The week in security: DDoS attack savages US Internet; Biometrics for newborns

It didn’t take long for hackers to leverage the newly released Mirai source code to build new Internet of Things (IoT) botnets, with an observed surge in Mirai-generated botnets.

But it was a massive IoT-based DDoS attack on DNS provider Dyn that raised the bar further, taking out hundreds of Web sites – including those of Twitter, GitHub, Spotify, the New York Times and others – in a series of attacks that affected a significant portion of the United States’ Internet. As the postmortem commenced, analysts said the DDoS attacks suggested reuse of old technology.

Other clever hackers were found to be storing stolen payment card data inside Website product images – the kind of lateral problem solving that, one report suggests, is more important to keeping cybersecurity experts than even high pay.

A UK court ruled that the country’s spy agencies had breached the European Convention on Human Rights for years by secretly surveilling British citizens, while US lawmakers were asking questions about a Department of Justice appeal against a decision over Microsoft’s obligations to disclose information stored on a server in Ireland.

Also in US law, investigators in California are forcing suspects to unlock their smartphones even when protected using fingerprints. This, as a new biometric finger scanner targets newborns and a study finds that US police have photographs of 117m US adults in facial-recognition databases that are poorly if at all regulated.

There were reports that Julian Assange’s Internet access had been cut by a ‘state actor’ – alleged by WikiLeaks to be the United States but subsequently revealed to be Ecuador. Similarly, former CIA chief Robert Gates warned that politics was keeping the US from securing private-sector networks.

While a critical vulnerability was found in open-source encryption software VeraCrypt and a second vulnerability was identified in Samsung Pay, Oracle was fixing hundreds of vulnerabilities in its enterprise products.

A flaw in Intel CPUs could be used to defeat ASLR anti-exploit technology, while a Windows GDI flaw was allowing attackers to launch PowerShell attacks. And a free tool was released to help protect PCs from master boot record attacks.

Czech police arrested a Russian hacker suspected of targeting the US in the massive 2012 breach of LinkedIn, while it was revealed that a Russian hacker group used a phony Google login page to infiltrate Hillary Clinton’s campaign and that the hackers of the US Democratic National Committee (DNC) had at least six zero-day exploits on hand.

Yahoo requested the US government clarify the story around requests for its users’ data, even as it was revealed that a former NSA contractor had been hoarding two decades’ worth of classified materials.

Indian banks were forced to block or ask customers to change PINs for 3.2 million debit cards after concerns about a security breach, while a new banking Trojan was found with striking similarities to the Dyre malware threat that had been thought to be long-dead.

One new report said that younger consumers were more likely than older users to fall for tech-support scams. Intel asserted its trademark rights against John McAfee to head off potential brand confusion.
