This month’s round-up of cyber attacks is a story of extremes. The biggest data breach, a novel type of attack on a scale never seen before, and the biggest DDoS attacks – a record that was this month broken twice.
CBR delves into the month’s cyber activity and draws out the worrying figures.
1. Yahoo
Yahoo is the most notable cyber hack on this list for two main reasons: its sheer size and the controversy over how long it took for it to be reported.
This is the largest known data breach ever, with Yahoo reporting that 500 million user accounts have been stolen during the breach.
The data includes names, emails, telephone numbers, date of births and hashed passwords.
Yahoo still has a considerable share of the email market.
Content from our partners
The hack took place in 2014 but was only disclosed in September 2016. This is already generating lawsuits and interventions from influential politicians in the US.
For example, a California-based group of plaintiffs filed a class action on behalf of all of those affected by the breach. This was done under several parts of the California Civil Code such as the Consumer Legal Remedies Act, the Federal Stored Communications Act and the Unfair Competition Act. A man called Ronald Schwartz has also filed a suit in New York against Yahoo.
In addition, an influential group of senators wrote a letter to Yahoo CEO Marissa Mayer
According to data protection company Varonis, Yahoo might face action from California authorities over the delay in reporting the breach.
2. KrebsOnSecurity
The security blog KrebsOnSecurity was hit with what was reportedly one of the largest distributed denial of service (DDoS) attacks of all time.
The site, which is run by security expert Brian Krebs, was hit by a DDoS attack of around 620 Gbps on 20 September.
Initially, KrebsOnSecurity managed to stay online during the attack, due to defences from content delivery network provider Akamai.
However, the site ended up experiencing so much traffic that Akamai eventually chose, in Krebs’s words, “to unmoor my site from its protective harbor.”
Security blogger Brian Krebs was targeted.
The site went offline for a while before relaunching with Project Shield, a programme run by Google to help protect journalists from online censorship.
The attack was novel not just because of its size but because it used a large botnet of captured Internet of Things (IoT) devices. This could have involved hundreds of thousands of systems.
Devices such as internet-enabled cameras and routers often have weak security, and so can be ‘enslaved’ by a hacker to produce traffic.
Previous large-scale DDoS attacks, including a 336 Gbps attack recorded by Akamai, used well-known methods to amplify a smaller attack such as using unmanaged DNS servers.
Brian Krebs said that he believed the attack was a reprisal for reporting he had done on a DDoS-for-hire service.
3. OVH
The hunters are becoming the hunted: first security blogger Brian Krebs was hit, then OVH, a hosting provider and DDoS mitigation service, was targeted in a DDoS attack.
According to OVH’s founder, posting on Twitter, the combined brunt of the attack amounted to around 1.1 Tbps – dwarfing the Krebs attack mere days later.
He later commented that over 150,000 CCTV cameras participated in the DDoS during the 48-hour period.
This indicates that the attack was carried out in the same way as that on KrebsOnSecurity: through a botnet of captured IoT devices.
Since it targeted a hosting provider, this attack may tie into number 4 on this list.
OVH is a hosting provider which itself offers anti-DDoS services.
4. Web providers
Resilient CTO and seasoned security blogger Bruce Schneier reported a worrying trend: companies responsible for operating the infrastructure of the internet were coming under cyber attack.
He said that major firms were being hit by “probing” attacks: attacks designed to test their defensive capabilities.
Bruce Schneier is warning of an attack on the very foundations of the internet.
Several internet companies, unnamed, had been hit by distributed denial of service (DDoS) attacks which had started at a certain point and then been steadily ramped up before stopping. The attack would later resume at a higher point and continue.
Schneier said that the attacks looked “as if the attacker were looking for the exact point of failure.”
Schneier cited data he had seen supporting the idea that China was responsible. He said that this assessment was shared by people he had spoken with. However, he did not disclose this data.
5. Last.fm
The top 20 passwords found by Leaked Source.
Last.fm was hacked on 22 March 2012, according to LeakedSource, which posted details about the information on 1 September.
The records contained usernames, email addresses, passwords, join dates, and some other internal data.
The data for more than 43 million users was breached.
LeakedSource found that passwords were stored using unsalted MD5 hashing.
“This algorithm is so insecure it took us two hours to crack and convert over 96% of them to visible passwords,” they wrote in a blog.
