#AxisOfEasy 162: WordPress 0-Day Exposes Millions Of Sites To Compromise

Weekly Axis Of Easy #162

Last Week’s Quote was   Too many political “solutions” are solutions to problems created by previous political “solutions” — and will be followed by new problems created by their current “solutions.”  was Thomas Sowell, nobody got it again.

This Week’s Quote:  We seem to be getting closer and closer to a situation where nobody is responsible for what they did but we are all responsible for what somebody else did.” by ….???

THE RULES: No searching up the answer, must be posted to the blog.  The place to post the answer is at the bottom of the post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.

P.S Don’t forget, we are giving AxisOfEasy readers 10 MINDS tokens when they join the Minds.com social media platform.  Minds is open source and they don’t play games with your timeline or feed: the people and groups you follow are the ones you see your feed.

Join today and we’ll stake you with 10 MINDS tokens you can use to boost your content or tip writers you like.

Podcast: Axis Of Easy #162

In this issue:

  • WordPress File Manager plugin bug exposes millions of sites to compromise
  • Aussie cops arrest and cuff  pregnant woman in her home for Facebook post
  • Amazon spikes job posting for union-busting intel analysts
  • Pakistan blocks dating apps including Grindr and Tinder
  • Epic Games asks courts to reinstate it to Apple App Store
  • Apple accidentally approved malware in app store
  • MIT slams Elon Musks Neuralink dog-n-pony show
  • AoE Salon #20: Brenna Smith and the role of Bitcoin once nation states embrace digital currencies 

WordPress File Manager plugin bug exposes millions of sites to compromise

Over the past few days the news has broken via WordFence that millions of WordPress blogs are being actively targeted via a 0-day security vulnerability in the File Manager plugin.  This plugin is widely used, numbering in the hundreds of thousands of installations so it is imperative if you are using it to check that you’re using version 6.9. 

WordFence reports that a few indicators are emerging, including, in many cases, the presence of the file Feoidasf4e0_index.php

Also note, the plugin lists as “WP File Manager”, where another popular plugin, “File Manager Advanced” is different,  but if it’s out of date I would upgrade that one too (3.6, I believe).

If you’re an easyPress customer at Pro level and above (or an original customer grandfathered in with blogvault), then we’ve already upgraded the plugin for you.

The folks at WordFence also recommend that if you don’t need the file manager functionality, you should just deactivate it entirely.  File manager plugins are frequently the target of security compromises so if you don’t need it, get rid of it.

Aussie cops arrest and cuff pregnant woman in her home for Facebook post

A woman in Australia has been arrested for a post to Facebook promoting an anti-lockdown (COVID) protest.  A video of the incident has since gone viral, it depicts police officers entering the home of  Zoe-Lee Buhler, age 28 and pregnant, in front of her spouse and two children.  Victoria police warned that anybody organizing protests to violate the prevailing stay-at-home orders.  Buhler’s post was deemed a violation, and officers entered their home and placed her in handcuffs, still wearing her pyjamas. 

If you happen to agree with the Aussie authorities’ position that those promoting anti-lockdown protests should  be prosecuted, there is, IMHO  still a right way and a wrong way to do it.  They should have just shown up at her home, charged her, and issued a promise-to-appear notice and left it at that.  They would have avoided the viral scandal they find themselves in now, but instead, the incident was live-streamed to Facebook for the world to see. 

View the arrest: https://www.youtube.com/watch?v=y4LDTujPNtw

 Amazon spikes job posting for union-busting intel analysts 

Among the recurring themes that Charles, Jesse and I discuss on our AxisOfEasy Salons is the way Big Tech platforms are beginning to project power akin to new form of nation states (what Jesse calls “Network States”). 

When you see a job ad, from Amazon, for an “Intelligence Analyst”, it really seems to ring true.  Usually sovereign nations’ intelligence agencies hire intelligence analysts, while big corporations would hire competitive analysts, market analysts, even geo-political analysts – but intelligence analysts? Kind of makes it sound like Amazon has some sorta… intelligence apparatus, gathering intelligence to, you know, analyze. 

But since Amazon has a digital platform upon which the entire developed world shops, not to mention being one of the largest IT suppliers to the US defence industry, I guess they do.

The candour and frankness of the ad spurred a social media backlash, one of the roles and responsibilities of the intended hire was to protect the company from “labour organizing threats.”   Amazon has since pulled the ad, but my guess is they still intend to hire into those positions.

In another scheme thwarted by Amazon defence forces, the company has changed the way it routes delivery orders to gig economy drivers after it was discovered that freelancers in the Chicago area were gaming the driver selection algo by hanging smart phones in trees outside Whole Foods and Amazon Delivery locations, thus fooling the system into thinking they were the closest drivers to a pending pickup.

See: https://www.bloomberg.com/news/articles/2020-09-04/amazon-drivers-say-smartphones-in-trees-scheme-has-been-thwarted

Pakistan blocks dating apps including Grindr and Tinder

Tinder, Grindr, SayHi and several other dating apps have been blocked in Pakistan for promoting “immoral content.”   Pakistan has the second largest Muslim majority of any country in the world (largest is Indonesia).   Extra-marital affairs and homosexuality are illegal. 

Government officials sent notices to the dating app platforms requesting they accommodate their requests and did not receive responses before their deadlines.  They are also requesting that YouTube “immediately block vulgar, indecent, immoral, nude and hate speech content for viewing in Pakistan.”

If you’ve been following our commentary for any length of time you know our position on this:  tech companies should not try to comply with laws in other jurisdictions, they should adhere to their own domicile’s laws, police their own AUPs, and that’s it.  If Pakistan has issues with YouTube, they can block YouTube and deal with their own citizens reaction to that.

Epic Games asks courts to reinstate it to Apple App Store

Makers of Fortnite, Epic Games, have gone back to court asking it to grant a preliminary injunction against Apple to temporarily reinstate the game while the legal case winds its way through court.

An earlier request was denied by the courts, however Epic now has data showing how usage amongst iOS clients has dropped over 60% since Apple banned the game from the App Store over Epic’s inclusion of an in-app purchase system that circumvented Apple’s. 

Apple, for their part, has announced a new appeals process for app developers facing accusations that their apps are violating App Store policies. 

Read: https://www.theverge.com/2020/8/31/21406112/apple-app-store-appeals-process-live-guidelines-challenge-antitrust-fortnite

Apple accidentally approved malware in app store

Speaking of apps Apple does approve of, it looks like hackers managed to slip one past the goalie: 

“According to security researcher Patrick Wardle, Apple approved an app that contained code used by a well-known malware called Shlayer.  Shlayer is a trojan downloader that spreads through fake applications, bombarding users with an influx of adware.  Shlayer is the ‘most common threat’ to Macs, cybersecurity and anti-virus firm Kaspersky said in 2019.”

Wardle’s blog, Objective-See also includes an interesting backgrounder on Apple’s historical claim that “Macs don’t get viruses”, describing how that statement is nuanced, and highly subjective.  Macs do indeed get infected with malware as that aforementioned Kaspersky report noted a sharp uptick in malware threats against Macs lately.

Read: https://objective-see.com/blog/blog_0x4E.html

Kaspersky 2019 report: https://securelist.com/shlayer-for-macos/95724/

MIT slams Elon Musks Neuralink dog-n-pony show

I’ve noted before, some of the most notable luminaries of $TSLAQ, the collective that does bear-case analysis on all things Musk, are experts in fields that Elon has tried to bluff his way into.  TeslaCharts, for example, is an engineer who has worked in solar energy for decades who took one look at the “solar shingle” proposed by Musk and called b/s on it immediately… another Tesla bear was born (warning: language alert. Do not listen to that with your kids in the car.  Perhaps this interview with Grant Williams that just came out is a better overview.)

Now Musk is making more grandiose promises that his forthcoming Neuralink will cure everything from depression to cerebral palsy.  This time it’s the turn of actual neuroscientists to chime up and add a dose of reality to the carnival.  The MIT Technology Review called it “neuroscience theatre” in a scathing review of Neuralink’s “product update” that was live-streamed over YouTube.

“In a lot of ways, It’s kind of like a Fitbit in your skull, with tiny wires.”, Musk gushed.  But as the MIT piece observes, none of the claims are anywhere close to being reality, and many may never happen at all.  Although the livestream was described as a “product update”, there is currently no usable product from the company that anybody could actually buy to solve anything.   The article’s author, Antonio Regalado, MIT Tech Reviews senior biomedicine editor, thinks this may be “for the best” since most of the claims made where “highly speculative”.

In his usual circus ringmaster style, Musk produced a pig said to be implanted with Neuralink which deftly defeated super-computer at Go.  Just kidding, what really happened was they put a pig named Gertrude in a pen and let her sniff around and stuff while they superimposed the video over an oscilloscope and played some beeps and tones that were supposedly keying off a neuralink implanted in her brain.

As one commentator, (with an actual background in neuroscience) put it:

“I did not spend 5 yrs getting a neuroscience degree to watch this manchild literally brainf**k a pig on stage”

The rest of the article proceeds to throw cold water on Musk’s  phantasmagorical claims pointing out how Neuralink hasn’t produced any work toward depression, mental illness, let alone cerebral palsy in the last four years;  it hasn’t even addressed how to solve the “corrosion” problem of putting an implant in a brain for years on end, not to mention scientists still don’t even know how thoughts, feeling or emotions even manifest (a topic I pick up on in my next book about techno-utopianism).

The demo: https://www.youtube.com/watch?v=iOWFXqT5MZ4&feature=youtu.be&t=949

AoE Salon #20: Brenna Smith and the role of Bitcoin once nation states embrace digital currencies 

This week on the AxisOfEasy Charles wrote an amazing piece about small business and little guys fighting against “Big Everything” , while Jesse wondered out loud who really knows what their smartphone actually knows about them?

See: https://axisofeasy.com/oftwominds/fighting-and-winning-against-big-everything/

And: https://axisofeasy.com/metaviews/do-you-know-what-your-mobile-device-knows/

For our Salon, Jesse and I had the good fortune to speak with Brenna Smith, an investigative reporter currently for Bellingcat, who also runs her own newsletter CryptOSInt. We talked about where Bitcoin will fit in once the worlds’ governments make the move to digital currencies (note we are careful not to call government versions “crypto” currencies…)

View/listen: https://axisofeasy.com/podcast/salon-20-brenna-smith-where-does-bitcoin-fit-in-after-nation-states-embrace-digital-currencies/

2 thoughts on “#AxisOfEasy 162: WordPress 0-Day Exposes Millions Of Sites To Compromise

Leave a Reply

Your email address will not be published. Required fields are marked *