Reader Mark Wilson writes: Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet. In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as "just as powerful as the most dangerous one to date". The concern for 2017 is that "it's about to get a lot worse". Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.

Russian hackers have used fake websites and bots to steal millions of dollars from advertisers. According to researchers, the fraud has siphoned more than $180 million from the online ad industry. CNNMoney reports: Dubbed "Methbot," it is a new twist in an increasingly complex world of online crime, according to White Ops, the cybersecurity firm that discovered the operation. Methbot, so nicknamed because the fake browser refers to itself as the "methbrowser," operates as a sham intermediary advertising ring: Companies would pay millions to run expensive video ads. Then they would deliver those ads to what appeared to be major websites. In reality, criminals had created more than 250,000 counterfeit web pages no real person was visiting. White Ops first spotted the criminal operation in October, and it is making up to $5 million per day -- by generating up to 300 million fake "video impressions" daily. According to White Ops, criminals acquired massive blocks of IP addresses -- 500,000 of them -- from two of the world's five major internet registries. Then they configured them so that they appeared to be located all over the United States. They built custom software so that computers (at those legitimate data centers) acted like real people viewing those ads. These "people" even appeared to have Facebook accounts (they didn't), so that premium ads were served. Hackers fooled ad fraud blockers because they figured out how to build software that mimicked a real person who only surfed during the daytime -- using the Google Chrome web browser on a Macbook laptop.

Core evangelist Thibaut Rouffineau writes about the results of Ubuntu's survey of 2000 consumers about their Internet of Things devices: This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices... Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.

Canonical has taken the view for some time now that better automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the way to a secure IoT. We need to remove the burden of performing software updates from the user and we need to actively ban the dreaded 'default password', as Canonical has done with Ubuntu Core 16... It's clear to us that too many of the solutions to IoT security proposed today involve either mitigating security issues after-the-fact, or living in a world where IoT security problems are the accepted norm. This should not and cannot be the case.
They'll be publishing their complete findings in a new paper in January.

This week the FBI arrested a 26-year-old southern California man for launching a DDoS attack against online chat service Chatango at the end of 2014 and in early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire" services. An anonymous reader writes: Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.
Most of the other suspects arrested were under the age of 20.

"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom.The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.

Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

Security firm Forcepoint has discovered a DDoS competition which requires participants install a DDoS software which contains a backdoor. An anonymous reader quotes CSO: A hacker in Turkey has been trying to encourage distributed denial-of-attacks by making it into a game, featuring points and prizes for attempting to shut down political websites... Users that participate will be given a tool known as Balyoz, the Turkish word for Sledgehammer, that can be used to launch DDoS attacks against a select number of websites... The attack tool involved is designed to only harass 24 political sites related to the Kurds, the German Christian Democratic Party -- which is led by Angela Merkel -- and the Armenian Genocide, and others... Forcepoint noticed that the DDoS attack tool given to the participants also contains a backdoor that will secretly install a Trojan on the computer.

New submitter mikehusky quotes a report from The Register: Washington D.C. think tank the Institute for Critical Infrastructure Technology is calling for regulation on "negligence" in the design of internet-of-things (IoT) devices. If the world wants a bonk-detecting Wi-Fi mattress, it must be a malware-free bonk-detecting Wi-Fi mattress. The report adds: "Researchers James Scott and Drew Spaniel point out in their report Rise of the Machines: The Dyn Attack Was Just a Practice Run [PDF] that IoT represents a threat that is only beginning to be understood. The pair say the risk that regulation could stifle market-making IoT innovation (like the Wi-Fi cheater-detection mattress) is outweighed by the need to stop feeding Shodan. 'Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy. Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top 10 countries from which malicious IoT traffic originates.' State level regulation would be 'disastrous' to markets and consumers alike. The pair offer their report in the wake of the massive Dyn and Mirai distributed denial of service attacks in which internet of poorly-designed devices were enslaved into botnets to hammer critical internet infrastructure, telcos including TalkTalk, routers and other targets."

Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price, PCWorld reports. From the article: One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday. The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven't actually cracked it, they believe it's only a matter of time until someone does. Sony released a patch to the affected camera models last week.

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

A last-ditch effort in the Senate to block or delay rule changes that would expand the U.S. government's hacking powers failed Wednesday, despite concerns the changes would jeopardize the privacy rights of innocent Americans and risk possible abuse by the incoming administration of President-elect Donald Trump. Reuters adds: Democratic Senator Ron Wyden attempted three times to delay the changes which, will take effect on Thursday and allow U.S. judges will be able to issue search warrants that give the FBI the authority to remotely access computers in any jurisdiction, potentially even overseas. His efforts were blocked by Senator John Cornyn of Texas, the Senate's second-ranking Republican. The changes will allow judges to issue warrants in cases when a suspect uses anonymizing technology to conceal the location of his or her computer or for an investigation into a network of hacked or infected computers, such as a botnet.

An anonymous reader writes: Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone's behest. The hackers have quite a reputation on the hacking underground and have previously been linked to the GovRAT malware, which was used to steal data from several US companies. Renting around 50,000 bots costs between $3,000-$4,000 for 2 weeks, meaning renting the whole thing costs between $20,000-$30,000.

After the Mirai source code leaked, there are countless smaller Mirai botnets around, but this one is [believed to be the one] accounting for more than half of all infected IoT devices...that supposedly shut down Internet access in Liberia. The original Mirai botnet was limited to only 200,000 bots because there were only 200,000 IoT devices connected online that had their Telnet ports open. The botnet that's up for rent now has received improvements and can also spread to IoT devices via SSH, hence the 400,000 bots total.
Interestingly, the article claims the botnet's creators had access \to the Mirai source code "long before it went public."

According to the Washington Post (Warning: source may be paywalled; alternate source), the "fake news" phenomenon that circulated thousands of phony stories during the election was aided by a sophisticated Russian propaganda effort that aimed to punish Democrat Hillary Clinton, help Republican Donald Trump and undermine faith in American democracy. Slashdot reader xtsigs shares with us an excerpt from the Washington Post's report: The flood of "fake news" this election season got support from a sophisticated Russian propaganda campaign that created and spread misleading articles online with the goal of punishing Democrat Hillary Clinton, helping Republican Donald Trump and undermining faith in American democracy, say independent researchers who tracked the operation. Russia's increasingly sophisticated propaganda machinery -- including thousands of botnets, teams of paid human "trolls," and networks of websites and social-media accounts -- echoed and amplified right-wing sites across the Internet as they portrayed Clinton as a criminal hiding potentially fatal health problems and preparing to hand control of the nation to a shadowy cabal of global financiers. The effort also sought to heighten the appearance of international tensions and promote fear of looming hostilities with nuclear-armed Russia. Two teams of independent researchers found that the Russians exploited American-made technology platforms to attack U.S. democracy at a particularly vulnerable moment, as an insurgent candidate harnessed a wide range of grievances to claim the White House.

Oracle announced today it is buying DNS provider Dyn, a company that was in the press lately after it was hit by a large-scale DDoS attack in October that resulted in many popular websites becoming inaccessible. From a TechCrunch report:Oracle plans to add Dyn's DNS solution to its bigger cloud computing platform, which already sells/provides a variety of Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) products. Oracle and Dyn didn't disclose the price of the deal but we are trying to find out. Dan Primack reports that it's around $600 million. We've also asked for a comment from Oracle about Dyn's recent breach, and whether the wheels were set in motion for this deal before or after the Mirai botnet attack in October.

To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall: It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?

Reader Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices. In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren't manufactured in the United States, so regulation would have no effect on their security. Another piece of the puzzle is the fact that there's no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle. "I actually think we need a new agency. We can't have different rules if a computer makes calls, or a computer has wheels, or is in your body," said cryptographer Bruce Schneier, another witness during the hearing. "The government is getting involved here regardless, because the stakes are too high. The choice isn't between government involvement and no government involvement. It's between good government involvement and stupid government involvement. I'm not a regulatory fan but this is a world of dangerous things."

An anonymous reader shares a report on The Register: At least five Russian banks weathered days-long DDoS attacks this week. A wave of assaults began on Tuesday afternoon and continued over the next two days. Victims including Sberbank and Alfabank both confirmed DDoS attacks on their online services, RT reports. The attacks were powered by compromised IoT devices, according to an unnamed Russian Central Bank official. Early indications are that the Mirai IoT botnet that disrupted DNS services for scores of high-profile websites might be behind the latest attacks but this remains unconfirmed. DDoS attacks on Russian banks are far from unprecedented. The last attack on this scale affected eight major banks in October 2015. David Kennerley, director of threat research at Webroot, commented: "These latest DDoS attacks are extremely similar to the recent ones targeted at Dyn last month, and really drives home the security issues of the Internet of Things. While attacks like these are complicated, there's still an element of basic security that could have reduced success -- password management.

An anonymous reader quotes a report from The Verge: Yesterday, as groups across the country hit the final stretch of their get-out-the-vote campaigns, workers at NextGen Climate noticed some problems with their automated dialer program. As the team started its morning hours, the program used to initiate and monitor voter calls was suddenly clunky, and cut out entirely for crucial hours in the afternoon. The downtime wasn't a coincidence. Just after midnight on Sunday night, a post on 4chan's /pol/ board announced an impending denial-of-service attack on any tools used by the Clinton campaign, employing the same Mirai botnet code that blocked access to Twitter and Spotify last month. One of those targets was TCN, the Utah-based call center company that runs NextGen's dialer. According to the post's author, the company was also providing phone services to Hillary Clinton's offices in Nevada. "List targets here that if taken out could harm Clinton's chances of winning and I will pounce on them like a wild animal," the post reads. "Not sleeping until after this election is over." TCN confirmed the outage in a statement, describing the attack as "fairly sophisticated in nature." According to the statement, "the primary impacts were a slow site and a few brief periods of unavailability." The statement also makes it clear that NextGen Climate was far from the only group slowed down by the outage. TCN manages calling services for 2000 different clients, with a particularly brisk business during campaign season handling "everything from inbound information IVRs, outbound surveys to volunteer outreach."

Zack Whittaker, reporting for ZDNet: One of the largest distributed denial-of-service attacks happened this week and almost nobody noticed. Since the cyberattack on Dyn two weeks ago, the internet has been on edge, fearing another massive attack that would throw millions off the face of the web. The attack was said to be upwards of 1.1 Tbps -- more than double the attack a few weeks earlier on security reporter Brian Krebs' website, which was about 620 Gbps in size, said to be one of the largest at the time. The attack was made possible by the Mirai botnet, an open-source botnet that anyone can use, which harnesses the power of insecure Internet of Things devices. This week, another Mirai botnet, known as Botnet 14, began targeting a small, little-known African country Liberia, sending it almost entirely offline each time. Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was one of the largest capacity botnets ever seen. One transit provider said the attacks were over 500 Gbps in size. Beaumont said that given the volume of traffic, it "appears to be the owned by the actor which attacked Dyn." An attack of that size is enough to flatten even a large network -- or as was seen this week, a small country. Update: 11/03 19:37 GMT: The title of the story (same as the ZDNet's story) was updated to mention the name of the country. The summary was updated to reflect the same, as well.

An anonymous reader quotes a report from Ars Technica: There's a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report. Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices. Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6. The best-of-breed approach "is driving a high infection speed of Linux/IRCTelnet (new Aidra) so it can [infect] almost 3,500 bot clients within only five days from the moment its loader was first detected," a researcher who goes by the handle Unixfreakjp wrote in a blog post reporting on the new malware. "To incarnate a legendary botnet code into a new version that can [target] the recent vulnerable threat landscape is really inviting more bad news."

A Phoenix teenager mistakenly tweeted a link to JavaScript exploit which forced iOS devices to automatically dial and re-dial 911. An anonymous reader quotes Softpedia: The teenager created several weaponized versions of this bug which would constantly dial a phone number, or show annoying popups. The teenager says he wanted to prank his friends, thinking it would be "funny," but when he shared the weaponized link online, he shared a version that instead of showing annoying popups, redialed a phone number, which in this case was 911.
In September researchers calculated just 6,000 smartphones can take down an entire state's 911 system, while more than 1,849 people clicked on this link, according to the article. Sheriff Joe Arpaio's office searched the teenager's home -- "several items were seized" -- and they've charged him with three felony counts for computer tampering.