Weekly Axis Of Easy #120
Last Week’s Quote was “What is not surrounded by uncertainty cannot be the truth.” by Richard Feynman, winner was Dave
This Week’s Quote: “The greatest barrier to progress is not ignorance, but the illusion of knowledge.” …by ?????
THE RULES: No searching up the answer, must be posted to the blog
The Prize: The first person to post the correct answer gets their next domain or hosting renewal on us.
- Stop reading this and go update Chrome browser now
- Google buys Fitbit
- Australia’s Home Affairs push to require facial recognition for viewing adult content
- Security researcher gains access to all IoT pet feeders in the world
- The unsung ransomware hero from Illinois
- Breach of the week: 7.5M Adobe Creative Cloud accounts
- Raccoon: Your friendly neighbourhood Malware-As-A-Service
- Unassailable release date pushed back
Stop reading this and go update Chrome browser now
If you are running Google Chrome on macOS, Linux or Windows, do this right now:
- Open the Chrome menu (the “Chrome” menu in the menu bar on macOS, or the three dots at the top right on Windows and Linux)
- Select About Google Chrome (under Help on Windows and Linux)
- Look at the version; it should be 78.0.3904.87 or later
If it isn’t, the About page will check for and download the update on its own; click “Relaunch” when it appears, because the new version does not take effect until Chrome restarts.
The new release fixes two use-after-free bugs: CVE-2019-13720 in Chrome’s audio component and CVE-2019-13721 in the PDFium PDF renderer. Both can be triggered by a malicious web page and lead to code execution, and Google says an exploit for CVE-2019-13720 is already being used in the wild, which is what makes this a genuine 0-day rather than a routine fix (the PDFium bug, by contrast, came in through the bug bounty program). We put this out via our Twitter and Facebook feeds on Friday when we came across it, so if you aren’t already following us there, it may be worth your while given that we put these types of news out there as we discover them.
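If you look after more than one machine, clicking through About Google Chrome on each of them gets old. The following is an added example, not something from the newsletter or from Google: a small POSIX shell script that decides whether a Chrome version string is at or past the fixed build. It compares versions field by field as numbers rather than as text, so 78.0.3904.97 correctly counts as newer than 78.0.3904.87, and the banner parsing assumes the format `google-chrome --version` prints on Linux (“Google Chrome 78.0.3904.87”); the `check_installed_chrome` helper and its binary name are assumptions for a Linux install.

```shell
#!/bin/sh
# Added example, not from the newsletter: decide whether an installed Chrome is at or
# past the build that fixed CVE-2019-13720 and CVE-2019-13721. Version strings are
# compared field by field as numbers, not as text, so 78.0.3904.97 counts as newer
# than 78.0.3904.87 and 79.0.1.1 as newer than both.

PATCHED_CHROME_VERSION="78.0.3904.87"

# version_cmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Missing trailing fields count as 0 (so 78.0.3904 equals 78.0.3904.0). Returns 2
# without printing anything if either argument is empty or is not digits and dots.
version_cmp() {
  for v in "$1" "$2"; do
    case "$v" in
      ""|*[!0-9.]*) echo "version_cmp: bad version string '$v'" >&2; return 2 ;;
    esac
  done
  i=1
  while [ "$i" -le 4 ]; do
    # The appended dot guarantees a delimiter, so cut never echoes a whole
    # delimiter-less line back when we ask for a field that does not exist.
    x=$(printf '%s.' "$1" | cut -d. -f"$i")
    y=$(printf '%s.' "$2" | cut -d. -f"$i")
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' "-1"; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' "1"; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' "0"
}

# chrome_is_patched VERSION: exit 0 if VERSION is at or past the patched build,
# 1 if it is older, 2 if VERSION is not a usable version string.
chrome_is_patched() {
  r=$(version_cmp "$1" "$PATCHED_CHROME_VERSION") || return 2
  [ "$r" -ge 0 ]
}

# chrome_version_from_banner TEXT: pull the four-part dotted version out of what
# `google-chrome --version` prints, e.g. "Google Chrome 78.0.3904.87".
chrome_version_from_banner() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# check_installed_chrome: Linux helper (assumed binary name `google-chrome` on PATH;
# on macOS the binary lives inside "Google Chrome.app", so adjust the path there).
# Prints the installed version and exits 1 if it is still vulnerable.
check_installed_chrome() {
  banner=$(google-chrome --version 2>/dev/null) || { echo "google-chrome not found" >&2; return 2; }
  v=$(chrome_version_from_banner "$banner")
  if chrome_is_patched "$v"; then
    echo "Chrome $v: patched (>= $PATCHED_CHROME_VERSION)"
  else
    echo "Chrome $v: VULNERABLE to CVE-2019-13720, update now"
    return 1
  fi
}
```

Source the file and call `check_installed_chrome` from a cron job or config-management run; a non-zero exit is the signal to nag the user. The numeric comparison matters because a plain string comparison would rank 78.0.3904.97 below 78.0.3904.87.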
Google buys Fitbit
Google will be ponying up $2.1 billion to acquire the personal health tracking device company Fitbit. In my mind this is a perfectly predictable move for a company whose business is to aggregate all possible data about everybody: what we read online, what goes on in our homes (Nest and other home devices) and now, with Fitbit, what goes on in our bodies.
Out of the myriad pieces on the move, I chose to link to PBS’s coverage because it focuses on privacy: how health data can be monetized, and what it means now that Google will own such data on a base of 27 million active users.
Australia’s Home Affairs push to require facial recognition for viewing adult content
It looks like Australia’s Department for Home Affairs is paying more attention to China, where citizens will have to undergo facial recognition in order to use the Internet (#AxisOfEasy 117), and not the United Kingdom, where a program to tighten up access to internet pr0n via ID cards and access fees was scuttled before it even launched (#AxisOfEasy 118).
The department wants to use Australia’s proposed Face Verification Service as a gate: a face check against the service would be required before a user is allowed onto an online adult website. The Face Verification Service would be a government database of photo ID and facial recognition data designed to prevent identity theft. In this role it would prevent, for example, children using their parents’ driver’s licences to get onto adult sites.
There are a few logistical barriers, however. The Face Verification Service has been stalled because the biometric legislation it depends on has not passed parliament; the Parliamentary Joint Committee on Intelligence and Security said the bill does not contain enough privacy protection and will need to be redrafted.
The other problem is that such a plan is probably unworkable in liberal democracies, as the Brits found out when they ended up scrapping a similar plan.
(They can get away with this in China, because China is a technocratic dictatorship, and we aren’t, yet).
Security researcher gains access to all IoT pet feeders in the world
I’ve come to the conclusion that you can probably reduce your personal attack surface if you simply refuse to buy any product with the word “Smart” in its name. A Russian security researcher reported stumbling on a way to commandeer every Furrytail Smart Pet Feeder in the world. St. Petersburg-based Anna Prosvetova reported via her private Telegram channel how she uncovered vulnerabilities in the API and firmware of the IoT-enabled feeders, which let owners connect with an app and release small amounts of food throughout the day. She was able to locate a further 10,950 feeders deployed around the world and could change their feeding schedules and doses without ever being asked for a password; in other words, the backend was not checking that the caller actually owned the device it was being told to control.
The plot thickens somewhat: Ms. Prosvetova bought her Furrytail feeder on AliExpress, where they were being sold under the Xiaomi brand. However, after she contacted Xiaomi to report the flaws, the Chinese electronics company disavowed any knowledge or culpability, saying the devices are not theirs and are being sold under the Xiaomi name illegally.
The unsung ransomware hero from Illinois
It seems like every other week we report another corporate ransomware victim, yet ransomware doesn’t stop there; plenty of end users and ordinary netizens get hit with it all the time. We always harp on backups…backups…backups, but that doesn’t help if you’re in the midst of a ransomware attack and learning the hard way. It was nice to read the story of Michael Gillespie of Normal, Illinois. By day he works at the Nerds On Call computer repair shop; by night he creates ransomware decryption utilities. He makes them available for free, and in the process he’s helped thousands of victims recover their files.
He makes his decryption utilities available on his website and via the Bleeping Computer forums. He’s even helped the FBI track certain ransomware strains, and he doesn’t get paid for any of it. Not all heroes wear capes. Gillespie does accept donations via Bitcoin or Patreon; we’ve sent him some BTC for his efforts.
Read: https://id-ransomware.malwarehunterteam.com/
P.S. Mr. Gillespie, if you’re out there and you see this and want a domain name and website, we’ll happily donate those for your operation.
As for the rest of you, BACKUP YOUR DATA!
Breach of the week: 7.5M Adobe Creative Cloud accounts
Adobe’s Creative Cloud service leaked data on 7.5 million accounts. The exposed data includes email addresses, products purchased and login IP addresses; according to Adobe, no financial data was leaked. This was not so much a hack as an exposure: once again a trove of data was sitting wide open on the web, where it was discovered by security researcher Bob Diachenko and Comparitech. Adobe closed the exposure the same day it was notified.
Read Adobe’s statement: https://theblog.adobe.com/security-update/
Raccoon: Your friendly neighbourhood Malware-As-A-Service
As per Threatpost, there’s a new information-stealing malware suite making the rounds called Raccoon. It is spreading fast through the cybercrime underworld, leading to the infection of hundreds of thousands of devices in just a few months (the article subtitle says “hundreds of millions of users” have been infected, but I think that may be a misprint. That’s a lot.) It is apparently not very sophisticated, and the fact that non-technical attackers can operate it is exactly what lends it to widespread uptake in the underground economy.
Once Raccoon infects a device, it starts scanning for credit card details, login credentials, cryptocurrency wallets and any other sensitive data it can find.
Unassailable release date pushed back
I’ve pushed back the release of Unassailable from the original Oct 31st date to November 21st. After initial reviews from my proof readers I ended up moving some stuff around for coherency and (surprise!) adding a new chapter and a couple of additional sections. For what was originally supposed to be a 15-page free ebook, we’re up over 200 pages now.
A dark conspiracy theory on the Adobe data breach and other similar incidents: Company (the data holder) can’t sell identifiable user data based on privacy policy and other agreements, but Client (the data buyer) comes along and offers a healthy sum for it. Shady deal is made, funds for transaction laundered through any other unrelated service/product/discount/property/etc. Selected engineers at Company then “forget” to password protect data on a prototype/dev server, client grabs it anonymously from this location. Company makes announcement, knowing that if “no financial data was compromised”, the issue will blow over in a couple of days with no real consequences. But with the announcement, they’ve insulated themselves from any potential blowback if somebody got wind of the deal. Everybody moves on. Data sold.
Stephen Hawking