MEGANews: The Most Important Cybersecurity Events of August
Tor Degradation: Fast and Cheap
Experts from Georgetown University and the U.S. Naval Research Laboratory presented an intriguing report at the USENIX conference, focusing on the performance degradation of the Tor network. The researchers claim that Tor’s functionality can be significantly disrupted by simple DDoS attacks targeting TorFlow, Tor bridges, and specific nodes. Worse yet, such attacks could cost only thousands or tens of thousands of dollars—trivial sums for government hackers or major cybercriminal groups.
Attacking the entire Tor network is unrealistic. A full-scale DDoS would require at least 512.73 Gbps of bandwidth, costing about $7.2 million per month. However, the researchers argue that such drastic measures aren’t necessary. Instead, they suggest targeting Tor bridges—special entry nodes whose IP addresses aren’t publicly listed, making them hard to block. Tor Browser includes a list of pre-installed bridges, and more can be found at bridges.torproject.org. Bridges help bypass censorship in countries where Tor is actively suppressed.
Currently, not all Tor bridges are operational (only twelve, according to the researchers), and a DDoS attack on them would cost just $17,000 per month. Even if all 38 bridges were active, attacking them would cost only $31,000 per month.
Another attack scenario involves DDoS attacks on TorFlow, the network’s load balancing system. TorFlow distributes traffic to prevent server overload and slowdowns. A sustained DDoS attack on TorFlow using public DDoS services would cost just $2,800 per month and could reduce average client download speeds by 80%.
The third scenario targets the most common type of Tor servers—relay nodes. Instead of DDoS, attackers could exploit logical flaws in Tor to slow down content loading. Such issues have been abused for years by malicious actors and rival hacker groups, and Tor developers are continually working to fix these bugs.
Attacks on specific .onion resources are also inexpensive. For example, an attacker could increase average traffic load times on a site by 120% for just $6,300 per month, or by 47% for $1,600 per month.
“Governments are known to sponsor DoS attacks, and the simplicity and low cost of our attacks suggest that authorities could use them to undermine Tor both short- and long-term. Governments might choose DoS as an alternative to traffic filtering, since Tor keeps improving its censorship circumvention capabilities,” the researchers write.
23% of Users Don’t Protect Their Personal Data
ESET conducted a survey on safe online behavior. According to the study:
- 23% of users do nothing to protect their personal data;
- 17% delete their search history;
- 15% cover their webcams to prevent spying;
- 14% avoid entering credit card data even on official sites;
- 11% regularly delete chat messages.
Additionally, 13% of users provide temporary email addresses during registration to avoid spam, as intrusive ads concern them as much as security.
Bug Bounty Programs: Big Rewards for Security Flaws
Google
Google expanded its reward programs. Researchers can now earn rewards for discovering data abuse and vulnerabilities in any Android app with over 100 million installs. The Developer Data Protection Reward Program (DDPRP) allows security experts to report data abuse in third-party apps with access to Google APIs, Android apps from the Play Store, and Chrome Web Store apps and extensions. Rewards can reach up to $50,000 for credible evidence of data misuse.
Google also launched a program for vulnerabilities in major Play Store apps (100+ million installs). Reports are submitted via Google Play Security Reward (GPSRP) on HackerOne, and developers are required to fix issues or risk removal from the Play Store. Notably, researchers can report bugs both through GPSRP and directly to companies’ own bug bounty programs, potentially earning double rewards.
Apple
At Black Hat 2019, Apple announced an expanded bug bounty program. Rewards for iPhone bugs now reach up to $1 million, and by year’s end, researchers will be able to hunt for vulnerabilities in macOS, watchOS, and tvOS. The program is now open to all, with rewards varying by severity and potential impact. Previously, only select experts could participate, and only for iOS.
Apple now offers up to $200,000 for vulnerabilities granting full control over iOS devices (remote, no user interaction, kernel-level code execution). Starting fall 2019, this increases to $1 million, and similar rewards apply to macOS. Other vulnerabilities can earn between $100,000 and $500,000, with a 50% bonus for bugs found in pre-release builds.
Microsoft
In August 2019, Microsoft released the first beta of its Chromium-based Edge browser and launched the Edge Insider Bounty Program. Security experts can earn $1,000 to $30,000 for vulnerabilities found in the latest Edge Beta or Dev versions (not Canary), running on fully updated Windows or macOS. Bugs must be exclusive to Edge and not reproducible in Chrome. Issues affecting the older EdgeHTML engine may also qualify for up to $15,000.
Facebook
Facebook expanded its Data Abuse Bounty program to Instagram apps. Researchers can earn up to $40,000 for discovering data abuse, with higher rewards possible for complex cases. Since 2018, Facebook has blocked over 200 apps for data abuse, following the Cambridge Analytica scandal. The expansion is linked to the August 2019 incident where Instagram partner Hyp3r was caught collecting and storing millions of user stories, images, geolocation data, and more, leading to its ban from the platform.
Microsoft Paid Out $4.4 Million for Bugs
At Black Hat 2019, Microsoft revealed it paid $4.4 million to security researchers over the past 12 months through its bug bounty program. The company also launched the Azure Security Lab sandbox, where experts can simulate criminal behavior. Rewards for Azure vulnerabilities have increased to $40,000.
Ransomware Hits Texas Cities and Dental Clinics
Texas Municipalities
Over 20 Texas cities fell victim to a coordinated ransomware attack, reportedly by the Sodinokibi (REvil) group. The Texas Department of Information Resources (DIR) confirmed 22 cities were affected, with over 25% already moving to recovery. Two cities, Borger and Keene, publicly acknowledged the breach, which disrupted financial operations and vital services. Keene’s mayor, Gary Heinrich, told NPR that attackers demanded $2.5 million for decryption keys. The attack was carried out via a managed services provider (MSP) used by multiple municipalities, a tactic previously used to spread ransomware like GandCrab.
Dental Clinics
In late August, cybersecurity journalist Brian Krebs reported that cloud provider PerCSoft, which supports the Digital Dental Record (DDR) backup service DDS Safe, was compromised. Hundreds of U.S. dental clinics using DDS Safe had their data encrypted by ransomware. PerCSoft and DDR decided to pay the ransom to quickly resolve the situation, and began helping clinics restore files. However, some clinics reported that the decryption tool was ineffective or only partially restored data. The attack was also linked to Sodinokibi (REvil).
Chrome Web Store: A Ghost Town
Extension Monitor researchers published statistics on the Chrome Web Store, revealing that half the extension ecosystem is essentially a ghost town. Of 188,620 extensions, about 50% have fewer than 16 installs. 19,379 extensions (10%) have zero installs, and 25,540 (13%) have just one user. A staggering 87% have fewer than 1,000 installs, despite Chrome’s user base exceeding one billion. Only 13 extensions have over 10 million users, including Google Translate, Adobe Acrobat, Tampermonkey, Avast Online Security, Adblock Plus, Adblock, uBlock Origin, Pinterest Save Button, Cisco WebEx, Grammarly for Chrome, Skype, Avast SafePrice, and Honey. Paid extensions account for just 2.6% of all installs.
Data Breaches of the Month
Unfortunately, data breaches now occur almost daily. Here are the most notable incidents from the past month:
Binance KYC Data
In early August 2019, KYC (Know Your Customer) data allegedly stolen from Binance, one of the world’s largest cryptocurrency exchanges, began circulating online. Attackers tried to extort 300 BTC (about $3.5 million) from Binance, threatening to release 10,000 photos resembling Binance KYC data. Binance refused to pay, noting inconsistencies and the absence of digital watermarks on the images. Later, Binance confirmed that some images matched those processed by a third-party contractor between December 2017 and February 2018, but many were altered or unrelated. Affected users were offered lifetime Binance VIP membership and advised to renew their identification documents. Binance also offered up to 25 BTC for information leading to the extortionist’s identification.
Coinbase Passwords
Coinbase discovered a bug on its registration page that caused the personal data of 3,420 users to be stored in plain text logs. While this affected a small fraction of Coinbase’s 30 million users, the company reset passwords for those impacted and confirmed that no data was compromised or abused. The bug occurred when registration failed, but user data—including names, emails, and proposed passwords—was still logged. No unauthorized access to the logs was detected.
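The failure mode in this incident, an error path that writes the whole registration form to a log, shown as an added example (not Coinbase's code): a hypothetical `register` handler logs the submitted form when signup fails, and a `logging.Filter` masks secret fields before any handler sees the record. The field names, logger names and sample input are assumptions constructed for illustration.

```python
import logging

SENSITIVE_KEYS = {"password", "password_confirm"}  # assumed form field names

def redact(form):
    """Return a copy of the form that is safe to log: secret fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in form.items()}

class RedactFormFilter(logging.Filter):
    """Safety net: mask sensitive keys in any dict passed as a log argument."""
    def filter(self, record):
        if isinstance(record.args, dict):        # single dict arg is unwrapped by logging
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, dict) else a
                                for a in record.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the output can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def register(form, log):
    """Hypothetical signup handler: validation fails, error path logs the form."""
    if "@" not in form.get("email", ""):
        log.warning("signup failed: %s", form)   # the risky error-path log call
        return False
    return True

def demo(with_filter):
    """Run one failed signup and return the log line that was written."""
    log = logging.getLogger("signup.filtered" if with_filter else "signup.raw")
    log.handlers.clear()
    log.filters.clear()
    log.propagate = False
    handler = ListHandler()
    log.addHandler(handler)
    if with_filter:
        log.addFilter(RedactFormFilter())
    form = {"name": "Alice", "email": "alice-at-example", "password": "hunter2"}  # constructed
    register(form, log)
    return handler.lines[0]
```

The filter is a backstop for call sites that were missed; the primary fix is to log only the fields needed for debugging and never pass the raw form to the logger.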
Hostinger Client Data
Hostinger, one of the world’s largest hosting providers, reported that hackers accessed an internal server and potentially client data, affecting up to 14 million users. The breach occurred on August 23, 2019, and allowed access to usernames, emails, hashed passwords, names, and IP addresses via a RESTful API. Financial data and user websites were not affected. Hostinger reset passwords for affected accounts and switched from SHA-1 to SHA-2 hashing. The exact number of affected users is unknown, as API call logs were incomplete.
Imperva WAF
Cybersecurity firm Imperva disclosed a breach affecting customers using its Cloud WAF service registered before September 15, 2017. Exposed data may include email addresses, hashed and salted passwords, and for some, API keys and SSL certificates. Imperva is notifying affected users and resetting WAF account passwords. The cause and timing of the breach remain under investigation.
Digital Hygiene Recommendations
In early August, Russia’s Roskachestvo published digital hygiene guidelines, including some less obvious tips. Besides standard advice like installing antivirus software, they recommend covering your device’s microphone and camera—not as paranoia, but as a basic privacy measure:
“Cover your camera and microphone when not in use. This increases your chances of privacy and peace of mind—even if a hacker connects, they won’t see or hear you. Some may see this as paranoia, but many people lock their doors even when home. If you can avoid trouble by simply covering your camera and mic, it’s worth doing.”