Weekly Axis Of Easy #54
This week’s quote: “There are only two kinds of languages: the ones people complain about and the ones nobody uses” —by ????
Last Week’s Quote was “Sooner or later, everybody sits down to a banquet of consequences” by Robert Louis Stevenson. Winner: Ivan Petrovic
HOWEVER – Tony King points out that this quote is somewhere between apocryphal and highly distorted, so he also took a prize for his research.
THE RULES: No Googling the answer; it must be posted [to the blog][URL:______BLOG LINK]
The Prize: The first person to post gets their next domain or hosting renewal on us.
In this issue:
- ICANN vs GDPR, Round 2 begins
- Apple to close security hole police use to crack locked devices
- Apple announces mandatory Certificate Transparency coming this fall
- BabaYaga WordPress malware mitigates other malware
- Jira bug exposes private keys to Amazon AWS instances
- Various crypto blackmail spams targeting Internet users
- Dark web vendor captured after his bitcoin transactions traced
- Why you need to learn to love DNSSEC
We reported last week that ICANN’s request for an injunction against German-based registrar EPAG, which had stopped collecting domain Whois details in order to comply with the EU’s new GDPR, was denied. ICANN is now appealing the decision to a higher court in Germany and asking for a referral to the European Court of Justice. I think ICANN may get the referral, but I don’t see them winning the appeal. Time will tell.
After the 2016 Apple vs FBI episode, in which Apple refused to unlock the iPhone of the San Bernardino shooter, the FBI ended up going to a third-party vendor who hacked the phone for them. That has apparently become commonplace among law enforcement since then: agencies bypass Apple altogether by hiring security firms that exploit a known weakness in the iPhone to gain access for LEA. That will come to an end, at least for now, as Apple is about to close the weakness these firms rely on.
Also from Apple, an announcement following the 2018 WWDC conference: starting this fall, Oct 15 to be precise, all Apple devices will require Certificate Transparency. CT is a Google-developed specification that records the issuance of SSL/TLS certificates in public logs. That makes it possible to see exactly who is issuing certificates for which names, which is a good thing: it speeds up detection of fake and phishing websites that use bogus-named TLS certs. Google Chrome already requires CT.
Wordfence reports on a new malware strain that infects WordPress sites, injecting the standard-fare spam links and redirections that plague unprotected WP sites. (Point of fact: we install the Wordfence module by default on all easyPress installations, easyPress being our managed WordPress service.) It is relatively difficult to detect, and what makes it particularly novel is that it removes other malware in order to keep an infected site to itself.
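What “requiring CT” means on the client side is that the certificate must carry Signed Certificate Timestamps (SCTs): receipts from CT logs promising to publish it. Here is an added example of my own (not Apple’s, Google’s or any CT library’s code) that parses the SCT list a CA embeds in a certificate, laid out per RFC 6962 (the list lives in X.509 extension 1.3.6.1.4.1.11129.2.4.2). The sample SCTs are constructed, with placeholder log IDs and a dummy signature, so this shows the parsing and the “how many logs vouched, and when” check, not signature verification against a log’s public key.

```python
import struct
from datetime import datetime, timezone


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n


def _u16(buf, pos):
    chunk, pos = _take(buf, pos, 2)
    return struct.unpack(">H", chunk)[0], pos


def parse_sct(raw):
    """Parse one RFC 6962 SignedCertificateTimestamp (v1 layout)."""
    version, pos = _take(raw, 0, 1)
    log_id, pos = _take(raw, pos, 32)      # SHA-256 of the log's public key
    ts_bytes, pos = _take(raw, pos, 8)     # milliseconds since the Unix epoch
    ext_len, pos = _u16(raw, pos)
    extensions, pos = _take(raw, pos, ext_len)
    algs, pos = _take(raw, pos, 2)         # TLS SignatureAndHashAlgorithm
    sig_len, pos = _u16(raw, pos)
    signature, pos = _take(raw, pos, sig_len)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    timestamp_ms = struct.unpack(">Q", ts_bytes)[0]
    return {
        "version": version[0],
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "issued_at": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": algs[0],
        "sig_alg": algs[1],
        "signature": signature,
    }


def parse_sct_list(blob):
    """Parse a SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    total, pos = _u16(blob, 0)
    if total != len(blob) - 2:
        raise ValueError("SCT list length does not match data")
    scts = []
    while pos < len(blob):
        n, pos = _u16(blob, pos)
        raw, pos = _take(blob, pos, n)
        scts.append(parse_sct(raw))
    return scts


def distinct_logs(scts):
    """Number of different logs that vouched for the certificate (CT policies
    require SCTs from more than one log; the exact count is policy-specific)."""
    return len({s["log_id"] for s in scts})


# --- constructed sample data, not from any real log or certificate ---------
def build_sct(log_id, timestamp_ms, signature=b"\x30\x06\x02\x01\x01\x02\x01\x02"):
    """Serialise a v1 SCT with no extensions and a sha256/ecdsa placeholder signature."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)          # no extensions
            + b"\x04\x03"                   # hash=sha256(4), sig=ecdsa(3)
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts):
    entries = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(entries)) + entries


SAMPLE_LIST = build_sct_list([
    build_sct(b"\xaa" * 32, 1529020800000),   # 2018-06-15T00:00:00Z, constructed
    build_sct(b"\xbb" * 32, 1529020801234),   # constructed
])

if __name__ == "__main__":
    parsed = parse_sct_list(SAMPLE_LIST)
    for sct in parsed:
        print(sct["log_id"][:16], sct["issued_at"].isoformat())
    print("distinct logs:", distinct_logs(parsed))
```

In real use the input bytes come from the certificate’s SCT extension (or from the TLS handshake or OCSP response, the other two delivery paths RFC 6962 defines); a client that “requires CT” rejects the connection when the list is missing, malformed, or short of its policy’s log count, which is why the parser fails hard on truncated or mismatched lengths instead of guessing.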
As reported by ZDNet, a bug “found in Atlassian software like Jira and Confluence, lets anyone easily obtain the secret access keys to the Amazon Web Services (AWS) instance that the software is hosted on.” It has affected “a major TV network, a UK cell giant” and at least one US government agency.
I may have to do a longer blog post on this, since there are so many variations: from “Armada Group” DDoS blackmail aimed at businesses (pay us bitcoin or we’ll DDoS you, sometimes preceded by an actual small “demo” DDoS) to the various “I know what you did online” blackmails. The most recent, with the subject line “I will destroy your life”, purports to have infected your computer with malware that will reveal your online indiscretions to all of your contacts unless you pay bitcoin. These are all spam, constantly mutating, and should be ignored. It also goes without saying that neither Revenue Canada nor the IRS will fine you or collect back taxes via bitcoin. (These are distinct from ransomware, which really does encrypt your computers and servers and demands a bitcoin payment to decrypt them. In those cases you should restore from backup, or from your backup’s backups, which you maintain, right? easyBackup is almost here; hit me up if you want advance access.)
36-year-old Gal Vallerius, a.k.a. “Oxymonster”, has pleaded guilty in the US and faces 20 years’ imprisonment for selling cocaine, fentanyl, meth, LSD and, of course, oxycodone on various dark markets such as Hansa, AlphaBay, TradeRoute and Evolution. He was captured after transactions to his bitcoin tip jar on the dark markets were traced to wallets used under his real name on LocalBitcoins.
Last week we announced the beta release of our easyDNSSEC “Set-and-forget DNSSEC” (TM) system. We were already in the process of coding a ground-up rewrite of our DNSSEC implementation when the MyEtherWallet/Amazon Route 53 BGP hijack happened. My belief after that episode was that the attack heralded a turning point in DNSSEC relevance, a belief that has only intensified given subsequent events. I wrote a separate blog post on why I think this is the case, and why anybody who operates a mission-critical domain now needs to enable DNSSEC for their zones. It doesn’t have to happen right this minute, but it’s time to start thinking about it and making a plan toward signing your key domains.
As previously reported in #AxisOfEasy, an internet entrepreneur in Iowa was confronted by a man wearing a stocking over his head and brandishing a gun, demanding that he transfer a domain name to the attacker’s account. A struggle ensued in which the victim gained control of the gun, shot his assailant in the chest several times and called the police. The assailant survived and will receive a 20-year sentence as part of a plea deal.
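The piece of “signing your key domains” that actually buys you protection against a hijacked answer is the DS record: the parent zone’s commitment to your DNSKEY, which a validating resolver recomputes and compares before it will trust anything your zone signs. As an added example (my own, not easyDNSSEC’s or any DNS library’s code), here is that computation from RFC 4034: owner name in canonical wire form, DNSKEY RDATA, key tag, and DS digest. The DNSKEY below is constructed with a four-byte placeholder public key so the arithmetic is easy to follow; a real algorithm 8 key is an RSA public key of a few hundred bytes.

```python
import hashlib
import struct

# DS digest types from the IANA DS RR type digest algorithm registry
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key (RFC 4034 s2.1)."""
    return struct.pack(">HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum over the
    RDATA (valid for every algorithm except the obsolete RSA/MD5, number 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """DS RDATA the parent publishes for this DNSKEY (RFC 4034 s5.1.4):
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_matches(ds, owner, flags, protocol, algorithm, public_key):
    """The check a validating resolver makes at a delegation: does the parent's DS
    commit to the DNSKEY the child is actually serving? A forged DNSKEY fails here,
    so signatures made with it are never trusted."""
    return ds == ds_record(owner, flags, protocol, algorithm, public_key, ds["digest_type"])


def ds_presentation(owner, ds):
    """Zone-file form of the DS record, i.e. what you hand to the parent/registrar."""
    return "%s IN DS %d %d %d %s" % (owner, ds["key_tag"], ds["algorithm"],
                                     ds["digest_type"], ds["digest"])


if __name__ == "__main__":
    # Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 8 (RSA/SHA-256),
    # with a placeholder public key that is obviously not a real RSA key.
    KSK = b"\x01\x02\x03\x04"
    ds = ds_record("example.com.", 257, 3, 8, KSK)
    print(ds_presentation("example.com.", ds))
    print("genuine key validates:", ds_matches(ds, "example.com.", 257, 3, 8, KSK))
    print("swapped key validates:", ds_matches(ds, "example.com.", 257, 3, 8, b"\x01\x02\x03\x05"))
```

The design point to notice is that the digest covers the owner name as well as the key material, so a DS published for one zone cannot be reused to vouch for a key under another name, and that the comparison is exact: a single bit of difference in the served DNSKEY, which is what an attacker who has hijacked traffic but not your private key would have to introduce, makes the delegation fail closed at every validating resolver.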
(Admittedly, DNSSEC wouldn’t have helped much in this situation).