Archives for : SECURITY

Fraudsters steal $50,000 from Queensland university

Fraudsters have stolen tens of thousands of dollars from a Queensland university, prompting a warning from the state’s auditor general Brendan Worrall.

The Queensland Audit Office revealed there had been an increase in external attempts to divert employee and supplier payments to illegitimate bank accounts across the sector.

Universities have been warned about increasing attempts to switch bank account details to gain access to employee and supplier payments.Credit:Reuters

In one case, Griffith University did not adhere to processes to independently verify requests to change existing supplier bank account details, resulting in a “small fraudulent payment” last year, an Audit Office report revealed.

A fraudulent request was made by an external source to change an existing supplier’s bank account details and divert payments to an illegitimate bank account.

Griffith University vice-president of corporate services Peter Bryant said an external supplier was hacked, resulting in a $52,000 loss last financial year.

“Griffith University takes fraud prevention very seriously,” he said.

“Last year, the university commissioned an expert review and adopted all recommendations to strengthen fraud prevention measures.

“New measures include improved staff training, business processes and additional bank account checks.”

The Queensland Audit Office recommended universities verify bank account detail changes for suppliers and employees through an independent source, not the person who requested the change.

In addition, the Audit Office found electronic funds transfer (EFT) files were not appropriately secured at Griffith University and the University of Southern Queensland.

Henry Sapiecha

Over 746,000 NHS phishing emails blocked in a 30 day period

The National Cyber Security Centre blocked more than 746,000 NHS phishing emails in one month in 2017


More than 746,000 phishing emails pretending to be from the NHS were blocked in just one month in 2017, the National Cyber Security Centre says.

A report on the first year of the GCHQ unit’s cyber-defence programme found that it removed 121,479 phishing sites hosted in the UK.

This reduced the UK’s share of global phishing attacks from 5.3% to 3.1%.

Three-quarters of UK government-related phishing sites were taken down in 24 hours.

Phishing emails trick users into visiting websites that impersonate known brands and ask the user to log in to their account.

This enables attackers to gather confidential login details or financial information.

Phishing emails are also used to trick people into opening malicious email attachments that install malware on their computers.

The methods of reducing phishing involved using various security scanning systems to perform millions of tests on government websites and emails being sent in and out of government networks.

‘Simple things’

“What they’ve done is not brain surgery – the technology’s been around for a while, but they’ve managed to persuade various government departments to do the simple things to reduce cyber-security threats dramatically,” cyber-security expert Prof Alan Woodward, from Surrey University, told the BBC.

“Phishing emails from HM Revenue and Customs (HMRC) used to be the most common emails you’d see, but they got the HMRC to put the technology in place, and the spoofing emails dropped to zero in a matter of days.”

Cyber-security expert Graham Cluley said that technologies used were not new, but the NCSC’s efforts had produced “impressive results”.

“Of course they won’t have caught every phishing attempt, but they will have helped stamp out many of the most convincing attacks,” he told the BBC.

Martyn Thomas, Gresham College’s professor of IT, agreed: “I think their success rate on stopping really legitimate-looking spam is really high and they are to be congratulated.”

While Prof Thomas felt that the NCSC would benefit from having a “longer-term vision” when it came to cybersecurity, he felt the fact that the government agency could gain intelligence from GCHQ on potential cyber-attacks gave it an edge over commercial cybersecurity contractors.

NHS targeted

Prof Woodward said the NCSC’s work was “an important development” because the organisation was able to close down the opportunity for people to pretend to be from within the NHS, which would help to prevent future attacks.

“The biggest problem is people pretending to be within,” he said. “Whenever you receive something that seems to come from your own network, you inherently trust it.”


Henry Sapiecha

Smart label helping beat counterfeiters

China-based company WaliMai has developed RFID-based anti-counterfeit labels that are fixed to a product to let consumers know for certain that it is genuine. Matthew Stock reports.

Smart label helping beat counterfeiters

STORY: Counterfeiting in China is big business. Knock-off goods range from designer handbags and cosmetics, to food and medicines. The 2008 tainted milk scandal caused domestic consumers to be wary of made-in-China milk products, leading to a rise in imports from the West. Those imports became a prime target for counterfeiters. The WaliMai anti-counterfeit label aims to help parents know for sure their baby formula is genuine. SOUNDBITE (English) ALEXANDER BUSAROV, CO-FOUNDER & CEO OF WALIMAI, SAYING: “The way it works for the consumer is that they come to the shop, they take their mobile phone, they touch the label with their mobile phone. It takes about 2 seconds for the confirmation and re-writing of the codes. And then the first piece of information that they get is that it’s actually authentic. Then to add on to that there’s all the information on the logistic supply chain so they can see where the product was produced, where it was packed, where it entered the country that they’re in – in our case it’s China – when it was checked in our warehouse, and also they can see their own scan.” WaliMai says they have ‘banking-level’ security inside. The embedded RFID chip has a re-writable memory, changing with every scan. They say this makes it virtually impossible to counterfeit. Each label is single use; and is destroyed when the product is opened. SOUNDBITE (English) ALEXANDER BUSAROV, CO-FOUNDER & CEO OF WALIMAI, SAYING: “There’s an antenna within the label which gets torn and it’s very difficult to put it back together; you basically need a lab for that which acts as a deterrent for a counterfeiter to actually deal with it.” WaliMai’s smart label will soon be used on bottles of alcohol – another sector battling Chinese counterfeiters. The company hopes the technology could one day help tackle the huge global problem of counterfeit pharmaceuticals.


Henry Sapiecha

How to Keep Your Bitcoin Safe and Secure from scammers & hackers so Watch These Videos


Owning cryptocurrency isn’t quite the Wild West experience it was at the beginning of the decade, but investors still face plenty of instability and risk. The threats aren’t just abstract or theoretical; new scams crop up, and old ones resurge, all the time. Whether it’s a fake wallet set up to trick users, a phishing attempt to steal private cryptographic keys, or even fake cryptocurrency schemes, there’s something to watch out for at every turn.

Cryptocurrencies can feel secure, because they decentralize and often anonymize digital transactions. They also validate everything on public, tamper-resistant blockchains. But those measures don’t make cryptocurrencies any less susceptible to the types of simple, time-honored scams grifters have relied on in other venues. Just this week, scams have arisen that divert funds from users’ mining rigs to malicious wallets, because victims forgot to change default login credentials. Search engine phishing scams that tout malicious trading sites over legitimate exchanges have also spiked. And a trojan called CryptoShuffler has stolen thousands of dollars by lurking on computers, and spying on Bitcoin wallet addresses that land in copy/paste clipboards.

A few simple steps, though, can help cryptocurrency proponents—be it Bitcoin or Monero or anything between—guard against a swath of common attacks. Just as you might keep your cash out of plain sight, or stash your jewelry in a safe deposit box, it pays to put a little effort into how you manage your cryptocurrency. The following won’t defend against every conceivable attack on your digital doubloons, but it’s a good place to start.

Cold, Hard (Digital) Cash

A key step to protecting your cryptocurrency is to store anything of significant value in a hardware wallet—a physical device, like a USB drive, that stores your private keys and currency locally, and isn’t connected to the internet. Experts caution against storing large amounts of coins through cryptocurrency exchanges, or in digital wallet apps on your smartphone or computer. The public-facing internet offers an attacker too many inroads to attempt to infiltrate your wallet, or trick you into giving them access.

Secure hardware wallets like Trezor or the Ledger Nano S cost about $100 or less and have a straightforward setup. You just choose a PIN number and a recovery “seed” (usually a set of words and numbers) in case you forget your PIN, or your wallet malfunctions. It’s pretty robust security, so make sure you keep copies of your PIN and seed somewhere accessible to you, but not to home intruders. Recovering currency stored on a hardware wallet after losing both the PIN and the seed is a whole thing. Emin Gun Sirer, a distributed systems and cryptography researcher at Cornell University, goes so far as to suggest that you should “keep a backup of the seed key in a fireproof safe.” This stuff is for real.

Your setup also doesn’t have to be fancy; you can store backups of your coins on any external storage device, like a portable hard drive. Just make sure to encrypt the data in case the device is lost or stolen. You might even consider making a backup to leave in a safe deposit box.

Big Spender

The downside to a hardware wallet is that it makes approving transactions a bit cumbersome. If you want more fluid access to your cryptocurrency, experts suggest storing a small amount in a wallet app to facilitate low-value transactions. The key here: Only keep an amount you would be willing to lose in the app, and never give anyone your private key.

Apps like Mycelium Wallet that are interoperable with popular hardware wallets can make your setup more seamless. And some app-based options like Samourai Wallet are working to prioritize robust encryption and privacy features. Still, don’t trust any app with too much cryptocash right now.


Additionally, consider where you store your private keys, the secret part of the public-private key set that lets you authorize revisions to a blockchain. Always keep them encrypted, and try to avoid leaving them lying around on devices that you use all the time for a lot of different tasks, like your personal PC.

Also consider your transactions carefully. There are tons of established, reliable institutions, but gimmicky new cryptocurrencies crop up all the time, as well as questionable Initial Coin Offerings that could have nothing behind them but scammers on the move. When the cryptocurrency OneCoin, marketed as a Bitcoin competitor, launched this year people bought about $350 million-worth of the coins—which has since drawn comparisons to a Ponzi scheme. And people are even being scammed during legitimate ICOs when attackers launch phishing attacks around the events, or trick would-be investors into sending money to fake wallets. (The Securities and Exchange Commission is poking hard on this.)

Nail the Basics

It’s also important to remember that all the small things you’re already doing (right?) to protect your general digital life help defend your cryptocurrency as well. “We encourage all customers to take a few foundational, and free, actions to put them on a much more stable security footing,” says Philip Martin, director of security at the cryptocurrency exchange platform Coinbase. “Use a password manager, use two-factor authentication, leverage enhanced security protocols for your email address.”

For the especially concerned, Martin even suggests turning on Gmail’s new Advanced Protection feature, and/or adding defenses like a PIN or password to your phone number to make it harder for attackers to grab control of your accounts by transferring your SIM to their own device.

All of these suggestions bolster your general digital security hygiene, but they are particularly helpful for reducing your exposure to the most simple (sometimes impressively so) cryptocurrency scams that can take advantage of small things, like a reused password and no second authentication requirement, to walk in the front door of one of your accounts.

Take that CryptoShuffler trojan, which originally emerged more than a year ago and has been making the rounds again this week. It shows just how basic cryptocurrency scams can be. The malware works by lurking silently on a victim’s computer and passively monitoring their clipboard, waiting for the victim to copy a Bitcoin wallet address. When it sees a string of numbers that looks right, CryptoShuffler simply starts swapping the wallet ID the victim copied for its own malicious wallet address in payment fields. If the victim doesn’t spot the change, the transaction goes through and the coins go to the crooks.

The best way to defend against an attack like that (if your malware scanner doesn’t detect the intrusion) is simply watching all transactions carefully, and taking steps to safeguard your assets so you know your data hasn’t been exposed.

And once you have the basics in place, make sure your friends adopt the same mindset. The more secure the ecosystem, the less attractive a target it is to bad actors. “Help newcomers to crypto with their security,” Cornell’s Sirer says. “The area is new and we need to support the people who are just finding their way in.”

Luckily, you don’t need to be a cryptography expert to take the basic security steps that will protect you against the majority of attacks. And seriously, if nothing else, don’t lose that wallet seed.