Security Roundup - 2018-03-01

Biggest DDoS attack to date hits GitHub. GitHub (relatively) came through with only minor bruises, despite traffic being measured at 1.35 terabits per second. Akamai Technologies thwarted the attack, having planned for 5x the volume of the last major DDoS attack at 1.2 terabits/second. The attack leveraged memcached, a service used as a key-value store to speed up data lookups; Shodan.io indicates ~90k instances open on the internet, and Rapid7 reports similar numbers at around 100K instances.

Trustico or trust no more? TLS certificate reseller Trustico hit the limelight this week when it attempted to revoke 50K TLS certificates it had issued and, as proof, emailed DigiCert 23K private keys. Certificate resellers and authorities are not supposed to store private keys, since a leaked or stolen key can be used to MitM traffic or let someone masquerade as a legitimate site. Trustico is in some hot water over this revelation, as security researchers have found certificates for companies like banks among them.

Counterfeit code-signing certificates more common than expected. Researchers at Recorded Future have indicated that an increase in legitimately signed malware isn't due to stolen certificates, but to stolen corporate identities that let criminals obtain new signing certificates effectively on demand (and thus undermine their value). While costs are still high, a determined and/or sophisticated attacker could use these certificates to lower the likelihood that a malware payload is detected as a malicious app.

Password leak checking. Checking for bad passwords got a lot of attention this week due to Troy Hunt releasing v2 of his Pwned Passwords list, designed to allow companies to build in better password checks (now at half a BILLION hashes and including a count per hash for uniqueness checks), as well as news that 1Password is integrating the list into its service to let users know whether a new password they would like to use has already been part of a breach.
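
One way to build the kind of check the post describes, using the k-anonymity range lookup that accompanies the v2 list: the client hashes the candidate with SHA-1, sends only the first five hex characters, and matches the remaining 35 locally against the returned "SUFFIX:COUNT" lines. This is an added example, not Troy Hunt's or 1Password's code; the response format is not described on the page, and the range response below is a constructed sample served by an offline stand-in for the network call.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample of one range response, keyed by 5-char SHA-1 prefix.
# "5BAA6" is the real prefix of "password" and the middle suffix is its real
# remaining 35 hex chars; the other suffixes and all counts are made up.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2B5B6D7B0E3BDA2CBA0B5A9F7A4D4E2E6:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\r\n"
        "2F3A8C9D1E0B7A6F5E4D3C2B1A0F9E8D7C6:17\r\n"
    ),
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as the list is keyed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerate CRLF, blank and junk lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().rpartition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the list (0 if never). Only the 5-char
    prefix is handed to fetch_range; the suffix match happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS range call, serving the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")

def acceptable(password: str, fetch_range: Callable[[str], str] = offline_fetch,
               max_seen: int = 0) -> bool:
    """Policy: reject any candidate seen in breaches more than max_seen times."""
    return breach_count(password, fetch_range) <= max_seen

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = breach_count(candidate, offline_fetch)
        print(f"{candidate!r}: seen {seen} times, acceptable={acceptable(candidate)}")
```

Swapping `offline_fetch` for a real HTTPS client keeps the property that matters: the full hash, and the password itself, never leave the host.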

Alexa top one million header analysis. Scott Helme has completed his biannual analysis of security header adoption across the Alexa top million. The good news: adoption is increasing, mostly by double digits! The bad news: overall adoption is still in the single to low double-digit percentage range.

To disclose, or not to disclose. This is the question more and more security researchers are having to ask themselves, as a number of companies have initiated lawsuits against researchers who have publicly revealed their findings. In the age of bug bounty programs like HackerOne and Bugcrowd, this seems like two giant steps back.

Written on March 1, 2018