Weekly Threat Report 29th September 2016

Created:  30 Sep 2016
Updated:  30 Sep 2016
This report is drawn from open source reporting between the dates of 26th-29th September.

Threat assessment and trend analysis

Yahoo Data Breach largest on record 

The scale of the 2014 Yahoo data breach has been exposed: Yahoo have confirmed that over 500 million accounts were compromised. The leaked data includes names, email addresses, telephone numbers, dates of birth and encrypted passwords, and the incident is believed to be the biggest public breach of personal data ever recorded. Yahoo have stated that the attack was “state-sponsored”, although this has been contradicted by information security firm InfoArmor, which has suggested that the attack was conducted by criminals. The methods and sophistication of the attack have not yet been revealed, but the incident demonstrates that the frequency and scale of reported data breaches continue to grow. Furthermore, each breach of personally identifiable information creates the risk of social engineering and fraud using the stolen data and, where passwords have been reused, the potential for further data breaches.

The IoT botnet - the new device of choice for DDoS?  

In the last week, huge DDoS (distributed denial of service) attacks have been reported against hosting provider OVH and the domain. Whilst there is ongoing debate on the exact size of these attacks, they are indicative of the growing size of DDoS attacks over the last 12 months. In both cases, the use of Internet of Things (IoT) devices in the botnet, including CCTV cameras and DVRs, is thought to have contributed to the scale of the attack. As the IoT continues to grow, it is likely that such devices will increasingly be used in DDoS botnets. IoT devices are ideally suited for conducting DDoS attacks as:

  • Many use a version of the Linux operating system which is open by default and rarely patched; as a result, these systems are more likely to be compromised than regularly updated systems

  • IoT devices often have stripped-down security, with security measures not typically built into the design and manufacture of these devices, making them a softer target for attackers

  • Many IoT devices have total internet access without bandwidth limitations or filtering

  • Default and re-used passwords are systemic across the IoT, due to the frequent re-use of software or hardware across several classes of device.

A combination of these factors is likely to have contributed to the recent harnessing of the IoT in successfully launching the largest reported DDoS attacks to date.

Microsoft to open transparency facility in Beijing  

Microsoft is set to open a facility in Beijing to allow government IT workers to test and analyse the company’s products and services to ensure they meet security expectations. This is the third Microsoft Transparency Center, after those in Belgium and the United States.

Transparency Centres were announced in 2013 with the aim of increasing trust in Microsoft products and services amongst its community of users. The initiative came in the wake of the Snowden revelations and aims to allay fears about backdoors in major hardware and software products. The Chinese government had previously mandated that foreign software vendors selling to Chinese banks had to reveal source code and submit to rigorous software audits; however, it has subsequently stepped away from this requirement. The centre is not without precedent, as IBM allegedly allowed Beijing auditors to review source code in late 2015. The emphasis on transparency highlights the cyber security industry’s concern regarding backdoors, and the Centre may herald a new norm where transparency becomes a requirement for conducting business.


The OpenSSL Project

The OpenSSL project has released patches for fourteen vulnerabilities, one of which is critical (CVE-2016-6304) and could be exploited to launch a denial of service (DoS) attack. CVE-2016-6304 affects the Online Certificate Status Protocol (OCSP) verification process and could be exploited to trigger memory exhaustion, resulting in a denial of service. Separately, a fix included in the updates introduced a critical vulnerability that could potentially lead to arbitrary code execution. OpenSSL have provided an advisory which can be found here. It states: “The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location”. This is most likely to result in a crash, but it could potentially lead to execution of arbitrary code.
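The regression quoted from the advisory (a buffer that is reallocated and moved while a pointer to its old location is still written through) is a general C pitfall. The following C code is an added illustration and not OpenSSL's own code: a growable message buffer that re-derives every write position from the current base after growth and keeps long-lived references as offsets rather than pointers; the 16 KiB starting size is a constructed value chosen to mirror the "approx 16k" in the advisory.

```c
/* Added example, not OpenSSL's code: a growable message buffer whose
 * references stay valid when realloc() moves it. The 16 KiB starting
 * size is a constructed value mirroring the advisory's "approx 16k". */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *buf; /* base pointer; may change on growth */
    size_t len, cap;
    size_t hdr_off;     /* header held as an offset, never a raw pointer */
} msg_buf;

/* Grow to hold `need` bytes: 1 if the block moved, 0 if not, -1 on failure.
 * After a 1, every pointer into the old m->buf is dangling (the advisory's
 * bug), so callers must re-derive positions from the new m->buf. */
int msg_reserve(msg_buf *m, size_t need) {
    if (need <= m->cap) return 0;
    size_t ncap = m->cap ? m->cap : 1;
    while (ncap < need) ncap *= 2;
    unsigned char *old = m->buf;
    unsigned char *nb = realloc(m->buf, ncap);
    if (!nb) return -1;
    m->buf = nb; m->cap = ncap;
    return nb != old;
}

/* Append, recomputing the write position from m->buf AFTER growth. */
int msg_append(msg_buf *m, const unsigned char *data, size_t n) {
    if (n > SIZE_MAX - m->len || msg_reserve(m, m->len + n) < 0) return 0;
    memcpy(m->buf + m->len, data, n);
    m->len += n;
    return 1;
}
unsigned char *msg_header(msg_buf *m) { return m->buf + m->hdr_off; }

/* Self-check: a 5-byte header then a 20000-byte body forces the 16 KiB
 * buffer to grow; the header must still read back correctly afterwards. */
int grow_demo(void) {
    msg_buf m = { malloc(16 * 1024), 0, 16 * 1024, 0 };
    unsigned char body[20000];
    if (!m.buf) return 0;
    memset(body, 'A', sizeof body);
    int ok = msg_append(&m, (const unsigned char *)"HELLO", 5) &&
             msg_append(&m, body, sizeof body) && m.cap == 32768 &&
             m.len == 20005 && memcmp(msg_header(&m), "HELLO", 5) == 0 &&
             m.buf[m.len - 1] == 'A';
    free(m.buf);
    return ok;
}
```

Running the demo under AddressSanitizer or Valgrind is the quickest way to confirm that no write goes through the old base once the buffer has grown past its initial size.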

Vulnerability Blog

This week there have been a large number of updates for quite a few different products and from a large number of different vendors. For access to more information including our full weekly vulnerabilities blog sign in or join CiSP. 
