Weekly Axis Of Easy #71
This week’s quote: “The essence of strategy is choosing what not to do” by ….????? (Hint, it wasn’t Elon Musk)
Last Week’s Quote was “The secret of happiness is freedom. The secret of freedom is courage.” …by Thucydides. Solved by Gus.
THE RULES: No searching up the answer, must be posted to the comments below.
The Prize: First person to post gets their next domain or hosting renewal on us.
In this issue:
- What spammers can do with all that breached Facebook data
- What to do about all those “you’ve been hacked, pay me bitcoin” email spams
- Gartner: Digital ethics and privacy to be major theme of 2019
- The current state of user tracking technology
- Libssh authentication bypass bug allows remote access
- jQuery 0-day impacts a lot of websites
- Supreme Court to hear case that impacts whether social media companies can censor
In case you were wondering what your exposure is to all these data breaches, this article via Wired takes you through how spammers (or even hackers) could use that data to craft more targeted email spams or hone better looking phishing attacks.
In a similar vein, you may be wondering about the several dozen email spams you’ve received lately along the theme “I’ve hacked your computer, pay me Bitcoin or else”. The spam includes an old password you once used (hopefully not any more) and threatens to release embarrassing info about you unless you comply. We first covered this back in #AxisOfEasy Issue 58, but over the past couple of weeks the volume of these emails has spiked dramatically. So much so that we’ve done an in-depth write-up on this over on the blog:
Where all of this is leading is that privacy and digital ethics finally look to be emerging as a strong area of public concern over the coming year. The Gartner Group released a report positing that this will be one of the top 10 strategic technology trends of 2019.
A good overview by Amit Sethi via Dark Reading covers the various tracking vectors we all face in our day-to-day lives: web searching, mobile app tracking, voice-activated on-device keyword spotting (yes, it’s as creepy as it sounds, and once you realize what Siri and Alexa are doing you may want to think twice about using them), video and photo sharing, and IoT devices.
If you haven’t checked this out already, you need to stop what you’re doing and go look at whether anything within your network is using libssh below 0.8.4 or 0.7.6. If so, those devices are vulnerable to an unfathomably trivial authentication bypass which enables remote access to any afflicted device without logging in. My understanding is that most servers use libssh2, which is a completely different project, but routers and mobile devices may be using libssh. Check anyway if you haven’t yet.
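One way to run that inventory check across a list of SSH version banners, as an added example that is not part of the newsletter: it flags libssh servers below the fixed versions named above while ignoring OpenSSH and libssh2. The banner format (`SSH-2.0-libssh_x.y.z`) and the treatment of the 0.6 and older branches as unfixed are assumptions, and the sample banners are constructed.

```python
import re

# Fixed versions as stated in the newsletter: 0.8.4 on the 0.8 branch, 0.7.6 on the 0.7 branch.
# Assumption: branches older than 0.7 never received the fix and are treated as vulnerable.
FIXED = {(0, 8): (0, 8, 4), (0, 7): (0, 7, 6)}

# Assumed banner form: "SSH-2.0-libssh_0.7.4" (older builds may use "libssh-").
# The separator after "libssh" keeps "libssh2_..." from matching, which is a different project.
BANNER_RE = re.compile(r"^SSH-\d\.\d-libssh[_-](\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_libssh_version(banner):
    """Return (major, minor, patch) if the banner advertises libssh, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version):
    """True when the version is below the fixed release for its branch."""
    major, minor, _ = version
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Not one of the two patched branches: flag only if it is older than both.
        return (major, minor) < (0, 7)
    return version < fixed


def triage(banners):
    """banners: dict host -> banner line. Return sorted (host, version) pairs needing a patch."""
    findings = []
    for host, banner in banners.items():
        version = parse_libssh_version(banner)
        if version is not None and is_vulnerable_version(version):
            findings.append((host, ".".join(str(n) for n in version)))
    return sorted(findings)


# Constructed sample banners standing in for output of a banner grab across the network.
SAMPLE_BANNERS = {
    "router-1": "SSH-2.0-libssh_0.7.4",   # 0.7 branch, below 0.7.6
    "router-2": "SSH-2.0-libssh_0.8.4",   # fixed
    "nas-1": "SSH-2.0-libssh-0.6.3",      # old branch, assumed unfixed
    "web-1": "SSH-2.0-OpenSSH_7.4",       # not libssh at all
    "build-1": "SSH-2.0-libssh2_1.8.0",   # libssh2: different project, not affected
    "cam-1": "SSH-2.0-libssh_0.7.6",      # fixed
}

if __name__ == "__main__":
    for host, version in triage(SAMPLE_BANNERS):
        print(f"{host}: libssh {version} needs updating")
```

A banner check only finds hosts that expose a libssh server banner; copies of the library embedded inside applications will not show up this way and need a package or firmware inventory instead.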
Also be aware of a jQuery 0-day which is reputed to affect “possibly thousands of projects”. It’s a bug in the jQuery File Upload plugin, which has been incorporated into numerous packages: “[it] works with a broad range of server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.” The exploit works by uploading a web shell into the web server’s root path and thus running commands on the server. This is already being exploited in the wild.
The Supreme Court of the United States has accepted the case 17-702: Manhattan Community Access Corp. v. Halleck. “It centres on whether a private operator of a public access television station is considered a state actor which can be sued for first amendment violations.” Observers think the case could have ramifications for the ability of the likes of Facebook, Twitter and Google to control content or censor accounts, which they seem to be doing a lot of lately….
(As I write this week’s edition I can’t help but notice that Twitter suspended SeekingAlpha, the investment site, over the weekend and moments ago Facebook shut down the Liberty Memes page, with over 400,000 followers).
P.S. We’re doing a sponsorship where we’re offering a free domain with any new easyWEB hosting package – we also upped the disk quota and file transfers to like a billion mega-hertz or something like that, so we’re offering you the same deal: https://easydns.com/entry/freedomain