We are still hot on the tracks of DDoS attacks: Akamai has reported a doubled number of DDoS attacks since last year. In the last week it was reported that OVH was hit by the largest DDoS attack ever recorded, at 990Gbps. The attack is thought to have come from over 152,000 compromised Internet-of-Things devices such as internet-connected cameras. Want to learn more about the source code of the tool facilitating these attacks?
It’s believed to be the same source that hit security researcher Brian Krebs’ website the day before with a 620Gbps attack. Obviously this amounts to a major threat right now. It won’t be resolved until the networks these devices operate on can be secured or are patched to secure them from use in such attacks.
Compromised Internet of Things Sobers Analysts
The source code for the tool that ran these DDoSes has now been released and the analysis makes for sobering reading. Most of the Internet-of-Things devices used in these attacks were compromised using telnet and a small number of common login credentials. The public release of this information is likely, for the short term at least, to increase the frequency of attacks coming from this source.
Another Giant Faces Security Breach
In news of security breaches, it has been discovered that Yahoo! has suffered a breach revealing user details of a half billion user accounts. The data was taken back in 2014 and has just come to light. How? It came up for sale on the dark web. This seems to be following a similar pattern that we’ve seen in data breach announcements over recent weeks where data was stolen some years back and has only just been acknowledged after coming up for sale online.
Google Launches CSP Evaluator Tool
WoSign Shunned By Apple
In a blow to the trustworthiness of the SSL certificate system, Apple has decided not to trust the intermediate certificates signed by the Chinese certificate authority, WoSign. The reason stems from a discovery by Mozilla engineers that the authority had been issuing backdated certificates using insecure SHA-1 cryptography. The use of SHA-1 was banned in January, and browsers will now not accept a SHA-1 certificate that was issued after the ban was imposed. The backdating of certificates has been seen as a method to avoid the ban on SHA-1. Apple’s decision not to trust WoSign certificates will currently affect new certificates being issued, while certificates issued before September the 19th will still be valid for now. Mozilla are in discussions about what to do about the certificates.