Issue 67

New memcached DDoS record at 1.7 Tbps

Last week's issue reported on a DDoS record of 1.3 Tbs, based on memcached reflection. The day after a new record of 1.7Tbs was reached in an attack on Arbor Networks, a DDoS mitigation service.


Mitigation against memcached reflection attacks

Good news too on the memcached front. There's a mitigation technique where you send a flush_all command to the servers that are attacking you. Memcached also released a new version with UDP disabled by default.


Reseachers found new flaws in the 4G LTE protocol

"An attacker could connect to a 4G LTE network using another user's identity, send messages on behalf of another user, intercept messages meant for that user, spoof the location of a mobile device, and even force other devices to disconnect from a mobile network."
Telecom protocols really aren't winning any points with me :/ And unfortunately there's no real chance of these issues getting fixed.


Kali Linux now available in the Windows Store

Things I never thought I'd write. Kali Linux is made specifically for pentesting, with tools like Metasploit, Burp Suite and much more. You can now install it on Windows 10. I did read cases where Windows Defender wasn't happy with all them hacker tools, so maybe read up a bit more before you try it :)


Researchers pull off a phishing attack against a Yubikey in Chrome

There is nothing wrong with the Yubikey. Rather, it's Chrome that allows for things to happen that shouldn't through its WebUSB API. The attack is very hard to pull off, but Chrome will issue a temporary fix and work with the FIDO alliance to dig deeper.


Update all the things \o/

A noninclusive list of updates I came across:

  • Chrome released an update fixing 45 security vulnerabilities and blocking 'tab-under redirects', where a site opens a new tab and redirects the original tab: link
  • Android received its March update with 11 critical vulnerabilities fixed, seven of which are remote code execution bugs: link
  • Updates were released for the Pivotal Spring framework, fixing serious remote code execution issues similar to those that tackled Equifax: link
  • HP released an update fixing a critical issue in its remote management tool called Integrated Lights-Out 3 (iLO3): link


GDPR - a practical guide for developers

Very interesting and down to Earth overview for dev/ops people on how you can go about implementing GDPR in your codebase and infrastructure.


GDPR SaaS index - curated list of GDPR statements by SaaS vendors

Speaking of GDPR, here's a list of well known services and a link to their GDPR statements.


Any.Run, an interactive malware analysis tool, is now open to the public

It's a pretty awesome looking service where you can upload a malware sample in a sandbox and see things like what network calls it makes and which registry values and files it changes.


List of companies and whether or not they have two-factor auth available

For those who haven't seen this yet: a cool project that lists the availability of 2fa for a whole lot of companies, divided by category and searchable by name.




Exploiting blind XSS and second order SQL injection vulnerabilities

Watch this technical demo by Netsparker's CEO Ferruh Mavituna, during which he explains the blind XSS and second order vulnerabilities and also shows how attackers can exploit them.


Securing your company Macs

Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.