October 27, 2023
In this Episode:
Marcel Brown: October 28th, 1998. US president Bill Clinton signs into law the Digital Millennium Copyright Act, or DMCA. The law is intended to criminalize production and dissemination of technology designed to circumvent digital copyright protection, known as Digital Rights Management, or DRM.
Edwin Kwan: Security researchers discovered critical misconfiguration flaws in the implementation of the Open Authorization or OAuth standard by three popular websites. The flaw would have allowed attackers to take over user accounts and could lead to identity theft, financial fraud, access to credit cards, and other cybercriminal activity.
Katy Craig: Recently, Google services and Cloud customers found themselves in the crosshairs of a novel and formidable distributed denial of service, or DDoS, attack, peaking in August, with one assault clocking a staggering 398 million requests per second.
Olimpiu Pop: HTTP/2 was the first major revamp of the HTTP protocol in ages. It brought significant performance improvements enabled by stream multiplexing. This enables the simultaneous transmission of multiple request and response messages over a single connection without interference between streams.
Shannon Lietz: I would like to see the industry be a little bit more actionable about what’s happening, because you had to parse this one out to really understand it. I came to the realization of is, if you do have companies that you work with, or vendors that you work with, and they’re getting told right away, all of a sudden they have a CVE they have to go deal with, it is going to set a whole bunch of things behind.
The Stories Behind the Cybersecurity Headlines
OAuth Implementation Flaw Allowing Account Takeover
This is Edwin Kwan from Sydney, Australia.
Security researchers discovered critical misconfiguration flaws in the implementation of the Open Authorization or OAuth standard by three popular websites.
Those sites are Grammarly, which is an AI-powered writing tool, Vidio, which is an online streaming platform, and Bukalapak, which is an Indonesian e-commerce site. The flaw would have allowed attackers to take over user accounts and could lead to identity theft, financial fraud, access to credit cards, and other cybercriminal activity.
OAuth is a widely popular standard for cross-platform authentication, allowing users to log into websites using their social media or Google accounts. The flaw isn’t with the OAuth standard, but with how the web services have implemented the standard. There was a lack of token verification on the three websites which allowed account takeover.
The security researchers disclosed vulnerabilities to those three websites and waited until the flaw was mitigated before publishing their research. However, they believe that there would be many other websites that would be exposed to the very same flaw.
– Salt.Security: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
– Dark Reading: https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-takeover-millions
This Day, October 27, in Tech History
October 27, 1980. The ARPANET, the precursor to the modern Internet, stops functioning for about four hours after the network’s routing tables are corrupted by a malfunctioning interface message processor.
This was considered the first major ARPANET outage, and was a significant enough event that they wrote an RFC about it. RFC 789 to be exact, if you’d like to look up more information.
October 28th, 1998. US president Bill Clinton signs into law the Digital Millennium Copyright Act, or DMCA. The law is intended to criminalize production and dissemination of technology designed to circumvent digital copyright protection, known as Digital Rights Management, or DRM. However, the law has been very controversial, with accusations of abuse of the law to stifle innovation and competition.
And that’s your technology history for this week. For more, tune in next week and visit my website, thisdayintechhistory.com.
HTTP/2 RapidReset Attack
Recently, Google services and Cloud customers found themselves in the crosshairs of a novel and formidable distributed denial of service, or DDoS, attack, peaking in August, with one assault clocking a staggering 398 million requests per second. Unlike previous Layer 7 attacks, this one showcased a fresh challenge.
This is Katy Craig in San Diego, California.
Thanks to Google’s robust global load balancing infrastructure, the attacks were largely deflected at the network’s edge, ensuring minimal impact and no outages. Post-attack, Google’s DDoS response team sprang into action, bolstering defenses and partnering with industry peers to beef up the digital ecosystem’s resilience.
The crux of these attacks lies in the exploitation of HTTP/2, that’s Hypertext Transfer Protocol 2, a protocol utilizing “streams” for bidirectional message exchanges. A core feature, stream multiplexing, maximizes the use of TCP connections, taking efficiency up a notch by processing the streams in parallel rather than serially.
However, this efficiency turned into a vulnerability when attackers exploited a feature allowing clients to cancel a previous stream, coining this, the “Rapid Reset” attack. They could cancel requests while keeping the HTTP/2 connection open, introducing a unique challenge.
This episode underscores the evolving cyber threat landscape, highlighting the imperative for robust infrastructure and collaborative action to counter such avant-garde threats. As cyber adversaries continue to innovate, staying ahead in this unyielding game of cat and mouse is paramount for safeguarding our digital realms.
This is Katy Craig. Stay safe out there.
– Google: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack/
– CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
HTTP/2 RapidReset: Zero-day Vulnerability
HTTP/2 was the first major revamp of the HTTP protocol in ages. It brought significant performance improvements enabled by stream multiplexing. This enables the simultaneous transmission of multiple request and response messages over a single connection without interference between streams. And further improvements to the protocol are in the works with HTTP/3. But that’s another story.
One of the features of the protocol is the ability of the client to indicate to the server that a stream is cancelled, and it can do that unilaterally. The intention of the feature was good, mainly to save bandwidth, to optimize resources. But it also enabled a vulnerability in the fiber of the protocol. Just think about it: a protocol is actually a set of ideas on a piece of paper that applications implement. That means that it affected universally all products that implemented the protocol: browsers, servers, proxies, gateways, and all other HTTP/2-enabled tools and gadgets. In a world that heavily relies on the protocol, it’s not a small thing. Just look at the size of the scroll on the resources page of the CVE.
This zero-day vulnerability enabled hackers to conduct the hardest distributed denial of service attack in history. Among the targets are Google, CloudFlare, and Amazon Alphabet search engine. Alphabet’s search engine is the gold medalist, being bombarded with almost 4 million requests per second.
The good news is that the technology giants managed to stop the attack. The sad news is that being a flaw at the protocol level, it will be quite hard to fix, and it’s just a 7.5 score out of 10.
505updates.com contains more resources on the topic.
Olimpiu Pop, reported from Transylvania, Romania.
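The stream cancellation feature described in both Rapid Reset segments above (a client sending RST_STREAM for a stream it opened, as often as it likes) is what a server or proxy has to account for defensively. Below is an added example, written for this page and not taken from Google’s or any other vendor’s code, of one common mitigation shape: count resets per connection and close a connection whose reset rate or reset-to-request ratio crosses a threshold. The thresholds and the frame traces are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class ConnectionGuard:
    """Per-connection RST_STREAM accounting for an HTTP/2 server or proxy.
    Assumed policy (illustration, not any vendor's code): close when more than
    `max_resets` resets land within `window` seconds, or, after `min_requests`
    streams, when resets exceed `max_reset_ratio` of requests."""
    max_resets: int = 100
    window: float = 1.0
    max_reset_ratio: float = 0.5
    min_requests: int = 20
    requests: int = 0
    resets: int = 0
    _recent: deque = field(default_factory=deque)

    def observe(self, ts: float, frame_type: str) -> bool:
        """Feed one frame; return True when the connection should get GOAWAY."""
        if frame_type == "HEADERS":           # client opens a new stream (request)
            self.requests += 1
        elif frame_type == "RST_STREAM":      # client cancels a stream unilaterally
            self.resets += 1
            self._recent.append(ts)
            while self._recent and ts - self._recent[0] > self.window:
                self._recent.popleft()        # forget resets outside the window
            if len(self._recent) > self.max_resets:
                return True
        return (self.requests >= self.min_requests
                and self.resets / self.requests > self.max_reset_ratio)

def evaluate(frames, **policy):
    """Replay a constructed (timestamp, frame_type, stream_id) trace through a fresh guard."""
    guard = ConnectionGuard(**policy)
    for i, (ts, ftype, _sid) in enumerate(frames):
        if guard.observe(ts, ftype):
            return {"close": True, "at_frame": i, "requests": guard.requests, "resets": guard.resets}
    return {"close": False, "at_frame": None, "requests": guard.requests, "resets": guard.resets}

def rapid_reset_trace(n, gap=0.0001):
    """Constructed abusive trace: every request is cancelled the instant it is sent."""
    return [f for k in range(n)
            for f in ((k * gap, "HEADERS", 2 * k + 1), (k * gap, "RST_STREAM", 2 * k + 1))]

def benign_trace(n, gap=0.05):
    """Constructed normal traffic: steady requests, a cancel on every 25th stream."""
    return [f for k in range(n) for f in ((k * gap, "HEADERS", 2 * k + 1),)
            + (((k * gap, "RST_STREAM", 2 * k + 1),) if k % 25 == 24 else ())]
```

With the defaults, the abusive trace trips the ratio check at the 20th request while the benign trace never trips either check; the sliding window exists so that a burst of resets is caught even before `min_requests` is reached.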
RapidReset: How Critical is It
Shannon Lietz: When we look at the ambulance chasing on RapidReset, the thing that comes to mind for me is that the current CVE process allows for the notification to go out, but companies that are leveraging HTTP/2 are right now getting notified that they need to go patch their products.
So, I think there is a bit of ambulance chasing, but it’s because really, in reality, open source products, because people don’t know who’s using them in their products, and this is sort of an SBOM problem, we’re seeing the behaviors of people are kind of getting flat-footed. Now they’ve got to go into a patching cycle. They didn’t anticipate. They’re having to set things aside to get patches out for their customers.
While we’re all waiting, folks are actually encountering real world attacks based on this CVE. The current process is probably sort of not working for open source that’s deeply critical or a core component part of software that’s out there.
When that’s widespread, that actually can cause us to see the behaviors of, “You need something right now to keep up and running while all of your vendors are figuring out how to provide you a patch to put the capabilities that you have back into working order.”
That’s what we’re seeing right now.
Mark Miller: One of the things that you and I both had difficulty with in the series of articles as we were researching this, it took some digging to find somebody who was telling you what you should do about it.
Shannon Lietz: Yeah, absolutely. Probably the best of all has been Google. I would like to see the industry be a little bit more actionable about what’s happening, because you had to parse this one out to really understand it. I came to the realization of is, if you do have companies that you work with, or vendors that you work with, and they’re getting told right away, all of a sudden they have a CVE they have to go deal with, it is going to set a whole bunch of things behind.
It is quite surprising and alarming for those companies. It does take some time. So if they have slow velocity on patches, you could be waiting for a while.
In the articles, it would be great to know, look, you could end up waiting for three months. You’re going to need a mitigation if you have an availability need, or this could represent a serious problem.
We just need to, as an industry, get really much more crisp about how we communicate. There’s a lot of companies right now that have mitigating capabilities, or they’re able to mitigate this threat, like CloudFlare, like Google, like Amazon. Anybody who can take a lot of traffic and make it go away, so that you don’t have to deal with that abuse. They’re absolutely out there.
There could be a better way for those companies to articulate what they’re trying to get you to understand, versus having to disassemble the entire problem for you. Basically, what’s the shorthand so you can understand quickly what you need to do.
Mark Miller: My final question would be, this is labeled a CVE 7.5 criticality. There are so many things that are of a higher priority than this based upon that 7.5. Was this just an easy market piece, for visibility, or is it really worth putting it in front of other things that you’re trying to mitigate?
Shannon Lietz: This is where I get a little bit bothered by CVSS. I’m one of those folks that looks at it and says, it’s an interesting number.
Right now, the geopolitical climate suggests that availability, any availability issues that you might have, or any availability weaknesses you might have, could be really useful to set back the technology industry or, providers, suppliers, anything that’s out there.
This is where I think 7.5 is interesting. But for some companies, it could be a 10 in their minds because if an adversary could take them down, that could be a pretty critical event. This is why some of the CVSS doesn’t really work.
The adversaries of one company are going to be different than the adversaries of another company.
The adversaries of a government entity versus the adversaries of a small mom and pop shop vary. And so 7.5 is not very useful when it comes to the differences and variances in how those companies and organizations are going to need to actually protect themselves.
In my mind, if you’re a government entity and you have this problem, this is a solid 10. Get off your butts, go figure it out, mitigate your threats. If you’re a mom and pop shop, you might be caught up in the fallout. Should you go sign up for say CloudFlare, Google’s DDoS capabilities or any of these things? I think the answer back to you is going to be how much risk are you willing to take, not having a mitigation while these companies are figuring out how to patch.
Mark Miller: I think you hit it pretty well from my perspective. When I first read about the attack, it came to mind that this might just be a proof of concept. It was a relatively small botnet. 20,000, as opposed to millions of a botnet. It’s almost a test of if we wanted to take down a national infrastructure, could we use this technique?
Shannon Lietz: I think that’s true when they’ve got a cyber weapon, they tend to actually want to test their stuff. They will actually throw out traffic to go figure it out, or they actually do have a target somebody’s paying for and 20,000 systems was all they needed to make that entity go down.
We’ve seen some availability outages over the last couple of weeks that have been decently significant and interesting, depending on where you are in the world right now.
My take on this is, if you can’t patch, you need to have a mitigation in place if you have the risk and the concern and the adversary that’s going to cause you to have the losses that would actually deem it useful.
Mark Miller: This is Mark Miller in White Rock, New Mexico, and Shannon Lietz in San Diego, California. Thank you, Shannon.
Shannon Lietz: Thank you!