Weekly Axis Of Easy #128
Last Week’s Quote was “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.” …was the late great Alvin Toffler, winner was Thatch.
This Week’s Quote: “It is wisdom to cultivate the tree which you have found to bear fruit in your soul” ..by ????
THE RULES: No searching up the answer, must be posted to the blog
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
New Firefox security hole is under active attack
Surprise: nearly every Android app leaks personal data
Chinese malware found pre-installed on certain phones
Doomsday 2020 election simulation projects scores dead, martial law
DNS lookup speeds of various TLDs
Ring Employees fired for viewing customer video footage
Amazon threatens to fire workers critical of company’s climate impact
You are unpaid labour for Silicon Valley
Government searches shift from device to the cloud
New phishing vector targets persistence, not passwords
If you haven’t already, take a moment to check that you are running the most recent version of Mozilla’s Firefox, which is 72.0.1. If you think you are safe because you just upgraded to version 72 which came out a few days ago, check again: The following bug was discovered two days after version 72 was released.
Security research company NowSecure published a study showing that a scant 8% of apps available for the Android mobile o/s do not leak personal data. Included in their findings were that 92% of retail apps and 82% of apps from so-called bricks-n-mortar businesses all leak data such as names, usernames, phone numbers, email addresses, geo-location data, account numbers and device IDs:
“After extensive testing, NowSecure is issuing a global warning to the millions of mobile app consumers and businesses to temporarily stop using top retail and e-commerce apps,” the company told Retail Dive. “Millions of users operate under the false assumption that the apps on their phones are safe.”
It’s not as bad for Apple’s iOS ecosystem, apparently. Apple has always kept tighter control on the apps available, which a separate study confirms, finding Android’s fraud rate to be 6X that of iOS.
A separate item via DarkReading tells us about a particular budget Android device called the Unimax U686CL, which is offered to low-income Americans through a US government initiative. The phones retail for a price point below $35 via an outfit called Assurance Wireless, which is under a US federal assistance program run by Virgin Mobile.
The bad news? Well, they seem to ship with some sort of Chinese malware. And it’s “unremovable”. Researchers began receiving complaints that the phones were infected in October 2019, so they started buying them and digging in. For starters, the Wireless Update app, which is the only way to update the phone’s o/s, is itself a variant of the Adups malware – named after a Chinese company by that same name that surreptitiously mines user data and installs backdoors in devices.
But that’s not all: the Settings app contains Android/Trojan.Dropper.Agent.UMX malware, which is a trojan.
This one is just plain weird. An IT security firm called Cybereason, which specializes in virus scanners and ransomware protection, purportedly ran a war game to model cyberwar-based disruption of election voting in Anytown, USA for the upcoming 2020 Presidential vote.
In this simulation, dubbed “Operation Blackout”, the bad guys used a variety of tactics ranging from disseminating false info via social media to tell citizens that polling stations were closed, to remotely hacking buses and running them into lines of voters, killing dozens.
The simulation ended with the election being canceled and the imposition of martial law.
The mainstream media reported on this back in November, when the simulation actually ran, via a piece in Quartz media; somehow I missed it.
I mention it now as I became aware of a recent Whitney Webb piece about it. In it she tracks the key players in Cybereason, its ties to government contractor Lockheed Martin, financiers connected with Saudi Arabia, and for completeness – Israeli military intelligence.
The simulation summary is available here: https://www.documentcloud.org/documents/6548629-Operation-Blackout-Wrap-Up-Report-November-2019.html
Webb’s articles are, as a rule, a trip down the rabbit hole. But she never fails to copiously document her work. She’s also done a nice series on Jeffrey Epstein (who didn’t kill himself).
The folks at BunnyCDN did a study on how the Top Level Domain (TLD) of various domains affects DNS lookup performance. They were motivated to undertake this after onboarding a customer who was complaining of inordinately slow DNS lookups (> 150ms), and when they dug into it, they realized that 100ms of that was in the TLD nameservers themselves.
They found that .org and .info were among the slower TLDs, and .com turned out to be slower than they expected outside of North America. Looking at their chart, some of the new TLDs like .top are pretty bad, over 150ms.
We also wrote an article about this a long time ago which is referenced by some of the performance monitoring sites.
We’ve reported over the months how certain Ring employees were viewing customer video footage under the catch-all every company uses, which is “to train the AI”. But this time the Amazon-owned company fired several employees after they were discovered viewing customer video footage beyond the scope of their assigned tasks. Whatever that means.
Also Amazon: The Guardian reports that the company is investigating a group of employees who have publicly spoken out about Amazon’s inaction on climate issues. Maren Costa divulged to the Guardian an email she received from HR showing that, in addition to the company having launched an investigation into her activities, she would not be punished, yet. But should the activities continue, she could face termination.
At least four Amazon employees are known to be under the ire of the company, having been interrogated by both HR and legal departments and at least two have been warned that should they continue to express criticism regarding Amazon’s stance on, or contribution to, climate change without seeking express approval in advance, they will face termination.
I came across this thought provoking article by way of Charles Hugh Smith’s “Was Marx Right About Capitalism Destroying Itself from Within?” (We are thrilled that we will be including Charles’ OfTwoMinds feed in the forthcoming stand-alone version of AxisOfEasy). In it Charles references Jacob Silverman’s “You Are Literally Working for Silicon Valley and Don’t Know It”.
Both are excellent reads that complement each other nicely. Silverman’s article puts forth the proposition that we are all, in essence, digital proletarians, whether we like it or not:
“As social networks, sensors, and digital systems became mobile and spread throughout society — bringing their logics of surveillance, bulk data collection, and targeted advertising with them — the work of data production began to permeate practically everyone and everything. We all became, however unknowingly, workers in a factory whose profits are immense and whose wages are nonnegotiable: zero”
Personally, I think this is a product of the prevailing monetary system of our era, with its debt-based fiat money, issued by unaccountable central banks that penalize savers, cannibalize everything via financialization, thus fuelling escalating Cantillon Effects which exacerbate ever-widening wealth inequality.
This article looks at how the focus has shifted for law enforcement and government agencies when it comes to searching your digital activities. Your mobile phone is ground zero when being searched, but increasingly it is treated more as the gateway or key to gain access to your data in the cloud. They are more interested in what’s there than what is on the device, thus “cloud extraction” technologies are the new fetish among intelligence agencies, law enforcement entities and pretty well anybody who wants to spy on you.
There is a relatively new form of phishing attack that, I have to admit, even I wasn’t really aware of until I read this Krebs On Security article about it. Unlike traditional phishing attacks, which try to capture your password by fooling you into entering it into a fake login screen somewhere, this attack bypasses all that and instead gets you to click through to the actual target site, but in a way that sends your authentication session token to the attacker. With that session token they can then head to the real site, which is tricked into thinking it’s still you, and lets them in.
It’s a highly specialized attack vector, with the most recent cases targeting Microsoft’s Office 365 suite.