(From the Register article) DeFi stands for decentralised finance. Protocols like Poly Network allow cryptocurrency traders to exchange digicash across various blockchains; they can be used to swap Bitcoin for Ethereum, for example.
First, the criminal needs to take efforts to conceal the bitcoin.
… Modern bitcoin tracing tools make [simple bitcoin] money laundering trick[s] ineffective. Instead, the modern criminal does something called “chain swaps.”
…
In a chain swap, the criminal transfers the bitcoin to a shady offshore cryptocurrency exchange.
…
Once on this alternate exchange, the criminal sells his bitcoin and buys some other cryptocurrency like Ethereum, Dogecoin, Tether, Monero, or one of dozens of others. They then transfer it to another shady offshore exchange and transfer it back into bitcoin. Voila — they now have “clean” bitcoin.
Dots connected… I thought this whole DeFi thing had a niff to it.
Thief hands back at least a third of $600m in crypto-coins stolen from Poly Network
[…]
Poly Network said the crook was able to interfere with the execution of smart contracts – typically, small programs that automatically run to fulfill agreements between parties – that are used by the platform to exchange people’s tokens and coins. Funds were not extracted directly from digital wallets.
You can find more technical detail here by security analysts Slowmist, and here by blockchain watchers Chainalysis.
I was offered $500k as a thank-you bounty for pilfering $600m from Poly Network, says crypto-thief
The mysterious miscreant who exploited a software vulnerability in Poly Network to drain $600m in crypto-assets, claims the Chinese blockchain company offered them $500,000 as a reward for discovering the weakness.
Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.
Um…
Not “reverse engineered” as such. It has been extracted from iOS 14.3, where it was already, unannounced, and put in a test harness. The investigators demonstrated two images, quite distinct, with the same hash, which means Bad Guys can launch DoS attacks by generating n → ∞ matching images and overloading the manual verification.
From the blog Comments:
One wonders if Apple’s client-side scanning isn’t ultimately intended for markets where false positives are even less of an issue than in the US and the technology is merely being labelled as anti-pedophilia for western consumption.
… well duh … there are major “markets” in jurisdictions where not having a back door would be considered “obstruction of justice”.
One is also led to suspect that Apple announced its Neural Hash/CSAM protection thing as cover when they knew the algorithm was about to be outed.
Further thought: it would be interesting to find out if any other Apple sub-systems send a quiet, probably well hashed, note to the Mother Ship when they encounter text of interest (the ghost, no doubt, of the old NSA Line Eater of days of yore).
I find the whole situation with state and commercial surveillance, NSO and friends, beyond egregious. We’re left trying to secure our lives and our businesses against an infrastructure fundamentally designed with the goal of making us vulnerable, be it to commercial suasion for profit, or to state oversight in the name of preventing Bad Things.
The few times I’ve talked to our Privacy Commissioner’s office, it appears there is little will to reign it all in. The idea that surveillance shouldn’t be a business model seems hard for them to swallow, probably in part because it is feeding (functionally sacrosanct) state surveillance, but also because it is employing a lot of people and there’s no political will to use that human potential in more useful ways.
Bumble fumble: Dude divines definitive location of dating app users despite disguised distances
Up until this year, dating app Bumble inadvertently provided a way to find the exact location of its internet lonely-hearts, much in the same way one could geo-locate Tinder users back in 2014.
In a blog post on Wednesday, Robert Heaton, a security engineer at payments biz Stripe, explained how he managed to bypass Bumble’s defenses and implement a system for finding the precise location of Bumblers.
“Revealing the exact location of Bumble users presents a grave danger to their safety, so I have filed this report with a severity of ‘High,’” he wrote in his bug report.
Azure’s now-fixed Cosmos DB flaw could have been exploited to read, write any database
Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months.
Leaked Guntrader firearms data file shared. Worst case scenario? Criminals plot UK gun owners’ home addresses in Google Earth
The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.
As an exercise in amplifying a data theft to levels that endanger public safety, the latest evolution of the Guntrader database break-in is likely to become an infosec case study in how security breaches can become worse over time as stolen information is put to ever more intrusive uses.
Leaked online last week via an animal rights activist’s blog, the stolen reformatted Guntrader database was explicitly advertised as being importable into Google Earth so randomers could “contact as many [owners] as you can in your area and ask them if they are involved in shooting animals.”
Names, home addresses, postcodes, phone numbers, email addresses and IP addresses are included in the Google Drive-hosted CSV file – along with precise geographic coordinates for a large number of the 111,295 people listed in the breach.
If you want to see change, you need to incentivize change. For example, if you want to see Microsoft have a heart attack, talk about the idea of defining legal liability for bad code in a commercial product. If you want to give Facebook nightmares, talk about the idea of making it legally liable for any and all leaks of our personal records that a jury can be persuaded were unnecessarily collected. Imagine how quickly Mark Zuckerberg would start smashing the delete key.
Personally, I think private information storage in electronic form should be permitted only in support of a substantial commercial transaction or ongoing commercial relationship with a contract and significant payment involved. Otherwise, the system enabling surveillance for the legitimate will always turn into surveillance by criminals or by the enemy.
Zero-click … so if you get the text message, you’re hacked.
Starting in February 2021, we began to observe NSO Group deploying a new zero-click iMessage exploit that circumvented Apple’s BlastDoor feature. We refer to the exploit as FORCEDENTRY, because of its ability to circumvent BlastDoor. Amnesty Tech also observed zero-click iMessage exploitation activity around the same time, and referred to the activity they observed as “Megalodon.”