AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 12/10/2020

Amnesia-33 vulnerabilities affect 158 vendors, millions of devices

Thirty-three vulnerabilities in open-source TCP/IP stacks, often buried deep in internet-connected devices, may cause years of issues for hundreds of manufacturers and for business and home customers alike. Further complicating matters, affected manufacturers may not immediately know their devices are at risk. The package of vulnerabilities, discovered by researchers at Forescout and dubbed Amnesia-33, is buried deep in the supply chain: third-party software used in components assembled into everything from printers to picosatellites, smart plugs and operational technology equipment. “Many vendors have been willing to work on mitigating the vulnerabilities,” said Elisa Costante, vice president of research at Forescout. “But some of the vendors we’ve spoken to are still trying to figure out if they are impacted.” The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is expected to make a public announcement about the issue today and has been working with manufacturers behind the scenes on disclosure.


Smellicopter drone uses a live moth antenna to detect smells

Researchers from the University of Washington have created a drone that accurately detects smells using a live moth antenna. Two tiny wires coming out of the antenna connect it to a circuit, which lets the drone essentially smell. The sniffing drone can fly autonomously, using the antenna to fly toward smells while simultaneously avoiding obstacles. The main reason the researchers explored biological sensors is that they are much better than any we can build. Lead author Melanie Anderson, a University of Washington doctoral student in mechanical engineering, said: “By using an actual moth antenna with Smellicopter, we’re able to get the best of both worlds: the sensitivity of a biological organism on a robotic platform where we can control its motion.”


Cloudflare and Apple design a new privacy-friendly internet protocol

Engineers at Cloudflare and Apple say they’ve developed a new internet protocol that will shore up one of the biggest holes in internet privacy, one that many don’t even know exists. Dubbed Oblivious DNS-over-HTTPS, or ODoH for short, the new protocol makes it far more difficult for internet providers to know which websites you visit. But first, a little bit about how the internet works. Every time you visit a website, your browser uses a DNS resolver to convert the web address into a machine-readable IP address that locates the web page on the internet. This process is not encrypted, meaning that every time you load a website the DNS query is sent in the clear. That means the DNS resolver — which might be your internet provider unless you’ve changed it — knows which websites you visit. That’s not great for your privacy, especially since your internet provider can also sell your browsing history to advertisers.
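As an added illustration of the exposure described above (example code, not from the article and not Cloudflare's or Apple's), the following Python script builds a classic, unencrypted DNS query the way a stub resolver does and then reads the queried hostname straight back out of the raw bytes, which is exactly what the resolver or any on-path observer can do. The hostname and transaction id are constructed sample values.

```python
import struct

# Constructed example: a plain RFC 1035 DNS query as it travels on the wire
# (UDP port 53), with nothing protecting the question section.

def build_dns_query(hostname: str, txn_id: int = 0x1234) -> bytes:
    """Encode an A-record query for hostname in DNS wire format."""
    # 12-byte header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is length-prefixed, terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def observed_qname(packet: bytes) -> str:
    """Recover the queried name from raw packet bytes, as a passive observer would."""
    labels = []
    pos = 12  # skip the fixed-size header; the question starts right after it
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            # compression pointers appear in answers, not in a query's question
            raise ValueError("unexpected compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

if __name__ == "__main__":
    pkt = build_dns_query("www.example.com")
    print(pkt.hex())
    # Anyone who sees these bytes learns the site being looked up; DoH and
    # ODoH exist to take this plaintext off the path between you and the resolver.
    print("observer sees:", observed_qname(pkt))
```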


Open Source Developers Still Not Interested in Secure Coding

Coding new features, improving tools, and working on new ideas are the top 3 activities that motivate open-source developers to continue coding. At the bottom of the list? Security. In a survey of 603 free and open source software (FOSS) contributors, the Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard University (LISH) found that the average FOSS developer spent only 2.3% of their time on improving the security of their code. While the contributors expressed the desire to spend significantly more time on their top 3 activities, they did not feel compelled to spend additional time on security, according to the 2020 FOSS Contributor Study released this week. Developers’ opinions of security and secure coding — calling it a “soul-withering chore” and an “insufferably boring procedural hindrance” — highlight a significant gap between companies’ desire to harden their applications against attacks and getting their own developers on board.


Suspect in case of Mirai botnet, which knocked major sites offline in 2016, pleads guilty

The U.S. Department of Justice on Wednesday announced that an unnamed defendant has pleaded guilty in connection with a cyberattack that rocked the internet in 2016. The October 2016 distributed denial-of-service attack affected Dyn, an internet infrastructure company, before rippling out to cause outages for sites including Twitter, Netflix, Spotify, Airbnb and Reddit, among others. DDoS attacks typically occur when attackers access a network of hacked computers, then direct those connections to a single point on the web, overwhelming the target with traffic and knocking it offline. In this case, the defendant conspired with others in September and October 2016 to leverage an offshoot of an army of hacked computers known as the Mirai botnet, the Justice Department said Wednesday. The malicious tool relied on connected video cameras, recorders and other devices to carry out the incident.


Facebook hit with antitrust suits that seek to ‘unwind’ Instagram, WhatsApp acquisitions

A consortium of 48 attorneys general and the U.S. government filed antitrust lawsuits against Facebook Inc. on Wednesday, claiming it committed unlawful, anticompetitive acts that put rivals out of business and cemented its status as the pre-eminent social-networking giant. The states’ suit, spearheaded by New York Attorney General Letitia James, focuses on Facebook’s acquisitions of photo-sharing app Instagram and messaging service WhatsApp, and their role in turbocharging Facebook’s market dominance. The suit could force Facebook to divest some of those businesses and to inform state AGs of significant merger and acquisition activity of more than $10 million. “For nearly a decade, Facebook has used its dominance and monopoly power to crush smaller rivals and snuff out competition, all at the expense of everyday users,” James said during a 20-minute press conference Wednesday announcing the charges. The attorneys general of 46 states, as well as the District of Columbia and Guam, were named in the suit, while Alabama, Georgia, South Carolina and South Dakota did not participate.
