A DDoS Attack Powered by 25,000 CCTV Cameras

A new DDoS attack powered entirely by compromised CCTV units


Security researchers at Sucuri have revealed a unique new DDoS attack launched against a small business, which was powered entirely by thousands of compromised CCTV units.


25,513 IP addresses were spotted, with a plurality in Taiwan, the US and Indonesia — although they spread out over 105 countries in total.

By far the largest share of the devices were H.264 DVR units, which may have been compromised via a recently disclosed RCE bug in CCTV-DVR.


From Sucuri Blog:

It was a layer 7 attack (HTTP Flood) generating close to 35,000 HTTP requests per second (RPS) which was more than their web servers could handle.

In this case however, after the site came back up, the attacks increased their intensity, peaking to almost 50,000 HTTP requests per second. It continued for hours, which turned into days.

Since this type of long-duration DDoS is not so common, we decided to dive into what the attackers were doing, and to our surprise, they were leveraging only IoT (Internet of Things) CCTV devices as the source of their attack botnet.

Read the entire article here:

https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html

An introduction to Brainfuck programming

What can you do with a programming language with only eight commands and a pointer?


Brainfuck is an esoteric programming language created in 1993 by Urban Müller.

It is fully Turing-complete, but it is not intended for practical use: it exists as a challenge and amusement for programmers.

A Brainfuck program operates on an array of 30,000 cells initialized to zero, using eight commands and a data pointer that points at the current cell.

The pointer can be moved about in the array, and the current cell can be incremented or decremented by one.


The eight commands

> → increment the data pointer (to point to the next cell to the right).

< → decrement the data pointer (to point to the next cell to the left).

+ → increment (increase by one) the byte at the data pointer.

- → decrement (decrease by one) the byte at the data pointer.

. → output the byte at the data pointer.

, → accept one byte of input, storing its value in the byte at the data pointer.

[ → if the value at the current cell is zero, skip to the corresponding ] . Otherwise, move to the next instruction.

] → if the value at the current cell is zero, move to the next instruction. Otherwise, move backwards in the instructions to the corresponding [ .

! → not one of the eight commands: if the exclaim box is checked, the interpreter uses all characters to the right of the ! as program input.


The first program

As an example, I take a simple program written by Prajit Ramachandran at https://learnxinyminutes.com/docs/brainfuck/: it simply displays the letter ‘A’.

++++++ [ > ++++++++++ < - ] > +++++ .
First, it increments cell #1 to 6.
Cell #1 will be used for looping.
Then, it enters the loop ([) and moves to cell #2. 
It increments cell #2 10 times, moves back to cell #1, and
decrements cell #1.
This loop happens 6 times (it takes 6 decrements for cell #1 to reach 0, at which point it skips to the corresponding ] and
continues on).
At this point, we’re on cell #1, which has a value of 0, while cell #2 has a value of 60.
We move to cell #2, increment 5 times, for a value of 65, and then print cell #2’s value.
65 is ‘A’ in ASCII, so ‘A’ is printed to the terminal.

You can try Brainfuck in your browser with brainfuck-visualizer.
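
The tape, data pointer and eight commands described above, written out as a small interpreter that runs the article's first program. This is an added example, not code from the original article or from learnxinyminutes; the function names, the 8-bit wraparound, storing 0 at end of input and the step limit are assumptions.

```python
TAPE_SIZE = 30_000  # cell count stated in the article

def match_brackets(program):
    """Pair every '[' with its ']' up front; reject unbalanced programs."""
    stack, jumps = [], {}
    for pos, ch in enumerate(program):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise SyntaxError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise SyntaxError(f"unmatched '[' at offset {stack[-1]}")
    return jumps

def run(program, data=b"", max_steps=1_000_000):
    """Run program on a zeroed tape and return the bytes it outputs."""
    jumps = match_brackets(program)
    tape, ptr, pc, steps = bytearray(TAPE_SIZE), 0, 0, 0
    inp, out = iter(data), bytearray()
    while pc < len(program):
        steps += 1
        if steps > max_steps:  # assumption: bound the work of a looping program
            raise RuntimeError("step limit exceeded")
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256  # assumption: 8-bit cells wrap
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)  # assumption: end of input stores 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body: land on the matching ']'
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # repeat: land on the matching '['
        if not 0 <= ptr < TAPE_SIZE:  # Python would read tape[-1] as the last cell
            raise IndexError("data pointer left the tape")
        pc += 1  # any other character is ignored
    return bytes(out)

PROGRAM_A = "++++++ [ > ++++++++++ < - ] > +++++ ."  # the article's first program
```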

How to steal a Facebook account without being a security expert

Aaron Thompson published his misadventure on Reddit


On June 26 last year Aaron Thompson realized that he could no longer access his Facebook account: the email address and the phone numbers associated with the account had been changed.

In his mailbox Aaron found an exchange of emails between Facebook customer support and the intruder who had taken possession of his account.
To get around the two-step verification, the intruder told customer service that he had lost his mobile phone.

Customer service replied that he had to prove he was the real Aaron Thompson by sending a scan of an identity document.


The intruder had responded by sending this fake document:

Image taken from http://motherboard.vice.com/read/how-a-hacker-got-facebook-to-let-him-take-over-someone-elses-account

None of the information on the document was real, except for the name, but it was enough for Facebook to verify the identity: it disabled all the account protections, allowing the intruder to take control.


Thompson regained ownership of his account after publishing his misadventure on Reddit.


The Facebook reply about the incident was:

“Accepting this ID was a mistake that violated our own internal policies and this case is not the norm.”

All is well that ends well!