#AxisOfEasy 188: Signal is down in China

Weekly Axis Of Easy #188

Last Week’s Quote was “We live in a world in which data convey authority. But authority has a way of descending to certitude, and certitude begets hubris.” by Brett Stephens, winner was Joy Bruce

This Week’s Quote: “The way to crush the bourgeoisie is to grind them between the millstones of taxation and inflation”… by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.


In this issue:

  • Fintech company demonstrates reason why example.com exists
  • Signal is down in China
  • Feds seize Sky Global domain
  • CopperStealer hijacks social media credentials
  • FBI releases cybercrime report for 2020
  • Hacker leaks data from We Leak Info
  • Researcher uses even simpler dependency confusion attack on Azure
  • Hackers can hijack your SIM card for about $16
  • Tech types think Big Tech is too powerful …and want to work more closely with China
  • Walmart joins international vaccine passport initiative
  • AxisOfEasy Salon #40: Subprime Attention NFTs

Fintech company demonstrates reason why example.com exists

The TL;DR of this one is this: never use some random domain you pick out of the air for your documentation or example configuration files. Either register the domain you are going to use for this, or else use literally “example.com,” which is an IANA reserved domain that will never be assigned, because it is defined precisely for use in documentation, placeholders and as, you know, examples.

A publicly traded fintech company called Fiserv (Nasdaq:FISV) used “defaultinstitution.com” in various email templates, which for one reason or another, got picked up and used across some of their subsidiaries and acquisitions.

A keen-eyed security researcher named Abraham Vegh noticed this, checked and saw that the domain wasn’t registered, and went ahead and regged it. Hilarity ensued.

He started getting all kinds of email messages, bounce messages and even replies from angry customers.

(This one reminds me of the days when we had server.com on the system and the guy wasn’t using it anymore so he parked it and the MX was pointed at us and we got billions of messages and hits from all kinds of packages under the sun that were using “server.com” as placeholder in their documentation or worse, configuration files.)
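A small check I’d run over any template or config repo to catch the defaultinstitution.com / server.com mistake before someone else registers the name. This is an added example, not Fiserv’s or Vegh’s code; the reserved names come from RFC 2606 and RFC 6761, and the sample template is constructed.

```python
import re

# RFC 2606 / RFC 6761 reserved names: IANA will never delegate these,
# so they are safe to use as placeholders in docs, templates and configs.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}

# Crude hostname matcher: also catches the domain part of an e-mail address.
# It will match things like "file.txt" too, so review the output by hand.
_DOMAIN_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def is_reserved(domain: str) -> bool:
    """True if `domain` (or a parent of it) is reserved by RFC 2606 / RFC 6761."""
    d = domain.lower().rstrip(".")
    if d.split(".")[-1] in RESERVED_TLDS:
        return True
    return any(d == r or d.endswith("." + r) for r in RESERVED_DOMAINS)


def find_unreserved_placeholders(text: str) -> list[str]:
    """Distinct non-reserved domains in `text`, in order of first appearance.
    Each one is a name somebody else can register and start receiving mail for."""
    found: list[str] = []
    for m in _DOMAIN_RE.finditer(text):
        d = m.group(0).lower()
        if not is_reserved(d) and d not in found:
            found.append(d)
    return found


# Constructed sample template (not Fiserv's real one) with two bad placeholders.
SAMPLE_TEMPLATE = """\
From: no-reply@defaultinstitution.com
Reply-To: support@example.com
Smtp-Host: mail.server.com
Docs: https://docs.example.org/setup
"""

if __name__ == "__main__":
    for d in find_unreserved_placeholders(SAMPLE_TEMPLATE):
        print("unreserved placeholder domain:", d)
```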

Signal is down in China

The encrypted messaging app Signal was, until last week, possibly the only privacy enabled app that was available in China without using a VPN. That changed in the last week when reports began emerging that Signal was down behind The Great Firewall of China.

Signal provides end-to-end encryption, which means nobody, not even Signal, can eavesdrop on communications or sniff traffic, which is problematic in China where the government heavily censors and regulates internet content and news. Tencent’s WeChat, by contrast, is only encrypted between client and server, which means communications can still be intercepted and inspected, and thus conversations around China’s internment of Uyghur Muslims in concentration camps, or the Tiananmen Square massacre “disturbance,” can be neutralized.

A spokesman for the Cyberspace Administration of China, which regulates thought on the internet, said that

“China’s internet is open and the government manages the internet in accordance with the law.”


Signal is still available in the Apple App Store in China and has been downloaded over 500,000 times, indicating that Apple has not yet received a CCP government order to remove it. Android apps are distributed via local channels and do not list Signal. Google Play is not available in China.

Read: https://techcrunch.com/2021/03/15/signal-is-down-in-china/

Feds seize Sky Global domain

The same day last week’s AxisOfEasy came out with the story about Canadian-based Sky Global, the company that sells encrypted messaging apps, the US Feds seized their domain name.

Sky Global’s CEO is vigorously denying the allegation and is calling the actions and the charges a government assault on privacy. Maybe it is. When I read about the case and looked at the website (before it was seized), I just got a sense that this isn’t really in the same ballpark if one reads between the lines, what might be happening is this:

The “former high level distributor” mentioned in the DoJ indictment was selling boatloads of these encrypted phones to the criminal underworld, and the CEO was charged because the DoJ is alleging he knew it and didn’t stop it.

That’s just my guess, and it could be completely wrong.

CopperStealer hijacks social media credentials

Security firm Proofpoint has written up details on a new malware they’ve dubbed “CopperStealer” which targets social media accounts like Facebook and Instagram, as well as other large tech providers like Google. They believe it’s from the same family as the malware called SilentFade, which was discovered in 2019 and “sourced from China.”

“While we analyzed a sample that targets Facebook and Instagram business and advertiser accounts, we also identified additional versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.”

Once the user’s credentials are obtained, the account is used to run malicious ads for profit and to spread more malware.

Read: https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft

FBI releases cybercrime report for 2020

The US FBI released its 2020 cybercrime report showing that reported incidents were up nearly 70% over 2019. Americans reported over 769K cybercrime incidents, costing citizens and businesses over $4 Billion USD.
BEC (Business Email Compromise) was responsible for $1.3 Billion USD in losses on its own. That figure was up $100 Million USD in damages from the year previously, albeit from fewer incidents.

Of the remainder of the complaints, most were from phishing, non-payment/non-delivery scams and extortion. I’m going to go out on a limb and bet that many of the emails behind the “extortion” figure were spammers purporting to have garnered kompromat from your computer. Those are just scams, you can ignore them; we wrote that up a long time ago and I still get people forwarding ones they got to me, asking what they should do.

Ransomware is listed separately from extortion, and compared to 76K extortion incidents, ransomware came in at just 2,474 but I’d guess that there are many more that go unreported. FWIW, terrorism came in at the bottom of the list at 65 reported incidents.

Report: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

Over on Domainsure we’re working on a BEC protection component which should be ready soon.

Hacker leaks data from We Leak Info

We Leak Info was at one time a database of compromised login credentials that would sell said credentials to all comers. It’s somewhat irresponsible compared to how places like HaveIBeenPwned handle it, where they will only tell you about leaks on your own email address – We Leak Info would give you anybody else’s creds that they had in the database.

Eventually, they were taken down, as reported in AxisOfEasy 129.

Now BleepingComputer reports that We Leak Info’s user and customer database had been breached… and has now been leaked via another online breach forum called RaidForum.

Researcher uses even simpler dependency confusion attack on Azure

We’ve reported on “dependency confusion” attacks in the last couple of issues of AoE. In AoE 183 we reported how a researcher named Alex Birsan wrote up his initial discovery and proof-of-concept deployment that led to astounding results. In the next issue, those types of attacks were being seen in the wild.

Now we get the news that somebody successfully ran this attack against Microsoft Azure when they managed to get their proof-of-concept package listed on the Microsoft Azure SDK page. SDKs are Software Development Kits other developers use to save time and build integrations, so compromising an SDK can spread far and wide. Dependency confusion attacks are when you use a typo of a package name, or shadow a private package name with a public one of the same name, and get your own code included in a package build.

Apparently this attack was not a dependency attack per se, but an even simpler exploit wherein this new researcher (currently anonymous) simply listed his test package author as a collaborator on the Azure suite, and then waited. Then in some fashion I don’t fully understand, a package compiler bot of some sort picked up his demo package and listed it to the SDK page. Microsoft has since removed it.

The upshot is that Birsan’s original PoC hack has opened the door and package dependency hacking will soon be a thing, if it isn’t already.
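The defensive side of the name-shadowing variant described above, as an added example (not Birsan’s PoC or anything from Microsoft): audit a requirements file for internal package names that a public index also serves, the condition under which a resolver that merges indexes will pick the public upload. The package names, the private index URL and the “public index” snapshot are all constructed.

```python
import re

# Constructed stand-in for a public index (think PyPI): name -> versions, ascending.
# The "acme-*" entries play the role of someone claiming internal names publicly.
PUBLIC_INDEX = {
    "requests": ["2.25.1"],
    "acme-billing-core": ["99.0.0"],
    "acme-auth-lib": ["1.4.0"],
}
# Names the organisation publishes only on its private index (constructed).
INTERNAL_PACKAGES = {"acme-billing-core", "acme-auth-lib", "acme-report-tools"}
# Requirement line: package name plus an optional exact "==version" pin.
_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?")


def audit_requirements(text, internal=INTERNAL_PACKAGES, public=PUBLIC_INDEX):
    """Return [(package, verdict)] for internal names a public index also serves.
    A resolver that merges indexes takes the highest version it sees, so an
    unpinned internal name with a public lookalike installs the public upload."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank lines and options such as --extra-index-url
        m = _REQ_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # simplified PEP 503 normalisation
        pinned = m.group(2)
        if name not in internal or name not in public:
            continue
        if pinned is None:
            verdict = "unpinned: public %s would shadow the private package" % public[name][-1]
        elif pinned in public[name]:
            verdict = "pinned %s, but that exact version is also public: add --hash pins" % pinned
        else:
            verdict = "pinned %s; public lookalike exists, install from the private index only" % pinned
        findings.append((name, verdict))
    return findings


# Constructed requirements file to audit.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example.com/simple
requests==2.25.1
acme-billing-core             # no pin: highest version anywhere wins
acme_auth_lib==1.4.0          # pinned, but the same version was uploaded publicly
acme-report-tools==0.3.0      # not on the public index
"""
```

Against a real index you would replace `PUBLIC_INDEX` with a lookup of the public registry for each internal name; the verdict logic stays the same.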

Hackers can hijack your SIM card for about $16

A lot of people have been warning for some time that using your phone to receive SMS 2FA codes for second-factor authentication is not very secure, even insecure, because of SIM card hijacks. Attackers convince your cellphone carrier, via social engineering, to allow the attacker to port your phone number away or otherwise clone your SIM. Then when they log into your account (having somehow already obtained your password), they can get your 2FA one-time code and they’re in.

Now a trivial way to hijack a number in plain sight has been revealed via a security researcher who demonstrated it on a VICE reporter. He simply bought an account with a legit SMS marketing service, for $16, and had the target phone number ported to them. Done. It’s opened a can of worms and the company in question says they’re going to tighten things up, but they aren’t the only company providing this service.

It seems as though cellular carriers can port phone numbers based on a simple LOA (Letter of Authorization), which is largely manual, and all it really is, is an attestation from one party (the receiving carrier) to another (your carrier) that “this SIM port is on the up-and-up.”

Read: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/

(If you really want to be scared, internet routing tables work in a similar fashion. Just convince somebody to accept a manual LOA and then you too can start announcing BGP routes through them for pretty well anybody.)

Tech types think Big Tech is too powerful …and want to work more closely with China

A news source you may have noticed I’ve picked up lately is Protocol, who gives some pretty good coverage of the tech space with a focus on what’s going on in China. Recently they undertook a survey with 1,578 members of the US tech community. Among the results was a surprising consensus among this group that “Big Tech” is both too powerful and causes more harm than good.

More than 40% feel that Amazon, Google, Facebook and Apple should be broken up.

Another item is co-operation with Law Enforcement, where 44% of the respondents felt that Big Tech should not cooperate with Law Enforcement Agencies.

That said, over half the respondents want better relations with China and believe that if a Cold War with China were to erupt (I think we’re a little past that, tbh), it would “cripple U.S Tech Companies.”

The issue as I see it is this: where in the US, Big Tech is emerging as another check against state power, à la Network State vs Nation State that we talk about in the AxisOfEasy salons so often, in China Big Tech is the State, or at least just an appendage of it.

I think if Big Tech here thinks they can bring China around to a more classically liberal economy through osmosis, remember that’s what the Western diplomats thought would happen since their admittance to the WTO, and that isn’t exactly how things have played out.

Instead, as per James Green’s lengthy account of US-China relations and liberalism:

“China is now presenting itself as an alternative model to liberal democracy in the areas of economic management, political governance, media manipulation, and technology control.”

Let’s face it for what it is: Big Tech wants to work with China because a) China throws a lot of money around and is one of the forces (along with Saudi Arabia) buoying up unicorn valuations in Silicon Valley and b) they’re salivating over the prospect of gaining access to the Chinese market and are willing (despite their performative woke-isms at home) to turn a blind eye to the systemic human rights abuses there.

Walmart joins international vaccine passport initiative

The largest vaccine provider in the US is… Wal-Mart, which announced last week that it has

“Signed on to an international effort to provide standardized digital vaccination credentials to people. The company joins a push already backed by major health centers and tech companies including Microsoft, Oracle, Salesforce, Cerner, Epic Systems, the Mitre Corporation and the Mayo Clinic.”

The Commons Project Foundation is a non-profit based in Geneva that has developed immunity passports called “CommonPass” for use around the world. Global use of CommonPass was authorized and mandated via legislation called the… (checks notes) …uh, nevermind.

Yes, this is the same CommonPass that MintPressNews has been reporting on since last year. Don’t hear much about ‘em in the mainstream press for some reason.

AxisOfEasy Salon #40: Subprime Attention NFTs

Last week on Salon #40 we talked a lot about Tim Hwang’s book “The Subprime Attention Crisis” which led us to a discussion on Attention Markets, NFTs, the coming civil war within Ethereum, and much more.

Watch: https://axisofeasy.com/podcast/salon-40-subprime-attention-nfts/

I also wrote an article over on Bombthrower on how if Bitcoin didn’t exist already, we’d have to invent it:

Read: https://bombthrower.com/articles/if-bitcoin-didnt-exist-wed-have-to-invent-it-right-now/


7 thoughts on “#AxisOfEasy 188: Signal is down in China”

  1. “It’s somewhat irresponsible compared to how places like HaveIBeenPwned handle it, where they will only tell you about leaks on your own email address – We Leak Info would give you anybody else’s creds that they had in the database.” Is not accurate: the entire haveIbeenpwned database is available as a 32GB zip download (for the super-paranoid people who don’t want to type in their email addresses). HaveIbeenpwned never gives out the passwords of any email address in the database, to anyone for any reason, however.

    1. You are correct, I misspoke there. There are some enterprise level services that will show you the passwords, but you have to prove ownership of the domains first.

  2. Who knows?
    But just one thing: It most certainly was NOT Lenin.
    Hmm.. perhaps it was John Lennon? Maybe but… HEY-
    “OVER THE LINE, SMOKEY! This is a tournament game.”

    Aw, WTF – I already won my free DN for a year…
    So how do I collect? Your assistant has not inquired…
