More stories

    US charges Greek national for selling insider trading subscriptions in the Dark Web

    US prosecutors have charged a Greek national for offering insider trading services to clients through the Dark Web.

    According to both the US Department of Justice (DoJ) and the Securities and Exchange Commission (SEC), Apostolos Trovias is facing criminal charges “in connection with his scheme to solicit and sell stock trading tips and pre-release earnings and deal information regarding public companies.” The charges were unsealed in Manhattan federal court last week.

    The 30-year-old, operating under the name “TheBull,” has allegedly run an insider trading business through the Dark Web and encrypted messaging services since at least 2016, continuing into early 2021. Trovias reportedly both obtained and monetized insider information, offering clients data including stock tips based on confidential trading records and pre-release earnings reports.

    While the alleged trader began his career on AlphaBay, once that underground marketplace was seized and shut down by law enforcement in 2017, he switched to selling information directly. Tips could be purchased on a pay-as-you-go or subscription basis, and Trovias secured approximately 100 clients willing to subscribe to the ‘service.’

    According to the SEC, Trovias claimed that the order-book data for sale was obtained from an employee of a securities trading firm. One pre-earnings report, for example, was allegedly sold for roughly $5,000 in Bitcoin (BTC).

    In 2020, he also allegedly attempted to create a marketplace dedicated to the sale and exchange of insider information, called the “Inside Information Auction Site.”

    Trovias is being charged with one count of securities fraud and one count of money laundering. The US takes allegations of insider trading seriously: the securities fraud count carries up to 25 years behind bars, and money laundering carries a penalty of up to 20 years. Separately, the SEC has charged the alleged trader with violating the antifraud provisions of federal securities laws, and the agency is seeking injunctions, disgorgement, and penalties.

    “Behind the veil of the Dark Web, using encrypted messaging applications and emails, Trovias created a business model in which he sold — for profit — proprietary information from other companies, stock trading tips, pre-release earnings, and other inside information, as we allege,” commented FBI Assistant Director William Sweeney Jr. “The FBI operates within the Dark Web too, and as Trovias learned today, we don’t stop enforcing the law just because you commit federal crimes from behind a router with your keyboard.”

    Thousands of PS4s seized in Ukraine in illegal cryptocurrency mining sting

    Image: SBU
    Thousands of PlayStation 4 gaming consoles have been seized after being discovered in an old warehouse, where they were used to illicitly mine cryptocurrency.

    Ukraine’s Security Service said last week that in the city of Vinnytsia, located along the Southern Bug river, an abandoned warehouse in the industrial area once belonged to an electricity company, JSC Vinnytsiaoblenergo. Upon entry, law enforcement found what it has called the country’s “largest underground cryptocurrency farm.” In total, roughly 3,800 gaming consoles were rigged together and stored on metal racks, and over 500 graphics cards and 50 processors were also found.

    The hardware was allegedly used for cryptocurrency mining, while those apparently responsible stole the electricity required from the city. Current estimates put the stolen electricity at between $186,200 and $259,300 per month.

    Raids took place at the cryptocurrency farm, and Ukrainian police also say that searches took place at the “offender’s residences,” where draft notes on electricity usage, notebooks, handsets, and USB storage devices were also seized.

    In a statement (translated), JSC Vinnytsiaoblenergo said that “our company has nothing to do with any illegal activity,” and “cryptocurrency mining equipment has never operated in the premises owned by our company.” The utility company also added that there was no evidence of the theft of electricity. The investigation was conducted by Ukrainian law enforcement agencies under the supervision of the Prosecutor General’s Office.

    In a separate but notable cryptocurrency farm case, back in 2019, Chinese law enforcement uncovered cables hidden in fish ponds that were used to connect to an oil rig’s electrical grid. Active Bitcoin (BTC) rigs were found hidden in a shed after drones were deployed to track down the perpetrator.

    Firefox 90 lands with just-in-time support for unblocking Facebook when users log in

    Image: Mozilla
    Firefox 90 arrived from Mozilla this week, and one of the new features is better support for logging in with Facebook credentials when the browser is in strict tracker blocking mode or a private window.

    SmartBlock first appeared in Firefox 87, released in March, and provided local stand-ins for blocked third-party tracking scripts. “These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact,” Mozilla said at the time.

    One area where SmartBlock fell short, though, was supporting Facebook login buttons across the web. In a blog post, Mozilla explained that this was because Facebook trackers are included on the list of trackers provided by its partner, but the updated SmartBlock 2.0 should fix this.

    “Prior to Firefox 90, if you were using a private browsing window, when you clicked on the ‘Continue with Facebook’ button to sign in, the ‘sign in’ would fail to proceed because the third-party Facebook script required had been blocked by Firefox,” the blog states. “Now, SmartBlock 2.0 in Firefox 90 eliminates this login problem. Initially, Facebook scripts are all blocked, just as before, ensuring your privacy is preserved. But when you click on the ‘Continue with Facebook’ button to sign in, SmartBlock reacts by quickly unblocking the Facebook login script just in time for the sign-in to proceed smoothly.”

    Mozilla said the new functionality works on “numerous websites”, and Firefox will continue blocking Facebook trackers on all sites where a user has not logged in.

    Users on Windows will now have Firefox updated in the background, with Firefox 90 checking every 7 hours for a new version. To enable background updating, users need to allow updates to be installed automatically and tick a “When Firefox is not running” checkbox. The feature only works when the browser has been installed from its installer, rather than decompressed from a zip file, and does not have a language pack installed. Although Mozilla said it would roll out the feature gradually, an app.update.background.scheduling.enabled preference exists for users who want to turn it on now.

    Firefox on Windows will also gain an about:third-party page that lists modules, such as anti-virus software, that have been injected into the browser and could cause issues.

    Firefox 90 also supports Fetch Metadata Request Headers, which allow web apps to defend against some cross-site attacks. “The HTTP request header Sec-Fetch-Site allows the web application server to distinguish between a same-origin request from the corresponding web application and a cross-origin request from an attacker-controlled website,” Mozilla said. “Inspecting Sec-Fetch-* Headers ultimately allows the web application server to reject or also ignore malicious requests because of the additional context provided by the Sec-Fetch-* header family. In total there are four different Sec-Fetch-* headers: Dest, Mode, Site, and User which together allow web applications to protect themselves and their end users against [cross-site attacks].”

    The latest edition of Firefox also marks the end of support for FTP in the browser, and most users who do not have hardware-accelerated WebRender will use software WebRender instead.
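    The server-side check that Mozilla's quote describes, as an added example that is not Mozilla's or Firefox's code: a small Node.js "resource isolation" policy that reads the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers and refuses cross-site requests before application logic runs. The header names are the standard Fetch Metadata ones from the article; the specific allow/deny rules, the function names and the middleware wrapper are assumptions made for illustration.

```javascript
// Added example, not Mozilla's code: a server-side "resource isolation"
// check built on the Fetch Metadata headers quoted above. The header names
// (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) are the standard ones;
// the policy rules themselves are an assumed, illustrative baseline.

// Decide whether a request may reach application code.
// `method` is the HTTP method; `headers` maps lower-cased header names to
// values, as Node's http.IncomingMessage.headers does.
// Returns { allow: boolean, reason: string }.
function resourceIsolationPolicy(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Clients without Fetch Metadata send no Sec-Fetch-Site at all. Letting
  // them through keeps older browsers working; CSRF tokens and SameSite
  // cookies remain the defence for that traffic.
  if (site === undefined) {
    return { allow: true, reason: 'no Fetch Metadata headers (legacy client)' };
  }

  // The application's own traffic: same-origin, same-site, or initiated by
  // the user (typed URL, bookmark), which browsers report as "none".
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }

  // Cross-site: allow only simple top-level navigations to a document, so
  // that links from other sites keep working while cross-site form POSTs,
  // fetch/XHR, <img>, <script> and <iframe> loads are refused.
  if ((method === 'GET' || method === 'HEAD') && mode === 'navigate' && dest === 'document') {
    return { allow: true, reason: 'cross-site GET navigation to a document' };
  }

  return {
    allow: false,
    reason: `cross-site ${method} with mode=${mode ?? '?'} dest=${dest ?? '?'}`,
  };
}

// Middleware-style use with Node's http module: reject early with 403 and
// report the reason, otherwise hand off to the real handler. `next` is the
// application's own (req, res) handler.
function withResourceIsolation(next) {
  return (req, res) => {
    const verdict = resourceIsolationPolicy(req.method, req.headers);
    if (!verdict.allow) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('Forbidden: ' + verdict.reason);
      return;
    }
    next(req, res);
  };
}
```

    To wire it in, wrap the application handler: `http.createServer(withResourceIsolation(app)).listen(8080)`. The policy is deliberately permissive toward requests with no Sec-Fetch-Site header, so existing CSRF defences stay in place for older clients, and it allows cross-site GET navigations because those are how external links work; that is also why GET handlers must never perform state-changing actions.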

    Singapore's Changi Airport is using digital certificates to speed up immigration checks

    Image: Affinidi
    Affinidi CEO Glenn Gore says he is optimistic that digital verification certificates will enable air travel to resume safely and securely.

    Speaking during the virtual Amazon Innovation Day on Wednesday, Gore pointed out that Singapore’s Changi Airport is proof that such a system can work. He noted that Affinidi’s Universal Verifier solution is currently being used by the airport to digitally verify that travellers arriving in the country have tested negative for COVID-19, along with any other required health credentials.

    “This solution is already live now. Actually, if you visit Singapore and pass through Changi Airport, we’ll be going through the Affinidi’s Universal Verifier with immigration,” he said. “We recognise 15 different global standards today, so that the immigration officer doesn’t matter what country you’re coming from, [and has] a consistent presentation of that information in a safe and secure way to allow free passage.”

    He explained that using a self-sovereign identity verifiable solution helps remove the need for immigration to “deal with complex sets of information of different pathology reports from around the world”, while also enabling individuals to own and control who they share their health data with.

    “Using verifiable credentials, the passenger experience starts with us, booking our ticket online, just like we normally do. At the completion of purchasing that ticket, the airline is actually going to send me some instructions as to this new requirement where I need to go and visit a clinic, and take a COVID swab test … the clinic is going to issue me a COVID test result. In that test result will be a QR code that I can look at, along with the printed details,” Gore said.

    “I can head to the airport and the first experience I’m going to have is talking to the checking agent, as I go to check in for my flight. They’re going to ask to see my credential, so that’s already on my device, that airline agent is able to use universal verification to check the data that’s on my device safely and securely; they can see that it hasn’t been tampered with, that it’s not fraudulent, and apply this against rules engines and have all the rules for the source and destination countries that we go to,” Gore added.

    “Ultimately, they’re doing this to issue me a green tick saying I meet all of the entry requirements, so they can issue a boarding pass and I can get on that flight.”

    “When I arrive, I need to do an international border crossing, and again the immigration officer is going to want to see proof … so again, I’m going to use exactly the same QR code, the immigration officer is going to scan that and apply it to the exact same rules engine.”

    In addition to flights, Gore believes the system could be used for a range of other domestic scenarios, from checking into a hotel to entering large-scale sporting events and concerts, and “all the things we enjoyed before COVID”.

    Macquarie Telecom earmarks AU$78m to build 'largest ever' data centre in Sydney

    Image: Macquarie Telecom
    Macquarie Telecom has announced it is building what it calls its “largest ever” data centre, on the company’s existing Macquarie Park data centre campus in Sydney.

    According to Macquarie Telecom, it will invest an initial AU$78 million to build the core and shell of the new 32-megawatt Intellicentre 3 (IC3) Super West facility. The facility will be located in the Sydney North Zone at the company’s existing Macquarie Park Data Centre Campus and will bring the company’s total IT load at the campus to 50 megawatts. It will also be designed to connect with the IC3 East facility.

    The new facility will also house a new Sovereign Cyber Security Centre of Excellence, which, according to the company, will be responsible for monitoring and managing cybersecurity events around the clock. An initial 31 cyber specialists are expected to run and operate the centre by 2024.

    “This global scale data centre will be one of the most certified facilities in the region,” Macquarie Data Centres group executive David Hirst said, pointing out that IC3 Super West will be designed to adhere to a range of standards including ISO 27001, PCI DSS 3.2, ISO 45001, and ISO 14001.

    “Data is growing exponentially, and we have demonstrated time and time again our ability to deliver infrastructure to meet that growth. Our data centres are sovereign, secure and certified to manage Australia’s most important data and drive the digital economy,” Hirst added.

    Subject to being granted permission by the board in early 2022, construction of phase 1 of IC3 Super West is expected to be completed by the second half of calendar year 2023.

    Plans for the IC3 Super West facility follow Macquarie’s completion of its IC5 Bunker facility in Canberra and Phase 1 of IC3 East at its Macquarie Park Data Centre Campus. In June, Macquarie Telecom’s Canberra Campus was one of three providers certified by the Australian government to store sensitive data locally. The Digital Transformation Agency said the campus was certified against the requirements defined in the Hosting Certification Framework, which it has administered since March 2019.

    The impact of Apple’s sideloading philosophy on developers

    (Image: Apple)
    On June 23, Apple unleashed messaging to explain why users should only install Apple-approved apps through its App Store on iOS. This is an extension of the US District Court case between Apple and Epic, where Apple positioned “sideloading,” the practice of installing apps outside its App Store, as dangerous. While it is true that Apple has led the industry in privacy, in particular by making it difficult for businesses and rogue apps to obtain unnecessary personal information, connecting this messaging to non-Apple installs seems a bit of an overreach. Moreover, it sets up a challenging dichotomy for developers: Do you promise choice or reassurance as your app’s key marketing message?

    Smartphone As A “Pattern-Of-Life” Device

    Apple has cited at least one study saying, “[…] devices that run on Android had 15 times more infections from malicious software than iPhone.” In a June 16 interview, Tim Cook said that Android has 47 times more malware than iOS does. These are interesting numbers, given the relative sizes of the Android and iOS markets. Android has almost 73% market share worldwide, while iOS sits at just under 27%. As with the PC and Mac markets, it makes sense that the prime targets are those with the largest market share. However, this also raises an interesting conundrum: there are billions of PCs and, pointedly, Macs in the world, and they don’t have locked ecosystems.

    Apple further argues that smart devices are carried with you all day, so they can gather more “pattern-of-life” details than traditional computers. But how well does this apply to iPads, which are just as mobile as iPhones, and which Apple is also positioning as traditional laptop replacements?

    What This Means For The Mobile Developer

    Regardless of messaging, Apple’s tactics have an impact on app developers. Small development shops may still wince remembering the hoops they jumped through to sign an iOS app before Xcode 8. Even today, some developers hold their breath when submitting to the App Store. In 2020, Apple says it rejected almost a million new apps. Of those, about half were misleading, violated privacy guidelines, contained undocumented features, or had fraudulent violations.

    Regardless, as an iOS developer, you have two basic choices: ship using the App Store or not. If you are a smaller developer and want to monetize to any reasonable degree, you must use the Store. However, let’s say you’re not as worried about monetization; perhaps you are a larger organization with different needs. What options do you have to distribute your app outside the App Store?

    Use the web. Despite the limitations that Apple has put on web APIs, you can still do a lot with JavaScript on Safari. Creating a progressive web app allows you to “install” it. You’ll have to walk your users through adding your icon to the home screen, but if you can live without push notifications, geofences, Bluetooth, serial connections, magnetometers, light sensors, NFC, and battery life (among other things), you can create code that runs in Safari. Microsoft recently did this to allow cloud streaming of Xbox games. The good news for web developers: biometric ID support was added in Safari 14 (PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable), and camera and microphone APIs were added in Safari 11 (MediaDevices.getUserMedia). Geolocation has been around since Safari 3 (Geolocation.getCurrentPosition).

    Join the Apple Developer Enterprise Program. If your app is meant for employees of your company and you work with more than 100 employees, your company can apply to enter the Apple Developer Enterprise Program. This will permit you to ship your app to employees without going through the App Store. In the past, enterprise certificates were used to distribute apps outside an organization; now, Apple has said it reserves the right to review apps distributed via enterprise certificates.

    Use ad hoc distribution. If you have a small number of high-value customers, you can distribute your app as a .ipa file that you generate and make available for download. Installation can be tricky: you will need to get the UDID of each device (up to 100) and entitle the devices in your account on developer.apple.com. Some developers point users to http://whatsmyudid.com/ to walk them through the process. You’ll also have to manage revoking and re-adding UDIDs and reissuing provisioning profiles on your own if your users switch devices.

    Ship the source. Since 2015, Xcode has allowed you to build software for iOS devices without a developer account. Telling users how to download and install the Xcode binaries, and possibly the Xcode command line binaries if you want to automate an install, is not trivial. However, it does allow you to deploy your software to customer devices, provided those customers have a Mac with a version of macOS that supports the Xcode version you want to use. Since users have your source, they are free to change it. You can package your code into a framework or library to reduce what users can modify.

    Require a jailbroken device. This is extreme and limits your user base to those who have the technical skill to hack their device. There’s also the obvious concern of taking advantage of security defects to run arbitrary code, and there may not be exploits for all iOS devices. However, your more technical users may have already jailbroken. Jailbreaking requires a Mac, and some jailbreaks require that the phone remain tethered to a computer while booting. Once jailbroken, a user can install your app from a third-party app store; Cydia is a commonly used one.

    Of course, there’s also a sixth option, which we don’t recommend: give up on Apple. Given that Android apps will run not just on Android devices but now Windows 11 desktops and laptops, that is an option for those who want to make their own decisions about security, privacy, and what they install.

    Really, it comes down to use case. For consumer-facing or information-worker apps, you likely have to abide by Apple’s sideloading philosophy. However, for task worker apps, where enterprises provision the device to employees or even business partners, sideloading flexibility has some value. If you are supporting franchisees or an extended network of suppliers, you have the option of preferring Android rather than navigating Apple’s restrictions.

    This post was written by Senior Analyst Andrew Cornwall, and it originally appeared here.

    Cybersecurity organizations announce new first responder credentialing program

    Cybersecurity companies and organizations are banding together to create a cybersecurity first responder credentialing program designed to support both large and small organizations dealing with cyber incidents.

    The ISA Global Cybersecurity Alliance is working with CISA on the effort, alongside the Incident Command System for Industrial Control Systems (ICS4ICS) and more than 50 other cybersecurity companies, universities and corporations. The groups will be incorporating FEMA’s Incident Command System framework for response structure, roles, and interoperability, according to a statement from ISA. Deloitte, Dragos, Ford Motor Company, Fortinet, Honeywell, Johnson Controls, KPMG, Nozomi Networks, Pfizer, Tenable, CyberOwl and Idaho State University are just a few of the organizations involved in the ISA Global Cybersecurity Alliance.

    “For many years, we’ve needed ICS4ICS, to enable collectively organized cyber and physical responses in a unified way. Credentialing cybersecurity first responders is an important milestone in this valuable public-private partnership,” said ISAGCA Advisory Board chairperson Megan Samford.

    Samford, who is also chief product security officer of Schneider Electric’s energy management business, said the groups have “developed an adjudication process and certified our first four responders.” The first round of credentials was given to Samford, CISA branch chief of cyber defense coordination Mark Bristow, FireEye senior manager of industrial control systems Neal Gay and the US Army Reserve’s Brian Wisniewski.

    “I’m proud to be one of them and stand ready to help companies recover from cyber incidents,” Samford added.

    FEMA’s Incident Command System framework is currently used in response to natural disasters, industrial accidents and other incidents, while the ICS4ICS methods are used by organizations to identify incidents, assess any damage, address immediate challenges, communicate with stakeholders and eventually resume operations.

    “The framework applies traditional Incident Command Systems best practices to cybersecurity incidents, ensuring common terminology and enabling diverse incident management and support entities to work together,” the groups said in a statement. “ICS4ICS provides clearly defined command structures, including standard roles needed in a response, and the framework can scale to support small or extremely large-scale incidents that impact many organizations.”

    A committee within ICS4ICS will manage the adjudication process, which the organization said will involve applications and candidate evaluations by a panel of incident command system subject matter experts. “The proven approach is vetted by industry companies and subject matter experts and the program has significant value for small to medium sized entities that do not have the time, finances, or personnel to assign a full-time cyber response unit, but still need to develop plans and train employees accordingly,” the groups said.

    Amazon rolls out encryption for Ring doorbells

    Did you know that the handy video your Ring doorbell takes of anyone coming by your door isn’t private? If you get a Ring Protect Plan, not only are your videos kept in the Amazon Web Services (AWS) cloud, they are transmitted in the clear. A sufficiently motivated hacker, or your local police force, can easily watch who’s walking by your door. Until now. Starting today in the US (and soon, throughout the world), you’ll be able to encrypt your video stream to keep it private.

    This is done with Amazon’s Video End-to-End Encryption (E2EE). If you decide to install this optional privacy feature, you’ll need to install a new version of the Ring application on your smartphone. Once installed, it uses a Public Key Infrastructure (PKI) security system based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.

    Earlier, Ring already encrypted videos when they are uploaded to the cloud (in transit) and stored on Ring’s servers (at rest). Law enforcement doesn’t have automatic access to customer devices or videos; you choose whether or not to share footage with law enforcement. With E2EE, customer videos are further secured with an additional lock, which can only be unlocked by a key stored on the customer’s enrolled mobile device, so that only the customer can decrypt and view recordings on that device.

    In addition, you’ll need to opt into using E2EE; it doesn’t turn on automatically with the software update. You’ll also need to set a passphrase, which you must remember. AWS doesn’t keep a copy. If you lose it, you’re out of luck.

    Before using E2EE, you should know AWS hasn’t integrated E2EE fully into Ring’s feature set. In other words, there are many features, such as sharing your videos, viewing encrypted videos on Ring.com, the Windows desktop app, the Mac desktop app, or the Rapid Ring app, and the Event Timeline, that you won’t be able to use. E2EE also won’t work with many Ring devices. In particular, E2EE won’t run on Ring’s most popular, least expensive, battery-powered Ring doorbells.

    Even with E2EE security, the police can ask for or demand your video and audio content. As Matthew Guariglia, an Electronic Frontier Foundation (EFF) policy analyst, has pointed out: “If your town’s police department has a partnership with Ring, you can also anticipate getting email requests from them asking for footage from your camera any time a suspected crime occurs nearby.”

    According to a Ring representative, Ring’s E2EE is designed so that even the company cannot decrypt your end-to-end encrypted video. That includes law enforcement officers, because the private keys required to decrypt the videos are stored only on customers’ enrolled mobile devices.

    Until recently, by default, police could send automatic bulk email requests to individual Ring users in an area of interest of up to a square half-mile. Now, police can publicly post their requests to Ring’s Neighbors app.

    Guariglia also observed, “Ring’s default setup is primed to instill paranoia: Ring doorbells send you an alert whenever the motion activation is triggered, which means that your phone will buzz every time a squirrel, falling snow, a dog walker, or a delivery person set off the Ring.” For example, many people now believe that violent crime is worse than ever in the US. That’s simply not true.

    Privacy, on the other hand, is under siege. If you value your privacy, and you still like the convenience of Ring, I encourage you to use E2EE. I will be.