News
Hi everyone,
I know, I'm early this week. I have a full day offsite with my colleagues tomorrow, so I wanted to make sure I got this week's issue finished first :-) Enjoy the read, and have a wonderful Friday and weekend!
P.S.: If you're looking for the Breaches section, I've placed it near the end of the newsletter together with the "Issues and fixes" section, just as an experiment to see if that works better for your reading flow.
New record breaking DDoS vector: HTTP/2 Rapid Reset attacks
AWS, Cloudflare and Google have released coordinated announcements to discuss a new DDoS (distributed denial of service) technique named 'HTTP/2 Rapid Reset'. They've been under several attacks since August, with the biggest reaching a whopping 398 million requests per second. To put that into perspective, as stated in the article: the entire Internet sees between 1 and 3 billion requests per second.
The attacks were executed with a relatively small botnet, so we'll very likely see even bigger attacks occur soon. Even more fun is the fact that there isn't really a fix for it, as it abuses a feature of the HTTP/2 protocol and can't just be "patched", only mitigated by various anti-DDoS techniques.
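As an added illustration (not code from the article or from any of the three vendors), here is the kind of per-connection mitigation the vendors fell back on, in Python. It assumes the attack's documented shape: the client opens a stream with HEADERS and immediately cancels it with RST_STREAM, so the server keeps doing work while the client's concurrent-stream limit never fills. The frame log, the window and the threshold are constructed.

```python
from collections import defaultdict, deque


def constructed_frames():
    """Constructed HTTP/2 frame log as a server would observe it:
    (seconds since start, connection id, frame type, stream id).
    Client-initiated streams use odd stream ids."""
    frames = []
    # c1: a normal browser, five requests over five seconds, one cancelled
    for i in range(5):
        frames.append((i * 1.0, "c1", "HEADERS", 2 * i + 1))
    frames.append((2.1, "c1", "RST_STREAM", 5))
    # c2: the rapid-reset shape, 40 requests opened and cancelled in 200 ms
    for i in range(40):
        frames.append((i * 0.005, "c2", "HEADERS", 2 * i + 1))
        frames.append((i * 0.005 + 0.001, "c2", "RST_STREAM", 2 * i + 1))
    return frames


def flag_rapid_reset(frames, window=1.0, max_resets=10):
    """Score every connection and flag it when more than max_resets
    RST_STREAM frames arrive inside any sliding window of `window` seconds.
    Both thresholds are illustrative; tune them to the server's real traffic."""
    headers = defaultdict(int)      # requests opened per connection
    resets = defaultdict(int)       # streams cancelled per connection
    recent = defaultdict(deque)     # reset timestamps still inside the window
    peak = defaultdict(int)         # most resets seen in any single window
    for ts, conn, ftype, _stream in sorted(frames):
        if ftype == "HEADERS":
            headers[conn] += 1
        elif ftype == "RST_STREAM":
            resets[conn] += 1
            q = recent[conn]
            q.append(ts)
            while ts - q[0] > window:   # drop resets older than the window
                q.popleft()
            peak[conn] = max(peak[conn], len(q))
    report = {}
    for conn, opened in headers.items():
        report[conn] = {
            "headers": opened,
            "resets": resets[conn],
            "reset_ratio": round(resets[conn] / opened, 2) if opened else 0.0,
            "peak_resets_per_window": peak[conn],
            "flagged": peak[conn] > max_resets,
        }
    return report


if __name__ == "__main__":
    for conn, score in flag_rapid_reset(constructed_frames()).items():
        print(conn, score)
```

A real server would act on the flag, for example by closing the offending connection; the legitimate connection with a single cancelled request stays well under the threshold.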
The article does a good job of explaining the issue. If you want to dive deeper, here are the posts from all three companies:
23andMe scraping incident impacts 7 million people
This could have been an entry in the breaches section, but it's about a company that analyses and stores genetic information, and that triggers me.
Much is still unclear, but it seems that the data (but not the DNA info? Although the attacker does claim that) of 7 million people was scraped through the DNA Relatives feature of 23andMe, an opt-in feature to find relatives. The leaked dataset explicitly includes the information on 1.3 million people of Ashkenazi (Jewish) and Chinese descent.
Initial access was supposedly gained through credential stuffing, i.e. exploiting password re-use. The company seems to indicate that that is not their fault, but that is just not true. You can mitigate credential stuffing attacks by pro-actively finding re-used passwords and resetting the account, for example. And one can definitely argue that genetic information warrants that kind of proactivity.
The article also includes a warning from a researcher that the (limited) profile of a 23andMe user can be accessed by replacing the ID in the URL.
Google makes passkeys the default sign-in for personal accounts
It's very exciting and offers a lot of benefits, like being phishing resistant, but there are also some pitfalls, like what happens if you lose your device when you tie the passkey to hardware. See this Hackernews thread for one of many discussions.
Microsoft to kill off VBScript in Windows to block malware delivery
Good news and progress on eliminating another malware delivery vector. VBScript will first become an optional on-demand feature before it is removed entirely.
GlitchSecure: real-time and continuous security testing
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
Progress Software’s financial hit from MOVEit cuts deeper
Progress Software, the company behind the MOVEit file transfer service, has thus far racked up about $3 million in costs, $1 million after insurance coverage. But more lawsuits and damage claims are piling up. I expected worse though. Still, the article might be a good one to bookmark if you want to convince higher-ups to take your place in supply-chain attacks seriously.
Bounty offered for secret NSA seeds behind NIST elliptic curves algo
A bounty of $12,288 has been announced for the first person to crack the NIST elliptic curves seeds and discover the original phrases that were hashed to generate them.
Security risks of Windows Copilot are unknowable
Interesting column with some thoughts on the risks that might come with giving built-in AI systems like Copilot first-class access to our systems.
Learn how to embrace shadow IT safely in your business
This blogpost was written by 1Password for Cybersecurity Awareness Month, focusing on how to safely manage shadow IT, which is the hardware and software that employees use that isn't managed by your company. (Sponsored)
Breaches and leaks
- MGM Resorts says cyberattack cost $100 million, resulted in theft of customer info: link.
- D.C. Board of Elections confirms voter data stolen in site hack: link.
- Air Europa customers urged to cancel cards following hack on payment system: link.
- Volex, a U.K.-based company that produces a range of power products, hit with cyberattack: link.
- Blackbaud agrees to $49.5 million settlement for ransomware data breach: link.
- Third Flagstar Bank data breach since 2021 affects 800,000 customers: link.
- Shadow PC warns of data breach as hacker tries to sell gamers' info: link.
- Simpson Manufacturing shuts down IT systems after cyberattack: link.
Issues and fixes
- Microsoft Patch Tuesday fixes 3 zero-days, 104 flaws: link.
- Long-awaited curl vulnerability flops: link.
- GNOME Linux systems exposed to RCE attacks via file downloads: link.
- Confluence zero-day exploited by state actors since September: link.
- D-Link WiFi range extender vulnerable to command injection attacks: link.
- New critical Citrix NetScaler flaw exposes sensitive data: link.
- Microsoft Exchange gets better patch to mitigate critical bug: link.
- 'Looney Tunables' Linux flaw sees snowballing proof-of-concept exploits: link.