40 thousand routers compromised: Hashtag Trending for Wednesday, March 27th, 2024

A new cyberthreat is taking down home routers. Germany passes a law insisting on end-to-end encryption. Reports expose the craziness of tech hiring practices, the US government has had it with SQL injection attacks, and Elon Musk gets a smackdown from a federal judge as we see more from the X files – The Musk is out there.

These stories and more on the “check your references” edition of Hashtag Trending. I’m your host, Jim Love, let’s get into it:

A major new cyber threat has been uncovered that is targeting routers and smart home devices around the world. Researchers at communications company Lumen Technologies have revealed details of a widespread hacking campaign that has already infected tens of thousands of vulnerable devices.

A notorious botnet known as TheMoon, which researchers thought was taken down years ago, has been resurrected by hackers. In just a 72-hour period earlier this month, it infected more than 6,000 Asus routers.

But that’s just the tip of the iceberg. Lumen’s investigation uncovered that from January through February, TheMoon compromised over 40,000 routers and smart devices across 88 countries.

Many of these infected gadgets are now being used to power a criminal proxy service called Faceless, allowing users to disguise their identities and malicious internet activities.

Experts believe TheMoon’s revival is linked to cybercriminals seeking new ways to cover their tracks as law enforcement ramps up investigations into online crime rings. Nearly 7,000 new users are joining the Faceless network weekly.

While the specific hackers are unknown, it’s a disturbing broader trend. Lumen has seen seven separate campaigns just in the last two years exploiting vulnerabilities in routers and other smart home technology with poor security controls.

For consumers, the advice is clear – keep your router software updated with the latest security patches. Lumen has blocked access to the infected devices on its networks for now, but this evolving threat underscores how prevalent outdated and insecure connected devices have become.

Sources include: Axios

In a stark contrast to efforts by many governments to undermine digital privacy, Germany is taking a totally different approach by enshrining the “right to encryption” into law.

While the United States, United Kingdom and others push for ways to weaken encryption in the name of security, the German government is taking the opposite approach – drafting first-of-its-kind legislation to make end-to-end encryption mandatory for messaging, email and cloud service providers.

The proposed law, published this week by Germany’s Ministry for Digital and Transport Affairs, would require tech companies to use strong encryption wherever technically feasible to guarantee confidentiality and protect users’ fundamental rights.

Digital rights activists are applauding the draft bill as a landmark win for online privacy and data protection – areas where Germany has historically been a leader with its strict data laws.

The legislation specifies that “individual messenger services” can no longer forgo full encryption or only partially encrypt, unless there are legitimate technical limitations.

Maximilian Funke-Kaiser, digital policy spokesperson for Germany’s Free Democratic Party, says it’s a “necessary measure” to prevent future erosions of encryption after anti-encryption efforts like the controversial “Chat Control” proposals.

While the draft law still needs to pass Parliament, likely in 2025, its intent is being celebrated by privacy proponents as Germany bucks the global trend of governments seeking encryption backdoors or client-side scanning capabilities.

Ten years after encrypted email service Tutanota launched in Germany, the country is now poised to be the first in the world to enshrine digital secrecy and “the right to encryption” as fundamental citizen rights in federal law.

Sources include: Tuta

The U.S. government is cracking down on SQL injection flaws once and for all.

SQL injection attacks have plagued websites and applications for decades, allowing hackers to maliciously access and manipulate backend databases. Now, U.S. authorities say they’ve had enough of companies shipping products with these “unforgivable” vulnerabilities.

In a new alert, the FBI and the Cybersecurity and Infrastructure Security Agency are pressuring software vendors to launch formal code reviews and build security into their development lifecycles from the ground up.

Their call comes after last year’s massive supply chain hack against MOVEit file transfer software, enabled by a SQL injection zero-day flaw that exposed data on 95 million individuals.

SQL injection holes exist when user input isn’t properly sanitized, allowing it to modify back-end database queries maliciously.

While a well-known issue for over 15 years, the government says such vulnerabilities are still prevalent and indefensibly included in new software releases.

Vendors are being advised to incorporate “secure by design” principles – using techniques like parameter binding that separate code from user input – rather than relying on brittle sanitization filters easily bypassed by hackers.
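To make the difference concrete, here is an added example (not from the alert or from any vendor's code) that runs the same account lookup two ways against an in-memory SQLite database: once with a quote-stripping filter, once with parameter binding. The table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)],
    )
    return db


def strip_quotes(value):
    # A typical "sanitization filter": drop quote characters and comment markers.
    return value.replace("'", "").replace('"', "").replace("--", "")


def lookup_filtered(db, account_id):
    # Weak: the filtered input is still pasted into the SQL text,
    # so the database parses whatever survives the filter as code.
    sql = "SELECT owner FROM accounts WHERE id = " + strip_quotes(account_id)
    return sorted(row[0] for row in db.execute(sql))


def lookup_bound(db, account_id):
    # Corrected: the SQL text is fixed and the value travels separately,
    # so it can only ever be compared as data.
    sql = "SELECT owner FROM accounts WHERE id = ?"
    return sorted(row[0] for row in db.execute(sql, (account_id,)))


if __name__ == "__main__":
    db = make_db()
    crafted = "2 OR 1=1"  # contains nothing the filter removes
    print("filtered:", lookup_filtered(db, crafted))
    print("bound:   ", lookup_bound(db, crafted))
```

The filter leaves the crafted value untouched because it contains no quotes, yet the concatenated query returns every account; the bound query returns none, because the whole string is compared to the id column as a single value.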

Beyond pushing for better coding practices, the alert urges transparency, telling companies to properly disclose SQL flaws using the standard CVE system so customers can track their exposure.

Analysts say the government message is clear – businesses dragging their feet on well-established security basics are jeopardizing the economy and national security.

Sources include: The Register

A federal judge has dismissed a high-profile lawsuit from Elon Musk’s social media platform X against an anti-hate group, in a ruling seen as a victory for free speech over the billionaire’s attempts to stifle criticism of his company’s policies.

The lawsuit was against the Center for Countering Digital Hate, an organization that has been highly critical of the social network’s handling of hate speech and misinformation under Elon Musk’s ownership.

In a scathing ruling, Judge Charles Breyer said X’s motivation was clear – “to punish the defendants for their speech” criticizing the company, and perhaps “dissuade others” from similar criticism in the future.

The Center had published reports blasting X, formerly known as Twitter, for failing to act on hateful content posted even by premium users. It also alleged racist and antisemitic posts went unaddressed.

Musk’s company sued the non-profit last year, claiming it had waged a “scare campaign” that drove away advertisers and cost X tens of millions in lost revenue. It accused the Center of unlawfully scraping data from the platform.

But Judge Breyer dismissed the breach of contract and illegal scraping allegations, saying X did not adequately show any actual losses. He stated that if the Center’s reports were defamatory, that would be one thing – but X carefully avoided claiming they were.

The Center says the landmark ruling will embolden public interest researchers to ramp up efforts holding social media companies accountable for hate and misinformation they host.

It’s a stinging rebuke of Musk’s scorched-earth legal tactics against one of his chief critics – the very kind of speech his self-professed “free speech” stance claimed to uphold.

Sources include: The Verge

Is tech hiring broken? The tech industry’s hiring practices are facing intense scrutiny.

It’s a tale of two extremes when it comes to hiring at Big Tech.

On one side, you have Google’s notoriously grueling interview process that has rejected highly skilled engineers. Ironically, one that they rejected is the creator of the popular Homebrew package manager, which a lot of Google teams use.

At Google, countless would-be employees talk about interviews that fixated on theoretical problems and rote memorization over practical troubleshooting abilities.

On the other, you have Meta reportedly hiring candidates for critical AI roles without any interviews at all, such is the company’s desperation to rapidly onboard talent amid the artificial intelligence arms race.

And Meta has CEO Mark Zuckerberg personally recruiting from rivals like DeepMind and offering extravagant counteroffers just to stanch the AI brain drain caused by the company’s push into generative AI.

However, the rush to hire has Meta employing candidates sight-unseen based on credentials alone, raising eyebrows about vetting standards.

The dysfunction isn’t limited to those two companies either. Accounts also depict Amazon discarding engineers every two years in a philosophy of constantly refreshing its workforce with new, wide-eyed talent.

Big tech’s hiring insanity is putting talent through the wringer or failing to properly evaluate it at all. And then, of course, there’s the layoffs.

Just checking – anybody think there’s a correlation between Google’s hiring process and its failure to get traction with anything that grabs public imagination?

In a world where we know that your big advantage is your team and culture, this situation is nuts. I’ve said it before and I’ll say it again – we are smart people, with emphasis on people. We can do better than this.

Sources include: IndiaToday

And finally, the Daily Beast did a story on how older people are falling for AI generated fakes on Facebook.

According to a research report quoted in the article, older people are much more likely to be fooled by AI generated pictures and voices.

We used to dread the “talk” we had to have with our kids. Well, there’s another “talk” you have to have – with your parents.

There’s one scam in particular that is growing – the fake kidnapping of a child.

If you think it can’t happen to you, I’ll tell you, my dad – a smart man – was fooled by a similar scam where someone told him my brother was being jailed and needed bail to get out. He sent them money. When he told me about it, he said, he knew it could be fake, but could he take the chance?

Now with AI and deep fakes, anyone could be fooled, and they are being. So here’s our public service announcement, and most of our audience may be pretty savvy, but tell your friends – get a password with your kids, and if you don’t have one, and god forbid you ever get one of these calls, ask for what the cops call proof of life – some piece of info only your kids or grandkids would know – not something they’d put on Facebook. Think about it now – not when you or your parents get a call in the middle of the night.

Sources include: The Daily Beast and WCPO TV

And that’s our show for today…

Remind your friends that they can get us anywhere you get audio podcasts – Google, Apple, Spotify, wherever, and even on their smart speakers – and remind yourself that if you like the podcast, please give us a good review – it matters. And as I’m sure you know, there is a copy of the show notes at itworldcanada.com/podcasts

I’m your host, Jim Love. Have a Wonderful Wednesday.

 

 



Jim Love, Chief Content Officer, IT World Canada
I've been in IT and business for over 30 years. I worked my way up, literally from the mail room and I've done every job from mail clerk to CEO. Today I'm CIO and Chief Digital Officer of IT World Canada - Canada's leader in ICT publishing and digital marketing.
