Security Roundup - 2016-09-29
Content Service Policies are a way to mitigate XSS attacks, and Google has rolled out a tool to evaluate CSP policies, allowing people to check the impact of rolling out CSP to their sites. Google goes into how they rolled out CSP to a large suite of their apps, which prompted to the creation of this tool.
Meanwhile, Microsoft is rolling out a new tool for automated fuzz testing, designed to automatically find bugs (and security vulnerabilities) before software even launches.
Megabreaches continue, as Yahoo discloses a 2014 breach resulting in half a billion user records stolen. Yahoo initially stated that the attack was state sponsored, but some security firms are suggesting otherwise. Other researchers suggest that Yahoo has poor cryptographic controls, which were a contributing factor. Unfortunately, it looks like this was suspected in August, when some records went up for sale on the DarkNet.
In other large attacks, two big DDoSes happened this week. The first was the security site KrebsOnSecurity, which was taken offline by peak traffic of 620 Gbps. Akamai, who was previously providing DDoS protection, apparently had to stop. Krebs has resurfaced under Alphabet’s Project Shield program. The second involved the OVH hosting site being hit by a DDoS attack topping 1.1 Tbps. It is believed that this attack was launched from a large number of compromised IoT devices.
Interestingly, Akamai has also released their Q2 2016 State of the Internet report. Some big jumps in attacks, including 276% increase in NTP reflection attacks YoY and 44% QoQ. Also, a 47% increase in UDP flood attacks QoQ. 12 attacks in the last quarter exceeded 100 Gbps (already blown away by records this quarter). Of all bot traffic they observed, they believe 63% of it was malicious in some way.
A Hacked Website Trend Report was released by Sucuri as well. Unsurprisingly, Wordpress showed the greatest number of compromises based on its overall popularity. Overall, it appears that compromised sites are decreasing, though out of date CMSes appear to be unchanged. Overall, compromises are primarily backdoors or malware, with spam being a slightly more distant third.
Honeypots, setting up a service that is weak to monitor what attackers do to it, is one way to gather threat intelligence. Sucuri recently set up a few on both IPv4 and IPv6, to see how quickly they would be compromised. They found that IPv4 was compromised in under 30 minutes, while IPv6 was (at time of writing) not compromised. Their experiment resulted in at least one of their machines being used in a DDoS attack, and they break down what the attackers actually did.
Malware of all types use various techniques to avoid detection and analysis by sandboxes. Threatpost has found a new unique strategy that is relatively straightforward, just check whether there are user like files to detect ‘clean’ installs.
As always Bleeping Computer has the best ransomware roundup. This week features a number of new ransomware strains, including one that does filename introspection to set the ransom amount, and Cerber infections on the rise, jumping from 6K infections per day to 80K infections per day.