October 25, 2023
In this Episode:
Marcel Brown: October 25th, 2001. Microsoft releases the operating system Windows XP, the successor to both Windows 2000 and Windows ME. With a nearly six-year run and the public debacle surrounding the release of Windows Vista, Windows XP remained the world’s most popular operating system until August of 2012.
Edwin Kwan: Super SA, a dedicated superannuation fund for state government employees in South Australia, suffered a data breach. The data loss was through a third-party call center, which Super SA had previously contracted.
Hillary Coover: Is your child’s online safety at risk? I’ve asked this before in the context of privacy, but today we’re talking about the health risks and implications of Instagram on young minds.
Mark Miller: On October 10, 2023, Grant Bourzikas disclosed the finding of a massive DDoS attack of over 201 million requests per second. According to the CVE report, the HTTP/2 protocol “allows a denial of service because request cancellation can reset many streams quickly as exploited in the wild in August through October, 2023.”
The Stories Behind the Cybersecurity Headlines
South Australian Superannuation Suffers Breach
This is Edwin Kwan from Sydney, Australia.
Over 14,000 members were impacted by the breach and the compromised data included name, address, and date of birth. The data loss was through a third-party call center, which Super SA had previously contracted.
The call center was contracted back in 2019 to field phone calls from members impacted by a cybersecurity breach. The call center retained the member data after its contract ended and that data was accessed in this latest security incident. As such, none of the breached data contain information post 2020.
Investigations are underway on why the call center provider retained data post contract and also whether other government agencies, which had contracts with the call center, were also caught up in the breach.
The South Australian Treasurer said that the latest cybersecurity breach proved that government agencies needed to improve their internal security.
– sa.gov: https://www.supersa.sa.gov.au/about-us/announcements/2023/external-provider-cyber-security-incident/
– ABC: https://www.abc.net.au/news/2023-10-18/sa-government-cyber-security-breach/102993794
– IT News: https://www.itnews.com.au/news/super-sa-discloses-third-party-data-breach-601379
Meta Lawsuits: Your Child’s Online Safety is at Risk
Is your child’s online safety at risk? I’ve asked this before in the context of privacy, but today we’re talking about the health risks and implications of Instagram on young minds.
Hi, this is Hillary Coover in Washington, DC.
A coalition of 41 states and the District of Columbia is taking legal action against Meta Platforms, the company behind Facebook and Instagram. These lawsuits, filed in both federal and state courts, allege that Meta deliberately designed its products with addictive features that are detrimental to young users. The states claim that Meta misrepresented the dangers its platforms pose to young people and unlawfully targeted users under the age of 13. Their objective is to compel Meta to alter product features that pose risks to young users. These legal actions follow failed settlement negotiations with Meta and resulted from a multi-year investigation led by Attorneys General Jonathan Skrmetti and Phil Weiser.
Internal Meta documents revealed by former employee Francis Haugen contained extensive research on teen users’ behavior and Meta’s efforts to make its platforms more attractive to them. Researchers found that for most users, social media didn’t present significant users, but for some teens with pre-existing mental health vulnerabilities, Instagram was problematic. Teens reported feeling “addicted” to the platform and believed it negatively impacted their mental health. The issue was particularly pronounced among young women. Meta suspended plans for a children’s version of Instagram following the revelations, but disputed claims of harm.
The federal lawsuit alleges that after the Wall Street Journal’s reporting and Haugen’s allegations, Meta provided false reassurances to parents and suppressed its research staff. The Attorneys General argue that young people can use social media safely if Meta addresses the identified concerns and modifies its product accordingly. They have initiated similar inquiries into Meta’s competitors, with some states seeking internal records from TikTok related to teen mental health.
Massive DDoS Attack: 201 Million Requests per Second (RPS)
On October 10, 2023, Grant Bourzikas disclosed the finding of a massive DDoS attack of over 201 million requests per second. The CloudFlare, Google, and Amazon AWS research teams are calling this zero-day vulnerability the “HTTP/2 Rapid Reset” attack.
According to the CVE report, updated on October 17th, 2023, the HTTP/2 protocol “allows a denial of service because request cancellation can reset many streams quickly as exploited in the wild in August through October, 2023.”
Rapid Reset works by leveraging the HTTP/2 stream cancellation feature, sending a request and immediately cancelling it over and over. By automating this trivial “request, cancel, request, cancel” pattern at scale, threat actors are able to create a denial of service and take down any server or application running the standard implementation of HTTP/2.
Bourzikas describes how this was implemented through a modestly sized botnet consisting of roughly 20,000 machines. Lucas Pardue and Julien Desgats have provided a detailed post mortem of the attack, with a technical deconstruction of how the attack was made possible by abusing some of the features of the HTTP/2 protocol and server implementation details.
Included in the report is a proof of concept reproducing the Rapid Reset DDoS on an off-the-shelf server. Bourzikas ends his article with recommendations that he says should be implemented immediately. You can find links to the resources and articles mentioned in this segment at 505updates.com.
I’d suggest, I’d highly suggest, reading Bourzikas’ article first to get an overview of the situation. If you’re technically oriented, review the Pardue and Desgats deconstruction for the details.
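The “request, cancel, request, cancel” pattern described above is visible on the server side as a HEADERS frame followed almost immediately by a RST_STREAM frame on the same stream. The Python below is an added example, not code from CloudFlare, Google or the podcast: it parses raw HTTP/2 frames (the 9-byte header layout from RFC 9113) out of a constructed byte string and flags a connection once the number of client-opened streams that were reset exceeds a threshold, which is the kind of per-connection reset budget the vendors’ mitigations enforce. The threshold, the sample-stream builder and all function names are assumptions.

```python
import struct

# HTTP/2 frame type codes (RFC 9113, section 6) and the CANCEL error code
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
ERR_CANCEL = 0x8

def parse_frames(data: bytes):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples.
    Header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop, do not guess
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def rapid_reset_score(frames, max_resets=100):
    """Count client-initiated streams (odd ids) that were opened and then reset.
    Returns (opened, reset, abusive); 'abusive' means the server should send
    GOAWAY and close the connection. max_resets is an assumed budget."""
    opened, resets = set(), 0
    for ftype, _flags, sid, _payload in frames:
        if ftype == FRAME_HEADERS and sid % 2 == 1:
            opened.add(sid)
        elif ftype == FRAME_RST_STREAM and sid in opened:
            resets += 1  # only resets of streams this client actually opened
    return len(opened), resets, resets > max_resets

def build_frame(ftype, stream_id, payload=b""):
    """Serialise one frame. Used only to construct the sample input below."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, 0])
    return header + struct.pack(">I", stream_id) + payload

def sample_stream(n):
    """Constructed sample: n streams, each opened by HEADERS and cancelled at once."""
    data = b""
    for i in range(n):
        sid = 2 * i + 1  # client stream ids are odd
        data += build_frame(FRAME_HEADERS, sid, b"\x82")  # HPACK indexed ':method: GET'
        data += build_frame(FRAME_RST_STREAM, sid, struct.pack(">I", ERR_CANCEL))
    return data

if __name__ == "__main__":
    print(rapid_reset_score(parse_frames(sample_stream(250))))  # (250, 250, True)
```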
– Grant Bourzikas: https://www.linkedin.com/in/grantbourzikas/
– CloudFlare: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
– Details of the Attack: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
– CVE-2023-44487: https://www.cve.org/CVERecord?id=CVE-2023-44487
This Day, October 25, in Tech History
October 25th, 1955. Tappan introduced the first microwave oven for home use, the Radarange. It sold for $1,295 at the time. Raytheon developed the Radarange after engineer Percy LeBaron Spencer was working on an active radar set and accidentally melted a candy bar in his pocket.
October 25th, 2001. Microsoft releases the operating system Windows XP, the successor to both Windows 2000 and Windows ME. Designed to unify the Windows NT line and Windows 95 line of operating systems, Windows XP was not replaced by Microsoft until January of 2007 with Windows Vista. However, with a nearly six-year run and the public debacle surrounding the release of Windows Vista, Windows XP remained the world’s most popular operating system until August of 2012.
That’s your technology history for today. For more, tune in tomorrow and visit my website, thisdayintechhistory.com.