More stories

  • Fortinet, Shopify and more report issues after root CA certificate from Let’s Encrypt expires

    A number of websites and services reported issues on Thursday thanks to the expiration of a root certificate provided by Let’s Encrypt, one of the largest providers of HTTPS certificates. At around 10 am ET, IdenTrust DST Root CA X3 expired, according to Scott Helme, founder of Security Headers. He has been tracking the issue and explained that millions of websites rely on Let’s Encrypt services and, without them, some older devices will no longer be able to verify certain certificates. Let’s Encrypt is a free, non-profit certificate authority whose certificates secure and encrypt the connections between your device and the internet. Despite advance warning that the expiration date would be September 30, when the deadline hit, dozens of users reported issues with a variety of services and websites.

    Helme told ZDNet that he confirmed issues with Palo Alto, Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, PFsense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, Ledger, Netlify and Cloudflare Pages, but noted that there may be more.

    “There are a couple of ways to solve this depending on what the exact problem is but it boils down to: The service/website needs to update the certificate chain they are serving to clients or, the client talking to the website/service needs an update,” Helme explained. “For the affected companies it’s not like everything is down, but they’re certainly having service issues and have incidents open with staff working to resolve. In many ways I’ve been talking about this for over a year since it last happened, but it’s a difficult problem to identify. It’s like looking for something that could cause a fire: it’s really obvious when you can see the smoke!”

    Some sites posted notices on their websites about potential issues, and many have since resolved them. Shopify posted a note on its incident page that by about 3:30 pm, merchants and company partners who had been struggling to log in had their services restored. Merchant authentication for Support interactions has also been restored, the company said. Fortinet told ZDNet it was aware of and had investigated the issue relating to the expired root CA certificate provided by Let’s Encrypt. “We are communicating directly with customers and have provided a temporary workaround. Additionally, we are working on a longer-term solution to address this edge case issue directly within our product,” the company said in a statement.

    Digital certificates expert Tim Callan said all modern digital systems depend on certificates for their continued operation, including those that secure our cyber and physical environments. “If software depends on an expired root to validate the trust chain for a certificate, then the certificate’s trust will fail and in most cases the software will cease to function correctly. The consequences of that are as broad and varied as our individual systems are, and many times cascading failures or ‘downstream’ failures will lead to problems with entirely different systems than the one with the original certificate trust problem,” Callan said. “IT systems that enforce or monitor security policies can stop working. Alerting and reporting systems can fail. Or, if the processes that humans depend on to do our work stop functioning, often those people will find ‘workarounds’ that are fundamentally insecure.”

    Callan added that outages can occur when developers embedded in lines of business operations or other skunkworks projects “obtain certificates” without the knowledge of central IT and then move on to new tasks or otherwise fail to monitor the lifecycle of these certificates. He noted that most systems will be able to weather a root expiration because of modern root chaining capabilities that allow another root to establish trust. “However, legacy systems or those with previously unaddressed (or unknown) certificate handling bugs are at risk for failures like these to occur. In the event of a commonly used root from a popular CA, the risk of these failures goes up considerably,” Callan explained.

    TechCrunch reported that devices that may face issues include older macOS 2016 and Windows XP (with Service Pack 3) as well as older versions of PlayStations and any tools relying on OpenSSL 1.0.2 or earlier. Other experts said PlayStation 4s or earlier devices that have not had their firmware upgraded will not be able to access the Internet. Devices running Android 7.1.1 or earlier will also be affected.

    According to Callan, most modern software supports sophisticated trust chains that allow root transitions without requiring the replacement of production certificates. But software that is old or poorly designed, or that contains trust chain handling bugs, may not handle this transition correctly, leading to various potential failures. As many of the affected companies have since done, Callan suggested enterprises take an inventory of the systems using certificates and the actual certificates in use before ensuring that software has the latest root certificates in its root store.

    “By identifying where potential failure points occur, IT departments can investigate these systems ahead of time to identify problem areas and implement fixes. If you can set up a version of the system in a sandbox environment, then it’s easy to test expected behaviour once the root expiration occurs,” Callan said. “Just set the client system clock forward to a date after the expiration date to ensure certificate chaining will work correctly. Alternately, you can manually uninstall or distrust the root that is set to expire (in the sandbox environment, of course) to assure yourself that systems are only using the newer roots.”

    He added that the popularity of DevOps-friendly architectures like containerization, virtualization and cloud has greatly increased the number of certificates the enterprise needs, while radically decreasing their average lifespan. “That means many more expiration events, much more administration time required, and greatly increased risk of a failed renewal,” he said.

    Digital Shadows senior cyber threat analyst Sean Nikkel told ZDNet that Let’s Encrypt put everyone on notice back in May about the expiration of the root CA today and offered alternatives and workarounds to ensure that devices would not be affected during the changeover. They have also kept a running forum thread open on this issue with fairly quick responses, Nikkel added. “A not-great practice that’s been floated already as a workaround to the problem is allowing untrusted or invalid certificates. Users should be cautious about making a move that potentially opens the door to attackers using compromised certificates,” Nikkel said. “Some users have recommended settings allowing for expired certificates from trusted issuers; however, these can also have malicious uses. In any case, administrators should examine the best solution for them but also understand the risks to any workarounds. Alternatively, administrators can look at alternate trust paths by using the intermediate certificate that Let’s Encrypt has set up or following suggested configurations from their May bulletin.”
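Callan's two sandbox checks, the client clock set forward past the expiry and the expiring root removed from the trust store, as an added Go example that is not from the article or from Let's Encrypt: it builds a throwaway hierarchy in memory (an expiring old root, a long-lived new root, one intermediate key cross-signed by both roots, and a leaf; all names and dates are constructed) and validates the served chain under each client configuration with Go's standard x509 verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// lab is a constructed miniature of the story's root transition: an expiring old
// root, a long-lived new root, one intermediate key certified by both roots (a
// cross-sign) and a leaf issued by it. Names and dates are illustrative only.
type lab struct {
	oldRoot, newRoot, crossSigned, newSigned, leaf *x509.Certificate
	beforeExpiry, afterExpiry                      time.Time // the two "client clock" settings
}

var nextSerial int64

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer (the key behind parent) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func buildLab() *lab {
	start := time.Date(2021, 9, 1, 0, 0, 0, 0, time.UTC)       // constructed
	oldExpiry := time.Date(2021, 9, 30, 14, 0, 0, 0, time.UTC) // constructed, mirrors the 10 am ET cut-off
	oldKey, newKey, intKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	oldTmpl := caTemplate("Lab Old Root", start, oldExpiry)
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newTmpl := caTemplate("Lab New Root", start, start.AddDate(20, 0, 0))
	newRoot := issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// One intermediate key, two certificates (a cross-sign): a client may build either path.
	intTmpl := caTemplate("Lab Intermediate", start, start.AddDate(5, 0, 0))
	crossSigned := issue(intTmpl, oldRoot, &intKey.PublicKey, oldKey)
	newSigned := issue(intTmpl, newRoot, &intKey.PublicKey, newKey)
	leafTmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		NotBefore: start, NotAfter: start.AddDate(0, 3, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, crossSigned, &leafKey.PublicKey, intKey)
	return &lab{oldRoot, newRoot, crossSigned, newSigned, leaf, oldExpiry.Add(-time.Hour), oldExpiry.Add(time.Hour)}
}

// verifyAt is the sandbox check from the story: validate the served chain with the
// client clock at `at` and only `trusted` in the store; returns each chain's root CN.
func verifyAt(l *lab, at time.Time, trusted ...*x509.Certificate) ([]string, error) {
	roots := x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool() // what the server sends alongside its leaf
	inters.AddCert(l.crossSigned)
	inters.AddCert(l.newSigned)
	chains, err := l.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at, DNSName: "www.example.test"})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, chain := range chains {
		names = append(names, chain[len(chain)-1].Subject.CommonName)
	}
	return names, nil
}

func main() {
	l := buildLab()
	fmt.Println(verifyAt(l, l.afterExpiry, l.oldRoot))            // legacy store after the cut-off: error, root expired
	fmt.Println(verifyAt(l, l.afterExpiry, l.oldRoot, l.newRoot)) // updated store: chain via Lab New Root
	fmt.Println(verifyAt(l, l.beforeExpiry, l.newRoot))           // old root distrusted early: chain via Lab New Root
}
```

A client that only trusts the old root fails the moment the clock passes the expiry, while a store that also carries the new root keeps working because the verifier can still build the path through the cross-signed intermediate's second certificate.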

  • Proxy Phantom: Fraud rings flood online merchants with credential stuffing attacks

    A massive fraud operation slamming e-commerce merchants in account takeover attacks has been revealed by researchers.

    On Thursday, fraud prevention company Sift said the ring, dubbed Proxy Phantom, is using over 1.5 million sets of stolen account credentials in automated credential stuffing attacks against online merchants. Credential stuffing attacks generally rely on a database of stolen credentials — potentially sourced from data breaches or data dumps leaked and sold online — to slam a domain with login requests. Many of us use the same username and password combinations across different services — although we shouldn’t — and so a data breach at one company could lead to account compromise at another. Estimates suggest that only 0.1% of credential stuffing attacks are successful. However, once you consider that thousands of account combinations could be tried at the same time, despite the low success rate, these attacks can still be worthwhile — especially when they are used against merchants or financial services. According to Sift’s Q3 2021 Digital Trust & Safety Index, Proxy Phantom “flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second.” The ring also rotated through connected IP addresses to make the requests appear to stem from different geographical locations, and primarily targeted e-commerce platforms and online services.

    The IP clusters doubled between April and June 2021. “As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of ‘whack-a-mole,’ with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace,” Sift said. In addition, the report states that account takeover attacks detected by the company increased by 307% over Q3. The financial sector in particular is a top target, including cryptocurrency exchanges and digital wallet services. Earlier this month, Netacea published an index documenting the activities of scalper bots. These automated systems are built to beat online queues for high-ticket items such as concert tickets and gaming consoles so that their operators can resell them at a profit. In the past few months, the PlayStation 5, cryptocurrency mining cards, and Nvidia RTX 3000 series chips have been highly sought by scalpers.
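The rules-based whack-a-mole Sift describes, as an added Go example that is not from the article or from Sift: over a constructed login log (five genuine users plus a burst of 60 stolen credential pairs, each tried once from a different proxy address), a per-IP failure threshold never trips on the burst, while a rule that looks at the shape of failures in each time window, counting distinct addresses and distinct accounts, does. The log format, thresholds and addresses are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type attempt struct {
	at       time.Time
	ip, user string
	ok       bool
}

// constructedLog is a made-up sample (not real traffic), one attempt per line as
// "<RFC3339 time> <client-ip> <username> <ok|fail>": five genuine users log in once
// a minute (one mistypes now and then), then 60 stolen pairs arrive in 10 seconds.
func constructedLog() string {
	base := time.Date(2021, 9, 30, 12, 0, 0, 0, time.UTC)
	var b strings.Builder
	for i := 0; i < 20; i++ {
		at, ip, user := base.Add(time.Duration(i)*time.Minute), fmt.Sprintf("203.0.113.%d", 10+i%5), fmt.Sprintf("user%02d", i%5)
		if i%5 == 0 {
			fmt.Fprintf(&b, "%s %s %s fail\n", at.Format(time.RFC3339), ip, user)
		}
		fmt.Fprintf(&b, "%s %s %s ok\n", at.Add(30*time.Second).Format(time.RFC3339), ip, user)
	}
	results := strings.Fields(strings.Repeat("fail ", 60))
	results[41] = "ok" // the rare hit the operation is after
	for i, r := range results {
		at := base.Add(7*time.Minute + time.Duration(i)*time.Second/6)
		fmt.Fprintf(&b, "%s 198.51.100.%d victim%03d %s\n", at.Format(time.RFC3339), i, i, r)
	}
	return b.String()
}

func parseLog(text string) ([]attempt, error) {
	var out []attempt
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, attempt{at, f[1], f[2], f[3] == "ok"})
	}
	return out, nil
}

// perIPRule is the rules-based control the story says gets outrun: block an address after maxFails failures.
func perIPRule(attempts []attempt, maxFails int) []string {
	fails := map[string]int{}
	var blocked []string
	for _, a := range attempts {
		if !a.ok {
			fails[a.ip]++
			if fails[a.ip] == maxFails+1 {
				blocked = append(blocked, a.ip)
			}
		}
	}
	return blocked
}

type window struct {
	start      time.Time
	fails      int
	ips, users map[string]bool
}

// distributedRule ignores which address a failure comes from and looks at their shape per
// window: many failures over almost as many distinct IPs and usernames is a rotating-proxy burst.
func distributedRule(attempts []attempt, size time.Duration, minFails int, maxFailsPerIP float64) []window {
	buckets := map[time.Time]*window{}
	for _, a := range attempts {
		if a.ok {
			continue
		}
		start := a.at.Truncate(size)
		if buckets[start] == nil {
			buckets[start] = &window{start: start, ips: map[string]bool{}, users: map[string]bool{}}
		}
		w := buckets[start]
		w.fails++
		w.ips[a.ip], w.users[a.user] = true, true
	}
	var flagged []window
	for _, w := range buckets {
		if w.fails >= minFails && float64(w.fails)/float64(len(w.ips)) <= maxFailsPerIP {
			flagged = append(flagged, *w)
		}
	}
	sort.Slice(flagged, func(i, j int) bool { return flagged[i].start.Before(flagged[j].start) })
	return flagged
}
```

Tightening the per-IP threshold does not help: it ends up blocking the genuine user who mistyped a few times while every proxy address in the burst stays under the limit.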

  • Alexa, Ring, and Astro: Where's my privacy, Amazon?

    This year’s Amazon hardware event was quite a doozy. The Seattle-based company showcased an updated health band with a nutritionally-guided personalized shopping service, a flying security drone, more indoor and outdoor cameras, and an autonomous sentry robot.  All of which are powered in some way by AWS machine learning and left me thinking about one word: privacy.

    Do I really want all of these products in my own home and as part of my life? Admittedly, there is a certain appeal to Amazon’s pitch of having their technology live in the background, transparently, to enable our real-world experiences better. The best user interface is the effectively invisible one, like the ever-watchful and ready-to-talk computers on shows like Star Trek. They’re benevolent AIs that always look out for us, keeping us out of harm’s way while accepting our queries and commands. Granted, I’ve already accepted a lot of these devices into my life. I have five Alexa-compatible smart speakers positioned in different parts of the house, so I have full coverage to deal with home automation issues. I also have a Google Home in the kitchen, plus multiple Siri-enabled mobile devices (Watch, iPhone, iPad, Mac, Apple TV). And of course, I have webcams for doing Zoom calls and the like on my Mac workstation and on my iPad and iPhone — all of which aren’t on unless I want them to be, presumably. But so far, I have resisted the notion of having cameras all over the place, peering inside the home’s interior spaces. Sure, I have some Ring devices guarding the front of the house, but there’s nothing recording inside. Part of this stems from the fact that I have no children, so I do not need to check up on them. I also rarely travel for extended periods away from my home. Besides my wife, my two miniature poodles are the only other residents of Chateau Perleaux. I live in a gated community with only one way in and out, and I’m alerted immediately if someone should be let through if they aren’t on my regular list.  Would I want cameras inside if I had young children? I honestly don’t know. I can tell you that I see very little value from doing it now, and quite frankly, my lifestyle tends to border on the, shall we say, bohemian. 
I live in a warm-weather state, and if I don’t have guests over, full clothing is optional, especially when using my pool and spa during hot afternoons and humid evenings, which is a big part of living in Florida. So I have no desire for Ring, Blink, or Astro to be capturing my spouse or me in various states of undress. I don’t need something that chases me around my house like an attention-deprived puppy, constantly scanning everything around it. I have no idea where that video is going and if a human will ever review it for improving machine-learning purposes.

    This is not to say I might not come around to the idea of having a robot, eventually. But besides being an Echo Show on wheels, Astro doesn’t do anything except act as a constant sentry. Unlike the Tesla Bot, which doesn’t even exist in demos yet, it doesn’t have arms to manipulate things and perform general-purpose tasks.

    It’s not just the cameras, though. It’s this constant desire by Amazon to suck up and process data created by its customers using its products so it can further monetize it. And that’s the big difference I see between Amazon and its industry peers like Apple. This is especially true when we see things like the new Nutrition service attached to their Halo band, automatically formulating a meal plan and ordering groceries from Whole Foods based on your health data. I’m not sure I like the idea of Amazon telling me what I should eat, either. With Apple products, such as the Watch, that collect a lot of personalized data from its sensors, all of the metrics can be reviewed by the end-user and easily erased. They have tools within iOS to adjust permissions of Health data and which applications have access to it. Amazon doesn’t have this level of user control for everything that goes into its cloud, or at least it isn’t easy to get to or isn’t centralized under a single console.  I can get to my voice command history, detect sounds on Alexa (for its opt-in Guard service), and set expirations for three months, 18 months, or until I delete it. Still, I have no idea what other noises are detected or recorded — and if humans ever review them. I also can’t hear the captured sounds and voices in the UX; I can only view a log that it was recorded and be given the option to delete it. With Ring, I can view the video recordings stored in the cloud. Do users have full control over what Astro or their flying Ring drone uploads to AWS? Besides law enforcement, what humans can view these video recordings, besides customer-chosen third-parties, for its newly announced security service? I have no idea. Amazon needs to do a better job detailing and disclosing what data is recorded, where it goes, who can review it, and providing better tools to manage this recorded information. Otherwise, I’m not sure any of us will ever feel fully comfortable having these devices in our homes.


  • These systems are facing billions of attacks every month as hackers try to guess passwords

    Computer networks are being aggressively bombarded with billions of password-guessing attacks as cyber criminals attempt to exploit the growth in remote desktop protocol (RDP) and other cloud services in corporate environments. Cybersecurity researchers at ESET detected 55 billion new attempts at brute-force attacks between May and August 2021 alone – more than double the 27 billion attacks detected between January and April. 


    Successfully guessing passwords can provide cyber criminals with an easy route into networks and an avenue they can use to launch further attacks, including delivering ransomware or other malware. Once in a network, they’ll attempt to use that access to gain additional permissions and manipulate the network, performing actions like turning off security services so they can go about their activities more easily. One of the most popular targets for brute-force password-guessing attacks is RDP. The rise in remote working has led to an increase in people needing to use remote-desktop services. Many of these are public-facing services, providing cyber criminals with an opportunity to break into networks – and it’s an opportunity they’re eager to exploit. The sheer number of attacks means most will be automated, but if accounts are secured with simple-to-guess or common passwords – and many are – then they can make easy pickings for attackers. Once a password has been successfully breached, it’s likely an attacker will take a more hands-on approach to reach their end goal. “With the number of attacks being in the billions, this is impossible to do manually – so these attack attempts are automated. Of course, there is always a manual aspect when cybercriminals are setting up or adjusting the attack infrastructure and specifying what types of targets are in their crosshairs,” Ondrej Kubovič, security awareness specialist at ESET, told ZDNet.

    In addition to targeting RDP services, cyber criminals are also going after public-facing SQL and SMB services. These services will often be secured with default passwords that attackers can take advantage of. 

    One of the reasons brute-force attacks are successful is that so many accounts are secured with simple, one-word passwords. Requiring passwords to be more complex could go a long way towards preventing accounts from being breached in brute-force attacks. The National Cyber Security Centre suggests users use three memorable words as a password – something that’s far more robust against brute-force attacks than a single word. Organisations can also provide an additional layer of protection against brute-force password-guessing attacks – and other campaigns – by deploying multi-factor authentication (MFA). Using MFA means that, even if the attackers know the correct password, there’s an extra barrier to prevent them from automatically being able to access the network.

  • Fears surrounding Pegasus spyware prompt new Trojan campaign

    A recent investigation into how Pegasus spyware is being used to monitor civil rights agencies, journalists, and government figures worldwide is being exploited as a lure in a new wave of cyberattacks.

    Pegasus is a surveillance system offered by the NSO Group. While advertised as software for fighting crime and terrorism, a probe into the spyware led to allegations that it is being used against innocents, including human rights activists, political activists, lawyers, journalists, and politicians worldwide.  Israel-based NSO Group denied the findings of the investigation, conducted by Amnesty International, Forbidden Stories, and numerous media outlets.  Apple has since patched a zero-day vulnerability utilized by Pegasus, a discovery made together with Citizen Lab.  Now, cybercriminals unconnected to Pegasus are attempting to capitalize on the damning report by promising individuals a way to ‘protect’ themselves against such surveillance — but are secretly deploying their own brands of malware, instead.   On Thursday, researchers from Cisco Talos said that threat actors are masquerading as Amnesty International and have set up a fake domain designed to impersonate the organization’s legitimate website. This points to an ‘antivirus’ tool, “AVPegasus,” that promises to protect PCs from the spyware. 

    However, according to Talos researchers Vitor Ventura and Arnaud Zobec, the software contains the Sarwent Remote Access Trojan (RAT). The domains associated with the campaign are amnestyinternationalantipegasus[.]com, amnestyvspegasus[.]com, and antipegasusamnesty[.]com. Written in Delphi, Sarwent installs a backdoor onto machines when executed and is also able to use the remote desktop protocol (RDP) to connect to an attacker-controlled command-and-control (C2) server. The malware will attempt to exfiltrate credentials and is also able to download and execute further malicious payloads. The UK, US, Russia, India, Ukraine, the Czech Republic, Romania, and Colombia are the most targeted countries to date. Talos believes the cyberattacker behind this campaign is a Russian speaker who has operated other Sarwent-based attacks over 2021. “The campaign targets people who might be concerned that they are targeted by the Pegasus spyware,” Talos says. “This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination there. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.”

  • These ransomware crooks are complaining they are getting ripped off – by other ransomware crooks

    Cyber criminals using a ransomware-as-a-service scheme have been spotted complaining that the group they rent the malware from could be using a hidden backdoor to grab ransom payments for themselves. REvil is one of the most notorious and most common forms of ransomware around and has been responsible for several major incidents. The group behind REvil leases its ransomware out to other crooks in exchange for a cut of the profits these affiliates make by extorting Bitcoin payments in exchange for the decryption keys that victims need.


    But it seems that cut isn’t enough for those behind REvil: it was recently disclosed that there’s a secret backdoor coded into their product, which allows REvil to restore the encrypted files without the involvement of the affiliate. This could allow REvil to take over negotiations with victims, hijack the so-called “customer support” chats – and steal the ransom payments for themselves. Analysis of underground forums by cybersecurity researchers at Flashpoint suggests that the disclosure of the REvil backdoor hasn’t gone down well with affiliates. One forum user claimed to have had suspicions about REvil’s tactics, and said their own plan to extort $7 million from a victim was abruptly ended. They believe that one of the REvil authors took over the negotiations using the backdoor and made off with the money.

    Another user on the Russian-speaking forum complained they were tired of “lousy partner programs” used by ransomware groups “you cannot trust”, but also suggested that the status of REvil as one of the most lucrative ransomware-as-a-service schemes means that wannabe ransomware crooks will still flock to become affiliates. That’s particularly the case now that the group is back in action after appearing to go on hiatus earlier in the summer. For those scammers who think they’ve been scammed, there’s not a lot they can do (and few would have sympathy for them). One forum user suggested any attempt at dealing with this situation would be as useless as trying to arbitrate “against Stalin”. Ransomware remains one of the key cybersecurity issues facing the world today. For victims of ransomware attacks, it ultimately doesn’t matter who is on the other end of the keyboard demanding payment for the decryption key – many will just opt to pay the ransom, perceiving it as the best way to restore the network.


    But even if victims pay the ransom – which isn’t recommended because it encourages more ransomware attacks – restoring the network can still be a slow process, and it can be weeks or months before services are fully restored. Be it REvil or any other ransomware gang, the best way to avoid the disruption of a ransomware attack is to prevent attacks in the first place. One of the key ways organisations can help stop ransomware attacks is to make sure operating systems and software across the network are patched with the latest security updates, so cyber criminals can’t easily exploit known vulnerabilities to gain an initial foothold. Multi-factor authentication should also be applied to all users to provide a barrier to hands-on attackers being able to use stolen usernames and passwords to move around a compromised network.

  • Australia's digital vaccination certificates for travel ready in two to three weeks

    Services Australia CEO Rebecca Skinner on Thursday said that Australia’s digital vaccination certificates for international travel would be ready in two to three weeks. Skinner, who appeared before Australia’s COVID-19 Select Committee, provided the update when explaining how the upcoming visible digital seal (VDS) would operate. The VDS is Australia’s answer for indicating a person’s COVID-19 vaccination status for international travel; it will link a person’s vaccination status with new digital vaccination certificates and border declarations. Skinner said her agency was working to make the VDS accessible to fully vaccinated people through the Medicare Express Plus app. To access the VDS through the app, Skinner said users would need to provide additional passport details along with consent to share their immunisation history with the Australian Passport Office. The data would then be sent to the Passport Office to determine whether the user is eligible to receive a VDS. The approval process performed by the Passport Office will be automated, Services Australia Health Programmes general manager Jarrod Howard said, and would entail the Passport Office checking whether the person is fully vaccinated. Because the process is automated, Howard said people could re-apply for a VDS “in a matter of seconds” at the airport in the event there is an error with a VDS. Once approved, Howard said the VDS would be available on the Medicare Express Plus app and allow for verification on third-party apps.

    Providing a timeline for when the VDS would be ready, Skinner told the committee she expected it to be ready in the next two to three weeks, or before the end of October at the latest. While noting the digital vaccination certificate for international travel was coming soon, she adamantly refused to call the VDS a vaccine passport, as an official passport is still required. Outgoing travellers from Australia will not be allowed to travel abroad without the VDS or another authorised digital vaccination certificate, however, even if they have a passport. Australia’s Trade Minister Dan Tehan earlier this month said the VDS system has already been sent to all of Australia’s overseas embassies in order to begin engagement with overseas posts and overseas countries regarding international travel. The Department of Foreign Affairs and Trade, meanwhile, has already put out a verification app, called the VDS-NC Checker, onto Apple’s App Store, which the department hopes will be used at airports to check people onto flights. International travel for fully vaccinated people living in Australia is currently expected by Christmas, with Tehan confirming that the official date would be when 80% of the country is fully vaccinated.

    Digital vaccination certificate for state check-in apps to undergo trial

    On the domestic front, fully vaccinated Australians may soon be able to add digital vaccination certificates to state-based check-in apps, Skinner said. She said there would eventually be an additional feature on the Medicare Express Plus app that allows users to add their COVID-19 immunisation history to state-based check-in apps. The process for adding the digital vaccination certificate to state-based check-in apps will be similar to accessing the VDS, except users will not need to provide their passport details. Consent must first be provided for the data to be added to state-based apps, Skinner said. The consent provided by users will last for 12 months, with users needing to provide consent again in order for the immunisation information to continue to appear on the state-based apps. Services Australia envisions this process occurring through a security token being passed to the relevant state authority once consent is provided. The security token will have data showing a person’s COVID-19 immunisation history and other information such as an individual health identifier. That data would be stored in the Australian Immunisation Register (AIR) database, which is maintained by Services Australia on behalf of the Department of Health. Currently, those fully vaccinated can only add their digital vaccination certificate to Apple Wallet or Google Pay. Those not eligible for Medicare who are fully vaccinated, meanwhile, can call the Australian Immunisation Register for a hard copy, or use the Individual Healthcare Identifiers service through myGov for a digital version. Trials to implement the COVID-19 digital certificate on state-based apps will start in New South Wales next week.

    Of Australia’s states and territories, only New South Wales has officially signed up to trial the new feature so far, however. “Our approach has been particularly for high volume venues to reduce friction on both staff in those venues and also friction for customers to leverage the current check-in apps that all of the jurisdictions currently have,” Services Australia Deputy CEO of Transformation Projects Charles McHardie said. When asked why Services Australia was not focusing on introducing the digital vaccination certificate through a national app, like COVIDSafe, McHardie explained that this was due to Australia’s public health orders being issued at a state level. McHardie conceded, however, that incoming travellers could potentially be required to install up to eight different apps to adhere to Australia’s various state check-in protocols. Howard added that check-in apps from certain states and territories — ACT, Northern Territory, Queensland, and Tasmania — had interoperability with each other due to these apps using the same background technology. According to DTA acting CEO Peter Alexander, who also appeared before the committee, the bungled COVIDSafe app has cost AU$9.1 million as of last week. New South Wales and Victoria have been the only states to use information from the app. The AU$9.1 million figure is in line with the January update that the COVIDSafe app costs around AU$100,000 per month to run. At the end of January, total spend for the app was AU$6.7 million. At the time of writing, around 11 million people living in Australia are fully vaccinated. Of those people, 6.3 million have downloaded a digital vaccination certificate.

  • YouTube expands medical misinformation bans to include all anti-vaxxer content

    YouTube has said it will remove content containing misinformation or disinformation on approved vaccines, as that content poses a “serious risk of egregious harm”. “Specifically, content that falsely alleges that approved vaccines are dangerous and cause chronic health effects, claims that vaccines do not reduce transmission or contraction of disease, or contains misinformation on the substances contained in vaccines will be removed,” the platform said in a blog post. “This would include content that falsely says that approved vaccines cause autism, cancer or infertility, or that substances in vaccines can track those who receive them. Our policies not only cover specific routine immunizations like for measles or Hepatitis B, but also apply to general statements about vaccines.” Exceptions to the rules do exist: Videos that discuss vaccine policies, new trials, historical success, and personal testimonials will be allowed, provided other rules are not violated, or the channel is not deemed to promote vaccine hesitancy. “YouTube may allow content that violates the misinformation policies … if that content includes additional context in the video, audio, title, or description. This is not a free pass to promote misinformation,” YouTube said. “Additional context may include countervailing views from local health authorities or medical experts. We may also make exceptions if the purpose of the content is to condemn, dispute, or satirise misinformation that violates our policies.” If a channel violates the policy three times in 90 days, YouTube said it will remove the channel.

    The channel of one anti-vaccine pushing non-profit, the Children’s Health Defense that is chaired by Robert F. Kennedy Jr, was removed. Kennedy claimed the channel’s removal as a free speech issue. Meanwhile, the BBC reported that Russia threatened to ban YouTube after a pair of RT channels in German were banned for COVID misinformation. YouTube said when announcing its expanded policy, it has removed over 130,000 videos for violating its COVID-19 vaccine policies since last year. In August, the video platform said it removed over 1 million COVID-19 misinformation videos. Earlier this year, Twitter began automatically labelling tweets it regarded as having misleading information about COVID-19 and its vaccines, as well as introducing its own strike system that includes temporary account locks and can lead to permanent suspension. While the system has led to the repeated suspension of misinformation peddlers such as US congresswoman Marjorie Taylor Greene, the automated system cannot handle sarcasm from users attempting humour on the topics of COVID-19 and 5G. In April, the Australian Department of Health published a page attempting to dispel any link between vaccines and internet connectivity. “COVID-19 vaccines do not — and cannot — connect you to the internet,” it stated. “Some people believe that hydrogels are needed for electronic implants, which can connect to the internet. The Pfizer mRNA vaccine does not use hydrogels as a component.” Related Coverage More