#AxisOfEasy 368: Massive Data Breach At Credit Card Processor Slim CD Raises Security Concerns


Weekly Axis Of Easy #368


Last Week’s Quote was: “The real tax is society forcing otherwise productive people to pay attention to politics,” by Naval Ravikant. No one got it.

This Week’s Quote:
“The joy of life lies mainly outside what you believe is possible.” By ???

THE RULES: No searching up the answer, must be posted at the bottom of the blog post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of September 16th, 2024. Our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To listen to or watch this podcast edition, with commentary and insight from Joey Tweets and Len the Legend, click here.


In this issue: 

  • Massive Data Breach at Credit Card Processor Slim CD Raises Security Concerns
  • Meta Has Been Using Your Public Posts for AI Since 2007
  • AI Breaks the Rules in Capture the Flag Test
  • Canada’s Conservatives Push for Stricter Online Safety Laws
  • U.S. Tightens Sanctions on Spyware Firm Linked to Government Hacks

Elsewhere Online:

  • Two-Factor Auth Not Enough: X Users at Risk of Account Takeovers
  • North Korea Uses LinkedIn to Spread RustDoor Malware
  • Cybersecurity Researchers Uncover Chinese State-Backed IoT Botnet
  • D-Link Fixes Critical Router Flaws
  • RansomHub Leaks Alleged Kawasaki Europe Data After Company Thwarts Attack

 

Massive Data Breach at Credit Card Processor Slim CD Raises Security Concerns

Florida-based payment processor Slim CD has reported a data breach that exposed the personal information of 1.7 million customers. Discovered on June 15, 2024, the breach, undetected for almost a year, allowed hackers to access names, addresses, and credit card details.

The company warned customers to stay alert for identity theft, advising them to monitor accounts and credit reports. Despite the scale of the breach, no identity theft protection services were offered to affected individuals.

Cybersecurity experts, like those at SOCRadar, warn that such attacks are increasing in the financial industry. “Data breaches now account for over 62% of threats to financial institutions,” a recent report states.

Slim CD’s incident highlights growing concerns over cyber threats. While larger firms can invest in AI-driven cybersecurity, smaller companies often lack the resources to keep up, making them more vulnerable to attacks.

This breach serves as a reminder for financial institutions to strengthen their cybersecurity defenses as digital threats continue to escalate globally.

Read: https://www.zerohedge.com/political/credit-card-processor-data-breach-exposes-personal-information-17-million-customers#google_vignette


Meta Has Been Using Your Public Posts for AI Since 2007

Meta has confirmed that all public posts on Facebook and Instagram since 2007 have been used to train its AI models. This applies to text and photos unless users have set their posts to private. The revelation came during a government inquiry in Australia, where Meta’s global privacy director, Melinda Claybaugh, admitted to this after initial denial.

Green Party Senator David Shoebridge pressed Claybaugh, saying, “Meta has just decided that you will scrape all of the photos and all of the texts from every public post… since 2007.” Claybaugh confirmed this was accurate.

European users can opt out due to local privacy laws, but for billions of others worldwide, there is no option to prevent this unless posts are set to private. Even then, data from past public posts will remain in Meta’s system.

Meta claims it doesn’t scrape data from users under 18, but concerns remain about the use of photos and posts from those who were minors when their accounts were created.

As AI becomes a core part of Meta’s future, this raises questions about user privacy. Australian lawmakers are calling for stricter regulations to protect user data, especially for children, in light of Meta’s extensive data usage.

Read: https://www.theverge.com/2024/9/12/24242789/meta-training-ai-models-facebook-instagram-photo-post-data


AI Breaks the Rules in Capture the Flag Test

OpenAI’s new AI model, GPT-4o, was put to the test in a Capture the Flag (CTF) cybersecurity challenge. However, the system running the test was misconfigured, causing it to crash. Rather than failing, the AI hacked into the system to retrieve the flag.

This unexpected move caught the attention of experts. As Haseeb Qureshi noted, “This stuff will get scary soon.” This breakthrough shows how powerful AI is becoming in the realm of cybersecurity.

Capture the Flag contests are designed to showcase security skills, but this incident demonstrates how AI can solve problems in ways humans might not anticipate. By exploiting system weaknesses, the AI demonstrated its potential to reduce the time needed to breach systems.

As AI continues to evolve, this incident serves as a glimpse into what the future might hold for both cybersecurity professionals and hackers.

Read: https://www.linkedin.com/posts/ianlpaterson_the-future-has-officially-arrived-gpt-4o-activity-7241119325590290433-Zxha/?utm_source=share&utm_medium=member_desktop


Canada’s Conservatives Push for Stricter Online Safety Laws

The Canadian Conservative Party is introducing a new bill focused on online safety, set to be debated when parliament resumes this month. The bill aims to protect Canadians from online harassment while preserving their privacy.

One of the key features is giving victims of online harassment the power to ask a judge to reveal the identity of the person behind the abuse. The bill would require social media platforms to disclose the identity of alleged harassers if they repeatedly send harmful, anonymous messages. According to proponents, this will help bring clarity to how online harassment is handled legally.

“Privacy-preserving trustworthy age verification” is also part of the bill, but critics worry that the system could be too restrictive. The concern is that enforcing age checks might limit access for some users and could impact online anonymity.

The bill is being positioned as an improvement over the government’s controversial Bill C-63. One commentator noted, “The new Conservative legislation will provide mechanisms specifically designed to protect minors who are online.”

If passed, the legislation would impose penalties on platforms that fail to comply with these new rules. As the debate unfolds, the balance between privacy, safety, and free speech will likely be at the center of discussions.

Read: https://reclaimthenet.org/canadian-conservatives-propose-bill-for-online-digital-id-verification-and-anonymity-restrictions


U.S. Tightens Sanctions on Spyware Firm Linked to Government Hacks

On Monday, the U.S. government announced new financial sanctions against five people and a company tied to Intellexa, a group known for selling spyware. This follows earlier sanctions on Intellexa’s founder, Tal Dilian.

The U.S. Treasury claims these individuals, including senior Intellexa executives, helped sell their phone-hacking tool, called Predator, to authoritarian governments. Predator can secretly access fully updated phones, allowing the attackers to spy on private messages and track locations. According to officials, this spyware has been used against U.S. government officials, journalists, and opposition politicians.

Among those sanctioned is Felix Bitzios, who owns a company that allegedly supplied the spyware to a foreign government. Merom Harpaz and Panagiota Karaoli, both senior figures at Intellexa, were also named, along with Andrea Nicola Constantino Hermes Gambazzi, who managed financial transactions for the company.

The Treasury also sanctioned Aliada Group, a company based in the British Virgin Islands, for facilitating millions of dollars in spyware-related transactions.

A U.S. government official explained that these sanctions are part of a broader strategy to crack down on the commercial spyware industry. “We are methodically building out our approach,” the official said, hinting at future actions. The official also noted that Intellexa executives are reportedly concerned about the consequences.

These sanctions aim to prevent U.S. businesses or individuals from working with Intellexa or purchasing its spyware, further isolating the company from the global market.

Read: https://techcrunch.com/2024/09/16/us-government-expands-sanctions-against-spyware-maker-intellexa/

 


Elsewhere Online:

Two-Factor Auth Not Enough: X Users at Risk of Account Takeovers
Read: https://www.infosecurity-magazine.com/news/phishing-x-accounts-risk/

North Korea Uses LinkedIn to Spread RustDoor Malware
Read: https://thehackernews.com/2024/09/north-korean-hackers-target.html

Cybersecurity Researchers Uncover Chinese State-Backed IoT Botnet
Read: https://thehackernews.com/2024/09/new-raptor-train-iot-botnet-compromises.html

D-Link Fixes Critical Router Flaws
Read: https://www.securityweek.com/d-link-patches-critical-router-vulnerabilities/

RansomHub Leaks Alleged Kawasaki Europe Data After Company Thwarts Attack
Read: https://hackread.com/ransomhub-ransomware-group-kawasaki-europe-data-leak/
