2021 Had Six Different Cryptocurrency Heists Over $100 Million

More than 20 different times in the last 12 months, at least $10 million was stolen from a cryptocurrency exchange or project, reports NBC News.

“In at least six cases, hackers stole more than $100 million…”

By comparison, bank robberies netted perpetrators an average of less than $5,000 per heist last year, according to the FBI’s annual crime statistics… “If you hack a Fortune 500 company today, you might steal some usernames and passwords,” said Esteban Castaño, the CEO and co-founder of TRM Labs, a company that builds tools for companies to track digital assets. “If you hack a cryptocurrency exchange, you may have millions of dollars in cryptocurrency….”

[W]hile a handful of countries have strict regulations in place, it’s relatively easy for tech entrepreneurs to set up an exchange nearly anywhere in the world and run it however they like. Cryptocurrencies generally offer a certain amount of security — taking their name, in part, from “encryption.” But the exchanges that manage them, especially new ones building their businesses from scratch, often start with a tiny staff, which means few if any full-time cybersecurity professionals. Their developers may work frantically to make the code work, sometimes accidentally leaving flaws that give hackers a foothold. Combined with the fact that a volatile market often leaves them suddenly holding a fortune, exchanges are a particularly ripe target for criminal hackers….

The problem is exacerbated because many cryptocurrency projects, intent on avoiding government regulations, set up in countries whose law enforcement agencies don’t have much power to go after transnational hackers. Or if they are hacked, they tend to be less likely to call for government help on ideological grounds, said Beth Bisbee, head of U.S. investigations at Chainalysis, a company that tracks cryptocurrency transactions for both private companies and government agencies. Some developers “want to be anti-bank and anti-oversight,” Bisbee said. “So when something like that happens, they’re not necessarily wanting to work with law enforcement, even though they’d be considered to be a victim and it’d be valuable for them to.”

Ultimately the article points out that “Most exchange hackers are not caught.” (Although in at least one case part of the stolen money was voluntarily returned.)

But what happens after the breach, NBC News asked Dave Jevans, the founder of CipherTrace, a company that tracks theft and fraud in cryptocurrencies.

If an exchange is wealthy enough and plans ahead to have an emergency fund, it can compensate its customers if its operation is hacked, Jevans said. If not, they often go out of business. “Not every exchange is so wealthy or has so much foresight. It just goes, pop, ‘We’re out of business. Sorry, you’re all screwed,’” he said.

Read more of this story at Slashdot.

RadioShack Announces Ambitious New Cryptocurrency Exchange

RadioShack.com is now showing visitors a new message: “Bringing cryptocurrency to the mainstream…”

With a 100-year-old brand, “we are going to lead the way for blockchain tech to reach mainstream adoption by other large brands.”

The RadioShack home page says they’ll start with a “symbiosis” with Atlas USV, a community-driven project to build a universal, decentralized/widely accessible DeFi base layer. Atlas USV’s “Barter” mechanism lets users purchase third-party tokens and transfer them to Atlas USV’s treasury in return for discounted USV tokens. “The Atlas USV treasury can accumulate any crypto asset of its choice with this dynamic…
“Once the liquidity pool surpasses other exchanges’ liquidity level in any token pair, our swap efficiency will be unbeatable for that pair…

“Other decentralized exchanges margins on swap fees are our opportunity…. ”

Or, as they explain on a more detailed web page, “We intend RadioShack to be the first protocol to pass over into mainstream usage in the history of DeFI,” promising that RadioShack DeFi “will become the first to market with a 100 year old brand name that’s recognized in virtually all 190+ countries in the world…”

“RadioShack has one objective: Distribution and usage by millions of individuals but possibly more important, by hundreds of blue-chip, large corporations as their gateway into becoming blockchain companies.”

Currently there’s a sign-up form for a notification when “RADIO token” launches (as well as links to their channels on Discord and Telegram).

Their “Fundamentals” page explains that “It is our hypothesis that the best way for crypto to be more mainstream is for an established brand name in the tech space to lead the way.”

The RadioShack brand was purchased in November of 2020 by e-commerce rehabilitator REV, now listed as a collaborator on RadioShack’s home page. (Ironically, the “Fundamentals” page also includes RadioShack’s Super Bowl ad where their store is taken back by the 1980s.)

The official Twitter feed of Radio Shack now also has the same new tagline: “Bringing Cryptocurrency To The Mainstream.”

Read more of this story at Slashdot.

Who’s Paying to Fix Open Source Software?

The Log4Shell exploit “exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization,” writes VentureBeat. But the incident also raises some questions:
Should large deep-pocketed companies besides Google, which always seems to be heavily involved in such matters, be doing more to support the cause with people and resources?

Long-time Slashdot reader frank_adrian314159 shares a related article from a programming author on Dev.To, who’d read hot takes like “Open source needs to grow the hell up.” and “‘Open source’ is broken.”

[T]he log4j developers had this massive security issue dumped in their laps, with the expectation that they were supposed to fix it. How did that happen? How did a group of smart, hard-working people get roped into a thankless, high-pressure situation with absolutely no upside for themselves…?

It is this communal mythology I want to talk about, this great open source brainwashing that makes maintainers feel like they need to go above and beyond publishing source code under an open source license — that they need to manage and grow a community, accept contributions, fix issues, follow vulnerability disclosure best practices, and many other things…
In reality, what is happening is that open source maintainers are effectively unpaid outsourcing teams for giant corporations.

The log4j exploit was first reported by an engineer at Alibaba — a corporation with a market capitalization of $348 billion — so the article wonders what would happen if log4j’s team had sent back a bill for the time they’d spend fixing the bug.

Some additional opinions (via the “This Week in Programming” column):

PuTTY maintainer Andrew Ducker: “The internet (and many large companies) are dependent on software maintained by people in their spare time, for free. This may not be sustainable.”
Filippo Valsorda, a Go team member at Google: “The role of Open Source maintainer has failed to mature from a hobby into a proper profession… The status quo is unsustainable…. GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure.”
Valsorda hopes to eventually see “a whole career path with an onramp for junior maintainers, including training, like a real profession.”

Read more of this story at Slashdot.

Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’

wiredmikey shares a report from SecurityWeek: Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that included a PDF file pretending to be a GIF image with a custom-coded virtual CPU built out of boolean pixel operations. If that makes you scratch your head, that was exactly the reaction from Google’s premier security research team after disassembling the so-called FORCEDENTRY iMessage zero-click exploit used to plant NSO Group’s Pegasus surveillance tool on iPhones.

“We assess this to be one of the most technically sophisticated exploits we’ve ever seen,” Google’s Ian Beer and Samuel Groß wrote in a technical deep-dive into the remote code execution exploit that was captured during an in-the-wild attack on an activist in Saudi Arabia. In its breakdown, Project Zero said the exploit effectively created “a weapon against which there is no defense,” noting that zero-click exploits work silently in the background and do not even require the target to click on a link or surf to a malicious website. “Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” the research team said.

The researchers confirmed the initial entry point for Pegasus was Apple’s proprietary iMessage that ships by default on iPhones, iPads and macOS devices. By targeting iMessage, the NSO Group hackers needed only a phone number or an AppleID username to take aim and fire eavesdropping implants. Because iMessage has native support for GIF images (especially those that loop endlessly), Project Zero’s researchers found that this expanded the attack surface and ended up being abused in an exploit cocktail that targeted a security defect in Apple’s CoreGraphics PDF parser. Within Apple’s CoreGraphics PDF parser, the NSO exploit writers abused Apple’s implementation of the open-source JBIG2, a domain-specific image codec designed to compress images where pixels can only be black or white. Describing the exploit as “pretty terrifying,” Google said the NSO Group hackers effectively booby-trapped a PDF file, masquerading as a GIF image, with an encoded virtual CPU to start and run the exploit. Apple patched the exploit in September and filed a lawsuit seeking to hold NSO Group accountable.

Read more of this story at Slashdot.

Apple Delays Corporate Return To Offices Indefinitely

Long-time Slashdot reader ttyler shares a tweet from NBC News tech reporter Zoe Schiffer: Tim Cook just sent out an email delaying Apple’s return to work to a date ‘yet to be determined.’ He also said the company is giving every corporate employee $1,000 to spend on home office equipment. MacRumors adds: There is no word on when employees will be expected to go back to work, and for now, those who are able to do so will continue to work from home. The delay will be welcome news to Apple employees who have been dreading the return to corporate offices, but Apple does plan to have employees come back at some point. Apple executives have made it clear since the beginning of the pandemic that employees will eventually need to return to work. “Video conference calling has narrowed the distance between us, to be sure, but there are things it simply cannot replicate,” Cook said back in June.

When it is safe for employees to return to the office, Apple is planning for a hybrid work schedule. Employees will be expected to be in the office three days a week, but will have the option of working from home for two days a week. Apple also plans to allow employees to work remotely for up to one month per year, giving them more time to travel and be closer to loved ones. Because employees will need to continue to work from home, Cook said that Apple is giving every corporate employee $1,000 to spend on home office equipment.

Read more of this story at Slashdot.

USPS Built and Secretly Tested a Blockchain-Based Mobile Voting System Before 2020

An anonymous reader quotes a report from The Washington Post: The U.S. Postal Service pursued a project to build and secretly test a blockchain-based mobile phone voting system before the 2020 election (Warning: may be paywalled; alternative source), experimenting with a technology that the government’s own cybersecurity agency says can’t be trusted to securely handle ballots. The system was never deployed in a live election and was abandoned in 2019, Postal Service spokesman David Partenheimer said. That was after cybersecurity researchers at the University of Colorado at Colorado Springs conducted a test of the system during a mock election and found numerous ways that it was vulnerable to hacking.

The project appears to have been conducted without the involvement of federal agencies more closely focused on elections, which were then scrambling to make voting more secure in the wake of Russian interference in the 2016 contest. Those efforts focused primarily on using paper ballots so the voter could verify their vote was recorded accurately and there would be a paper trail for auditors — something missing from any mobile phone or Internet-based system.

The Postal Service system allowed people to cast votes on an Internet-connected mobile app similar to how they might add items to an online shopping cart or fill out an online survey. The votes were designed to be anonymous and to be recorded in multiple digital locations simultaneously. The idea is that each of those digital records would act as a check to verify the accuracy of the other records. This is essentially the same method that cryptocurrencies such as bitcoin use to ensure transactions are accurately recorded. But the system didn’t protect against the numerous ways hackers might fake or corrupt votes, the University of Colorado researchers said. Those include impersonating voters, attacking the blockchain system itself so votes can’t be trusted, flooding the system with information so it becomes too overwhelmed to function, and using techniques that undermine voters’ privacy and the secrecy of the ballot. The researchers were able to successfully perform all those hacks during a mock election held on campus. “The Postal Service was awarded a public patent for the concept in August 2020, but had not previously revealed that it built a prototype system or tested it,” the report notes.

Read more of this story at Slashdot.

Two US Senators Urge Federal Investigations Into Facebook About Safety – and Ad Reach

Two leading U.S. Senators “are urging federal regulators to investigate Facebook over allegations the company misled advertisers, investors and the public about public safety and ad reach on its platform,” reports CNBC:

On Thursday, Senator Warren urged the heads of the Department of Justice and Securities and Exchange Commission to open criminal and civil investigations into Facebook or its executives to determine if they violated U.S. wire fraud and securities laws. A day earlier, Senator Cantwell, chair of the Senate Commerce Committee, encouraged the Federal Trade Commission to investigate whether Facebook, now called Meta, violated the agency’s law against unfair or deceptive business practices. Cantwell’s letter was made public on Thursday…

In her letter to the FTC, Cantwell focused on Facebook’s claims about the safety of its products, in addition to the allegedly inflated ad projections… She suggested the agency investigate Facebook and, depending what the evidence shows, pursue monetary relief for advertisers and disgorgement of allegedly ill-gotten gains.
Senator Warren points to a whistleblower’s recent allegations that Facebook misled both investors and advertising customers about their ad reach, according to the article. Warren’s letter also raised the possibility that Facebook violated securities law, describing “breathtakingly illegal conduct by one of the world’s largest social media companies.”

And in addition, Warren “wrote that evidence increasingly suggests executives were aware the metric ‘was meaningfully and consistently inflated.’”

Bloomberg adds this quote from Senator Cantwell’s letter:
“A thorough investigation by the Commission and other enforcement agencies is paramount, not only because Facebook and its executives may have violated federal law, but because members of the public and businesses are entitled to know the facts regarding Facebook’s conduct as they make their decisions about using the platform.”

Read more of this story at Slashdot.