Categories
security

“Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

This is serious. Dubbed “Dirty Cow“, there are already exploit kits out there for Android and possibly others.

Lurking in the kernel for nine years, flaw gives untrusted users unfettered root access.

Source: “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

Categories
security

Singapore telco StarHub says hit by cyber attacks | Reuters

A massive DDoS attack on key DNS infrastructure happened last Friday. It appears that one of Singapore’s telco – Starhub – was also under attacked on Saturday and Monday. There was no further information whether it is from the same attackers or whether it was a copycat attack.

The company said it analysed network logs of the disruptions and found that it had experienced intentional and likely malicious distributed denial-of-service (DDoS) attacks on its domain name servers (DNS).

Source: UPDATE 1-Singapore telco StarHub says hit by cyber attacks | Reuters

Categories
security

Why Friday’s Massive DDoS Attack Should be Terrifying

Well, it didn’t take long to up the ante.
Major websites were down for a period of time due to DDoS attack. This time featuring tens of millions of IoT devices.

Categories
security sysadmin

Strange Loop – IP Spoofing

A very clear explanation to the DDoS problem that has been plaguing the Internet and recent advances in DDoS techniques.

The internet was originally created as a collection of equal connected peers. Everyone connected had equal rights, could consume content, produce content.

It was normal to host DNS or HTTP services on your home land-line.

But this is not possible anymore. It’s just too easy to knock unprotected websites off line.

Strange Loop – IP Spoofing

Categories
security

150,000 IoT Devices behind the 1Tbps DDoS attack on OVH

This is not the first incident where large number of IoT devices are being used to launch a DDoS attack. It’s a worrying sign that the number of compromised devices are getting larger and the technique is getting more popular.

The hosting provider OVH continues to face massive DDoS attacks launched by a botnet composed at least of 150000 IoT devices.

Source: 150,000 IoT Devices behind the 1Tbps DDoS attack on OVH

Categories
privacy security

Hack Brief: Yahoo Breach Hits Half a Billion Users

Largest password breach so far – 500M users.

After earlier reports of a cybercriminal hack that affected 200 million users, the real breach turns out to be far more serious.

Source: Hack Brief: Yahoo Breach Hits Half a Billion Users

[2016-09-29]: Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say. ‘Cos it doesn’t affect the bottom line, no?

“Yahoo is already suffering. I don’t think they’ll suffer more because of this,” said Avivah Litan, a security analyst with the research firm Gartner.
Ouch.

Categories
privacy security

The Dropbox hack is real

It’s not a suspect breach. Change your Dropbox password now.

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that “someone has cobbled together a list of credentials that work on Dropbox” hacked either, but proper hacked to the tune of 68

Source: The Dropbox hack is real

Categories
security

The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender – The Citizen Lab

The dark side of the cybersecurity industry has surfaced once again – companies that provide cyberweapons to organizations with deep pockets. In this case, the cyberweapon is a chain of zero-day exploits that requires no more than clicking on a link from an SMS. Good thing the target is discerning enough not to click on it – which means a million dollars (or two, or three) is wasted.

This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.

Source: The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender – The Citizen Lab

Categories
security

The NSA Leak Is Real, Snowden Documents Confirm

Yes any organization can be hacked. Even the NSA. The stolen cyberweapons – there may be more than one group who possess them – are now being auctioned publicly. This is why it’s a bad idea to add backdoors that only governments can use.

A never-before-published NSA manual makes it clear that malware released by a hacker group this week came from the spy agency.

Source: The NSA Leak Is Real, Snowden Documents Confirm

Categories
privacy security

New air-gap jumper covertly transmits data in hard-drive sounds

Your secrets should be safe as long as your machine is not connected to any network right? Think again. There have been extremely innovative ways of transmitting information from unplugged (or what is known as air-gapped) computers to other devices, including:

and now.. via the sound that a hard drive makes.

“DiskFiltration” siphons data even when computers are disconnected from the Internet.

Source: New air-gap jumper covertly transmits data in hard-drive sounds