More stories


    Australians are losing over AU$6.6 million each month to cryptoscams

    Losses related to cryptocurrency investment scams made up over a quarter of the total scams reported to the Australian Competition and Consumer Commission (ACCC) from the start of the year to the end of August. In a response to a question on notice from the Senate Select Committee on Australia as a Technology and Financial Centre, the ACCC revealed it received 3,007 reports that totalled losses of AU$53.2 million. This represented 55% of all losses due to investment scams, and 48% of all investment scam reports.

    Broken down by state, New South Wales had 860 reports for AU$20.6 million in losses, Victoria had 563 reports for AU$12.6 million in losses, Queenslanders lost AU$8.2 million and made 485 reports, while Western Australia made 268 reports on AU$3.8 million in losses.

    By age, those in the 55-64 bracket lost over AU$12.6 million and made 365 reports, those over 65 accounted for AU$10.7 million in losses and filed 356 reports, while those aged 44-54 made 352 reports and lost AU$8.7 million. As age decreased, so did the losses, with those aged 35-44 making 627 reports for losses of AU$7.6 million. 25-34-year-olds lost AU$7 million and made 570 reports.

    Beyond cryptoscams, those labelled “traditional scams” (such as pre-IPO, share, and foreign exchange scams) accounted for AU$21 million in losses from 411 reports, the “other” category had 2,590 reports for AU$11.7 million in losses, and Ponzi schemes had 110 reports for only AU$239,000 lost. The grand total lost to all investment scams to August 31 was AU$96.6 million.

    Broken down by state, New South Wales had 1,864 reports for AU$33 million in losses, Victoria had 1,316 reports for just shy of AU$23 million in losses, Queenslanders lost AU$20 million and made 1,060 reports, with Western Australia making 580 reports on AU$7.7 million in losses. On Monday, the ACCC said from the start of 2021 to September 19, Australian losses to all scams had passed AU$175 million.

    “While the proportion of reports involving a financial loss has dropped this year, the people who do lose money are losing bigger amounts. The average loss so far this year is about AU$11,000 compared to AU$7,000 for the same period in 2020,” ACCC deputy chair Delia Rickard said.

    The ACCC said it had seen a 261% increase in phishing scams, a 144% increase in remote access scams, and a 234% increase in identity theft. The consumer watchdog said it had been passing scammer phone numbers on to Australian carriers, and working with banks to “raise awareness with their customers” who could have been hit by the Android malware known as Flubot.


    Eftpos granted government accreditation as first private ID exchange operator

    Eftpos has become the first accredited non-government operator of a digital identity exchange under the federal government’s Trusted Digital Identity Framework (TDIF). By becoming an accredited operator, Eftpos connectID can now facilitate online transactions requiring a digital identity from Australians.

    Eftpos sent connectID live in June as a fully-owned subsidiary of the organisation and as a standalone fintech company. It’s been set up to act as “broker” between identity service providers and merchants or government agencies that require identity verification, such as proof of age, address details, or bank account information. It has been designed to work within the federal government’s Trusted Digital Identity Framework (TDIF) and the banking industry’s TrustID framework.

    Although the Australian government has its own digital identity solution with myGovID, Eftpos has previously said its solution could provide a “smoother, faster, and more secure onboarding experience, including for government services”. Eftpos has also assured that connectID does not store any identity data.

    “A safe, thriving digital economy is the best way we can grow the Australian economy. A safe, thriving digital economy is not possible without digital identity — that is, a safe, secure, and convenient way for Australians to prove their identity online,” Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said.

    “Through accreditation, we make sure Australians and Australian businesses can have trust and confidence that their personal information is safe and secure. As an accredited provider, Eftpos has demonstrated that connectID is trustworthy, safe, and secure and has met strict usability and accessibility requirements. I congratulate Eftpos for being the first private identity exchange to be accredited under the TDIF.”

    Eftpos applied for accreditation in May. The federal government’s myGovID was the first to be granted a TDIF accreditation, followed by Australia Post’s Digital ID. Last month, OCR Labs became the first accredited non-government operator to provide digital identity services to the private sector.

    “TDIF accreditation is a big step forward for Eftpos and industry to help bring the benefits of digital identity to more sectors of the economy. It is a significant and tangible milestone in the rollout of Australia’s digital identity ecosystem and comes after months of rigorous assurance evaluations and privacy and security testing,” Eftpos CEO Stephen Benton said.

    Since last year, Eftpos has been piloting connectID with 20 “well-known” Australian brands, including Australia Post and Yoti. According to Eftpos digital identity managing director Andrew Black, the company is looking to use connectID to help businesses address issues in areas such as commerce onboarding, recruitment, responsible gaming, anti-money laundering and identity verification.

    The news follows Mastercard and the Digital Transformation Agency (DTA) announcing plans to scope out how the former’s digital identity service could enable Australians to digitally verify their age and identity. Mastercard is also seeking accreditation under the TDIF.
    If granted, Mastercard said it would enable consumers to create a reusable digital identity using official identity documents, such as passports and driving licences, as well as protect digital identity data using encryption and facial biometrics.

    In June, the Australian government published a consultation paper on digital identity that indicated legislation would enter Parliament later this year to allow non-government entities to provide digital identification services to Australians. Under the TDIF, the set of rules can only be applied to Australian government entities (it can’t be applied to states and territories, or to the private sector), which is why legislation is required. The Digital Identity Legislation is intended to ensure privacy safeguards are in place, such as limiting access to biometric information, but it will include the ability for users to consent to their biometric information being accessed for fraud or security investigations.


    Miffed security researcher finds way to get Apple talking, drops three iOS vulnerabilities

    For most of 2021, a security researcher going by the name of illusionofchaos has been engaged in an unfruitful conversation with Apple to fix a number of vulnerabilities that allow apps to make API calls to pull down user information that they should not be able to. On Friday, the researcher went public with their findings, which covered one vulnerability fixed in iOS 14.7 and three unpatched vulnerabilities.

    The fixed bug involved Analyticsd and allowed apps to access logs containing medical information, device usage information, application crashes, and information on device accessories.

    The unpatched vulnerabilities included the gamed service not properly checking Game Center permission and allowing access to the Core Duet database, which contains all contacts from Mail, SMS, iMessages, and some attachments; the Apple ID email, full name, and authentication tokens allowing access to at least one apple.com endpoint; and read access to the speed dial database and address book. A vulnerability in Nehelper allowed an app to check whether any other app was installed, and another Nehelper bug allowed unauthorised access to Wi-Fi information.

    The researcher said when Apple fixed the Analyticsd issue, they were not credited, with Apple saying in July that credit was forthcoming. By September, the researcher was still waiting. For each vulnerability, the researcher published proof-of-concept code on GitHub.

    On Saturday, the researcher received a response from Apple, which said it had seen the blog post and apologised for the delay. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance,” Apple said. ZDNet asked Apple for comment on Friday, but we are still awaiting a response.

    Over the weekend, a blind developer complained that Apple had labelled as spam an update to make an accessible version of Hangman run on iOS 15. “My app is made for the blind and that all the other hangman games I have seen on the app store are half playable and … this is a bugfix update and already existing users who have paid for the app are unable to play using iOS 15,” Oriol Gómez sentís wrote. “To my horror, they replied saying that yes, ‘we understand that your app has voiceover’, hello? My app has voiceover? But unfortunately the rejection is still in place.” By the early hours of Monday morning, the developer said Apple had approved the update, but the app remained in violation of App Store guidelines.


    Operation Ironside has confiscated AU$31 million of assets so far

    Australian Federal Police (AFP) has so far seized over AU$31 million of assets through Operation Ironside, the message decryption sting operation that was labelled as the country’s “most significant operation in policing history”.

    The update was provided as part of an AFP announcement that it made its first multi-million cash forfeiture as part of the sting operation, confiscating AU$6 million of cash from a Western Australian man. The man, who was a member of a criminal syndicate, has pleaded guilty to various criminal offences and will face five years of imprisonment. The AU$6 million in cash will be redistributed from the confiscated assets account by Home Affairs Minister Karen Andrews to support crime prevention, law enforcement, and related community initiatives, the AFP said.

    The operation, dubbed Project TrojanShield by the Federal Bureau of Investigation (FBI), is a global sting operation that was commenced by the US agency after it recruited a confidential human source to provide access to the Anom platform, an encrypted communications product used by transnational criminal organisations. The AFP contributes to the sting operation by providing its “technical capability” in decrypting those messages. In Australia, intelligence and law enforcement agencies can request or demand assistance from communications providers to access encrypted communications. Europol is also involved in the operation.

    The AU$31 million figure only accounts for the assets confiscated by the AFP, and does not include those seized by law enforcement agencies outside of Australia.

    When the global investigation was first unveiled in June, the FBI, AFP, and Europol jointly said the operation at the time had led to 525 search warrants, 224 individuals being charged, 525 charges in total, six clandestine labs being taken down, and 21 threats to kill being averted. It also said at the time that 3.7 tonnes of drugs, 104 firearms and weapons, and over AU$45 million in assets had been seized.


    Huawei CFO and detained Canadians return home following wrap up of extradition charges

    Huawei CFO Meng Wanzhou’s extradition lawsuit wrapped up over the weekend, ending a near three-year saga that saw her placed under house arrest for almost the entirety of that period. On the same day, two Canadians who were detained in China for over 1,000 days were similarly released and returned to Canada. Meng was allowed to return to China after she reached an agreement with United States prosecutors to admit to misleading global financial institutions. “In entering into the deferred prosecution agreement, Meng has taken responsibility for her principal role in perpetrating a scheme to defraud a global financial institution,” Eastern District of New York Acting Attorney-General Nicole Boeckmann said in a statement. “Her admissions in the statement of facts confirm that, while acting as the chief financial officer for Huawei, Meng made multiple material misrepresentations to a senior executive of a financial institution regarding Huawei’s business operations in Iran in an effort to preserve Huawei’s banking relationship with the financial institution.” The admission entails agreeing to a four-page statement of facts accepting that she knowingly communicated false statements to financial institutions. In January 2019, the United States government unsealed a pair of indictments against Huawei, with the first being against the company and Meng, and the second alleging Huawei conspired to steal intellectual property from T-Mobile and subsequently obstructed justice. For the indictment issued against Meng, she was accused of misrepresenting Huawei’s ownership and control of Iranian affiliate Skycom to banks to launder money via the international banking system, which breached United Nations, United States, and European Union sanctions. Meng was detained and arrested by Canadian authorities on the United States’ behalf just prior to the charges being unsealed.

    By making those allegations, the United States wanted to extradite Meng to the United States to face those charges locally. This led to an extradition battle within Canada to determine whether Canadian authorities should pass Meng to the United States. Throughout the extradition proceedings, Meng was released on bail and placed under house arrest in Vancouver. Meanwhile, the Chinese government detained two Canadian citizens, Michael Kovrig and Michael Spavor, shortly after Meng’s arrest, accusing them of spying and stealing state secrets from China.

    By entering into the agreement, Meng admitted only to misleading global financial institutions, and did not plead guilty to the various fraud charges brought against her. Huawei in a statement said it was happy to see “Meng Wanzhou returning home safely to be reunited with her family”. The company also continued to deny the allegations made by the United States in the statement, saying it would continue to defend itself in court as the indictments are still ongoing. China’s Foreign Ministry spokesperson Hua Chunying said the allegations were “political persecution against a Chinese citizen and its aim is to suppress Chinese high-tech companies”, according to a Chinese state media outlet.

    Meng and the two Canadians arrived back in their respective countries on Saturday, with Canadian Prime Minister Justin Trudeau posting pictures of Kovrig and Spavor’s return on Twitter. “Welcome home, Michael Kovrig and Michael Spavor. You’ve shown incredible strength, resilience, and perseverance. Know that Canadians across the country will continue to be here for you, just as they have been,” he tweeted.
    Huawei looking to fill $40 billion hole in revenue from handset business

    Speaking on Friday, Huawei rotating chair Eric Xu said other areas of the business have not compensated for the loss of revenue due to the company being added to the US Entity List in 2019. When a company is on the Entity List, US companies are banned from transferring technology to it unless the US company has received licence approval from the US government.

    In its latest yearly financial results, Huawei posted net profit of 64.6 billion yuan, but its growth in markets outside of China ground to a halt. The company sold off its Honor business at the end of 2020, and has been focusing on increasing the use of 5G in areas such as mining.

    “Other areas [are] certainly not compensate for the revenue loss of the handset business. Not just in one year, even those revenues throughput 10 years combined cannot compensate for the decline in revenue,” Xu said through an interpreter. “It will take a rather long time for us to compensate for the $30-40 billion loss applying 5G and other technologies to other industry sectors.”


    Mastercard and DTA to scope out digital ID service for age verification

    Mastercard and the Digital Transformation Agency (DTA) are working together to see how the former’s digital identity service could enable Australians to digitally verify their age and identity. As part of the collaboration, Mastercard said it would work with the DTA to examine a series of private sector-led pilots and the impact its digital verification service could have on retailer and consumer experiences and expectations online.

    “Australians are increasingly expecting no disruptions between their online and physical lives, and identity is an area that must keep pace with those expectations. Public-private pilots have the potential to make it easier to use these verified identities securely, everywhere they travel,” Mastercard Australasia division president Richard Wormald said.

    Last year, Mastercard announced the quiet expansion of the trial for its digital identification service, following the successful completion of phase one with partners Deakin University and Australia Post. Announced in December, the three parties kicked off two trials: the first for an identity verification process of student registration and digital exams at Deakin’s Burwood and Geelong campuses in Victoria, and the second integrating Mastercard’s digital ID solution with the one the postal service has been working on.

    The pilot saw students create a digital identity in Australia Post’s Digital ID app and use it to gain access to Deakin University’s exam portal. Mastercard said the ID successfully orchestrated the sharing of verified identity data between the two parties, sending only the specific personal information required to permit entry using its network. The three organisations expanded the trial to verify students taking exams online.

    The second phase of the trial built on work to integrate the Mastercard and Australia Post services, connecting with other third-party platforms to “extend the value and use of the service” to more providers and partner organisations in Mastercard’s ID network. A partnership with Optus was also launched around the same time. Under that trial, Optus customers could use Mastercard’s ID service to prove their identity online and in-store.

    “Connecting with trusted third-party digital identity platforms is key to scaling digital identity more broadly. Without interoperability, it’s very hard to build beyond local deployments,” Wormald said. “This is why Mastercard continues to collaborate with like-minded organisations, giving citizens new ways to verify their identity without having to hand over any physical documents or surplus information.”

    Additionally, Mastercard announced it has applied for accreditation under the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity in Australia.
    If granted, Mastercard said it would enable consumers to create a reusable digital identity using official identity documents, such as passports and driving licences, as well as protect digital identity data using encryption and facial biometrics.

    In June, the Australian government published a consultation paper on digital identity that indicated legislation would enter Parliament later this year to allow non-government entities to provide digital identification services to Australians. Under the TDIF, the set of rules can only be applied to Australian government entities (it can’t be applied to states and territories, or to the private sector), which is why legislation is required. The Digital Identity Legislation is intended to ensure privacy safeguards are in place, such as limiting access to biometric information, but it will include the ability for users to consent to their biometric information being accessed for fraud or security investigations.


    New iPhone 13? Don't forget to update!

    Just got a new iPhone 13 and that new iPhone smell is still on it? Well, it might be new but that doesn’t mean that you don’t need to update it. Yes, it’s running iOS 15, but not the latest iOS 15. Yes, the update treadmill starts on day one.

    According to Apple, “[t]his update provides important security updates and fixes an issue where widgets may revert to their default settings after restoring from a backup.” It’s already time to update your brand new iPhone 13!

    Given that this is not only a bug fix, but the update also contains security updates, I’d recommend downloading this update as soon as possible.


    FBI decision to withhold Kaseya ransomware decryption keys stirs debate

    This week, the Washington Post reported that the FBI had the decryption keys for victims of the widespread Kaseya ransomware attack that took place in July yet did not share them for three weeks. Hundreds of organizations were affected by the Kaseya attack, including dozens of hospitals, schools, businesses and even a supermarket chain in Sweden. Washington Post reporters Ellen Nakashima and Rachel Lerman wrote this week that the FBI managed to obtain the decryption keys because they accessed the servers of REvil, the Russia-based criminal gang that was behind the massive attack.

    Kaseya attack

    REvil demanded a $70 million ransom from Kaseya and thousands from individual victims before going dark and shutting down significant parts of its infrastructure shortly after the attack. The group has since returned, but many organizations are still recovering from the wide-ranging July 4 attack.

    Despite the large number of victims of the attack, the FBI did not share the decryption keys, deciding to hold on to them as it prepared to launch an attack on REvil’s infrastructure. According to The Washington Post, the FBI did not want to tip off REvil operators by handing out the decryption keys. The FBI also claimed “the harm was not as severe as initially feared”, according to The Washington Post. The FBI attack on REvil never happened because of REvil’s disappearance, officials told the newspaper. The FBI eventually shared the decryption keys with Kaseya on July 21, weeks after the attack occurred. Multiple victims spoke to The Washington Post about the millions that were lost and the significant damage done by the attacks.

    Another law enforcement source eventually shared the decryption keys with Bitdefender, which released a universal decryptor earlier this month for all victims infected before July 13, 2021. More than 265 REvil victims have used the decryptor, a Bitdefender representative told The Washington Post.

    During his testimony in front of Congress on Tuesday, FBI Director Christopher Wray laid blame for the delay on other law enforcement agencies and allies who, he said, asked the FBI not to disseminate the keys. He said he was limited in what he could share about the situation because they are still investigating what happened. “We make the decisions as a group, not unilaterally. These are complex…decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There’s a lot of engineering that’s required to develop a tool,” Wray told Congress.

    The revelation caused considerable debate among security experts, many of whom defended the FBI’s decision to leave victims struggling to recover from the attack for weeks. Critical Insight CISO Mike Hamilton, who dealt with a particularly thorny situation where a Kaseya victim was left in the lurch after paying a ransom right before REvil disappeared, said being careful about disclosing methods is a staple of the law enforcement and intelligence communities.

    “There is a ‘tell’ though, that we’ve confirmed ourselves. The FBI is quoted as saying that the damage wasn’t as bad as they thought and that provided some time to work with. This is because the event wasn’t a typical stealth infiltration, followed by pivoting through the network to find the key resources and backups. From all indications the only servers that were encrypted by the ransomware were the ones with the Kaseya agent installed; this was a smash-and-grab attack,” Hamilton said.
    “If you had it deployed on a single server used to display the cafeteria menu, you could rebuild quickly and forget the whole thing happened. The fact that the world wasn’t really on fire, again, created time to dig further into the organization, likely for the ultimate purpose of identifying individual criminals. Those organizations that WERE hit hard had the agent deployed on on-premises domain controllers, Exchange servers, customer billing systems, etc.”

    Sean Nikkel, senior threat intel analyst at Digital Shadows, said the FBI may have seen the need to prevent or shut down REvil’s operations as outweighing the need to save a smaller group of companies struggling in just one attack. Because of REvil’s increasing scale of attacks and extortion demands, a quickly-developing situation requiring an equally fast response likely preempted a more measured response to the Kaseya victims, Nikkel explained, adding that it is easy to judge the decision now that we have more information but that it must have been a tough call at the time.

    “Quietly reaching out directly to victims may have been a prudent step, but attackers seeing victims decrypting files or dropping out of negotiations en masse may have revealed the FBI’s ploy for countermeasures,” Nikkel told ZDNet. “Attackers then may have taken down infrastructure or otherwise changed tactics. There’s also the problem of the anonymous soundbite about decryption making its way into public media, which could also tip off attackers. Criminal groups pay attention to security news as much as researchers do, often with their own social media presence.”

    Nikkel suggested that a better approach may have been to open backchannel communications with the incident response firms involved to better coordinate resources and response, but he noted that the FBI may have already done this. BreachQuest CTO Jake Williams called the situation a classic case of an intelligence gain/loss assessment.
    Like Nikkel, he said it’s easy for people to play “Monday morning quarterback” and blame the FBI for not releasing the keys after the fact. But Williams did note that the direct financial damage was almost certainly more widespread than the FBI believed as it withheld the key to protect its operation.

    “On the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations. On balance, I do think the FBI made the wrong decision in withholding the key,” Williams said. “However, I also have the convenience of saying this now, after the situation played itself out. Given a similar situation again, I believe the FBI will release the keys unless a disruption operation is imminent (hours to days away). Because organizations aren’t required to report ransomware attacks, the FBI lacked the full context required to make the best decision in this case. I expect this will be used as a case study to justify reporting requirements.”

    John Bambenek, principal threat hunter at Netenrich, said critics need to remember that first and foremost, the FBI is a law enforcement agency that will always act in a way that optimizes law enforcement outcomes. “While it may be frustrating for businesses that could have been helped sooner, law enforcement takes time and sometimes things don’t work out as planned,” Bambenek said. “The long term benefit of successful law enforcement operations is more important than individual ransomware victims.”