Monthly Archives: May 2016

We should widen protection for whistleblowers, offer financial rewards say supporters

Whistleblowers have long suffered from limited protection.

The limitations of legislation, in Australia and overseas, have become more apparent in the wake of the Panama Papers, Swiss Leaks and Lux Leaks. All were based on revelations of wrongdoing from individual whistleblowers, not tax authorities.


Bradley Birkenfeld, a former banker, received $104 million from the US Treasury for exposing a multi-billion dollar tax fraud by Swiss investment bank UBS and other institutions.

In the May budget the Turnbull government, under public pressure to take a tougher stance against tax dodging, announced it would introduce whistleblower protection for people who disclose information about tax misconduct to the Australian Taxation Office.

The Corporations Act already has some protection for those who make disclosures to corporate watchdog ASIC, but it is limited and does not apply to tax misconduct information given to the ATO.


‘John Doe’, the anonymous source who handed German newspaper Süddeutsche Zeitung internal data belonging to the Panamanian law firm Mossack Fonseca, wants whistleblowers to have immunity from government retribution.

“Whistleblowers will have their identity protected and will be protected from victimisation and civil and criminal action for disclosing information to the ATO,” the headline government announcement said, without offering detail about how such a scheme would work.

Those who speak out face threats

Transparency International says despite their critical role in uncovering corruption and other malpractice, “too often people who speak up in the public interest face threats, intimidation and lawsuits”.

‘John Doe’ – the anonymous source who handed German newspaper Süddeutsche Zeitung (and in turn the International Consortium of Investigative Journalists) internal data belonging to the Panamanian law firm Mossack Fonseca – in a manifesto released earlier this year called for whistleblowers to be given immunity from government retribution.

“Until governments codify legal protections for whistleblowers into law, enforcement agencies will simply have to depend on their own resources or on-going global media coverage for documents,” he wrote.


Jeff Morris blew the whistle at CBA. 

Bradley Birkenfeld, who was awarded $US104 million in September 2012 for information that led to US authorities chasing down Swiss bank UBS and other banks facilitating tax evasion, has previously expressed similar sentiments.

Birkenfeld, who himself served prison time for his crimes, said: “If whistleblowers are afraid to bring information to the authorities for fear of prosecution, they will stay silent, bank secrecy will continue, and illegal offshore tax havens will operate free of scrutiny, taking money out of taxpayers’ pockets, and making the super-rich even wealthier.”

Antoine Deltour is now on trial for “stealing” and leaking documents about how Luxembourg granted secret “sweetheart” tax deals to multinationals including Apple and IKEA (the French journalist Edouard Perrin, to whom Deltour leaked, is also on trial). At his trial he said the leak was a “necessary evil”.

Beefing up the Corporations Act

Closer to home there’s also been discussion about how to beef up the Corporations Act to improve protection for whistleblowers.

Too often people who speak up in the public interest face threats, intimidation and lawsuits

Transparency International

Jeff Morris, who exposed the Commonwealth Financial Planning Limited scandal reported by Fairfax Media, told a recent Senate hearing that Australia needed a scheme, similar to that of the United States, where whistleblowers who disclose corporate misconduct get rewarded.

He says when he took the allegations against CBA to ASIC in 2010, he was told in as many words, “Thanks for sacrificing yourself.” “[He was] just being frank about the limitations of the whistleblower protections,” Morris said. “The whistleblower protections basically, as he said, [are] not worth much.”

The Senate Economics References Committee has released a paper calling for greater protection for local whistleblowers, including protection for those who come forward anonymously. The government has noted its suggestions, but as yet, has not made any changes.

A.J. Brown, Griffith University’s leader for Public Integrity &amp; Anti-Corruption in the Centre for Governance and Public Policy, who has worked with regulators including ASIC on how to improve protection for whistleblowers, says that the level currently offered under the Corporations Act is inadequate.

He welcomes the budget announcement, but hopes it is not just a “thought bubble” that results in no useful policy. “The question the government should be asking is: ‘Is there a way of doing this that encourages people to cover all types of information, not just tax misconduct?’” he says.

Rewarding whistleblowers

He also wants financial rewards for whistleblowers who give information that leads to prosecutions. In the United States, under the Internal Revenue Code, a whistleblower can receive 15 per cent to 30 per cent of the amount collected by the IRS.

Maurice Blackburn lawyer Josh Bornstein says a reward system would increase the chance of people coming forward. “If we are to improve corporate culture, whistleblowers should be rewarded and seen to be rewarded,” he says.

Tax Justice Network spokesman Mark Zirnsak says since 2008 the IRS recovered $4 billion through whistleblowers exposing tax evasion. “Whistleblower protection and reward should also apply to other forms of corporate wrongdoing, such as bribery, fraud and embezzlement,” he says.

But not everyone is supportive of a reward system. Herbert Smith Freehills partner Andrew Eastwood says rewards leave a “real risk that you may in fact be rewarding people who were in some way involved in the misconduct”. But he does support greater protection for whistleblowers under the Corporations Act.

Chartered Accountants’ tax leader Michael Croker also warns “whistleblowers will not always have clean hands, and immunity, or reduced sentences, become an issue in such cases”. Nevertheless, he says there are elements of the US model, including specialist IRS teams that deal with whistleblowers, that Australia may be able to adopt.

Professor A.J. Brown says the government has a real opportunity to revamp legislation to give genuine protection to whistleblowers. “If it’s not done properly, it ends up being window-dressing. That’s what we need to avoid.”


Henry Sapiecha

Philippines bank attack same as Bangladesh Bank heist group says Symantec


Before hitting the Bangladesh Bank’s US Federal Reserve account for $81 million in February, the group responsible for the attack tried their luck on a Philippine institution, Symantec has said.

In a blog post, the security vendor said that similarities in the code used in the malware in both attacks led it to conclude the attacks were from the one source.

“Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group,” it said.

The company said the attacks on the Philippine bank occurred from October last year, and represent the earliest known attacks from the group.

“The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region,” Symantec said.

Some of the code similarities mean the malware can be traced to Lazarus, a group linked with a trojan that was used in the attack on Sony Pictures.

Since the attack on the Bangladesh Bank came to light, the central messaging service between the world’s banks, SWIFT, has said it plans to launch a new security program.

“There will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident … this is a big deal. And it gets to the heart of banking,” SWIFT chief executive Gottfried Leibbrandt said earlier this week.

In February, the SWIFT system of the Bangladesh central bank was hacked into, with thieves sending messages to the Federal Reserve Bank of New York that allowed them to steal $81 million.

The attackers have also been blamed for a $12 million theft from an Ecuadorean bank last year, and an unsuccessful attack on Vietnam’s Tien Phong Bank.

Earlier this month, a trove of Symantec’s products were found to be vulnerable to a buffer overflow when parsing malformed portable-executable header files.

On Windows, because Symantec’s scanning engine is loaded into the kernel, the resulting kernel memory corruption caused an instant blue screen. On Linux, OS X and other Unix-like systems, the same buffer overflow produced a remote heap overflow as root inside the Symantec or Norton process.

The attack could be invoked without any user interaction, and could occur via such events as receiving an email, downloading a document or application, or by visiting a malicious website.
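The defect class described above is an unvalidated offset or count read from a malformed PE header and then used to index memory. The following is an added illustration, not code from Symantec’s engine or from any product named on the page: a small, bounds-checked reader for the DOS header, e_lfanew, PE signature and COFF header that refuses a file before any out-of-range access can happen. The header field offsets and sizes are those of the PE/COFF format; the sample images are constructed in-memory by the hypothetical `build_sample` helper and contain headers only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, bounds-checked reader for the DOS and PE headers of an
 * in-memory file image. Illustration only: not code from Symantec's engine.
 * Every value read from the file and then used as an offset or a count is
 * validated against the buffer length before it is dereferenced, which is
 * the property a parser of untrusted PE headers must have. */

#define DOS_MAGIC        0x5A4D      /* "MZ" */
#define PE_SIGNATURE     0x00004550  /* "PE\0\0" */
#define DOS_HEADER_SIZE  64
#define E_LFANEW_OFFSET  60
#define COFF_HEADER_SIZE 20
#define SECTION_HDR_SIZE 40

enum pe_status {
    PE_OK = 0,
    PE_TOO_SHORT,
    PE_BAD_DOS_MAGIC,
    PE_BAD_LFANEW,
    PE_BAD_SIGNATURE,
    PE_BAD_SECTION_TABLE
};

/* Little-endian field readers; callers guarantee the bytes are in bounds. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validates the DOS header, e_lfanew, PE signature, COFF header and the
 * extent of the section table. On PE_OK, *nsections receives NumberOfSections. */
enum pe_status pe_check_headers(const uint8_t *buf, size_t len, uint16_t *nsections)
{
    if (len < DOS_HEADER_SIZE) return PE_TOO_SHORT;
    if (rd16(buf) != DOS_MAGIC) return PE_BAD_DOS_MAGIC;

    /* e_lfanew comes straight from the file. It must leave room for the
     * 4-byte signature and the 20-byte COFF header inside the buffer. */
    uint32_t lfanew = rd32(buf + E_LFANEW_OFFSET);
    if (lfanew < DOS_HEADER_SIZE || lfanew > len - 4 - COFF_HEADER_SIZE)
        return PE_BAD_LFANEW;
    if (rd32(buf + lfanew) != PE_SIGNATURE) return PE_BAD_SIGNATURE;

    const uint8_t *coff = buf + lfanew + 4;
    uint16_t nsec     = rd16(coff + 2);   /* NumberOfSections */
    uint16_t opt_size = rd16(coff + 16);  /* SizeOfOptionalHeader */

    /* The section table follows the optional header. Do the arithmetic in
     * 64 bits so a large NumberOfSections cannot wrap the end offset. */
    uint64_t sect_off = (uint64_t)lfanew + 4 + COFF_HEADER_SIZE + opt_size;
    uint64_t sect_end = sect_off + (uint64_t)nsec * SECTION_HDR_SIZE;
    if (sect_end > len) return PE_BAD_SECTION_TABLE;

    *nsections = nsec;
    return PE_OK;
}

#define SAMPLE_LEN 512

/* Constructed sample image (headers only, no real code) with caller-chosen
 * e_lfanew, NumberOfSections and SizeOfOptionalHeader. */
void build_sample(uint8_t out[SAMPLE_LEN], uint32_t lfanew, uint16_t nsec, uint16_t opt_size)
{
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    for (int i = 0; i < 4; i++) out[E_LFANEW_OFFSET + i] = (uint8_t)(lfanew >> (8 * i));
    /* Only write the PE headers when they fit; a malformed e_lfanew leaves
     * whatever it points at unwritten, as a corrupt file would. */
    if ((uint64_t)lfanew + 4 + COFF_HEADER_SIZE <= SAMPLE_LEN) {
        out[lfanew] = 'P'; out[lfanew + 1] = 'E';
        out[lfanew + 4 + 2]  = (uint8_t)nsec;     out[lfanew + 4 + 3]  = (uint8_t)(nsec >> 8);
        out[lfanew + 4 + 16] = (uint8_t)opt_size; out[lfanew + 4 + 17] = (uint8_t)(opt_size >> 8);
    }
}

/* Builds a sample with the given fields and returns the parser's verdict. */
int check_sample(uint32_t lfanew, uint16_t nsec, uint16_t opt_size)
{
    uint8_t img[SAMPLE_LEN];
    uint16_t n = 0;
    build_sample(img, lfanew, nsec, opt_size);
    return (int)pe_check_headers(img, SAMPLE_LEN, &n);
}

int main(void)
{
    printf("well-formed:            %d\n", check_sample(128, 2, 224));         /* PE_OK */
    printf("e_lfanew past the end:  %d\n", check_sample(0xFFFFFFF0u, 2, 224)); /* PE_BAD_LFANEW */
    printf("huge NumberOfSections:  %d\n", check_sample(128, 0xFFFF, 224));    /* PE_BAD_SECTION_TABLE */
    return 0;
}
```

The two rejected samples are the shapes of input a fuzzer produces first: an e_lfanew that points outside the file, and a NumberOfSections that makes the section table larger than the file. A parser that reads either field and trusts it walks off the end of its buffer; in a scanning engine that runs in the kernel or as root, that is the outcome the article describes.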


Henry Sapiecha

10 things you should know about the Dark Web [Internet’s underbelly] but probably don’t

A basic overview guide to the Internet’s underbelly — the Dark Web

1…Deep or Dark?


There’s a difference between the “Deep Web” and “Dark Web.” While the “Clear Web” is the surface area which is indexed by search engines such as Google and Yahoo, the Deep Web is an area search engines can’t crawl for or index. Plunging in further, the Dark Web is a small area within the Deep Web which is intentionally hidden from discovery.


2…How do you access the Dark Web?


You can’t use standard access methods to gain entry into the Dark Web. The most common method is through the Tor network, an anonymous network created from nodes which disguise online activity. In order to use Tor, you need the Tor browser, and may also need to be issued an invitation to access certain .onion domains hidden within the Dark Web.


3…Wait, Onion domains?


An .onion address is the result of Onion networking — low-latency communication designed to resist traffic analysis and surveillance. The use of Onion networking is not a perfect solution to maintain anonymity, but it does help disguise who is communicating with whom.


4…It’s not just drugs


Many of us heard when the underground marketplace Silk Road, one of the largest hidden within the Tor network, was taken down following an investigation by US authorities. However, there are many more vendors peddling their wares within the Dark Web. While drugs are what most people think of first when it comes to the secretive area, you can also purchase a plethora of other illegal goods. Weapons, porn, counterfeit money and fake identities, hacked accounts and even hitmen can be found if you have the cash. If someone annoys you, sending over a SWAT team as a “prank” is also possible.


5…It’s also something of an eBay for peculiar items.


A quick browse and I could buy lifetime membership passes to popular services such as Netflix, old consoles, clothing, emulators and DVDs, a car or two and bulk weight loss pills. Technology is also popular — there is a wealth of devices available — both counterfeit and apparently legitimate — if you know where to look.


6…The Dark Web is used for more than buying and selling.


So-called “ethical” hacking and political forums, archives of forbidden books, tips on how to care for your cat — there are potentially thousands of private .onion addresses hosted which go beyond marketplaces.


7…Trading is hardly safe or risk-free


Whether you take a risk with buying bargain designer clothes on the Clear Web or sink a few Bitcoins in purchasing illegal items through the Dark Web, neither is risk-free.

Vendors and sellers might be trying to avoid the eyes of legal enforcement in the darker side of the Internet, but this doesn’t stop scams from taking place. Scam vendors and quick grab-and-run schemes run rampant — especially as there is no way to follow up with failed sales down the legal route.


8…Buying and selling through the Dark Web


How do you trade without being linked to bank accounts? Virtual currency is the most common method, which includes “tumbling,” a laundering process which destroys the connection between a Bitcoin address which sends virtual currency and the recipient, in the hope of covering a user’s tracks. Some vendors offer escrow services which hold Bitcoin in trust until goods have been delivered and both parties are happy, although the value fluctuations that come with Bitcoin make this move risky.


9…Avoiding spying eyes


Aside from using the Tor browser and VPNs, a number of buyers and sellers use “Tails,” free software which can be booted from flash storage to provide end-to-end encryption for your browsing sessions.

To further cover their tracks, vendors and sellers will often also use public Wi-Fi hotspots to conduct their business.


10…Reddit is used as a communication platform for Dark Web transactions


Although far from exhaustive, the best Clear Web resource to bounce around and learn a little about the darker, nastier aspects of the Internet is on Reddit. There are sub-forums in which Dark Web vendors and buyers exchange news, thoughts and seller reviews. Advice is also issued on how best to “clean house,” create safe “drop” zones to pick up packages ordered from the Dark Web and what to do if you think law enforcement is keeping an eye on you.

Henry Sapiecha


Speaker: Datagram

Lockpicking is portrayed as the ultimate entry method. Undetectable and instantaneous as far as films are concerned. Nothing is further from the truth, but freely available information on the topic is nearly impossible to find. This talk will focus on the small but powerful fragments of evidence left by various forms of bypass, lockpicking, and impressioning. Attendees will learn how to distinguish tool marks from normal wear and tear, identify the specific techniques and tools used, and understand the process of forensic locksmithing in detail.


Henry Sapiecha

DEFCON 20: Anti-Forensics and Anti-Anti-Forensics Attacks VIDEO PRESENTATION

A video presentation on digital forensics & investigations


Henry Sapiecha

[DEFCON 20] Spy vs. Spy: Spying on Mobile Device Spyware VIDEO PRESENTATION

Michael Robinson – Consultant
Chris Taylor – Security Researcher

Commercial spyware is available for mobile devices, including iPhones, Android Smartphones, BlackBerries, and Nokias. Many of the vendors claim that their software and its operation is undetectable on the smartphones after setup is complete. Is this true? Is there a way to identify whether or not some jerk installed spyware on your mobile phone or are you destined to be PWN’d?

This presentation examines the operation and trails left by five different commercial spyware products for mobile devices. Research for both Android and iPhone 4S will be given. A list of results from physical dumps, file system captures, and user files will be presented to show how stealthy the spyware really was. The results from the analysis of the install files will also be presented. From this information a list of indicators will be presented to determine whether or not spyware is on your phone.

Michael Robinson, a/k/a Flash, conducts forensic examinations of computers and mobile devices for a consulting firm in the Washington, DC area. In addition to his day job, he teaches graduate-level courses in computer forensics and mobile device forensics at Stevenson University and George Mason University. Prior to his current consulting gig, Flash conducted computer forensic examinations in support of federal law enforcement. He worked for the Department of Defense for a bunch of years doing IT and forensics work. Flash has been in school forever. Eventually he’ll get smart. He’s building on his Master’s in Computer Forensics with a Doctorate in the same field.

Chris Taylor is a security researcher and teacher that has been doing IT security, incident response, computer forensics, and mobile device forensics for the last 12 years. His experience comes from doing research, not reading research. Imagine that. He makes fun of his co-presenter constantly. He is also a staunch privacy advocate that hates writing bios.


Henry Sapiecha

DEF CON 22 – Zoltán Balázs – Bypass firewalls, application white lists… VIDEO HERE


Bypass firewalls, application white lists, secure remote desktops under 20 seconds
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.

I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.

Before MRG Effitas, he worked for 5 years in the financial industry as an IT Security expert, and for 2 years as a senior IT security consultant at one of the Big Four companies. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide including Hacker Halted USA, OHM, Hacktivity, Ethical Hacking, Defcamp.
He is a proud member of the team, 2nd runner up at global Cyberlympics 2012 hacking competition.


Henry Sapiecha

DEF CON 22 – Zoz – Don’t Fuck It Up! MUST WATCH VIDEO


Don’t Fuck It Up!
Online antics used to be all about the lulz; now they’re all about the pervasive surveillance. Whether you’re the director of a TLA just trying to make a booty call or an internet entrepreneur struggling to make your marketplace transactions as smooth as silk, getting up to any kind of mischief involving electronic communications now increasingly means going up against a nation-state adversary. And if even the people who most should know better keep fucking it up, what does that mean for the rest of us? What do the revelations about massive government eavesdropping and data ingestion mean for people who feel they have a right if not a duty to occasionally be disobedient?

It’s time for a rant. Analyzing what is currently known or speculated about the state of online spying through the prism of some spectacular fuckups, this talk offers an amusing introduction to how you can maximize your chances of enduring your freedom while not fucking it up. Learn how not to fuck up covering your tracks on the internet, using burner phones, collaborating with other dissidents and more. If you have anything to hide, and all of us do, pay attention and Don’t. Fuck. It. Up!

Zoz is a robotics engineer, prankster and general sneaky bastard. He has been pretty successful at pulling some cool subversive shit and not fucking it up and getting caught. He once faked a crop circle for the Discovery Channel and it was all uphill from there.


Henry Sapiecha