Elsewhere online: 

• FortiOS Vulnerability [CWE-121] Allows Privileged Attackers to Execute Arbitrary Code via CLI Commands
• Unveiling Reptile: Sophisticated Linux Malware Targeting South Korean Systems
• Clop Ransomware Exploits Zero-Day Vulnerability to Leak Stolen Data in MOVEit Torrent Attacks
• FBI Warns Against Cyber Crooks Masquerading as Legitimate NFT Developers to Steal Cryptocurrency from Users
• Colorado Department of Higher Education (CDHE) Puts Students and Staff on Notice Following Ransomware Breach

Worldcoin’s Controversial Eyeball-Scanning Technology Empowers Governments with Digital ID System

OpenAI CEO Sam Altman’s Worldcoin serves as a notable illustration of private enterprises contributing towards promoting and implementing digital ID schemes among a wide populace. While such initiatives are typically spearheaded by governments with the support of various interest groups, Worldcoin’s involvement showcases the active participation of private companies in this domain.

The goal is undoubtedly to get as many people on board as possible, thus the “generosity” in providing the iris scanning technology geared to authenticate people’s identities. We are building the biggest financial and identity community possible, said Ricardo Macieira, chief of Tools for Humanity (the company behind Worldcoin).

Worldcoin can be utilized for a variety of purposes, including distinguishing between human and artificial intelligence, paving the path for universal basic income, and “enabling worldwide civic processes.”
Worldcoin is now focusing on increasing popularity in Africa, Latin America, and Europe.

Read: https://reclaimthenet.org/controversial-eyeball-scanning-worldcoin-to-allow-governments-to-use-its-digital-id-system


IPv6: The Good, the Bad, and the Ugly of Migration

According to Mathew Duggan, cloud providers such as AWS, GCP, Azure, and Hetzner are now charging for the use of public IPv4 addresses. This, he argues, is a sign that the era of cloud providers purchasing more IPv4 space is coming to an end and that it is time to switch to IPv6.

Duggan admits that he has not done much with IPv6 in the past due to a lack of market demand for those skills. However, he decided to migrate his blog to an IPv6-only server and was horrified by what he found: almost nothing works out of the box, and major dependencies cease functioning right away. In his view, the migration process for teams to IPv6 will be very rocky since almost no one has dealt with it.

Despite the challenges, IPv6 is worth the effort, according to the author. Some of the benefits of IPv6 include a larger address space, faster processing and routing, easier QoS, auto-addressing, and the ability to add IPsec with the Authentication Header and Encapsulating Security Payload. Perhaps most importantly, he notes that IPv6 addresses are free while IPv4 ones are not.

Read: https://matduggan.com/ipv6-is-a-disaster-and-its-our-fault/


Prospect Medical Holdings Targeted in Countrywide US Primary Care Cyber Attack

Last week, on August 3rd, a widespread cyber-attack targeted medical facilities across the US that were operated by Prospect Medical Holdings. The California-based company has hospitals and clinics in Texas, Connecticut, Rhode Island, and Pennsylvania. The attack led to the closure of several emergency rooms and the diversion of emergency ambulance services.

In response to the attack, Prospect Medical Holdings took its systems offline and initiated an investigation with the help of third-party cybersecurity specialists.

“Our computer systems are down with the outage affecting all Waterbury Health inpatient and outpatient operations,” Prospect Medical’s hospital in Waterbury, Connecticut, posted on its Facebook page on Friday.

The company also said it was in the process of reevaluating its downtime capabilities and might have to reschedule certain appointments. According to the statement, affected patients would be contacted accordingly.

“The impact on healthcare, already strained under the weight of the ongoing global health crisis, has immediate and far-reaching consequences on human lives,” commented Dasera CEO Ani Chaudhuri.

“Moreover, the Covid-19 pandemic has accelerated the digital transformation in healthcare, pushing many providers to adopt cloud technologies quickly, often without the opportunity to implement robust security measures.”

In fact, the severity of the attack prompted primary care services to remain closed on Friday while security experts worked to assess the extent of the damage and find a resolution.

“While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible,” Prospect Medical Holdings said in a statement.

Read: https://www.infosecurity-magazine.com/news/us-primary-care-services/

The Supreme Court Holds the Fate of the Internet in Its Hands

When the Supreme Court agreed to hear the Gonzalez v. Google case involving Section 230 of the Communications Decency Act, the tech-policy world was laser-focused on its implications. The week before oral arguments, Google’s general counsel wrote that the “decision could radically alter the way that Americans use the internet.” Those predictions fell short a few months later when the court released its opinion and completely punted on any interpretation of Section 230, the 1996 law that protects platforms from liability for user content.

Despite their reluctance to decide lofty cyber issues, there is a good chance that the Supreme Court will not be able to avoid the issue next year. Two similar laws from Texas and Florida that restrict platforms from moderating certain speech have recently come under attack. The Texas law states that large social media platforms “may not censor a user, a user’s expression, or a user’s ability to receive the expression of another person” based on viewpoints or the users’ location. NetChoice, a group representing tech companies, has challenged both laws.

Although their laws are not identical, both states find reconciling their courts’ opinions impossible. While one allows tech companies to moderate user content as they see fit, the other does not. Lawyers refer to this problem—having different legal rules depending on what part of the country you’re in—as a “circuit split,” which is particularly problematic for issues involving the internet, which reaches across state borders.

The Supreme Court is likely to take an interest in such a high-profile case and may offer its verdict by next June. The NetChoice cases are about more than just liability in lawsuits; they will require the Supreme Court to decide whether online platforms have a First Amendment right to moderate user content and will “threaten to transform speech on the internet as we know it today,” according to NetChoice.

Read: https://www.wired.com/story/tech-policy-netchoice-scotus/

AI Controversy Leads Zoom to Backpedal on Updates to its Terms of Service

On July 26th, Zoom added a concerning clause to its Terms-of-Service (TOS). The clause allowed the video conferencing company to use customer-generated content for any purpose they see fit, including training artificial intelligence (AI) models, with no option for users to opt out.

Nestled within section 10.4, for those brave enough to venture, is a language that confers upon Zoom a carte blanche right to exploit what it coins as “Service Generated Data” (SGD). This expansive designation encompasses a cornucopia of user-generated information – from innocuous telemetry data to incisive diagnostic insights – all grist for the AI mill.

Section 10.4 also describes the company’s use of Customer Content (defined as “data, content, files, documents, or other materials”), which it can use “for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof.”

The company makes clear that it will be using data for, among other things, fine-tuning AI models and algorithms. The potential consequences are manifold, raising red flags for privacy pundits and sparking debates over the boundaries of user consent.

Zoom contends that these data maneuvers are vital to service provision, bolstering software quality and enhancing the broader Zoom ecosystem. The augmentation of AI capabilities, epitomized by Zoom IQ, has been touted as a beacon of collaboration, promising efficient meeting summaries, task automation, and optimized follow-ups, all enabled by the seamless integration of user data.

However, as of 2.30 am on August 7th, Zoom reached out to Zero Hedge with an update to these TOS. The new clause now states that Zoom will not use customer content (whether audio, video, or chat) to train its artificial intelligence models without user consent.

Read: https://www.zerohedge.com/technology/privacy-storm-brewing-zooms-updated-terms-greenlight-ai-model-training-user-data

 Elsewhere online: 

FortiOS Vulnerability [CWE-121] Allows Privileged Attackers to Execute Arbitrary Code via CLI Commands
Read: https://www.fortiguard.com/psirt/FG-IR-23-149

Unveiling Reptile: Sophisticated Linux Malware Targeting South Korean Systems
Read: https://thehackernews.com/2023/08/reptile-rootkit-advanced-linux-malware.html

Clop Ransomware Exploits Zero-Day Vulnerability to Leak Stolen Data in MOVEit Torrent Attacks
Read: https://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/

FBI Warns Against Cyber Crooks Masquerading as Legitimate NFT Developers to Steal Cryptocurrency from Users
Read: https://thehackernews.com/2023/08/fbi-alert-crypto-scammers-are.html

Colorado Department of Higher Education (CDHE) Puts Students and Staff on Notice Following Ransomware Breach
Read: https://www.infosecurity-magazine.com/news/colorado-education-ransomware/

Previously on #AxisOfEasy