More stories

  • Business email compromise: 23 charged over 'sophisticated' fraud ring

    A sophisticated fraud scheme using compromised emails and advance-payment fraud has been uncovered by authorities. The fraud was run by what Europol describes as a “sophisticated” organised crime group which created fake websites and fake email addresses similar to legitimate ones run by retailers and suppliers. Using these fake accounts, the criminals tricked victims into placing orders for goods and requested payment in advance.

    However, there never were any goods, so deliveries never took place – instead the stolen money was laundered through Romanian bank accounts controlled by the criminals before being withdrawn at ATMs. The 23 suspects have been charged following simultaneous raids by police in the Netherlands, Romania and Ireland. They’re believed to have defrauded companies in at least 20 countries across Europe and Asia out of a total of €1 million. The group is suspected to have been running for several years, offering fictitious items for sale, such as wooden pellets. But last year the group switched how it operated and offered fictional items relating to the COVID-19 pandemic, including protective equipment.

    Europol’s European Cybercrime Centre (EC3) aided national investigators in the Netherlands, Romania and Ireland, as well as deploying cyber crime experts to help with the raids.

    Business Email Compromise attacks are one of the most lucrative forms of cyber crime for internet fraudsters – in 2019, the FBI listed BEC as the cyber crime with the highest amount of reported losses, accounting for $1.77 billion. Overall, it costs businesses much more than ransomware. To help prevent falling victim to Business Email Compromise attacks, Europol recommends that people should be wary of unsolicited contact from a seemingly senior official, or of requests which don’t follow the usual company procedures – especially if the request is supposedly urgent or confidential. Organisations can also create barriers against falling victim to BEC by ensuring that wire transfers are subject to approval from multiple people, increasing the chance of fraud being spotted.

  • Poly Network hackers potentially stole $610 million: Is Bitcoin still safe?

    Yesterday the Poly Network, which specialises in cryptocurrency transfers on the Binance, Ethereum and Polygon blockchains, announced that it had been attacked and assets transferred to hackers. It tweeted: “Important Notice: We are sorry to announce that #PolyNetwork was attacked on @BinanceChain, @ethereum and @0xPolygon. Assets had been transferred to hacker’s following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 and BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71.” It asked miners of the affected blockchains and crypto exchanges such as Binance, HuobiGlobal, OKEx, Tether, BitGo, Uniswap and Circle Pay, amongst others, to blacklist tokens coming from these addresses.

    Poly Network said that the hacker had “exploited a vulnerability between contract calls” – where a contract can modify the keeper of a contract and execute a transaction. Estimates of funds held in the wallets put the loss in excess of $600 million. Twitter user @kelvinfichter explained how the hack actually worked. Blockchain ecosystem security company SlowMist tweeted that a total of over US$610 million was transferred to three addresses. It considers that the attack was likely to be “long-planned, organized and prepared”.

    The Poly Network later broadcast an open message to the hacker saying “The amount of money you hacked is the biggest one in the defi (decentralised finance) history”.

    It added, “Law enforcement in any country will regard this as a major economic crime, and you will be punished”. Decentralised Finance (DeFi) aims to cut out third parties such as brokerages or exchanges. Poly Network has asked for the return of the funds and tweeted the addresses that the funds are to be returned to. Paolo Ardoino tweeted that Tether had frozen $33 million as part of the hack.

    Today Poly Network indicated that cash might be returning. It tweeted a screenshot of a transaction with a comment for the alleged hacker. Update: the entire conversation and refund update can be viewed in a Google doc linked from @LX2025.

    This is not the first time that hackers have allegedly stolen Bitcoin. In February, legal proceedings began against Bitcoin developers after the theft of Bitcoin in 2020. As legal processes ramp up across the world and lawyers aim to recover different lost or stolen assets, there seem to be fewer places for hackers to hide as new legislation is adopted.

    The Bitcoin SV network, which recently tweeted that gigabyte blocks were mined on the public blockchain, was subjected to a series of block-reorganisation attempts in July and early August that attempted to double-spend BSV coins. The network recommended that node operators mark the chain as invalid to “lock the attacker’s fraudulent chain out.”

    The EU proposal that addresses improved detection of money laundering and terrorism financing in the Union will require ‘digital currency service providers to apply for licences, and anonymous digital currency asset accounts will be banned.’ The US Infrastructure Bill proposal requires ‘brokers’ in the digital currency industry to collect information on and report customers’ tax obligations to the government.

    So is any version of Bitcoin safe? With potential cross-chain vulnerabilities occurring as relay chains and cross-chain bridges make it easier to move assets across blockchains, penetration testing and checking become ever more important. Hacks like this in an Ethereum contract demonstrate how vulnerable smart contracts can be. Miners running smaller nodes – the very ethos of DeFi – become more exposed to vulnerabilities like this, whereas miners running large mining node clusters have the resources and budget to carry out extensive testing and mitigation when potential hacks occur. Will this be the largest hack ever, or will other vulnerabilities expose even larger amounts of money being moved to other blocks before being transferred out of blockchain currency exchanges? Hopefully, this wake-up call will have developers making sure that their code is impenetrable – whichever version of the contract is used.

  • Microsoft fixes Windows 10 PrintNightmare flaw with this update

    Following the July discovery of Windows 10 PrintNightmare bugs, Microsoft has released an update that changes the default behavior in the operating system and prevents some end-users from installing print drivers. The key change in this month’s Patch Tuesday update for the bug CVE-2021-34481, aka PrintNightmare, is that users will need admin rights to install print drivers. The bug, stemming from a flaw in the Windows Print Spooler service, allows a local attacker to escalate privileges to the level of ‘system’ – an outcome that lets them install malware and create new accounts on Windows 10 machines. The patch arrived with Microsoft’s August 2021 Patch Tuesday update, which included a patch for CVE-2021-36936, a distinct Windows Print Spooler remote code execution vulnerability. But Microsoft has also provided more information about the impact of the patch.

    “The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service,” the Microsoft Security Response Center (MSRC) said. “This change will take effect with the installation of the security updates released on August 10, 2021 for all supported versions of Windows, and is documented as CVE-2021-34481.”

    The problem with the update is that it may affect organizations with networked printers, placing additional workloads on admins who previously could let end-users install printer driver updates from a remote server. Microsoft, however, believes the security benefits outweigh the cost in time.

    “This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies this change,” MSRC said. Microsoft has outlined a way to disable this mitigation with a registry key, but it has advised against doing so. It outlines the steps in knowledge base article KB5005652, where it explains that the update changes the default behavior even on devices that don’t use Point and Print or print functionality. After installing the August 10 updates, users who don’t have admin privileges can’t install new printers using drivers on a remote computer or server, nor update existing printer drivers using drivers from a remote computer or server. “If you are not using Point and Print, you should not be affected by this change and will be protected by default after installing updates released August 10, 2021 or later,” Microsoft adds.

    Microsoft warns that changing the new default will expose the organization to publicly available threats. “Disabling this mitigation will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service and we recommend administrators assess their security needs before assuming this risk,” MSRC notes.

  • Hackers take $600m in 'biggest' cryptocurrency theft

    A hacker has apparently exploited a vulnerability to steal $600 million from a blockchain finance platform in what could be one of the largest cryptocurrency thefts to date. The makers of Poly Network, a “DeFi” or decentralized finance platform that works across blockchains, said on Tuesday that an attacker stole about $600 million in cryptocurrencies.

    The team behind Poly Network appealed to the hackers to “return the hacked assets”. “The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money stolen is from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution,” the Poly Network team said.

    Poly Network works across blockchains for Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain. Poly Network listed three addresses the assets were transferred to.

    “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses,” the team pleaded.

    And it appears that at least a small amount of the funds have been returned. Poly Network posted on Twitter “you are moving things to the right direction” and said that it had received more than $1m back. A little later it posted again saying: “So far, we have received a total value of $4,772,297.675 assets returned by the hacker. ETH address: $2,654,946.051 BSC address: $1,107,870.815 Polygon address: $1,009,480.809.” According to Poly Network, “the hacker exploited a vulnerability between contract calls, exploit was not caused by the single keeper as rumored.”

    Per the Wall Street Journal’s MarketWatch, the CTO of stablecoin company Tether, Paolo Ardoino, said the company froze $33 million of its tokens lost in the Poly Network attack. The hackers stole about $267m of Ether, $252m of Binance coins, and $85 million in USDC tokens.

    Changpeng Zhao “CZ”, chief of the giant Binance crypto-exchange, said on Twitter that it was aware of the Poly Network attack and noted that there was not much the company could do about it. “While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can,” he wrote.

  • Quantum computers could threaten blockchain security. These new defenses might be the answer

    It might be only a matter of time before quantum computers crack the cryptography keys that support sensitive data and cryptocurrencies on blockchain networks. Now quantum software company Cambridge Quantum (CQ) says it has developed a “quantum-safe” method that could future-proof any blockchain by making the system invulnerable to quantum attacks. 


    CQ partnered with the Inter-American Development Bank (IDB) and its innovation laboratory IDB Lab, which has been actively investing in blockchain technology to support social and economic applications in Latin America and the Caribbean. Specifically, IDB Lab has developed LACChain, a blockchain platform leveraged by more than 50 organizations in the region for use cases ranging from cross-border e-money payments to exchanging data between different countries’ customs administrations.

    CQ implemented a quantum-safe security layer on LACChain that has made the system secure from future quantum computers. To do so, CQ deployed its own commercially available platform for protecting against quantum threats, called IronBridge, to LACChain. Blockchain’s vulnerability to quantum computers comes from its extensive reliance on cryptography.

    The technology, also called a distributed ledger, is essentially a computational system in which information is securely logged, shared and synchronized among a network of participants. The system is dynamically updated through messages called transactions, and each participant can have a verified copy of the system’s current state and of its entire transaction history. For this type of decentralized data-sharing system to work requires strict security protocols – not only to protect the information and communications in the blockchain, which are often sensitive, but also to confirm the identity of participants, for example through digital signatures.

    These protocols, for now, rely on classical cryptography keys, which transform information into an unreadable mush for anyone but the intended recipients. Cryptography keys are used to encrypt data – data that can in turn only be read by someone who owns the right key to decode the message. The strength of encryption, therefore, depends on how difficult it is for a malicious actor to recover the key; and to make life harder for hackers, security protocols currently rely on algorithms such as RSA or the digital signature algorithm to generate cryptography keys that are as complex as possible. Those keys, in principle, can only be cracked by crunching through huge amounts of numbers. This is why most current cryptography protocols are too hard to break – at least with a classical computer.

    But quantum computers, which are expected to one day possess exponential compute power, could eventually crack all of the security keys that are generated by the most established classical algorithms. Quantum computers are still an emergent technology, and they are nowhere near mature enough to reveal any secrets just yet. But scientists have already identified some quantum algorithms, namely Shor’s algorithm, which have the potential to eventually break existing security protocols.

    Alexander Lvovsky, professor at the department of physics at the University of Oxford, says that quantum computers, therefore, pose a threat to blockchain security processes like digital signatures. “By using Shor’s algorithm, a quantum attacker is able to calculate the private key of a user on the basis of their signed message, which is impossible to do with classical computers, and in this way, impersonate any party they want,” Lvovsky tells ZDNet.

    Quantum computers in the hands of a hacker could have dramatic consequences for the critical information that is currently stored. For example, hundreds of billions of dollars denominated in cryptocurrencies rely on blockchain ledgers, and the World Economic Forum estimates that 10% of GDP may be stored in blockchains by 2027. This could one day be at risk from quantum attacks. Recent analysis by Deloitte estimates that a quarter of all bitcoins could be stolen with a quantum attack, which currently represents over $40 billion.

    CQ and IDB, therefore, teamed up in an effort to deploy what is known as “post-quantum cryptography” to the blockchain – a form of cryptography that is adapted to a world in which quantum computers are no longer a thing of the future. There are various ways to address post-quantum cryptography, but all approaches essentially consist of making cryptography keys harder to crack, even for quantum computers. To do so requires an extra dose of randomness, or entropy. A key that is generated purely randomly, indeed, is much harder to recover than one that is the product of a mathematical operation – which can be reverse-engineered by a powerful computer. And while classical algorithms rely on mathematics, quantum computers can harness a special, non-deterministic property of quantum mechanics to generate this true randomness. CQ has leveraged this to create the IronBridge platform, which taps those quantum processes to create random numbers and make extra secure cryptography keys.

    IronBridge was successfully used in LACChain to protect communications as well as to secure digital signatures. “LACChain blockchain was an ideal target for keys generated by our IronBridge platform,” says Duncan Jones, head of quantum cybersecurity at CQ. “Only keys generated from certified quantum entropy can be resistant to the threat of quantum computing.”

    CQ deployed IronBridge as a “layer-two” service, meaning that it sits on top of the original architecture of the LACChain blockchain and could, therefore, be adapted to other systems. Even if large-scale quantum computers are still some way off, the announcement is likely to address the concerns of blockchain users. Whether it is in five, 10 or 15 years, a quantum computer could crack the security protocols that are protecting information now – meaning that sensitive information that is currently being stored on the blockchain is still at risk from future hacking.

    “The security currently used in most blockchains is vulnerable to quantum attack,” Itan Barmes, quantum specialist at Deloitte, tells ZDNet. “No one knows when these attacks are going to become feasible. Estimates range between five and 30 years. On the other hand, migrating to a quantum-safe solution is also expected to take years, so ignoring the problem is taking an unnecessary risk.”

    Blockchain is not alone in preparing for the future of cryptography. Governments around the world are also rushing to develop post-quantum cryptography protocols, as concern mounts that information about defense and national security might one day be revealed by quantum computers. The UK’s National Cyber Security Centre has been saying for many years that reliance on classical cryptography needs to end, for example; while in the US, the National Security Agency is currently investigating a number of algorithms that could improve the resilience of cryptography keys.

  • Porch pirates: How you can stop it happening to you

    With over 1.7 million packages stolen or lost every day in the US, it is not surprising that most of us are wary of leaving packages on the porch for more than a few minutes. Provo, UT-based home security systems company Vivint surveyed 1013 people about their experiences with purchases that have been sent to their homes. Porch piracy is a huge issue in the US, and getting refunds is difficult. Only 54% of porch pirate victims were refunded when reporting a package as stolen.

    The survey showed that an average of 29% of Americans reported having had a package stolen from their porch, front door or mailbox. In urban areas, over two in five (41%) reported having a package stolen. One in five (20%) had packages stolen from their house, and 44% had packages stolen from their apartment. The most stolen items were clothing (33%), followed by books, toys and games (23%), and health or personal care products (22%). Monday was the most common day for package theft, with 34% of packages stolen on that day. Almost two in three packages (56%) were stolen in the afternoons.

    Due to its dominance in the market, over 52% of packages stolen were Amazon Prime packages, followed by USPS (43%). These stolen packages tended to be high-value items, with an average value of $106 of packages left unattended in a typical month. So how do you protect your parcels? Well, the obvious answer seems to be: be at home when the package is dropped off. But as many delivery drivers seem to put the package at the front door, take a photo to prove it was left there, and then get back into their van to get to their next drop off, how can you ensure you get the package you ordered?

    If you know when your package is scheduled to arrive, then you will stand a better chance of being around when the package is delivered. Around one-third of us subscribe to delivery alerts. Giving instructions on where to drop the package off, or getting the delivery driver to leave it in a safe place, is the favoured option for 23% of respondents. Almost one in nine (13%) have the packages sent to their workplace, and one in five (22%) install an outdoor security camera or video doorbell. If you are not going to be around, get your package sent to an Amazon Hub locker and collect your packages when it is convenient to you, or get a work-from-home friend to take the package in for you.

    Stopping boundary bandits from cruising the neighbourhood looking for packages to steal will benefit the vendors who try to fulfil your order and keep you satisfied with the goods you want arriving on time. Get a security camera, work from home if you can, and make sure your package is delivered to your safe location at a time you choose. It will cost you less in the long run.

  • ABS confirms Census 2021 experienced no breaches or interruptions

    Census 2021 has been deemed a “success”, with the Australian Bureau of Statistics (ABS) confirming it received an estimated 6.2 million Census forms by Wednesday 8am AEST. Of the total, ABS reported that 6.1 million forms were submitted online through the Census digital service and the remainder were via post. The peak period online was at 8.06pm, when the ABS received about 141 submissions per second. No interruptions, excessive wait times, or security breaches were reported by the ABS, according to Assistant Treasurer Michael Sukkar.

    “I want to thank the millions of Australians who have played their part in making the 2021 Census a success so far, and we want to continue to see the numbers ticking up and the forms coming in,” he said. “It is also important to remind Australians that it is not too late to submit your Census form. The Australian Bureau of Statistics continues to collect Census forms. Please visit the Census website or contact by phone if you need any further information on how to complete your Census. I also want to thank the work of the Australian Bureau of Statistics, the Australian Cyber Security Centre, the Digital Transformation Agency and all the government agencies and their employees involved in making the 2021 Census a seamless process.”

    The ABS has been focused on preparations for the 2021 Census to avoid an embarrassing repeat of what occurred during Census 2016, when the ABS experienced a series of small denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false positive report of data being exfiltrated, which resulted in the Census website being shut down and citizens unable to complete their online submissions.

    That Census was run on on-premises infrastructure procured from tech giant IBM. The 2021 Census, however, was built on the Amazon Web Services cloud through a contract awarded to PwC Australia. In March, Deputy Australian Statistician Teresa Dickinson told Senate Estimates that preparations for Census 2021 were well on track, while confirming the agency was working with over 50 suppliers and partners on the Census. “Census day is the 10th of August, and we are on track. In our metrics, where we measure progress against the Census, many of the sub programs of work are ‘green’, there are a few that remain ‘amber’, and the reason is that we still have some testing and defect remediation to do on our technical work,” Dickinson said at the time. “But we are on track to do that, by the time the form goes live.”

    In response to the omnishambles that was the 2016 Census, there have been three reviews that made 36 recommendations, 29 of which were directed at the ABS and agreed upon. There was also a report prepared by the Australian National Audit Office (ANAO). ANAO in November labelled the preparation for the 2021 Census by the ABS as “partly effective”. It said generally appropriate frameworks have been established to cover the Census IT systems and data handling, and the procurement of IT suppliers, but that the ABS has not put in place arrangements for ensuring improvements to its architecture framework, change management processes, and cybersecurity measures will be implemented ahead of the 2021 Census. “The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations, and ensuring timely delivery of the 2021 Census,” the auditor added. “Further management attention is required on the implementation and assessment of risk controls.”

  • Firefox 91 gets HTTPS default in private mode, enhanced cookie clearing and Windows SSO

    Mozilla released Firefox 91 on Tuesday, with a pair of new privacy features and one offering increased Windows integration. When a user opens a private window in Firefox, the connection to the requested domain will now default to HTTPS even if the user manually enters the HTTP protocol. An HTTPS-first request will also be made if a user clicks on an HTTP link. The browser maker warned that HTTPS by default only applies to the page itself, and not necessarily to all images, CSS, or JavaScript files loaded by the page. “However, loading a page over HTTPS will, in the majority of cases, also cause those in-page components to load over HTTPS,” Mozilla said. “We expect that HTTPS by Default will expand beyond Private Windows in the coming months.” In November with Firefox 83, Mozilla enabled users to switch on HTTPS-Only mode, which has the same functionality as HTTPS by default.

    The second privacy feature is dubbed enhanced cookie clearing. When a user asks Firefox to delete cookie data from a site, not only will Firefox remove cookies from that site, it will blast away any tracking cookies placed on the site as well.

    The functionality is built on total cookie protection, which appeared in Firefox in February and separates cookies on a per-website basis – meaning supercookies such as those placed by Facebook were restricted to one container. “When you decide to tell Firefox to forget about a website, Firefox will automatically throw away all cookies, supercookies and other data stored in that website’s ‘cookie jar’. This Enhanced Cookie Clearing makes it easy to delete all traces of a website in your browser without the possibility of sneaky third-party cookies sticking around,” Mozilla explained. “Before Enhanced Cookie Clearing, Firefox cleared data only for the domain that was specified by the user. That meant that if you were to clear storage for comfypants.com, Firefox deleted the storage of comfypants.com and left the storage of any sites embedded on it (facebook.com) behind. Keeping the embedded storage of facebook.com meant that it could identify and track you again the next time you visited comfypants.com.”

    Now when users head to settings to manage cookie data, they will see a listing of jars rather than domains. Users can also right-click on “Forget About This Site” in the history menu to remove cookies and cache related to the site, as well as remove it from the browser history and delete any data Firefox has stored about the site, such as permissions. In order to use enhanced cookie clearing, users need to have strict tracking protection enabled.

    Firefox 91 also arrived with single sign-on integration with Windows for Microsoft, work, and school accounts. This feature can be enabled from the privacy and security section of Firefox settings. The browser also gained support for the Scots locale in its latest release.