A new reflection attack was unveiled today that can increase the size of a DDoS attack 51,000-fold. It uses memcached, an object caching system designed to speed up web applications, to amplify attacks against a target. This represents a substantial increase over previous attacks, which have used network time servers to amplify attacks 58-fold and DNS servers to amplify attacks 50-fold.
Attacks seen this week have surpassed 500 Gbps, which is pretty amazing considering only a small percentage of publicly-available memcached servers are being used to launch those attacks. It’ll be interesting to see if any larger attacks are launched in the coming weeks… and what their targets will be.
The article over at Ars Technica is pretty good, and is worth a read.
Another day, another vulnerability in a widely-used software package. Today’s bug (dubbed Optionsbleed by Hanno Böck, the journalist who documented the vulnerability) can reveal passwords and other pieces of vital information to attackers. It is not as big a threat as Heartbleed, a similar bug which allowed attackers to snag private encryption keys for servers. That is a Bad Thing, since those keys are how servers verify they are who they say they are; for an explanation of how this works, see my Asymmetric Encryption explanation from last year. Even so, Optionsbleed should still be regarded as a significant threat.
Patches are being rolled out now; patch your systems if you haven’t already.
The vulnerability was patched in WordPress v4.7.2 two weeks ago, but millions of sites haven’t yet updated. This leaves them open to a vulnerability in the WordPress REST API, which can allow malicious actors to edit any post on a site.
Ars Technica has a very nice writeup on the effects of the exploit, which has resulted in the defacement of a staggering number of websites (including the websites of Glenn Beck, the Utah Office of Tourism, and even the official Suse Linux site). Sucuri and Wordfence also have very good articles about the effects of the vulnerability.
If you have a WordPress site, you should immediately check to make sure you’re on the latest version (v4.7.2).
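For anyone responsible for more than one site, the version check above can be scripted. The following is an added example, not part of the original post: it walks a directory tree, reads `$wp_version` from each `wp-includes/version.php` it finds, and flags installs below 4.7.2. The function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

MIN_VERSION = (4, 7, 2)  # the release the post says carries the REST API fix

# WordPress records its release in wp-includes/version.php as: $wp_version = '4.7.2';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # '4.7' means 4.7.0
    return tuple(parts[:3]), bool(m.group(2))

def is_patched(version_text, minimum=MIN_VERSION):
    parsed = parse_version(version_text)
    if parsed is None:
        return False                          # unknown version: treat as needing review
    nums, prerelease = parsed
    # A pre-release such as '4.7.2-RC1' sorts below the final 4.7.2.
    return nums > minimum or (nums == minimum and not prerelease)

def audit(root):
    """Return [(install_dir, version_or_None, patched)] for each WordPress tree under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                m = VERSION_RE.search(fh.read())
            version = m.group(1) if m else None
            results.append((os.path.dirname(dirpath), version,
                            is_patched(version) if version else False))
    return sorted(results, key=lambda r: r[0])

def demo():
    """Audit a constructed tree holding three sample installs."""
    with tempfile.TemporaryDirectory() as root:
        for name, ver in [("blog", "4.7.1"), ("shop", "4.7.2"), ("old", "4.7")]:
            inc = os.path.join(root, name, "wp-includes")
            os.makedirs(inc)
            with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
                fh.write(f"<?php\n$wp_version = '{ver}';\n")
        return [(os.path.basename(d), v, ok) for d, v, ok in audit(root)]

if __name__ == "__main__":
    for site, version, ok in demo():
        print(f"{site:6} {version or 'unknown':8} {'ok' if ok else 'UPDATE NEEDED'}")
```

To audit real sites, call `audit()` on the web root (for example the directory that holds the virtual hosts) instead of running `demo()`.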
I’ve noticed a growing trend in more advanced computer users lately: some of them have begun advocating against using antivirus software. Instead, they suggest using browser extensions like uBlock Origin (which I use and recommend), combined with safe browsing practices, to remove the need for antivirus software altogether. Ars Technica did a very nice write-up on this trend today, and it’s worth a look.
For what it’s worth, I still use Avast as an antivirus package. But it hasn’t alerted me to any issues or found any viruses in at least a year, so perhaps it’s time to consider freeing up some memory on my computer.
Ars Technica did a nice job of creating an impartial write-up on why Hillary Clinton used an external email server, and how it was actually used. It sounds to me like there’s an institutional history of using private email to conduct business, largely due to obstructive or incompetent IT services (in fairness to the State Department IT team, there are likely a number of complicated policies and legal requirements that they’re trying to work around, which is difficult). Still, that’s not an excuse to use a home server to manage official communication; if you must use your own email address, at least use something like Google Apps or Microsoft Exchange Online, where you have teams of people professionally managing the email environment. (Of course, there is still the issue of all email traffic being unsecured and transmitted in plaintext. But you could use a PGP solution to reduce risks there.)
It’s also interesting to see that the NSA basically shot down any possibility of her getting a secured mobile device; I would have thought that providing the Secretary of State, the person who comes fourth in the presidential line of succession, with secure communications at all times would be a priority for them.
You can read the full story here.