Subscribe: Apple Podcasts | Google Podcasts | Spotify | Stitcher | Email | TuneIn | RSS
A bug in Mirai code allows crashing C2 servers
DuckDuckGo proposes “Do-Not-Track Act of 2019” to require sites to respect DNT browser setting
‘Matrix’-Themed Ransomware Variant Spreads
Transcript:M
[00:00:00] Welcome to Security led by you it is Tuesday, May 7th, 2019. Hope everybody had a wonderful weekend.
All right let’s kick things off here. First off from security affairs echoed by Pier Luigi Pagani a bug in Meri code allows crashing CE to servers. So as you may know the MRI botnet is out there and it’s taking over as the devices like crazy. It’s hard to go anywhere and not hear about MRI. Now when it comes to botnet society. So it is it’s prevalent. It’s across the world but apparently, it has a bug which according to this article the bad guys have known about for a while and they actually use this to take down a rival botnet which is fairly interesting. So essentially what this bug is is that the C2 several crashes when someone tries to connect to it using a user name sequence of 125 plus characters. So in this happens because the function within the code sets the byte limit at 1024. So if you do a thousand and twenty-five it will crash the server. So you know that that in and of itself is neat right. But what this article goes on to talk about is why isn’t somebody just running a script to constantly check to see if these C2 servers are up. I don’t pad packets tracks these things. Why isn’t somebody just pinging them seeing if they’re up and then if they are you take them down? Well, unfortunately, that would be illegal. But I would say well what they’re doing is illegal as well. Right. So you know two can play this game. Why not just go get a bulletproof server spin up this script and start pounding these things and taking them down. I’m not going to do that. I got enough to do in my life but I’m not saying that maybe you know I’m not saying it’s a bad idea. So you can go check that article out it’s really quick and easy there’s a link to the get hub although if you don’t know. The more I get sources. Just go search for it on Google I’m sure it’s been fought a thousand times. It’s pretty neat to read within the source code or in on the Github repos. There’s a list of username the password so fun project you can do that’s not illegal but you want to see maybe you’ve got a web server that is you can pump that listen and see if anybody see what the hits are there are some unique user names that are being used. So any little project for you if you’ve got a web server running whether AWB says or something like that. All right.
Next, from Security Boulevard, this one by strong got a lady Duck Duck Go proposes do not track the act of to 2019 to require sites to respect D.A. browser sizing settings. So for those that don’t know do not track essentially as a way of telling the Web site that no I don’t want you to track my activity across the browser across the site that I’m on is. You’re not allowed to do that. So that doesn’t necessarily some browsers have this but doesn’t necessarily mean they’re going to respect those wishes. So this act would do two things. No third party tracking by default which means that Web sites wouldn’t be allowed to use hidden trackers anymore on the sites that you visit. So on average when you go to a site there are up you know 15 20 different trackers running in the background that are collecting data whether it be Facebook Twitter Instagram all the social media’s or even in-house or even in-house trackers. One way to sort of combat that right now is I use personally it’s called ghost story. So it’ll tell you for instance actually let’s do this on security Boulevard right now. There are 12 trackers I see a Google. I see a discus HubSpot forums Google Tag HubSpot gravity car add any Twitter button Twitter syndication. So I mean that in that’s a security Web site. Imagine you know a bad Web site and no trackers are out there so you can use something like that to currently protect yourself from this to an extent. The next part of this would be no first party tracking outside what the user exempt it expects. I think you’re right. They gave a great example of this I’m just gonna read it right here. For example, if you use WhatsApp its parent company Facebook wouldn’t be able to use your data from WhatsApp you know unrelated situations like for advertising on Instagram also owned by Facebook as another example if you go to a weather site it could give you the local forecast but not share or sell your location history. So this is an extremely common practice and this is one of the reasons that these companies go and buy all this stuff up Facebook went and bought WhatsApp because as a massive user base. Right. And that just feeds right into its advertising. So that’s a separate conversation but you’ve got to be on the lookout for this stuff. Understand where the software you’re using comes from and how it’s connected for you know most folks that have used WhatsApp in the past have now shifted away from WhatsApp because of this exact purpose. If you’ve created an Instagram account lately you’ll know that it asked you if to use your Facebook account or associate your Facebook account so know what you’re using when you use things on the internet. Don’t talk to strangers either.
Next. This is your sort of you’re funny of the day. This one is from dark reading one of my favorite Web sites Kelly Jackson Higgins writes matrix themed ransomware variant spreads. So this is it’s called Mega cortex. At this point I think can we just call it its standard ransomware. But this isn’t standard but it’s just ransomware. It comes from the ransom note is read in the voice of Laurence Fishburne character Morpheus from the Matrix which is you know I want to hear that it’d be pretty funny I’m gonna go track that down. Maybe I’ll find it I’ll play for you guys. So what it is instead of asking for a bitcoin theorem whatever it is they’re asking for these days for monetary value. It is asking for consultation on how to improve your company’s cybersecurity and a promise that taking the attackers upon will on that will guarantee they won’t attack you again. I’m called bullshit on that right away. So this is something that Sophos found. Apparently whoever these guys are guys whoever these people are that are doing this they conducted 47 attacks in a 48 hour period so they’re clearly they’re trying to make money they’re just trying to do it in a different way. I hope to God that this isn’t some security consulting firm out there trying to drum up business because this is the fastest way to go out of business. So interesting read there’s some details in here about what makes it different. They’re using domain controllers and they’re snagging credentials off the domain controllers to do a lot of this and then it’s also they see this being dropped by Emotet So if you have iEmotet. You should already be cleaning them. But here’s another reason to do that. All right, folks, that’s it. That is our day today. It is what it was today. It is Tuesday, May 7th 20 19 is Security on the bayou. Everybody have a wonderful day. We’ll talk again tomorrow.