Monthly Archives: January 2018

Hackers steal around $400M from Cryptocurrency System ICOs

ICOs are risky, possibly quite lucrative, and also a top target for threat actors looking to cash in.


Cyberattackers have managed to line their pockets with almost $400 million in cryptocurrency by targeting ICOs, a new report states.

According to a new research report (.PDF) by Ernst & Young, over 10 percent of all funds changing hands during these events have been lost or stolen.

This equates to roughly $400 million in cryptocurrency from $3.7 billion in funding between 2015 and 2017.

Initial Coin Offerings (ICOs), or token sale events, have garnered the interest of investors in recent years. The events are an opportunity to fund cryptocurrency or Blockchain-related projects and companies and can prove lucrative in the long term.

ICOs have been popular enough to outstrip venture capital investments in Blockchain projects in recent years, despite the potential risks.

These events may be of interest to investors, but they are also a red flag for threat actors looking to cash in fraudulently.

Ethereum marketplace Enigma was gearing up for its ICO when a phishing campaign scammed $500,000 out of investors, while ICOs launched by CoinDash, Veritaserum, and EtherParty were all compromised by attackers a year ago.

These are only the most high-profile names to be targeted through ICOs, however, as the report found a total of 372 ICOs have been attacked in the last two years.

Hackers have been able to steal an average of $1.5 million per month through ICOs, and the report suggests that attackers “are attracted by the rush, absence of a centralized authority, blockchain transaction irreversibility and information chaos” of such events.

“Project founders focus on attracting investors and security is often not prioritized,” the report says. “Hackers successfully take advantage — the more hyped and large-scale the ICO, the more attractive it is for attacks.”

The most common attacks are the substitution of wallet addresses at the time of the event — as we saw with CoinDash — the unauthorized access of private keys and the theft of funds from both wallets and exchanges.

The most common attack vector is phishing, followed by Distributed Denial-of-Service (DDoS) attacks, direct website compromise, attacks on employees, and exchange hacking.

Calls have been made for more regulation and tighter security surrounding ICOs, with regulators worldwide now thrashing out methods to legislate these events and protect investor funds.

“As ICOs continue to gain popularity and leading players emerge globally, there is a risk of having the market swamped with quantity over quality of investments,” said Paul Brody, EY Global Innovation Blockchain Leader. “These high-risk investments and the complexity of ICOs need to be managed to ensure their credibility as a means of raising capital for companies, entrepreneurs and investors alike.”


On Monday, US Securities and Exchange Commission (SEC) chairman Jay Clayton warned businesses not to jump on the Blockchain bandwagon or offer ICOs without the expertise and regulatory support and backing.

The US agency has added ICOs, and companies which have changed their name to something Blockchain or cryptocurrency-related without cause, to its watch lists in the face of market disruption and surging share prices driven by the trend.


Henry Sapiecha

Australia takes over Solomon Islands undersea fibre-optic internet cable amid spy agencies’ concerns about China

Australia’s spy agencies were so concerned about the security and strategic risks posed by a plan for Chinese firm Huawei to build an internet cable linking the Solomon Islands to Sydney that the Turnbull government will now largely pay for the project itself.

The Department of Foreign Affairs has confirmed it has taken responsibility for the undersea fibreoptic cable, including paying for the bulk of the project – which will cost tens of millions of dollars – through the overseas aid program.

The cable will provide fast and reliable internet to the small Pacific island nation, which now relies on satellites.

The step is highly significant as it shows the lengths to which the Turnbull government was willing to go to ensure the cable project could go ahead without Huawei’s involvement.

The Solomon Islands under former prime minister Manasseh Sogavare signed up Huawei Marine to lay the cable connecting to Sydney. But Australia made it clear to Honiara that it had security concerns about the Chinese telco plugging into Australia’s internet backbone, with Nick Warner, the head of spy agency ASIS, personally warning Mr Sogavare last June.

Huawei has previously been banned on the advice of Australian security agency ASIO from being involved in the National Broadband Network.

Mr Sogavare was replaced as prime minister in November by Rick Hou, a former senior World Bank adviser who is well respected in Australia. Mr Hou had been highly critical of the circumstances in which Huawei Marine was awarded the contract under his predecessor.

A spokeswoman for the Department of Foreign Affairs told Fairfax Media the government has entered into a contract with the Australian telecommunications firm Vocus to commence the initial work.

“They will undertake a scoping study and identify potential solutions to bring high-speed telecommunications to the Solomon Islands,” she said.

“The bulk of the funding for this project will come from Australia’s Official Development Assistance program.”

She said the Solomons project would be consolidated with a project to lay a new cable connecting Papua New Guinea with Australia, creating “significant efficiencies on cost”. The cost of the Solomons project alone has previously been estimated at $86 million.

According to the federal government’s AusTender website, Vocus is being paid $2.8 million for the scoping study for both the Solomon Islands and PNG. The department spokeswoman said that this study would more accurately define the final cost.

Fairfax Media understands Australia was concerned about the security implications of Huawei being involved in connecting to Australia’s critical infrastructure, but also more broadly about a Chinese firm – even a private sector one – extending Chinese influence into the Pacific through the cable project.

The Solomons originally identified a British-American company to do the work and had secured backing from the Asian Development Bank. But the previous government abruptly switched to Huawei, prompting the ADB to pull out, saying that the “Huawei contract was developed outside of ADB procurement processes”.

A Huawei spokesman said: “We’ve been advised by the Solomon Islands Submarine Cable Company that Chinese development has been contracted to undertake a scoping study but that’s all they have said to us.”

Jonathan Pryke, a Pacific islands expert at the Lowy Institute, applauded Australia’s move, saying that it made strategic and security sense while also providing much-needed development.

“There’s clearly a strategic objective to this project. It’s to make sure there’s no opportunity for third players like China or a Chinese company like Huawei to swoop in and provide a cable to PNG or the Solomons that could affect strategic interests and compromise Australia’s security.”

He said Chinese development would be welcome in the Pacific if it were more transparent and added there had been concerns in the Solomon Islands about the opaqueness of the Sogavare government’s deal with Huawei Marine.

The cable company’s CEO, Keir Preedy, was not available for comment. Mr Hou’s office did not respond to email requests for comment.

Henry Sapiecha

Notifiable Data Breaches initiative: Preparing to disclose a data breach in Australia

Australia’s Notifiable Data Breaches scheme will come into force next month. Here is what it means and how it will affect organisations, and individuals, in Australia.

WHAT IS THE NOTIFIABLE DATA BREACHES SCHEME?

Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organisation to secure the data it holds.

The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.

What that means is all agencies and organisations in Australia that are covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.

Tax file number (TFN) recipients, to the extent that TFN information is involved in a data breach, must also comply with the NDB.

In addition to notifying affected individuals, under the scheme organisations must provide advice on how those affected should respond, as well as what to do now that their information is in the wild. The Australian Information Commissioner, currently Timothy Pilgrim, must also be notified of the breach.

“The NDB scheme formalises an existing community expectation for transparency when a data breach occurs,” Pilgrim told ZDNet. “Notification provides individuals with an opportunity to take steps to protect their personal information, and to minimise their risk of experiencing harm.”

Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, credit reporting bodies, health service providers, and political parties are exempt from the NDB.


WHAT CONSTITUTES A DATA BREACH?

In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.

An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.

The NDB scheme uses the phrase “eligible data breaches” to specify that not all breaches require reporting. An example of this is where Commonwealth law prohibits or regulates the use or disclosure of information.

An enforcement body — such as the Australian Federal Police (AFP), the police force or service of a state or a territory, the Australian Crime Commission, and the Australian Securities and Investments Commission — does not need to notify individuals about an eligible data breach if its CEO believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, the enforcement body.

Although not always required to disclose a breach, a spokesperson for the AFP told ZDNet the AFP would be complying with its notification obligations in all circumstances where there are no relevant exemptions under the Act.


If the Australian Information Commissioner rules the breach is not bound by the NDB scheme, organisations may not have to disclose it any further.

In addition, data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme as they have their own binding process to follow, which also lies under the umbrella of the OAIC.


DETERMINING SERIOUS HARM

As the NDB dictates an objective benchmark in that the scheme requires a “reasonable person” to conclude that the access or disclosure is “likely to result in serious harm”, Melissa Fai, special counsel at Gilbert + Tobin, told ZDNet that in assessing the breach, an organisation should interpret the term “likely” to mean more probable than not — as opposed to merely possible.

“Serious harm” is not defined in the Privacy Act; but in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Information about an individual’s health; documents commonly used for identity fraud, including Medicare card, driver’s licence, and passport details; financial information; and a combination of types of personal information — rather than a single piece of personal information — that allows more to be known about an individual can all cause serious harm.

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harm that may follow a data breach.

THE NOTIFICATION PROCESS

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a “reasonable and expeditious assessment” based on the above guidelines to determine if the data breach is likely to result in serious harm to any individual affected.

If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the commissioner about the breach.

Organisations disclosing a breach must complete the Notifiable Data Breach statement form published by the OAIC.

The notification to affected individuals and the commissioner must include the following information: The identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach.

Those affected are to be notified within 30 days of the breach’s discovery, during which time the entity can conduct its own investigation on the breach. 30 days is the absolute maximum.

The NDB scheme, however, provides entities with the opportunity to take steps to address a data breach in a timely manner, and avoid the need to further notify — including notifying individuals whose data has been somewhat exposed.


FAILING TO DISCLOSE A BREACH

Failure to comply with the NDB scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences.

Gilbert + Tobin’s Fai explained that if an organisation is found to have hidden an eligible data breach, or is otherwise found to have failed to report an eligible data breach, such failure will be considered an interference with the privacy of an individual affected by the eligible data breach, and serious or repeated interferences with the privacy of an individual can give rise to civil penalties under the Privacy Act.

If the data breach that the organisation has failed to report is serious, or if the organisation has failed to report an eligible data breach on two or more separate occasions, Fai explained the OAIC has the ability to seek a civil penalty order against the organisation of up to AU$2.1 million, depending on the significance and likely harm that may result from the data breach.

“Of course, an organisation must also consider the risk of reputational damage to its brand and the commercial damage that might flow from that, particularly given the growing importance to an organisation’s bottom line of consumer trust in an organisation’s data management policies and processes and its ability to respond quickly, effectively, and with integrity to data breaches,” Fai added.

“The effects of the data breach on Equifax last year and its response are a case in point.”


THE ROLE OF THE INFORMATION COMMISSIONER AND THE OAIC

The commissioner has a number of roles under the NDB scheme, which includes receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.

HOW DID THE NDB COME ABOUT?

The federal government finally passed the data breach notification laws at its third attempt in February 2017.

A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia’s mandatory data-retention laws being implemented.

HOW TO GET READY

According to Gilbert + Tobin, organisations should be at the very least getting familiar with what data they have, where it is kept, and who has access to it.


Assessing existing data privacy and security policies and procedures to make sure organisations are in a position to respond appropriately and quickly in the event of a data breach is also important.

“This should include a data breach response plan which works across diverse stakeholders in an organisation and quickly brings the right people — such as from IT, legal, cybersecurity, public relations, management, and HR — together to respond effectively,” Fai told ZDNet.

It wouldn’t hurt to continuously audit and strengthen cybersecurity strategies, protection, and tools to avoid and prevent data breaches.

“It is also important that an organisation’s personnel are aware of the NDB scheme. Personnel need appropriate training, including to identify when an eligible data breach may have occurred and how to follow an entity’s policies and procedures on what to do next,” Fai explained, adding that this also extends to suppliers and other third parties that process personal information on the organisation’s behalf.

DOES YOUR BUSINESS HAVE A EUROPEAN CONNECTION?

From May this year, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.

Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.


The GDPR and the Australian Privacy Act share many common requirements, but there are a number of differences, with one crucial element being the time allowed to disclose a breach.

Under the NDB scheme, organisations have a maximum of 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

“In sum, if an Australian organisation is subject to the GDPR regime when it comes into effect in May this year, it needs to comply with its obligations under both regimes — although the two regimes contain different requirements, they are not mutually exclusive,” Fai added. “However, when it comes to data breaches, the high watermark of compliance is complying with the European regime.”


HOW TO PREVENT A DATA BREACH

Any organisation that has purchased a security solution from a vendor knows that there is no silver bullet to completely secure an organisation.

“When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn’t possible,” Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet.

“The first thing any organisation should do is understand that data breaches are not always preventable but they are mitigatable. Whether the data breach is a result of a compromise, malicious insider, or even a well-meaning insider accidentally leaking information, mitigations exist.”

Breaking the mitigations into three parts, Savvides said the first is dealing with a malicious attacker, the second is having information-centric security which he said applies to all scenarios, and the third mitigation category is the response plan.

“Most organisations don’t have very effective response plans for a data breach event. They might have a plan, but from what has been seen, the plans are generally very academic in nature rather than practical and often get bypassed in the case of a real event,” he explained.

“Organisations need to have processes for having incidents reported, a clear plan on who to involve, what process to follow, and a clear PR message.”

Savvides said it is clear that users value transparency and clear speech rather than ambiguous legalese responses some organisations have produced.

“The commencement of the scheme is also a timely opportunity for organisations to take stock of the personal information they collect and hold, and how it is managed,” Pilgrim added. “By ensuring personal information is secured and managed appropriately, organisations can reduce the likelihood of a data breach occurring in the first place.”


Henry Sapiecha

The Many Tactics Used By The Secret Service 2 VIDEOS


Henry Sapiecha

Amazon gives record amount of client data to US law enforcement

The company’s fifth transparency report reveals more customer data was handed to US law enforcement in the first-half of last year than ever before.

Law enforcement requests for Amazon’s cloud customers have gone up, but the company still won’t say if Echo has been wiretapped.

Amazon turned over a record amount of customer data to the US government in the first half of last year in response to demands by law enforcement.

The retail and cloud giant quietly posted its latest transparency report on Dec. 29 without notice — as it has with previous reports — detailing the latest figures for the first six months of 2017.

The report, which focuses solely on its Amazon Web Services cloud business, revealed 1,936 different requests between January and June 2017, a rise from the previous bi-annual report.

The company received:

  • 1,618 subpoenas, of which the company fully complied with 42 percent;
  • 229 search warrants, of which the company fully complied with 44 percent;
  • 89 other court orders, of which the company fully complied with 52 percent.

It’s not clear why there was a spike in requests during the half-year period. An Amazon spokesperson declined to comment.

Amazon also confirmed it had 75 requests from outside the US through a mutual legal assistance process, in which it partially complied with two cases. The remaining cases were rejected. But the company didn’t say which countries made the requests.

Amazon said it did not receive any content removal orders during the period.

As in previous reports, the company refused to say if it had received a national security brief during the period. Tech companies are barred from disclosing exactly how many of these letters they receive, but companies can under their First Amendment right to freedom of speech say if they have not received one.

Amazon instead preferred to say it had received between zero and 249 national security requests.

The company’s transparency reports do not take into account any other data-related business units, such as whether authorities have obtained data wiretapped from or submitted through its Echo products.

Law enforcement has, since Echo’s inception, looked at ways to obtain data from the voice-activated assistant. Amazon has largely resisted efforts by police to obtain data from the always-listening product, but acquiesced in one homicide investigation after the suspect did not object to the turning over of his Echo data.

Henry Sapiecha

Facial recognition powering forward. Is it going too far too fast?

“We watch over you. Every single one of you,” says big brother

This ensures a “safe and secure environment”, the narrator adds.

These aren’t lines from a dystopian novel, but rather a video advertisement boasting about tech giant NEC’s advanced, real-time facial-recognition technology capabilities, being shown to an audience at its recent iEXPO2017 conference in Tokyo, Japan.

Already, facial-recognition technology is being used at Crown Casino in Melbourne to identify VIPs and banned players and other banned people. Australian state and federal policing agencies are also embracing it, with South Australia Police using it to identify criminals and to search for missing persons.

The state also plans to use it to complement its existing CCTV network “by extracting faces in real-time and instantaneously matching them against a watch list of individuals”, according to its former police minister, Peter Malinauskas. Police there already have access to Adelaide Oval’s 400 CCTV cameras, granted in time for the Ashes cricket series.

Meanwhile, the Northern Territory Police Force is employing facial-recognition technology for not only identifying people who have stolen goods or unlawfully trespassed but also to identify unconscious people admitted to hospitals and those who suffer from Alzheimer’s.

Also banking icon Westpac is making use of it, combining it with artificial intelligence in order to identify the mood of staff so that managers can intervene if necessary.

Shopping-centre operator Westfield uses it too, to estimate the age, gender and mood of shoppers in its malls. But it says it can only “find & read” faces, not “recognise” them.

Now the Australian federal government is experimenting with it, to catch not only terrorists but other people as well. Through its National Facial Biometric Matching Capability, known as “The Capability”, law-enforcement agencies will soon be able to share more easily the identity photographs they have in their possession.

In October, state and territory governments agreed to give the federal government access to driver’s licence photographs, allowing for much easier inter-agency sharing. In The Capability, these will be added to a searchable collection of passport and visa photographs.

While the majority of people initially took the initiative to mean that the federal government would in real-time be able to track any person entering sports arenas and malls, this won’t be part of The Capability – at least for the moment. The current plan is to use it in a retrospective capacity, for looking back over CCTV to ID suspects.

This is not the case in the Russian Republic though, which recently announced that it was adding facial-recognition technology to its network of 170,000 surveillance cameras in a move to identify criminals in real-time. While only select districts will have the technology installed, a recent two-month trial already resulted in six wanted people being identified from a federal “wanted” list and detained, Bloomberg News reported.

China too has been working on a facial-recognition system since 2015 to identify any member of its 1.3 billion citizens in 3 seconds but has been confronting a few technical issues.

NEC’s “NeoFace” technology can identify a person from a database of almost 2 million people in 0.3 seconds. In one independent test, it displayed a matching accuracy of 99.2 per cent. NeoFace measures the distance between the eyes, the width of the nose, depth of the eye sockets, shape of the cheekbones, and length of the jawline in order to make a positive match.

Not only can NEC’s facial-recognition technology recognise faces – it can also see which direction your eyes are looking in and whether your facial expression is sad or happy.

“We are proving a technology that can be used in so many different ways,” NEC Australia chief operating officer Mike Barber said in an interview. “It’s not up for us to decide how that’s to be utilized.”

“This technology is not all about watching people,” he added.

“It’s got so many other applications. We don’t [yet] know what all those applications are.”

While it was “introducing moral, ethical, and social aspects”, safety was top of the list, he stated.

“From my point of view, [when] you start looking at safety versus let’s not have any of this, then what would the general population really need?” he said.

Facial-recognition technology doesn’t always work accurately though, as London’s Metropolitan Police discovered recently, when Silkie Carlo, senior advocacy officer at civil liberties and human rights group Liberty, observed its use at London’s Notting Hill Carnival in August 2017.

According to Carlo, it couldn’t tell the difference between a young woman and a balding man and falsely matched 35 people, five of whom were pursued with interventions, meaning innocent members of the public were stopped who had, police later discovered, been falsely identified.

“What does real-time facial recognition mean for our rights?” Carlo asked.

“What are the risks? Does it have a place in a democracy at all?

“The answer is no. It is the stuff of dystopian literature for a reason.”

She added that the prospect of biometric checkpoints “overshadowing” public spaces was “plainly unacceptable and frankly frightening”.

“Like GPS surveillance, if facial recognition were rolled out across the country, the state would potentially have a biometric record of who goes where, when and with whom,” Carlo said.

“The technology isn’t there yet … but the risk to our freedom posed … is current and real.”

Tender documents reveal technology companies NEC, Daon, Cognitec and Unisys are regular suppliers of facial-recognition technology to the Australian Federal Police, Australian Crime Commission, Department of Immigration and Border Protection, and Department of Foreign Affairs and Trade. Contracts in the multi-millions have been awarded.

“The AFP confirms it utilises third-party facial recognition software,” an AFP spokesperson said. “Although the products are commercial off the shelf, we would not discuss the specific detail of the operational implementation of the capability, as that transgresses into security and law enforcement methodology.”

Meanwhile, the Department of Immigration and Border Protection, now housed within the newly formed Department of Home Affairs, said it used NEC’s NeoFace technology in its departures SmartGates, which are located at all Australian international airports.

The author travelled to iEXPO2017 in Tokyo as a guest of NEC.

Henry Sapiecha