Month: August 2018

Ron Amadeo

Android 9 Pie launch day was yesterday, and while a major new version of Android is always a big deal, today Android hit another big milestone: the first ever day-one update on a non-Google phone.

For years, the Android ecosystem has made updating the OS of a device seem like an impossible task. Some of Android's biggest OEMs take anywhere from three to six months to update their flagship phone, and this is the best support they offer—many devices do not get updated at all. Consider that Android 8.0 Oreo is about a year old now and has shipped on a whopping 12 percent of the Android active install base. The terrible state of Android updates has led some people to call Android a "toxic hellstew of vulnerabilities" due to all the devices running old software.

Enlarge / FCC Chairman Ajit Pai at Fox Studios on November 10, 2017 in New York City. (credit: Getty Images | John Lamparski )

Federal Communications Commission Chairman Ajit Pai yesterday acknowledged that the FCC lied about its public comment system being taken down by a DDoS attack during the net neutrality repeal proceeding.

Pai blamed the spreading of false information on employees hired by the Obama administration, and said that he isn't to blame because he "inherited... a culture" from "the prior Administration" that led to the spreading of false information. Pai wrote:

I am deeply disappointed that the FCC's former Chief Information Officer [David Bray], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I'm also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn't feel comfortable communicating their concerns to me or my office."

Pai's admission came in a statement yesterday. "It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission's career IT staff were hesitant to express disagreement with the Commission's former CIO in front of FCC management," he also said.

Enlarge / Coming to a device near you: Freddi Fish 666—the Phishing Apocalypse. (credit: collage by Sean Gallagher from urraheesh iStock & Humongous Entertainment)

It's Friday, August 3, and I have hooked a live one. Using StreamingPhish, a tool that identifies potential phishing sites by mining data on newly registered certificates, I've spotted an Apple phishing site before it's even ready for victims. Conveniently, the operator has even left a Web shell wide open for me to watch him at work.

The site's fully qualified domain name is appleld.apple.0a2.com, and there's another registered at the same domain—appleld.applle.0a2.com. As I download the phishing kit, I take a look at the site access logs from within the shell. Evidently, I've caught the site just a few hours after the certificate was registered.

As I poke around, I find other phishing sites on the same server in other directories. One targets French users of the telecommunications company Orange; others have more generic names intended to disguise them as part of a seemingly legitimate URL, such as Secrty-ID.com-Logine-1.0a2.com.  Others still are spam blogs filled with affiliate links to e-commerce sites.