Categories
Links Writing

Brace yourselves—source code powering potent IoT DDoSes just went public

Both Mirai and Bashlight exploit the same IoT vulnerabilities, mostly or almost exclusively involving weakness involving the telnet remote connection protocol in devices running a form of embedded Linux known as BusyBox. But unlike Bashlight, the newer Mirai botnet software encrypts traffic passing between the infected devices and the command and control servers that feed them instructions. That makes it much harder for researchers to monitor the malicious network. There’s also evidence that Mirai is able to seize control of Bashlight-infected devices and possibly even patch them so they can never be infected again by a rival botnet. About 80,000 of the 963,000 Bashlight devices now belong to Mirai operators, Drew said.

Next time you see a vendor sell you something that can be connected to the Internet, be sure to ask:

  • How long will you be providing support for this product?
  • How will you be pushing security updates to this product?
  • What mitigation strategies have you implemented to ensure that a third-party doesn’t take control of this product?
  • What will you do to help me when this device is compromised because of a vulnerability in this product?

I can almost guarantee that whoever is selling the product will either look at you slack-jawed or try to use buzzwords to indicate the product is secure. But they will almost certainly be unable to genuinely answer the questions because vendors are not securing their devices. It’s their failures that have created the current generation of threats that the global Internet is just now starting to grapple with.

Moto Z Play review: the best battery life of any smartphone today

But the Moto Z Play rarely feels like you’re doing much settling. Even when you add together the negatives like an average camera, Verizon’s annoying bloatware, and Lenovo’s poor track record with software updates, the Moto Z Play’s affordable price, zippy performance, and unbelievable battery life still add up to something very compelling. And yes, unlike the Z and Z Force, there’s even a headphone jack built in. Forget the Z’s before it; this is the practical Moto Z that most people should get. It’s available exclusively from Verizon Wireless for a limited time for $408, but starting in October you can get it unlocked on GSM carriers (and free of carrier bloat) for $450.

The Verge notes that if you buy a Moto Z you’re unlikely to get “software updates”. That doesn’t just mean you won’t get bells and whistles and neat new features as Google releases new versions of its operating system. It also means that Lenovo will not send you security updates. So you’ll have a long-lasting smartphone that is vulnerable to trivial attacks that could extract sensitive personal information or otherwise compromise your device.

But other than that, I’m sure it’s a great phone to recommend.

More than 400 malicious apps infiltrate Google Play

Ars Technica:

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.

“This malware allows threat actors to infiltrate a user’s network environment,” Thursday’s report stated. “If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard.”

BYOD: a great cost-saving policy. Until it leads to an attacker compromising your network and potentially exfiltrating business-vital resources.

This is where your smartphone battery begins

This is a brilliant (if saddening) long-form investigation into how the cobalt in contemporary electronics is mined in the Congo and the impacts such mining has on the local residents. It’s worth the (long) read.

Why doctors are rebelling against Ontario’s crumbling healthcare system

Toronto Life:

The fact that doctors bill more than $11 billion annually makes them something like a corporation—their revenues are roughly the same as Air Canada’s or Canadian Tire’s. When companies of that size have to deal with revenue freezes or shortfalls, they respond by finding efficiencies, eliminating duplication and waste, lowering wages or prices, squeezing suppliers for discounts. They take a hard look at how they run their business, and they usually become better companies as a result. Doctors refuse to do this work. Hoskins is determined to force them.

I’m uncertain that the author has ever travelled on Air Canada. Unless, of course, they think that the ‘efficiencies’ Air Canada has achieved by laying off thousands of people, worsening service quality, and regularly failing to meet its agreements with customers have made Air Canada a “better company” as a result.

Organizational Doxing and Disinformation – Schneier on Security

From Bruce Schneier:

Major newspapers do their best to verify the authenticity of leaked documents they receive from sources. They only publish the ones they know are authentic. The newspapers consult experts, and pay attention to forensics. They have tense conversations with governments, trying to get them to verify secret documents they’re not actually allowed to admit even exist. This is only possible because the news outlets have ongoing relationships with the governments, and they care that they get it right. There are lots of instances where neither of these two things are true, and lots of ways to leak documents without any independent verification at all.

No one is talking about this, but everyone needs to be alert to the possibility. Sooner or later, the hackers who steal an organization’s data are going to make changes in them before they release them. If these forgeries aren’t questioned, the situations of those being hacked could be made worse, or erroneous conclusions could be drawn from the documents. When someone says that a document they have been accused of writing is forged, their arguments at least should be heard.

As someone who routinely receives, and consults on, leaked documents, I can emphatically say this is a serious issue. And that journalists are generally very cautious these days about publishing based on mysteriously sourced documents.

Google’s latest IM client, Allo, isn’t ready for prime time

Ars Technica:

It’s no secret that Hangouts was poorly supported inside Google, so will Allo be any different? I’ve heard that Google Hangouts was never given resources because Google felt it would never be a money-maker. In instant messaging, you talk to your friends and send pictures back and forth, and an ad-powered Google service is never involved. With Allo, that changes because the Assistant is a gateway to search. Every question to the Assistant is a Google Search, with in-app answers coming for questions and links to generic Web searches for everything else. With search comes the possibility for ads, both from the generic search links and in the carousels that answers often provide. I’ve yet to see an advertisement inside Allo, but since it seems possible for Allo to make money, maybe it will receive more support than Hangouts did.

Setting aside the basic privacy issues of Google having access to the unencrypted, plaintext chats you have with friends and colleagues, the fact that Google is apparently unwilling to support its own products if they can’t be used to empower Google advertising is just gross. Google has impressively wasted the skills and talents of a generation of developers: imagine what might exist, today, if people were empowered to write software absent the need to data mine everything that is said for advertising purposes.

True stories of lawsuits, fisticuffs and harassment in condoland

Toronto Life:

Lifestyle clashes are inevitable when people of all ages and socio-economic backgrounds live on top of each other in a forced community. When different priorities collide, a siege mentality can set in. In the years since Pantoliano’s case, Toronto has sprouted tens of thousands of new condo units in every shape and size. Retired empty nesters live below boisterous hipsters. People who work night shifts are trying to sleep while parents are getting their toddlers off to daycare. Families with rowdy kids take up residence across the hall from quiet professional couples. And they all unrealistically expect the same degree of freedom and privacy as they’d have in a detached home. Instead, they’re keeping each other up at night, squabbling in hallways, sparring in elevators and petitioning condo boards. The shimmering vertical city has become a breeding ground for lawsuits, bullies and brawlers.

I’ve (generally) been blessed with good condo neighbours above, below, and around me for the entirety of my life. But having spoken to people in my own building who are living beside those who party all the time, cram 6+ people into three bedroom units, and drink and fight in the halls, I know that I’ve just been very fortunate.

Congress Needs to Press the Pentagon, Saudi Arabia on Abuses in Yemen War

Just Security:

The panel also said the coalition should have warned medical staff at the Doctors Without Borders-supported Haydan hospital in Saada governorate before bombing it six times. But the panel dismissed the seriousness of attacking a hospital by concluding there had been no “human damage.” Besides the two patients who the aid group’s country director told me were injured, the attack destroyed the emergency room of the hospital, which had received about 150 cases a week. It was the only medical facility within an 80-kilometer radius, making the “human damage” of the attack incalculable.

The panel also concluded that a February 27, 2016 attack on a village marketplace didn’t kill any civilians, while we documented 10 civilian deaths, including a woman and four children. In an attack on another marketplace on March 15, in which United Nations research and ours found that 97 people died, the panel incredibly said it saw no proof of civilian casualties. One man told us he lost 17 relatives and another lost 16.

The coalition’s examination of attacks is a reversal of past practice, but there’s a long way to go before its investigations can be considered credible, transparent, and impartial. Since the Saudis haven’t released details about the panel members or the actual reports on each incident, it’s hard to know why their findings are so different from what we and the UN found on the ground.

There are also many more airstrikes that need to be investigated. It is unclear how the panel chose these 8 strikes over the more than 70 apparently unlawful airstrikes that we and Amnesty International have documented, and the more than 100 that the United Nations has. These documented coalition strikes have killed nearly 1,000 civilians.

For instance, a March 30, 2015 strike on a camp for internally displaced people killed at least 29 civilians and another strike a day later on a dairy factory near the Hodaida port killed at least 31. On May 12, the coalition struck a civilian prison in the western town of Abs, killing 25 people.

That same day, aircraft dropped at least five bombs on a marketplace in the town of Zabid, killing at least 60. A July 4 attack on another marketplace in the village of Muthalith Ahim killed at least 65. On October 7, the coalition bombed a triple wedding in the village of Sanaban, killing 43 civilians, including 13 women and 16 children.

There is an ongoing human rights crisis in Yemen, supported by Western technology systems and implicitly backed by the world’s largest superpower. And, at the same time, Canada is selling armoured vehicles to nations known to engage in similar types of human rights abuses.

Trump’s Empire: A Maze of Debts and Opaque Ties

New York Times:

Tracing the ownership of many of Mr. Trump’s buildings can be a complicated task. Sometimes he owns a building and the land underneath it; sometimes, he holds a partial interest or just the commercial portion of a property.

And in some cases, the identities of his business partners are obscured behind limited liability companies — raising the prospect of a president with unknown business ties.

A revealing analysis of Trump’s actual financial situation.