The U.S. Department of Justice (DOJ) has arrested two individuals for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange. According to the DOJ, the cryptocurrency that was seized is presently valued at $4.5 billion. Law enforcement has seized over $3.6 billion in cryptocurrency linked to the Bitfinex hack.
“Today’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals,” said Deputy Attorney General Lisa O. Monaco. “In a futile effort to maintain digital anonymity, the defendants laundered stolen funds through a labyrinth of cryptocurrency transactions. Thanks to the meticulous work of law enforcement, the department once again showed how it can and will follow the money, no matter what form it takes.”
The Wall Street Journal reported that the two people were both arrested without incident Tuesday morning in Manhattan. They have promoted themselves on social media as entrepreneurs with deep knowledge of tech and a love of travel.
According to The Wall Street Journal, at the couple’s appearance in Manhattan court, U.S. Magistrate Judge Debra Freeman set bond at $5 million for Mr. Lichtenstein and $3 million for Ms. Morgan, requiring that their parents’ homes be posted as security. The judge also ordered that they not have devices with internet access and prohibited them from conducting cryptocurrency transactions.
The two are facing charges related to conspiracy to commit money laundering and conspiracy to defraud the U.S. They were not charged with the hack of Bitfinex.
IBM explains that the blockchain has an immutable record of transactions. No participant can change or tamper with a transaction after it’s been recorded to the shared ledger. Transactions are recorded only once, eliminating the duplication of efforts that’s typical of traditional business records.
In short, the couple who allegedly attempted to launder a large amount of cryptocurrency left a trail of transactions that the Department of Justice used to discover the scheme. I’ve seen people on social media suggest that the blockchain is private and untraceable. However, the DOJ was clearly able to find the information it needed.
A few years ago, a hacker decided to be a jerk right around Christmas time. He launched DDoS attacks against several gaming companies. The purpose seemed to be to prevent children (and adults) who received new video games and/or consoles as gifts from being able to use them. This mean-spirited hacker has now been sentenced to 27 months in prison.
Information about this case was posted on the U.S. Department of Justice website (more specifically, on the section for the U.S. Attorney’s Office for the Southern District of California). The information was posted on July 2, 2019.
Austin Thompson of Utah was sentenced in federal court today to 27 months in prison for carrying out a series of so-called denial-of-service computer hacking attacks against multiple victims between 2013 and 2014. The defendant was also ordered to pay $95,000 in restitution to one of the victims – Daybreak Games, formerly Sony Online Entertainment.
Austin Thompson is free on bond, and must surrender to authorities on August 23, 2019.
ZDNet reported that Austin Thompson is 23 years old, and used the name @DerpTrolling on Twitter. He used that Twitter account to announce attacks and also to take requests for services that other Twitter users wanted him to take down.
According to ZDNet, Austin Thompson launched DDoS attacks against Sony’s PlayStation Network, Valve’s Steam, Microsoft’s Xbox, EA, Riot Games, Nintendo, Quake Live, DOTA2, and League of Legends Servers, among others.
Hopefully, this will be a warning to other “trolls” who think it would be funny to launch DDoS attacks “for the lulz”. There is now legal precedent that launching a DDoS attack can result in a huge fine and prison time.
Given that George Orwell was English, one might think the British would be all too aware of the dangers of a police state. Despite being one of the most surveilled countries in the world with one security camera for every eleven people, politicians in the UK have put forward plans to record the online activities of people in the UK and force companies like Google and Apple to break the encryption on gadgets and apps. It’s clear from both Snowden’s revelations and other sources that the UK’s security services have been routinely collecting large quantities of phone data with little legislative oversight.
As expected, the powers-that-be trot out the usual scaremongering tactics from terrorists to paedophiles, and while politicians aren’t known for their intelligence, the current proposals around encryption seem particularly stupid and at odds with experts in the fields of security and mathematics.
Encryption isn’t always that easy to understand, so this video shows a very simple but secure method for encrypting and decrypting messages using nothing more than paper and pencil. The process is a bit laborious but it illustrates how easy it is to be secure even without a computer and that any attempt to put a back door into digital encryption will only compromise the integrity of the internet for everyone.
The BBC’s “In Our Time” radio programme tackles “P v NP” this week and part of the discourse involves prime numbers and their role in encryption. It’s available as a podcast so it’s recommended listening too.
Be seeing you!
In the latest cyber moves by the Dept of Homeland Security against a Canadian on-line gambling outfit, it’s been confirmed that if it’s a .com domain, it falls under US jurisdiction, regardless of where the servers are, where the company is incorporated or who the domain registrar is.
Strangely for the “Land of the Free”, Americans aren’t allowed to gamble on-line but this didn’t stop Bodog, a Canadian-based on-line gambling site with the domain bodog.com, from aggressively marketing its services to US citizens. As a result, Bodog’s four owners have been indicted (pdf) on various internet gambling charges.
Almost everything to do with this organisation was out of harm’s way in Canada – the company, the owners, the servers, the domain registrar – so the DHS took the step of forcing Verisign into doing the dirty work. Verisign manages the .com infrastructure and they removed (pdf) some of the key linking records to the bodog.com domain, thus putting the domain off the net.
In this instance, it can be hard to feel any particular sympathy with Bodog as it appears that they did what they did knowing that it was illegal. Regardless, though, the point is now made that a .com can be taken off the internet pretty much because the US doesn’t like it. Selling holidays to Cuba – you’re gone. Trading with Iran – you’re off-line. Evolution is a fact – you’re history.
If you or your organisation has a .com, you’re now under US jurisdiction, and if you think this is bad, imagine what it would have been like if SOPA had been enacted.
The theft of mobile electronic devices has become increasingly attractive as the value of gadgets rises and the economy falls. A particularly easy way to steal is to simply open likely-looking backpacks and rucksacks while they’re being worn and remove the gadgetry without the owner noticing. Sometimes the pack can be unzipped quietly, other times it’s cut open with a knife or scissors. A skilled thief can do this while someone is walking along but more commonly it happens on trains and buses.
To defend against this thievery, Canadian firm Vivick will debut their new line of anti-theft backpacks at CES in January, comprising three bags constructed from an anti-slash military-grade gauge nylon with a combination lock built into the zipper tab. Each model is designed to look good while being sturdy and durable, and the carry straps are also strengthened.
Rifling through my satchel this morning, I found a laptop, a tablet, an MP3 player and a somewhat old smartphone (Palm Treo Pro). Even with this last item, the total value of the technology exceeds £1000 (or $1500), so this isn’t a purely theoretical risk.
Vivick is known for its professional electronic designs, having worked for Apple, Sony, Samsung and Dell to create accessories for their own product lines. Vivick has also worked with Aston Martin and Ferrari on interior automotive accessories. Based on these credentials, I’ll be very interested to see what they come up with at CES.
The murder trial of Jo Yeates is front page news throughout the UK – a neighbour, Vincent Tabak, is accused of killing her. At the moment, the prosecution is presenting its case and a couple of interesting things have emerged as evidence.
In particular, the prosecution has alleged that the defendant:
- looked at Wikipedia for the definitions of murder and manslaughter.
- searched for the maximum penalty for manslaughter, i.e. how many years in jail.
- looked up definitions for sexual assault and sexual conduct.
- searched maps showing the area where the body was later found.
- searched on CCTV cameras in the street where both the defendant and victim lived.
- used Google StreetView to view the same area.
- researched criminal forensics, fingerprinting and DNA evidence.
- read news stories on the investigation into the disappearance of the victim.
Of course, it will be up to the jury to decide whether these are good indicators of guilt, but regardless it’s clear that if someone is accused of a crime then there’s a pretty thorough examination of one’s computers and on-line behaviour. Obviously this case is about a very serious crime but it’s almost a gift to the prosecution when put together like this: can you think of any good reason to access this material at the time of the disappearance? However, this is circumstantial evidence and needs to be weighed as such.
On a related note, Google has announced that if you are signed-in to Google when you search, you will automatically use https://www.google.com/, the secure version of Google Search. While this will prevent casual snooping on your search, Google will be keeping hold of your search information so that it can better serve you adverts. And how long does Google keep the search information? Indefinitely or until you remove it. So while on the face of it encrypted search is a good thing, it comes at the price of Google knowing yet more about you.
I suspect that in the current murder trial, all the computer forensics team had to do was look back through the defendant’s browser history. Easy if there’s only one computer, but more difficult if the person has a home computer, work laptop, smartphone and so on. If you’re tied into Google everywhere, all they’ll have to do is subpoena information from Google and get your search data in one tidy little bundle. Nice.
As the fall-out from the News of the World scandal continues, many sources continue to inaccurately refer to “mobile phone hacking”. The truth (as far as is known) was that it was the voicemail of the mobile phone that was hacked rather than the phone itself. There are two ways to do this – the first is to simply guess the PIN of the voicemail and the second is to use Caller ID spoofing.
In the mid-2000s, most mobile phone voicemail systems were poorly protected as they typically came with a default PIN which was often easily guessed and only varied according to the mobile phone company. Most users didn’t bother to change the PIN. Say the phone was on Orange, then the default PIN was 1234. If it was Vodafone, then 0000. Typically, the villain then makes two simultaneous calls to the victim. One will be picked up, the other will go to voicemail. By then pressing “*” or “#” while listening to the voicemail prompts, the individual can gain access to the voicemail system using the default PIN. Computeractive has an article covering this scenario and how, in theory, it would be harder (but not impossible) to take this approach today.
As for Caller ID spoofing, this technique makes a call look like it’s coming from a different number than it actually is. It can be used legally to make a call from a mobile appear to come from a company office, so that the person’s mobile number is not divulged. However, in some instances it has been used to gain access to voicemail boxes as many voicemail systems do not ask for further identification if the system recognises the inbound Caller ID as one of its own. PC Mag and c|net have short articles on how this is done and worryingly, this is still a threat. The Wall Street Journal covered the problem in 2010 before the current scandal broke.
It would appear that the best protection against both these attacks is (a) to change the PIN on your voicemail and (b) to require your PIN even when calling from your own mobile phone. That way, even if your Caller ID is spoofed, the caller can’t get in without knowing your PIN.
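The two protections above can be expressed as a small access-decision model and settings audit. This is an added example, not code from the original post or from any carrier: the `Mailbox` fields, the finding names and the phone numbers are hypothetical and constructed for illustration, and only the two default PINs come from the text.

```python
import hmac
from dataclasses import dataclass, replace

DEFAULT_PINS = {"1234", "0000"}  # defaults the article names (Orange, Vodafone)

@dataclass(frozen=True)
class Mailbox:  # hypothetical model, not any carrier's real schema
    owner_number: str
    pin: str
    skip_pin_for_own_number: bool  # True = trust the presented Caller ID

def grants_access(box, presented_caller_id, entered_pin=None):
    """Decide access. The presented Caller ID is only a claim, not proof."""
    if box.skip_pin_for_own_number and presented_caller_id == box.owner_number:
        return True  # weak path: no PIN is ever checked
    if entered_pin is None:
        return False
    return hmac.compare_digest(entered_pin.encode(), box.pin.encode())

def audit(box):
    """Return the weaknesses the article describes that this mailbox has."""
    findings = []
    if box.pin in DEFAULT_PINS:
        findings.append("default-pin")
    if box.skip_pin_for_own_number:
        findings.append("pin-skipped-on-caller-id")
    return findings

def harden(box, new_pin):
    """Apply (a) a changed PIN and (b) PIN required from every number."""
    if new_pin in DEFAULT_PINS or new_pin == box.pin:
        raise ValueError("choose a PIN that is neither a default nor the old one")
    return replace(box, pin=new_pin, skip_pin_for_own_number=False)

OWNER = "+447700900123"              # constructed sample number
OTHER = "+447700900456"              # constructed sample number
WEAK = Mailbox(OWNER, "1234", True)  # as shipped in the mid-2000s scenario
HARDENED = harden(WEAK, "837261")    # constructed sample PIN

if __name__ == "__main__":
    for name, box in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(box),
              "caller-id only:", grants_access(box, OWNER),
              "default PIN:", grants_access(box, OTHER, "1234"))
```

Only the hardened mailbox refuses both a call that presents the owner's number without a PIN and a call that enters a default PIN.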