Category Archives: News

Article note: It's interesting/surprising how many people have the savvy to flash a custom firmware and still leave it with default credentials.

Enlarge (credit: advancedtomato.com)

Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday.

The Muhstik botnet came to light about two years ago when it started unleashed a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including the Webdav, WebLogic, Webuzo, and WordPress.

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality of service control make Tomato popular with end users and in some cases router sellers.

Article note: Man, did that turn out to be prescient.

Article note: That is turning out more credible than I expected - especially in the context of the firmware shenanigans involved putting normal Linux on Chromebooks (my $80 used Chromebook 11-3189 still has unresolved issues with sound and input).

Article note: They were a (slightly douchey) fixture of a previous generation of internet culture. And it looks like a major part of the kill was the same "Facebook lying about user engagement" thing that took out a whole bunch of formerly prominent web content - I have to wonder how intentional that was, and how much was just layers of lying to look good, because both are entirely plausible.

Article note: Mmmmhm. Systematic coercion without a central actor just by a fucked-up incentive structure.

Article note: Oh, so that's what the dire rumors have been about. Windows' certificate validation is broken in a way that could subvert both network validation and code signing (eg. MITMs could inject bogus updates), it looked like enough of an infrastructure threat that that the NSA disclosed instead of using it, and y'all want to patch now.

Enlarge / The NSA says to patch now. (credit: National Security Agency)

Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.

Microsoft has rated the update as "important" rather than critical. But in a blog post, Mechele Gruhn, the Principal Security Program Manager for Microsoft Security Response Center, explained that this was because "we have not seen it used in active attacks."

However, researchers outside Microsoft—including Google's Tavis Ormandy—have a much more dire assessment of the vulnerability and urge users to patch quickly before an active exploit appears.

Article note: As I've been snarking lately, My body is ready for AI Winter 3.0. The bullshit has boiled over and is making it hard to accomplish useful work in even vaguely adjacent fields.

Article note: This is an interesting reflection, with things to think about for ecosystem churn in general.

Article note: Neat.