Weekly Axis Of Easy #127
Last Week’s Quote was “Every plane crash makes the next one less likely, every bank crash makes the next one more likely.” …that was Nassim Taleb; the winner was Joseph Shipman.
This Week’s Quote: “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.” ..by ????
THE RULES: No searching up the answer, must be posted to the blog
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
- New Caller ID laws come into effect in the US
- Millions of Facebook users phone numbers exposed online
- CRISPR Baby doc gets three years in prison
- China’s Fentanyl export empire
- UN passes new China/Russia backed convention on cybercrime
- Amazon and Ring hit with Federal lawsuit over hacks
- Data Breaches over the holidays:
- IoT vendor Wyze smart cameras hacked
- Lifelabs: medical testing patient data
- Wawa, all locations
- IT provider Synoptek hit with ransomware attack
- Mysterious drones spotted over two US states
- Saudi Arabia sentences 5 patsies to death in Khashoggi execution
- ToTok app isn’t a chat app, it’s a spying tool
- Your smartphone may be recording everything you say
- Russia tests stand-alone internet
- SEC opens probes into listings of tech unicorns
- Future Fibre / Future Tools and Yak Shaving
On January 1st the TRACED Act took effect in the US. That is the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, which prioritizes enhanced caller-ID frameworks like SHAKEN/STIR (which we first reported on back in #AxisOfEasy 74).
The act imposes stiff fines on parties that spoof fake caller IDs in unsolicited marketing robocalls, and extends the timeframe in which the FCC can impose penalties from one year after the incident to up to four.
Oddly, I am having a hard time finding detailed coverage of it in the MSM, which is confining its coverage to the penalties against robocalls and not really talking about the technical framework that will underpin them. My third-party VOIP provider is in Canada (voip.ms) and is adopting SHAKEN/STIR in concert with the new US law.
The above item was of particular interest to me as the volume of inbound robocalls to my cell phone over the holiday season reached a fever pitch; at one point I was receiving multiple calls per hour. I simply stopped answering calls from non-contacts. I probably won’t resume answering them.
How did all these robots get my personal cell phone number to begin with? Perhaps it was because Facebook had another data breach, in which a security researcher found yet another web-accessible data dump that could be accessed with no authentication. Bob Diachenko (again) found a dump with names, emails, phone numbers and user IDs of 267 million Facebook users.
As I type this I thought we might have already reported on this, but no; it’s just that Diachenko seems to have a penchant for finding wide-open data dumps. He’s previously found data troves of Adobe, a multi-platform 4TB data dump spanning LinkedIn, Facebook and Twitter, and one covering 275 million Indian citizens.
The common factor in all these? Wide open MongoDB databases. They’re not hard to find. You just need to know what to look for on Shodan.
Also, a h/t is in order to a reader who sent me this one, but I neglected to note who that was at the time and cannot find the email since, so thank you, whoever you are… Keep ‘em coming.
The Chinese doctor who created the world’s first gene-edited babies, a pair of twin girls who are supposed to be immune to HIV (only they may not actually be), has been handed a prison term of three years by Chinese authorities.
Immediately after the announcement last January, Dr He Jiankui was fired from his position at the Shenzhen-based Southern University of Science and Technology and an investigation was initiated into his activities. At one point he disappeared for a few months, but then resurfaced. The court found that Jiankui had forged documents and concealed the true nature of his experiments.
The Nation ran a long piece that traces the complex web of dynamics around the opioid and fentanyl crisis. Now that Purdue Pharmaceutical, a.k.a. “the drug company that addicted America” (see Beth Macy’s “Dopesick”), is gone, the vacuum is being filled by multiple entrants spanning the Dark Web and, significantly, China.
Dan Kolitz’s article looks at Ben Westhoff’s “Fentanyl Inc.”, which chronicles how “Rogue chemists are creating the deadliest wave of the opioid epidemic”.
Over the holidays the United Nations passed a resolution for a new convention on cybercrime. It will pave the way “to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes”. The bill was sponsored by Russia and China and has human rights watchdogs concerned that the convention will be used as a basis to squelch political dissent.
The US and many European nations opposed the resolution, echoing those concerns and arguing that the pre-existing Budapest Convention of 2001 already provides a framework for addressing cybercrime internationally. The new resolution would render the Budapest Convention obsolete.
Note: I’m a little confused about when exactly this passed; the WaPo article is dated December 4th, while the SCMP and NYTimes pieces are dated Dec 28th, saying “it passed on Friday”. In any case, work is scheduled to commence on drafting the new convention in August 2021. Also, I can’t figure out how Canada voted on it.
The last AxisOfEasy (number 126) before we knocked off for Christmas reported on a hacker gang that had cracked into Amazon Ring cameras and taunted families in their homes through the breached devices, while podcasting it live via their Discord channel. At least one US federal lawsuit has been filed by an Alabama resident, who alleges that hackers broke into his Ring cams and started talking to his children as they played basketball in front of their home.
The lawsuit focuses on Amazon and Ring’s negligence in allowing their cameras to be hacked. My understanding is that the hacks were executed by brute forcing the accounts with previously leaked password databases, so in that sense, reusing passwords is at least part of the problem. Not having brute force dampening would be another, I guess.
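As an added illustration of the “brute force dampening” point (example code written for this page, not from the newsletter, Amazon or Ring), the following Python models the attack described above: leaked email/password pairs replayed once each against many accounts from one source. It shows that a classic per-account lockout never fires on that pattern, while a per-source check on distinct failed accounts does; all IPs, accounts and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (ISO timestamp, source IP, account, success?)
EVENTS = [
    ("2019-12-10T20:00:01", "198.51.100.4", "bob@example.test", False),   # user typo
    ("2019-12-10T20:00:09", "198.51.100.4", "bob@example.test", False),   # user typo
    ("2019-12-10T20:00:20", "198.51.100.4", "bob@example.test", True),    # legit login
    ("2019-12-10T20:01:00", "203.0.113.7", "alice@example.test", False),  # stuffing run
    ("2019-12-10T20:01:02", "203.0.113.7", "carol@example.test", False),
    ("2019-12-10T20:01:04", "203.0.113.7", "dave@example.test", False),
    ("2019-12-10T20:01:06", "203.0.113.7", "erin@example.test", False),
    ("2019-12-10T20:01:08", "203.0.113.7", "frank@example.test", True),   # reused password
    ("2019-12-10T20:01:10", "203.0.113.7", "grace@example.test", False),
]

def parse(events=EVENTS):
    """Turn the raw tuples into (datetime, ip, account, ok) records."""
    return [(datetime.fromisoformat(ts), ip, acct, ok) for ts, ip, acct, ok in events]

def _hits_window(items, window, key):
    """True if the items inside some trailing window of length `window` satisfy key()."""
    items.sort()
    for i, (t_end, *_rest) in enumerate(items):
        recent = [x for x in items[: i + 1] if x[0] >= t_end - window]
        if key(recent):
            return True
    return False

def per_account_lockout(events, threshold=5, window=timedelta(minutes=10)):
    """Classic lockout: accounts with >= threshold failures inside the window."""
    fails = defaultdict(list)
    for ts, ip, acct, ok in events:
        if not ok:
            fails[acct].append((ts,))
    return {a for a, f in fails.items()
            if _hits_window(f, window, lambda r: len(r) >= threshold)}

def per_source_velocity(events, threshold=5, window=timedelta(minutes=10)):
    """Sources that fail against >= threshold *distinct* accounts inside the window."""
    fails = defaultdict(list)
    for ts, ip, acct, ok in events:
        if not ok:
            fails[ip].append((ts, acct))
    return {ip for ip, f in fails.items()
            if _hits_window(f, window, lambda r: len({a for _, a in r}) >= threshold)}

def likely_compromised(events, flagged_sources):
    """Successful logins from a flagged source: the accounts that reused a leaked password."""
    return {acct for ts, ip, acct, ok in events if ok and ip in flagged_sources}
```

With the constructed data, `per_account_lockout` flags nothing (each account sees at most two failures) while `per_source_velocity` flags 203.0.113.7 and `likely_compromised` surfaces the one account whose reused password worked.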
Data Breaches of the Holidays:
It was a busy holiday season for data breaches… In no particular order:
Wyze, whose products include web cams, “smart lightbulbs” and smart door locks, confirmed that account details of 2.4 million customers were exposed for 22 days.
Not to be outdone, Lifelabs, Canada’s largest medical testing company, disclosed in an open letter to customers that they suffered a breach affecting 15 million patients. The company apparently paid a ransom to cyber-attackers to “recover” the data. I don’t really know what “recover the data” in this context actually means. Did they pay the hackers not to expose it? It’s unclear.
Wawa’s CEO disclosed that “potentially all locations” suffered a breach when the company’s payment servers were attacked and infected with malware. The compromise began on March 4, 2019 and went undiscovered until December 10, 2019; it was contained on December 12, 2019. That’s one long infection time.
…sorry to anyone we missed
Christmas was canceled for Irvine, California-based IT provider Synoptek, which provides cloud-based IT services for thousands of businesses across the country in sectors ranging from financial services and healthcare to manufacturing and local government. News broke via /r/sysadmin on Reddit on Christmas Eve that they were hit with a ransomware attack. The company reportedly paid the ransom in order to restore services as soon as possible.
Continuing a theme, ZDNet reports on how a new ransomware strain called Zeppelin steals the victim’s data first, before encrypting it and holding the owners up for a ransom. It’s not the first to do so; it’s part of an emerging trend in ransomware, making me wonder if it’s the sort of thing that happened with the aforementioned Lifelabs hack.
From the Not-Rudolf Dept: media reports began to spread on Dec 23 of large, co-ordinated, nighttime drone formations making maneuvers over Denver, Colorado and parts of Nebraska. Formations of at least 17 drones appear to be flying in squares of approximately 25 miles. The flights start around 7pm and end around 10pm. Authorities do not know the source of the flights and the FAA is investigating.
A court in Saudi Arabia has sentenced 5 patsies to death over the outcry surrounding the murder of journalist and critic of the Kingdom Jamal Khashoggi. The court said it didn’t have enough evidence to incriminate two officials closest to the Saudi Crown Prince Mohammed Bin Salman, and further concluded that the assassination wasn’t premeditated. What the court is saying is that luring Khashoggi to the Saudi consulate in Turkey under false pretences, and then restraining him, murdering him, before dismembering his body into pieces and smuggling it out of the embassy for disposal was a spur-of-the-moment thing that just, kinda…happened. Just a fluke, really.
One of the hottest emerging chat apps out there, ToTok, bills itself as a secure alternative to WhatsApp and Skype. But according to a report via the NYTimes who consulted with US intelligence officials, it’s actually a spyware app that the government of the United Arab Emirates is using to eavesdrop on everybody who installs it. The investigation determined that the firm behind ToTok, which has been downloaded millions of times within the past few months, is most likely a front company affiliated with Dark Matter, who in addition to being under an FBI investigation is also “an Abu Dhabi-based cyberintelligence and hacking firm where Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives work.”
ToTok is not to be confused with TikTok, another social media app that is sweeping the nation. Metaviews’ Jesse Hirsh recently took an in-depth look at TikTok.
I first noticed this on a physical level in 2012, when after walking past Trump Towers in downtown Toronto with my map application open (I was headed to a meeting off Bay St), I was subsequently targeted with ads for the Trump Hotel in downtown Toronto in my web travels. I wrote about it at the time in a post that garnered absolutely zero reaction whatsoever.
Maybe it seemed too “out there” at the time, and now that it’s the norm, ubiquitous and unavoidable, it’s news. The New York Times just ran what they’re calling an opinion piece about the smartphone location-tracking industry, based on a data set they obtained containing the movements of 12 million cellphone users.
Back in #AxisOfEasy 28 we reported on how Russia was proposing the creation of a separate DNS root for the BRIC nations in response to being increasingly at loggerheads with the US-led internet. Over the holidays Forbes reported that Russia announced their intention to test their stand-alone internet on December 23.
That’s the last I’ve heard of it, not sure how that test went.
The WSJ reported the news that the US SEC has opened an investigation into various issuers on the NYSE regarding activity around the first day of trading. Targets of the investigation include Slack and other so-called “unicorns”. It is not known exactly what kind of activity the SEC is targeting, but it could involve electronic trading firm Citadel Securities LLC which handles some of the issues.
The morning Slack’s IPO opened: “Citadel Securities indicated that Slack would open between $30 and $34. Just over half an hour later, the firm adjusted its indication to a range of $32 to $34.
Following a half-dozen more adjustments, the stock opened at $38.50, in a giant trade shortly after noon in which $1.75 billion worth of Slack shares changed hands. The stock has since fallen, closing Friday at $21.51.”
Future Fibre / Future Tools and Yak Shaving
A few of the items we put out over the holidays include a couple of Metaviews pieces by Jesse Hirsh:
- Wireless.farm – A look at a rural micro-ISP in Eramosa, near Guelph, Ontario
- Democracy.earth – what better time than in a US election year to look at digital democracy and the rise of quadratic voting
- Beware the techno-doom loop: wherein your author is educated in the meaning of the jargon file’s “Yak Shaving”