#AxisOfEasy 265: Record-Breaking DDoS Attack With 25.3 Billion Requests


Weekly Axis Of Easy #265


Last Week’s Quote was “It’s all to do with the training: you can do a lot if you’re properly trained.” by Queen Elizabeth II. No one got it right again.

This Week’s Quote:  “Be yourself; everyone else is already taken.” … by ???

THE RULES:  No searching up the answer, must be posted at the bottom of this post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of September 26th, 2022, wherein our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

In this issue:

  • Record-breaking DDoS attack with 25.3 billion requests and HTTP/2 Multiplexing abused, mitigated
  • Is Open-source Software Secure? Fear of vulnerabilities, exposures, or hazards is causing a decline in the use of Open-source software
  • Domestic intelligence in Germany runs hundreds of fake accounts for right-wing extremists on social media
  • Information can be leaked via the reflections in your glasses while on a Zoom call
  • Google and Microsoft enhanced spell check features can reveal your passwords

Elsewhere online

  • Scams involving cryptocurrency giveaways grow fivefold in H1 2022
  • An exploitable vulnerability in Oracle Cloud Infrastructure enabled unauthorized access to information
  • Intelligence firm finds that 62% of security teams lack adequate tools and training to detect the dark web
  • During the past five years, LinkedIn has conducted social experiments on more than 20 million users
  • Task force outlines steps to deal with ransomware

 

Record-breaking DDoS attack with 25.3 billion requests and HTTP/2 Multiplexing abused, mitigated

The cybersecurity firm Imperva revealed, on June 27, 2022, that it mitigated a distributed denial-of-service (DDoS) attack that involved over 25.3 billion requests and was launched from a botnet comprised of approximately 170,000 unique IP addresses spread across more than 180 countries, primarily the U.S., Indonesia, and Brazil.

According to reports, the “strong attack,” which was directed at an unnamed Chinese telecommunications company, peaked at 3.9 million requests per second (RPS) and persisted for four hours.

In a report published on September 19, Imperva stated that “attackers used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections.”

This discovery comes after web infrastructure provider Akamai reported that on September 12, it fielded a fresh DDoS attack against a customer in Eastern Europe, with attack traffic surging at 704.8 million packets per second (pps).

The same victim was targeted in a similar way on July 21, 2022, with the attack volume ramping up to 853.7 gigabits per second (Gbps) and 659.6 million pps over a 14-hour period.

In light of Russia’s ongoing conflict with Ukraine, Akamai’s Craig Sparling claimed that the company has been “bombarded relentlessly with sophisticated distributed denial-of-service (DDoS) attacks,” which suggests that the offensives may have political undertones.

Is Open-source Software Secure? Fear of vulnerabilities, exposures, or hazards is causing a decline in the use of Open-source software


Anaconda issued its annual 2022 State of Data Science report, outlining common trends, opportunities, and perceived blockers the fields of data science, machine learning (ML), and artificial intelligence (AI) are facing. The global study included three cohorts of academics, industry professionals, and students.

20% of respondents to the poll said that open source’s affordability and pace of innovation were its two most prized advantages. However, when questioned about the major challenges to further open-source innovation and advancement, they focused on many areas, stating that:

  • Open-source security issues are becoming more of a concern.
  • Organizations are distressed by talent shortages.
  • More emphasis should be paid to ethics, bias, and regulation—particularly in education.

31% of professional respondents stated that “security vulnerabilities” were the biggest challenge in the open-source community today, with 40% indicating that their organizations scaled back their open-source software usage in the past year due to concerns around security.

Regarding talent shortages, Jessica Reeves, SVP of Operations at Anaconda, stated, “Solutions proving successful to help close this gap include upskilling existing workforces and permitting stronger remote work options.” She further urged academic institutions to fill in student skills gaps by helping them become assets as they prepare to join the workforce.

From the results that reveal the need for educational institutions to modify their learning curriculum in data science, only 19% of student respondents are currently learning ethics in AI/ML/data science classes. In comparison, 32% have never or rarely received lectures on bias in AI/ML/data science classes.

“Many companies wouldn’t exist without the open-source foundations they’re built on today,” Peter Wang, CEO of Anaconda, said, “But to tackle these challenges successfully and continue innovating the future enterprise, we must keep reinvesting in the open-source community and its infrastructure.”

Domestic intelligence in Germany runs hundreds of fake accounts for right-wing extremists on social media

German domestic intelligence is running hundreds of fake right-wing extremist social media accounts. According to a report by the German newspaper Süddeutsche Zeitung, the Federal Office for Constitutional Protection (BfV) argues that these accounts are necessary to “effectively monitor the extreme right.”

The newspaper’s research indicates that the authority has invested heavily in “virtual agents” since 2019 to track right-wing extremists and Islamists. Let’s remember that Germany’s left-wing government has labeled right-wing extremism the biggest threat to the country and has turned the domestic security state against political opponents.

According to the report, the BfV operates hundreds of right-wing extremist accounts on social media and argues that it is about “playing a little right-wing radical yourself” to gain other users’ trust. However, there is little to no public oversight regarding these activities.

The number of accounts operated by different German authorities has gotten so high that a nationwide agreement is now necessary. If not, these agents would compete for surveillance and monitoring among themselves.

Germany’s new government targets anonymity on the web and free speech and will open thousands of hate speech cases yearly. The obvious question is: How much of the purported growth in “right wing extremism” online are state-run honeypots?

Information can be leaked via the reflections in your glasses while on a Zoom call

Boffins from the University of Michigan and Zhejiang University in China collaborated to determine whether wearing eyeglasses while using a computer posed a security concern. The researchers’ paper proves that “it was possible to reconstruct and recognise on-screen text with over 75% accuracy when reflected in the glasses of a video conference participant.”

Several factors affect this procedure’s effectiveness, such as the arc of the eyewear’s lenses—with prescription glasses outperforming blue-light-blocking eyewear in terms of giving a meaningful reflection—and the quality of the video camera.

According to the study, a regular 720p webcam can read on-screen text with reflections as small as 10mm. However, snooping with better quality 4k webcams can allow access to text with smaller fonts.

“We found future 4k cameras will be able to peek at most header texts on almost all websites and some text documents,” researcher Yang Long told The Register. Having found that the technique also reveals which websites a user is viewing with 94% accuracy, the researchers came up with an uncommon mitigation.

They advise Zoom users to make use of a video filter feature that may automatically dress their faces in reflection-blocking cartoon sunglasses. This feature can be found under “Background and Effects” in the video conferencing app’s settings.

While Google Meet and Skype currently provide a different level of security, they probably wouldn’t find it difficult to do so if the threat eventuated.

Google and Microsoft enhanced spell check features can reveal your passwords

Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, discovered that extended spell check features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and sometimes passwords, to Google and Microsoft.

The basic Chrome spellchecker is not affected; the main affected features are Chrome Enhanced Spell Check and Edge’s Microsoft Editor. When either of these features is enabled in the browser, all data entered in form fields is transmitted to Google or Microsoft. This includes your passwords if you click on “show password.”

“Some world’s largest websites have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms,” explains otto-js.

Depending on the website you visit, the form data transmitted may also include “Social Security Numbers (SSNs), address, date of birth (DOB), contact information, bank and payment information, and so on.

This does raise concerns about what happens to the data after transmission and how safe they might be. An even greater concern for businesses is the risk of exposing enterprise credentials to internal assets such as databases and cloud infrastructure.”

Thus, reacting to otto-js’ report, both AWS and LastPass have mitigated the issue. In LastPass’ case, the solution was as simple as adding the HTML attribute spellcheck="false" to the password field.

Users may also independently turn off Enhanced Spell Check in their Chrome browser by pasting chrome://settings/?search=Enhanced+Spell+Check into the address bar and switching the setting off manually.
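
For site owners, the LastPass-style fix described above can be applied across a whole page. The following is an added example, not code from otto-js, LastPass or AWS: it goes beyond the password field to other sensitive inputs, and the SENSITIVE name patterns, the function names and the small fake DOM used as sample input are all assumptions made for illustration.

```javascript
// Added example: opt sensitive form fields out of browser spell checking.
// The patterns in SENSITIVE are illustrative assumptions, not a vendor list.
const SENSITIVE = /pass|pwd|ssn|social|dob|birth|card|cvv|iban|account/i;

// A field is sensitive if it is a password input, or if its name, id or
// autocomplete hint matches. Checking names matters because a
// "show password" toggle flips type="password" to type="text".
function isSensitive(el) {
  if ((el.getAttribute('type') || '').toLowerCase() === 'password') return true;
  return ['name', 'id', 'autocomplete']
    .some((attr) => SENSITIVE.test(el.getAttribute(attr) || ''));
}

// Sets spellcheck="false" on every sensitive input/textarea under `root`
// and returns the identifiers of the fields that were changed.
function hardenSpellcheck(root) {
  const changed = [];
  for (const el of root.querySelectorAll('input, textarea')) {
    if (!isSensitive(el)) continue;
    if ((el.getAttribute('spellcheck') || '').toLowerCase() === 'false') continue;
    el.setAttribute('spellcheck', 'false');
    changed.push(el.getAttribute('name') || el.getAttribute('id') || '(unnamed)');
  }
  return changed;
}

// Constructed stand-in for DOM elements so the example also runs under Node.
function fakeField(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}
const fakeRoot = (fields) => ({ querySelectorAll: () => fields });

// Constructed sample form: a revealed password field (type=text), a password
// field that is already hardened, a harmless comment box, and an SSN input.
const sampleFields = [
  fakeField({ type: 'text', name: 'password' }),
  fakeField({ type: 'password', name: 'confirm', spellcheck: 'false' }),
  fakeField({ type: 'text', name: 'comment' }),
  fakeField({ type: 'text', id: 'ssn-input' }),
];

// Returns the fields changed on this pass over the sample form.
function runSample() {
  return hardenSpellcheck(fakeRoot(sampleFields));
}
```

In a real page, call hardenSpellcheck(document) after the form is rendered, and again whenever fields are added dynamically.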

Elsewhere Online

Scams involving cryptocurrency giveaways grow fivefold in H1 2022


An exploitable vulnerability in Oracle Cloud Infrastructure enabled unauthorized access to information

Intelligence firm finds that 62% of security teams lack adequate tools and training to detect the dark web

During the past five years, LinkedIn has conducted social experiments on more than 20 million users

Task force outlines steps to deal with ransomware
