SlideShare a Scribd company logo
1 of 34
News Bytes
by Shreyasi Rao
Overview
1. Ghost DNS
2. Facebook hacked
3. Whatsapp video call compromised.
4. Hacking into yCombinator HackerNews
GhostDNS: New DNS Changer Botnet
• Between September 21 and 27, the GhostDNS
campaign compromised greater than 100,000
routers (87.8% devices in Brazil)
• Many similarities with the notorious
DNSChanger malware.
• It attempts to guess the password on the
router's web authentication page or bypass the
authentication through the dnscfg.cgi exploit,
then changes the router's default DNS address
to the Rogue DNS Server.
• It is a real threat to the Internet as it is highly
scaled, utilizes diverse attack vector, adopts
automated attack process.
DNS Domain Name System
• Resloves domain names
to IP addresses.
• Cybercriminals create DNS
changer malware to
modify the DNS settings
of a system Resolver Server/ ISP
Top Level Domain Server
(.com, .net)
Authoritative
Name Server
13 clusters
.
• DNSChanger worked by changing DNS server entries in infected
computers to point to malicious servers under the control of the
attackers, rather than the DNS servers provided by any ISP or
organization.
• The DNS changer malware did not target browsers, rather it targetted
routers that run unpatched firmware or are secured with weak admin
passwords.
How does Ghost DNS work?
.
These four parts work together to perform DNS hijacking function.
Here we call the whole campaign GhostDNS:
• DNS Changer. This is the main module of GhostDNS designed to
exploit targeted routers based upon collected information
• Web Admin. It seems to be a web admin website on one of the PyPhp
DNSChanger node for attackers secured with a login page.
• Rogue DNS. Lets the hackers to figure out domain names from the
attacker controlled web server. A total of 52 domains being hijacked.
• Phishing Web. The rogue DNS server hijacks specific domains and
resolves their IP addresses to the Phishing webserver, which will
respond the victims with specific phishing sites for the corresponding
hostname.
.
label "Elite Priv8" on the login page of the Web Admin System. After
some googling, researchers found the same description on a post on a
Brazilian security forum
IP address of Web
Admin Server
198.50.222.139
"AS16276 OVH SAS"
Below is the hijack result details of a rogue DNS server (139.60.162.188)
DNSChanger Module
Includes 100+ attack scripts altogether, affecting 70+ different routers.
It has three modules, which Netlab has dubbed Shell DNSChanger, Js
DNSChanger, and PyPhp DNSChanger.
PyPhp DNSChanger
• PyPhp DNSChanger, written in a combination
of Python and PHP, is the most potent of all
three.
• Deployed on over 100 Google Cloud servers,
from where the attackers are constantly
scanning the Internet to identify vulnerable
routers.
The PyPhp DNSChanger node has infection
statistics.
.It mainly composes of three parts:
• Web API. Through which attacker can control and schedule to run the
program conveniently.
• Scanner. The scanner utilizes both Masscan port scanning and Shodan API
service (to pick specific banners) to obtain target router IPs located only in
Brazil.
• Attack Module.This attack module totally includes 69 attack scripts against 47
different routers/firmwares.
• It collects active router IPs from scanner and launchs Web authentication
bruteforce or dnscfg.cgi vulnerability exploits to bypass authentication, after
that it will change the routers' default DNS resolver to the rogue DNS server,
which is used to hijack specific websites for phishing.
Preventions
• The broadband users in Brazil update their router systems.
• Check if the router's default DNS server is changed and set more
complicated password for router web portal.
• Router vendors increase the complexity of router default password
and enhance the system security update mechanism for their
products.
Facebook HACKED!!!
• The company has said the cyber-attack disclosed on Sept 28 was one of the
worst to hit Facebook. It affected 30 million people.
• For 15 million people, attackers accessed two sets of information – name and
contact details (phone number, email, or both, depending on what people had
on their profiles).
• For 14 million people, the attackers accessed the same two sets of
information, as well as other details people had on their profiles.
• This included username, gender, locale/language, relationship status, religion,
hometown, self-reported current city, birthdate, device types used to access
Facebook, education, work, the last 10 places they checked into or were
tagged in, website, people or Pages they follow, and the 15 most recent
searches.
• For 1 million people, the attackers did not access any information.
How did this happen?
• The attackers exploited a vulnerability in Facebook’s code that existed
between July 2017 and September 2018.
• The vulnerability was the result of a complex interaction of three
distinct software bugs and it impacted “View As,” a feature that lets
people see what their own profile looks like to someone else.
• It allowed attackers to steal Facebook access tokens, which they could
then use to take over people’s accounts.
• Access tokens are the equivalent of digital keys that keep people
logged in to Facebook so they don’t need to re-enter their password
every time they use the app.
• First, the attackers already controlled a set of accounts, which were
connected to Facebook friends.
• They used an automated technique to move from account to account
so they could steal the access tokens of those friends, and for friends
of those friends, and so on, totaling about 400,000 people.
• In the process, however, this technique automatically loaded those
accounts’ Facebook profiles, mirroring what these 400,000 people
would have seen when looking at their own profiles.
• That includes posts on their timelines, their lists of friends, Groups
they are members of, and the names of recent Messenger
conversations.
How did Facebook find out?
• They saw an unusual spike of activity that began on September 14, 2018.
• So they started an investigation.
• On September 25, they determined this was actually an attack and identified
the vulnerability.
• Within two days, they closed the vulnerability, stopped the attack, and
secured people’s accounts by resetting the access tokens for people who were
potentially exposed.
• As a precaution, they also turned off “View As.”
• Facebook continues to investigate the incident with the FBI.
• This sort of personal detail can help identity thieves accomplish hacks for
years into the future.
Don't pick up the whatsapp video call!!!
Google Project Zero security researcher Natalie Silvanovich found a
critical vulnerability in WhatsApp messenger that could have allowed
hackers to remotely take full control of your WhatsApp just by video
calling you over the app
The vulnerability is a memory heap overflow issue triggered when the
WhatsApp mobile application receives a malformed RTP packet (Real-
time Transport Protocol) via a video call request, which results in the
corruption error and crashing the WhatsApp mobile app.
WhatsApp: Heap Corruption in RTP processing
To reproduce the issue:
• 1) Apply the attached patch to libwhatsapp.so in the Android application using
bsdiff. this patch intercepts a memcpy right before srtp_protect is called, and
alters the RTP buffer. The SHA1 of the original library used was
cfdb0266cbd6877e5d146ddd59fa83ebccdd013d, and the SHA1 of the
modified library is 042256f240367eaa4a096527d1afbeb56ab2eeb4.
• 2) Build the attached file, natalie2.c for the Android device the application is
running on, and copy it to /data/data/com.whatsapp/libn.so.
• 3) Copy the files in the attached folder into /data/data/com.whatsapp/files so
that /data/data/com.whatsapp/files/t0 is a valid location.
• 4) Restart WhatsApp and call the target device and pick up the call. The deivce
will crash in a few seconds.
.
Silvanovich discovered and reported the vulnerability to the WhatsApp
team in August this year.
• WhatsApp acknowledged and
• Patched the issue on September 28 in its Android client
• and on October 3 in its iPhone client.
Hacking into yCombinator HackerNews
• An exaple of a true whitehat hacking ft. dfranke
• The news.yc code, prior to the the release of arc3, contains a
remotely-exploitable vulnerability permitting account theft.
• Hacker News login cookies are random eight-character strings, stored
server-side in a hash table mapping them to user names.
• These strings were rather less random, and, through a delightful
combination of exploits, could be predicted, enabling an attacker to
steal accounts.
.
Here's the rand-string function from arc.arc, version 2. It gets
called with n=8 to generate login cookies,
and n=10 for the "fnids" that get used all over the site as hash keys
identifying closures.
(def rand-string (n)
(with (cap (fn () (+ 65 (rand 26)))
sm (fn () (+ 97 (rand 26)))
dig (fn () (+ 48 (rand 10))))
(coerce (map [coerce _ 'char]
(cons (rand-choice (cap) (sm))
(n-of (- n 1) (rand-choice (cap) (sm) (dig)))))
'string)))
.• The 'rand' function is an arc primitive, bound directly to mzscheme's 'random':
The comment seen here is prescient, as we'll see. The mzscheme's 'random' fn:
; need to use a better seed
(xdef 'rand random)
static long sch_int_rand(long n, Scheme_Random_State *rs)
{
double x, q, qn, xq;
/* generate result in {0..n-1} using the rejection method */
q = (double)( (unsigned long)(m1 / (double)n) );
qn = q * n;
do {
x = mrg32k3a(rs);
} while (x >= qn);
xq = x / q;
/* return result */
return (long)xq;
}
• It was obviously, not a cryptographically strong PRNG. It was possible that
someone could break it but was TOO MUCH MATH!
• So he went looking for an easier approach.
Where does the RNG seed come from? Ah ha
The random seed is merely the number of milliseconds since epoch at the time
the seed function was called
rs = scheme_make_random_state(scheme_get_milliseconds());
long scheme_get_milliseconds(void)
{
struct timeb now;
ftime(&now);
return now.time * 1000 + now.millitm;
}
• For starters, he thought, perhaps I could determine the server's start
time to within a few seconds or minutes.
A boring way to go about this would be simply to monitor the server
for downtime, and record when it became accessible again.
a more proactive approach: crash it!
• A few months ago news.yc recovered from some downtime and the
server had since been upgraded, so these crashes are/were no longer
happening.
• He figured that the watchdog works by requesting a page and
checking to make sure it gets a response, and that if it doesn't get
one, then it assumes the server is wedged and restarts it.
• So, there's a limit of 50 concurrent threads, and threads are killed after 30 seconds if
they haven't already terminated. So if I were to hold open 50 concurrent connections,
and the watchdog were to run during the following 30 seconds, then the server ought to
restart.
• So, a one-minute interval is 60,000 possible PRNG seeds.
• If he kept polling to see when the server came back up after the watchdog killed it, then
he very conservatively assumed that he could be among the first 50 people to issue an
HTTP request.
• Each page that comes back from the server typically contains 2-3 fnids, so the reply he
got would contain some from among first few hundred to be generated, and thus from
among the first few thousand iterations of of the PRNG.
• This leaves determination of the PRNG seed comfortably within the reach of brute force:
run the PRNG for 10,000 iterations for each of the 60,000 possible seeds, and see which
one produces the fnids he saw in response to his request and wrote a program that does
just this
• So now he was able to determine PRNG seeds.
• But only a tiny fraction of rand-strings that the server generates
correspond to login cookies.
• Since fnids and login cookies have different lengths, and since the
PRNG gets called for a few other purposes at unpredictable times.
• Every individual PRNG iteration begins a candidate login cookie.
That's 40 or more false candidates produced for every page view.
• If each page view produces an average of 50 candidates, and one in
every thousand page views is a login (this might be slightly
optimistic), that's 50,000 attempts necessary in order to find a
working login. HN gets about 500,000 hits on a busy day, so this could
be done in a day or two while likely staying under the radar.
• To login:-
• 1. Request a page. Find a generated fnid from the page source and look it up in our candidate list. Call this A.
• 2. ERC> /join #startups <dfranke> Hey guys, I haven't been able to log in to news.yc since the server restarted a little
while ago. Anyone else having problems? <jrandomsucker> dfranke: Works for me. <dfranke> Hmm, weird. I'll just try
again later I guess.
• 3. Request another page, note the fnid, find it in the candidate list. Call this B.
• Step 4: Test the cookies that fall between A and B.
If this conversation takes one minute, then this reduces the search to about 17,500 attempts -- less than a day's worth at
a modest rate of querying -- and possibly picks up multiple accounts in the process.
In the End
• His better implementation of rand-string which reads from
/dev/urandom and obeys a proper uniform distribution was
implemented in arc3.
• The 50-thread concurrency limit was removed and replaced with a
per-IP rate limiter, so the DoS attack described here should no longer
work.
References
• https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-
100000-are-being-hijacked-by-ghostdns-en/
• https://www.bloomberg.com/news/articles/2018-10-12/facebook-s-recent-
hack-exposed-user-location-search-data
• https://newsroom.fb.com/news/2018/10/update-on-security-issue/
• https://bugs.chromium.org/p/project-zero/issues/detail?id=1654
• https://news.ycombinator.com/item?id=639976

More Related Content

What's hot

Internet Security Issues
Internet Security IssuesInternet Security Issues
Internet Security Issuesanides
 
Operation Blockbuster
Operation BlockbusterOperation Blockbuster
Operation BlockbusterTom K
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service laxmi chandolia
 
27.2.15 lab investigating a malware exploit
27.2.15 lab   investigating a malware exploit27.2.15 lab   investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingSathishkumar A
 
CTM360 adv-0317-01 dns messenger
CTM360 adv-0317-01 dns messengerCTM360 adv-0317-01 dns messenger
CTM360 adv-0317-01 dns messengerMigin Vincent
 
SMB Guide-to-Ransomware
SMB Guide-to-RansomwareSMB Guide-to-Ransomware
SMB Guide-to-RansomwareDave Augustine
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?HBServices7
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
Wrath of Ransomware_Longinus Timochenco
Wrath of Ransomware_Longinus TimochencoWrath of Ransomware_Longinus Timochenco
Wrath of Ransomware_Longinus TimochencoLonginus Timochenco
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab   isolate compromised host using 5-tuple27.2.14 lab   isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tupleFreddy Buenaño
 

What's hot (18)

Internet Security Issues
Internet Security IssuesInternet Security Issues
Internet Security Issues
 
Operation Blockbuster
Operation BlockbusterOperation Blockbuster
Operation Blockbuster
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service
 
27.2.15 lab investigating a malware exploit
27.2.15 lab   investigating a malware exploit27.2.15 lab   investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hacking
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
CTM360 adv-0317-01 dns messenger
CTM360 adv-0317-01 dns messengerCTM360 adv-0317-01 dns messenger
CTM360 adv-0317-01 dns messenger
 
Hack the hack
Hack the hackHack the hack
Hack the hack
 
SMB Guide-to-Ransomware
SMB Guide-to-RansomwareSMB Guide-to-Ransomware
SMB Guide-to-Ransomware
 
Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?Ethical Hacking : Why Do Hackers Attack And How ?
Ethical Hacking : Why Do Hackers Attack And How ?
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
Wrath of Ransomware_Longinus Timochenco
Wrath of Ransomware_Longinus TimochencoWrath of Ransomware_Longinus Timochenco
Wrath of Ransomware_Longinus Timochenco
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOG
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofing
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab   isolate compromised host using 5-tuple27.2.14 lab   isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 

Similar to News2 bytes

Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunickamiable_indian
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Rahul Sasi
 
Flashpoint ransomware april2016
Flashpoint ransomware april2016Flashpoint ransomware april2016
Flashpoint ransomware april2016Andrey Apuhtin
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Security News Bytes (Aug Sept 2017)
Security News Bytes (Aug Sept 2017)Security News Bytes (Aug Sept 2017)
Security News Bytes (Aug Sept 2017)Apurv Singh Gautam
 
Meletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis MPhil/MRes/BSc
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling E Hacking
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовPositive Hack Days
 
InfoSec Monthly News Recap: April 2017
InfoSec Monthly News Recap: April 2017InfoSec Monthly News Recap: April 2017
InfoSec Monthly News Recap: April 2017Ettore Fantin
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk   apt, cyber espionage threat(130119) #fitalk   apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh
 
Introduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinIntroduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinEslam Hussein
 

Similar to News2 bytes (20)

Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
 
Flashpoint ransomware april2016
Flashpoint ransomware april2016Flashpoint ransomware april2016
Flashpoint ransomware april2016
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
Security News Bytes (Aug Sept 2017)
Security News Bytes (Aug Sept 2017)Security News Bytes (Aug Sept 2017)
Security News Bytes (Aug Sept 2017)
 
Meletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information securityMeletis Belsis - Introduction to information security
Meletis Belsis - Introduction to information security
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
 
InfoSec Monthly News Recap: April 2017
InfoSec Monthly News Recap: April 2017InfoSec Monthly News Recap: April 2017
InfoSec Monthly News Recap: April 2017
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk   apt, cyber espionage threat(130119) #fitalk   apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
 
Introduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam husseinIntroduction Ethical hacking by eslam hussein
Introduction Ethical hacking by eslam hussein
 

Recently uploaded

Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...EduSkills OECD
 
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSSpellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSAnaAcapella
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...Gary Wood
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsSandeep D Chaudhary
 
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lessonQUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lessonhttgc7rh9c
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfFICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfPondicherry University
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfNirmal Dwivedi
 
PANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxPANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxakanksha16arora
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...Nguyen Thanh Tu Collection
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxDr. Ravikiran H M Gowda
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17Celine George
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17Celine George
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....Ritu480198
 

Recently uploaded (20)

Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSSpellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lessonQUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
QUATER-1-PE-HEALTH-LC2- this is just a sample of unpacked lesson
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfFICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
 
PANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxPANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 

News2 bytes

  • 2. Overview 1. Ghost DNS 2. Facebook hacked 3. Whatsapp video call compromised. 4. Hacking into yCombinator HackerNews
  • 3. GhostDNS: New DNS Changer Botnet • Between September 21 and 27, the GhostDNS campaign compromised greater than 100,000 routers (87.8% devices in Brazil) • Many similarities with the notorious DNSChanger malware. • It attempts to guess the password on the router's web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router's default DNS address to the Rogue DNS Server. • It is a real threat to the Internet as it is highly scaled, utilizes diverse attack vector, adopts automated attack process.
  • 4. DNS Domain Name System • Resloves domain names to IP addresses. • Cybercriminals create DNS changer malware to modify the DNS settings of a system Resolver Server/ ISP Top Level Domain Server (.com, .net) Authoritative Name Server 13 clusters
  • 5. . • DNSChanger worked by changing DNS server entries in infected computers to point to malicious servers under the control of the attackers, rather than the DNS servers provided by any ISP or organization. • The DNS changer malware did not target browsers, rather it targetted routers that run unpatched firmware or are secured with weak admin passwords.
  • 6. How does Ghost DNS work?
  • 7. . These four parts work together to perform DNS hijacking function. Here we call the whole campaign GhostDNS: • DNS Changer. This is the main module of GhostDNS designed to exploit targeted routers based upon collected information • Web Admin. It seems to be a web admin website on one of the PyPhp DNSChanger node for attackers secured with a login page. • Rogue DNS. Lets the hackers to figure out domain names from the attacker controlled web server. A total of 52 domains being hijacked. • Phishing Web. The rogue DNS server hijacks specific domains and resolves their IP addresses to the Phishing webserver, which will respond the victims with specific phishing sites for the corresponding hostname.
  • 8. . label "Elite Priv8" on the login page of the Web Admin System. After some googling, researchers found the same description on a post on a Brazilian security forum IP address of Web Admin Server 198.50.222.139 "AS16276 OVH SAS"
  • 9. Below is the hijack result details of a rogue DNS server (139.60.162.188)
  • 10. DNSChanger Module Includes 100+ attack scripts altogether, affecting 70+ different routers. It has three modules, which Netlab has dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger.
  • 11. PyPhp DNSChanger • PyPhp DNSChanger, written in a combination of Python and PHP, is the most potent of all three. • Deployed on over 100 Google Cloud servers, from where the attackers are constantly scanning the Internet to identify vulnerable routers. The PyPhp DNSChanger node has infection statistics.
  • 12. .It mainly composes of three parts: • Web API. Through which attacker can control and schedule to run the program conveniently. • Scanner. The scanner utilizes both Masscan port scanning and Shodan API service (to pick specific banners) to obtain target router IPs located only in Brazil. • Attack Module.This attack module totally includes 69 attack scripts against 47 different routers/firmwares. • It collects active router IPs from scanner and launchs Web authentication bruteforce or dnscfg.cgi vulnerability exploits to bypass authentication, after that it will change the routers' default DNS resolver to the rogue DNS server, which is used to hijack specific websites for phishing.
  • 13. Preventions • The broadband users in Brazil update their router systems. • Check if the router's default DNS server is changed and set more complicated password for router web portal. • Router vendors increase the complexity of router default password and enhance the system security update mechanism for their products.
  • 14. Facebook HACKED!!! • The company has said the cyber-attack disclosed on Sept 28 was one of the worst to hit Facebook. It affected 30 million people. • For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). • For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. • This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. • For 1 million people, the attackers did not access any information.
  • 15. How did this happen? • The attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. • The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted “View As,” a feature that lets people see what their own profile looks like to someone else. • It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. • Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
  • 16. • First, the attackers already controlled a set of accounts, which were connected to Facebook friends. • They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. • In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. • That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations.
  • 17. How did Facebook find out? • They saw an unusual spike of activity that began on September 14, 2018. • So they started an investigation. • On September 25, they determined this was actually an attack and identified the vulnerability. • Within two days, they closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed. • As a precaution, they also turned off “View As.” • Facebook continues to investigate the incident with the FBI. • This sort of personal detail can help identity thieves accomplish hacks for years into the future.
  • 18. Don't pick up the whatsapp video call!!! Google Project Zero security researcher Natalie Silvanovich found a critical vulnerability in WhatsApp messenger that could have allowed hackers to remotely take full control of your WhatsApp just by video calling you over the app The vulnerability is a memory heap overflow issue triggered when the WhatsApp mobile application receives a malformed RTP packet (Real- time Transport Protocol) via a video call request, which results in the corruption error and crashing the WhatsApp mobile app.
  • 19.
  • 20. WhatsApp: Heap Corruption in RTP processing To reproduce the issue: • 1) Apply the attached patch to libwhatsapp.so in the Android application using bsdiff. this patch intercepts a memcpy right before srtp_protect is called, and alters the RTP buffer. The SHA1 of the original library used was cfdb0266cbd6877e5d146ddd59fa83ebccdd013d, and the SHA1 of the modified library is 042256f240367eaa4a096527d1afbeb56ab2eeb4. • 2) Build the attached file, natalie2.c for the Android device the application is running on, and copy it to /data/data/com.whatsapp/libn.so. • 3) Copy the files in the attached folder into /data/data/com.whatsapp/files so that /data/data/com.whatsapp/files/t0 is a valid location. • 4) Restart WhatsApp and call the target device and pick up the call. The deivce will crash in a few seconds.
  • 21. . Silvanovich discovered and reported the vulnerability to the WhatsApp team in August this year. • WhatsApp acknowledged and • Patched the issue on September 28 in its Android client • and on October 3 in its iPhone client.
  • 22. Hacking into yCombinator HackerNews • An exaple of a true whitehat hacking ft. dfranke • The news.yc code, prior to the the release of arc3, contains a remotely-exploitable vulnerability permitting account theft. • Hacker News login cookies are random eight-character strings, stored server-side in a hash table mapping them to user names. • These strings were rather less random, and, through a delightful combination of exploits, could be predicted, enabling an attacker to steal accounts.
  • 23. . Here's the rand-string function from arc.arc, version 2. It gets called with n=8 to generate login cookies, and n=10 for the "fnids" that get used all over the site as hash keys identifying closures. (def rand-string (n) (with (cap (fn () (+ 65 (rand 26))) sm (fn () (+ 97 (rand 26))) dig (fn () (+ 48 (rand 10)))) (coerce (map [coerce _ 'char] (cons (rand-choice (cap) (sm)) (n-of (- n 1) (rand-choice (cap) (sm) (dig))))) 'string)))
  • 24. .• The 'rand' function is an arc primitive, bound directly to mzscheme's 'random': The comment seen here is prescient, as we'll see. The mzscheme's 'random' fn: ; need to use a better seed (xdef 'rand random) static long sch_int_rand(long n, Scheme_Random_State *rs) { double x, q, qn, xq; /* generate result in {0..n-1} using the rejection method */ q = (double)( (unsigned long)(m1 / (double)n) ); qn = q * n; do { x = mrg32k3a(rs); } while (x >= qn); xq = x / q; /* return result */ return (long)xq; }
  • 25.
  • 26. • It was obviously, not a cryptographically strong PRNG. It was possible that someone could break it but was TOO MUCH MATH! • So he went looking for an easier approach. Where does the RNG seed come from? Ah ha The random seed is merely the number of milliseconds since epoch at the time the seed function was called rs = scheme_make_random_state(scheme_get_milliseconds()); long scheme_get_milliseconds(void) { struct timeb now; ftime(&now); return now.time * 1000 + now.millitm; }
  • 27. • For starters, he thought, perhaps I could determine the server's start time to within a few seconds or minutes. A boring way to go about this would be simply to monitor the server for downtime, and record when it became accessible again. a more proactive approach: crash it!
  • 28. • A few months ago news.yc recovered from some downtime and the server had since been upgraded, so these crashes are/were no longer happening. • He figured that the watchdog works by requesting a page and checking to make sure it gets a response, and that if it doesn't get one, then it assumes the server is wedged and restarts it.
  • 29.
  • 30. • So, there's a limit of 50 concurrent threads, and threads are killed after 30 seconds if they haven't already terminated. So if I were to hold open 50 concurrent connections, and the watchdog were to run during the following 30 seconds, then the server ought to restart. • So, a one-minute interval is 60,000 possible PRNG seeds. • If he kept polling to see when the server came back up after the watchdog killed it, then he very conservatively assumed that he could be among the first 50 people to issue an HTTP request. • Each page that comes back from the server typically contains 2-3 fnids, so the reply he got would contain some from among first few hundred to be generated, and thus from among the first few thousand iterations of of the PRNG. • This leaves determination of the PRNG seed comfortably within the reach of brute force: run the PRNG for 10,000 iterations for each of the 60,000 possible seeds, and see which one produces the fnids he saw in response to his request and wrote a program that does just this
  • 31. • So now he was able to determine PRNG seeds. • But only a tiny fraction of rand-strings that the server generates correspond to login cookies. • Since fnids and login cookies have different lengths, and since the PRNG gets called for a few other purposes at unpredictable times. • Every individual PRNG iteration begins a candidate login cookie. That's 40 or more false candidates produced for every page view. • If each page view produces an average of 50 candidates, and one in every thousand page views is a login (this might be slightly optimistic), that's 50,000 attempts necessary in order to find a working login. HN gets about 500,000 hits on a busy day, so this could be done in a day or two while likely staying under the radar.
  • 32. • To login:- • 1. Request a page. Find a generated fnid from the page source and look it up in our candidate list. Call this A. • 2. ERC> /join #startups <dfranke> Hey guys, I haven't been able to log in to news.yc since the server restarted a little while ago. Anyone else having problems? <jrandomsucker> dfranke: Works for me. <dfranke> Hmm, weird. I'll just try again later I guess. • 3. Request another page, note the fnid, find it in the candidate list. Call this B. • Step 4: Test the cookies that fall between A and B. If this conversation takes one minute, then this reduces the search to about 17,500 attempts -- less than a day's worth at a modest rate of querying -- and possibly picks up multiple accounts in the process.
  • 33. In the End • His better implementation of rand-string which reads from /dev/urandom and obeys a proper uniform distribution was implemented in arc3. • The 50-thread concurrency limit was removed and replaced with a per-IP rate limiter, so the DoS attack described here should no longer work.
  • 34. References • https://blog.netlab.360.com/70-different-types-of-home-routers-all-together- 100000-are-being-hijacked-by-ghostdns-en/ • https://www.bloomberg.com/news/articles/2018-10-12/facebook-s-recent- hack-exposed-user-location-search-data • https://newsroom.fb.com/news/2018/10/update-on-security-issue/ • https://bugs.chromium.org/p/project-zero/issues/detail?id=1654 • https://news.ycombinator.com/item?id=639976