Web Security Training

Navigating the web security landscape

The websec digest #2

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. The most important event in this issue is the pair of recent, massive DDoS attacks and their aftermath.

A couple of weeks ago, the web was hit with two massive distributed denial of service attacks, targeted at journalist Brian Krebs and at hosting provider OVH. Unlike previous DDoS attacks, these reached 620 Gbps and 1 Tbps, and were launched from a botnet of various Internet-connected devices, such as routers, cameras, …

A few noteworthy events that have happened since these attacks:

  • The source code that powered the botnet behind these attacks has been released, raising worries that it will lead to additional attacks in the future.
  • MITRE, a non-profit organization striving for more security, is offering a hefty prize for practical solutions to spot rogue devices on the network.
  • A Hungarian security firm has tried for a year to get AVTECH to fix 14 severe vulnerabilities affecting all of its CCTV equipment. After failing to get any response, they finally decided to go public with this irresponsible behavior.
  • Akamai has investigated the DDoS attacks it has seen, and concluded that 2 million devices are vulnerable to a decade-old security flaw in the SSH protocol.

A team of researchers has raised serious concerns about commonly used Diffie-Hellman keys, which may contain undetectable trapdoors that would allow recovery of the key. These latest concerns come on top of earlier concerns regarding precomputation attacks.

The best course of action is to retire 1,024-bit keys and generate new, stronger Diffie-Hellman groups. Practical information on how to do this for TLS deployments can be found here.
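To check what your own TLS deployment is actually loading, here is an added example (not from the digest or the guide it links to) that parses the PEM "DH PARAMETERS" file a server such as nginx loads through `ssl_dhparam`, reports the size of the group, and flags anything below 2048 bits. The DER writer at the bottom exists only to construct sample input; the sample moduli are placeholders of the right size, not real safe primes.

```python
import base64
import re
MIN_DH_BITS = 2048  # groups shorter than this (e.g. the common 1024-bit ones) should be retired

def _der_len(data, pos):  # DER length at data[pos] -> (length, position after it)
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F  # long form: the next n bytes hold the length
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_int(data, pos):  # DER INTEGER at data[pos] -> (value, position after it)
    if data[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _der_len(data, pos + 1)
    return int.from_bytes(data[pos:pos + length], "big", signed=True), pos + length

def parse_dh_params(pem):  # (p, g) from a PEM 'DH PARAMETERS' block (PKCS#3: SEQUENCE { p, g })
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos = _der_len(der, 1)  # skip the outer SEQUENCE tag (0x30) and its length
    p, pos = _der_int(der, pos)
    g, _ = _der_int(der, pos)
    return p, g

def dh_group_bits(pem):  # size of the modulus p, which is what "a 1024-bit group" refers to
    return parse_dh_params(pem)[0].bit_length()

def is_weak_dh_group(pem):
    return dh_group_bits(pem) < MIN_DH_BITS

def _der_encode_len(n):  # minimal DER writer, used here only to construct sample input
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_encode_int(v):  # +8 keeps a leading 0x00 byte when the top bit is set
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_encode_len(len(b)) + b

def encode_dh_params(p, g):
    body = _der_encode_int(p) + _der_encode_int(g)
    b64 = base64.b64encode(b"\x30" + _der_encode_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
# Constructed placeholders: correct size and encoding, but NOT real safe primes.
WEAK_SAMPLE = encode_dh_params((1 << 1023) | 1, 2)    # a 1024-bit group
STRONG_SAMPLE = encode_dh_params((1 << 2047) | 1, 2)  # a 2048-bit group
```

Point `parse_dh_params` at the contents of a real dhparam.pem produced by OpenSSL to check a live deployment; the size check alone says nothing about the quality of the prime, only whether the group is large enough to keep.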

The previous websec digest already mentioned the largest data breach of all time at Yahoo!. Since then, things have taken a turn for the worse. A report has come out that accuses Yahoo of having covertly built software to allow the US government to search all of its customers’ incoming e-mails for specific information. Because of this news, and the news of the data breach, Verizon is asking for a $1 billion discount on the purchase of Yahoo!.

In an effort to combat online credit card fraud, Oberthur has developed a credit card whose CVV changes every hour. The card has an embedded screen which displays the current CVV. This means that if that data is ever stolen, it has most likely already become obsolete. These cards have been used in a trial in Poland, and will be rolled out by two major French banks.

Upcoming Events

There are a few upcoming events I really want to highlight:

  • Last week we launched our 2-day Web Security Essentials training course, which runs in the beginning of December.
  • I’m talking about AngularJS security at a couple of events. This month I’ll be at DevFest Brussels, next month you can find me at Devoxx Belgium, and in December I’m addressing the folks at NG-BE.

As usual, you can find the full list of events on my speaking page.
