Peace On Earth: AdultFriendFinder Data Liberated Again
Just in time for the coming holiday season, security news site Sophos reports that Peace may still be amongst us despite reports an aspect of the notorious quiet and tranquility may have been arrested at the behest of the US government. In an interview with Motherboard last week Peace stated he was responsible for the latest AdultFriendFinder breach, and had given “everything, all [FriendFinder Network],” to other hackers. AFF confirmed this, stating:
We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected.
Peace further stated to Motherboard that the current breach was accomplished by opening "a backdoor that had been publicized on the hacking forum Hell". The Russian language forum was the site where the data from the previous hack was listed for sale at a price of 70 BTC. Information to corroborate the veracity of his claims was sent to Motherboard, and was verified by independent security researcher Dan Tentler (WoT:nonperson). Tentler said the files contained employee names, their home IP addresses, and SSH keys used for remote access to AdultFriendFinder's servers.
Him In Our Time.
Buggered Bitfinex Begs Burglar For Bitcoins Back
Bitfinex has made a desperate attempt to reach out to the hacker that buggered their bum and liberated almost 120k Bitcoins from their platform in August with a post on their blog detailing the channels opened for dialogue. One of the methods even goes as far as to suggest blockchain spam as a viable communication protocol.
From the announcement:
We believe that a combination of Tor and an anonymous email service should suffice to protect your identity and location. Encrypting your message with our PGP key further guarantees privacy from prying eyes, but to prove your authenticity to us, we ask that you provide the public key associated with 1QDBWKgfftwuraEasMGSUvj9PPrswZv19q and sign your message with the corresponding private key.
Instead of using e-mail, you can send the authenticating information via Bitmessage and Tor. Our Bitmessage address is BM-2cW79647sMFe3fJKKGKAwXWwTSS293meq8.
Alternatively, you can send us a message on the Blockchain using OP_RETURN. You can encrypt a message (containing your pub key) with our PGP key, split up the message into 80-byte chunks, and send transactions to 19eT7KGKo1gFjgBhEF4957wVNugkc2cakK from any one of the 2072 addresses currently holding the bitcoins in question.
Despite not being registered in the WoT, Bitfinex also somehow managed to make a gpg key and post it as well. The post closed by stating that they were "very anxious to hear" from the attacker, and asked if there is perhaps a different way that they would prefer to communicate, as absconding with $75 million in Bitcoin evidently did not send a clear enough message. (archived)
Dyn DNS Suffers Packet Inflation, Many Other "Services" Affected
Dyn DNS is reporting a large-scale DDoS attack on its servers this morning, which has caused sporadic interruptions of service for users, mainly on the East Coast of the US. Github, Twitter, and Reddit all use the service as their upstream DNS provider and have reported many outages and total downtime lasting hours. DynDNS president released a statement saying:
This morning, October 21, Dyn received a global DDoS attack on our Managed DNS infrastructure in the east coast of the United States. DNS traffic resolved from east coast name server locations are experiencing a service degradation or intermittent interruption during this time. Updates will be posted as information becomes available.
Upon recognition, active mitigation protocols were initiated and have been working to resolve the issues.
Customers with questions or concerns are encouraged to check our status page for updates and reach out to our Technical Support Team.
No information was available as to who might be behind the attack, leading to speculation that it may have been launched to protest the recent arrest of an aspect of Peace on Earth earlier this week.
The Sacred Dies In India
24 cattle died, and 20 more were reported injured during a stampede that occurred at an Indian religious festival. Police of Uttar Pradesh said they only expected 3,000 cult members, however 70,000 showed up and started rumors along a packed bridge that led to the disaster. Taking a page from the Bitfinex playbook, the Indian Prime Minister is offering families of the dead 200`000 rupees as SFYL compensation. October has seen an increase in lulz featuring India on the pages of Qntra, with highlights being a telemarketing scam being busted and Preet Bharara's latest antics showing a trend in this behavior for the immediate future.
Butt-erin Seeks Another Bailout Fork
The "Timothy Leary of Ether Huffing" Vitalik Butt-erin (WoT:nonperson) officially announced his application to become Roger VERified today, suggesting that perhaps another hard fork is the answer to recent problems the failed altcoin is experiencing. The news comes in response to a series of denial-of-service attacks on the network that have affected first Geth, and now the Parity implementations of the traditional ether huffing bag. The same exploit has been widely reported across various ether huffing splinter groups that continue to build on clones of the ET(her)H(uff) protocol. The majority of participants in the scheme are dubiously said to have voiced support for the fork, just like the last time when they needed a bailout.
Huffers At Ether.Camp Baking Next "Smart Contract For Your Loss"
Ether huffers are already working on their next large scale Sorry For Your Loss with a new type of "smart contract" that some are already calling "The DAO 2.0". The contract, dubbed "Hacker Gold" is sure to live up to its name for would-be attackers, as some eagle-eyed users have already attempted to compile the code and found that it wouldn't. The creators at ether.camp responded that the code on github "isn't the final version". The creators are hoping to raise 50 million US dollars in funds through an ICO and have reportedly been using sock-puppet accounts on reddit to manipulate threads in r/startups and others, in an attempt to generate buzz. The ether.camp team has been mostly silent on the criticisms, apparently betting on the fact that if the initiative fails they can simply hard fork the coin and get everyone's money back like last time.
Backpage CEO Criminally Arrested On Pimping Allegations
State agents in Texas have arrested Carl Ferrer, CEO of backpage.com in a raid after allegations he might know other people could be using his website to engage in adult and child sex-trafficking. Mr Ferrer was arrested on a warrant out of the state of California at the airport in Houston, and warrants were also issued for the ad site’s controlling shareholders, Michael Lacey and James Larkin. The charges levied against Mr. Ferrer include felony charges of pimping a minor, pimping, and conspiracy to commit pimping, and he faces an extradition hearing before he can be returned to California to face the charges. Mr. Ferrer is facing these charges for running a website, not for actually running girls in the street. Sorry for your laws and your lues.
US Tax Department Busted By Indian Police
Police in rural Thane, India have arrested over 500 people working in a call center, accusing them of scamming U.S. citizens in a fraud scheme. The callers allegedly would tell the victims they were with the "US Tax Department" and demanded financial and bank details, and threatened them with legal action if they refused to provide the details. The employees would then use the information to withdraw funds from the accounts, with officials estimating the scheme could make upwards of $160,000 USD a day. Police said the investigation was ongoing and further information was to be released soon, although no word was available as to whether any iTunes gift cards were recovered in the haul.
Oasis Drained While Major Monero Webwallet Languishes Offline
Altcoin Monero has suffered a blow in its push to become the dominant currency of darknet markets, with reddit users reporting that the owners of Oasis market have apparently pulled an exit scam, absconding with around 150 Bitcoin and an as yet undetermined amount of Monero. Reports from reddit also indicate that users attempting to withdraw Monero from the Alpha Bay marketplace are meeting similar frustrations, though the site is still online. This news caps a very bad week for XMR, with the MyMonero web wallet service run by developer fluffypony (WoT:fluffypony) also having been offline for several days now, with users reporting silence from support channels and inability to withdraw funds, though private keys can still be recovered and imported into an actual wallet. These particular wallets have been targeted by hackers several times in the past few months, resulting in several millions of USD vanishing. At the time of the writing of this article, the sorry for your loss was at -17% and continued to plunge.