- Massive attack briefly shut down several popular sites; I’ll tell you what happened and why you need a little patience this week. Bottom line: news of the death of the Internet is premature!
- Update on Intel, and why I am still recommending that you avoid buying computers with certain intel chips inside. But that could change soon
- Microsoft will facilitate Intel Code Update! Great news – easier for Windows users – BUT BACKUP!!
- Flash is declining faster than we expected! Great news!
My guest is Charles Givre.
Intel coming along
Hair on Fire 1 of 5
Advice – don’t buy an Intel computer yet. If you must, be sure that it does not have an Intel chip in the “planning” stage!
Microcode updates: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf
Progress Update: Intel has released microcode update:
“…we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. …
The new microcode will be made available in most cases through OEM firmware updates. I (author: Navin Shenoy) continue to encourage people to always keep their systems up-to-date. There is also a comprehensive schedule and current status for planned microcode updates available online.”
https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/
Microsoft has decided to distribute Intel’s microcode update through Windows Update!
Hair on Fire 1 of 5
Much easier for listeners because you don’t have to go to the MANUFACTURER for the update.
(Apple is manufacturer and software producer. MS is just software vendor.)
https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates
Currently supporting the following chip sets:
- Skylake H/S, 6th Generation Intel Core Processor Family, 506E3
- Skylake U/Y & Skylake U23e, 6th Generation Intel Core m Processors, 406E3
Caution!
Make a full system backup! Hair on Fire 5 of 5
Windows: https://support.microsoft.com/en-us/help/17127/windows-back-up-restore
Apple systems – no word yet how Apple is handling Intel’s latest update.
https://support.apple.com/mac-backup
Flash phase-out is accelerating!
Still Hair on fire 5 of 5
The percentage of daily Chrome users who’ve loaded at least one page containing Flash content per day has gone down from around 80% in 2014 to under 8% in early 2018.
These statistics on Flash’s declining numbers were shared with the public by Parisa Tabriz, Director of Engineering at Google, during a keynote speech at Network and Distributed System Security Symposium (NDSS) held in San Diego last week.
Flash’s demise was to be expected, though. Adobe announced last year plans to stop supporting the Adobe Flash Media Player by the end of 2020.
But while Chrome, Firefox, Edge, and all major browsers have already moved from a Flash-enabled-by-default to a Flash-click-to-play policy since last year, the massive drop in Flash usage numbers is a huge surprise for most industry experts.
This big drop could, at least in theory, be explained by the fact that most advertising networks and video streaming portals have moved away from Flash to HTML5, meaning most people can go days before encountering a website that still loads some kind of Flash object.
Source: https://www.bleepingcomputer.com/news/security/google-chrome-flash-usage-declines-from-80-percent-in-2014-to-under-8-percent-today/
Again – Hair on Fire 5 of 5: UNINSTALL FLASH!
If you see an auto-update, then UNINSTALL FLASH!
Questions from Listeners:
Steve from Michigan:
I heard the internet was going extinct because of a new kind of attack. Seriously. What’s going on?
Nothing to worry about; this will get fixed.
Attack called “Memcached Distributed Denial of Service attack”
Main factors:
- UDP was not designed to be ‘exposed’ to the public internet; source addresses are easily spoofed
- Small request = big response
- Titanic result:
Source:
- Easy fix – disable UDP on Memcached servers.
- Before 24th February, the day when Memcached-based DDoS attacks were first spotted, the daily average was less than 50 attacks.
- Between 24th and 28th February, when Memcached as a new amplification attack vector was not publicly disclosed and known to a small group of people, the attacks rose to an average of 372 attacks per day.
- Soon after the first public report came on 27th February, between 1st and 8th March, the total number of attacks jumped to 13,027, with an average of 1,628 DDoS attack events per day.
Article Continues:
The list of famous online services and websites which were hit by massive DDoS attacks since 24th February includes Google, Amazon, QQ.com, 360.com, PlayStation, OVH Hosting, VirusTotal, Comodo, GitHub (1.35 Tbps attack), Royal Bank, Minecraft and RockStar games, Avast, Kaspersky, and Pinterest.
https://thehackernews.com/2018/03/memcached-ddos-attack.html
This issue is already fixed! (kill UDP)
What’s the problem? ~17k servers worldwide to patch.
So, this is a hair-on-fire 1 of 5, because all you can do is have a little patience: you may not be able to access a site for a while.
Thanks, Steve.
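The two factors above (spoofed UDP source, tiny request, huge reply) are what makes a Memcached server an open reflector. As an added example that is not from the show or from the articles it cites, here is a small detector run over constructed flow records; the memcached flags named in the comments (`-U 0` to turn UDP off, `-l` to bind to a private address) are the daemon's own options.

```python
# Added example (not from the show notes): flag Memcached UDP amplification
# in constructed flow records. Memcached listens on UDP/11211 by default;
# the tell-tale is a tiny request answered by a reply tens of thousands of
# times larger, sent to a "client" that never really asked (spoofed source).
from collections import defaultdict

MEMCACHED_PORT = 11211
AMPLIFICATION_THRESHOLD = 50  # reply bytes / request bytes; real attacks are far higher

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("203.0.113.5", 40000, "192.0.2.10", 11211, "udp", 15),       # tiny request
    ("192.0.2.10", 11211, "203.0.113.5", 40000, "udp", 750_000),  # huge reply to spoofed victim
    ("198.51.100.7", 51000, "192.0.2.10", 11211, "udp", 40),
    ("192.0.2.10", 11211, "198.51.100.7", 51000, "udp", 120),     # normal-sized reply
    ("10.0.0.4", 33000, "192.0.2.10", 11211, "tcp", 60),           # TCP handshake can't be spoofed this way
    ("192.0.2.10", 11211, "10.0.0.4", 33000, "tcp", 5000),
]

def amplification_by_client(flows, port=MEMCACHED_PORT):
    """Return {(server, client): (request_bytes, reply_bytes)} for UDP traffic
    to/from the memcached port, summed across flows."""
    totals = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == port:                 # client -> server request
            totals[(dst, src)][0] += nbytes
        elif sport == port:               # server -> client reply
            totals[(src, dst)][1] += nbytes
    return {k: tuple(v) for k, v in totals.items()}

def suspicious_pairs(flows, threshold=AMPLIFICATION_THRESHOLD):
    """(server, victim, factor) where reply volume dwarfs request volume.
    A large factor toward one 'client' means that client is probably a
    spoofed victim and the server is an open UDP reflector."""
    out = []
    for (server, client), (req, rep) in amplification_by_client(flows).items():
        factor = rep / req if req else float("inf")
        if factor >= threshold:
            out.append((server, client, round(factor, 1)))
    return out

if __name__ == "__main__":
    for server, victim, factor in suspicious_pairs(FLOWS):
        print(f"open reflector {server} -> {victim}: x{factor} amplification; "
              f"fix: run memcached with -U 0 (UDP off) and -l <private address>")
```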
Next Question:
Roland from California,
“I recently completed a bitcoin transaction. I made a small donation to a non-profit. I cut and pasted the Ethereum account key they sent me, but the donation never made it. But, my Ethereum account was definitely debited the amount. Am I being scammed by the non-profit, or did my Ethereum just get lost on the way?”
Clipboard-hijacking malware: Evrial, CryptoShuffler and ComboJack.
From the ComboJack write-up – great explanation:
…ComboJack enters into an infinite loop. Every half second it checks the contents of the clipboard. The contents of the clipboard are checked for various criteria to determine if the victim has copied wallet information for various digital currencies. In the event a wallet of interest is discovered, ComboJack will replace it with a hardcoded wallet that the attacker presumably owns in an attempt to have the victim accidentally send money to the wrong location. This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors. If any potential currency addresses are found, they are replaced following the criteria in the table below:
Criteria checked | Replaced with | Wallet type
Length of 42 and starts with ‘0’ | 0xE44598AB74425450692F7b3a9f898119968da8Ad | Ethereum
Length of 106 and starts with ‘4’ | 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE | Monero. It’s important to note that this replacement string is not long enough, as Monero wallet addresses are either 95 or 106 characters in length. This was likely a mistake made by the author.
Length of 34 and starts with ‘1’ | 1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x | Bitcoin
Length of 34 and starts with ‘L’ | LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV | Litecoin
Length of 11 and starts with ‘8’ | 79965017478 | Qiwi
Length of 13 and starts with ‘R’ | R064565691369 | WebMoney (Rubles)
Length of 13 and starts with ‘Z’ | Z152913748562 | WebMoney (USD)
Length of 13 and starts with ‘E’ | 88888888888888888888888888888888888888888888888888 | Unknown
Length of 15 and starts with ‘4100’ | 410014474125403 | Yandex Money
Table 1. Replacement address lookup table hardcoded into ComboJack.
Source:
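The length-and-prefix rules in Table 1 are all the malware uses to decide that the clipboard holds a wallet address, which also gives the defender a cheap check: what gets pasted should be the exact string that was copied, not a different address of the same shape. As an added example (not from the show or the ComboJack write-up), here are the table's rules as a classifier plus a paste guard built on them; all addresses in it are constructed, not real wallets.

```python
# Added example (not from the article or the ComboJack sample): the address
# criteria from Table 1 as a checker, plus a paste guard that spots the
# signature of clipboard hijacking: what you paste has the same wallet
# "shape" as what you copied but different content.

# (length, required prefix, wallet type) -- straight from Table 1 above
CRITERIA = [
    (42, "0", "Ethereum"),
    (106, "4", "Monero"),
    (34, "1", "Bitcoin"),
    (34, "L", "Litecoin"),
    (11, "8", "Qiwi"),
    (13, "R", "WebMoney (Rubles)"),
    (13, "Z", "WebMoney (USD)"),
    (13, "E", "Unknown"),
    (15, "4100", "Yandex Money"),
]

def wallet_type(text):
    """Return the wallet type ComboJack would assign to a clipboard string,
    or None if it matches none of the table's length/prefix rules."""
    text = text.strip()
    for length, prefix, name in CRITERIA:
        if len(text) == length and text.startswith(prefix):
            return name
    return None

def paste_was_tampered(copied, pasted):
    """True when the copied string looked like a wallet address and the
    pasted string is a *different* address of the same type: exactly what a
    clipboard hijacker produces. Surrounding whitespace is ignored."""
    src, dst = copied.strip(), pasted.strip()
    kind = wallet_type(src)
    return kind is not None and src != dst and wallet_type(dst) == kind

# Constructed addresses (not real wallets): an Ethereum-shaped string the
# donor copied, and a different Ethereum-shaped string that reached the paste.
COPIED_ETH = "0x" + "ab" * 20    # 42 chars, starts with '0'
SWAPPED_ETH = "0x" + "cd" * 20   # same shape, different content
COPIED_BTC = "1" + "A" * 33      # 34 chars, starts with '1'

if __name__ == "__main__":
    print(wallet_type(COPIED_ETH), paste_was_tampered(COPIED_ETH, SWAPPED_ETH))
```

Roland's case is the first branch: the same-shape-different-content pattern is what to look for before confirming any transfer, by comparing the pasted address character by character with the one the recipient sent.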
Creative Commons License
This work is licensed under a Creative Commons License: Attribution required if you republish or reuse this material. For details, see:
https://creativecommons.org/licenses/by/4.0/
One thought on “#10 – The Biggest Internet Attack In History Is Not Over (Yet)”