[AxisOfEasy] Zoom 0-day: Up to 4 Million Mac Cameras Exposed To Remote Execution

Weekly Axis Of Easy #104

Last Week’s Quote was “Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth.”, was Marcus Aurelius, winner Gary Henrichs, we also awarded a renewal to Rick Bernstein for some detective work on the quote itself (maybe not Marcus Aurelius as much as popularly attributed to him)

This Week’s Quote: “What a caterpillar calls the end of the world, a master calls a butterfly” … by ????

THE RULES: No searching up the answer, must be posted in the comments below:

The Prize: First person to post, gets their next domain or hosting renewal on us.


In this week’s issue:


  • Reporter uses Google for social engineering and it worked
  • Lawmaker: People who make fun of Congressmen should be prosecuted
  • Zoom 0-day: Up to 4 million Mac cameras exposed to remote execution
  • Even cybercriminals run affiliate programs
  • Over 1000 Android apps data mine your phone even after you block them
  • Many top VPNs secretly owned by Chinese companies
  • Massive Cloudflare outage hoses entire internet
  • Facebook usage in UK crashes by 1/3 in a year

Reporter uses Google for social engineering and it worked

This New York Times piece turned out to be somewhat of a rabbit-hole for me. I knew online ad targeting could get sophisticated, really sophisticated. Recall, I noticed ad retargeting crossing over into the real world a couple years before anybody cared.

But this article showed how the reporter used Google’s “ad redirect” methodology to social engineer people at key moments in their decision-making process and nudge them toward another course of action entirely.

In this reporter’s case, he decided to target people demonstrating suicidal impulses who were in proximity of the Golden Gate Bridge. It turns out that people have approximately 150 “micromoments” per day – an instant where you are about to make a decision, some small, some not so small, and in many cases when these micromoments hit, we look at our smartphones and we run a query. (Robert Caldini called this “the privileged moment” in his book ‘Pre-suasion’, the much anticipated follow-up to his landmark “Influence: The Psychology of Persuasion book, which every single marketer alive today has read and reread).

The reporter ran ads that prompted users, in response to certain queries (i.e. “I feel suicidal”) to call a national suicide prevention hotline. His campaign converted at 28% – not clickthroughs, calls to the hotline. 

He based his entire approach on Google incubated “Project Redirect” which created the methodology. They originally used it to attempt to deradicalize, or perhaps more accurately, prevent radicalization of targets displaying search engine behaviour indicating them to be at risk of gravitating toward ISIS.

They released publicly a detailed blueprint on how to create such a social engineering campaign. You can download the methodology here (PDF), and the blueprint here.

This is the world we live in now, so as I frequently tell my kid: Use your powers for good.


Lawmaker: People who make fun of Congressmen should be prosecuted

Congresswoman Frederica Wilson (D-FL) called for prosecutorial penalties against anybody making fun of a congress person online:

“Those people who are online making fun of members of Congress are a disgrace and there is no need for anyone to think that is unacceptable. We are going to shut them down and work with whoever it is to shut them down, and they should be prosecuted.”

Although “no need for anyone to think that is unacceptable” literally means that everybody should be ok with it. Wilson obviously isn’t, however, and her call-to-arms immediately unleashed a “savage”, well deserved, online taunting.

Zoom 0-day: Up to 4 million Mac cameras exposed to remote execution

Sometimes when we’re a day late putting out #AxisOfEasy it works in our favour because I only came across this story last night. It is disappointing, because I’ve been relentlessly nagging the team here to ditch Google Meeting for video meetings and switch to Zoom. Fortunately, they ignored me and switched to something else instead.

But it looks like a security researcher found a series of problems in Zoom: “This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”

There’s more, it can also be used as a Denial-of-Service attack by repeatedly attaching a user to a non-existent call.

But wait! That’s still not all! If you uninstall Zoom, it will leave behind the Zoom localhost mini-webserver that is used to join Zoom sessions, and it can be used to reinstall the Zoom client.

What makes this hard to take is that Zoom was advised of all this by the security researcher and they took their time in addressing the vulnerabilities, and then only did so in a band-aid fashion which the researcher says can still be circumvented.

(As we were going to press Tuesday night, news broke via Wired that Zoom has announced they will fix the bug. They were probably taking some heat for how they’ve handled this so far. Make sure you upgrade when that update drops).

Read: https://www.wired.com/story/zoom-flaw-web-server-fix/

Even cybercriminals run affiliate programs

I found this deep dive into the affiliate marketing program behind the most prolific ransomware campaign in existence to date, utterly fascinating, in a morbid curiosity kind of way:

The crooks behind GandCrab ransomware announced via the hacker forum Exploit In on May 31st that they were wrapping up the program after generating approximately 2 billion dollars in revenues over the space of a year. The funds now purportedly “cashed out and invested into legal instruments”. Who knows if they really did make that much money, but they did make a lot of it, and with the help of an array of affiliates recruited through the hacker forum that assisted by infecting as many machines as possible and being compensated for it in a revenue sharing scheme.

Brian Krebs did a lot of sleuthing on the network. One would hope that for that kind of money, they do ensure that law enforcement agencies will make it their business to get them, and succeed at some point.

(My wife frequently quips, after a song by the Barbadian singer Red Plastic Bag “anything you want, just not for as long you want”. It’s a phrase that describes an eventual karma’s a bitch-ness for people who seemingly make crime pay…for awhile.)


Over 1000 Android apps data mine your phone even after you block them

(Via Slashdot) cNet reports on how even if you restrict certain Android apps from being able to access your mobile device’s data, researchers from the International Computer Science Institute found over 1000 of them that will still go ahead and do just that, gathering geolocation data and phone identifiers despite your privacy settings.

Read: https://tech.slashdot.org/story/19/07/08/1557217/more-than-1000-android-apps-harvest-data-even-after-you-deny-permissions

Many top VPNs secretly owned by Chinese companies

VPNPro, an industry newsletter on the VPN space, put out a blog post last week detailing their findings that 29 of 97 VPN providers surveyed turned out to be owned by 6 Chinese companies. The top 97 companies surveyed are all owned by 23 companies in total, the rest of whom mostly operate out of countries with lax privacy laws.

The report emphasizes that they are not accusing any of the companies of doing anything untoward, but that the theoretical, not to mention political, possibility exists for the government of those countries to use their jurisdiction to access the data transiting those VPNs.


(Every time I dissuade myself from ever launching “easyVPN” I come across another article that makes me think about it seriously)

Massive Cloudflare outage hoses entire internet

Last week a large disturbance in the force was detected as a lot of websites suddenly began winking out and even certain DNS services went on the fritz, such as Firefox’s new default resolver. The reason? Cloudflare went down for about a half-hour. CEO Matt Prince was quick to come out with a tweet that the root cause was not a DDoS but in fact, some kind of code update gone bad.

(Recall, when Godaddy went off the air a few years ago, which also took millions of websites with it, they said it was an internal routing error).

All goes to further prove a point we’ve been making for over a decade: All providers (DNS providers especially) are a logical Single-Point-of-Failure unto themselves. No exceptions.

Plan for it.

Facebook usage in UK crashes by 1/3 in a year

As reported in the UK’s Telegraph, analytics firm Mixpanel has published a report asserting that Facebook use in the UK has dropped by one-third in the space of a year. The drop, coincident with various privacy related scandals endlessly emanating  out of FB (so many that our “Zuckerberg excuse checklist” had to be retired from being overused and stale within about a month of launching).

I mention this because it is another example of how even today’s incumbent behemoths are themselves vulnerable to decline, especially since many of them, like Twitter, for example, are incentivizing their own disruption. After a couple years of experiencing a type of “all-is-lost moment” angst, I have begun to catch glimmers of the end of the current social media incumbency, as hinted in George Gilder’s “Life After Google”.

Read: https://www.telegraph.co.uk/technology/2019/07/06/exclusive-britons-abandon-facebook-usage-plummets-third/ (free registration required)

4 thoughts on “[AxisOfEasy] Zoom 0-day: Up to 4 Million Mac Cameras Exposed To Remote Execution

  1. Well, WITHOUT using a search engine, I’d guess Vladimir Nabokov.- that famous lepidopterist. and sometimes writer of great literature. But NO Nobel prize FOR YOU! when you write about sex with a 13 year old girl.

Leave a Reply

Your email address will not be published. Required fields are marked *