    $30 million stolen from Grim Finance, audit firm blames new hire for vulnerability

    DeFi protocol Grim Finance said about $30 million was stolen this weekend by hackers exploiting a vulnerability in their platform. In a statement posted to Twitter on Saturday, Grim Finance said “an advanced attack” was taking place and initially paused all vaults to prevent more attacks. 

    “The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk,” the company explained on Saturday night. “We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.”

    Solidity Finance, a DeFi auditing firm, released an apology for missing the vulnerability that led to the incident. They audited Grim Finance just four months ago. The company said the cause of the issue was “the ability of users to input arbitrary addresses and have them called within the depositFor function.”

    “Via reentrancy, the issue allowed users to falsely increase their shares in Grim’s vaults and subsequently withdraw more than they had deposited,” Solidity Finance wrote on their website before linking to a longer Twitter thread where they said a new analyst missed the vulnerability while their CTO was on vacation. “This audit was performed by an analyst who was new to the team… unfortunately this issue was not caught in our peer review process.”

    The thread goes on to explain the technical details of the attack and said the code that was exploited was present in multiple vaults, resulting in a loss of funds across the platform’s vaults.

    Some DeFi security experts noted that having a before-after pattern without reentrancy guard “is a big no-no.” RugDoc.io explained that a “before-after pattern is a section of code that checks the vault balance before and after your deposit to figure out how much was actually received by the vault.”

    “This helps with transfer-tax tokens where the amount sent does not equal the amount received. However, what happens if we can do a second deposit while the first deposit is still ongoing?” RugDoc.io wrote, adding that Grim Finance did not have a “reentrancy guard on a pattern that absolutely needs it” and gave users more privilege than is necessary.

    Solidity Finance said they regularly recommend fixing the issue but it “slipped through” their process while they were “overwhelmed and onboarding new analysts in August.” They have scanned all of their earlier audits and confirmed that Grim Finance had the only codebase where the vulnerability was present. Of the 900 audits they’ve done, Grim becomes the second exploit that they have missed, according to their records.

    The attack on Grim Finance adds to a whirlwind year for DeFi hacks. Last week, more than $77 million was stolen from AscendEX. Days before that, blockchain gaming company Vulcan Forged said around $140 million had been stolen from their users. Crypto trading platform BitMart suffered from a devastating attack that caused about $200 million in losses. Just last month, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform.

    The Record and Comparitech keep running tallies of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, EasyFi, bZx, and many other platforms.
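
The before-after accounting that RugDoc.io describes can be modelled in a few lines. The Python below is an added illustration, not Grim Finance's contract code: the `Token`, `CallbackToken` and `Vault` classes and the `run` helper are hypothetical names, and the model only shows why share accounting breaks when a deposit can be re-entered and how a reentrancy guard restores the invariant that shares minted equal assets received.

```python
"""Toy model of a vault's before-after deposit accounting (constructed example)."""


class Token:
    """Minimal fungible-token ledger."""

    def __init__(self):
        self.balances = {}

    def balance_of(self, owner):
        return self.balances.get(owner, 0)

    def transfer_from(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount


class CallbackToken:
    """Stands in for a caller-supplied address: its transfer moves nothing
    and instead re-enters the vault while the outer deposit is unfinished."""

    def __init__(self, vault, real_token, hops):
        self.vault, self.real_token, self.hops = vault, real_token, hops

    def transfer_from(self, sender, recipient, amount):
        self.hops -= 1
        # Only the innermost nested deposit moves the real asset.
        next_token = self if self.hops > 0 else self.real_token
        self.vault.deposit_for(next_token, amount, sender)


class Vault:
    """Mints shares for whatever its balance grew by during the deposit."""

    def __init__(self, want, guarded):
        self.want = want          # the asset the vault actually holds
        self.guarded = guarded    # True enables the reentrancy guard
        self.shares = {}
        self._entered = False

    def deposit_for(self, token, amount, user):
        if self.guarded:
            if self._entered:
                raise RuntimeError("reentrant call rejected")
            self._entered = True
        try:
            before = self.want.balance_of(self)
            token.transfer_from(user, self, amount)  # external call
            after = self.want.balance_of(self)
            # Before-after pattern: every open frame sees the same growth.
            self.shares[user] = self.shares.get(user, 0) + (after - before)
        finally:
            if self.guarded:
                self._entered = False


def run(guarded, hops, amount=100):
    """Return (shares minted to the user, assets actually held by the vault).
    hops=0 is an ordinary deposit; hops>0 nests that many callbacks."""
    want = Token()
    want.balances["user"] = amount
    vault = Vault(want, guarded)
    token = want if hops == 0 else CallbackToken(vault, want, hops)
    try:
        vault.deposit_for(token, amount, "user")
    except RuntimeError:
        pass  # guard tripped: the whole deposit reverts, nothing is minted
    return vault.shares.get("user", 0), want.balance_of(vault)


if __name__ == "__main__":
    for guarded in (False, True):
        for hops in (0, 3):
            print(f"guarded={guarded} hops={hops} ->", run(guarded, hops))
```

An auditor's check falls out of the return value: whenever the first number exceeds the second, the vault has issued claims on assets it never received.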

    Ruled by algorithms, gig workers remain powerless against automated decision-making

    Gig workers are being denied access to their personal data outright and are unable to challenge the outcome of automated decision-making systems
    “Weakly enforced” data protection laws have resulted in “woefully inadequate levels of transparency” around the use of algorithmic surveillance and decision-making systems in the gig economy, according to a report.

    A study published by the Worker Info Exchange (WIE), a campaign group advocating workers’ rights to the data held on them by employers, warned that gig workers were being subjected to unfair profiling and discrimination by automated systems that aimed to “maintain exploitative power” over them.

    The report, titled Managed by Bots: Data-Driven Exploitation in the Gig Economy, found that gig workers were routinely denied access to personal data held on them by companies that use machine-learning tools to allocate work and manage employees.

    WIE also accused platform employers of withholding performance and surveillance data “behind the label of anti-fraud prevention” and exploiting current data protection laws to “rubber-stamp unfair machine-made decisions” – leaving gig workers powerless to challenge them.

    “Platform companies are operating in a space where they believe they can make the rules,” said Bama Athreya, Fellow at the Open Society Foundations. “Unfortunately, this isn’t a game; virtual realities have harsh consequences for gig workers in real life.”

    WIE’s report comes on the back of growing concerns about the prevalence of algorithmic surveillance and decision-making technologies in the workplace, particularly since the start of the COVID pandemic.

    A November 2021 study by workers union Prospect found that a third of employees reported being subjected to some form of monitoring by their employers. Electronic monitoring and surveillance systems were also the subjects of a report by the European Commission’s Joint Research Council (JRC), which warned of significant “psycho-social risks” to gig workers who were routinely subjected to automated decision-making and surveillance.

    Kirstie Ball, the University of St Andrews professor who authored the report, said excessive and intrusive monitoring also threatened to erode employer-employee relationships unless workers were granted greater insight into how their data was used and human agents played a greater role in overseeing machine-made decisions.

    WIE’s report said platform companies often used legal loopholes to excuse them from meeting certain employer obligations or paying tax or national insurance contributions. This has allowed many of these companies to become industry disruptors by enabling them to “rapidly scale and build competitive advantage from an excess supply of unpaid and underpaid workers who wait for work, while depressing their own wages.”

    Potential changes to the UK’s compliance with Europe’s general data protection regulation (GDPR), which would give employers more discretion over how they respond to data access requests and lessen their obligation to prepare data protection impact assessments around the processing of sensitive data, also present “a hammer-blow” to gig workers’ employment rights.

    “In the UK, these already weak digital rights for workers will be fatally compromised if the government’s proposals on GDPR divergence are passed into law,” said the report.

    “All of these problems are aggravated by the failure of platforms to respect the digital rights of workers. Our report shows woefully inadequate levels of transparency about the extent of algorithmic management and automated decision making workers are subject to in the gig economy.”

    Getting their cases through the courts presents another challenge to gig workers, the report said. As a result, wider recognition of the issues presented by the gig economy – specifically at government level – is lacking. “Even where worker rights have been asserted, such as in the UK, there has been no wider enforcement by the government. This leaves workers with few alternatives to litigation, if they have the resources to do so,” the report said.

    “That is why workers must improve their bargaining power through organising and collective action. The ability of workers therefore to access and pool their data is a powerful force in organising yet to be properly tapped.”


    Scammers grabbed $7.7 billion worth of cryptocurrency in 2021, say researchers

    Cryptocurrency-based scammers and cyber criminals netted a whopping $7.7 billion worth of cryptocurrency from victims in 2021, marking an 81% rise in losses compared to 2020, according to blockchain analysis firm, Chainalysis.  Some $1.1 billion of the $7.7 billion in losses were attributed to a single scheme which allegedly targeted Russia and Ukraine, it said. 

    “As the largest form of cryptocurrency-based crime and one uniquely targeted toward new users, scamming poses one of the biggest threats to cryptocurrency’s continued adoption,” said Chainalysis.

    At the same time though, the number of deposits to scam addresses fell from just under 10.7 million to 4.1 million, which it said could mean there were fewer individual scam victims – but they are losing more.

    A major source of rising cryptocurrency losses in 2021 were so-called “rug pulls”, where the developers of a new cryptocurrency vanish and take supporters’ funds with them. Rug pulls accounted for 37% of all cryptocurrency scam revenue in 2021, totaling $2.8 billion – up from just 1% in 2020.

    “Rug pulls are prevalent in DeFi because with the right technical know-how, it’s cheap and easy to create new tokens on the Ethereum blockchain or others and get them listed on decentralized exchanges (DEXes) without a code audit,” it warned.

    The characteristics of the investment scam networks are changing. Chainalysis found that the number of active financial scams rose from 2,052 in 2020 to 3,300, while their individual lifespan has decreased from over 500 days in 2016 to 291 days in 2020 and just 70 days in 2021.

    “Previously, these scams may have been able to continue operating for longer. As scammers become aware of these actions, they may feel more pressure to close up shop before drawing the attention of regulators and law enforcement,” it said.

    Unsurprisingly, scams also increase in line with the rise in value of popular cryptocurrencies such as Ethereum and Bitcoin, although that link may have been broken in the last year.

    Chainalysis notes: “The most important takeaway is to avoid new tokens that haven’t undergone a code audit. Code audits are a process through which a third-party firm analyzes the code of the smart contract behind a new token or other DeFi project, and publicly confirms that the contract’s governance rules are iron clad and contain no mechanisms that would allow for the developers to make off with investors’ funds.”

    It added: “Investors may also want to be wary of tokens that lack the public-facing materials one would expect from a legitimate project, such as a website or white paper, as well as tokens created by individuals not using their real names.”

    Services Australia rejects senator request for details of Cellebrite contract

    Services Australia has rejected a senator’s request to disclose its contract with Cellebrite for the company to provide technology to help prevent criminal activity. Cellebrite, an Israeli digital intelligence company, is best known for its controversial phone-cracking technology, which it previously claimed could download most data from almost any device on behalf of government agencies.

    During Senate Estimates in October, Greens Senator Janet Rice had asked Services Australia various questions about the agency’s decision to procure vendor services from Cellebrite, with a request to see a copy of the Cellebrite contract being among them. Services Australia at the time took that request on notice.

    Rice had also asked about the scope of Services Australia’s usage of the Cellebrite technology, which Services Australia acting-deputy CEO of payments and integrity Chris Birrer said has only been used in fraud and identity theft cases, such as when people have falsely claimed the government disaster relief payments, uploaded false information to commit fraud, and stolen the identities of actual customers to hijack payments. Birrer added that his agency does not deploy these capabilities in relation to any general payment accuracy compliance activities.

    In providing a response to Rice’s request for the Cellebrite contract to be disclosed, Services Australia said disclosure of the requested documents would be contrary to the public interest as it would prejudice its criminal intelligence and investigation functions, and not be consistent with the agency’s commercial interests.

    “Specifically, disclosure of the agency’s lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of breaches or evasions of the law would, or would be reasonably likely to, undermine the effectiveness of those methods or procedures,” Services Australia said in its response. “Disclosure would also reveal commercially sensitive information provided to the agency in confidence by Cellebrite, potentially causing the agency to be in breach of its contractual obligations, and commercially disadvantaging the Cellebrite in the marketplace.”

    Social Services hires Deloitte to assess Cashless Debit Card efficacy

    As part of the responses to Senate Estimate questions taken on notice, Rice and Labor Senator Malarndirri McCarthy also received responses from the Department of Social Services about its progress in analysing the efficacy of the Cashless Debit Card program (CDC). The CDC, which kicked off in 2016 as a trial, governs how some individuals in receipt of welfare spend their money, with the idea behind the program being to both prevent the sale of alcohol, cigarettes, and some gift cards and block the funds from being used on activities such as gambling.

    The program has repeatedly been labelled as racist by the Opposition as it has disproportionately impacted Indigenous Australians. Labor Senators have also said there is no evidence that compulsory, broad-based income management actually works.

    In one of the responses, Social Services revealed most of its advertising of the CDC program in the Northern Territory, which is where most of the program trials have taken place, was put towards ads on 13 Indigenous radio stations, while only three regional and two national/metro radio stations received ads, respectively.

    To address concerns about the CDC’s efficacy, Social Services also revealed in responses to questions on notice that it has paid Deloitte AU$675,000 to undertake data repository services of the CDC program. This will entail analysing CDC data to provide a more complete evidence base of the program’s success and inform policy decisions for the future of the program. The department said the data that will be considered relates to changes in social harm and a range of data relating to social security, drug and alcohol use, gambling, financial management, child protection, police records relating to drug and alcohol-related crime, domestic violence hospital admissions, employment and training, and education data.

    The procurement of Deloitte’s services follows the Australian National Audit Office (ANAO) announcing last month it would commence a follow-up audit into the effectiveness of the CDC program. The federal auditor is conducting another audit as Social Services did not have an adequate program for monitoring and evaluating the CDC program’s effectiveness, which meant it was difficult to conclude whether the program helped reduce social harm or whether the card was a lower cost welfare quarantining approach.

    At the moment, CDC card providers like Indue are being paid AU$1,100 per participant in the program. In total, the federal government has paid AU$70 million to Indue since the program commenced.

    Singapore holds emergency meetings with CII sectors over Log4j

    Singapore has held emergency meetings with critical information infrastructure (CII) sectors to prepare them for potential threats stemming from the Log4j vulnerability. The country’s cybersecurity agency has issued alerts on the Apache Java logging library flaw and is “closely monitoring” developments.  The first alert had gone out on Dec 14, with Singapore’s Cyber Security Agency (CSA) warning that the “critical vulnerability”, when exploited successfully, could allow attackers to gain full control of affected servers. It noted that there was only a short window to deploy mitigation measures and organisations should do so quickly.  It said alerts were sent out to CII sector leads and businesses, instructing them to immediately patch their systems to the latest version. The government agency also was working with these CII representatives to roll out mitigation measures. 

    Singapore’s cybersecurity bill covers 11 critical information infrastructure (CII) sectors, which enables the relevant local authorities to take proactive measures to protect these CIIs. The bill outlines a regulatory framework that formalises the duties of CII providers in securing systems under their responsibility, including before and after a cybersecurity incident had occurred. These 11 “essential services” sectors include water, healthcare, energy, banking and finance, and aviation. No reports of Log4j-related breaches had been reported at the time when CSA issued its December 14 alert.  CSA on Friday issued another update, raising the alert on the security flaw. It noted that because Log4j was widely used by software developers, the vulnerability could have “very serious consequences”.  “The situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems,” the government agency said. “There have been two emergency meetings by CSA with all the CII sector leads to issue directions and technical details and heighten monitoring for unusual activities.”

    A briefing session also was held on Friday with trade associations and chambers to highlight the severity of the Log4j vulnerability and urgency for all organisations, including small and midsize businesses (SMBs), to immediately deploy mitigation measures.

    In its advisory on dealing with the library flaw, Singapore CERT cautioned that some previous stop-gap measures were no longer recommended as they were determined to be insufficient. These included configuring the system property to true or modifying the logging configuration to disable message lookups.

    Users who were unable to upgrade to versions 2.16.0 or 2.12.2 (for Java 8 and Java 7, respectively) should disable lookups by removing the JndiLookup class from the log4j-core jar file, SingCERT advised.

    It added that users of products with Log4j should implement the latest patch, especially those using Apache Log4j with affected versions between 2.0 and 2.14.1. They also should beef up monitoring for unusual activities and review their system logs.

    Software developers that tapped Log4j in their products should identify and develop patches for affected products as well as notify users of these products to prioritise the deployment of software updates.

    CSA said it was in contact with other international agencies and computer emergency response teams (CERTs) of Asean member states, to share information on the latest developments on Log4j. It urged organisations affected by the vulnerability to report to SingCERT should they uncover evidence of any compromise.

    The US Cybersecurity and Infrastructure Security Agency on Friday also sent out an emergency directive, requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for Apache Log4j vulnerabilities.
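
SingCERT's fallback of removing the JndiLookup class only helps if every bundled copy of log4j-core is found. The Python below is an added example, not SingCERT or Apache tooling: it walks an archive, including jars nested inside fat jars, and reports each log4j-core copy with its version and whether the class is still present. The entry paths assume log4j-core's standard Maven layout, and the sample archive is constructed in memory.

```python
import io
import re
import zipfile

# Entry paths assume the standard layout of the published log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data, label="<root>", findings=None):
    """Recursively inspect an archive held in memory and list every
    log4j-core copy, including ones nested inside other archives."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; nothing to report
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = match.group(1).strip() if match else None
            findings.append({
                "archive": label,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        # Fat jars and WARs carry dependencies as nested archives.
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings


def _make_jar(entries):
    """Build a zip archive in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_app():
    """Constructed sample: a fat jar bundling one untouched log4j-core and
    one copy from which the JndiLookup class has already been removed."""
    untouched = _make_jar({
        POM_PROPS: "version=2.14.1\n",
        JNDI_CLASS: b"\xca\xfe\xba\xbe",  # placeholder bytes, not a real class
    })
    stripped = _make_jar({POM_PROPS: "version=2.14.1\n"})
    return _make_jar({
        "BOOT-INF/lib/log4j-core-2.14.1.jar": untouched,
        "BOOT-INF/lib/vendored-logging.jar": stripped,
        "BOOT-INF/classes/app.properties": "name=demo\n",
    })


if __name__ == "__main__":
    for finding in scan_archive(build_sample_app(), "app.jar"):
        print(finding)
```

Copies whose classes were relocated to another package by a shading plugin will not match these paths and need a separate search.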

    Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability

    Apache has released version 2.17.0 of the patch for Log4j after discovering issues with their previous release, which came out on Tuesday. Apache said version 2.16 “does not always protect from infinite recursion in lookup evaluation” and explained that it is vulnerable to CVE-2021-45105, a denial of service vulnerability. They said the severity is “high” and gave it a CVSS score of 7.5.

    “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack,” Apache explained.

    They added that the latest issue was discovered by Akamai Technologies’ Hideki Okamoto and an anonymous vulnerability researcher.

    Mitigations include applying the 2.17.0 patch and replacing Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) in PatternLayout in the logging configuration. Apache also suggested removing references to Context Lookups in the configuration like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

    They noted that only the Log4j-core JAR file is impacted by CVE-2021-45105. On Friday, security researchers online began tweeting about potential issues with 2.16.0, with some identifying the denial of service vulnerability.
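
The configuration-side mitigation can be checked mechanically. The Python below is an added example, not Apache's tooling: it parses a Log4j2 XML configuration, flags every PatternLayout pattern that uses a Context Lookup, and proposes the equivalent Thread Context Map pattern. The sample configuration and the `audit_config` name are constructed for illustration, and it assumes the XML file comes from your own deployment.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and $${ctx:key}; the key is captured in group 1.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")

# Constructed sample configuration with two affected layouts and one clean one.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %p [$${ctx:loginId}] %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="logs/audit.log">
      <PatternLayout>
        <Pattern>%d ${ctx:requestId} %X{tenant} %m%n</Pattern>
      </PatternLayout>
    </File>
    <File name="Plain" fileName="logs/app.log">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </File>
  </Appenders>
</Configuration>
"""


def _key(match):
    """Lookup key without any ':-default' suffix (a default needs manual review)."""
    return match.group(1).split(":-")[0]


def audit_config(xml_text):
    """Return one finding per PatternLayout pattern that uses a Context Lookup,
    with the appender name, the keys used and a %X-based replacement."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for layout in root.iter():
        if layout.tag.lower() != "patternlayout":
            continue
        # The pattern may be an attribute or a nested <Pattern> element.
        patterns = [v for k, v in layout.attrib.items() if k.lower() == "pattern"]
        patterns += [c.text or "" for c in layout if c.tag.lower() == "pattern"]
        appender = parents.get(layout)
        for pattern in patterns:
            keys = [_key(m) for m in CTX_LOOKUP.finditer(pattern)]
            if not keys:
                continue
            findings.append({
                "appender": appender.get("name") if appender is not None else None,
                "keys": keys,
                "suggested": CTX_LOOKUP.sub(lambda m: "%X{" + _key(m) + "}", pattern),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```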

    Discussion about Log4j has dominated conversation all week. CISA released multiple advisories mandating federal civilian agencies in the US apply patches before Christmas while several major tech companies like IBM, Cisco and VMware have raced to address Log4j vulnerabilities in their products.

    Security company Blumira claims to have found a new Log4j attack vector that can be exploited through the path of a listening server on a machine or local network, potentially putting an end to the assumption that the problem was limited to exposed vulnerable servers.

    Other cybersecurity firms have found that major ransomware groups like Conti are exploring ways to take advantage of the vulnerability.

    Google released a security report on Friday where Open Source Insights Team members James Wetter and Nicky Ringland said they found that 35,863 of the available Java artifacts from Maven Central depend on the affected Log4j code. This means that more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability, the two explained.

    “The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” Wetter and Ringland said.

    So far, nearly 5,000 artifacts have been patched, leaving more than 30,000 still to be fixed. But the two noted that it will be difficult to address the issue because of how deep Log4j is embedded in some products.

    “Most artifacts that depend on log4j do so indirectly. The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down),” Wetter and Ringland wrote. “These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”

    The two went on to say that after looking at all publicly disclosed critical advisories affecting Maven packages, they found less than half (48%) of the artifacts affected by a vulnerability have been fixed, meaning it may take years for the Log4j issue to be solved.

    Best cybersecurity schools and programs

    Are you a career-focused professional searching for the best cybersecurity programs? Discover several of the top colleges and universities with affordable tuition and impressive academic reputations.

    Consider college and program-specific grants, scholarships, and work-study jobs as well as education awards and other financial aid resources.

    When selecting the best programs, research each school’s accreditation, recruitment and enrollment efforts, and full-time and part-time graduation and retention rates, along with online degree options.

    Best cybersecurity schools and programs

    The data for this list was collected from the Integrated Postsecondary Education Data System and College Scorecard datasets.

    While several schools achieved high rankings, the following list draws from a subset of top-rated, regionally accredited schools and historically Black colleges and universities. Rankings were based on many factors such as computer science scholarships, online cybersecurity degree options, and affordable tuition and fees.

    Several top-rated colleges and universities have been listed. The data is accurate as of time of publication. Prior to enrollment, prospective students are encouraged to check the school’s websites and terms and conditions.

    1. Bentley University
    Bentley University’s cybersecurity risk management certificate offers students and working professionals experience in information security. Prospective students can earn a CompTIA, ISACA, Cloud Security Alliance, or (ISC)2 certification. Students pay $9,900 for the certificate program and prepare for certification exams. The university ranks first for career services and promotes diversity-related initiatives.

    2. Bowie State University
    Bowie State University offers a graduate certificate, bachelor’s, and advanced computer science degrees with a cybersecurity specialization. Students may earn a computer technology bachelor’s degree in alpha and beta testing, cloud computing, and other related specializations. The university is recognized as a National Center of Academic Excellence in Cyber Defense Education and a top five institution for African American technology graduates.

    3. Butler University
    Butler University offers students and working professionals a four-module cyber risk management certificate. This self-paced program is $1,995 and may be completed in 3 to 10 hours. Students will gain program-specific experience in understanding pure risk and cyber risk, identifying third party errors and omissions, and interpreting cyber risk insurance policies along with other relevant industry skills.

    4. Carroll College
    Carroll College offers a free, online three-stage cyber fast track program in cybersecurity in which students gain in-depth, foundational knowledge of cybersecurity. Once mastered, students proceed with master forensics, intrusion detection, and security operations along with system and network penetration testing and application testing. The college awards three Women in Cybersecurity Scholarships to undergraduate and graduate students.

    5. Champlain College Online
    Champlain College offers students an online cybersecurity bachelor’s degree. The program is 120 credit hours and entirely online. Students commit 10 to 17 hours of course study. The university is recognized as a National Center of Academic Excellence in Cyber Defense Education. The college has ranked among the most affordable online cybersecurity bachelor’s degrees.

    6. Howard University
    Howard University offers a 15 credit hour cybersecurity graduate certificate. This program includes both computer science and engineering coursework. Students complete a year-long cybersecurity course, two technical courses, and a capstone project. Students may select database systems and security, wireless network security, or advanced operating systems and security to satisfy technical courses.

    7. Kennesaw State University
    Kennesaw State University offers an online cybersecurity bachelor’s and master’s degree. The 30-credit cybersecurity master’s program can be completed within a year. This program is suitable for both career changers and working professionals seeking career advancement. In 2019, the university ranked in the top 50 and 60 for business and information technology and engineering.

    8. North Carolina A&T State University
    North Carolina A&T offers an online, 12-credit hour post-baccalaureate cybersecurity certificate. Prospective students are required to take information privacy and security or advanced security applications along with a computer system security or network security course. For technical courses, students may choose from software security testing, principles of computer networking, and related computer science and technology courses.

    9. University of Illinois at Urbana-Champaign
    The University of Illinois at Urbana-Champaign offers a three course certificate in cybersecurity. Prospective students may compete in an approved cybersecurity competition, serve as an undergraduate researcher, or participate in the Illinois Cyber Security Scholars Program to meet the extracurricular requirement. While completing the certificate program, students attend an Information Trust Institute certificate program meeting.

    10. Virginia Tech
    Virginia Tech offers an online, 12-week cyber bootcamp. Prospective students may enroll in the computer engineering bachelor’s program with a cyber operations track, cybersecurity management and analytics business degree, or computer engineering major in networks and cybersecurity program. The university offers a Cybercorps Scholarship for Service and master’s programs with cybersecurity tracks.

    Log4j: Conti ransomware attacking VMware servers and TellYouThePass ransomware hits China

    Researchers with security firm Advanced Intelligence have discovered the Conti ransomware group exploiting VMware vCenter Server instances through the Log4j vulnerabilities. In a report on Friday, the security company said it discovered multiple members of Conti discussing ways to take advantage of the Log4j issue, making them the first sophisticated ransomware group spotted trying to weaponize the vulnerability. AdvIntel said the current exploitation “led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit.” “Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions,” the researchers said. They noted that their research of ransomware logs shows Conti made over $150 million in the last six months. AdvIntel laid out a timeline of events for Conti’s interest in Log4j starting on November 1, when the group sought to find new attack vectors. Throughout November, Conti redesigned its infrastructure as it sought to expand and by December 12, they identified Log4Shell as a possibility. By December 15, they began actively targeting vCenter networks for lateral movement. 
    In a statement, VMware said it issued a security advisory containing fixes for the 40 products it sells that are vulnerable to the Log4J issue, including vCenter. In the advisory, the company confirmed exploitation attempts in the wild.

    “Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j,” VMware said.

    AdvIntel added that it is only a matter of time until Conti and other groups will begin exploiting Log4j to its full capacity. Khonsari was the first ransomware group to begin targeting Log4j but was considered lower grade and did not even have a viable ransom note, leading some to consider it simply a wiper.

    Researchers in China have identified the TellYouThePass ransomware being used in attacks against Windows and Linux devices using the Log4j issue.

    Recorded Future ransomware expert Allan Liska said the most recent news about different ransomware groups exploring exploitation of Log4j lined up with what he is seeing.

    “IABs working with Conti have started scanning for Log4Shell and likely have exploited victims. BUT we have not seen any evidence of a successful ransomware attack resulting from these scans yet. Doesn’t mean it hasn’t happened, just we haven’t seen it,” Liska said.