    Microsoft warns of current Nobelium phishing campaign impersonating USAID

    Microsoft has warned that Nobelium is currently conducting a phishing campaign after the Russian-backed group managed to take control of the account used by USAID on the email marketing platform Constant Contact. The phishing campaign has targeted around 3,000 accounts linked to government agencies, think tanks, consultants, and non-governmental organisations, Microsoft said. The US had received most of the malicious email, but it had reached 24 countries at a minimum. “Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID,” Microsoft corporate vice president of customer security and trust Tom Burt said. “From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.” Burt added that many of the emails were blocked, and there is no reason to think the attacks involve any vulnerability in Microsoft products. The campaign was discovered in February, and Microsoft observed how Nobelium was changing its approach to getting its malicious code onto victim computers, a post from the Microsoft Threat Intelligence Center (MTIC) said. In one instance, if a Nobelium-controlled server detected an Apple iOS device, it served up a WebKit universal cross site scripting vulnerability. Apple said on Wednesday it was aware of the vulnerability being actively exploited.

    “In the May 25 campaign, there were several iterations. In one example the emails appear to originate from USAID, while having an authentic sender email address that matches the standard Constant Contact service,” MTIC said. “This address (which varies for each recipient) ends in @in.constantcontact.com … and a Reply-To address of was observed.” Once the link is clicked, a malicious ISO is delivered that contains a decoy document, a shortcut, and a malicious DLL with a Cobalt Strike Beacon loader that Microsoft has named NativeZone. If the shortcut is run, the DLL is executed and Nobelium is off to the races. “The successful deployment of these payloads enables Nobelium to achieve persistent access to compromised machines,” MTIC said. “Then, the successful execution of these malicious payloads could enable NOBELIUM to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.” MTIC added the Cobalt Strike Beacons use port 443 to call out to command and control infrastructure, and provided an indicators of compromise list in its post. “It’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem,” Burt said. “This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organisations.” Burt called for rules related to how nations operate online, and for there to be consequences for violations. “Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace,” he said.
Nobelium has been best known for the SolarWinds supply chain hack that saw a backdoor planted in thousands of organisations before cherrypicking nine US federal agencies and about 100 US companies to actually compromise and steal information from. Microsoft has previously called out pieces of malware used by the group. Mimecast said in March some of its source code and customer records were taken as part of the SolarWinds attack.


    eSafety prepares for Online Safety Act with AU$3m software pilot and 20 new staff

    The Australian eSafety Commissioner was handed AU$21 million in the 2021-22 Budget earlier this month, with the funding to be spread across software, more staff, and continuing its work on technology-facilitated abuse involving children. With Prime Minister Scott Morrison parading the recent Budget as “supporting Australian women”, eSafety’s funding falls under this umbrella. A “women’s online package” includes AU$15 million over two years for eSafety to increase its investigations capability — the hiring of 20 more staff in line with anticipated passage of the Online Safety Act — and AU$3 million for a software pilot. During Senate Estimates on Thursday, eSafety Commissioner Julie Inman Grant was grilled over the funding amount and was asked to provide specifics on a piece of tech that was not yet scoped, given the Budget announcement was only made a few weeks prior. “AU$3 million has been dedicated to a pilot … this has been something we’ve been thinking about since 2017. In some of the most egregious cases we’ve seen, we’ve had people come to us with 400 different URLs — if you’ve got a very determined predator, they can put it on multiple websites, image boards, rogue porn sites,” she explained before being interrupted. “First of all, we’re going to need to scope a number of things, in terms of legality, and asking consent, and how long we might trawl the web, how we would construct the tool. “We haven’t said we’re going to spend this much — we might decide to build the technology from scratch, if we don’t find any commercial version of AI … we would want to make sure that any technology we were using, and it might not just be a software tool, it may be infrastructure that’s required, so I’m not prepared to say how much we would pay for the technology per se, because there is a lot of work that would need to go around it.”

    The existing Olympus investigative system eSafety currently uses was built from the ground up using some commercial products, by a lot of the agency’s own developers, she added. “This is the first time that we’ve been granted funding to be able to properly scope this,” she said. Inman Grant is set to receive sweeping powers with the passage of the Online Safety Bill 2021. Among other things, the Bill extends the cyber takedown function currently in place for children to adults. The agency has received 3,600 adult cyber abuse-related requests since it began taking them informally in 2017. Only 72 of them, however, eSafety considered as reaching the threshold for “real harm”. One of them, Inman Grant said, was “horrific”, and a few of them involved domestic violence and stalking. “We’ve leveraged our relationships with social media platforms to help remove material in 72 of the most serious cases,” eSafety head of investigations Toby Dagg added. If eSafety had formal powers, that 72 figure would be higher. “Because [we] don’t have formal powers in this area and there’s no scheme to apply, they have represented the most serious matters that have warranted us coordinating with platforms to have that material removed,” Dagg said. “There is no power, so we’re actually relying on the goodwill of the platforms to act when we think people are at risk of serious harm,” Inman Grant added. “We’re not trying to use the sledgehammer every single time … we’re not asserting any legal authority, we are telling them that’s someone who we believe is at risk and who is experiencing extreme distress due to content that’s on their site.” About 70% of the adult cyber abuse cases eSafety has held informally possessed an element of defamation to them.
IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:

    • Suicide Call Back Service on 1300 659 467
    • Lifeline on 13 11 14
    • Kids Helpline on 1800 551 800
    • MensLine Australia on 1300 789 978
    • Beyond Blue on 1300 22 46 36
    • Headspace on 1800 650 890
    • QLife on 1800 184 527


    FBI issues warning about Fortinet vulnerabilities after APT group hacks local gov’t office

    The FBI issued a flash alert on Thursday after a local government office was attacked through Fortinet vulnerabilities earlier this month. The release said an “APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.” “The APT actors likely created an account with the username ‘elie’ to further enable malicious activity on the network,” according to the white flash alert. The FBI did not say which local government was attacked, but the latest release follows multiple warnings about cyberattackers exploiting vulnerabilities related to Fortinet. “As of at least May 2021, an the FBI and the CISA previously warned in April 2021 that APT actors had gained access to devices on ports 4443, 8443, and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591,” the FBI said. By breaking into systems through Fortinet vulnerabilities, cybercriminals or nation states can “conduct data exfiltration, data encryption, or other malicious activity.” The release noted that from their investigations, it seems that the actors behind the attack are focused on exploiting this specific vulnerability as opposed to attacking specific targets or industries. All of the vulnerabilities listed relate to Fortinet FortiOS, an operating system that is the backbone of Fortinet Security Fabric. The company said it was designed to offer better enterprise security, cloud deployments, and centralized networks. But despite the warnings, it appears APT groups are still able to leverage the vulnerabilities.

    Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, noted that all of the vulnerabilities listed in the notice are at least one year old, spotlighting the need for government institutions to improve patch management. “It’s good to get a reminder because it’s not just Fortinet threat actors are targeting. Using least privilege principles, performing regular updates and patching, using network segmentation, using backups, and strengthening login processes all go a long way to securing the estate,” Nikkel said. “It’s safe to say most criminal groups and APTs are counting on enterprises not being great at doing all of these things, and their continued success only highlights that fact.”


    Have I been Pwned goes open source

    The question isn’t “Does someone have your user IDs and passwords?” I guarantee you someone has. Don’t believe me? Check for yourself at Have I Been Pwned (HIBP). I’ll wait. Now, do you believe me? 

    People check the free HIBP site at a rate of almost 1 billion requests per month. It collects data from all the many personal security breaches that happen every week or two. Last year alone we saw dozens of data breaches. Moving forward, HIBP will now also receive compromised passwords discovered in the course of FBI investigations. Why is the FBI getting involved? Because Bryan A. Vorndran, the FBI’s Assistant Director, Cyber Division, said, “We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime.” The FBI passwords will be provided in SHA-1 and NTLM hash pairs; HIBP doesn’t need them in plain text. They’ll be fed into the system as they’re made available by the Bureau. To do that, HIBP is adding on a new, open-source program, Pwned Passwords, to let the data flow easily into HIBP.  HIBP founder Troy Hunt, security expert and Microsoft Regional Director, explained he’s open-sourcing the code because “The philosophy of HIBP has always been to support the community, now I want the community to help support HIBP.” HIBP is written in .NET and runs on Azure. With a billion searches a month, I’m sure Hunt can use all the help he can get. He started planning to open-source HIBP in August 2020.  Hunt quickly discovered this wasn’t easy. He wrote: I knew it wouldn’t be easy, but I also knew it was the right thing to do for the longevity of the project. What I didn’t know is how non-trivial it would be for all sorts of reasons you can imagine and a whole heap of others that aren’t immediately obvious. One of the key reasons is that there’s a heap of effort involved in picking something up that’s run as a one-person pet project for years and moving it into the public domain. 
I had no idea how to manage an open-source project, establish the licensing model, coordinate where the community invests effort, take contributions, redesign the release process, and all sorts of other things I’m sure I haven’t even thought of yet. This is where the .NET Foundation comes in. The .NET Foundation isn’t part of Microsoft. It’s an open-source independent 501(c) non-profit organization. 

    Hunt’s starting with the Pwned Password code because it’s relatively easy. The reasons for this include:

      • It’s a very simple codebase consisting of Azure Storage, a single Azure Function, and a Cloudflare worker.
      • It has its own domain, Cloudflare account, and Azure services so it can easily be picked up and open-sourced independently to the rest of HIBP.
      • It’s entirely non-commercial without any API costs or Enterprise services like other parts of HIBP (I want community efforts to remain in the community).
      • The data that drives Pwned Passwords is already freely available in the public domain via the downloadable hash sets.

    Thus, Hunt could “proverbially ‘lift and shift’ Pwned Passwords into open-source land in a pretty straightforward fashion which makes it the obvious place to start. It’s also great timing because as I said earlier, it’s now an important part of many online services and this move ensures that anybody can run their own Pwned Passwords instance if they so choose.” Hunt hopes “that this encourages greater adoption of the service both due to the transparency that opening the code base brings with it and the confidence that people can always ‘roll their own’ if they choose. Maybe they don’t want the hosted API dependency, maybe they just want a fallback position should I ever meet an early demise in an unfortunate jet ski accident. This gives people choices.”

    At one time Hunt had considered selling HIBP. With this open-source move, this no longer appears to be the case. The HIBP code is being kept on GitHub. It’s licensed under the BSD 3-Clause license.

    The overall plan is:

      • There’s an authenticated endpoint that’ll receive SHA-1 and NTLM hash pairs of passwords. The hash pair will also be accompanied by a prevalence indicating how many times it has been seen in the corpus that led to its disclosure.
      • Upon receipt of the passwords, the SHA-1 hashes need to be extracted into the existing Azure Blob Storage construct. This is nothing more than 16^5 different text files (because each SHA-1 hash is queried by a 5 character prefix), each containing the 35-byte SHA-1 hash suffix of each password previously seen and the number of times it’s been seen. “Extracted into” means either adding a new SHA-1 hash and its prevalence or updating the prevalence where the hash has been seen before.
      • Both the SHA-1 and NTLM hashes must be added to a downloadable corpus of data for use offline and as per the previous point, this will mean creating some new entries and updating the counts on existing entries. Due to the potential frequency of new passwords and the size of the downloadable corpora (up to 12.5GB zipped at present), my thinking is to make this a monthly process.
      • After either the file in blob storage or the entire downloadable corpus is modified, the corresponding Cloudflare cache item must be invalidated. This is going to impact the cache hit ratio which then impacts performance and the cost of the services on the origin at Azure. We may need to limit the impact of this by defining a rate at which cache invalidation can occur (i.e. not more than once per day for any given cache item).

    That said, as Hunt admits, this is very much a work in progress: “I don’t have all the answers on how things will proceed from here.” But, with the help of you, the FBI, and the .NET Foundation, HIBP promises to be more useful than ever.
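The storage layout and update rule in the plan above, as an added Python sketch (not code from the HIBP project, which is .NET on Azure). An in-memory dictionary stands in for the 16^5 blob files; the `SUFFIX:COUNT` line layout, additive prevalence updates, and the names `RangeStore`, `ingest`, `render`, `purge_due` and `check_password` are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

PREFIX_LEN = 5                 # each bucket is keyed by the first 5 hex characters
MIN_PURGE_INTERVAL = 86_400    # "not more than once per day for any given cache item"

_HEX = re.compile(r"[0-9A-F]+")


def _norm(value, length, label):
    """Uppercase a hex string and reject anything that is not exactly `length` hex chars."""
    value = value.strip().upper()
    if len(value) != length or not _HEX.fullmatch(value):
        raise ValueError(f"{label} must be {length} hex characters")
    return value


class RangeStore:
    """In-memory stand-in for the blob store: one 'file' per 5-character prefix."""

    def __init__(self):
        self.buckets = defaultdict(dict)   # prefix -> {35-char suffix: prevalence}
        self.ntlm = defaultdict(int)       # offline corpus: NTLM hash -> prevalence
        self.dirty = set()                 # prefixes changed since their last purge
        self.last_purge = {}               # prefix -> time of last cache invalidation

    def ingest(self, sha1_hex, ntlm_hex, prevalence):
        """Add a new hash pair, or update the prevalence of one seen before."""
        sha1_hex = _norm(sha1_hex, 40, "SHA-1")
        ntlm_hex = _norm(ntlm_hex, 32, "NTLM")
        if not isinstance(prevalence, int) or prevalence < 1:
            raise ValueError("prevalence must be a positive integer")
        prefix, suffix = sha1_hex[:PREFIX_LEN], sha1_hex[PREFIX_LEN:]
        bucket = self.buckets[prefix]
        bucket[suffix] = bucket.get(suffix, 0) + prevalence   # assumption: counts add up
        self.ntlm[ntlm_hex] += prevalence
        self.dirty.add(prefix)
        return bucket[suffix]

    def render(self, prefix):
        """Bucket contents as SUFFIX:COUNT lines (layout assumed for this sketch)."""
        prefix = _norm(prefix, PREFIX_LEN, "prefix")
        rows = sorted(self.buckets.get(prefix, {}).items())
        return "\n".join(f"{suffix}:{count}" for suffix, count in rows)

    def purge_due(self, now):
        """Return changed prefixes whose cache item may be invalidated at time `now`."""
        due = sorted(
            p for p in self.dirty
            if now - self.last_purge.get(p, float("-inf")) >= MIN_PURGE_INTERVAL
        )
        for p in due:
            self.last_purge[p] = now
            self.dirty.discard(p)
        return due


def check_password(store, password):
    """Client side: hash locally, fetch only the prefix bucket, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in store.render(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def demo():
    """Constructed walk-through: three submissions of one pair, three purge attempts."""
    store = RangeStore()
    sha1 = hashlib.sha1(b"password").hexdigest()
    fake_ntlm = "A" * 32               # constructed placeholder, not a real NTLM hash
    store.ingest(sha1, fake_ntlm, 3)
    store.ingest(sha1, fake_ntlm, 2)
    first = store.purge_due(now=0)         # never purged before, so it is due
    store.ingest(sha1, fake_ntlm, 1)
    second = store.purge_due(now=3_600)    # changed again, but purged an hour ago
    third = store.purge_due(now=86_400)    # a full day later, due again
    return (check_password(store, "password"),
            check_password(store, "not-in-corpus"), first, second, third)


if __name__ == "__main__":
    print(demo())
```

The lookup never sends the full hash to the store: only the 5-character prefix leaves the client, and the 35-character suffix comparison happens locally.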


    DHS releases new cybersecurity guidelines for pipelines after Colonial attack

    The Department of Homeland Security’s Transportation Security Administration released new cybersecurity guidelines for pipeline owners and operators following the ransomware attack on Colonial Pipeline that left thousands of people in the US scrambling for gas for about a week. Colonial has faced backlash in recent weeks for how they responded to the attack and for admitting they paid the attackers almost $5 million for tools to restore their systems. The tools they got in return did not help, and the federal government had to step in to help the company get back online as gas prices on the East Coast spiked. The new DHS directive, which was first reported by The Washington Post earlier this week, forces pipeline owners to report any cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency and requires all pipelines to have a Cybersecurity Coordinator who can be on call 24/7. All pipeline operators will also have to send CISA and TSA a report in 30 days about “their current practices as well as to identify any gaps and related remediation measures.” In addition to the new measures, TSA is considering other mandatory measures for pipelines and in a statement, DHS said the security directive would allow them to “better identify, protect against, and respond to threats” directed at the country’s pipelines. Secretary of Homeland Security Alejandro Mayorkas said the department had no choice but to adapt to the “new and emerging threats” that continue to evolve. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security,” Mayorkas said.
“DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.” The Washington Post noted that the attack on Colonial caused the pipeline to shut down for 11 days and left federal officials shellshocked considering the devastating effects to the airline, transit and chemical industries if the shutdown went on for much longer.

    The first set of cybersecurity guidelines for pipelines were issued in 2010 and updated in 2018 by TSA but have faced backlash for being voluntary and lackluster considering the evolution of cyberattack capabilities. If any of the new regulations are violated, pipelines will face financial penalties, according to DHS officials who spoke to The Washington Post.  The US currently has more than 3,000 pipeline companies managing nearly three million miles of pipeline in the country. The government has faced criticism in Congress and from pipeline operators for having a TSA office staffed with just six people watching the cybersecurity of all oil and gas pipelines. There has also been significant debate over which government agency would be better suited to protecting the cybersecurity of the country’s pipelines, with some in the House Energy and Commerce Committee arguing that the Energy Department is more experienced in the field than TSA. Cybersecurity experts had mixed responses to the new regulations. Some said they did not do enough to force pipeline operators to take cybersecurity seriously while others worried that the burden was being put on victims to protect themselves. Jim Gogolinski, vice president at iboss, said the directive is likely being modeled after the existing NERC CIP standards that are designed to prevent and mitigate attacks against critical electrical infrastructure. “Reporting is obviously a key part of that but so are security protocols, system management, and personnel training. The NERC CIP standards are followed closely because fines for not complying can reach as high as $1 million per day per violation,” Gogolinski said. 
“If the new pipeline directive includes similar fines, we would expect to see swift efforts by the industry to come into compliance.” Nozomi Networks CEO Edgard Capdevielle said his company works with oil and gas enterprises around the world and noted that like most critical infrastructure sectors in the US, the oil and gas industry did not have mandatory cyber standards until now. The mandatory breach reporting requirement would allow for more collaboration between pipeline operators, security vendors and the government, Capdevielle said, adding that an open approach to information sharing will play a big part in building a more mature cyber defense. “The distributed nature of the oil and gas sector makes this extra challenging. It requires many different forms of connectivity and can be more difficult to secure. These environments are distributed and physically remote,” Capdevielle said. “No two operators are alike in terms of the exact processes and systems they’re using, which makes it harder to establish one set of cybersecurity requirements that will work effectively for all. While there’s a place for regulated security requirements, we need to be careful not to put all the burden on the victims. Tax incentives, and government-funded centers of excellence will help ensure critical infrastructure operators can build and maintain effective cybersecurity programs over time.” Other experts, like Coalfire cyber executive Joseph Neumann, were far less excited about the new rules, telling ZDNet that regulations “have never helped a company improve its security posture.” The mandatory reporting requirement does not help the industry or anyone in any way, he said, explaining that mandatory external audits and security assessments would be better requirements to force companies to improve their overall security.
“The power generation sectors like this frequently lag behind in security posture with aging infrastructure and legacy systems that have been in place for decades. These organizations over the years have slowly blended their corporate and Operational Technology networks together creating a nasty opportunity for bad things to occur as we have seen in the Colonial Pipeline incident,” Neumann said. “The Federal Government itself is struggling to keep its systems secure as seen from the recent SolarWinds breaches and rush mitigations pushed down by the Department of Homeland Security.” John Bambenek, threat intelligence advisor at Netenrich, said that while the mandatory notification rule will get the most press, the protective regulations are far more important. “The facts are, we have thousands of pages of policies, regulations, and studies on security for the federal government and they still get breached,” Bambenek said. “A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing future incidents.”



    Singapore sends out drones to watch over reservoirs

    Singapore is sending out drones to monitor water quality and activities at its reservoirs. It hopes this will reduce the number of hours currently needed to perform such tasks by 5,000 man-hours. Officers currently spend 7,200 man-hours a year carrying out various duties at these water catchment areas across the island. These include daily patrols to identify excessive growth of aquatic plants and algal blooms, which could affect water quality. Data also is collected on water activities, such as fishing and paddling, in and along the edge of the reservoir to ensure these are carried out safely. Singapore’s water agency PUB said in a statement Thursday it would deploy Beyond Visual Line of Sight drones to initially monitor two reservoirs–MacRitchie and Marina–before adding another four to the roster later this year. These would include Serangoon, Kranji, Lower Seletar, and Lower Peirce.

    The drones would be equipped with remote sensing systems and a camera to facilitate near real-time video analytics. They had been designed specifically to monitor water quality and activities, said PUB, a statutory board that is responsible for Singapore’s water supply and catchment as well as used water. Drone flights at Marina and MacRitchie would be deployed four days a week, at regular intervals throughout the day. These would run at a lower frequency, of one to two days weekly, at the other four reservoirs. Tapping a network of rivers, canals, and drains, rainwater on two-thirds of the city-state’s land area is redirected to 17 reservoirs and harvested for potable consumption. According to PUB, the drones would be able to survey large areas of the reservoir and collect “comprehensive data”. They also would send out alerts when certain activities were detected, such as illegal fishing.

    Local vendor ST Engineering had been contracted to deploy its drone operating system DroNet, which had been further customised to cater to PUB’s needs. Trials were conducted at the reservoirs last year. The drones would be stored at an automated pod, from which it would take off and land autonomously. Each would fly on pre-programmed flight plans within the reservoir compound and be remotely monitored by an operator. The drone’s remote sensing technology would analyse the water for turbidity and algae concentration, which would provide indications of water quality. Where necessary, PUB officers would visit the site to collect water samples for laboratory analysis. A video analytics algorithm also had been developed, and tested, to identify aquatic plant overgrowth in the reservoir using live video feed from the drone’s camera. PUB officers would monitor the video feed as well as data via an online dashboard. When illegal water activities were detected, near real-time alerts would be sent to a dedicated Telegram channel, which officers could access via their mobile phones. The agency said cameras on the drones would not gather personal data including facial recognition. Their flight plans also would not be near residential areas. Noting that Singapore’s reservoirs were an important source of water supply for the population, PUB’s director of catchment and waterways Yeo Keng Soon said it was challenging in terms of manpower to effectively monitor what went on at each reservoir and ensure the reservoirs remained in optimal condition. “Our use of drones is in line with PUB’s commitment to leverage technology as part of the SMART PUB roadmap to improve our operations and meet future needs,” Yeo said. “With the drones, we can channel manpower to more critical works, such as the inspection and maintenance of reservoir gates, as well as pump and valve operations.
The drones also act as an early warning system that enhances our response time to the myriad of issues that our officers grapple with on a daily basis.”


    This phishing attack is using a call centre to trick people into installing malware on their Windows PC

    A prolific phishing campaign is attempting to trick people into believing they’ve subscribed to a movie-streaming service to coerce them into calling a phone number to cancel – where someone will guide them through a procedure that infects their computer with BazaLoader malware. BazaLoader creates a backdoor onto Windows machines that can be used as an initial access vector for delivering additional malware attacks – including ransomware. The notorious Ryuk ransomware is commonly delivered via BazaLoader, meaning a successful compromise by cyber criminals could have extremely damaging consequences.

    The latest BazaLoader campaign is based around human interaction and an intricate attack chain that decreases the chance of the malware being detected. Detailed by cybersecurity researchers at Proofpoint, the first stage of the campaign involves the distribution of tens of thousands of phishing emails claiming to come from ‘BravoMovies’ – a fake video-streaming service made-up by cyber criminals. The website looks convincing and those behind it have even made fake movie posters by using open-source images available online – although the way the website contains various spelling errors could hint that something isn’t right if the visitor looks carefully. The email claims the victim signed up for a trial period and they’ll be charged $39.99 a month – but that supposed subscription can be cancelled if they call a support line.

    If the user calls the number they’re connected to a ‘customer service’ representative who’ll claim to guide them through the process of unsubscribing – but what they’re actually doing is telling the unwitting victim how to install BazaLoader on their computer. They do this by guiding the caller to a “Subscribtion” page, where part of the process encourages them to click a link that downloads a Microsoft Excel spreadsheet. This document contains macros, which if enabled, will secretly download BazaLoader onto the machine, infecting the victim’s PC with malware. While this takes more hands-on effort by the attackers, directing users towards a payload away from the initial phishing email makes the malware more difficult to detect during the download and installation process. “Malicious attachments are often blocked by threat detection software. By directing people to phone the call centre as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. “However, doing so significantly lowers the likelihood of a victim engaging with the content and takes more time and effort on the part of the threat actors.” But for the attackers, it could be that the lower risk of the attack being discovered makes the extra effort worth it in the end. “Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take an action to complete the attack chain and get the malware on the target’s machine,” said DeGrippo. To help protect users – and the wider organisation – from phishing attacks and social engineering, information security teams should train users to spot and report malicious emails.
It’s also worth noting that while receiving an email that claims your credit card will be charged if you don’t respond is startling, creating a sense of urgency like this is a common technique used in phishing campaigns in order to trick the user into letting their guard down and following instructions.


    Criminals love cryptocurrencies. Should you?

    The irresponsible libertarian rationale for all manner of bad behavior – popular in Silicon Valley – has found its greatest expression in cryptocurrencies like Bitcoin and its ilk. The anonymity of cryptocurrencies had made ransomware a global criminal enterprise.

    Digital mirage

    Currencies are traditionally a medium of exchange, a store of value, and a unit of account. Cryptocurrencies are bad at all three. Yes, they are a medium of exchange, but try to buy a house with one. Painful. As a store of value they are extremely unstable, since there is no underlying asset, such as the full faith and credit of a nation. Which directly reflects on the third use of currency – a unit of account – how do you maintain a set of books with a currency whose value is ever shifting? If you own a cryptocurrency and aren’t a criminal, you’re a speculator. To see how that ends, check out Tulip Mania.

    Anonymity is the problem today

    Good arguments can be made for a digital global currency, although that has serious problems too, as the Euro has demonstrated. The real problem is the anonymity that enables criminals to collect multi-million dollar ransoms without fear of being tracked down and brought to justice. How is that a good thing?

    The bigger problem

    Suppose you are a billionaire. You’ve gotten comfortable with evaluating risks, knowing that you can deploy a phalanx of Ivy league lawyers at $1,000 an hour to make your case and hold off the law. Gosh. Untraceable digital money. No more paying mules to haul cash across national borders. Pay foreign law firms to create shell companies to hide assets – private island, superyacht, arms dealing, drugs, sex trafficking – with untraceable cash. Yum!

    Yeah, the local tax authorities might get lucky and figure out what you’ve done, but really, they don’t have the expertise. Unregulated digital currencies are empowering a whole new level of criminal.

    Plus, they’ve been hacked

    Much of the technical interest in cryptocurrencies is due to the blockchain data structure, a supposedly unhackable storage technology that preserves, forever, the history of a particular coin. But as we’ve seen repeatedly, the blockchain may not be hackable, but the supporting infrastructure surely is. Beyond that, one of these days quantum computing will leave computer science labs and enable the decryption – and rewriting – of cryptographically protected blockchains. Sorry, Mr. Boris owns your Bitcoin, not you. It says so right here.

    The Take

    I’ve been watching cryptocurrencies for years. I get the attraction. But it’s now clear — the Colonial Pipeline shutdown is only the latest example — that they need policing. Anonymity, at least, must end. I suspect that with policing, much of the attraction will disappear. Oh well. It doesn’t matter how much technobabble surrounds a bad idea. It’s still a bad idea. Comments welcome. If you think cryptocurrencies are wonderful, please tell me, in as few words as you can manage, why. I’m listening.