shift change 2024-02-07
Welcome to your shift change report: news from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.
1. Say it with me now: toothbrushes don’t need to be network, c’mon now give it another go with gusto: TOOTHBRUSHES DO NOT NEED TO BE NETWORKED.
- An un-attributed threat actor turned roughly 3 million internet connected toothbrushes—yes, toothbrushes—into a botnet and used the processing power of those toothbrushes to knock Swiss newspaper Aargauer Zeitung offline:
According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website. The firm’s site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business.
In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.
- An internet connection is not necessary to track oral health information (but it is necessary to package and sell personal advertising data,) and you could get all the same bells and whistles if anyone designed (privacy and security by design are things) these toothbrushes to do their math on device (or with a limited link to your phone, which has plenty of processing power.) If Apple can build the next generation of Siri to run substantially on the iPhone, a toothbrush can be designed to minimize the connection the dental tool needs to the wider, exposed, web. Where it will be found, probably with (or something like) Shodan.
- Who is tracking the security updates their toothbrush needs? Is the company pushing out updates, or patches? Who or what is responsible for educating the already over-exhausted-with-tech-shit public about the the security implications of their freaking toothbrush?
- It is practically impossible for an individual to avail themselves of the data takedown offerings from all the data hoarders and services on the market—so of course, a service for a fee can automate it for you. These services, whether Mozilla or Deleteme, or otherwise, can never address every instance of your data being available. But they will help with what they can, until a better solution (like an aggressive federal privacy scheme that minimizes the ability to hoard personal data over time) can develop.
- You can get a free scan to better improve your awareness of the exposure of your information: here. Also avail yourself of the classic, have I been pwned?
3. Governments love buying vulnerabilities and spyware; Google points out those vulnerabilities and that spyware are coming for them.
- The first link above is the Amazon page for “This Is How They Tell Me The World Ends” by Nicole Perlroth, an outstanding expose on the birth and growth of the international vulnerabilities market—and the United States governments central role in the birthing and nurturing of it. The second link is to the front page of Google’s report about that same market, and how its products and services are coming back with against US companies (if it is happening to Google, it is happening to not-Google somewhere else.) The full report is here, and the index of “commercial surveillance vendors” that Google tracks is a great start to understanding or mapping the public faces of the market.
Unfortunately, Google’s plea to the US government to take a leadership role in killing this market, below, is unlikely to go anywhere or do anything because the US is an enthusiastic and successful participant in that market, and the American public has not experienced significant enough digital pain-and-frustration to make harming the market the US benefits from a priority. Google is warning us it is coming though.
4. If you are using FortiSIEM, maybe check this out: two vulns with provisional CVSS scores of 10 reported in Fortinet security monitoring software.
- Two vulnerabilities, in security monitoring software, and maxed out on the CVSS rating, is either big news or will be big news, It will sure pucker someone up somewhere.
- The vulnerabilities are CVE-2024-23108 and CVE-2024-23109.
## The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted (especially if its free, virtual training or networking events that could help the community as a whole).