Security News

Microsoft announced that it’s working on adding support for the privacy-focused DNS over HTTPS (DoH) protocol in a future Windows 10 release, while also keeping the addition of DNS over TLS (DoT) on the table.

DoH is designed to allow DNS resolution over encrypted HTTPS connections, while DoT encrypts and wraps DNS queries via the Transport Layer Security (TLS) protocol instead of using plain text DNS lookups.

By adding DoH to the Windows 10 Core Networking, Microsoft wants to boost its customers’ security and privacy on the Internet by encrypting all the DNS queries they make and thus removing the plain-text domain names normally appearing in unsecured web traffic.

“There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal,” Microsoft said.

“To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.”
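To make the difference between plain-text DNS and DoH concrete, here is an added example (it is not Microsoft's code and is not part of the original article). It builds a DNS query in RFC 1035 wire format, shows the name an on-path observer can read straight out of such a packet on UDP port 53, and then wraps the same bytes the way DNS over HTTPS does under RFC 8484 (base64url in a GET parameter, or the raw message as a POST body). The resolver URL is the placeholder used in the RFC, not a real service.

```python
import base64
import struct

# Added example (not Microsoft's code). RESOLVER is the placeholder from RFC 8484.
RESOLVER = "https://dnsserver.example.net/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question, QCLASS IN.
    txid=0 is what RFC 8484 recommends for DoH so responses cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def extract_qname(msg: bytes) -> str:
    """What a passive observer of classic UDP/53 traffic reads directly from
    the packet: the queried name sits uncompressed right after the header.
    This is exactly the plain-text domain name DoH/DoT hide inside TLS."""
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: the message is base64url-encoded without padding in
    the 'dns' query parameter; the whole URL travels inside the TLS session."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def doh_post_request(resolver: str, query: bytes) -> dict:
    """RFC 8484 POST form: the raw message is the body, typed as
    application/dns-message. Returned as a dict so the example runs offline."""
    return {
        "method": "POST",
        "url": resolver,
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": query,
    }


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("wire bytes      :", q.hex())
    print("readable on :53 :", extract_qname(q))
    print("DoH GET         :", doh_get_url(RESOLVER, q))
    print("DoH POST body   :", len(doh_post_request(RESOLVER, q)["body"]), "bytes")
```

DoT carries the identical message, length-prefixed as in DNS over TCP, over a TLS session on port 853 (RFC 7858); in both cases the bytes that `extract_qname` reads in the clear on port 53 are only visible to the client and the resolver.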

Read more »

When it comes to open source software security, nobody could accuse Microsoft-owned development platform GitHub of not thinking big when it came up with the idea for Security Lab.

Launched last week at its GitHub Universe developer conference, the idea sounds simple enough – create a global platform for reporting and fixing security vulnerabilities in open source projects before they do serious damage.

It sounds so obvious, it’s surprising that nobody’s thought of it before. That might have something to do with the size of the job, admitted GitHub’s vice president of security product management in Security Lab’s launch blog:

The JavaScript ecosystem alone encompasses more than a million projects, not helped by the daunting 500:1 ratio of developers to security experts with the knowledge of how to fix things.

Lots of developers crank out vulnerable code, leaving a tiny clean-up squad to pick up the mess of a problem that sprawls across thousands of companies.

Feeling depressed yet? Don’t be – that’s where GitHub’s Security Lab steps in.

To boost credibility, GitHub has already signed up big companies – namely Google, Oracle, Mozilla, Intel, Uber, VMware, J.P. Morgan, F5, NCC Group, IOActive, Trail of Bits, HackerOne, as well as Microsoft and LinkedIn.

This has already borne fruit, with these companies collectively finding more than 100 CVE-level security vulnerabilities in open source code. Anyone who joins them will qualify for bug bounties of up to $3,000, GitHub said.

Read more »

Throughout 2019, Radware’s Threat Research Center (TRC) and Emergency Response Team (ERT) have been monitoring and defending against an increasing number of TCP reflection attacks.

TCP reflection attacks, such as SYN-ACK reflection attacks, have been less popular among attackers until recently. The lack of popularity was mainly due to the wrong assumption that TCP reflection attacks cannot generate enough amplification compared to UDP-based reflections. In general, TCP attacks are low bandwidth and less likely to saturate an internet link. Instead, TCP attacks are leveraged to generate high packet rates (increased volumes of Packets Per Second – PPS) that require large amounts of resources from network devices to process the traffic and cause outages.


Over the last two years, there has been steady growth in attackers leveraging TCP reflection attacks. In a TCP SYN-ACK reflection attack, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a wide range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. Whereas a normal three-way handshake would involve a single SYN-ACK packet being delivered to the victim, when the victim does not respond with the final ACK packet the reflection service keeps retransmitting the SYN-ACK, resulting in amplification.

The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which is typically governed by a configurable parameter. The default setting on Linux systems (the net.ipv4.tcp_synack_retries kernel variable) is five, while the documentation advises against settings higher than 255. Independent research into the behavior of a multitude of systems and devices on the internet exposed more than 4.8 million devices vulnerable to an average amplification factor of 112x, and thousands of hosts that could be abused for amplification up to a factor of almost 80,000x, reflecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.
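Two defender-side views of the mechanism just described, as an added example that is not Radware's code and not part of the original article: first, how many packets a reflector emits per spoofed SYN as a function of its retransmit setting (the Linux net.ipv4.tcp_synack_retries default of five from the text), and second, a small detector over flow records that flags a host receiving SYN-ACKs from many sources it never sent a SYN to. The flow records are constructed, and the retransmit timing model (1 s initial timeout, doubling per retry) is an assumption about the reflector's TCP stack, not a figure from the article.

```python
from collections import defaultdict

# Added example (not Radware's code). Flow records below are constructed.


def expected_synack_packets(synack_retries: int) -> int:
    """Packets a reflector sends to the spoofed address when no ACK ever
    arrives: the initial SYN-ACK plus one per retry. This is the per-reflector
    packet amplification the article describes (default 5 retries -> 6 packets)."""
    return 1 + synack_retries


def synack_schedule(synack_retries: int, initial_rto: float = 1.0) -> list:
    """Send offsets in seconds after the spoofed SYN, assuming the retransmit
    timer doubles after each retry (assumption, not from the article)."""
    times, rto = [0.0], initial_rto
    for _ in range(synack_retries):
        times.append(times[-1] + rto)
        rto *= 2
    return times


# Constructed flow records: (timestamp, src_ip, dst_ip, tcp_flags)
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.9", "S"),    # normal handshake: we sent the SYN,
    (0.1, "203.0.113.9", "10.0.0.5", "SA"),   # so this SYN-ACK is expected
    (0.2, "10.0.0.5", "203.0.113.9", "A"),
    (1.0, "198.51.100.1", "10.0.0.7", "SA"),  # 10.0.0.7 never sent a SYN to any
    (1.0, "198.51.100.2", "10.0.0.7", "SA"),  # of these: its address was spoofed
    (1.0, "198.51.100.3", "10.0.0.7", "SA"),
    (1.0, "198.51.100.4", "10.0.0.7", "SA"),
    (2.0, "198.51.100.1", "10.0.0.7", "SA"),  # retransmits: no ACK was ever sent
    (2.0, "198.51.100.2", "10.0.0.7", "SA"),
    (2.0, "198.51.100.3", "10.0.0.7", "SA"),
    (2.0, "198.51.100.4", "10.0.0.7", "SA"),
]


def detect_synack_reflection(packets, min_sources: int = 3, min_packets: int = 5) -> dict:
    """Flag destinations that receive SYN-ACKs from many sources for which no
    outbound SYN was observed. Returns {victim_ip: {"reflectors": n, "packets": m}}."""
    outbound_syn = set()                                  # (local, remote) pairs
    unsolicited = defaultdict(lambda: defaultdict(int))   # victim -> reflector -> count
    for _ts, src, dst, flags in sorted(packets, key=lambda p: p[0]):
        if flags == "S":
            outbound_syn.add((src, dst))
        elif flags == "SA" and (dst, src) not in outbound_syn:
            unsolicited[dst][src] += 1
    alerts = {}
    for victim, reflectors in unsolicited.items():
        total = sum(reflectors.values())
        if len(reflectors) >= min_sources and total >= min_packets:
            alerts[victim] = {"reflectors": len(reflectors), "packets": total}
    return alerts


if __name__ == "__main__":
    print("packets per spoofed SYN at default retries:", expected_synack_packets(5))
    print("retransmit offsets (s):", synack_schedule(5))
    print("alerts:", detect_synack_reflection(SAMPLE_PACKETS))
```

On a Linux host that should not be usable as a reflector, `sysctl net.ipv4.tcp_synack_retries` shows the current value; lowering it bounds what the host will retransmit, and source-address validation at the network edge (BCP 38) stops the spoofed SYNs that trigger the reflection in the first place.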

Read more »

A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused the permanent loss of some patients’ data.

The hospital tried to recover the data but all efforts were in vain. This indicates that a ransom for decrypting the files was not paid.

Medical records unrecoverable

The attack occurred in late July but the hospital acknowledged it publicly only last week, following what the institution calls “an exhaustive investigation,” and after undertaking “diligent remediation efforts.”

Attempts to recover the encrypted records, however, were fruitless, the hospital says in a public notification. Not all patients are affected by the incident, but there is no estimate of how many are.

“On September 4, 2019, the investigation confirmed that due to the malware, and despite exhaustive efforts by the Hospital to recover the data, certain patient data was unrecoverable.”

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Ransomware attacks are about encrypting information, not stealing it, and asking for money in exchange for the decryption key.

In this case, the hospital did not provide any details about the ransomware strain used in the attack or the money demanded by cybercriminals.

Read more »


Data breach lookup site Have I Been Pwned has added the stolen data from the StreetEasy and Sephora data breaches to their engine so that users can check if their information was exposed.

According to HIBP, StreetEasy was hit with a data breach in June 2016 that disclosed the information for close to 1 million users. This information included email addresses, names, passwords, and usernames.

“In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to “”.”

HIBP also stated that Sephora Southeast Asia was breached in January 2017 and the data of 780,073 customers was stolen. The stolen data included customers’ dates of birth, email addresses, ethnicities, genders, names, and physical attributes.

“In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to “”.”

The data for both of these breaches has been seen being sold and traded on online hacker forums.

Using this data, attackers can attempt to gain access to an affected user’s other accounts through the use of credential stuffing. Credential stuffing is when attackers try to access accounts at sites using the credentials disclosed in data breaches from other sites.

Because of this, it is strongly advised that everyone use a unique password at every site where they register an account. That way, if one site is hacked and customer information is stolen, it won’t affect the other sites where you have an account.
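The credential-stuffing pattern described above has a recognisable shape in a site's own login logs: one source cycling through many different accounts with mostly failures, which looks nothing like a single user mistyping their password. The following detector is an added example, not code from the original article or from HIBP; the key=value log format, the sample lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Added example (not the article's or HIBP's code). Log format and data are constructed.

# Constructed sample log: 198.51.100.23 replays a breached list against six different
# accounts (one leaked credential still works); 203.0.113.4 is one user mistyping once.
SAMPLE_LOG = """\
2019-11-20T10:00:01Z login result=fail user=alice@example.com ip=198.51.100.23
2019-11-20T10:00:02Z login result=fail user=bob@example.com ip=198.51.100.23
2019-11-20T10:00:03Z login result=ok user=carol@example.com ip=203.0.113.4
2019-11-20T10:00:04Z login result=fail user=dave@example.com ip=198.51.100.23
2019-11-20T10:00:05Z login result=fail user=erin@example.com ip=198.51.100.23
2019-11-20T10:00:06Z login result=ok user=frank@example.com ip=198.51.100.23
2019-11-20T10:00:07Z login result=fail user=grace@example.com ip=198.51.100.23
2019-11-20T10:00:09Z login result=fail user=carol@example.com ip=203.0.113.4
2019-11-20T10:00:10Z login result=ok user=carol@example.com ip=203.0.113.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.8) -> dict:
    """Flag source IPs that try many *different* accounts with a high failure
    rate: the signature of replaying a breached credential list. A brute force
    against one account (one user, many attempts) is deliberately not flagged
    here. Accounts that succeeded from a flagged IP are listed so they can be
    forced through a password reset."""
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "attempts": 0, "ok": []})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "fail":
            s["failures"] += 1
        else:
            s["ok"].append(ev["user"])
    alerts = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            alerts[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "succeeded_users": sorted(set(s["ok"])),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are a starting point: in production the counts would be kept per time window, and a successful login from a flagged source is the event worth acting on, since it means a password reused from another site's breach still works here.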

Checking if you are in the breaches

If you are a customer of either of these companies and did not receive a notification or you are concerned your information is part of the breach, you can now check on the Have I Been Pwned site.

To do this, simply go to and enter your email address in the search field and click on the pwned? button.


The site will check its databases for your email address and list any data breaches that are being monitored for your information.