For those of you who used to avidly read our security roundups on this blog and have been asking where they went, we’re happy to announce that SecurityScorecard is bringing them back! For newcomers to our blog, a security roundup is a quick, no-nonsense recap of some of the latest interesting cybersecurity events, straight from our brilliant in-house technical team.
This week’s roundup is courtesy of Sean Smith and Michael Cereda.
Kudos to a Young Cybersecurity Enthusiast. The Air Force recently ran a bug bounty program, and the overall winner (with 30 unique vulnerabilities disclosed) was Jack Cable, a 17-year-old cybersecurity enthusiast from Chicago. HackerOne has an interview with Jack on how he got involved in bug bounties and security.
Don’t Deny the DDoS News. The first item comes from Incapsula, a CDN provider that has observed a new DDoS pattern they term “pulse waves”. Their belief is that some DDoS providers are leveraging their botnets to keep peak traffic readily available, and then rotate through targets. If a target goes down, mission accomplished, and the company likely has to spend hours or even days to recover. Since the traffic arrives already at peak, strategies like auto-scaling become ineffective, given the ramp-up time for more resources to come online. Talos Intelligence has noticed an increase in DDoS-as-a-Service providers in China (http://blog.talosintelligence.com/2017/08/chinese-online-ddos-platforms.html) after someone started selling the platform online. Expect more DDoS news in the coming months.
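To make the auto-scaling point concrete, here is a small capacity model we put together for this roundup (it is not Incapsula's data or code, and all parameters are constructed assumptions): demand that starts at peak is compared against demand that climbs gradually, with an auto-scaler that only adds capacity after a detection delay and then over a linear ramp-up time.

```python
"""Toy model of why auto-scaling struggles against a pulse-wave DDoS.
Constructed example with assumed parameters; a real auto-scaler also has
cooldowns and step sizes that this model ignores."""
from dataclasses import dataclass


@dataclass
class Autoscaler:
    base_capacity: float   # requests/sec the steady-state fleet absorbs
    max_capacity: float    # ceiling the fleet can scale up to
    detect_delay: int      # seconds before scaling is even triggered
    ramp_seconds: int      # seconds to go from base to max once triggered

    def capacity_at(self, t_since_overload: int) -> float:
        """Capacity online t seconds after demand first exceeded base."""
        if t_since_overload < self.detect_delay:
            return self.base_capacity
        progress = (t_since_overload - self.detect_delay) / self.ramp_seconds
        extra = (self.max_capacity - self.base_capacity) * progress
        return min(self.max_capacity, self.base_capacity + extra)


def pulse_wave(peak_rps, pulse_seconds, quiet_seconds, total_seconds):
    """Demand per second: instant peak for pulse_seconds, then silence, repeated."""
    period = pulse_seconds + quiet_seconds
    return [peak_rps if (t % period) < pulse_seconds else 0.0
            for t in range(total_seconds)]


def gradual_ramp(peak_rps, ramp_seconds, total_seconds):
    """Demand that climbs linearly to peak, the shape auto-scaling handles well."""
    return [min(peak_rps, peak_rps * t / ramp_seconds) for t in range(total_seconds)]


def overloaded_seconds(demand, scaler: Autoscaler) -> int:
    """Seconds in which demand exceeds the capacity the scaler has brought online.
    Assumption: capacity drops back to base as soon as demand falls below it."""
    overloaded = 0
    episode_start = None  # second at which the current overload episode began
    for t, rps in enumerate(demand):
        if rps <= scaler.base_capacity:
            episode_start = None
            continue
        if episode_start is None:
            episode_start = t
        if rps > scaler.capacity_at(t - episode_start):
            overloaded += 1
    return overloaded


SCALER = Autoscaler(base_capacity=1000, max_capacity=5000, detect_delay=60, ramp_seconds=240)
PULSE = pulse_wave(peak_rps=4000, pulse_seconds=300, quiet_seconds=300, total_seconds=1200)
RAMP = gradual_ramp(peak_rps=4000, ramp_seconds=600, total_seconds=1200)
```

With these assumed numbers the same peak rate causes 480 seconds of overload when it arrives as two pulses but only 101 seconds when it ramps up gradually, which is the gap the pulse-wave pattern exploits.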
iPhones in Danger, a Whole New Way. Last week ended with the release of the decryption key for Apple’s Secure Enclave Processor (SEP) firmware. SEP is a coprocessor that handles cryptographic data and is also used to verify TouchID (fingerprint) transactions. Even if this leak by itself doesn’t constitute any danger for iPhone users, it’s still concerning that the firmware has been exposed. Why? Companies, researchers, and others will now have a chance to analyze an area of iOS devices that was previously locked, opening the door to the development of exploits that could bypass fingerprint authentication or approve fraudulent transactions.
Targeted Phishing Attack Comes With Huge Price Tag. We are also noticing an increase in targeted phishing attacks; notable are the phishing campaigns conducted against Raiffeisen Bank and the Enigma ETH marketplace, the latter resulting in a loss of 500,000 US dollars in ETH coins. And as if phishing could not get any more intimidating, we recently heard about the first attempt to exploit a PowerPoint vulnerability to bypass antivirus software and execute malicious code; we are going to keep an eye on this one too!