Weekly Axis Of Easy #271
Last Week’s Quote, “There is only one success: to be able to live your life in your own way,” … was by Christopher Moreland. No one got it.
This Week’s Quote: “Making suppository remarks about our country.” … by ???
THE RULES: No searching up the answer, must be posted at the bottom of this post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
In this issue:
- No, Mark Jeftovic is not trying to pump cryptos in your Twitter DMs
- Latest Hacking Attempt on Liz Truss’ Phone Raises Concerns about the State of British Government Cybersecurity
- Freedom of Speech Concerns Following Department of Homeland Security’s Move Towards Fighting Disinformation Online
- Musk Has the Opportunity Now to Stop Twitter’s Fake Accounts and Change it For Better
- FTC Accuses Chegg of Careless Security Practices That Compromised 40M Customers
- The perpetrator of the Twilio hack was linked to a previous vishing attack that stole private data of employees
- Cyberattackers Focus In on State-of-the-Art ALMA Observatory
- Maple Leaf Foods suffers outage following weekend cyberattack
- US DOJ announces seizure of $3.36B in cryptocurrency
- Silicon Valley Job Cuts Are No Cure-All for Tech’s Falling Stock Prices
We’ve had multiple reports over the past week that there now exist multiple fake Twitter profiles mimicking Mark Jeftovic’s twitter account, and they are DM-ing people shilling sh*tcoin scams.
It goes without saying that if somebody calling themselves “Mark Jeftovic” is trying to entice you into a crypto scheme via your Twitter DMs, it isn’t legit.
On this very topic are Mark’s recent posts on how DNS can be used to solve the fake Twitter handle problem (along with a proof-of-concept Chrome plugin on our GitHub), which build on a previous article Mark wrote for Bitcoin Magazine about how to use DNS to route crypto payments to their legitimate entities.
Our GitHub: https://github.com/easydns
According to a new report by The Mail on Sunday, former Prime Minister of the UK Liz Truss’ personal phone was hacked by Russian agents earlier this year. Certain unnamed security forces have stated that the Conservative Party was well aware of the security breach before the party elected Truss to office, and then-PM Boris Johnson is said to have ordered a nationwide media blackout of the incident. It is assumed that nearly a year’s worth of sensitive material was stolen from Truss’ phone, including private conversations with international foreign ministers about the war in Ukraine.
According to security experts, the use of personal devices for government use is a growing problem among politicians and government employees. ESET global cybersecurity advisor Jake Moore believes that the malware used in the Truss attack was the spyware app Pegasus. “Its quiet, under-the-radar delivery method enables it to monitor the vast majority of a device and those targeted will have no idea of its residence,” says Moore.
Moore also stressed that everyone from the highest politician to the newest government hire is an attractive target for foreign hacking attempts. To prevent security breaches in the future, it is imperative that wide-scale cybersecurity training be provided and strictly enforced at all levels of government.
The Department of Homeland Security (DHS), originally founded after the 9/11 attacks to coordinate intelligence operations across the U.S., is expanding its reach to restrict dangerous speech online. This move towards fighting online disinformation was solidified after word of Russian meddling in the 2016 U.S. elections. The department has also made a serious effort to mitigate inaccuracies around “the origins of the COVID-19 pandemic and the efficacy of COVID-19 vaccines, racial justice, U.S. withdrawal from Afghanistan, and the nature of U.S. support to Ukraine.”
The DHS justifies this move into the domestic space by claiming that widespread disinformation can exacerbate the risk of terrorist threats and activity. Concerns, however, have been raised regarding the lack of clear government guidelines on what actually constitutes disinformation, thereby giving rise to a murky gray area that is rife for political maneuvering. An example of such manipulation can be found in the summer of 2020 when, during the George Floyd protests, the DHS monitored the social media accounts of countless Americans for domestic terrorism. Though the Privacy Act of 1974 limits the government’s ability to surveil Americans who are exercising their First Amendment rights, the act maintains exemptions for legal investigations.
In 2018, Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act (CISA), thus creating a new DHS sub-agency that was tasked with regulating misinformation. From the beginning, CISA’s mission has been to trawl social media while flagging perceived misinformation to the concerned private sector platform. Though CISA claims that the platform concerned will independently decide the course of action to take on the flagged material, its real aim seems to be to make platforms more receptive to its counsel.
Despite a 2021 report by the Election Integrity Partnership finding that only 35% of flagged material was subjected to action by social media platforms, the extent to which the DHS influences Americans’ daily feeds is unknown. As recently as August 2022, it was reported that the DHS, FBI, and several social media platforms were having biweekly meetings to discuss how to deal with concerning material online.
With Elon Musk as the company’s new owner, Twitter’s never-ending battle against spam accounts has become a concern. In April, Musk vowed to eradicate the bot infestation or, in his words, “I’ll die trying.”
High stakes surround the challenge. The bot count is important because advertisers, Twitter’s main source of income, demand to know how many ads are reaching real people. In the fight against bad actors assembling an army of accounts to spread false information or harass political rivals, it’s also crucial to keep a closer look at real and fake accounts.
Emilio Ferrara, a bot-counting specialist who worked over the summer to look into the issue for Musk, said, “The wider picture in my mind is: How can we make Twitter a better environment for everyone.”
To find out just how bad the bots are, Musk hired Ferrara and other data scientists to investigate. What Musk will do with that knowledge is the question at hand. Ferrara claimed he can’t reveal his results because his presentation, which is a 350-page study and supporting documentation, is tied up in secret court files.
The Federal Trade Commission has accused education technology provider Chegg of “careless” security practices dating back to 2017 that have resulted in the compromise of personal data. Among the offenses, the business allegedly exposed personal information for around 40 million users in 2018 when a former contractor used their login to access a third-party database.
Names, email addresses, passwords, and even religion, sexual orientation, and parents’ income ranges were included in the compromised information. Some of the stolen information belonged to employees, including Social Security numbers, medical information, and other personnel data. The FTC further claims that Chegg did not implement “commercially reasonable” measures. It allegedly allowed employees and contractors to log in with a single sign-on, did not require multi-factor authentication, and did not screen for threats.
According to the Commission, the company maintained personal data in plain text and used “outdated and weak” encryption for passwords. Officials further claim that despite three phishing assaults, Chegg did not have a formal security policy in place until January 2021 and did not give adequate security training.
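The FTC’s two complaints above, personal data kept in plain text and passwords protected with “outdated and weak” encryption, have a concrete engineering fix. The following is an added example, not code from the newsletter, the FTC or Chegg, and it does not claim to show what Chegg actually ran: it contrasts a constructed weak scheme (a fast, unsalted hash, which is what a regulator typically means by “weak”) with a hardened one using a per-user random salt, a memory-hard KDF from the Python standard library, a constant-time comparison, and a self-describing record so cost parameters can be raised later. The scrypt cost parameters are assumptions chosen for a quick demo.

```python
import hashlib
import hmac
import os

# --- Weak scheme (constructed illustration, NOT what any named company used):
# a fast, unsalted hash. Every user with the same password gets the same value,
# so one cracked entry cracks all of them, and a leaked table can be tested
# against precomputed hashes at billions of guesses per second.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return weak_store(password) == stored


# --- Hardened scheme: scrypt (memory-hard, in hashlib since Python 3.6) with a
# 16-byte random salt per user. Assumed cost parameters; production deployments
# should tune these to their hardware and budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def strong_store(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scheme$N$r$p$salt$key (all hex for salt/key)."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except (ValueError, TypeError):
        # Malformed record: fail closed rather than raise.
        return False


def identical_records(store, password: str) -> bool:
    """True if two users choosing the same password end up with the same stored value.
    That is the property a salted scheme removes."""
    return store(password) == store(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("weak scheme, same password -> same record:", identical_records(weak_store, pw))
    print("strong scheme, same password -> same record:", identical_records(strong_store, pw))
    rec = strong_store(pw)
    print("record:", rec)
    print("verify right password:", strong_verify(pw, rec))
    print("verify wrong password:", strong_verify("wrong", rec))
```

The record format is the design point: because N, r and p travel with each hash, an operator can raise the work factor for new logins and transparently re-hash old records at the next successful sign-in, instead of the flag-day migration that often keeps weak hashes in place for years.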
Chegg has agreed to comply with a proposed order for restitution, according to the FTC. The business must identify and limit the breadth of the data it collects. It intends to put in place multi-factor authentication as well as a “comprehensive” security program that will include encryption and security training. Customers will be able to view their data and request that Chegg delete it.
The Twilio attack in August was the result of a campaign that barraged employees with SMS texts, eventually persuading them to go to a fake login page.
After recently concluding its investigation into this incident, the business discovered that the same perpetrator was also responsible for a smaller hack in June. In that earlier incident, however, a different tactic was used: a vishing (voice phishing) attack persuaded a company employee to divulge their login credentials over the phone.
Since those attacks, Twilio has reset the compromised credentials of the affected employees, and it is currently distributing FIDO2 hardware security keys to all of its staff members as a two-factor authentication method.
Vishing and SMS attacks are displacing phishing emails, which up to now have primarily been used by ransomware and other criminal organizations to initiate contact with targets. Defense.com CEO, Oliver Pinson-Roxburgh, says, “It’s critical for businesses to stay on top of these evolving social engineering trends, since thieves frequently repurpose successful techniques.”
Every employee in an organization, regardless of rank, needs to be cyber-aware and on the lookout for threats. If they are, the weakest point might easily turn into the best line of defense.
Cyberattackers Focus In on State-of-the-Art ALMA Observatory
Maple Leaf Foods suffers outage following weekend cyberattack
US DOJ announces seizure of $3.36B in cryptocurrency
Silicon Valley Job Cuts Are No Cure-All for Tech’s Falling Stock Prices
Previously on #AxisOfEasy
If you missed the previous issues, they can be read online here:
- October 31st, 2022: TechCrunch’s Analysis Of TheTruthSpy And The State Of Other Stalkerware Apps
- October 24th, 2022: British Lawmakers Passed A Bill Allowing Protesters To Be Tagged Without Conviction
- October 17th, 2022: NYT Conspiracy Theory Comes True In Less Than 24 Hours
- October 10th, 2022: The White House Unveiled A Blueprint For An AI “Bill of Rights” To Safeguard The American Public’s Rights
- October 3rd, 2022: Drop What You’re Doing, Thunderbird Edition