CyberSecurity Pulse 2016-09-29

“No man is good enough to govern another man without the other’s consent.”
Abraham Lincoln

Analyst Insight

Brian Krebs, expert in trouble

Brian Krebs, one of the best-known figures in popularizing security and the editor of the blog KrebsOnSecurity, has been silenced by a denial-of-service attack after one of his latest revelations. The attacks started shortly after Krebs published information from the hack of a DDoS-for-hire service known as vDOS, whose operators were reported to have earned about $600,000. On Thursday morning, just two weeks after Krebs published his first post on the matter, he reported that a sustained attack had been bombarding his site with as much as 620 gigabits per second of junk traffic. Krebs had been able to stay online thanks to the generosity of Akamai, but at 4 pm even a provider of that size gave Krebs two hours' notice that it would no longer be able to absorb the considerable cost of defending KrebsOnSecurity. Krebs opted to take the site offline to prevent collateral damage to his service provider and its customers.

As a reference for the size of these attacks, the organizers of the Rio de Janeiro 2016 Olympic Games reportedly received sustained attacks in the order of dozens of gigabits per second, with peaks exceeding hundreds of gigabits per second. The existence of dedicated platforms offering Distributed Denial of Service attacks, usually paid for in cryptocurrencies such as Bitcoin or, more recently, Monero, is the materialization of a not necessarily new trend towards Crime as a Service (CaaS). Brian Krebs is the latest victim of the professionalization of a phenomenon which, presumably, will only grow in the near future.

» More information at Ars Technica UK

Top Stories

About 500 Million Yahoo Emails May Have Been Exposed

Yahoo's Chief Information Security Officer, Bob Lord, announced on Thursday that the information of nearly half a billion accounts may have been exposed. The allegedly accessed information includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers. The breach, which reportedly took place in late 2014, would be one of the largest ever recorded for a single website, well beyond the 360 million accounts leaked in the Myspace incident or the roughly 160 million leaked in each of the LinkedIn and Adobe breaches.

» More information at Ars Technica UK

Facebook Can No Longer Share Data of German Users on WhatsApp

Facebook has been ordered to stop collecting and storing the data of German users of its messaging app, WhatsApp. According to the Hamburg commissioner for data protection and freedom of information, Facebook has not obtained effective consent from WhatsApp's 35 million German users. In response, Facebook said in a statement: "We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns." EU and US regulators say that the update needs to be investigated, and the UK's Information Commissioner is investigating the changes.

» More information at SC Magazine UK

Rest of the Week's News

Microsoft Launches Fuzzing-as-a-service To Help Developers Find Security Bugs

Microsoft announced the availability of a new cloud-based service for developers that allows them to test application binaries in order to find security flaws before they are deployed. Called Project Springfield, the service uses "whitebox fuzzing" (also known as "smart fuzzing"), which derives new test inputs from an analysis of the paths the program takes while running, to find the kinds of software bugs attackers use to exploit systems.

» More information at Ars Technica UK

Google Is Looking to Reshape Web Defences with Strict Content Security Policies

Cross-site scripting has been one of the top web security vulnerabilities for over a decade. To help developers craft Content Security Policies which meaningfully protect their applications, Google has released the CSP Evaluator, a tool to visualize the effect of setting a policy and to detect subtle misconfigurations.

» More information at SC Magazine UK
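As an added illustration of what a "strict" policy checker looks for (this is example code written for this issue, not Google's CSP Evaluator and not code from the linked article), the following JavaScript parses a Content-Security-Policy header value and reports the classic weaknesses: 'unsafe-inline' without a nonce or hash, wildcard or scheme-only script sources, host allowlists (which are frequently bypassable through JSONP endpoints or hosted libraries), a missing object-src 'none', and a missing base-uri. The two sample policies are constructed for the example; the nonce value in the strict policy is a placeholder, not a real per-response nonce.

```javascript
// Added example: a minimal checker for Content-Security-Policy header values.
// Not Google's CSP Evaluator; written to show which findings a nonce-based
// "strict CSP" avoids. Assumptions: the header value is a plain string;
// directive names and keywords are compared case-insensitively.

const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"]);

// Parse "dir src src; dir2 src" into { dir: [src, ...] }. The first occurrence
// of a directive wins, which is how browsers treat duplicate directives.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

function isNonceOrHash(src) {
  return /^'(nonce-|sha(256|384|512)-)/i.test(src);
}

// Returns a list of findings { severity, directive, message }. An empty list
// means none of the weaknesses this checker knows about were found.
function evaluateCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  // script-src falls back to default-src when absent.
  const scriptDirective = "script-src" in policy ? "script-src"
    : ("default-src" in policy ? "default-src" : null);
  if (scriptDirective === null) {
    add("HIGH", "script-src", "neither script-src nor default-src is set: script execution is unrestricted");
  } else {
    const srcs = policy[scriptDirective];
    const lowered = srcs.map((s) => s.toLowerCase());
    const hasNonceOrHash = srcs.some(isNonceOrHash);
    const strictDynamic = lowered.includes("'strict-dynamic'");

    if (lowered.includes("'unsafe-inline'")) {
      if (hasNonceOrHash) {
        // CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present;
        // it only serves as a fallback for old browsers.
        add("INFO", scriptDirective, "'unsafe-inline' is ignored by nonce/hash-aware browsers and only acts as a legacy fallback");
      } else {
        add("HIGH", scriptDirective, "'unsafe-inline' allows inline scripts, which defeats CSP as an XSS mitigation");
      }
    }
    if (lowered.includes("'unsafe-eval'")) {
      add("MEDIUM", scriptDirective, "'unsafe-eval' allows eval()/new Function() on attacker-influenced strings");
    }
    for (const src of lowered) {
      if (KEYWORDS.has(src) || isNonceOrHash(src)) continue;
      // With 'strict-dynamic', host and scheme sources are ignored, so a wide
      // fallback such as https: is harmless in browsers that support it.
      if (strictDynamic) continue;
      if (src === "*" || /^(https?|data|blob|filesystem):$/.test(src)) {
        add("HIGH", scriptDirective, `${src} permits scripts from attacker-controllable origins`);
      } else {
        add("MEDIUM", scriptDirective, `host allowlist entry ${src}: allowlists are frequently bypassable; prefer nonces or hashes with 'strict-dynamic'`);
      }
    }
  }

  // object-src: plugin content (e.g. Flash) can run script unless blocked.
  const objectSrcs = policy["object-src"] || policy["default-src"];
  if (!objectSrcs || !objectSrcs.map((s) => s.toLowerCase()).includes("'none'")) {
    add("HIGH", "object-src", "object-src is not 'none': plugin content can be used to run script");
  }

  // base-uri: an injected <base> element redirects relative script URLs.
  if (!("base-uri" in policy)) {
    add("MEDIUM", "base-uri", "base-uri is missing: an injected <base> element can redirect relative script URLs");
  }
  return findings;
}

// True when the policy has no HIGH or MEDIUM findings.
function passesStrictCsp(header) {
  return evaluateCsp(header).every((f) => f.severity === "INFO");
}

// Constructed sample policies (placeholder nonce; a real one is random per response).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com *";
const STRICT_POLICY = "object-src 'none'; script-src 'nonce-R4nd0mV4lu3' 'unsafe-inline' 'strict-dynamic' https: http:; base-uri 'none'";

for (const [label, header] of [["weak", WEAK_POLICY], ["strict", STRICT_POLICY]]) {
  console.log(`${label}: ${passesStrictCsp(header) ? "OK" : "FAIL"}`);
  for (const f of evaluateCsp(header)) console.log(`  [${f.severity}] ${f.directive}: ${f.message}`);
}
```

The strict policy follows the shape Google recommends: a per-response nonce plus 'strict-dynamic', with 'unsafe-inline' and https: http: kept only as fallbacks that nonce-aware browsers ignore. Note that the checker's allowlist finding is deliberately conservative; an allowlisted host is only exploitable when it serves something like a JSONP endpoint, but proving a host is safe is much harder than switching to nonces.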

Facebook Releases Osquery Security Tool for Windows

osquery, an open source framework created by Facebook, has now been released for Windows, letting organizations query their endpoints for signs of malware or malicious activity spreading in their networks. This open source endpoint security tool has become one of the most popular security projects on GitHub since its release in mid-2014.

» More information at The Hacker News

Further Reading

Russia Blamed for Hacking Attack on German MPs

» More information at Telegraph News

Teen Social Site Is Leaking Millions of Plaintext Passwords

» More information at Ars Technica

Fancy Bear Hackers Use a New Mac Trojan Against Aerospace Industry

» More information at Security Affairs