Weaponized Networked Printing Is Now A Thing

It’s a fairly safe bet that a Venn diagram of Hackaday readers and those who closely follow the careers of YouTube megastars doesn’t have a whole lot of overlap, so you’re perhaps blissfully unaware of the man who calls himself [PewDiePie]. As such, you might not know that a battle between himself and another YouTube channel which uploads Bollywood music videos has reached such a fever pitch that his fans have resorted to guerrilla hacking to try to sway public opinion towards their side. It’s perhaps not the dystopian future we imagined, but it just might be the one we deserve.

To briefly summarize the situation, a hacker known only by the handle [TheHackerGiraffe] decided to help out Dear Leader by launching an automated attack against 50,000 Internet connected printers. When the hack was successful, the printer would spit out a page of digital propaganda, complete with fist ASCII art, that urged the recipient to go on YouTube and pledge their support for [PewDiePie]. There’s some debate about how many of the printers [TheHackerGiraffe] targeted actually delivered their payload, but judging by reactions throughout social media, it was enough to get the message out.

While the stunt itself may have come as a surprise, the methodology wasn’t. In fact, the only surprising element to the security researchers who’ve weighed in on the situation is that this hasn’t happened more often. It certainly isn’t the first time somebody’s done it, but the fact that this time its been connected to such a high profile Internet celebrity is putting more eyes on the problem then there have been in the past. Now that the proverbial cat is out of the bag, there are even websites springing up which claim to be purveyors of “Printer Advertising”. Odds are good this won’t be the last time somebody’s printer starts running off more than TPS reports.

We here at Hackaday don’t have much interest in the battle for YouTube supremacy. We’re just pulling for Dave Jones’s EEVBlog channel to join [AvE] in breaking a million subscribers. But we’re very interested in the technology which made this attack possible, how likely it is we’re going to see more people exploit it, and what are we supposed to do now that even our own printers can be turned against us?

Continue reading “Weaponized Networked Printing Is Now A Thing”

Hello, And Please Don’t Hang Up: The Scourge Of Robocalls

Over the last few months, I’ve noticed extra calls coming in from local numbers, and if you live in the US, I suspect maybe you have too. These calls are either just dead air, or recordings that start with “Please don’t hang up.” Out of curiosity, I’ve called back on the number the call claims to be from. Each time, the message is that this number has been disconnected and is no longer in service. This sounds like the plot of a budget horror movie, how am I being called from a disconnected number? Rather than a phantom in the wires, this is robocalling, combined with caller ID spoofing.

Continue reading “Hello, And Please Don’t Hang Up: The Scourge Of Robocalls”

Defeating Reddit’s CAPTCHA

cap

Here’s something we’re sure SEO specialists, PR reps, and other marketeers already know: how to write a script to game reddit.

The course of upvotes and downvotes controls which submission makes it to the front page of reddit. These submissions are voted on by users, and new accounts must log in and complete a CAPTCHA to vote. [Ian] discovered that reddit’s CAPTCHA is not really state-of-the-art, and figured out how to get a bot to solve it

The method exploits the 8-bit nature of the distorted grid in the CAPTCHA. Because this grid isn’t pure black or pure white, it’s at a lower intensity than the letters in the CAPTCHA. Putting the CAPTCHA through a threshold filter, deleting any blocks of pixels smaller than 20 pixels, and running it through a classifier (PDF there), a bot can guess what the letters of the CAPTCHA should be.

Out of the 489 CAPTCHAs [Ian] fed into his algorithm, only 28 – or 5.73% – were guessed correctly. However, because he knows which CAPTCHAs had failed segmentation, ignoring those can increase the success rate to 10%. Theoretically, by requesting new CAPTCHAs, [Ian] can get the accuracy of his CAPTCHA bot up to about 30%.

Combine this with a brilliant auto voting script that only requires someone to enter CAPTCHAs, and you’ve got the recipe for getting anything you want directly to the front page of reddit. Of course you could do the same with a few memes and pictures of cats, but you knew that already.

Reddit Hacking For Votes And Profit

Looks like someone figured out how to game the Reddit system. This probably has been done before, but as far as we know nobody’s actually shared the methods in detail. [Esrun] wrote some scripts that allow him to register multiple accounts and use them to up-vote stories.

The hack goes something like this. A script registers a group of accounts. Each uses a different IP and the only part that requires intervention is typing in the Captcha. This doesn’t take long. You can see the script interface above as well as a demonstration video after the break.

Once the accounts have been acquired a story is submitted and the new accounts vote on it. They’re not all up-votes though, as having both up and down votes puts the article into the controversial section of Reddit (which is desirable), and doesn’t rouse as much suspicion from the moderators. He ran a few tests that he shares and it seems that as long as the article is interesting, this can be quite successful.

Great, more spam with our social media please.

Continue reading “Reddit Hacking For Votes And Profit”

Company Shutdown Causes 2/3rds Drop In All Spam

The Washington Post is reporting that the shutdown of one hosting company has caused the total volume of spam to drop by 2/3rds. The company in question is McColo Corp. Both Hurricane Electric and Global Crossing pulled the plug today after a damning report revealed a number of illegal activities happening on McColo’s servers. McColo already had a reputation with the security community. When contacted about abuse, the company would often shift servers to new IP ranges instead of shutting them down. Although not the main source of spam, the company was host to many botnet control servers and phishing sites.

[photo: mattdork]

[via Waxy]

Antivirus Products Still Fail On Fresh Viruses


Many computer users rely on antivirus software from McAfee and Symantec to protect their computers from malware, worms, and viruses. Since the creation of viruses outpaces the protection abilities of the software, antivirus protection lags behind and may not be as secure as you think. [Gary Warner] provides some examples of current malware making the rounds that continue to be unaddressed by anti-virus vendors, including the recent “CNN Alerts: Breaking News” spam, which morphed into MSNBC alert spoofs. Our advice? Keep your antivirus software updated, but don’t believe that it will catch everything for you. Only open files from sources you know and trust.

[via Waxy]