The Kavalan Cyber Safety Newsletter

Cyber security and cyber hygiene spoken simple

(This newsletter contains links to external websites. Please review their terms of use and privacy policies before using those websites.)

August 2023 Edition

EXECUTIVE SUMMARY: We cover the fantastic tale of the hacker sometimes known as 'The Doctor' and other times as the 'Janit0r' who played cyber Thanos and destroyed over 10 million devices to save the planet from another hacker - or so he says. Maureen The Clean discusses Phlashing while juggling kids and her day job. Jake The Pedantic reveals his command of the 'come to papa' phrase while discussing 'Juice Jacking' while Samuel The Harangued continues to whack-a-mole Aunt Mabry's cyber indiscretions.

Know Your Cyber Threats

by

Maureen The Clean

Phlashing Attacks

In 2016, a hacker who called himself/herself 'The Doctor' but was given the nickname 'The Janit0r' destroyed over 10 million internet-connected home devices, including 60,000 Indian home internet routers, and made them completely unusable. Thanos would have blushed with a move like THAT!

'The Doctor', in a letter admitting guilt written to a news outlet, called it an 'Internet Chemotherapy'. 'The Doctor' used what is called a Phlashing attack, also known as Permanent Denial of Service (PDoS), where the attacker runs malicious code on a device and causes irreparable damage, rendering the device completely unusable (also called 'bricking a device' since it can only be used as a brick or paperweight afterwards). His motivation was to stop poorly designed, insecure home devices from connecting to the internet before a more malicious hacker could compromise them and use those same devices as weapons in a larger attack on the internet! But he didn't stop there. He released the source code to his malware, and soon it ran wild amongst people who had a lot more malicious intent, and many variants sprouted. Do you call 'The Doctor' a hacker? A vigilante? Irresponsible? Ethical or unethical? If so, what about the makers of these home internet devices who continue to sell devices with known vulnerabilities? The debate continues as devices increase exponentially in our homes!


What do Phlashing Attacks Target?

Internet-connected devices in companies and homes, such as smart TVs, home routers and security cameras, are all prime targets. They are exploited through unpatched vulnerabilities. Unfortunately, these are plentiful, and pretty much every major brand has been guilty of pushing out poorly secured code in its devices, including code from Chinese manufacturers.

How to Protect Yourself?

Here are 3 things you can do to reduce your risk. Unfortunately, these issues mostly stem from the vendor:
  • Change the default password on all internet connected devices and make them strong passwords.
  • Make sure to update all devices to the latest patches. Enable automatic updates, if possible.
  • Check to see if your device manufacturer is still issuing software updates or patches for your device. If they have issued an 'end-of-life' notice for the device or components inside the device, it may be prudent to remove that device from your home network.

'Come to Papa!'

by

Jake The Pedantic

'Juice Jacking' With USB Ports

Hackers have figured out how to install malware behind those free USB charging stations in airports, malls, etc. It is perfect for them - they install the malicious USB once and people walk over to get hacked! Hackers call it 'Juice Jacking'. It is a big enough issue that the FBI and FCC have issued warnings about it. Juice jacking has been around since at least 2011, and major phone manufacturers have built in protections since then, requiring user permission for data transfer or software installs. But jailbroken phones and other devices, such as handheld gaming systems or devices from lesser-known vendors, could still be vulnerable.

TIPS TO AVOID IT
  • Use the right power adaptor! It comes with most of the common devices like phones!
  • Use your own battery charger!
  • If you are in a bind and have to use a USB outlet, power off your phone - still not foolproof but at least you are making it harder and lowering your risk.

Aaargghh! with Samuel the Harangued

Sunny With A Chance Of Privacy Breach

Why are there so many weather apps out there? Some even require you to pay for them? They are all selling data from the National Weather Service that is free anyway. Weather apps capture your geolocation. But why do they need access to your contact list, camera, microphone, your email and more? It is because they want your data. There are hundreds of weather apps on each of the top app stores, many operated by shady app developers looking to make a quick dime selling your data. Make sure to enable the least amount of privileges or access required for the app. Always check the app developer's privacy policy to see what they do with your data.
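For readers who like to check for themselves, here is the "least amount of privileges" test as a small script. It is an example added here, not code from any app or vendor: it reads the permission list from an Android app's manifest and flags everything a weather app does not obviously need. The sample manifest, the package name and the "expected" list are constructed assumptions, and the manifest is assumed to be already decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a forecast app plausibly needs (network access plus location).
EXPECTED_FOR_WEATHER = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Permissions guarding the data named in the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.GET_ACCOUNTS": "accounts on the device",
}

# Constructed sample manifest for a made-up weather app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sunnyweather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
""".strip()

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions the manifest asks for."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)

def audit(manifest_xml, expected=EXPECTED_FOR_WEATHER):
    """List (permission, reason) for every request outside the expected set."""
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm not in expected:
            what = SENSITIVE.get(perm)
            findings.append((perm, f"sensitive: {what}" if what else "unexpected"))
    return findings
```

Calling `audit(SAMPLE_MANIFEST)` returns the four requests that go beyond location and network access; those are the ones to deny or to question before installing.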


Threats and Breaches

Fool me once, shame on you. Fool me twice, shame on me! Imagine losing money in a crypto scam and then being targeted again by a scammer who promises to recover your money? Crypto recovery scams are now a thing. Read the FBI warning.

Crypto Recovery Scams

Are you using an old router that the manufacturer has issued an 'end-of-life' notice on? These are ripe targets for hackers to convert into botnets or, worse, to steal your data. Some old Zyxel routers are being actively targeted.

Old Home Routers Being Attacked

99.98% of Americans can be uniquely identified with just 15 characteristics such as marital status, age, gender. The data broker industry trades over 1500 characteristics about each of us thousands of times a day across every app, device and website we use.

No Such Thing As Anonymous Data