Weekly Axis Of Easy #68
Buckle in, there’s a lot to cover this week…
- Beware of voice phishing calls from your bank
- Zoho platform taken out by overzealous domain registrar
- Hidden audio tracks hijack assistants like Alexa, Siri & Cortana
- Facebook breached, again, affecting 50 million users.
- Facebook uses your 2FA phone number for more than 2FA
- Inventor of the World Wide Web is back with a decentralized version
- Google to pay Apple $9 billion to remain default search option on iOS Safari
- Apple to use call and email data to build “trust scores” for your device
- Legal challenge to India’s nationwide biometric database defeated
- Five Eyes intel agencies issue statement in favour of security back doors
- Get a job, freak: easyDNS is hiring in two positions
A detailed article on Krebs On Security describes how professional thieves can trick you into revealing enough details over the phone to clone your bank card and drain your account. The theme of the article is “I would never fall for that”, but can you be sure? I know the guy in this article and he’s quite tech savvy, as are many of us reading this newsletter. When you get caught off guard and the caller ID shows that it’s your bank calling, if they get you when you are preoccupied or distracted, who knows? H/T to Matt Gamble for the article.
(Speaking of Matt Gamble, he’s running for the CIRA Board of Directors this year. He would be a fine choice and if you still haven’t voted, you should do so before Oct 4)
The entire Zoho CRM and email system was taken offline last week after their domain registrar got a tad overzealous about some phishing complaints and took the entire domain offline. It underscores the importance of using a domain registrar with a clueful abuse desk that can tell the difference between a SaaS platform that has tonnes of downstream users and an individual scam domain.
A group of researchers at Ruhr-Universität Bochum in Germany have released a paper detailing “Adversarial Attacks against Automatic Speech Recognition Systems”. It’s a method of taking over your Alexa, Siri or Cortana personal assistants by psychoacoustically hiding speech commands within audio tracks. You can’t hear them, but Alexa et al can, ’cause let’s face it, they can hear everything. Thanks to the reader who sent this one in.
I really should just have a cookie cutter template for this along the lines of:
Facebook announced that a vulnerability in their system exposed the data of _____ million users.
In this case the magic number was 50 million users affected by a security bug in the “View as” feature which, as it turns out, not only allowed you to see how your Facebook profile looks to other users, but enabled hackers to take over accounts.
Also Facebook: It turns out that when you enter your phone number for use as a second-factor authentication or password recovery contact, Facebook was making that phone number available to advertisers and allowing them to target ads at you based on it.
Sir Tim Berners-Lee, TimBL for short, is the inventor of the World Wide Web as we know it. He hasn’t been overly thrilled about this being on his resume, given that it’s “turned into an engine of inequity and division, swayed by powerful forces who use it for their own agendas”. So now he’s trying to effect a do-over. His new company, Inrupt, has been operating in stealth mode for 9 months, and it wants to create a framework for decentralizing the web, taking aim directly at the likes of Facebook, Google and Amazon. They’ve released a framework called “Solid” wherein “you own your data, and choose the apps to manage it”.
(Don’t worry, we’re already checking into becoming a Solid pod provider. If you’re interested just leave a comment or send me an email and let me know).
Apparently this is well known, but not discussed in polite company: Google pays Apple about $12.85 per iPhone in “traffic acquisition costs” to be the default search engine in the iOS Safari browser (however, it’s pretty easy to change that; I have mine set to DuckDuckGo). Goldman Sachs analyst Rod Hall calculated that this year’s payment to Apple would come in around $9 billion and is on track to be $12 billion next year. That’s more money than Apple makes from iCloud or Apple Music. Search is free, so why is Google paying that much to be your default search engine on your mobile device? Think about it.
Apple will soon start logging phone call and email metadata to develop a “trust score” for your device. The idea is that it will help them detect fraudulent transactions, fake reviews or accounts. The initiative was discovered when VentureBeat reporters noticed a new provision had been quietly tucked into Apple’s Terms of Service.
In India, a constitutional challenge to that country’s nationwide biometric database has been defeated, though some new boundaries were put around the system. Introduced 7 years ago, the Aadhaar program is the world’s largest biometric identification database, using photos, fingerprints and eye scans. The ruling upheld its use in disbursing welfare payments but barred it from being a requirement for using mobile devices, opening bank accounts or school admission. The decision was 1,448 pages long.
I missed this, but last month the intelligence agencies of “The Five Eyes” (US, UK, Canada, New Zealand, Australia) issued a joint statement encouraging legislation and voluntary compliance on the part of technology providers to facilitate government back doors into their products and services.
Cybersecurity law and policy expert Susan Landau wrote an excellent analysis of the backstory to this joint statement. It looks like this may have been a PR exercise to soften up media sympathy ahead of a piece of Australian legislation that would mandate compliance with encryption circumvention requirements for Aussie companies to provide “lawful access” to law enforcement and intelligence agencies.
Landau is also the author of a new book “Listening In: Cybersecurity in an Insecure Age” on Yale University Press which I am pre-ordering right this second.
Get a job, freak: easyDNS is hiring in two positions
After 20 years without a sales force, we’re going to start building one. To that end we’re actively seeking a “jockey/coach” type who can help create our sales process, execute against it, and then build out their team as it scales.
We’re also looking for a part-time WordPress expert who can work on maintaining our various public facing websites. This position can easily lead to a full time post fairly quickly.
If either of these gigs sounds like you or somebody you know, get in touch with me or have them get in touch with me.