Information Technology

Scam artists have taken advantage of a contract migration initiative to swindle NFTs out of users in an opportunistic phishing attack.

Last week, NFT marketplace OpenSea announced the rollout of contract migrations and an upgrade to make sure inactive, old NFT listings on Ethereum expire safely and to allow OpenSea to “offer new safety features in the future.”The contract migration timeline was set from February 18 to February 25.  NFT holders are required to make the change, and OpenSea published a guide to assist them. After the deadline, any listings that were not migrated would expire, although they could be re-listed after this window without further fees.  However, an attacker saw an opportunity to cash in. Check Point Research has suggested that phishing emails were sent to users, linking them to fraudulent websites. “Some hackers took advantage of the upgrade process and decided to scam NFT users by using the same email from OpenSea and resending it to the OpenSea victims,” the researchers said. Also: How the initial access broker market leads to ransomware attacks

Marketplace users were reportedly urged to click a link and sign a malicious transaction that was crafted to look like a legitimate OpenSea request.  According to the researchers, the attacker created their contract prior to the transition and made use of atomicMatch_, a form of request “capable of stealing all victim NFTS in one transaction.”The wallet connected to the phishing attack held over two million dollars after some of the stolen NFTs were sold, CPR noted, although, at the time of writing, just over $8,000 is left in the account. In total, there have been over 350 transactions from this wallet address, including deposits and withdrawals.  Originally, it was believed that 32 users had their NFTs stolen after falling prey to the phishing attack. “The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours,” OpenSea CEO Devin Finzer said on February 20. “Some of the NFTs have been returned. […] We are not aware of any recent phishing emails that have been sent to users, but at this time, we do not know which website was tricking users into maliciously signing messages.” In an update, OpenSea said its team has been working “around the clock” to investigate, and this number of suspected victims has been narrowed down to 17. “Our original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack,” OpenSea said.  It has now been over 22 hours since the last fraudulent transaction made in the attacker’s wallet.  Nadav Hollander, OpenSea CTO, published a Twitter thread containing the organization’s current understanding of the attack, which the firm does not believe originated from OpenSea.  “All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time,” Hollander said. “However, none of these orders were broadcasted to OpenSea at the time of signing.” In addition, the orders were not executed against the new Wyvern 2.3 contract.  Hollander commented: “32 users [note: now estimated to be 17] had NFTs stolen over a relatively short time period. This is extremely unfortunate but suggests a targeted attack as opposed to a systemic issue. This information, coupled with our discussions with impacted users and investigation by security experts, suggests a phishing operation that was executed ahead of the deprecation of the 2.2 contract given the impending invalidation of these collected malicious orders. Even though it appears the attack was made from outside OpenSea, we are actively helping affected users and discussing ways to provide them additional assistance.” Cybersecurity expert Dan Guido also highlighted the inherent security issues with wallets and their exposure to phishing campaigns.  OpenSea continues to investigate.  In other recent NFT news, Fortinet researchers have warned that cyberattackers are jumping on the NFT hype to spread BitRAT malware. See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Not a week goes by that I don’t hear from someone who has lost access to their Apple ID. It can be pretty traumatic — you can lose access to a lot of different features and services.And Apple has several ways for users to get themselves out of a jam.

It’s just they’re all a bit of a hassle.A far easier way is to plan in advance and set up an account recovery contact (or contacts!).What is an account recovery contact?If you lose access to your Apple ID, you can follow the steps on your device to share the onscreen instructions with your recovery contact and request a six-digit code that will allow you to reset your Apple ID password.Oh, and don’t worry. Your account contacts don’t get access to any of your data.

On the iPhone or the iPad, you must be running iOS 15 or later:Tap on Settings and then on your name at the top of the screenTap Password & Security, then Account RecoveryTap on Add Recovery Contact (you’ll need to authenticate with Face ID or Touch ID), and then you can choose your contact (those in your Family Sharing group are added automatically, whereas any other contact will need to accept your request first)It’s that simple.You can also do the same on the Mac, but you must be running macOS Monterey or later:Click on the Apple menu, then go to System PreferencesClick on Apple IDClick Password & SecurityNext to Account Recovery, click on ManageClick on + and then Add Recovery Contact (you will need to authenticate with Touch ID or your password), and then you can choose your contact (those in your Family Sharing group are added automatically, whereas any other contact will need to accept your request first)Again, it’s all quite straightforward.Apple has detailed information on how to set this up, along with information for those who are set as account recovery contacts.I recommend you set up a recovery contact today because having one — or several, you can have up to five — set up can save you a lot of grief down the line. More

Smartphones like the

iPhone

 are home to so much information.

Texts, emails, financial, medical. Then on top of that, smartphones can be used to track our movements and what we do online.It’s vital to keep them secured.But what do you do if someone has figured out a way into your iPhone? How do you even know if someone has found a way into your iPhone?Yeah, scary, isn’t it.Over the past few weeks, I’ve been assisting someone in this exact position. Someone that they trusted turned out not to be worthy of that trust and The first reaction of most people is to change their passcode, but that’s not where I’d start.Note: If someone does have access to your iPhone, either because they’ve guessed your passcode, or by another means, remember that making changes to revoke that access will be noticeable to them.

Here’s the process that I follow for securing an iPhone that someone might have gained access to:#1: RebootThere’s a reason we start with a reboot. Bottom line, if someone has compromised an iPhone using a jailbreak or some other exploit, a simple reboot should get rid of it. Instruction on how to reboot your iPhone can be found here. A regular reboot will also help to keep your iPhone running swiftly and smoothly, and it’s something that I do once a week.#2: Change your passcodeIt has to be done. Make it a secure one because this is the key to everything on your phone: birthdays, pet names, names of children, these all such as passcode.Apple has information here on how to change the passcode for versions of iOS ranging from iOS 12 to iOS 15.Also: iOS 15.3.1: A pleasant surprise after the chaos#3: Check for rogue Face ID or fingerprints.You can have more than one face, and set of fingerprints enrolled in your iPhone. To check if someone has added their face to Face ID, tap Settings > Face ID & Passcode and enter your passcode.If you see the option to Set Up an Alternative Appearance, then there’s only one face enrolled, and you’re OK.However, if that option is not visible, there are two faces enrolled (or perhaps you enrolled your face twice). If this is that case, and you’ve not set up your device so someone else can access it, tap on Reset Face ID and go through the enrollment process again (it takes seconds).If your iPhone users the Touch ID fingerprint reader, I recommend deleting all the stored fingerprints and adding them again.Go to Settings > Touch ID & Passcode, then tap on each fingerprint and then tap Delete Fingerprint to remove it.#4: Run an anti-spyware scanIt might be overkill, but it’s better to be on the safe side. My favorite is Certo AntiSpy, and you can get more information about it here. A lower-cost solution that you can run is iVerify. This app is great because it is packed with awesome hints, tips, and tricks on how to secure your iPhone.
#5: Don’t hand your phone to other peopleIt can be hard to set certain boundaries in life, but the one of not passing your unlocked iPhone over to someone else is probably a good one to build. A smartphone is packed with personal information, and it’s OK to want to keep that private. 

More iPhone More

Akamai CEO Tom Leighton touted the company’s expansion this week on the heels of a Q4 earnings report that saw the company bring in a revenue of $905 million for the quarter and $3.5 billion for the full fiscal year. Akamai announced on Tuesday that it is acquiring infrastructure-as-a-service (IaaS) platform provider Linode for about $900 million. Leighton said Linode is a very developer-friendly IaaS provider that makes it very easy to spin up a virtual machine or a container to build and run applications. “By combining that with Akamai, we’re the world’s leaders in content delivery and web security. We make your applications really fast and we protect them from all sorts of attacks. We have the world’s most distributed edge computing platform for applications that need to be scaled up instantly on a global basis to respond to demand and various geographies in a serverless way,” Leighton told ZDNet in an interview. “Putting them together is a very powerful combination because now developers and enterprises will be able to much more easily do the whole thing on Akamai. They can build the apps on Akamai, run them there, deliver them from Akamai and have them be secured as part of Akamai. Akamai becomes the world’s most distributed cloud services provider, all the way from the cloud to the edge, and we’ll make it really easy to build, run and secure your applications online.”He went on to explain that Linode has great customer support and is already in 11 locations, which Akamai is going to “dramatically” expand. Linode does not have much of a sales force today, so Akamai will help them build that out, Leighton said. Akamai will be integrating in more than 250 employees from Linode’s headquarters in Philadelphia, which will bring them to well over 9,000 employees globally. Leighton also noted the September 2021 acquisition of Israel-based Guardicore, a cybersecurity company that offers a micro-segmentation solution to reduce the potential attack surface of corporate networks, secure applications, and meet compliance standards.

Leighton said the two acquisitions are the largest they have done in the last 20 years and noted that since closing the Guardicore deal, they have nearly doubled their initial projections of $30 million to $35 million in revenue for the company. “The micro-segmentation that they do is really important for stopping the impact of ransomware. Ransomware is a huge problem today and the visibility it gives our customers into what’s going on in their internal networks is really important,” he explained.  “When you put it all together, Akamai is now positioned as the most distributed cloud services provider, with three market-leading capabilities and pillars to support growth. That’s a pretty exciting place to be.” Akamai saw significant growth throughout 2021 in their security services, which contributed to revenue increases of 25% year over year and growth in their edge application services, which was up 30% year over year. According to Leighton, the company is expecting the cloud compute category — which includes edge applications, its net storage business and Linode — to reach “well over half a billion dollars in 2023.”While the company has seen growth in overall revenue, their earnings per share may grow a bit less than usual due to the acquisitions. But Leighton predicted the EPS would bounce back next year. “We generate a ton of cash so we’re in a position to make acquisitions that would benefit our customers and shareholders. I’m really excited about the future. We have a great history of innovation in the internet, beginning with the invention of content delivery and then bringing high quality streaming online, application acceleration, and of course, web security,” he said. “We were pioneers in edge computing and now we’re taking a big step forward in cloud computing with Linode.”

Tech Earnings More

There’s a lot of FUD about how Linux is being shown recently to be less secure than proprietary systems. That’s nonsense. But, now there are hard facts from Google’s Project Zero, Google’s security research team, showing Linux’s developers do a faster job of fixing security bugs than anyone else, including Google.

Project Zero looked at fixed bugs that had been reported between January 2019 and December 2021. The researchers found that open-source programmers fixed Linux issues in an average of only 25 days. In addition, Linux’s developers have been improving their speed in patching security holes from 32 days in 2019 to just 15 in 2021. Its competition didn’t do nearly as well. For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days. By Project Zero’s count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days. Generally, everyone’s getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.Browsers problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple’s web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit’s programmers take an average of over 72 days to fix bugs.Project Zero gives developers 90-days to fix security problems. Besides the average now being well below the 90-day deadline, the team has also seen a dropoff in vendors missing the deadline or the additional 14-day grace period. 

Last year, only a single bug, a Google Android security problem, exceeded its fix deadline, though 14% of bugs required the extra two weeks. Still, everyone’s doing a much better job of fixing security bugs than they’ve been doing in years past. Why? The Project Zero crew suspects it’s because “responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines.” Companies have also been learning best practices from each other with the increase in transparency. I credit much of this to the growth of open-source development methods. People are realizing that it’s to everyone’s advantage to fix bugs together. Related Stories: More

Google has expanded plans to limit data tracking on its Chrome browser by extending that coverage to apps running on Android devices. The Privacy Sandbox project aims to limit the amount of user data that advertisers can gather from browsing and app usage.

But details are scant, and it’s not happening just yet.Google will begin by allowing developers to review initial design proposals and share feedback. Over the year, Google plans to release developer previews, with a beta being available by the end of the year.And it’s clear that Google is worried that by making changes too quickly, it could upend its app ecosystem.”Currently over 90 percent of the apps on Google Play are free,” writes Anthony Chavez, VP of Product Management, Android Security & Privacy at Google, “providing access to valuable content and services to billions of users. Digital advertising plays a key role in making this possible. But in order to ensure a healthy app ecosystem — benefiting users, developers and businesses — the industry must continue to evolve how digital advertising works to improve user privacy.”It seems that right out of the gate, Google is worried that making apps more private could scare off developers from making free apps (although where they might go is unclear).

“We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.” Google also took the opportunity to take a pop at Apple at its App Tracking Transparency feature: “We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers. We believe that — without first providing a privacy-preserving alternative path — such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses.”One of those businesses is Meta (Facebook), which estimates the changes that Apple made will cost it $10 billion this year alone.Problem is, Apple’s path has been effective for the people that matter — the users. And users, when given a choice as to whether they want apps to track them or not, have overwhelmingly chosen to retain their privacy. Apple also paved the way for greater transparency by forcing app developers to outline how data collected by apps would be used.It’s clear that Google feels it needs to make some positive sounds with regards to privacy, but it’s also clear that simply handing the reigns of control to users isn’t what Google wants to do, and instead, the company wants to come up with a solution that’s more within its control.What does this mean for users? It means that if you want privacy on a mobile device, the choice is clear — you should be ditching Android and buying an iPhone.

ZDNet Recommends More

Cybersecurity labels could convey a software product’s or connected gadget’s cybersecurity status. But would these labels be useful, and what is a software product anyway in connected cars and consumer appliances? The idea of cybersecurity labels for Internet of Things (IoT) and consumer software has been kicked around for years, and has recently been looked at more seriously in the EU, Australia, UK and elsewhere. In October, Singapore and Finland agreed to recognize each other’s cybersecurity labels for IoT devices.But labels were required to be seriously considered in the US as part of president President Biden’s May 2021 cybersecurity Executive Order 14028, “Improving the Nation’s Cybersecurity”. Biden signed the EO shortly after the massive SolarWinds software supply chain attack and a spate of ransomware attacks on critical infrastructure. Part of the order required the US National Institute of Standards and Technology (NIST) to consider product labelling for IoT devices and software development practices for consumer software, in order to boost cybersecurity education. NIST only makes guidelines for a US cybersecurity labelling scheme, which would more likely be enforced by the Federal Trade Commission (FTC), given its existing oversight of consumer protection and data privacy laws.NIST released its guidelines for such labels on February 4, and now its two leads for consumer software and IoT have shared their views on the pros and cons of cybersecurity labels.As they point out, there are working examples of labels for food safety, device performance, and the electrical safety of appliances. These help consumers make informed choices and provide incentives to improve product safety and quality. But software is different.

Michael Ogata, NIST Computer Scientist, says that developing the recommended criteria for consumer software labelling was a “nerve-wracking experience”, in part because of the difficulties in defining where software begins and ends today. “What is consumer software? Is the firmware in your car consumer software? What about an online service like an office suite or email client? Certainly, a video game counts as consumer software, but do you measure a mobile game, a console game, and a PC game in the same ways?,” he writes.A definition of consumer software eventually emerged as: “software normally used for personal, family, or household purposes.”One of NIST’s key recommendations for labels, whichever scheme runs it, is that they’re “binary”, in that the product either 1) does meet the criteria at a given time or 2) does not. Additionally, they should not be “bogging down” non-technical consumers with jargon.  Another complication in labelling software can be seen in soda cans that list the number of calories per serve. Is the tool used to measure calories accurate? So there’s an explicit and implicit claim being made on soda cans. NIST recommended software labels should cover both explicit and implicit claims.These include both descriptive claims and security software development claims. Descriptive claims cover whether the labelled software is still receiving security patches and how these are delivered to consumers. Also, what body stands behind the claims, and when the claim was made.On the secure development side, NIST leaned on its own NIST Secure Software Development Framework (SSDF) as the basis for industry best practice. It’s a non-prescriptive document, but it “identifies common practices that are represented in, and mapped to, existing formalized industry guidance.”      “Our recommendations encourage scheme owners to express development requirements by way of the SSDF while also identifying specific elements that signal that industry best practices have been employed,” explains Ogata. Katerina Megas, a program manager for NIST’s Cybersecurity for IoT program, offers a snapshot on how complicated it would be to create cybersecurity labels for IoT devices. After surveying other labelling schemes around the world, Megan says her team was reassured that there seemed to be a developing “general consensus” that IoT products include not just the device but also its supporting software, such as a smartphone app or hardware such as a controller device.Megas says the group took a risk-based view of the question of baseline security with “risk being both contextual (based on specific use) as well as on the unique nature of IoT products being capable of interacting with the physical world by collecting data or effecting changes without human intervention.” NIST guidelines also acknowledged “no-one-size-fits-all when it comes to IoT.” NIST appears to prefer the market leads in creating a baseline rather than having hard rules handed down to manufacturers.  “Allowing for a marketplace of standards, programs, and schemes to evolve would permit the market to drive how best to achieve the desired outcomes and offer the flexibility to suit a variety of stakeholders’ needs. Doing so also would accommodate, and not hinder, a rapidly evolving technology landscape,” writes Megas. More

Cybercriminals are getting spooked by the sudden disappearance of a number of prominent dark web marketplaces, leading some to wonder if time is up on their illegal, underground activities.Cybersecurity researchers at Digital Shadows have analysed activity on carding forums – dark web marketplaces where criminals buy and sell stolen credit card information and other personal data – and discovered that clients are despondent, following a series seizures and forums going dark.This comes at a time when some ransomware affiliates have been getting worried after action targeting REvil and other ransomware groups.On January 2022, a message appeared on a prominent carding forum stating that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation”. In a joint cooperation with US agencies, Russia’s Federal Security Service (FSB) identified alleged members of hacking group “The Infraud Organization,” including someone who served as administrator for the forum.A few days later, it was announced that six more suspects had been arrested on charges linked to selling stolen credit card information, and the same seizure notice appeared on more carding forums.SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happenedOther forums appear to have voluntarily gone on a temporary hiatus in what could be an effort to avoid being targeted. “Due to recent events, we are going on vacation for 2 weeks,” said the admins of one carding site, adding: “Thank you for understanding! We’ll be back soon, so don’t worry!” The marketplace hasn’t returned and the ability to get refunds has been cancelled.

One prominent dark web carding market that had been active for almost a decade has also recently shut down – in this case, the operators claimed they were retiring, having made enough money.But the shutdowns and disappearances appear to be having an impact on some users, who are starting to get worried.One described it as “most scary moment in the carding history” and a “nightmare for people involved in this business”. Another suggested that “at this tempo there won’t be a Russian darknet by the end of the year.” Others are more confident that the string of shutdowns is a temporary blip and that, as previously, other marketplaces will rise up to fill the void. “Some partial restore will happen in some days or weeks,” said one user. Others suggest that the future of carding will move to other platforms, like Telegram – although not all users trust the instant messaging service.The shutdowns have led to discussions about operational security, as some forum members fear they could also be arrested. “Hard times have come. Take care of yourself and remember your safety,” said one user. “EVERYTHING has changed, go on vacation!” warned another.Shutdowns and takedowns make engaging in cybercriminal activity more difficult, but there’s likely always to be some who will continue on, viewing the risk as worthwhile because of the money that can be made.”It seems unlikely that cybercriminals will do as some forum users joked and go to work in the ‘factories,'” Digital Shadows researchers said. “We saw one threat actor commenting that, although now would be a ‘great time’ if ‘someone has long wanted to retire,’ the carding world would ‘be ok for the rest of the hard workers.'”MORE ON CYBERSECURITY More