More stories


    T-Mobile says hackers accessed user data but won't confirm SSN breach of 100 million customers

    T-Mobile is looking into allegations that a hacker stole 106GB of data containing the social security numbers, names, addresses and driver’s license information for more than 100 million people.

    In a statement to ZDNet, T-Mobile said it is “aware of claims made in an underground forum and have been actively investigating their validity.” Teams at T-Mobile have been “working around the clock” to investigate the situation, a spokesperson told ZDNet, adding that they have hired digital forensic experts and contacted law enforcement. “We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the spokesperson said. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others. We understand that customers will have questions and concerns, and resolving those is critically important to us.”

    A reporter at Motherboard spoke to the hacker, who said they had stolen the data from T-Mobile servers and that the batch also included unique International Mobile Equipment Identity (IMEI) numbers. Motherboard confirmed that the data was from real T-Mobile customers. The hacker told Motherboard that T-Mobile has already kicked them out of the breached servers but noted that copies of the data had already been made. On an underground forum, the hacker is selling a sample of the data with 30 million social security numbers and driver licenses for 6 Bitcoin, according to Motherboard and Bleeping Computer. Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, also spoke to the hacker and wrote on Twitter that he was told about other motives for the attack.

    “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019,” the hacker allegedly told Gal. “We did it to harm US infrastructure.”

    Binns filed a lawsuit against the FBI, CIA and Justice Department in November where he said he was being investigated for various cybercrimes, including participation in the Satori botnet conspiracy. He is a US citizen but lived in Izmir, Turkey and claimed he had been tortured and spied on for being an alleged member of the Islamic State militant group. He denied being a member of the group in his lawsuit.

    The unnamed hacker later spoke to Bleeping Computer to say that they gained access to T-Mobile’s systems through “production, staging, and development servers two weeks ago.” They also hacked into an Oracle database server that had customer data inside.

    To prove it was real, the attackers shared a screenshot of their SSH connection to a production server running Oracle with reporters from Bleeping Computer. They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet.

    T-Mobile has been hacked multiple times over the last few years. In January they announced their fourth data breach in three years after incidents in August 2018, November 2019, and March 2020.


    Data privacy laws by state

    [This article was first published in September 2020.]

    The more connected we become, the more data we will continue to share. Think about how often you access the internet and input or view sensitive information. From accessing health care information to paying bills online to even tagging your location on social media, you’re sharing information that can be collected.

    According to a recent study, 47% of Americans were not sure they understood what was done with their personal information and 59% were confused by the privacy policy presented by companies. In a time when our lives are so heavily entwined with the internet, knowing what’s done with the data you share is critical.

    Why it matters

    Landmark security breaches remind us how vulnerable our data really is. Equifax, one of the top three credit reporting agencies, disclosed a data breach in September of 2017. Information like social security numbers, names, addresses, and driver’s license numbers were compromised for 147 million people, along with 209,000 customer credit card numbers. Given the severity and importance of the information leaked, the Equifax breach is regarded as unprecedented in impact. The settlement reached with the Federal Trade Commission amounted to $425 million to be paid out to help people who were affected.

    Facebook has experienced a series of security breaches, which has resulted in federal investigation. In 2019, the user data of 540 million Facebook users was exposed on Amazon’s cloud computing services. It was revealed that Facebook partnered with more than 150 companies to share personal information of the hundreds of millions of people who use the social media platform. Users were not aware of this exchange. In a focus group conducted by the Pew Research Center, people spoke negatively about the consequences of sharing data and cited that companies could have an ulterior motive for collecting their data.

    Federal Laws

    U.S. Privacy Act of 1974: This act established regulations on the collection, maintenance, use, and sharing of information. It requires that agencies obtain written consent from the individual before disclosing any of their information, unless it is part of the 12 statutory exceptions. Under this act, individuals are also able to request amendments to their records.

    Federal Trade Commission Act: This act gives the Federal Trade Commission the power to protect consumers from unfair or deceptive practices taken by companies and seek monetary compensation. They also have the right to enforce federal data and privacy protections.

    Children’s Online Privacy Protection Act (COPPA): COPPA prohibits the collection of data from anyone under the age of 13 without obtaining verifiable parental consent.

    Video Privacy Protection Act (VPPA): VPPA bans the disclosure of personal information or data unless the customer is aware and consents. This act includes streaming services.

    There is no single catch-all data privacy law. Instead, there is a mixture of federal and state laws that try to address the different aspects of data protection. The lack of federal laws pertaining to consumer privacy led individual states to pass their own laws protecting citizens. Even still, all-encompassing laws are not widely held. There is still a lot of ground that needs to be covered to ensure that American consumers are completely protected.

    Types of Data Privacy Laws

    Consumer privacy

    Do you ever wonder why things like Facebook or Instagram are free? You pay in privacy. These types of online services are free of monetary charge because they collect your data in exchange for their hosted services. However, 38% of surveyed Americans said that they were confused by the information presented in a privacy policy.

    As of January 2020, the California Consumer Privacy Act addresses that exact issue. This law puts pressure on companies to be transparent with their practices and gives residents the right to know what personal information has been collected, shared, or sold. Additionally, consumers have the right to delete personal information that’s already been collected and the right to opt-out of the sale of personal information. The idea of trading your personal information for a free service is better accepted when the consumer has control.

    Children’s online privacy

    One of the only inclusive data privacy laws is concerned with children’s online privacy. The Children’s Online Privacy Protection Act (COPPA) is a federal law that prohibits the collection of data from children who are under 13 years old. This means that parents have control over the information the companies can have and can request that any collected data be deleted.

    In February 2019, TikTok paid $5.7 million to the FTC over concerns that the video app was in violation of COPPA. In the largest children’s privacy civil penalty to date, TikTok was accused of illegally collecting personal information from children without parental consent. In addition to the substantial settlement, TikTok was required to update its practices and remove all videos that are made by children under the age of 13. TikTok is only one example; Google and YouTube have also been investigated by the FTC.

    E-reader

    There are only a handful of states that have laws governing consumer privacy when it comes to e-readers. These laws prohibit entities from collecting or sharing information regarding the type of material being rented or bought using the e-reader. Within the states that have laws pertaining to e-readers, most have focused on information that can be gathered by public entities like libraries. However, efforts are being made to protect the privacy of the content people choose to read on their electronic devices. The Electronic Frontier Foundation took the time to comb through the popular e-book platforms’ privacy policies to give you the answers you’ve been searching for.

    Online services

    Consumers are seeing changes when it comes to online services and privacy data. Companies are now more transparent when it comes to their efforts in collecting information about your browsing habits, whether in a good-faith effort to keep their consumers’ trust or because of the laws that require it. Additionally, approximately 86% of internet users have taken steps to maintain their online privacy. Clearing cookies, using a virtual private network and encrypting their email are some of the actions taken. Still, 61% say that they would like to do more to protect themselves.

    Information sharing by business

    While businesses collecting and sharing your information is nothing new, recent changes require that companies clearly inform you of what their intentions are when collecting that information. The reason why a company collects your data will vary, though generally companies use it to improve customer experience, assess their marketing strategy, or make money. The relationship around data privacy is a give and take between consumers and data collectors. Businesses must be held accountable for the data privacy methods they have in place and be transparent about how they use the data they harvest. It’s also imperative that consumers know their rights and their ability to impact how companies collect and use their information.

    Notice when recording phone calls

    Generally, the biggest concern when recording phone calls is consent. Many states are one-party consent states, meaning that phone calls can be recorded as long as one person consents. But what is considered consent? Think about when you call a customer service line and hear the ever-identifiable “this call may be monitored or recorded…” message. When a caller continues with the call, many states take that as implied consent.

    There are 11 states that require both parties to consent to the recording: California, Delaware, Florida, Illinois, Maryland, Montana, Nevada, New Hampshire, Pennsylvania and Washington. Regardless of which law a state follows, there are sometimes exceptions to the rules, including police recordings, court orders, and emergency services.

    Breach notification laws

    Every single state has a data breach notification law in place, although some states were slower than others to adopt one. Still, many states are actively amending their laws and expanding the definitions they hold. States like New Jersey, New York, and Oregon have broadened the scope of what is protected and established what regulations they impose on companies. Breach notification laws require that companies notify consumers of any data breaches involving personal or otherwise identifying information. Each law has a specified time frame in which action needs to be taken.

    Data disposal

    Data disposal laws are concerned with what happens to your information when the company no longer wants to store it. To prevent unauthorized access, both government and private agencies are required to destroy or make indecipherable the information in consumer reports. The Federal Trade Commission has issued a disposal rule that outlines what the rule applies to and what constitutes proper disposal. Proper disposal of consumer records should be a part of every company’s security program.

    Understandably, the mashup of federal and state laws can be hard to navigate. This table can help you break it down.

    State | Title | Type of Law
    Alabama | SB318 | Data breach notification
    Alaska | Alaska Stat. § 45.48.010 | Data breach notification
    Alaska | Alaska Stat. § 45.48.500 | Data disposal
    Arizona | Ariz. Rev. Stat. § 41-151.22 | E-reader
    Arizona | A.R.S. §§ 18-55 | Data breach notification
    Arizona | Ariz. Rev. Stat. § 44-7601 | Data disposal
    Arkansas | Ark. Code §§ 4-110-105 | Data breach notification
    Arkansas | Ark. Code §§ 4-110-104(b) | Consumer data
    Arkansas | Ark. Code §§ 4-110-104(a) | Data disposal
    California | Cal. Civ. Code §§ 1798.100 et seq. | Consumer data
    California | Cal. Bus. & Prof. Code § 22948.20 | Consumer data
    California | Cal. Civ. Code §§ 1798.81 | Data disposal
    California | Calif. Bus. & Prof. Code §§ 22580-22582 | Children’s online privacy
    California | Cal. Ed. Code § 99122 | Online services and websites
    California | Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A) | Online services and websites
    California | Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Online services and websites
    California | Calif. Bus. & Prof. Code § 22575 | Online services and websites
    California | Cal. Civ. Code §§ 1798.83 to .84 | Information sharing
    Colorado | Colo. Rev. Stat. § 6-1-716 | Data breach notification
    Colorado | Colo. Rev. Stat. § 6-1-713 | Data disposal
    Connecticut | Conn. Gen. Stat. § 42-471 | Data disposal
    Connecticut | Conn. Gen. Stat. § 36a-701b | Data breach notification
    Delaware | Del. Code § 1204C | Children’s online privacy
    Delaware | Del. Code tit. 6, § 1206C | E-reader
    Delaware | Del. Code tit. 6 § 205C | Information sharing
    Delaware | Del. Code tit. 6 § 5002C | Data disposal
    Florida | Fla. Stat. §§ 501.171(3)-(6) | Data breach notification
    Florida | Fla. Stat. §§ 501.171(2) | Consumer data
    Florida | Fla. Stat. §§ 501.171(8) | Data disposal
    Georgia | Ga. Code §§ 10-1-910 et seq. | Data breach notification
    Georgia | Ga. Code §§ 10-15-2(b) | Data disposal
    Hawaii | Haw. Rev. Stat. § 487N-2 | Data breach notification
    Hawaii | Haw. Rev. Stat. §§ 487R-2 | Consumer data and data disposal
    Idaho | Idaho Code § 67-831 through § 67-833 | Data breach notification
    Illinois | 20 ILCS § 450 | Consumer data
    Illinois | 815 ILCS § 530/45 | Consumer data
    Illinois | 815 ILCS §§ 530/1 to 530/25 | Data breach notification
    Illinois | 815 ILCS § 530/30 | Data disposal
    Indiana | Ind. Code §§ 4-1-11 et seq. | Data breach notification
    Indiana | Ind. Code §§ 24-4-14-8 | Data disposal
    Iowa | Iowa Code §§ 71.C.1 – 715C.2 | Data breach notification
    Kansas | Kan. Stat. § 50-7a01 et seq. | Data breach notification
    Kentucky | KRS § 365.732 and KRS § 61.931 to 61.934 | Data breach notification
    Kentucky | KRS § 365.725 | Data disposal
    Louisiana | La. Rev. Stat. §§ 51:3071 et seq. | Data breach notification
    Maine | 35-A MRSA § 9301 (active 7/1/20) | Online services and websites
    Maine | Me. Rev. Stat. tit. 10 § 1346 et seq. | Data breach notification
    Maryland | Md. State Govt. Code § 10-624 (4) | Information sharing
    Maryland | Md. State Govt. Code §§ 10-1303 | Data disposal
    Maryland | Md. Code Com. Law §§ 14-3504 | Data breach notification
    Massachusetts | Mass. Gen. Laws § 93H-3 | Data breach notification
    Massachusetts | Mass. Gen. Laws § 93H-2 | Consumer data
    Massachusetts | Mass. Gen. Laws § 93I-2 | Data disposal
    Michigan | Mich. Comp. Laws §§ 445.72 | Data breach notification
    Michigan | Mich. Comp. Laws §§ 445.72a | Data disposal
    Minnesota | Minn. Stat. §§ 325M.01 to .09 | Online services and websites
    Minnesota | Minn. Stat. §§ 325E.64 | Data breach notification
    Mississippi | Miss. Code § 75-24-29 | Data breach notification
    Missouri | Mo. Rev. Stat. §§ 182.815, 182.817 | E-reader
    Missouri | Mo. Rev. Stat. § 407.1500 | Data breach notification
    Montana | Mont. Code §§ 30-14-1701 et seq. | Data breach notification
    Montana | Mont. Code §§ 30-14-1703 | Data disposal
    Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. | Data breach notification
    Nebraska | Neb. Stat. § 87-302(15) | Inaccuracies in privacy policies
    Nevada | NRS § 603A.300 | Consumer data
    Nevada | NRS § 603A.340 | Information sharing
    Nevada | SB 220 | Online services and websites
    Nevada | NRS § 205.498 | Online services and websites
    New Hampshire | N.H. Rev. Stat. §§ 359-C | Consumer data, information sharing, data breach notification, data disposal
    New Jersey | N.J. Rev. Stat. §§ 56:8-163 | Data breach notification
    New Jersey | N.J. Rev. Stat. §§ 56:8-162 | Data disposal
    New Mexico | 2017 H.B. 15, Chap. 36, Section 6 | Data breach notification
    New Mexico | 2017 H.B. 15, Chap. 36, Section 3 | Data disposal
    New Mexico | 2017 H.B. 15, Chap. 36, Section 4 | Consumer data
    New York | S5575B | Consumer data
    New York | N.Y. Gen. Bus. Law § 399-H | Data disposal
    New York | 23 NYCRR 500 | Data breach notification
    Oregon | ORS § 646.607 | Information sharing
    Oregon | SB684 | Data breach notification
    North Carolina | N.C. Gen. Stat. § 75-65 | Data breach notification
    North Carolina | N.C. Gen. Stat. § 75-65 | Data disposal
    North Dakota | N.D. Cent. Code §§ 51-30-01 et seq. | Data breach notification
    Ohio | Ohio Rev. Code §§ 1347.12 and Ohio Rev. Code §§ 1349.19 et seq. | Data breach notification
    Oklahoma | 24 OK Stat § 24-163 (2016) | Data breach notification
    Oregon | Oregon Rev. Stat. § 646A.604 | Data breach notification
    Oregon | Oregon Rev. Stat. § 646A.622 | Data disposal
    Pennsylvania | 18 Pa. C.S.A. § 4107(a)(10) | Inaccuracies in privacy policies
    Pennsylvania | 73 P.S. §§ 201-1 – 201-9.2 | Consumer data
    Rhode Island | R.I. Gen. Laws §§ 11-49.3-1 to .3-6 | Data breach notification
    Rhode Island | R.I. Gen. Laws § 6-52-2 | Data disposal
    South Carolina | S.C. Code Ann. § 30-2-40 and S.C. Code Section 30-2-20 | Consumer data
    South Carolina | S.C. Code Section 39-1-90 | Data breach notification
    South Carolina | S.C. Code Section 37-2-190 | Data disposal
    South Dakota | SD SB62 | Data breach notification
    Tennessee | Tenn. Code §§ 47-18-2107 | Consumer data
    Tennessee | Tenn. Code §§ 8-4-119 | Data breach notification
    Tennessee | Tenn. Code § 39-14-150(g) | Data disposal
    Texas | Tex. Bus. & Com. Code § 521.053 | Data breach notification
    Texas | Tex. Bus. & Com. Code § 521.052(a) | Consumer data
    Texas | Tex. Bus. & Com. Code § 521.052(b) | Data disposal
    Utah | Utah Code §§ 13-37-201 to -203 | Information sharing
    Utah | Utah Code § 13-44-201(1)(a) | Consumer data
    Utah | Utah Code § 13-44-202 | Data breach notification
    Utah | Utah Code § 13-44-201(1)(b) | Data disposal
    Vermont | NRS § 603A.300 | Consumer data
    Virginia | Va. Code §§ 18.2-186.6 | Data breach notification
    Virginia | Va. Code § 59.1-442 | Information sharing
    Washington | Wash. Rev. Code §§ 19.255.010 | Data breach notification
    Washington | Wash. Rev. Code §§ 19.215.030 | Data disposal
    West Virginia | W.V. Code §§ 46A-2A-101 | Data breach notification
    Wisconsin | Wis. Stat. § 134.98 | Data breach notification
    Wisconsin | Wis. Stat. § 134.97 | Data disposal
    Wyoming | Wyo. Stat. §§ 40-12-501 et seq. | Data breach notification
    District of Columbia | D.C. Code §§ 28-3851 et seq. | Data breach notification
    Puerto Rico | 10 L.P.R.A. § 4051 | Consumer data and data breach notification

    Quick Tips to Protect Data at Home

    Possible security breaches and companies collecting your information are only one facet of data safety. Your data is also susceptible to being stolen or compromised by hackers. Thankfully, there are a number of things you can do at home to combat them. You don’t need advanced tech skills or world-class equipment; these are things you can do on your home computer.

    Security software

    Installing security software on your computer is one of the first steps you should take. Security software keeps your computer healthy and your information safe from attacks or computer viruses. Make sure you stay up to date with any and all updates of your software. It’s easy to close out the persistent pop-up box that reminds you to update, but don’t ignore it! Security software is especially important if you are regularly connected to public WiFi networks. While most in-home routers encrypt their wireless traffic, there is no way to know if the network you are connecting to is safe.

    Use a password manager

    Using the same password for everything leaves you vulnerable to potentially giving someone access to all of your information. But remembering a gaggle of passwords is no easy feat. Using a password manager is an easy way to ease the burden. Password managers are designed to generate long and complicated passwords that are less likely to be compromised. Your passwords are encrypted and can only be accessed through the master password you create. Depending on the password manager, it may offer an automatic fill feature that kicks in when you go to a page you have a saved password for.

    Back up your data

    In the event that your information is lost, compromised or stolen, backing up your data is a way to make sure all of your hard work and cherished memories are not lost. When you back up your data, you’re making a copy that is not stored on your computer. Whether you use a local storage option or the cloud, the point is to make your files unavailable to anyone else except you.

    Data encryption

    Data encryption is an essential way to keep your personal information safe. It works by taking readable text from an email or document and scrambling it into an unreadable cipher text. Encrypting your data will secure it not only on your computer, but also when it is transmitted over the internet. For the information to revert to its original form, both the sender and recipient have to have the encryption key.

    What to do After a Data Breach

    So you’ve heard on the news or received an email that there has been a breach and your data may have been affected. A security breach does not automatically mean someone is going to steal your identity. Before you panic, use these steps to help you through the process.

    1. Confirm if you were affected by the security breach

    Beware of scammers attempting to coax more information out of you with fake emails. If you receive an email that a breach has occurred, contact the company directly to confirm. Do not reply to the email.

    2. Find out what information was compromised

    What you do after a security breach may vary slightly depending on the type of company that was breached. You should tailor your response to the circumstances and to what information was stolen. If you find that you are the victim of the security breach, don’t pass up the company’s offer to help.

    3. Change your passwords

    The next important step to take is to address your personal security. Update your login information and security questions for all of your sensitive accounts, not just the ones affected by the breach. Take this time to enable two-factor authentication in your login process to add another layer of security to your accounts.

    4. Contact a credit reporting bureau to report

    To make sure you aren’t the victim of identity theft, call any of the major credit reporting bureaus and have them file a fraud alert on your name. This alert makes it harder for someone to open new accounts under your name and lasts for one year. Additionally, you may also consider putting a credit freeze on your report, which will restrict access to your credit report. Bear in mind this will require you to manually lock and unlock your credit report when filing for new lines of credit, like a rewards card or a house.

    5. Monitor all accounts closely

    Finally, after you’ve changed your passwords and placed a fraud alert in your name, the last thing to do is closely monitor your accounts for any suspicious activity. A fraud alert and credit freeze will make it harder for thieves to open new accounts, though it does not guarantee safety for the accounts they may already have access to.


    The StackSkills and Infosec4TC cyber security bundle is on sale for $80

    StackCommerce
    Don’t wait for New Year’s Day to start making major changes to your life when you can train at your own pace for an exciting, well-paid career of your choice. The StackSkills Unlimited + Infosec4TC Platinum Cyber Security Lifetime Bundle offers two modules filled with over 1,000 courses, so you are sure to find at least one that clicks. But remember, there’s no law saying you can only do one thing; multiple revenue streams are a plus.

    The StackSkills Unlimited Online Courses will teach you skills from blockchain technology to marketing, design, business, finance, and much, much more. The courses cover all levels, from beginner to advanced. And not only do you get access to the pre-selected library of over 1,000 courses, but more than 50 new classes are also added every month.

    Best of all, they are taught by over 350 of the top instructors online. They are highly rated elite experts in their fields, so they can tell you what led them to success and warn you about the factors that caused their failures. You can get certifications to pump up your resume and premium customer support. StackSkills Unlimited Online Courses delivers engaging content you can use for changing careers or making extra cash. Their impressive rating of 4.5 out of 5 stars says it all.

    The second part of the bundle is for anyone interested in cybersecurity. In a survey less than a year ago, “…cybersecurity skills cited as the most in-demand skill by more than a third (35%) of the 4,200 IT professionals surveyed.” With phishing, ransomware, and other threats becoming stronger and more frequent every day, that situation isn’t likely to change any time soon. So training at your own pace for a cybersecurity career will probably be a good use of your time.

    That’s why the Infosec4TC Cyber Security Training: Platinum Membership is such a great deal. If you need certifications to turbocharge your resume, Infosec4TC has the highest rate of students passing the exams. But if you’re looking to change careers or move up in your current job, you will get mentoring until you achieve your goal. With this Platinum Membership, you get lifetime access to over 90 existing courses and all future ones, the latest exam questions, extra materials and so much more.

    Don’t miss this chance to grab the StackSkills Unlimited + Infosec4TC Platinum Cyber Security Lifetime Bundle while it’s on sale for just $79.99.


    Microsoft 365: This new one-click button lets businesses report scam emails

    A new button and add-on for Microsoft 365/Office 365 accounts and Outlook allows employees to report scam emails directly to the UK’s National Cyber Security Centre (NCSC). The button is an upgrade to the NCSC’s existing Suspicious Email Reporting Service (SERS), which has received over 6.6 million reports since launching in April 2020. As of 30 June, NCSC had removed over 50,500 scams and 97,500 URLs.


    While email filtering systems can stop some phishing attacks from reaching staff inboxes, scammers are always looking for ways to bypass filters, for example by hosting scams on Google cloud services, creating Office 365 phishing pages, or using compromised SharePoint sites to trick victims into entering their work account credentials.

    The ‘typical’ phishing URLs that NCSC handles include links that download malware onto a work computer when staff are tricked into clicking them, cloned login pages, and emails with fake alerts about work software such as Microsoft Teams.

    “Opportunistic scams during the pandemic have demonstrated how cyber criminals constantly find new ways to target us,” said NCSC technical director Ian Levy. “The good news is that you can help protect your workplace by forwarding suspected scam emails to the Suspicious Email Reporting Service (SERS) from your work email account at the click of a button.”

    NCSC has provided guidance for admins to enable the Office 365 ‘Report Phishing’ add-in for Outlook. The Report Phishing tool is actually made by Microsoft and can be installed from Microsoft’s AppSource site. After installing the add-in, admins need to create a mail flow rule to report phishing instances to SERS. After it’s enabled, a new Report Phishing button appears in the main Outlook toolbar. For Outlook on the web, the Report Phishing button appears in the sidebar.

    “The NCSC’s Suspicious Email Reporting Service (SERS) enables the public to report suspicious emails by sending them to report@phishing.gov.uk. The SERS analyses the emails and where found to contain links to malicious sites, seeks to remove those sites from the internet to prevent the harm from spreading,” NCSC notes.

    The reports are sent to both Microsoft and the NCSC. For organizations that cannot install the Report Phishing button for Outlook, NCSC is still encouraging businesses to forward or attach scam emails and send them to report@phishing.gov.uk.


    Ethereum most popular cryptocurrency amongst Singapore investors

    Fuelled by the COVID-19 pandemic, 67% of personal investors in Singapore say they have expanded their cryptocurrency portfolio, which is more likely to include Ethereum. Some 33% in the country, though, have yet to invest in cryptocurrency, with more than half citing a lack of knowledge as the key reason. Amongst those who held cryptocurrencies, 78% said they owned Ethereum while 69% had Bitcoin and 40% carried Cardano, according to a survey released Monday that polled 4,348 respondents in Singapore, including 2,862 who said their investment portfolio currently included cryptocurrencies. The study was conducted by cryptocurrency platform Gemini, financial platform Seedly, and cryptocurrency price-monitoring site CoinMarketCap. Respondents were aged between 18 and 65, with an average household income of SG$51,968 ($38,467). Half of those who owned cryptocurrencies were 25 to 34 years old, while 19.8% were 35 and above.

    Some 67% of respondents who owned personal investment products said they had cryptocurrency in their portfolio. Amongst the remaining 33% who did not, 69% pointed to a lack of knowledge and understanding of digital assets as a barrier. Another 52% cited the market’s volatility as an obstacle, while 29% said they were uncertain how to invest in cryptocurrencies. However, 34% said they planned to purchase their first cryptocurrency in the next year. Some 76.2% would do so if the price was attractive, while 58.6% would buy cryptocurrency if it provided better investor protection.

    The majority of those who had invested in cryptocurrency, at 81%, said they did so as a long-term investment. Another 58% said they traded cryptocurrencies for profits and 43% tapped such deposits for interest gains. Across all respondents, 59% expressed interest in cryptocurrency investment as a form of decentralised finance, while 41% were keen on its potential for hedging against inflation.

    Some 64% of those who owned cryptocurrencies had at least 5% of their investment portfolio in them. This share rose to more than half of the portfolio amongst 20% of cryptocurrency holders aged between 18 and 24. Half of respondents between 35 and 44 years owned cryptocurrencies worth at least SG$10,000 ($7,402).

    In choosing a cryptocurrency exchange, 55% prioritised security while 23% said a regulated exchange or platform was their deciding factor. Another 20% based such decisions on the platform’s service fees.

    Gemini’s Asia-Pacific managing director Jeremy Ng said: “Similar to the growing momentum in the cryptocurrency industry across the world, we are seeing a growing level of investor interest in Singapore, which is encouraging. This study has underscored that barriers to entry for potential investors still remain. Engagement with, and education of, both the crypto-curious and current investors will be key to tackling the knowledge gap and ensuring that cryptocurrency is accessible to everyone in Singapore.”

    Seedly’s co-founder and CEO Kenneth Lou also pointed to growing demand for financial literacy in such investments, as cryptocurrency increasingly was “a recognised investment channel”.

    Australian cryptocurrency exchange Independent Reserve early this month said it received an “in-principle approval” letter from Singapore’s industry regulator, the Monetary Authority of Singapore (MAS), to operate as a licensed provider of digital payment token services, which include cryptocurrencies. Independent Reserve, which established its Singapore operations last year, said it was required to implement controls to ensure “proper due diligence, suitable solicitation, and adequate risk disclosure” to secure the licence as a virtual asset service provider. The exchange has more than 200,000 customers in Singapore, Australia, and New Zealand, and processes Ethereum and Bitcoin amongst other cryptocurrencies on its trading platform.

    MAS in 2019 said it was assessing plans to allow payment token derivatives, such as Bitcoin and Ethereum, to be traded on local exchanges and for such activities to be regulated. The move was aimed at addressing international investor interest in cryptocurrencies, it said. The Singapore regulator then had cautioned that payment tokens and their derivatives were not suitable for most retail investors as these tokens typically offered little or no intrinsic value, were difficult to value, and were subject to high price volatility. It advised retail investors to “exercise extreme caution” when trading in payment tokens and their derivatives.

    In a written response to parliament in April 2021, Singapore’s Senior Minister and Minister-in-charge of MAS Tharman Shanmugaratnam reiterated that cryptocurrencies were highly volatile because their value typically was not tied to economic fundamentals and, hence, were “highly risky as investment products”. Tharman noted that the risks differed when cryptocurrencies were used for payment purposes, as opposed to securities tokens, and the government’s regulatory approach would be applied accordingly. In another written response to parliament in July 2021, Tharman said MAS was in the “final stages of review” for several licence applications to operate as digital payment token service providers. Assessment criteria included the applicant’s understanding of risks relating to money laundering and financing of terrorism, he said.

    MAS in 2018 warned eight cryptocurrency exchanges against engaging in unauthorised trading, specifically those involving securities or futures contracts. It also had repeatedly cautioned the public about the risks of cryptocurrencies and urged them to understand the environment before investing in digital tokens, stressing that these were not recognised as legal tender and functioned in an unregulated environment.


    Apple to tune CSAM system to keep one-in-a-trillion false positive deactivation threshold

    Image: Apple
    When Apple announced its plans to tackle child abuse material on its operating systems last week, it said the threshold it set for false-positive account disabling would be one in a trillion per year. Some of the workings of how Apple arrived at that number were revealed in a document [PDF] that provided more detail about the system.

    The most contentious component of Cupertino’s plans was its on-device child sexual abuse material (CSAM) detection system. It will involve Apple devices matching images on the device against a list of known CSAM image hashes provided by the US National Center for Missing and Exploited Children (NCMEC) and other child safety organisations before an image is stored in iCloud. When a reporting threshold is reached, Apple will inspect metadata uploaded alongside the encrypted images in iCloud, and if the company determines it is CSAM, the user’s account will be disabled and the content handed to NCMEC in the US.

    The document states that the CSAM hashes Apple uses would be the intersection of two collections from two child safety organisations operating in different countries. “Any perceptual hashes appearing in only one participating child safety organization’s database, or only in databases from multiple agencies in a single sovereign jurisdiction, are discarded by this process, and not included in the encrypted CSAM database that Apple includes in the operating system,” the document states.

    After running the hashes against 100 million non-CSAM images, Apple found three false positives, and zero when run against a collection of adult pornography. The company said that, assuming a “worst-case” error rate of one in one million, it wanted a reporting threshold high enough to meet its one-in-a-trillion false-positive disabling target.
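    The cross-jurisdiction rule quoted above is simple to state but worth seeing as code, because it is the control that stops a single organisation (or several organisations answering to the same government) from inserting a hash on its own. The block below is an added illustration, not Apple's code or anything from the document; the organisation names, jurisdiction labels and hash values are constructed placeholders.

```python
"""Added illustration of the "intersection across sovereign jurisdictions"
rule the article attributes to Apple's CSAM database construction.
Constructed example, not Apple's implementation; all names and hash values
below are placeholders."""

from collections import defaultdict

# Constructed inputs: organisation -> (jurisdiction, set of perceptual hashes).
# "h1" .. "h6" stand in for real perceptual-hash values.
SAMPLE_DATABASES = {
    "org_A": ("country_X", {"h1", "h2", "h3", "h4"}),
    "org_B": ("country_X", {"h2", "h4", "h5"}),        # same jurisdiction as org_A
    "org_C": ("country_Y", {"h3", "h4", "h5", "h6"}),
}


def build_shipped_set(databases, min_jurisdictions=2):
    """Return the hashes vouched for by databases from at least
    `min_jurisdictions` distinct sovereign jurisdictions.

    A hash present in one organisation's list only, or only in lists from
    several organisations inside a single jurisdiction, is dropped. That is
    the property the article quotes: no single jurisdiction can add an entry.
    """
    jurisdictions_per_hash = defaultdict(set)
    for _org, (jurisdiction, hashes) in databases.items():
        for h in hashes:
            jurisdictions_per_hash[h].add(jurisdiction)
    return {h for h, js in jurisdictions_per_hash.items()
            if len(js) >= min_jurisdictions}


def dropped_hashes(databases, min_jurisdictions=2):
    """Complement of build_shipped_set over everything that was submitted,
    useful for auditing which submissions did not make it into the set."""
    submitted = set().union(*(hs for _j, hs in databases.values()))
    return submitted - build_shipped_set(databases, min_jurisdictions)


if __name__ == "__main__":
    print("shipped:", sorted(build_shipped_set(SAMPLE_DATABASES)))
    print("dropped:", sorted(dropped_hashes(SAMPLE_DATABASES)))
```

    With the constructed inputs, `h2` is dropped even though two organisations submitted it, because both sit in `country_X`; `h3` and `h5` survive with only two submitters each because those submitters are in different jurisdictions.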

    “Building in an additional safety margin by assuming that every iCloud Photo library is larger than the actual largest one, we expect to choose an initial match threshold of 30 images,” it said. “Since this initial threshold contains a drastic safety margin reflecting a worst-case assumption about real-world performance, we may change the threshold after continued empirical evaluation of NeuralHash false-positive rates — but the match threshold will never be lower than what is required to produce a one-in-one-trillion false positive rate for any given account.”

    To ensure Apple’s iCloud servers do not maintain a count of the number of positive CSAM images a user has, their device will also produce fake metadata entries, synthetic versions of what Apple calls safety vouchers. Apple said its servers will not be able to distinguish real vouchers from the fake ones until the threshold is reached.

    “The on-device matching process will, with a certain probability, replace a real safety voucher that’s being generated with a synthetic voucher that only contains noise. This probability is calibrated to ensure the total number of synthetic vouchers is proportional to the match threshold,” Apple stated. “Crucially, these synthetic vouchers are a property of each account, not of the system as a whole. For accounts below the match threshold, only the user’s device knows which vouchers are synthetic; Apple’s servers do not and cannot determine this number, and therefore cannot count the number of true positive matches.”

    Apple also confirmed the metadata would contain a low-resolution copy of the images for human inspection, and these copies are also run against the CSAM hashes. “This independent hash is chosen to reject the unlikely possibility that the match threshold was exceeded due to non-CSAM images that were adversarially perturbed to cause false NeuralHash matches against the on-device encrypted CSAM database,” Apple said. “If the CSAM finding is confirmed by this independent hash, the visual derivatives are provided to Apple human reviewers for final confirmation.”

    Cupertino said the system was designed so that a user does not need to trust Apple to know the system is “functioning as advertised”. “The threat model relies on the technical properties of the system to guard against the unlikely possibility of malicious or coerced reviewers, and in turn relies on the reviewers to guard against the possibility of technical or human errors earlier in the system,” Apple said.

    The company maintained that the human inspection process would ensure that, if non-CSAM hashes were added into the reporting set, the material would not be passed onwards out of Apple. “The reviewers are confirming one thing only: That for an account that exceeded the match threshold, the positively-matching images have visual derivatives that are CSAM,” it said. “This means that if non-CSAM images were ever inserted into the on-device perceptual CSAM hash database — inadvertently, or through coercion — there would be no effect unless Apple’s human reviewers were also informed what specific non-CSAM images they should flag (for accounts that exceed the match threshold), and were then coerced to do so.”

    The company reiterated it would refuse requests to add non-CSAM images to the dataset. “Apple will also refuse all requests to instruct human reviewers to file reports for anything other than CSAM materials for accounts that exceed the match threshold,” it stated.

    When it made the initial announcement, Apple also announced machine learning would be used within iMessage to alert parents using family sharing when child accounts have viewed or sent sexually explicit images, as well as provide warnings to the child.
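    The threshold reasoning quoted above (a worst-case per-image false match rate of one in one million, a match threshold of 30, and a one-in-a-trillion per-account target) can be checked with a short calculation. The block below is an added example and not Apple's code; it assumes, as Apple's worst-case framing implies, that false matches on innocent images are independent events, so the number of false matches in a library of n images is Binomial(n, 10^-6). The library sizes it tries are constructed values, not figures from the document, and the computation is done in log space and summed from the tail upward so that probabilities around 10^-33 survive floating point.

```python
"""Added worked example: per-account false-flag probability from a per-image
false-match rate and a match threshold. Not Apple's code. Assumes independent
per-image false matches (a modelling assumption, labelled as such)."""

import math

P_IMAGE = 1e-6       # worst-case per-image false-match rate quoted in the article
THRESHOLD = 30       # initial match threshold quoted in the article
TARGET = 1e-12       # one-in-a-trillion per-account target quoted in the article


def log_binom_pmf(n: int, k: int, p: float) -> float:
    """log P[X = k] for X ~ Binomial(n, p), in log space so that n ~ 10^6
    and k ~ 30 neither overflow the binomial coefficient nor underflow p**k."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def p_account_flagged(library_size: int, p: float = P_IMAGE,
                      threshold: int = THRESHOLD) -> float:
    """P[X >= threshold]: probability that an account holding `library_size`
    innocent images accumulates enough false matches to cross the threshold.

    The tail is summed upward from `threshold` rather than as 1 - P[X < t],
    because 1 - 0.999...9 would lose everything to cancellation. Past the
    distribution's mode the terms shrink geometrically, so summation stops
    once a term is negligible relative to the running total."""
    if library_size < threshold:
        return 0.0
    total = 0.0
    for k in range(threshold, library_size + 1):
        term = math.exp(log_binom_pmf(library_size, k, p))
        total += term
        if k > library_size * p and term < total * 1e-17:
            break
    return total


def max_library_for_target(p: float = P_IMAGE, threshold: int = THRESHOLD,
                           target: float = TARGET, step: int = 100_000) -> int:
    """Largest library size (searched upward in `step` increments) whose
    per-account false-flag probability still meets `target`. This is the
    quantity a safety margin of the kind Apple describes has to exceed."""
    n = 0
    while p_account_flagged(n + step, p, threshold) < target:
        n += step
    return n


if __name__ == "__main__":
    # Constructed library sizes, chosen to show how steeply the tail grows.
    for size in (100_000, 1_000_000, 5_000_000, 10_000_000):
        print(f"{size:>12,} images -> P[flagged] = {p_account_flagged(size):.3e}")
    print("largest library (100k steps) meeting 1e-12:", max_library_for_target())
```

    Two things the numbers make visible: at one million images the account-level probability is around 10^-33, some 21 orders of magnitude below the target, which is the "drastic safety margin" Apple refers to; and the target is breached somewhere between five and six million images, which is why the quoted promise is framed as never lowering the threshold below what the one-in-a-trillion rate requires rather than as a fixed 30 forever.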
    “For child accounts age 12 and younger, each instance of a sexually explicit image sent or received will warn the child that if they continue to view or send the image, their parents will be sent a notification. Only if the child proceeds with sending or viewing an image after this warning will the notification be sent,” Apple previously said. “For child accounts age 13-17, the child is still warned and asked if they wish to view or share a sexually explicit image, but parents are not notified.”

    In its document, Apple said the feature cannot be enabled for adult accounts, and is not enabled by default. On the issue of false positives, it said that in the case of children aged between 13 and 17, if an image is miscategorised and a child views it, they would see something that is not explicit. For those under 13, it could involve parental inspection.

    “For a child under the age of 13 whose account is opted in to the feature, and whose parents chose to receive notifications for the feature, sending the child an adversarial image or one that benignly triggers a false positive classification means that, should they decide to proceed through both warnings, they will see something that’s not sexually explicit, and a notification will be sent to their parents,” Apple said. “Because the photo that triggered the notification is preserved on the child’s device, their parents can confirm that the image was not sexually explicit.”

    Apple also said it has considered the issue of an adult being forced onto an account as a child under 13, but did not provide a resolution other than to state that declining to view the images would not cause alerts to be sent.

    “If the feature were enabled surreptitiously or maliciously — for example, in the Intimate Partner Surveillance threat model, by coercing a user to join Family Sharing with an account that is configured as belonging to a child under the age of 13 — the user would receive a warning when trying to view or send a sexually explicit image,” it said. “If they chose to proceed, they would be given a second warning letting them know that viewing the image will result in a notification being sent, and giving them another choice about whether to proceed. If they declined to proceed, neither the fact that the warnings were presented, nor the user’s decision to cancel, are sent to anyone.”


    AFP seeks upgrades to telco interception and surveillance device monitoring tool

    Image: ACT Policing
    The Australian Federal Police (AFP) has plans to enhance and upgrade its Law Enforcement Monitoring Facility (LEMF), with a big part of the process requiring a new telecommunication interception and surveillance device monitoring and collection platform.

    LEMF, the AFP explained, is an international term used to denote the transmission destination for lawfully intercepted communications and call-associated data. “Whilst the term ‘facility’ extends to the site where monitoring/recording equipment is located, this generally consists of computer infrastructure that will accept, acknowledge, store, process, and present intercepted products in compliance with international interception data exchange and standards protocols,” the AFP wrote in a statement of requirement (SOR).

    “The rapid advance of communications in IP networks has enabled multiple means of communication via SMS, email, messaging apps, and social media platforms. Many of these platforms provide encrypted communication meaning that the content is not readily intelligible.”

    The AFP said in addition, data and metadata collected from sources such as surveillance devices (SD) and open-source intelligence (OSINT) could be combined with telecommunication interception (TI) products to “provide a more complete picture for intelligence and investigation teams”. “These additional data sources bring further challenges for TI monitors and other AFP teams due to the large volume of data available,” it said. “Additional capabilities such as advanced searching algorithms and AI tools (including object detection, facial and automated transcription and translation) provide an opportunity to enrich data to aid monitors and investigators.”

    LEMF architecture (TI & SD) current state
    Image: AFP

    The current LEMF architecture, the SOR explains, has several limitations, such as limited access to the LEMF data layer. APIs are provided by the current platform but do not expose the full range of its functionality. There is also a lack of integration with the AFP’s internal compliance systems and multiple points of entry for configuration of TI product, while historical telecommunications data and stored communications are collected and managed in separate processes and need to be manually ingested into the LEMF.

    The AFP said video surveillance and operational surveillance data are stored in siloed systems and are not transferred to the LEMF, and there is no common process for producing TI and SD evidentiary material.

    The next-generation LEMF (NG-LEMF), the AFP said, will enable “end-to-end lifecycle management” for TI and surveillance device-collected data such as audio, video, location data, SMS, intercept-related information, IP data and associated metadata, and a framework to deliver advanced monitoring and data visualisation. The AFP expects it will also ingest additional product types such as video and historical telecommunications metadata into the underpinning data layer to allow linking with collected TI and SD product.

    The SOR, however, covers only the TI collection capability and the front-end applications used by monitors and investigators to view and analyse TI and SD product.

    “In summary, the desired future state is for a loosely-coupled solution consisting of modular components that interact via well-defined interfaces. The benefit of this approach is that UI components, data enrichment services, and applications can be upgraded/replaced relatively easily,” the AFP wrote. “It also de-couples the TI and SD product and other data sources from the end-user applications and services. The AFP’s intent is that the solution will be an open platform that is able to be integrated into the future state as part of the overall modular approach to delivering the NG-LEMF.”

    The new solution, due to be awarded in December, is required to ingest large amounts of TI and SD product from carriage service providers, technical and electronic surveillance devices, and OSINT. The platform, either cloud-based or on-premise, should also allow API integration with the upgraded Electronic Surveillance Warrants and Authorisations Management System to support compliance by reducing manual entry and process duplication, the SOR explains.

    “The solution should make use of open-source software where possible and be able to be modified to satisfy additional requirements without changing core design,” the AFP adds. “It is essential that the data handling aspects of the solution can demonstrate and enforce compliance with legislative requirements.”

    See also: Ombudsman finds unlawful metadata access by ACT cops on 1,704 occasions

    The AFP said the successful vendor should assume there are two agencies using the solution, with the AFP given the discretion to add further “partners”. The SOR lists 117 user interface requirements, such as the platform being capable of identifying a user’s social media and messaging use, such as Facebook, Instagram, Twitter, Messenger, WhatsApp, LinkedIn, Tumblr, and Pinterest, from intercepted IP data.

    The AFP has also published a second tender, this time to replace the existing secure internet gateway service due to end-of-life considerations. The AFP has a current gateway services contract, which provides services to AFP, ACIC, CDPP, FFMA, and Austrac, and under this arrangement each agency has its own dedicated infrastructure and service requirements. It hopes the Future Secure Internet Gateway (FSIG) service will deliver a more innovative and agile solution than is currently in place.

    The telecommunication interception and surveillance device platform SOR closes 13 September 2021, while responses to the FSIG tender will be accepted until 9 September 2021.


    NordVPN deal: Grab a year's subscription for just $47

    StackCommerce
    With remote working so widespread, it’s never been more vital to have top-notch VPN protection on all of your devices, including your home network. Fortunately, a one-year subscription to top-of-the-line NordVPN happens to be on sale at the moment and you should grab it while you can. Here’s why.

    Although there are lots of VPNs to choose from, they are far from equal. Not many of them offer a level of protection that is even close to what NordVPN provides. No matter where you are or what type of connection you have, you will have completely private and unrestricted internet access. Your identity, as well as all of your most confidential personal information, is hidden with the utmost secrecy, thanks to NordVPN’s private tunnels and double encryption.

    For the ultimate security, if you happen to become disconnected from NordVPN servers, then your internet connection will be automatically dropped. That prevents even a scrap of data being revealed accidentally. And you can be absolutely sure that your online activity is not recorded anywhere whatsoever because NordVPN has an extremely strict no-logging policy.

    Since you will have access to 5,400 server locations in nearly 60 countries around the world, you will also be able to anonymously slide right by all geographical restrictions that are placed on the content you might be interested in. So you can watch whatever you want, wherever you are, any time you please. Most importantly, NordVPN connections are lightning quick, which means you’ll see videos instantly, without any buffering.

    If there are any doubts about whether NordVPN is the best around, the reviews will quickly put them to rest. The service earned perfect 5-star ratings from CNET, TrustPilot, and more.

    Don’t pass up this opportunity to get bulletproof VPN protection. Get NordVPN: 1-Yr Subscription for $47.20 (reg. $286) with coupon code NORD20.
