News
Hi folks,
I hope you all had a good week. Mine was great, but I do look forward to the weekend, some rest, and playing some more Helldivers 2 ;-) But first sit back, have some coffee, and enjoy browsing through this week's issue.
Have a good one!
Loop DoS attack: 300,000 systems vulnerable
I'm having a hard time figuring out how big of a deal this is, but it seems like a brilliant find. It's an issue in UDP implementations, which have been around for, well, forever, in Internet terms.
It abuses the fact that UDP packets can be spoofed and that some applications respond to an unexpected packet by sending an error message to the (spoofed) source IP. You, the attacker, send a packet to server A with the source IP of server B (the victim). Server A then responds with an error message to server B, which in turn responds with an error to server A, which responds to B again, and so forth: the two get stuck in a resource-exhausting loop of network traffic, sending errors back and forth. And all you have to do is send that first message to server A.
Various products from Broadcom, Honeywell, Microsoft, and MikroTik, among others, are vulnerable. These vendors were notified in December 2023 and some have released patches.
One interesting mitigation, should you be a victim of this, is to trigger packet loss between the affected devices. Once some traffic is siphoned off, the loop breaks and it would have to be re-initiated.
For more information, see the advisory itself. At the bottom is a link to a Google doc with a more elaborate explanation.
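To make the mechanism and the two ways it ends concrete, here is an added in-memory model (not code from the advisory, the Google doc, or any affected product; the service names, message format, and the flow-based detection heuristic are my own assumptions). It runs the error ping-pong between two toy UDP services, shows that a service which never answers an error with an error ends the exchange after a couple of datagrams, shows that packet loss on the path ends it too, and then flags the looping pair in constructed flow records by looking for heavy, nearly symmetric traffic between two hosts.

```python
import random
from collections import Counter, deque

ERROR_PREFIX = b"ERR:"


class UdpService:
    """Toy UDP service (constructed model, not any vendor's code).

    replies_to_errors=True models the vulnerable behaviour: every
    unrecognised datagram, error messages included, is answered with an
    error sent to the apparent (spoofable) source address.
    """

    def __init__(self, name, replies_to_errors=True):
        self.name = name
        self.replies_to_errors = replies_to_errors

    def handle(self, src, payload):
        """Return (dst, payload) to send, or None to stay silent."""
        if payload.startswith(ERROR_PREFIX) and not self.replies_to_errors:
            return None  # hardened: an error is never answered with an error
        return src, ERROR_PREFIX + b"unexpected datagram from " + src.encode()


def run_exchange(a, b, loss_probability=0.0, max_deliveries=10_000, seed=1):
    """Deliver one spoofed datagram to `a` that appears to come from `b`,
    then keep delivering replies until the exchange dies out or
    `max_deliveries` is reached. Returns the list of (src, dst) pairs that
    were actually delivered, in order."""
    rng = random.Random(seed)
    services = {a.name: a, b.name: b}
    inflight = deque([(b.name, a.name, b"spoofed trigger")])  # (src, dst, payload)
    delivered = []
    while inflight and len(delivered) < max_deliveries:
        src, dst, payload = inflight.popleft()
        if rng.random() < loss_probability:
            continue  # datagram lost on the path; nobody answers it
        delivered.append((src, dst))
        reply = services[dst].handle(src, payload)
        if reply is not None:
            reply_dst, reply_payload = reply
            inflight.append((dst, reply_dst, reply_payload))
    return delivered


def is_looping(delivered, max_deliveries=10_000):
    """True when the exchange only stopped because the cap was reached."""
    return len(delivered) >= max_deliveries


def suspicious_pairs(records, min_packets=100, balance=0.4):
    """Flag host pairs whose traffic is both heavy and nearly symmetric,
    which is what an error ping-pong looks like in flow data (assumed
    heuristic). Returns a sorted list of (host, host) tuples."""
    per_pair = Counter()
    per_direction = Counter()
    for src, dst in records:
        per_pair[frozenset((src, dst))] += 1
        per_direction[(src, dst)] += 1
    flagged = []
    for pair, total in per_pair.items():
        if total < min_packets:
            continue
        h1, h2 = sorted(pair)
        share = per_direction[(h1, h2)] / total  # fraction sent h1 -> h2
        if balance <= share <= 1 - balance:
            flagged.append((h1, h2))
    return sorted(flagged)


if __name__ == "__main__":
    loop = run_exchange(UdpService("srv-a"), UdpService("srv-b"))
    print("two vulnerable services, no loss:", len(loop), "datagrams, looping:", is_looping(loop))

    fixed = run_exchange(UdpService("srv-a"), UdpService("srv-b", replies_to_errors=False))
    print("one service patched to ignore errors:", len(fixed), "datagrams")

    lossy = run_exchange(UdpService("srv-a"), UdpService("srv-b"), loss_probability=0.1)
    print("two vulnerable services, 10% loss:", len(lossy), "datagrams")

    # Constructed background traffic: a small balanced DNS exchange and a one-way flood.
    background = [("client", "dns"), ("dns", "client")] * 5 + [("scanner", "host")] * 300
    print("flagged pairs:", suspicious_pairs(loop + background))
```

The simulation never touches the network; the point is that a single spoofed datagram is enough to start the exchange, and that either side ignoring error messages, or loss on the path, is enough to end it, which is exactly why the advisory's "introduce packet loss" mitigation works. The flow heuristic is deliberately crude (balanced direction share plus a volume floor) so that a short, legitimate request/response exchange or a one-way flood is not flagged.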
GitHub’s new AI-powered tool auto-fixes vulnerabilities in your code
Very interesting development. It's currently available for JavaScript, TypeScript, Java, and Python, with support for C# and Go coming next. It's enabled by default on all private repositories of GitHub Advanced Security (GHAS) customers.
1Password for developers: secrets, SSH keys, and more
I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords, it also holds your SSH keys, signs your Git commits, injects tokens and other secrets into CLI scripts, and much more. (Sponsored)
Quick links
- White House and EPA warn water sector of cybersecurity threats: link.
- Hackers earn $1,132,500 for 29 zero-days at Pwn2Own Vancouver: link.
- Flipper Zero makers respond to Canada’s ‘harmful’ ban proposal: link.
- Microsoft announces deprecation of 1024-bit RSA keys in Windows: link.
- US Defense Dept received 50,000 vulnerability reports since 2016: link.
Breaches and leaks
- Misconfigured Firebase instances leaked 19 million plaintext passwords: link.
- Fujitsu found malware on IT systems, confirms data breach: link.
- International Monetary Fund email accounts hacked in cyberattack: link.
- Jacksonville Beach and other US municipalities report data breaches following cyberattacks: link.
- International freight tech firm, Radiant Logistics, isolates Canada operations after cyberattack: link.
- Apparel giant VF sends out breach letters to millions following 2023 cyberattack: link.
- Nations Direct Mortgage alerts 83,000 to personal data leaks from December cyberattack: link.