Sign of the times: Mirai botnet strain fine-tunes itself to infect digital signage, projectors A strain of the botnet malware Mirai has emerged focused on a wider set of embedded internet-connected devices. Researchers at Palo Alto Networks' Unit 42 this week stated that a variant of the notorious Internet-of-Things infector is now looking to hijack TVs and projectors designed to display information and adverts, as well …
Yet another batch of vulnerabilities in my router that Netgear are never going to fix.
It's really time to move on to something more up-to-date that still gets firmware updates, but how to choose?
It's about time all manufacturers were required to state on the product packaging a clear date up to which they will provide security fixes.
"suppliers MUST maintain the security and functionality of any Internet-connectible device for at least 5 years after that last sale of the product"
Firstly, "suppliers" or "manufacturers" - I don't believe suppliers are on the hook for maintenance, manufactures are.
Secondly, for the vast majority of impacted devices it is already the case that they are beyond the "end of sale" date as set by the manufacturer.
You concept is valid, there is a case to be made for manufacturers providing fixes for a period. What is a "fair" length of time, and what if they've gone out of business?
Firstly, "suppliers" or "manufacturers" - I don't believe suppliers are on the hook for maintenance, manufactures are.
Mostly the manufacturers are in a far-off land and you only have legal power over the suppliers which are typically in your own country, so make them liable as well so they have to get the appropriate contract provisions, code escrow, liability insurance, etc in place.
You concept is valid, there is a case to be made for manufacturers providing fixes for a period. What is a "fair" length of time, and what if they've gone out of business?
I guess "fair" is up to the legislators to define, but I suggested 5 years as the typical write-off period in accounting for many items (as well as the sort of time scale I expect keep stuff for). If the manufacturer (or supplier) has gone out of business then the other should be on the hook - again, it places some onus on both to have some sort of system in place to keep things going (or replacements/compensation if they can't).
Yes, I know this will drive up costs, etc, but in the long run it would lower the costs to society for which we all eventually pick up the tab for.
A spot of wishful thinking there, I think. Of sure, medium and large businesses may have the clout to do so, but there are a number of small but rather wealthy businesses (think lawyers and doctors and vets) that haven't a clue, yet might have a need for that shiny screen in waiting room. I don't think they have the faintest idea what Mirai even is and why they should bother about it.
They might not have the need for a "business" screen either and just prop up a bland, non-connected screen like any sane person would, but when you couple ignorance with money, crazier things have happened.
Why, just last month I had a very interesting conversation with my ophthalmologist who talked about his laptop (yes, he knows I'm an IT guy) and that his work application needed an update and told me that he had another "expert" who promised him he could get it for him for free. I had to then explain that first, there isn't a big chance that a company making ophthalmology software would leave their updates on BitTorrent, and if so, there was an even smaller chance that the update wouldn't have an "update" of its own. I then proceeded to explain that the golden age of people hosting cracks for various software and games out of the goodness of their hearts was long gone and today, said cracks are to be assumed to be accompanied by malware.
In the end, he agreed that it was probably a better idea to just pay for the damn upgrade. Whew ! One bullet dodged. This time.
This being my use case, you must understand that this professional is not only an intelligent man and a good professional, he's also far from poor. Yet, he was entirely ready to rely on some schmuck offering a free upgrade for an obscure application. You really think that he'd be able to spot some Mirai infection on the screen he has in his waiting room ? I can assure you, he wouldn't even notice the impact on his bandwidth, because I'm sure he's got a 100Mbit line and he uses one percent of that.
Right - I was getting my teeth cleaned a year ago and was chatting with the hygienist about a movie and she said, "I'll look it up on Google" - she clicked on the big screen showing my X-rays and mouth layout and voila - they were still running Windows-XP ... and browsing the Internet on the same PC that had all the customer data.
That was a useful heads-up; I checked and the WePresent / WiPG1000 thingy we have in our boardroom was indeed potentially an issue. In amongst all the other messes I inherited from a predecessor with a vague idea of IT admin, it had the same admin password he used everywhere (at least not factory default, I guess), a DHCP address with a valid default gateway (why does it need internet access - it can't pick up its own firmware) and hadn't been updated since 2015. My excuse for not getting it sooner is that it was hiding above a ceiling panel...
The manufacturer's site is decent (https://www.barco.com/en/product/wepresent-wipg-1000); the latest firmware from this month is sitting there ready to download and you can register your product to receive update notifications via email. Good work Barco!
YMMV with your router...
OTOH a boardroom projector suddenly running a competitor's ads might be a less damaging wakeup call
Boardroom projects have very small "target audience". Think bigger.
Those LG Supersign panels with built-in digital signage in them? Some of them can be found in airports. Imagine what would happen if some fut nuck would hack into them and start spewing out messages like "I have hacked the airport. I have hacked your aeroplane. Have a safe flight".
The word "panic" would be an understatement of the year. I'll take Petya/Wannacrypt over this.
Of late I find that I assume that any system I use is compromised, or will be soon, and any place with data about me will inevitably be hacked, or the data sold to an outside party.
I assume nothing is secure, and that no corporation will voluntarily admit when their system has been compromised. I have utterly no trust in Google, Facebook, Twitter, or that ilk.
Yes I still use the Internet, and no, I don't like it,
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
