#AxisOfEasy 353: Massive Google Leak Exposes Search Algorithm Mysteries and Legal Implication


Weekly Axis Of Easy #353


Last Week’s Quote was: “Change. Before you have to.” by Jack Welch; no one got it.

This Week’s Quote: “It is not necessary to change. Survival is not mandatory.” By ???

THE RULES: No searching up the answer, must be posted at the bottom of this post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of June 3rd, 2024. Our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To listen to or watch this podcast edition with commentary and insight from Joey Tweets and Len the Legend, click here.


In this issue:

  • Massive Google Leak Exposes Search Algorithm Mysteries and Legal Implication
  • AT&T and Verizon Outage Disrupts Service in 24 States
  • Push to Protect AI Whistleblowers Led by Former OpenAI Employees
  • Google’s Privacy Failures Expose Sensitive Data and Children’s Voices
  • TikTok Zero-Click Attack Compromises Celebrity Accounts

Elsewhere Online

  • WordPress Plugins Vulnerability Exposes Millions to Attacks
  • Arctic Wolf Detects New Ransomware Threat: Fog
  • Cloud Security Lapses: Lessons from Ticketmaster Breach
  • Russian Ransomware Gang Qilin Targets London Hospitals
  • RansomHub Hackers Use Flaw Patched in 2020 for Attacks

Massive Google Leak Exposes Search Algorithm Mysteries and Legal Implication

On May 31st, the SEO world was rocked by a massive leak of internal Google API documentation, inadvertently committed to a public repository and cloned on GitHub. Google later confirmed the leak’s authenticity. This disclosure offered an unprecedented look into Google’s search ranking algorithms, long shrouded in mystery.

The documents revealed several key insights: First, despite Google’s past denials, domain rank—or “siteAuthority”—is a factor in search results. Small personal sites, under the attribute “smallPersonalSite,” are seemingly penalized compared to big brands, highlighting a significant disadvantage for independent businesses.

Additionally, the existence of a “sandbox” for new websites was confirmed, contradicting Google’s previous statements. New sites, as specified in sandbox_config.ex, are indeed sandboxed, delaying their inclusion in the main index. Moreover, the leak disclosed that user clicks on search results do influence rankings, contrary to Google’s sworn testimony to the Department of Justice, suggesting possible legal implications for perjury.

The leak, comprising over 40,000 files, promises ongoing revelations. Notable SEO expert Clint Butler from SEO Intel advised caution, stressing the need for rigorous testing and validation before drawing conclusions from the leaked data. This prudent approach underscores the complexity and potential for misguided strategies based on unverified information.

This event marks a pivotal moment, shedding light on Google’s closely guarded search algorithms and igniting discussions on the transparency and fairness of digital search mechanisms. The SEO community remains vigilant, anticipating further insights as the extensive trove of documents continues to be scrutinized.

AT&T and Verizon Outage Disrupts Service in 24 States

Many AT&T and Verizon customers faced service disruptions on Tuesday, impacting their ability to make calls, including to 911. The outage began around noon ET and worsened over the next few hours. AT&T notified the Hanover County Department of Emergency Communication about a multi-state emergency call outage. Verizon acknowledged the issue, stating, “Some customers, primarily in the Northeast and Midwest, are experiencing issues.”

By early afternoon, AT&T saw 3,074 outage reports, peaking around 5pm ET. Verizon reported 2,583 complaints at its peak. The outages affected at least 24 states, including New York, Ohio, and Michigan. Problems included dropped calls, inaudible connections, and internet issues. Outage reports for both providers started to decline after 5pm ET, with significant reductions by 7pm ET.

This is not the first time these providers have faced such issues. Verizon experienced a four-hour outage in January. AT&T has had multiple outages, the most recent being on May 22, affecting North Carolina and Virginia customers.

Push to Protect AI Whistleblowers Led by Former OpenAI Employees

Current and former employees of OpenAI are urging AI firms to safeguard whistleblowers who highlight AI risks. On Tuesday, they published an open letter calling for stronger protections for those who raise concerns about AI safety. Daniel Kokotajlo, a former OpenAI employee, stated, “I decided to leave OpenAI because I lost hope that they would act responsibly.” He criticized tech companies for prioritizing rapid development over safety.

OpenAI responded, saying they have measures for employees to express concerns, including an anonymous hotline. “We’re proud of our track record providing the most capable and safest AI systems,” the company stated. The letter, signed by 13 individuals, including AI pioneers Yoshua Bengio, Geoffrey Hinton, and Stuart Russell, demands an end to “non-disparagement” agreements that silence critics. The letter also addresses recent social media outrage over OpenAI’s agreements, leading the company to release former employees from such clauses.

This initiative comes as OpenAI develops the next generation of ChatGPT technology and forms a new safety committee. The AI community remains divided over the risks and commercialization of AI, contributing to distrust in leadership, exemplified by the ouster and return of OpenAI CEO Sam Altman last year.

Google’s Privacy Failures Expose Sensitive Data and Children’s Voices

A leaked internal Google database reveals serious security lapses in the tech giant’s handling of user data. The database, spanning 2013 to 2018, contains thousands of incident reports filed by Google employees. One report highlights an incident where over a million email addresses were exposed for more than a year. Another case from 2016 showed that Google’s Street View algorithm accidentally recorded license plate numbers as text, creating a geolocated database of these plates.

In a significant breach, Google’s speech service, meant to filter out children’s voices, failed. About 1,000 data files with children’s voices were recorded in just an hour. Google claims these files were deleted. Additional issues include a Waze carpool feature leaking users’ home addresses and trips, and a Google employee accessing private videos on Nintendo’s YouTube channel, leaking information ahead of planned announcements. YouTube also violated its own policies by making recommendations based on deleted watch history and exposing uncensored versions of pictures using its blurring feature.

These incidents, deemed unintentional, paint a troubling picture of Google’s data security practices. As Daniel Kokotajlo, former OpenAI employee, noted in a different context, “Tech companies are disregarding the risks and impact” of their actions. This statement resonates with the current concerns over Google’s practices.

TikTok Zero-Click Attack Compromises Celebrity Accounts

TikTok recently disclosed a security issue exploited by attackers to take over high-profile accounts. The attack, reported by Semafor and Forbes, involved zero-click malware spread via direct messages, compromising brand and celebrity accounts without user interaction.

A TikTok spokesperson stated the company has implemented measures to prevent future attacks. They are working with affected users to restore access, noting that only a “very small” number of accounts were impacted. Specific details about the attack and mitigation efforts remain undisclosed.

In January 2021, Check Point revealed a flaw in TikTok that could have allowed attackers to build a user database with associated phone numbers. In September 2022, Microsoft found a one-click exploit in TikTok’s Android app, enabling account takeovers via a crafted link. Additionally, 700,000 Turkish accounts were compromised through insecure SMS channels.

The “Invisible Challenge” on TikTok has also been used to spread malware, highlighting ongoing security challenges. Concerns over TikTok’s Chinese origins have led to fears of data gathering and propaganda, prompting legislative actions in the U.S. and bans in several countries.

TikTok recently challenged a U.S. law banning the app unless divested from ByteDance, calling it an “extraordinary intrusion on free speech rights.” Similar bans exist in India, Nepal, and other nations, with restrictions on government devices in the U.S., U.K., Canada, Australia, and New Zealand.


Elsewhere Online

WordPress Plugins Vulnerability Exposes Millions to Attacks

https://hackread.com/popular-wordpress-plugins-backdoor-attack/

Arctic Wolf Detects New Ransomware Threat: Fog

https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/

Cloud Security Lapses: Lessons from Ticketmaster Breach

https://www.darkreading.com/cloud-security/ticketmaster-breach-showcases-saas-data-security-risks

Russian Ransomware Gang Qilin Targets London Hospitals

https://www.standard.co.uk/news/health/russian-national-cyber-security-centre-london-ireland-ransomware-b1162210.html

RansomHub Hackers Use Flaw Patched in 2020 for Attacks

https://www.darkreading.com/cyberattacks-data-breaches/ransomhub-actors-exploit-zerologon-vuln-in-recent-ransomware-attacks
