Adobe Flash is finally dead, dead, dead
When I wrote, way back in AxisOfEasy #14, that Adobe was finally going to kill off Flash, one of the most prolific security nightmares in existence (the other is everything Microsoft), the cut-off date for final End-of-Life on December 31, 2020 seemed like such a long way off. Like, so far away “surely we’ll have flying cars by then”.
Alas, 2020 went out with more of a whimper than a bang (except maybe for elected politicians luxuriating in far off staffed villas). 2021 is here, and Adobe Flash is, presumably, no more.
If you haven’t already done so, you should remove the Flash player from your computers:
Mac OSX: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html
Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html#main_Download_the_Adobe_Flash_Player_uninstaller
Read: https://www.adobe.com/ca/products/flashplayer/end-of-life.html
Magecart variant found in Shopify, BigCommerce, WooCommerce
The Dutch security team Sansec, which has been tracking all manner of Magecart credit card skimmers (as detailed here, and here), has found another variant that infects vulnerable storefronts on platforms like Shopify, BigCommerce and the WordPress WooCommerce plugin.
Magecart scoops out a victim’s credit card data as they are about to conclude an online purchase, sending the details back to the attackers’ servers where the details are sold on the Dark Web.
This variant evades suspicion by overlaying a fake checkout screen, capturing the card data, and then throwing an innocuous-looking (but fake) error page that simply redirects the victim to the real checkout page, where they carry on unaware that their cc details have just been snarfed. Read: https://sansec.io/research/skimmer-dynamic-exfiltration-shopify-bigcommerce
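As an added example (not from the Sansec research or this newsletter), here is a small Python triage routine for the pattern described above, run over constructed CSP violation reports: a checkout page that ships a Content-Security-Policy with a report-uri/report-to will generate a report when an injected skimmer loads its overlay script from, or posts captured card details to, a host that is not on the store's allowlist. The allowlist, the hostnames and the sample reports are all assumptions; the report shape is the standard csp-report JSON.

```python
import json
from urllib.parse import urlparse

# Hosts the store legitimately talks to on its checkout page (assumed allowlist).
ALLOWED_HOSTS = {"shop.example", "checkout.shopify.com", "js.stripe.com"}

# Directives a checkout-overlay skimmer would trip: one set when it injects its
# script, the other when it ships the captured card data off to its own server.
INJECT_DIRECTIVES = {"script-src", "script-src-elem"}
EXFIL_DIRECTIVES = {"connect-src", "form-action", "img-src"}

# Constructed sample reports in csp-report JSON shape (not real traffic; .invalid is a reserved TLD).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src-elem", "blocked-uri": "https://cdn-stats-example.invalid/loader.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "connect-src", "blocked-uri": "https://cdn-stats-example.invalid/collect"}}',
    '{"csp-report": {"document-uri": "https://shop.example/blog", "violated-directive": "img-src", "blocked-uri": "https://img.partner.example/banner.png"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src", "blocked-uri": "https://js.stripe.com/v3/"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "img-src", "blocked-uri": "https://pixel.unknown-tracker.invalid/p.gif"}}',
]

def host_of(uri):
    """Lowercase host of a URI, or the bare value for non-URL entries like 'inline' or 'eval'."""
    parsed = urlparse(uri)
    return (parsed.hostname or uri).lower()

def triage(report_lines, allowed_hosts=ALLOWED_HOSTS):
    """Group checkout-page CSP violations by offending host and label a host that both
    injected a script and received data as 'skimmer-suspect'; anything else is 'review'."""
    by_host = {}
    for line in report_lines:
        r = json.loads(line)["csp-report"]
        if "/checkout" not in urlparse(r["document-uri"]).path:
            continue  # only the page where card data is entered matters for this signal
        host = host_of(r["blocked-uri"])
        if host in allowed_hosts:
            continue  # a known partner tripped an over-tight policy; not a skimmer signal
        # Older browsers put the whole directive (with values) here; keep only its name.
        directive = r["violated-directive"].split()[0]
        by_host.setdefault(host, set()).add(directive)
    findings = {}
    for host, directives in by_host.items():
        injected = bool(directives & INJECT_DIRECTIVES)
        exfil = bool(directives & EXFIL_DIRECTIVES)
        findings[host] = "skimmer-suspect" if injected and exfil else "review"
    return findings

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_REPORTS).items():
        print(f"{verdict:16} {host}")
```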
Christmas Morning bombing disrupts AT&T network
I have to admit it was kinda weird to wake up Christmas morning to the news of a car bomb being detonated in… Nashville, Tennessee. Yet that’s what happened when what appears to be a lone actor blew up an RV (with himself inside it) in front of a major AT&T switching station in the early hours of December 25.
Fortunately the area seemed rather vacant; there were no fatalities other than the bomber.
But the event did significantly disrupt the telecom system for AT&T, which had cascading effects for days.
Jesse expanded further on the implications, and on whether the Internet is still too centralized, over on Metaviews.
Read: https://axisofeasy.com/metaviews/is-the-internet-too-centralized/
More journalists hacked by NSO Group via zero-click exploit
We’ve mentioned NSO Group here numerous times: the Israel-based software company whose Pegasus malware governments and intelligence agencies use when they want to target the mobile devices of any journalists that get under their skin (it’s not as much of an issue here in the West, where most journalists have been replaced with cheerleaders and propagandists).
Toronto’s CitizenLab has released yet another investigative report detailing how journalists at Al Jazeera and UK-based Al Araby TV were targeted using a zero-click attack vector in Apple’s iMessage to compromise their phones.
They have attributed the hacks to two state-backed threat actors tracing back to Saudi Arabia (the same government who used the same software to hack Jamal Khashoggi’s phone before he was lured to one of their consulates and unceremoniously chopped into pieces), and the United Arab Emirates.
CitizenLab speculates that the NSO exploit, dubbed Kismet, is effective against most versions of iOS prior to 14, and that the compromises they’ve detected are therefore a small fraction of the total deployed malware.
Solarwinds hack continues: Microsoft source code accessed
More details about the Solarwinds hack emerged over the holidays, including that Microsoft now admits the source code to multiple applications was obtained by the attackers.
The mainstream media continues to insert “Russian hackers” into the headlines around this in the most nonchalant way, despite the fact that nobody has produced anything tangible pointing that way. A security group I’m a member of had a lengthy thread on this internally and frankly, nobody in the cyber security industry that anybody knows has seen any first-hand evidence of “Russian hacking”. It’s all just hearsay based on “unnamed sources” within the US intelligence apparatus, which seems to have been originally perpetuated, as I said last issue, by the Washington Post citing a one-sentence article from Reuters.
It also turned out that the Solarwinds update server that was compromised and led to all this had its remote access password set to… “solarwinds123.” When I see idiocy like that I find it harder to swallow the “sophisticated nation state APT actor” narrative. It quite literally could have been anybody, let alone the Russians again. (Meanwhile, China is probably laughing their asses off.)
Read: https://www.techdirt.com/articles/20201215/13203045893/security-researcher-reveals-solarwinds-update-server-was-secured-with-password-solarwinds123.shtml
Blackstone will be selling data it acquires from companies it buys
Surveillance capitalism looks to continue unabated in the new year as this report via Bloomberg gushes over the revenue stream the world’s largest private equity firm will generate by selling the data of the companies it acquires:
“The largest U.S. manager of private equity funds is preparing to package and sell data from companies it acquires in future deals, turning insights that Wall Street powerhouses usually guard closely into a new revenue stream. Customers could range from hedge funds in search of a trading edge to corporations seeking to hone their own operations.”
Blackstone owns companies in many spaces, including health care, financial services, automotive, petro-chemicals, energy, analytics, pretty well anything. The plans were disclosed in an SEC filing back in June.
Read: https://files.adviserinfo.sec.gov/IAPD/Content/Common/crd_iapd_Brochure.aspx?BRCHR_VRSN_ID=647919
Remote code execution in Backblaze (check your versions)
If you’re using Backblaze for backups make sure you are on the latest version. There is an RCE (Remote Code Execution) vulnerability assigned CVE-2020-8289. The vulnerability allows an attacker to impersonate the Backblaze update server; the client downloads an XML file from that server which is then used as input for a command execution. Since Backblaze runs as a system user on Windows and as root on Macs, this can be problematic.
Backblaze has fixed this and by default auto-updates, so you should be ok. But check that you are on versions:
Windows: 7.0.1.433
Mac: 7.0.1.434
Zoom shared user data with Beijing
Until I read this article I always thought Zoom was actually a Chinese company, but it turns out they’re based in San Jose, CA and their software is coded in China. We reported previously in AxisOfEasy #150 how Zoom shut down meetings being conducted outside of China that were commemorating the Tiananmen Square Massacre, the June 1984 student protests that were brutally suppressed by the Chinese military.
Zoom terminated said meetings at the request of the CCP “for violating local law.” The US DoJ felt doing so violated some laws of their own, so a federal case was launched against the company, and a senior executive who acts as liaison between the company and the Chinese authorities has been charged.
Zoom, for their part, has put out a couple of “we’ll try to do better” blog posts, here and here. The DoJ release: https://www.justice.gov/opa/pr/china-based-executive-us-telecommunications-company-charged-disrupting-video-meetings
Also China: As I finished writing this week’s issue the morning of Jan 4th, the news broke that Alibaba CEO Jack Ma is missing in action, speculated to possibly be in the process of being “re-educated” by Chinese authorities after making remarks critical of the Chinese Communist Party on the eve of the much anticipated ANT Financial IPO. Said IPO was canceled by the CCP, and it looks like Ma hasn’t been seen in months. What frightens me about China’s government (don’t get me wrong, the citizens themselves are wonderful people, cursed with living under a dictatorship), isn’t that they’re overtly totalitarian and literally Stalinist, it’s that the CCP governance model is so attractive to governments everywhere. Whenever you hear the Davos crowd talking about The Great Reset, this is the logical extension of what they’re pining for: an all powerful technocracy that re-educates dissent and minority opinions right out of existence.
Google orders staff scientists to “take positive tone” around AI
Before the holidays we reported on how Google forced Timnit Gebru, their co-head of AI Ethics and a black woman, out of the company. They also tried to frame it as a voluntary resignation, which has been refuted by other Google employees. Gebru raised objections around Artificial Intelligence and thorny issues like racial bias (and inaccuracies) in technologies like facial recognition.
Seeking to head off any future unpleasantness along those same lines, the company has enacted a new policy ordering company scientists to seek legal, policy and public relations approval from the company before researching or opining on matters related to Artificial Intelligence, specifically around “face and sentiment analysis and categorizations of race, gender or political affiliation.”
The Reuters piece went on to find that:
“Four staff researchers, including senior scientist Margaret Mitchell, said they believe Google is starting to interfere with crucial studies of potential technology harms.”
When contacted to comment on the article, Google did not respond.
IMF floats using web browsing history in social credit scores
The International Monetary Fund (IMF) thinks that studying your web browsing history will be part of the AI driven FinTech revolution that will yield superior analysis in things like credit scores. In a recently published paper on the IMF blog, they extol the virtues of using machine learning to solve the dilemma of analyzing credit-worthiness of “certain kinds of people:”
“Fintech resolves the dilemma by tapping various nonfinancial data: the type of browser and hardware used to access the internet, the history of online searches and purchases. Recent research documents that, once powered by artificial intelligence and machine learning, these alternative data sources are often superior than traditional credit assessment methods.”
Of course, by “certain kinds of people” they mean people for whom not enough “hard data” is available, and all this would be to promote inclusiveness, but given that we see the likes of Visa, Mastercard and PayPal cutting off companies and people from credit, this could also be used to exclude… “certain” kinds of people….
Read: https://blogs.imf.org/2020/12/17/what-is-really-new-in-fintech/
The Great Reset: a veritable wet dream for Technocrats
The phrase we’ve been hearing all over the place since COVID-19 broke out is “The Great Reset” or, alternatively, “Build Back Better,” World Economic Forum slogans that originate from the Davos crowd: the wealthiest plutocrats on earth, who have been re-imagining everybody else’s futures for decades now. If “broken clocks are right twice a day,” then ideological super-rich windbags with a collective Messiah Complex will eventually be presented with a catastrophe, crisis or opportunity that can be seized upon and parlayed into some “new era” or “new paradigm” that, coincidentally, leaves them calling all the shots and making The New Rules.
This article by Tim Hinchcliffe outlines:
“How the ‘great reset’ ideology of un-elected bureaucrats would steer society towards massive surveillance & control.” And notes how WEF founder Klaus Schwab (a.k.a “Herr Schwab”) has been calling for his Great Reset for at least five years now, but that
“Prior to this year, implementing worldwide lockdowns that destroy businesses, wreck the economy, and leave people destitute and stripped of their constitutional rights while trying to enact invasive contact tracing, immunity passports, and otherwise massive bio-electronic surveillance apparatuses would never have been accepted by the citizens of a free society.”
Or, in the words of Herr Schwab himself, in his book “The Great Reset,” a crisis was required that could
“provoke changes that would have seemed inconceivable before the pandemic struck, such as new forms of monetary policy like helicopter money (already a given), the reconsideration/recalibration of some of our social priorities and augmented search for the common good as a policy objective, the notion of fairness acquiring political potency, radical welfare and taxation measures, and drastic geopolitical realignments.
The broader point is this: the possibilities for change and the resulting new order are now unlimited and only bound by our imagination, for better or for worse. Societies could be poised to become either more egalitarian or more authoritarian, or geared towards more solidarity or more individualism, favouring the interests of the few or the many…
You get the point: we should take advantage of this unprecedented opportunity to reimagine our world, in a bid to make it a better and more resilient one as it emerges on the other side of this crisis.”
This even though, as Schwab himself concedes, the pandemic is comparatively not too serious: “Even in the worst-case horrendous scenario, COVID-19 will kill far fewer people than the Great Plagues, including the Black Deaths, or World War II did”. It nonetheless has, he writes, “the potential to be a transformative crisis.”
Read: https://sociable.co/technology/skeptical-great-reset-technocratic-agenda-waited-years-crisis-exploit/
On that note, though not especially technology-related, I also liked this Cosmo-styled riff on abusive relationships: Fifteen Signs you’re in an Abusive Relationship… with the Government
Yes, I’m a little pissed off. And you should be too. Welcome to 2021 and have as tolerable a New Year as is unconstitutionally permitted by your respective authorities.
AxisOfEasy Salons are dropping back to every two weeks; we should be doing the first episode of 2021 next week.
This Week’s Quote: “Every step which leads from capitalism toward planning is necessarily a step nearer to absolutism and dictatorship”… by???
Ludwig von Mises
This sounds like Donald Trump — except he doesn’t use big words like absolutism.
I don’t like capitalism….
I like planning…and good government… in the public interest.