Weekly Axis Of Easy #273
Last Week’s Quote was “We carry within us the wonders we seek without us.” was … by Thomas Browne. No one got it!
This Week’s Quote: “When something is important enough, you do it even if the odds are not in your favor,” … by ???
THE RULES: No searching up the answer, must be posted at the bottom of this post, in the comments section
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
In this issue:
- Take Control Over Your Social Media Presence with Mastodon
- A group of former Facebook employees took bribes to hijack user accounts
- SolarWinds attack threatens global government cyber-infrastructure
- Canadian critical infrastructure protection law Bill C-26 faces criticism from civil rights groups
- Massachusetts Department of Public Health accused of installing ‘spyware’ called COVID-19 on 1 million devices
- Microsoft subsidiary GitHub Copilot facing landmark AI copyright lawsuit
- Possible chinese state sponsored threat actors behind recent surge of Microsoft Zero Day attacks
- Republican senators urge FTC not to take online privacy regulations on itself
- Metrics like ‘Cooperation’ and ‘Diligence’ are used by TikTok to score influencers
- An FBI warrant is executed at the home of an Area 51-related website owner
Take Control Over Your Social Media Presence with Mastodon
Everything you wanted to know about Mastodon but were afraid to ask.
Including: why it’s so popular lately, where to get an account or even how to run your own node and what the benefits are and even the downsides.
FireEye reported last week that several major government security vendors had been subjected to a fresh wave of attacks by nation-state actors. This breach managed to give threat actors access to certain government internal systems and to FireEye’s red team tools. FireEye reported that the attack took place in the form of trojanized updates to SolarWinds’ Orion IT monitoring and management software. However, SolarWinds maintains that less than 18,000 of its global clients were compromised.
In light of these disturbing revelations around the SolarWinds software, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, calling on “all federal civilian agencies to review their networks for indicators of compromise and to disconnect or power down SolarWinds Orion products immediately.”
Both the American Department of Homeland Security (DHS) and the British National Cybersecurity Centre (NCSC) has said that they are aware of the breaches across the federal cyber infrastructure. Both are working intimately with the public and private sectors to come up with a suitable response to the threat.
FireEye has recommended that all organizations with SolarWinds Orion software installed immediately adjust their settings according to the company’s latest guidance protocol. They have further suggested that all SolarWinds instances be installed behind firewalls and that all internet access to these instances is revoked. Sam Curry, the chief security officer at Cybereason, commented: “In general, now is not the time for security experts to panic. A practical and measured response is advised.”
Earlier this year, the Canadian federal government implemented its first-ever cyber security law. Bill C-26 amends the Telecommunications Act and introduces the Critical Cyber Systems Protection Act (CCSPA), which imposes data protection obligations on operators of critical infrastructure and facilitates threat information exchange.
Although reactions were positive at first, criticism has started to emerge from both civil rights groups and the business community.
The Canadian Civil Liberties Association, along with several other groups and academics, published a “Joint Letter of Concern Regarding Bill C-26” in late-September 2022. The CCSPA would enable the government to act without performing proportionality, privacy and equity assessments to protect against abuse, according to civil rights groups, and allow the Communications Security Establishment access to large amounts of sensitive data without being limited in how it uses such data to comply with its cyber security mandate.
However, the criticism doesn’t end there. The Business Council of Canada believes the CCSPA requires all operators to comply with the same regulations, without a risk-based approach, and without an information-sharing regime that would benefit all operators. Furthermore, the Council believes the proposed monetary penalties and prison terms are “overly high and unnecessary to encourage” operators to improve their cyber security posture.
The emerging stakeholder consensus appears to be that the bill contains many flaws, even though more groups are likely to comment on it in the future. As the bill goes through the Committee stage of its review, it will be interesting to see whether and how it emerges.
Over the last year, a total of two dozen Meta employees and contractors have been fired or disciplined for improperly hijacking user accounts, in some cases for bribes, says the Wall Street Journal. The news outlet reported that some of those fired worked for Meta as security guards and were given access to “Oops,” Facebook’s internal troubleshooting system for employees.
“Oops,” which stands for Online Operations, helps users if they either forget their passwords, lose their emails, or have had their accounts hacked. A user can recover their account by filing an “Oops” report, which includes a series of questions and whether the request is being made for someone on CEO Mark Zuckerberg’s team, a celebrity, or a Meta partner.
Typically, Oops is reserved for friends, family, business partners, and public figures who want to cut in line for assistance. However, because the mechanism is unavailable to a vast majority of Facebook users, a cottage industry of intermediaries has developed, charging users to regain control.
Meta’s spokesman, Andy Stone, said fraudulent individuals are always targeting online platforms and adapting their tactics to respond to detection methods commonly used throughout the industry and added that the company would continue to take “appropriate action against those involved in such schemes.“
The Massachusetts Department of Public Health (DPH) is facing a class action lawsuit for allegedly working with Google to install “spyware” onto the Android devices of a million state residents without their knowledge during the COVID-19 pandemic.
“This ‘android attack,’ deliberately designed to override the constitutional and legal rights of citizens to be free from government intrusions upon their privacy without their consent, reads like dystopian science fiction—and must be swiftly invalidated by the court,” said Peggy Little, the Senior Litigation Counsel from the New Civil Liberties Alliance (NCLA), the nonpartisan civil rights group that filed the lawsuit.
The app, once automatically installed, didn’t appear on the device’s home screen as newly-installed apps typically do. Instead, it was invisible and could only be found by opening “settings” and using the “view all apps” feature, according to NCLA.
The NCLA has asked the federal court to block the installation of the Massachusetts DPH app on private devices and to declare that the state’s actions violate Fourth Amendment rights.
Microsoft subsidiary GitHub Copilot facing landmark AI copyright lawsuit
Possible Chinese state sponsored threat actors behind recent surge of Microsoft Zero Day attacks
Republican senators urge FTC not to take online privacy regulations on itself
Metrics like ‘Cooperation’ and ‘Diligence’ are used by TikTok to score influencers
An FBI warrant is executed at the home of an Area 51-related website owner
Previously on #AxisOfEasy
If you missed the previous issues, they can be read online here:
- November 14th, 2022: Concern Over Rise In Number Of Phishing Attempts: Dropbox Breach Of 130 GitHub
- November 7th, 2022: No, Mark Jeftovic Is Not Trying To Pump Cryptos In Your Twitter DMs
- October 31st, 2022: TechCrunch’s Analysis Of TheTruthSpy And The State Of Other Stalkerware Apps
- October 24th, 2022: British Lawmakers Passed A Bill Allowing Protesters To Be Tagged Without Conviction
- October 17th, 2022: NYT Conspiracy Theory Comes True In Less Than 24 Hours