Elsewhere online: 

• Russian hacktivist group Killnet invests in media stunts to build its clout
• Plugin used to secure WordPress caught logging plaintext passwords
• A fake Proof of Concept on GitHub exposes researchers to malware
• An executive at TikTok says Australian users’ data is accessible in China
• Millions of user records are exposed due to exploitable flaws in QuickBlox

Citing “Medical Misinformation,” YouTube Censors Australian MP’s Maiden Speech

During the COVID-19 pandemic, Australia was one of the strictest countries with regard to quarantining and other social distancing practices. Three years on, Didi Rankovic at ReclaimTheNet.org believes that the coronavirus is still being used as an excuse for governments to restrict otherwise free, legally protected speech.

Rankovic sees no better example of this than in the censorship of John Ruddick’s maiden speech to parliament as the new MP from New South Wales. The “misinformation” Ruddick allegedly spread in his address last Wednesday was in line with him disagreeing with the way his own party, the Liberal Democrats, chose to deal with the pandemic as early as 2021. YouTube flagged Ruddick’s speech under “medical misinformation.”

In his speech, Ruddick spoke out against how New South Wales had been turned into an “authoritarian Covid police state,” while enacting “(Covid) vaccine extremism“. He claims that people were forced by the government to receive a new, insufficiently tested vaccine – against their own personal autonomies — or face the threat of radical disruption to their professional and personal lives.

Despite YouTube’s general censorship of his speech, it is still available on the party’s own account on YouTube, as well as on Twitter, where it likely has a higher likelihood of survival.

“We’re obviously very disappointed that YouTube feels the need to censor something…as time-honored as a maiden speech, but we also oddly must thank them as we’ve benefited from the Streisand effect,” said the party, referring to the video raking in nearly a quarter million views on Twitter alone in a short amount of time.

Read: https://reclaimthenet.org/youtube-deletes-australian-politicians-first-speech-to-parliament

Microsoft Blocks OWA Tokens in Light of Chinese State Actor Cyber Attack on Western European Governments

Last Tuesday, Microsoft repelled a cyber attack by Chinese nation-state actors targeting two dozen organizations, including European government agencies, in a cyber espionage campaign designed to acquire confidential data. The attacks, which started on May 15, sought access to email accounts that affected nearly 25 entities.

The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe. “They focus on espionage, data theft, and credential access,” said Microsoft. “They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access.“

The breach was detected a month later, on June 16, after an unidentified customer reported the anomalous email activity to the company. Microsoft said it notified all targeted or compromised organizations directly via their tenant admins. It did not name the affected organizations or disclose how many accounts had been hacked.

According to the Washington Post, however, the attackers managed to break into a number of unclassified U.S. email accounts. This access was facilitated by forging authentication tokens through Outlook Web Access in Exchange Online (OWA) and Outlook.com.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com,” said the Post. “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.“

Microsoft has since blocked the usage of tokens signed with the acquired MSA key in OWA to mitigate the attack. “This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems,” said Charlie Bell, executive vice president of Microsoft Security.

Read: https://thehackernews.com/2023/07/microsoft-thwarts-chinese-cyber-attack.html

Revolutionary Zapple Pay Enables Bitcoin Tipping on Damus Despite Apple’s Objections

The newly introduced independent payment service promises to be independent of the Damus iPhone app, which Apple has attempted to ban and allows users to tip one another on any app that uses the Nostr protocol.

Apple (AAPL) has threatened to delete the Bitcoin-friendly social media app Damus from its App Store because it allows users to tip or “zap” each other with bitcoin (BTC) on content posted in the app – a prohibited practice that the tech giant apparently believes akin to selling digital media.

Damus developer William Casarin eventually relented, settling the dispute by removing the application’s capacity to send zaps on posts or notes; users may still reward each other at their profile level. Damus is famous among bitcoiners, thanks in part to the tipping feature, and cryptocurrency supporters have weighed in on its favor following Apple’s crackdown. Former Twitter CEO Jack Dorsey, whose current company Block (SQ) is mostly focused on Bitcoin, went so far as to criticize Apple CEO Tim Cook on the topic.

Read: https://www.coindesk.com/tech/2023/07/10/apple-may-not-like-it-but-zapple-pay-finds-workaround-for-bitcoin-tipping-on-damus/

Meta’s Threads Raises Privacy Concerns With Data Collection and Instagram Integration

Threads, Meta’s contender to Twitter, received a stroke of luck on its launch week as its rival limited user traffic and signups. Twitter’s unexpected move resulted in an influx of tens of millions of users to Threads, making for a successful launch.

The linkage of Threads and Instagram accounts appears to be permanent, which may pose regulatory issues for Meta. Removing Threads from a device would also result in the removal of Instagram, potentially leading to difficulties for the company. Although Meta has pledged not to run ads until it reaches a billion users, brands are already joining the platform, and data is being collected for future campaigns.

Although Threads has already begun in over 100 countries, the app’s launch in the EU has been postponed indefinitely because of privacy concerns. Meta is facing legal challenges on numerous fronts in the region, all of which could further delay the rollout.

Read: https://www.cpomagazine.com/data-privacy/newly-launched-threads-already-raising-privacy-concerns-with-sensitive-data-collection-instagram-sharing/

Updates to Google’s Terms and Conditions Say All “Publicly Available Information” Now Fair Game to Train Its AI

New additions to Google’s privacy policy have users worried. Google’s terms and conditions now explicitly state that all of your “publicly available information” will now be used to train in-house AI models alongside other products.

From the privacy policy page: “In some circumstances, Google also collects information about you from publicly accessible sources…We may collect information about you from trusted partners, such as directory services…marketing partners…and security partners. We also receive information from advertising partners to provide advertising and research services on their behalf.“

On clicking “publicly accessible sources” above, users are redirected to a pop-up window that gives more information on the terms used: “For example, we may collect information that’s publicly available online or from other public sources to help train Google’s AI models and build products and features, like Google Translate, Bard and Cloud AI capabilities.”

Given the controversy over AI use generally, it might not seem like the best idea to have this information easily missed on a page where it should perhaps be a lot more prominent. Whereas in the pre-AI era, any media posted online was likely to be scraped by a search engine, under these new terms, that same media will now be used to train its products and “AI models.”

Others seem to agree. In a class action lawsuit filed on July 11, eight individuals have accused Google of “harvesting data in secret” to build its AI products without consent. The lawsuit points out that Google’s decision violates rights and gives it an “unfair advantage” compared with its competitors, which lawfully obtain or purchase data to train AI. The plaintiffs argued that “publicly available” does not and has never entailed that it is “free to use for any purpose.” According to the lawsuit, Google could potentially owe upward of $5 billion in damages.

Read: https://www.malwarebytes.com/blog/news/2023/07/google-plans-to-scrape-everything-you-post-online-to-train-its-ai

Elsewhere online: 

Russian hacktivist group Killnet invests in media stunts to build its clout
Read: https://www.darkreading.com/attacks-breaches/killnet-wants-to-consolidate-russian-hacktivist-groups

Plugin used to secure WordPress caught logging plaintext passwords
Read: https://www.securityweek.com/popular-wordpress-security-plugin-caught-logging-plaintext-passwords/

A fake Proof of Concept on GitHub exposes researchers to malware
Read: https://thehackernews.com/2023/07/blog-post.html

An executive at TikTok says Australian users’ data is accessible in China
Read: https://www.bankinfosecurity.com/australian-users-data-accessible-in-china-tiktok-exec-says-a-22524

Millions of user records are exposed due to exploitable flaws in QuickBlox
Read: https://www.hackread.com/exploitable-flaws-quickblox-expose-user-records/

Previously on #AxisOfEasy