Not just Mirai! Another IoT Botnet found

On the 21st October 2016, the internet was disrupted by 100,000 Internet of Things devices. DYN is a DNS provider for many websites including Twitter, Reddit, Github, PayPal, Pinterest and many more. This was done using the Mirai botnet which is specifically made to target Internet of Things devices with default usernames and passwords. A Chinese Electronics firm also stepped up and said their devices were also used in the attack and that their passwords were hardcoded on their devices. They have since recalled their smart cameras.

Now a new botnet named Linux/IRCTelnet is a piece of malware written in the C++ language.  It works in the same way that the Mirai malware works and relies on the default / hard-coded passwords to infect Linux based IoT devices.  It works by bruteforcing an IoT device through its Telnet port, which is basically SSH but not encrypted. Once the malware has been able to log into the device it adds it to its IRC based botnet. Every device that is hacked this way connects back to a command-and-control server and awaits instructions from the bot master.

The security researchers who have been studying the botnet called MalwareMustDie ( found around 3400 infected devices and have also said that it is fully capable of raising an army of 3500 bots every 5 days.

I will be doing a video about the IoT related Botnets soon, so stay tuned. But remember to secure your IoT devices or else your device could also become part of a large botnet and be partly responsible for the internet going down again.

Nintendo announces their next console: The Nintendo Switch

I’ve been a Nintendo fan for a very long time. I got my first gameboy for christmas which was a Purple Gameboy Advanced with Pokemon Ruby. But even before then I had seen the wonderful world of Nintendo 64 Mario Kart and Zelda. I still own my Gameboy Advanced, Gameboy Advanced SP, Original Gameboy, Nintendo DS and Nintendo 3DS XL, Nintendo Wii and I’m about to own the Nintendo Switch.

Previously known as the Nintendo NX which was its codenamed, there was a tonne of speculation to what they were actually making. We kind of already knew that it wouldn’t be anything to compete against Microsoft and Sony as that’s not what Nintendo do. I personally speculated that it would be a hybrid console like the NVIDIA SHIELD and I wasn’t wrong.

Yesterday October 9th Nintendo unveiled the trailer for the Nintendo Switch, a hybrid games console that will play on your TV and be portable – exactly what I personally wanted from the system.

The switch is a ‘tablet’ that docks at home where you can play with a wireless controller on your TV. When it’s time to go on the road or play in the bath you can simply slide each side of the controller off and then slide it onto the tablet, making it portable. What I love is that it looks really nice and it features a headphone jack and cartridges. You can also get a full size controller.

The device, while we don’t know the specs, looks like it packs quite a punch in terms of power. We know it features an NVIDIA GPU which makes me wonder if Android is going to be the Operating System it uses. Also from the trailer the games look to run super smooth. I’m actually really excited that I can play the new Pokemon Sun and Moon on my TV while sat in bed – it also makes me wonder / hope that the 3DS and Switch will  use the same cartridge.

We don’t know many details about the switch. Takashi Mochizuki tweeted out saying that Nintendo would not announce anything officially until March 2017 which include sgame suppoer, spec details and region-lock.

I estimated that the Nintendo Switch will cost around £250-350 due to a accidental leak from UK retailer Tesco which leaked a landing page with placeholder images and prices. The price listed was £349.99 which seems reasonable.

Personally I’m really excited for this, I’ve not owned a home-console since the Xbox 360 as I’m mainly a PC Master Race kinda guy, but sometimes I’d like to sit on my bed and play some Pokemon or Zelda – which this will deliver to me plus more!

Kali Linux 2016.2 is here!

Kali Linux 2016.1 has now been released to the public. The Offensive Security team said in DEF CON conference that they were going to release their second version of Kali Rolling. The biggest change to the operating system is multiple desktop variants specifically KDE, Xfce, MATE, LXDS and Enlightenment. Only for 64Bit however. The team have also said they will be bringing updated Live ISO images with new software versions and security patches. But mainly this version  has bug fixes and general updates to make sure that the ‘apt-get update’ isn’t massive. So get it downloaded!

How you can hack multiple Facebook accounts

Gurkirat Singh from California has recently discovered a loophole in the password reset for Facebook. Read on to learn how it works.

The theory of the attack is pretty simple, however the execution of the attack is more difficult. The idea is is that Facebook uses an algorithm to generate a 6-digit code. If you’re wondering how many different combinations that is, it’s 1,000,000. These codes do not change until it gets used. The algorithm that Facebook uses to generate these codes has not been cracked yet, it seems to be completely random. The idea is that if 1 million people request a password change within a very short amount of time and no one uses the code then the 1,000,001 person to request a code will get a passcode that somebody out of that 1 million will have already been assigned.

Singh tested this idea by sending 2 millions emails to get duplicated passcodes. This is also called the Pigeonhole Principle.

In mathematics, the pigeonhole principle states that if n items are put into m containers, with n > m, then at least one container must contain more than one item. This theorem is exemplified in real life by truisms like “there must be at least two left gloves or two right gloves in a group of three gloves”.

He then went on to decide on a random 6 digit number that is likely to occur. Integers less than 100,000 have a lower probability of occuring than integers between 300,000 and 699,999 or 800,000 and 999,999 which have a higher probability of occurring. He does go on to mention that this isn’t the rule of thumb, but from his testing it will help him later. So he picks a number and now he needs to brute force it against 2 million accounts.

Now how do you get 2 million accounts to send a request? You use the Facebook ID’s. Facebook ID’s tend to be 15 digits long. For example,000,000,000,000. If the ID number is correct then the ID will be changed to the username of that account. Now Singh has made this publicly available here: Download. There are other issues too, for example getting IP Blocked. If you send multiple password resets you will eventually be IP Blocked, so Singh made it so that he had a pool of 1000 IP Address that each one would send an password reset request. Singh also mentions that you need to simulate user behavior when requesting a passcode, so he used PhantomJS and created a multithreaded script in Java that requests a passcode to every user in the usernames list. Finally it was time to execute the attack, Singh used a free trial of the Google Compute Engine where he setup 8 Virtual Machines each with 12 cores and 20GB of RAM in different regions and let the scripts run. Below is a screenshot of the attack in progress.

8 Virtual Machines attempting to hack Facebook accounts

The next step to all of this was to brute force each of these accounts that had a pending Password reset on them with a random passcode that had a high probability of happening, so 338625. As you can see from a picture he took, he did find one that matched.




This meant that if he browsed to that link, he was prompted to enter a new password for the Facebook account which would allow him to take over the account.

Singh submitted the Bug Bounty to Facebook and recieved a reward of $500. Apparently Facebook said that this kind of attack is low priority (Interesting).

And that’s how Gurkirat Singh could have gotten full access to lots of Facebook accounts. Original article here: Click Me!

Pokemon GO! Released on Android & iOS

Pokemon GO! is finally here, kind of. Pokemon GO is the long awaited augmentation game where you wander round in real time (Yes, you need to get up and walk) while being tracked by GPS and you will have a chance to stumble across wild Pokemon and capture them with a ‘flick’ of the finger.

Unfortunately, Pokemon GO is only available for the US at the moment, however if you are an Android user you can simply download the APK file and install it and it’ll work fine. However, due to the popularity of the game at the moment the servers are very intermittent as the current load of players trying to play is crashing them and taking them offline for periods of time.

I’ve personally managed to play for a short amount of time, I found a Weedle on my dog and a pidgy in a field. It’s pretty fun to wander around and capture these Pokemon, but it won’t surprise me if you end up getting lost in strange places where you’ve never been before capturing virtual non-existent Pokemon, but hey, that’s part of the fun.

Obviously, like with everything, memes and discussion has been popping up everywhere. There is also a subreddit (/r/pokemongo) with people asking who’s going to be the first casualty for walking of a bridge or into traffic trying to catch a pidgy.

Anyway, it has it’s issues but it’s fun when you eventually get on and could potentially get you out the house

Funding for Raspberry Pi Cluster Computing

Hey guys,

Been awhile since I’ve made a blog post, however this one is a little different.

In my recent Explained video about ‘Super Computers’ I mentioned I’d like to do a video about Raspberry Pi cluster computing and how to set it up and how it works. The feedback for that has been great and now I’m really pumped to make it, however there is a small financial catch.

I’m wanting to use 4x Raspberry Pi 2 Model B’s, each cost around £30 each. £30 x 4 = £120 worth of Raspberry Pi’s. So basically this blog post if for anyone that wants to contribute towards the Raspberry Pi Cluster computing video, I’ve setup a donation button at the bottom of this page where you can donate anything you like and it’ll all go towards the project and of course I’ll give a nice little thank you shout out in the video when it comes out.

Anyway the button is below for anyone that is feeling generous!

The Pentagon launches a Bug Bounty

Interested in hacking into The Pentagon? Well now you can!

It has been dubbed ‘Hack the Pentagon’. It is a bug bounty program that invites hackers and security researches to try and break into the Pentagons systems and also Department of Defense public faced websites. The program will begin in April 2016 and participants will need to undergo and pass a background check before you can even start looking for vulnerabilities. Those successful at uncovering vulnerabilities within The Pentagon will be recognised for their work and also win money.

The systems that the hackers will be able to ‘play’ with are predetermined so you can’t just pick any and start breaking into it.

Hackers are actively targeting the goverment departments, which is why this Bug Bounty is been started. Malicious hackers who are successful at breaking into The Pentagon could potentially reveal national secrets.  By having a Bug Bounty it means that lots of people can be trying to break the systems which leads to things been fixed and secure and the hackers getting paid for their work.

Bug Bountys are not uncommon, infact activly finds people to break into companies.


Apple to recieve a $1Million Fine for every iPhone they don’t unlock


It seems that Apple can’t do do right for doing wrong at the moment with the whole encryption battle. Despite them winning the case in New York against the federal authorities, France has now jumped on the bandwagon.

Yann Gault who is a member of France’s Socialist Party has submitted an amendment to a bill aimed to strengthen the French government’s ability to fight against terrorism. This amendment states that Apple should have to pay $1.08Million fine for every iPhone Apple refuses to unlock when asked by the law. Not only Apple is been targeted by this, Goolge as well should be fined $1Million for not helping investigators to extract data from a suspect’s smartphone.

Depending on who’s side you’re on with this whole legal battle with depend on what you think is fair. Personally I am completely on Apple’s side and I’m looking from a business side. Apple is a worldwide company and sells its products to people from all around the world. Can you imagine how much their business would fail if people stopped buying their phones because the US Government has their own backdoor into the phones? I wouldn’t want one, the last people I would want screwing around in my phone would be the US Government. It’s not exactly something Apple can advertise and shout from the rooftops.  Encryption exists for a reason, it’s one way, as in that data is not supposed to be retrieved on demand.

If you want to fully understand my perspective on the whole situation watch this video by Louis Rossmann

Anyway, to finish this news post, I really doubt that Apple or Google are ever going to play $1Million to the French government.

The Raspberry Pi 3 – Now with WiFi, Bluetooth and much more!


If you’ve been following me for any amount of time then you’d probably know that I am a huge fan of the Raspberry Pi.

Not too long ago the Raspberry Pi 2 became available which featured a 900MHz quad core cpu and 1GB RAM and it was fast! (For what it was) and also had support for Windows 10 on it’s new ARM Cortex A7 CPU.

However, the Raspberry Pi 3 is now on sale, still for $35 and it comes with much more power. The cpu has been upgraded to a 1.2GHz 64Bit quad core CPU (ARM Cortex A53)  and still the same amount of RAM (1GB). I found that fact that it was still 1GB of RAM interesting and wondered why it hadn’t been pushed too 2GB. But my question was answered in the comments: “No plans. There is an architectural limitation with the VC4 which means 1GB is the limit. Learn to write less memory hungry code!” 

Along with the faster, 64bit cpu, the Raspberry Pi 3 now has built in 802.11n wireless and Bluetooh 4.1 – Finally! No more power hungry USB Dongles. I’m really glad this has been added to the new Pi.

If you’re interested just how much the Raspberry Pi project has changed over the years. Picture this: The orginal Raspberry Pi A had 256MB RAM and a 700MHz single core processor. The new Raspberry Pi has said to be 10x faster than the original model and the price hasn’t really changed at all. Infact, even the $5 Zero has a 1GHz single core processor – for $5! (If you can find one.)

Definitely going to be picking up one of these to add to my collection. It’ll be interesting to see how much faster it is. Are we going to be able to buy a full basic workstation computer for $35? It sure looks like it.





The blog is back!

Welcome back to the blog. I intend to post news stories here in the world of tech every day (We’ll see how well that goes). Hopefully you guys are enjoying the new blog layout and you can still access the forums by using the nav bar at the top of the page.