#AxisOfEasy 192: Another Supply Chain Breach: Codecov Hacked – Damage Unknown


Weekly Axis Of Easy #192


Last Week’s Quote was “A society becomes totalitarian when its structure becomes flagrantly artificial: that is, when its ruling class has lost its function but succeeds in clinging to power by force or fraud” … yes, it was (I thought) George Orwell again, winner being Adrian Crossley.

This Week’s Quote:  “A nation of sheep will beget a government of wolves.”  …by???


THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.


In this issue:

  • Facebook’s ad system lets companies spin both directions
  • Big Tech’s fingerprints all over new privacy laws in US
  • Amazon is trying to strongarm Ecobee into sharing user data
  • NAME:Wreck DNS bug enables DoS and RCE
  • FBI removing web shells from infected Exchange servers without informing owners
  • Vulnerabilities in WordPress Elementor page builder
  • How to tell if you are already tagged in Google’s new FLOC system
  • ParkMobile leaks 21 million license plates and owner info
  • Geist: Trudeau Libs have become most anti-Internet government in history
  • Another supply chain breach: Codecov affects Godaddy, WaPo and more
  • EasyDNS is now accepting Dogecoin payments
  • Rogers shits-the-bed nationwide, all day


Facebook’s ad system lets companies spin both directions

One of our lawyers has a favourite expression, “You can’t suck and blow at the same time.” Except, it would appear on Facebook’s ad system, where companies can and do present very different messages of their corporate personas to different end users depending on their political beliefs.

Facebook’s data collection and profiling of users is honed to the point where an oil company, for example, can put feel-good ads about pivoting to a green economy and carbon capture technologies in front of liberals, and “oil companies are the backbone of the working class economy” in front of conservatives. End users are presented with corporate personas that fortify their existing biases. This article from The Markup demonstrated this in action with the different ads put forth by Exxon depending on the Facebook-determined political bias profiles of the end user accounts.

“The Markup found 18 Exxon ads on Facebook targeted to political liberals and 15 to conservatives—many with messages implying a contradictory attitude toward the urgency of adapting to climate change.”

The article’s authors worked with NYU’s Cybersecurity for Democracy Project which provides a browser plugin to volunteers who then report back on the ads they’re shown and the reasons why they’re shown them when they click on Facebook’s “Why am I seeing this ad?” feature.

Read: https://themarkup.org/news/2021/04/13/how-facebooks-ad-system-lets-companies-talk-out-of-both-sides-of-their-mouths

And: https://cybersecurityfordemocracy.org/

In the same ballpark of opposing echo chambers, check out https://www.their.news which is a nifty website that lets you plug-in a search term, say, “climate change” or “Bitcoin” and then it shows you how that topic is being reported on by left/liberal vs right/conservative media.


Big Tech’s fingerprints all over new privacy laws in US

One of the constants between the former Trump administration and the new Biden regime is that the heat is being turned up on Big Tech, for reasons ranging from its monopoly control over narratives to the entire surveillance capitalism business model.

Now it appears as though Big Tech is attempting to get out in front of this by pushing for so-called “privacy” initiatives at the state level to introduce watered down legislation that only carries a veneer of consumer protection.

In March the State of Virginia “hastily” passed a new data privacy law that Protocol magazine found had been authored by Amazon “with input from Microsoft.” Since then, there are at least 14 separate state level initiatives in the works that are built on the Virginia bill or weaker.

They are being pushed through various state legislatures by armies of lobbyists and contain watered down or neutered provisions, such as requiring end users to “opt out” instead of the other way around, and protections that shield companies from being sued for violations.


Read: https://themarkup.org/privacy/2021/04/15/big-tech-is-pushing-states-to-pass-privacy-laws-and-yes-you-should-be-suspicious

And: https://www.protocol.com/policy/virginia-maryland-washington-big-tech


Amazon is trying to strongarm Ecobee into sharing user data

We’ve been covering numerous examples throughout these pages of how Amazon leverages its dominant market position to undercut its own vendors and even knock off their products.

Ecobee, for their part, is a Toronto-based smart thermostat company. They compete with Google’s Nest. According to the Wall Street Journal, Amazon has been leaning on Ecobee to give Amazon access to user data such as audio from its voice activated devices, even when users aren’t using it.

To their credit, Ecobee has refused, citing privacy concerns. Amazon then threatened Ecobee that their refusal could “threaten their ability to sell in their platform.”

“Amazon’s tactic of leveraging dominance in one business to compel partners to accept terms from another is a familiar one, said former Amazon executives and officials at companies on the receiving end. Amazon’s tactics, they said, go beyond typical product bundling and tough negotiating in part because the company threatens punitive action on vital services it offers, such as its retail platform.

Partners often acquiesce to Amazon’s demands, the executives and officials said, because of its power in a range of market sectors.”

I see ads all over the internet for courses in building “FBA businesses” (Fulfilled by Amazon). Nobody in their right mind should be building or buying an Amazon FBA biz. There’s a reason we call Amazon “The company store,” and there’s a reason Amazon is under some well deserved anti-trust scrutiny.

Read: https://www.wsj.com/articles/amazon-strong-arms-partners-across-multiple-businesses-11618410439 (paywall)

Or: https://www.theverge.com/2021/4/15/22386086/amazon-strong-arm-power-ecobee-antitrust-tech

Ecobee’s CEO is Stuart Lombard, who as co-CEO of the dial-up era ISP Inforamp.net gave me my first job in the internet business.


NAME:Wreck DNS bug enables DoS and RCE

Researchers at Forescout Research Labs and JSOF Research have disclosed a set of nine new DNS vulnerabilities in four TCP/IP stacks that open up potentially “billions” of devices to denial of service and remote code execution attacks. The stacks affected are:
  • FreeBSD
  • Nucleus NET
  • NetX
  • IPnet
The vulnerabilities lie within the parts of the DNS implementations that handle message compression, where attackers can manipulate the data streams in unanticipated ways.
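As an added illustration (not code from the newsletter or from the Forescout/JSOF research), here is a DNS name decompressor that applies the checks a compression-pointer parser needs: every pointer must point strictly backwards past the start of the name, no label may run past the end of the message, and the output is capped. The message bytes and the offsets in it are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Decompress the DNS name at `off` in `msg` into dotted form in `out`.
 * Returns the wire bytes consumed at `off` (through the first pointer or the
 * root label), or -1 on malformed input. Stricter than RFC 1035: a pointer
 * must land before the name start or before the previous pointer's target,
 * so chains only move backwards and cannot loop however labels are laid out. */
int dns_name_decompress(const uint8_t *msg, size_t len, size_t off,
                        char *out, size_t out_cap)
{
    size_t pos = off, bound = off, outlen = 0;
    int consumed = -1;                      /* set at first pointer or root label */
    if (out_cap == 0 || off >= len) return -1;
    for (;;) {
        if (pos >= len) return -1;          /* length/pointer byte past end */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {           /* 0b11xxxxxx: compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (target >= bound) return -1; /* forward or self pointer: loop risk */
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            bound = pos = target;
            continue;
        }
        if (c & 0xC0) return -1;            /* 0x40/0x80 label types unsupported */
        if (c == 0) {                       /* root label ends the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            out[outlen] = '\0';
            return consumed;
        }
        if (pos + 1 + c > len) return -1;   /* label body past end of message */
        if (outlen + c + 1 >= out_cap || outlen + c + 1 > 254) return -1; /* 255B */
        memcpy(out + outlen, msg + pos + 1, c);
        outlen += c;
        out[outlen++] = '.';
        pos += 1 + c;
    }
}
/* Constructed 38-byte message: 12 zero header bytes, then names at the offsets noted. */
const uint8_t SAMPLE_MSG[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* off 12: example.com. */
    3,'w','w','w', 0xC0,0x0C,                         /* off 25: www + ptr->12 */
    0xC0,0x1F,                                        /* off 31: ptr->31 (self-loop) */
    0xC0,0x19,                                        /* off 33: ptr->25 -> ptr->12 */
    5,'a','b'                                         /* off 35: label runs past end */
};
const size_t SAMPLE_LEN = sizeof SAMPLE_MSG;
char dns_out[256];                                    /* output buffer for callers */
```

Offsets 12, 25 and 33 decode to example.com. and www.example.com.; the self-loop at 31, the truncated label at 35, and any offset at or past the end are rejected with -1.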

Read: https://www.darkreading.com/vulnerabilities—threats/dns-vulnerabilities-expose-millions-of-internet-connected-devices-to-attack/d/d-id/1340664

And: https://www.forescout.com/research-labs/namewreck/


FBI removing web shells from infected Exchange servers without informing owners

The Microsoft Exchange ProxyLogon flaw is so bad and so widespread with the infection rate so out of control that the FBI has resorted to simply accessing compromised servers and deleting the web shells that are left behind by hackers to access them.

In other words, the FBI is cleaning up these hacks when they can, and they’re doing it without warrants or even alerting the server owners about it. The agency is acting under a court order obtained in Houston, TX on April 9th, which enables them over the following 14 days to detect the hacked servers, take snapshots of the web shells as evidence, issue commands to delete them, and delay notifying the owners.

Read: https://www.bleepingcomputer.com/news/security/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners/


Vulnerabilities in WordPress Elementor page builder

The Wordfence team has issued an alert on a critical flaw within the Elementor page builder framework. It’s not the core Elementor plugin at risk but numerous supporting plugins (Wordfence found over 100 endpoints affected). This could be a big one, as Elementor is estimated to be in use on over 3.5 million sites. It’s a cross-site scripting flaw that enables any user to access the Elementor Editor and to arbitrarily add JavaScript to posts.

The list of affected components is quite long, see the Wordfence post. If you’re an easyPress user we’ve already upgraded all the at risk plugins.

Read: https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ecosystem/


How to tell if you are already tagged in Google’s new FLOC system

We recently covered how Google was transitioning away from allowing third-party cookies to track end user activity (which pretty well the entire ad tech industry relies on).

Instead they’re moving toward “FLOC,” Federated Learning of Cohorts, a system where Google will tabulate your interests and profile on the browser side and then group you into “cohorts” based on your interests… which is more or less your browser history. It will then allow advertisers to target the cohorts, which, the logic goes (I think), protects individual privacy. Or not.

Anyway, a new “Am I FLOC-ed?” tool will tell you if your browser has already been grouped into a FLOC:

Test here: https://amifloced.org/

The Brave browser blocks FLOC and they wrote up why here:

Read: https://brave.com/why-brave-disables-floc/

It now looks like WordPress is considering blocking FLOC at the codebase level; I wonder if this is a sign of things to come. WordPress is the most popular website CMS in use across the internet today.

Read: https://www.bleepingcomputer.com/news/security/wordpress-may-automatically-disable-google-floc-on-websites/


ParkMobile leaks 21 million license plates and owner info

It looks like parking app service ParkMobile has had a breach, since hackers are selling approximately 21 million data records on the dark web. Krebs on Security was notified of the breach via Gemini Security, a firm that monitors cybercrime forums. They provided him with data from his ParkLink account on four separate vehicles he has owned over the years.

The breached data included “customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.”

The timing isn’t stellar, as Parklink is in the process of being acquired by EasyPark (no relation), which operates 450 parking lots across North America.

Read: https://krebsonsecurity.com/2021/04/parkmobile-breach-exposes-license-plate-data-mobile-numbers-of-21m-users/


Geist: Trudeau Libs have become most anti-Internet government in history

Hot on the heels of my piece last week (ok, it was a rant) about Canadian Heritage Minister Steven Robespierre Guilbault’s intention to introduce legislation to censor and outlaw taunts directed at politicians, University of Ottawa law professor Michael Geist has weighed in on the topic, calling Canada’s federal government “the most anti-Internet government in history.”

Geist recounts the sense of “whiplash” he felt witnessing the about face the government has taken regarding the internet from the ideals they campaigned on back in 2015:

“Today’s Liberal government is unrecognizable by comparison as it today stands the most anti-Internet government in Canadian history:

  • As it moves to create the Great Canadian Internet Firewall, net neutrality is out and mandated Internet blocking is in.
  • Freedom of expression and due process is out, quick takedowns without independent review and increased liability are in.
  • Innovation and new business models are out, CRTC regulation is in.
  • Privacy reform is out, Internet taxation is in.
  • Prioritizing consumer Internet access and affordability is out, reduced competition through mergers are in.
  • And perhaps most troublingly, consultation and transparency are out, secrecy is in.”

For those of us in the ISP business, we’re looking at mandatory content-based takedowns within 24 hours, with promises of “heavy penalties” for not doing so. This should get interesting, because outside of pre-existing legal frameworks that are already in place to cover hate speech, we’re not taking down jack shit. We’ll go the distance to uphold the rights of our customers and the rights of all Canadians to heap the derision and contempt on our political overlords that they so richly deserve.

Read: https://www.michaelgeist.ca/2021/04/why-the-liberals-have-become-the-most-anti-internet-government-in-canadian-history/


Another supply chain breach: Codecov affects Godaddy, WaPo, P&G and more

Here we go again…

“U.S. federal investigators are probing an intrusion at San Francisco-based software auditing company Codecov that affected an unknown number of its 29,000 customers, the firm said.”

Codecov sells a software suite that helps firms test their own software for (wait for it)… bugs and security vulnerabilities. Which means that any of the firms who were using the hacked version of Codecov to prevent hacks may now be hacked.

It’s too early to tell what the fallout will be, or if it’s anywhere near as bad as the SolarWinds Sunburst hack. Codecov lists firms such as Procter & Gamble, GoDaddy, and the Washington Post as their clients on their homepage.

Developing….

Read: https://bombthrower.com/articles/canada-to-censor-political-taunts-constituents-remain-fair-game/

As we were going to press, more details are emerging and so far it looks like “hundreds” of companies could be compromised by this.


EasyDNS now accepting Dogecoin payments
This one isn’t really a statement on the Dogecoin memecoin as much as it is a commentary on what a joke batted around in our Slack on a Friday night can turn into.

I’ve been aware of Dogecoin for years, and never really paid much attention to it until I was listening to NLW’s episode on the recent Dogecoin spike on CoinDesk and asked in an off-the-cuff manner in our dev/ops channel, “how hard would it be to add Doge as a payment method?” I was even walking the dog(e) at the time.

By the time I got home and was hanging up the leash, I saw a message zap across my phone screen… “It’s live. Lol.”

…and here we are.

Read: https://easydns.com/blog/2021/04/16/easydns-now-accepting-doge-payments/


Rogers shits-the-bed nationwide, all day

Canadian cellular users were out of luck for pretty well all of Monday when the Rogers and Fido cellular systems went down hard, taking phone, LTE and the entire data network with it.

There was scant communication coming out of Rogers, other than bare minimum platitudes like “some users may be experiencing intermittent disruptions.” That’s putting it lightly, for a situation that would be more accurately described as “the entire fscking system is off the air, nationwide.”

Of course in the absence of meaningful communications and status updates, rumours abound, such as “ransomware,” “cyber attack,” Dogecoin, you name it.

Rogers eventually ascribed the entire outage to “an Ericsson software update that affected a piece of equipment in the central part of our wireless network,” which to me reads like a Single-Point-of-Failure if I ever saw one.

Given that Ontario is well into our third lockdown and under stay-at-home orders, the timing couldn’t have been worse.

Read: https://www.cbc.ca/news/business/rogers-outage-1.5992954

And: https://globalnews.ca/news/7771019/economic-implications-rogers-outages/

5 thoughts on “#AxisOfEasy 192: Another Supply Chain Breach: Codecov Hacked – Damage Unknown”

  1. This week’s quote “A nation of sheep will beget a government of wolves” is by Edward R. Murrow, an American journalist and author.
