Dark mode: ON

Infosec Decoded Season 3 #40: Concentrated Solar Power

With @sambowne@infosec.exchange

May 19, 2023

Sam Bowne

Potentially millions of Android TVs and phones come with malware preinstalled
Several lines of Android-based TV boxes sold through Amazon are laced with malware known as a clickbot. The TV boxes, reported to be T95 models with an h616, report to a command-and-control server that can install any application the malware creators want. It generates advertising revenue by surreptitiously tapping on ads in the background. Android devices that come with malware straight out of the factory box are, unfortunately, nothing new.
People in the market for an Android phone should steer toward known brands like Samsung, Asus, or OnePlus, which generally have much more reliable quality assurance controls on their inventory. To date, there have never been reports of higher-end Android devices coming with malware preinstalled. There are similarly no such reports for iPhones.

The concentrated solar power phoenix
Concentrated Solar Power (CSP) uses mirrors to concentrate the rays of the sun on a central "receiver" which gets so hot it melts sodium salts. These molten salts (at 600 C) can be used immediately to generate electricity, or they can be stored to be used later. The molten salts in their special reservoirs lose heat very slowly, so could be stored for days or even weeks.

I’m a Professor. Florida Just Banned Everything I Teach.
Gov. Ron DeSantis doesn’t want college students to learn anything but whitewashed history about racist violence in America. SB 266 not only forbids scholars of race, class, gender, and inequality from teaching in their areas of expertise, but also requires that general education courses indoctrinate students in the “Western canon,” drawing on a right-wing “American Birthright” curriculum.

Why We Forget That Most People Are Good
Data scientists at Stanford recently found that 74% of the conflicts on Reddit were instigated by only 1% of the users. And worse than that, the researchers found that most of these online conflicts were not fought by those who started them. They were fought by the innocent bystanders that got sucked into them. Research finds that 1% of people are convicted of 63% of the violent crimes, and 3% of doctors are responsible for roughly half of medical malpractice cases.

(0Day) (Pwn2Own) Mikrotik RouterOS RADVD Out-Of-Bounds Write Remote Code Execution Vulnerability
CVSS: 7.5 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Router Advertisement Daemon. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root.
Microtik won't patch it. The only mitigation strategy is to restrict interaction with the application.