Trailrunner7 quotes a report from On the Wire: The man who developed a bot that frustrates and annoys robocallers is planning to take on the infamous Windows support scam callers head-on. Roger Anderson last year debuted his Jolly Roger bot, a system that intercepts robocalls and puts the caller into a never-ending loop of pre-recorded phrases designed to waste their time. Anderson built the system as a way to protect his own landlines from annoying telemarketers and it worked so well that he later expanded it into a service for both consumers and businesses. Users can send telemarketing calls to the Jolly Roger bot and listen in while it chats inanely with the caller. Now, Anderson is targeting the huge business that is the Windows fake support scam. This one takes a variety of forms, often with a pre-recorded message informing the victim that technicians have detected that his computer has a virus and that he will be connected to a Windows support specialist to help fix it. The callers have no affiliation with Microsoft and no way of detecting any malware on a target's machine. It's just a scare tactic to intimidate victims into paying a fee to remove the nonexistent malware, and sometimes the scammers get victims to install other unwanted apps on their PCs, as well. Anderson plans to turn the tables on these scammers and unleash his bots on their call centers. "I'm getting ready for a major initiative to shut down Windows Support. It's like wack-a-mole, but I'm getting close to going nuclear on them. As fast as you can report fake 'you have a virus call this number now' messages to me, I will be able to hit them with thousands of calls from bots," Andrew said in a post Tuesday.

chicksdaddy New data suggests that some 14,500 web domains stopped using Dyn's Managed DNS service in the immediate aftermath of an October DDoS attack by the Mirai botnet. That's around 8% of the web domains using Dyn Managed DNS... "The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai)," said Dan Dahlberg, a research scientist at BitSight Technologies in Cambridge, Massachusetts... BitSight, which provides security rating services for companies, analyzed a set of 178,000 domains that were hosted on Dyn's managed DNS infrastructure before and immediately after the October 21st attacks.
It's possible some of those domains later returned to Dyn -- and the number of actual customers may be smaller than the number of hosted domains. But in the end it may not have mattered much, since Dyn was acquired by Oracle the next month, and TechCrunch speculates that the deal had already been set in motion before the attack.

They also add that "Oracle, of course, is no stranger to breaches itself: in August it was found that hundreds of its own computer systems were breached."

"Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks -- or never -- until a patch is put out," says Carnegie Mellon professor David Brumley. "Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it's patched." An anonymous reader quotes MIT Technology Review: Last summer the Pentagon staged a contest in Las Vegas in which high-powered computers spent 12 hours trying to hack one another in pursuit of a $2 million purse. Now Mayhem, the software that won, is beginning to put its hacking skills to work in the real world... Teams entered software that had to patch and protect a collection of server software, while also identifying and exploiting vulnerabilities in the programs under the stewardship of its competitors... ForAllSecure, cofounded by Carnegie Mellon professor David Brumley and two of his PhD students, has started adapting Mayhem to be able to automatically find and patch flaws in certain kinds of commercial software, including that of Internet devices such as routers.

Tests are underway with undisclosed partners, including an Internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively. The focus is on addressing the challenge of companies needing to devote considerable resources to supporting years of past products with security updates... Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40%, representing 89 different products, had at least one vulnerability. The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds. ForAllSecure is also working with the Department of Defense on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.

Last year an attacker forced thousands of unsecured printers to spew racist and anti-semitic messages. But this year's attack is even bigger. An anonymous reader writes: A grey-hat hacker going by the name of Stackoverflowin has pwned over 150,000 printers that have been left accessible online. For the past 24 hours, Stackoverflowin has been running an automated script that searches for open printer ports and sends a rogue print job to the target's device. The script targets IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections. From high-end multi-functional printers at corporate headquarters to lowly receipt printers in small town restaurants, all have been affected. The list includes brands such as Afico, Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki, and Samsung.

The printed out message included recommendations for printer owners to secure their device. The hacker said that people who reached out were very nice and thanked him.
The printers apparently spew out an ASCII drawing of a robot, along with the words "stackoverflowin the hacker god has returned. your printer is part of a flaming botnet... For the love of God, please close this port." The messages sometimes also include a link to a Twitter feed named LMAOstack.

An anonymous reader shares a report: You might want to upgrade the firmware of your router if it happens to sport the Netgear brand. Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk. Disclosed by cybersecurity firm Trustwave, the vulnerability essentially allows attackers to exploit the router's password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings. What is particularly alarming is that the bug affects at least 31 different Netgear models, with the total magnitude of the vulnerability potentially leaving over a million users open to attacks. Even more unsettling is the fact that affected devices could in certain cases be breached remotely. As Trustwave researcher Simon Kenin explains, any router that has the remote management option switched on is ultimately vulnerable to hacks.

mi writes: Turns out, there are researchers studying ways to identify bots on Twitter -- fake accounts used by individuals or groups for various purposes. They identified, what seems like a collection of 350,000 accounts, all of which share the same subtle characteristics: tweets coming from places where nobody lives; messages being posted only from Windows phones; exclusively including quotes from Star Wars novels. "Considering all the efforts already there in detecting bots, it is amazing that we can still find so many bots, much more than previous research," Dr Zhou, a senior lecturer from UCL, told the BBC. Juan Echeverria uncovered the massive networks by combing through a sample of 1% of Twitter users in order to get a better understanding of how people use the social network. He is now asking the public via a website and a Twitter account to report bots to get a better idea of how prevalent they are. Some bots are easy to spot as they likely have been created recently, have few followers, have strange usernames and little content in the messages.

The Mirai botnet caused serious trouble last fall, first hijacking numerous IoT devices to make a historically massive Distributed Denial-Of-Service (DDoS) attack on KrebsOnSecurity's site in September before taking down a big chunk of the internet a month later. But who's responsible for making the malware? From a report on Engadget: After his site went dark, security researcher Brian Krebs went on a mission to identify its creator, and he thinks he has the answer: Several sources and corroborating evidence point to Paras Jha, a Rutgers University student and owner of DDoS protection provider Protraf Solutions. About a week after attacking the security site, the individual who supposedly launched the attack, going by the username Anna Senpai, released the source code for the Mirai botnet, which spurred other copycat assaults. But it also gave Krebs the first clue in their long road to uncover Anna Senpai's real-life identity -- an investigation so exhaustive, the Krebs made a glossary of cross-referenced names and terms along with an incomplete relational map.

Reader Mark Wilson writes: Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet. In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as "just as powerful as the most dangerous one to date". The concern for 2017 is that "it's about to get a lot worse". Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.

Russian hackers have used fake websites and bots to steal millions of dollars from advertisers. According to researchers, the fraud has siphoned more than $180 million from the online ad industry. CNNMoney reports: Dubbed "Methbot," it is a new twist in an increasingly complex world of online crime, according to White Ops, the cybersecurity firm that discovered the operation. Methbot, so nicknamed because the fake browser refers to itself as the "methbrowser," operates as a sham intermediary advertising ring: Companies would pay millions to run expensive video ads. Then they would deliver those ads to what appeared to be major websites. In reality, criminals had created more than 250,000 counterfeit web pages no real person was visiting. White Ops first spotted the criminal operation in October, and it is making up to $5 million per day -- by generating up to 300 million fake "video impressions" daily. According to White Ops, criminals acquired massive blocks of IP addresses -- 500,000 of them -- from two of the world's five major internet registries. Then they configured them so that they appeared to be located all over the United States. They built custom software so that computers (at those legitimate data centers) acted like real people viewing those ads. These "people" even appeared to have Facebook accounts (they didn't), so that premium ads were served. Hackers fooled ad fraud blockers because they figured out how to build software that mimicked a real person who only surfed during the daytime -- using the Google Chrome web browser on a Macbook laptop.

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.
They'll be publishing their complete findings in a new paper in January.

This week the FBI arrested a 26-year-old southern California man for launching a DDoS attack against online chat service Chatango at the end of 2014 and in early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire" services. An anonymous reader writes: Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.
Most of the other suspects arrested were under the age of 20.

"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom.The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.

Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

Security firm Forcepoint has discovered a DDoS competition which requires participants install a DDoS software which contains a backdoor. An anonymous reader quotes CSO: A hacker in Turkey has been trying to encourage distributed denial-of-attacks by making it into a game, featuring points and prizes for attempting to shut down political websites... Users that participate will be given a tool known as Balyoz, the Turkish word for Sledgehammer, that can be used to launch DDoS attacks against a select number of websites... The attack tool involved is designed to only harass 24 political sites related to the Kurds, the German Christian Democratic Party -- which is led by Angela Merkel -- and the Armenian Genocide, and others... Forcepoint noticed that the DDoS attack tool given to the participants also contains a backdoor that will secretly install a Trojan on the computer.

New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."

Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price, PCWorld reports. From the article: One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday. The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven't actually cracked it, they believe it's only a matter of time until someone does. Sony released a patch to the affected camera models last week.

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

A last-ditch effort in the Senate to block or delay rule changes that would expand the U.S. government's hacking powers failed Wednesday, despite concerns the changes would jeopardize the privacy rights of innocent Americans and risk possible abuse by the incoming administration of President-elect Donald Trump. Reuters adds: Democratic Senator Ron Wyden attempted three times to delay the changes which, will take effect on Thursday and allow U.S. judges will be able to issue search warrants that give the FBI the authority to remotely access computers in any jurisdiction, potentially even overseas. His efforts were blocked by Senator John Cornyn of Texas, the Senate's second-ranking Republican. The changes will allow judges to issue warrants in cases when a suspect uses anonymizing technology to conceal the location of his or her computer or for an investigation into a network of hacked or infected computers, such as a botnet.

An anonymous reader writes: Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone's behest. The hackers have quite a reputation on the hacking underground and have previously been linked to the GovRAT malware, which was used to steal data from several US companies. Renting around 50,000 bots costs between $3,000-$4,000 for 2 weeks, meaning renting the whole thing costs between $20,000-$30,000.

After the Mirai source code leaked, there are countless smaller Mirai botnets around, but this one is [believed to be the one] accounting for more than half of all infected IoT devices...that supposedly shut down Internet access in Liberia. The original Mirai botnet was limited to only 200,000 bots because there were only 200,000 IoT devices connected online that had their Telnet ports open. The botnet that's up for rent now has received improvements and can also spread to IoT devices via SSH, hence the 400,000 bots total.
Interestingly, the article claims the botnet's creators had access \to the Mirai source code "long before it went public."

According to the Washington Post (Warning: source may be paywalled; alternate source), the "fake news" phenomenon that circulated thousands of phony stories during the election was aided by a sophisticated Russian propaganda effort that aimed to punish Democrat Hillary Clinton, help Republican Donald Trump and undermine faith in American democracy. Slashdot reader xtsigs shares with us an excerpt from the Washington Post's report: The flood of "fake news" this election season got support from a sophisticated Russian propaganda campaign that created and spread misleading articles online with the goal of punishing Democrat Hillary Clinton, helping Republican Donald Trump and undermining faith in American democracy, say independent researchers who tracked the operation. Russia's increasingly sophisticated propaganda machinery -- including thousands of botnets, teams of paid human "trolls," and networks of websites and social-media accounts -- echoed and amplified right-wing sites across the Internet as they portrayed Clinton as a criminal hiding potentially fatal health problems and preparing to hand control of the nation to a shadowy cabal of global financiers. The effort also sought to heighten the appearance of international tensions and promote fear of looming hostilities with nuclear-armed Russia. Two teams of independent researchers found that the Russians exploited American-made technology platforms to attack U.S. democracy at a particularly vulnerable moment, as an insurgent candidate harnessed a wide range of grievances to claim the White House.

Oracle announced today it is buying DNS provider Dyn, a company that was in the press lately after it was hit by a large-scale DDoS attack in October that resulted in many popular websites becoming inaccessible. From a TechCrunch report:Oracle plans to add Dyn's DNS solution to its bigger cloud computing platform, which already sells/provides a variety of Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) products. Oracle and Dyn didn't disclose the price of the deal but we are trying to find out. Dan Primack reports that it's around $600 million. We've also asked for a comment from Oracle about Dyn's recent breach, and whether the wheels were set in motion for this deal before or after the Mirai botnet attack in October.