AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 08/22/2022

Google blocks largest HTTPS DDoS attack ‘reported to date’

A Google Cloud Armor customer was hit with a distributed denial-of-service (DDoS) attack over the HTTPS protocol that reached 46 million requests per second (RPS), making it the largest ever recorded of its kind. In just two minutes, the attack escalated from 100,000 RPS to a record-breaking 46 million RPS, almost 80% more than the previous record, an HTTPS DDoS of 26 million RPS that Cloudflare mitigated in June. The attack started on the morning of June 1, at 09:45 Pacific Time, and targeted the victim’s HTTP/S Load Balancer initially with just 10,000 RPS.

TikTok’s in-app browser could be keylogging, privacy analysis warns

‘Beware in-app browsers’ is a good rule of thumb for any privacy-conscious mobile app user — given the potential for an app to leverage its hold on user attention to snoop on what you’re looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok’s in-app browser after independent privacy research by developer Felix Krause found the social network’s iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging. “TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data,” warns Krause in a blog post detailing the findings. “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”

Debit card fraud leaves Ally Bank customers, small stores reeling

Ben Langhofer, a financial planner and single father of three in Wichita, Kansas, decided to start a side business. He had made a handbook for his family, laying out core values, a mission statement, and a constitution. He wanted to help other families put their beliefs into a real book, one they could hold and display. So Langhofer hired web developers about two years ago and set up a website, customer relationship management system, and payment processing. On Father’s Day, he launched MyFamilyHandbook.com. He’s had some modest success and has spoken with larger groups about bulk orders, but business has been mostly quiet so far.

Hackers Target ATM Maker for Bitcoins

A Bitcoin ATM company has had its systems compromised by a zero-day exploit which enabled hackers to siphon off an undisclosed amount of the digital currency. General Bytes noted in a “highest” severity alert on Friday that a zero-day bug in its critical Crypto Application Server (CAS) was to blame for the attack. “The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” the alert revealed. “This vulnerability has been present in CAS software since version 20201208.” The Prague-based firm, which claims to be the world’s largest maker of cryptocurrency ATMs, said that after creating a new default admin user, the hackers were then able to modify the crypto settings of two-way machines. “Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to ATM,” it added.

The Pentagon may require vendors certify their software is free of known flaws. Experts are split.

Should the Pentagon require that vendors only sell the military software that’s free of known vulnerabilities or defects that could cause security problems? On the surface, it seems like a reasonable request. But when security researcher Jerry Gamblin tweeted a screenshot of the House of Representatives’ software vulnerability provision from within the massive 2023 National Defense Authorization Bill — passed July 14 — it divided the cybersecurity community. The debate boils down to two key arguments: the requirement is either unnecessary and impossible to achieve, or a game-changing move that will begin holding software vendors accountable for selling faulty technology.