- Four major security flaws were identified in the HTTP/2 protocol, including a slow read attack, an HPACK bomb attack, a dependency cycle attack, and stream multiplexing abuse. These vulnerabilities have now been fixed.
- Hong Kong-based Bitcoin exchange Bitfinex had $72 million worth of bitcoins stolen after a security breach. The cause of the breach is unknown but it allowed attackers to bypass withdrawal limits. The price of bitcoin dropped by 20% after the hack was announced.
- Torrentz.eu, one of the largest BitTorrent search engines, shut down following legal pressure and arrests targeting other torrent sites such as Kickass Torrents. Its shutdown comes as many piracy sites independently
2. Severe Vulnerabilities identified in HTTP/2
The new HTTP/2 protocol (considered a replacement for HTTP/1) was
approved by the IESG in February 2015.
It brings benefits over HTTP/1 such as header compression, multiplexing
and concurrency, and server push.
Four major flaws were identified in the protocol, as described below:
Slow read attack or Slowloris attack (CVE-2016-1546) – The attack relies on a
malicious client reading responses very slowly. This vulnerability also existed in
the HTTP/1.1 protocol.
HPACK Bomb Attack (CVE-2016-1544, CVE-2016-2525) – An attacker sends a small
message to the server that unpacks into gigabytes of data, thereby consuming all
of the server's memory resources.
Dependency Cycle Attack (CVE-2015-8659) – A specially crafted request can be
used to create a dependency cycle, sending the server into an infinite loop. This
can cause a DoS or allow arbitrary code to be run.
Stream Multiplexing Abuse (CVE-2016-0150) – The attacker exploits
vulnerabilities in the way servers implement stream multiplexing
in order to crash the server.
All these vulnerabilities have now been fixed!!!
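As an added defensive illustration (not code from the page or from any HTTP/2 implementation): a toy model of the HTTP/2 stream priority tree that follows the reprioritization rule of RFC 7540 section 5.3.3, so that a PRIORITY frame can never turn the dependency tree into a cycle. An implementation that skips the "lift the new parent first" step is the kind that can be pushed into an endless loop when it later walks the tree. Stream ids and the tree shape are constructed.

```python
# Toy model of an HTTP/2 stream priority tree (RFC 7540, section 5.3.3).
# Added illustration only; not code from any affected HTTP/2 server.
# self.parent maps a stream id to the stream it depends on; 0 is the root.
class PriorityTree:
    def __init__(self):
        self.parent = {}

    def add(self, stream, depends_on=0):
        if stream == 0 or stream in self.parent:
            raise ValueError(f"bad stream id {stream}")
        if depends_on != 0 and depends_on not in self.parent:
            raise ValueError(f"unknown parent {depends_on}")
        self.parent[stream] = depends_on

    def ancestors(self, stream):
        """Yield parents up to the root; raise if the walk never ends."""
        seen = set()
        while stream != 0:
            if stream in seen:
                raise RuntimeError("dependency cycle detected")
            seen.add(stream)
            stream = self.parent[stream]
            yield stream

    def is_acyclic(self):
        try:
            for s in self.parent:
                list(self.ancestors(s))
            return True
        except RuntimeError:
            return False

    def reprioritize(self, stream, new_parent, exclusive=False):
        """Make `stream` depend on `new_parent` without ever forming a cycle."""
        if new_parent == stream:
            raise ValueError("stream cannot depend on itself")  # PROTOCOL_ERROR
        if stream not in self.parent or (new_parent and new_parent not in self.parent):
            raise ValueError("unknown stream")
        # If new_parent sits below `stream`, first lift it to stream's old
        # parent; a naive implementation that skips this step builds a loop.
        if new_parent != 0 and stream in self.ancestors(new_parent):
            self.parent[new_parent] = self.parent[stream]
        if exclusive:  # existing children of new_parent move under stream
            for child, p in list(self.parent.items()):
                if p == new_parent and child != stream:
                    self.parent[child] = stream
        self.parent[stream] = new_parent
```

The constructed tree in the test mirrors the reprioritization figure in RFC 7540, with stream 1 moved onto its own descendant 7.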
3. Bitcoins worth USD $72 Million stolen
Hong Kong-based Bitcoin exchange 'Bitfinex' shut down its operations on 2nd
August 2016, after discovering a security breach that allowed an attacker to
steal some user funds.
The cause of the breach and the people behind the incident are still not known,
but the attackers appear to have bypassed Bitfinex's mandated withdrawal
limits.
Bitfinex is the third-largest Bitcoin exchange in the world.
After the news of the Bitfinex hack, the price of Bitcoin dropped almost 20%,
from $602.78 to $541 per Bitcoin, within a day.
Bitfinex's security firm BitGo, a Bitcoin security company that lets
exchanges provide separate multi-signature wallets for each user's funds,
said it did not find any evidence of a breach on any BitGo servers during its
investigation.
So is this a possible case of corporate vengeance to bring down Bitcoin's
popularity, or is it an insider job? Only time will tell.
4. Torrentz.eu Shutdown!!!
A few days after US authorities arrested the owner of Kickass Torrents in
Poland, Torrentz.eu, the Internet's biggest BitTorrent meta-search engine,
shut down.
Torrentz was a free, fast and powerful meta-search engine combining results
from dozens of search engines.
The purpose of the site was to index torrents from several large portals and
aggregate all the different trackers. This allowed users to download torrent
files with multiple trackers in their source, speeding up downloads and
preventing dead links in case servers went down.
All Torrentz domains, including the main .EU domain and its backups
.ME, .CH and .IN, are also down. The site's HTTPS version also shows the
message “Torrentz will always love you. Farewell”.
With legal pressure increasing on The Pirate Bay and following the Kickass
Torrents arrests, many piracy portals have decided to shut down on their own,
and that could be the case with Torrentz as well.
The possibility of a hostile takeover by a group of attackers cannot be
ruled out, as such websites generally do not have strong defensive controls.
5. Other News…
A newly discovered PoS (Point-of-Sale) malware can bypass computer
defences such as User Account Control (UAC) by posing as a legitimate
Microsoft application, Doctor Web researchers have discovered.
Adobe’s Flash Player might be the most targeted product when criminal
exploit kits are involved, but Microsoft products such as Office, Windows and
Internet Explorer take centre stage when Russian advanced persistent threat
(APT) groups are involved.
Just two weeks after Chrome 52 was released in the stable channel, Google
has issued an update to resolve 10 security vulnerabilities, 7 of which were
discovered by external developers.
Server Push – The server can send resources the client has not yet requested.
Dependency Cycle Attack – The attack leverages the flow control mechanisms that HTTP/2 uses for network optimization.