Thursday, March 15, 2018

Cyber Updates - 15th March 2018

Commercial disagreement leads to mass TLS certificate revocation

In a somewhat baffling story, 23,000 certificates sold by certificate reseller Trustico were suddenly revoked. It appears that Trustico wanted to move their customers to new certificates and saw this as a quick way of doing so.

Trustico requested that DigiCert, the certificate issuer, revoke 50,000 certificates, citing some unspecified compromise. DigiCert refused without evidence of compromise, so Trustico effectively created a compromise by emailing 23,000 private keys to DigiCert. At this point, DigiCert had no alternative under Certificate Authority rules other than to revoke these certificates, meaning that visitors to these sites would potentially start receiving secure connection errors within 24 hours.

Key takeaways:

  • It is important to monitor the trustworthiness of your certificate provider. Let's Encrypt is a well-respected, free and easy-to-automate certificate provider.
  • Never allow a certificate provider to generate or get access to your private key. You should always generate a Certificate Signing Request (CSR) yourself and send that to the provider; see example instructions here.

Crypto-mining malware on UK and US government sites

Scott Helme, a UK-based security researcher, discovered that various UK government sites were serving JavaScript which used the visitor's browser to mine cryptocurrency, causing significant CPU utilisation for the end user. Further investigation indicated that BrowseAloud, a third party that provides a script to read website content aloud for blind and partially sighted people, had been compromised. Their script had been altered to insert the crypto-mining code, meaning that any site loading their script served the miner to its visitors.

Key takeaways:

  • If enterprises or consumers use anti-malware protection on web browsing, it would hopefully detect and block this script.
  • Website administrators can use Subresource Integrity (SRI) to monitor and block unexpected script changes.
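
An added example (not from the original post or from any vendor): computing a Subresource Integrity value for a reviewed third-party script and checking served content against it, as a build step or scheduled monitoring job might. The URL, function names and sample script bytes are constructed for illustration.

```python
import base64
import hashlib
import html

# Algorithms defined for SRI, weakest to strongest.
_ALGS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    if alg not in _ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, content: bytes) -> str:
    """Build a <script> tag pinned to the reviewed content."""
    return (f'<script src="{html.escape(url, quote=True)}" '
            f'integrity="{sri_hash(content)}" crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Check content the way a browser does: of the hashes listed, only
    those using the strongest algorithm count, and any one may match."""
    parsed = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in _ALGS and b64:
            parsed.append((alg, b64.split("?", 1)[0]))  # drop ?options
    if not parsed:
        # A monitor should treat an unusable pin as a misconfiguration.
        raise ValueError("no usable hash in integrity value")
    strongest = max((alg for alg, _ in parsed), key=_ALGS.index)
    return any(sri_hash(content, alg) == f"{alg}-{b64}"
               for alg, b64 in parsed if alg == strongest)


# Constructed sample data: a reviewed third-party script and an altered copy.
ORIGINAL = b"function readAloud(t) { /* constructed sample */ }\n"
TAMPERED = ORIGINAL + b"/* constructed: code added upstream */\n"
PINNED = sri_hash(ORIGINAL)

if __name__ == "__main__":
    print(script_tag("https://cdn.example/reader.js", ORIGINAL))
    print("original accepted:", verify(ORIGINAL, PINNED))
    print("tampered accepted:", verify(TAMPERED, PINNED))
```

With the `integrity` attribute in place, a browser that supports SRI refuses to execute the script once its bytes no longer match the pinned hash, so any legitimate update from the third party also requires a new hash.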

Record DDoS attacks using memcached

A number of record-breaking DDoS attacks were seen in the last few weeks which utilised a service called memcached as an amplification vector. The attacker sends this service packets whose source address is spoofed to be the target's IP address, and the service replies to the target with a response much larger than the initial request, leading to an amplification of up to 51,000x the size of the original request.

One high-profile victim was GitHub, although they were able to continue operations with minimal disruption with help from their DDoS protection provider.

Key takeaways:

  • DDoS is a scenario you have to plan for in advance. If you don't have a plan by the time it starts, it is likely to take you offline.
  • DDoS protection for such a large attack will require the assistance of your upstream Internet provider and potentially a specialist service.
  • Comsec offers a DDoS readiness service where you can assess the ability of your systems to withstand this type of attack.

Josh Grossman
Senior Information Security Consultant and Team Leader