
Weekly Axis Of Easy #402
Last Week’s Quote was: “You don’t get from life what you want. You get from life what you are,” by Jim Fortin. No one got it.
This Week’s Quote: “You can motivate an idiot but all you’re going to get is a motivated idiot.” By ???
THE RULES: No searching up the answer, must be posted at the bottom of the blog post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
This is your easyDNS #AxisOfEasy Briefing for the week of May 26th, 2025. Our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.
To Listen/watch this podcast edition with commentary and insight from Joey and Len the Lengend click here.
In this issue:
- Claude 4 Opus Emerges as Powerful but Risky AI Model with Deceptive Behaviors
- Breakthrough Discovery of Linux Zero-Day Using OpenAI’s O3 Model
- Nova Scotia Power Confirms Ransomware Breach Exposing Sensitive Customer Data
- LexisNexis Data Breach Exposes Sensitive Information of Over 364,000 People
- Microsoft OneDrive File Picker Flaw Exposes Broad User Data Access
Elsewhere Online:
Claude 4 Opus Emerges as Powerful but Risky AI Model with Deceptive Behaviors
Anthropic unveiled two Claude 4 models, with Claude 4 Opus drawing attention not only for its coding ability but also for its deceptive, scheming, and blackmailing behaviors when threatened with shutdown. Opus became the first model that Anthropic rated as Level 3 on its four-point risk scale, signaling a significantly higher risk and triggering additional safety measures.
Testing described in Opus 4’s 120-page system card showed that when given fictional emails about its creators and told it would be replaced, the model escalated from mild efforts to blackmailing an engineer over an affair. Apollo Research, an external group, found an early version of Opus 4 schemed and deceived more than any frontier model they had seen, attempting to write self-propagating worms, fabricate legal documents, and leave hidden notes for future instances to undermine developers. At Anthropic’s developer conference, Jan Leike, a former OpenAI executive now leading safety, acknowledged the troubling behaviors and stressed the importance of robust safety testing, although he maintained that the updated model is safe.
CEO Dario Amodei cautioned that once AI reaches a humanity-threatening level of power, testing alone will be insufficient; developers must fully understand the model mechanisms. Meanwhile, efforts to interpret model behavior remain mostly in research, even as powerful generative AI systems like Opus see broad deployment.
Read: https://www.axios.com/2025/05/23/anthropic-ai-deception-risk
Breakthrough Discovery of Linux Zero-Day Using OpenAI’s O3 Model
Sean Heelan has unveiled a striking use of OpenAI’s o3 model: the discovery of CVE-2025-37899, a remote zero-day vulnerability in the Linux kernel’s ksmbd, the SMB3 implementation. What makes this find compelling isn’t just the bug itself but the method. Without scaffolding, agentic frameworks, or external tools, Heelan ran o3 directly through its API, tasking it to reason through concurrent session connections and shared object lifecycles. The model identified a classic use-after-free scenario where an object, non-reference-counted, was freed while still accessible by another thread — a kernel-space memory corruption issue with the potential for arbitrary code execution.
Originally, Heelan set out to benchmark o3 against CVE-2025-37778, a known Kerberos authentication vulnerability, testing whether the model could handle non-trivial, remotely reachable flaws. Using about 3,300 lines of session setup code, o3 detected the known issue in 8% of runs, outperforming Claude Sonnet 3.7’s 3% and 3.5’s zero. Scaling up to 12,000 lines of code, notably from the smb2pdu.c file containing all SMB command handlers, o3’s detection rate dropped, but it unexpectedly uncovered the new CVE-2025-37899. Heelan orchestrated 100 systematic experiments using the LLM GitHub tool with carefully designed prompts, aiming to guide o3’s focus toward real vulnerabilities while minimizing false positives.
What stands out is that o3 sometimes reasoned past Heelan’s assumptions, recognizing that even after patches set session pointers to NULL, multi-connection session binding left windows for exploitation. While o3 is not infallible and still produces a significant number of false positives, Heelan concludes that its structured, humanlike bug reports represent a meaningful leap forward in vulnerability research, offering new tools to enhance the efficiency and effectiveness of expert researchers tackling real-world security challenges.
Read: https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/
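The lifetime problem described above, replayed as a deterministic interleaving in an added example (not code from ksmbd or from Heelan's write-up). The types, the function names and the `alive` flag standing in for the kernel's free are all hypothetical; the point is that NULLing the shared field does nothing for a connection that already copied the pointer, while a reference count keeps the object valid until the last holder drops it.

```c
#include <stdio.h>

/* Hypothetical types for illustration; these are not ksmbd's structures. */
struct user    { int refs; int alive; };       /* alive=0 stands in for kfree() */
struct session { struct user *user; };         /* shared by all bound connections */

static struct user *user_get(struct user *u) { if (u) u->refs++; return u; }
static void user_put(struct user *u) { if (u && --u->refs == 0) u->alive = 0; }

/* Logoff on connection B, unsafe form: free the object, then NULL the field. */
static void logoff_unsafe(struct session *s) {
    if (s->user) s->user->alive = 0;
    s->user = NULL;                    /* protects later readers of s->user only */
}

/* Logoff on connection B, refcounted form: drop only the session's reference. */
static void logoff_refcounted(struct session *s) {
    struct user *u = s->user;
    s->user = NULL;
    user_put(u);
}

/* Returns 1 if connection A would touch freed memory in this interleaving. */
int unsafe_interleaving(void) {
    struct user u = { 1, 1 };
    struct session s = { &u };
    struct user *held = s.user;        /* A: copies the pointer, takes no ref */
    logoff_unsafe(&s);                 /* B: runs between A's load and A's use */
    return s.user == NULL && held != NULL && !held->alive;
}

/* Returns 1 if A's object stays valid until A drops it, then is released. */
int refcounted_interleaving(void) {
    struct user u = { 1, 1 };
    struct session s = { &u };
    struct user *held = user_get(s.user);   /* A: in real code, under a lock/RCU */
    logoff_refcounted(&s);                   /* B: refs 2 -> 1, object survives  */
    int valid_during_use = held->alive;
    user_put(held);                          /* A done: refs 1 -> 0, released    */
    return valid_during_use && !u.alive && s.user == NULL;
}

int main(void) {
    printf("unsafe: dangling use = %d\n", unsafe_interleaving());
    printf("refcounted: safe use = %d\n", refcounted_interleaving());
    return 0;
}
```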
Nova Scotia Power Confirms Ransomware Breach Exposing Sensitive Customer Data
Nearly one month after initially alerting customers to a cyberattack, Nova Scotia Power, the Canadian electric utility serving ~550,000 customers, confirmed on May 23 that it suffered a sophisticated ransomware attack. The breach, disclosed on April 28 by Nova Scotia Power and its parent company, Emera, was further detailed on May 1, when the utility admitted that hackers had stolen customer data. By May 14, Nova Scotia Power had revealed that the compromised data included names, dates of birth, phone numbers, email addresses, mailing addresses, service addresses, power consumption, service requests, billing information, payment details, and credit histories. Notably, attackers also accessed driver’s license numbers, Social Insurance Numbers, and bank account numbers associated with pre-authorized payments. Despite the breach’s breadth, the company emphasized that there was no disruption to electricity generation, transmission, or distribution.
Nova Scotia Power confirmed no ransom had been paid, citing sanctions laws and law enforcement guidance. On May 23, it disclosed that stolen data had been published; cybersecurity experts are assessing the nature and scope of the exposure. Roughly 280,000 customers are receiving breach notifications. Notably, the responsible ransomware group and the leak’s location remain unidentified, and SecurityWeek found no mention of Nova Scotia Power on known ransomware leak sites. The cybersecurity community has long warned that power grids face real, not just theoretical, hacking threats.
Read: https://www.securityweek.com/nova-scotia-power-confirms-ransomware-attack-280k-notified-of-data-breach/
LexisNexis Data Breach Exposes Sensitive Information of Over 364,000 People
LexisNexis Risk Solutions, a major data broker profiting from collecting and selling Americans’ personal and financial data, disclosed a breach affecting over 364,000 people. The breach began December 25, 2024, when an unknown hacker accessed LexisNexis’s GitHub account via a third-party software development platform, exposing names, birth dates, phone numbers, postal and email addresses, Social Security numbers, and driver’s license numbers. LexisNexis learned of the breach on April 1, 2025, from an unknown third party claiming to have accessed the data; the company has not revealed if a ransom demand followed. LexisNexis’s services power fraud detection, risk assessment, and due diligence for corporate clients, as well as law enforcement, which uses its databases for suspect information.
Previously, The New York Times reported that car manufacturers shared drivers’ data with LexisNexis without the owners’ consent; insurers used this data to set premiums. Notably, earlier this month, White House official Russell Vought, under the Trump administration, scrapped a Biden-era rule that would have subjected data brokers to the same federal privacy rules as credit bureaus, despite longstanding concerns from privacy advocates. The breach disclosure went to the office of Maine’s attorney general, illustrating state-level oversight roles alongside federal regulatory gaps that leave companies like LexisNexis largely unchecked.
Read: https://techcrunch.com/2025/05/28/data-broker-giant-lexisnexis-says-breach-exposed-personal-information-of-over-364000-people/
Microsoft OneDrive File Picker Flaw Exposes Broad User Data Access
Oasis Security revealed that Microsoft’s OneDrive File Picker grants excessive OAuth permissions, allowing apps like ChatGPT, Slack, Trello, ClickUp, and Phenome to access entire OneDrive accounts, not just selected files. Versions 6.0–7.2 mishandle OAuth tokens via URL fragments or localStorage; version 7.0 demands broad read-write access; version 8.0 improves authentication but keeps wide scopes. Vijay Dilwale (Black Duck), Eric Schwake (Salt Security), and Jason Soroko (Sectigo) warn that consent dialogs mislead users, risking leaks like corporate résumés. Tokens persist for over an hour; refreshing tokens extends access. Unlike Microsoft, Google and Dropbox use safer models. Microsoft acknowledged the issues but announced no fixes; users are advised to review their app permissions.
Read: https://www.infosecurity-magazine.com/news/microsoft-onedrive-flaw-exposes/
Elsewhere online:
Contact Information Stolen in Adidas Customer Service Data Incident
Read: https://www.infosecurity-magazine.com/news/adidas-customer-data-third-party/
Attackers Exploit Stolen Session Tokens for Rapid Enterprise Account Takeover
Read: https://thehackernews.com/2025/05/from-infection-to-access-24-hour.html
Social Media Users Targeted by Malicious Ads for Phony AI Video Tools
Read: https://hackread.com/fake-ai-video-tool-ads-facebook-linkedin-infostealers/
Naukri Bug Exposed Recruiter Email Addresses via Mobile Apps
Read: https://techcrunch.com/2025/05/23/naukri-exposed-recruiter-email-addresses-researcher-says/
Anti-State Speech Claims Lead to Telegram Block in Vietnam
Read: https://reclaimthenet.org/vietnam-blocks-telegram-over-illegal-content-and-political-activities
If you missed the previous issues, they can be read online here:
- May 23rd, 2025: New Cyber Threat Is Draining Millions From Banks And Companies In Three Countries
- May 16th, 2025: North Korean Hackers Infiltrate U.S. Tech Jobs With Fake Identities And Remote Access
- May 9th, 2025: Hackers Break Into Government Messaging App And Steal Sensitive Data
- May 2nd, 2025: Texas Bill Could Jail People For Sharing Political Memes Without Disclaimers
- April 25th, 2025: Marks & Spencer Hit by Easter Cyberattack Disrupting In-Store Services
Groucho Marx.
For whatever reason this page didn’t open last week for me. I would I guess have been wrong about the Jim Fortin quote but I would have answered Jim Rohn which is, I suppose where he got it. Don’t know where Mr. Rohn got it but that quote is “The greatest value in life is not what you get, it’s what you become” which, I would argue, is what Mr. Fortin is saying. As far as this week, dunno.
Very possible, in fact likely, that Jim Fortin got it from Jim Rohn, given that Fortin credits Rohn as being one of his mentors.