Pages

Monday, September 26, 2022

Cyber rules on the way to fight Optus hack fraudsters

If this hacker is real, then it appears that a further two million accounts have been compromised, bringing the number to a total of 11.2 million. 

The breaches date as far back as 2017.

 Optus data breach: Hacker demands $1.5 million ransom, customer info leaked on dark web


“It is an offence to buy stolen credentials. Those who do face a penalty of up to 10 years’ imprisonment.”
~Greg Monahan - They thought their payments were untraceable. They couldn’t have been more wrong. The untold story of the case that shredded the myth of Bitcoin’s anonymity.


Cyber  rules on the way to fight Optus hack fraudsters

Share

Cybersecurity Minister Clare O’Neil plans to reveal reforms this week forcing businesses to alert banks quickly about breaches of customer data to limit the likelihood of money being fraudulently taken from their accounts.

The policy reforms, which have not been finalised, are a reaction to the breach of systems at telecoms giant Optus, which has notified millions of customers their personal details were stolen and may be for sale online.

Cyber Security Minister Clare O’Neil is responding to citizens’ concerns about the implications of the Optus data breach. James Brickwood

Ms O’Neil believes banks being alerted to customers’ exposure to data breaches would enable them to apply greater scrutiny to activity on their accounts, and could help customers dispute transactions in the event of theft.

Optus chief executive Kelly Bayer Rosmarin, meanwhile, is likely to meet with the telco’s owner, Singaporean tech giant Singtel. Its chief executive, Kuan Moon Yuen, and chief corporate officer, Cheng Cheng Lim, flew into Sydney on Friday for an annual two-day board meeting and are expected to discuss the breach on Monday morning.

While it is believed internally that no one person is to blame for the breach, customer frustration grew at the weekend as an anonymous user claimed on a hacking forum to have the data of 11.2 million people. Optus said last week that 9.8 million would be affected in a “worst-case scenario”.


“Optus if you are reading! Price for us to not sale data is 1,000,000$US we give you 1 week to decide,” the post, which demanded the payment be made in the monero cryptocurrency, said.

The Australian Financial Review has seen a sample of the apparent breach data and contacted the user.

While multiple cybersecurity experts say the data might be legitimate, there is no certainty. Hacking forums often post fake claims to trick companies into paying a ransom for data a poster does not have.

‘Insider’ theory

The purported hacker reportedly got into Optus’ systems via an unprotected application programming interface – a tool that facilitates communication between apps and services. The user told the Bank Info Security website the API was accessible by any web user and did not require authentication. If the report is true, that would mean Optus had effectively left a door to its virtual data warehouse unlocked.

Others, such as cyber threat intelligence firm Kela and partner Colab82, have theorised that hackers may have recruited Optus employees to facilitate the breach as an inside job.


“[Threat actors] were looking in June and July 2022 for ‘insiders’ of Optus and other companies, to get sensitive information about the company,” it said in an analysis note obtained by the Financial Review.

Kela identified three posters on notable hacking forums that were looking for insiders earlier this year.

It also “found more than 55,000 leaked credentials pertaining to the Optus domain that may be used by threat actors for social engineering campaigns” and “3000 bots containing Optus-related resources – some of which seem to be sensitive portals designated for company personnel” on illicit markets.

Optus confirmed it had had no contact with the hacker, and the hacker had not contacted the telco before the post about the data on the breach forum.

Optus declined to comment on the authenticity of the data sample.

“Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings,” the company said.

“Once again, we apologise. We will provide further updates as new information comes to hand.”

The Financial Review has cross-referenced some of the alleged data with breaches listed on HaveIBeenPwned.com, a site that helps users check if their data has been part of a breach that has been made public.

Of the handful of email addresses from the sample tested by the Financial Review, most appeared to have been part of a previous, unrelated data breach collated on the website. However, some had not, indicating that the data could be legitimate because they were newly exposed addresses. The Financial Reviewcannot verify whether the data posted is real.

“The data for sale online is of real people. But we need Optus to verify it’s from them,” Internet 2.0 co-chief executive Robert Potter said.

The Australian Federal Police said it was aware of reports the stolen data was being sold “through a number of forums, including the dark web”.

“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” a spokeswoman said.


“It is an offence to buy stolen credentials. Those who do face a penalty of up to 10 years’ imprisonment.”

Lucas Baird is a journalist based in The Australian Financial Review's Sydney office. Connect with Lucason Twitter. Email Lucas at lucas.baird@afr.com
Paul Smith edits the technology coverage and has been a leading writer on the sector for 20 years. He covers big tech, business use of tech, the fast-growing Australian tech industry and start-ups, telecommunications and national innovation policy.Connect with Paul on Twitter. Email Paul at psmith@afr.com
Max Mason covers courts, insolvency, regulation, financial crime, cybercrime and corporate wrongdoing. He joined the masthead in 2013 and has held a number of roles, including media editor and telecommunications reporter. He is based in Sydney.Connect with Max on Twitter. Email Max at max.mason@afr.com

The PUblic SErvice has too many chiefs ELs SESs are very few Genuine Public serVants who actually can think and innovate … O’Neil added that Australia is about a decade behind where it needs to be on “privacy protections” and five years behind on “cyber protections”.


Every Bitcoin payment is captured in its blockchain, a permanent, unchangeable, and entirely public record of every transaction in the Bitcoin network. The blockchain ensures that coins can’t be forged or spent more than once. But it does so by making everyone in the Bitcoin economy a witness to every transaction. Every criminal payment is, in some sense, a smoking gun in broad daylight.

Within a few years of Bitcoin’s arrival, academic security researchers—and then companies like Chainalysis—began to tear gaping holes in the masks separating Bitcoin users’ addresses and their real-world identities. They could follow bitcoins on the blockchain as they moved from address to address until they reached one that could be tied to a known identity. In some cases, an investigator could learn someone’s Bitcoin addresses by transacting with them, the way an undercover narcotics agent might conduct a buy-and-bust. In other cases, they could trace a target’s coins to an account at a cryptocurrency exchange where financial regulations required users to prove their identity. A quick subpoena to the exchange from one of Chainalysis’ customers in law enforcement was then enough to strip away any illusion of Bitcoin’s anonymity.

Chainalysis had combined these techniques for de-anonymizing Bitcoin users with methods that allowed it to “cluster” addresses, showing that anywhere from dozens to millions of addresses sometimes belonged to a single person or organization. When coins from two or more addresses were spent in a single transaction, for instance, it revealed that whoever created that “multi-input” transaction must have control of both spender addresses, allowing Chainalysis to lump them into a single identity. In other cases, Chainalysis and its users could follow a “peel chain”—a process analogous to tracking a single wad of cash as a user repeatedly pulled it out, peeled off a few bills, and put it back in a different pocket. In those peel chains, bitcoins would be moved out of one address as a fraction was paid to a recipient and then the remainder returned to the spender at a “change” address. Distinguishing those change addresses could allow an investigator to follow a sum of money as it hopped from one address to the next, charting its path through the noise of Bitcoin’s blockchain. …


CHRIS JANCZEWSKI SAYS the full impact of the Welcome to Video case didn’t hit him until the day in October 2019 when it was finally announced in public and a seizure notice was posted to the site’s home-page. That morning, Janczewski received an unexpected call from the IRS commissioner himself, Charles Rettig.

Rettig told Janczewski that the case was “this generation’s Al Capone”—perhaps the highest compliment that can be bestowed within IRS-CI, where the story of Capone’s takedown for tax evasion holds almost mythical status.


That same day, the Justice Department held a press conference to announce the investigation’s results. US attorney Jessie Liu gave a speech to a crowd of reporters about what the case represented—how following the money had allowed agents to score a victory against “one of the worst forms of evil imaginable.”

Chainalysis’ Jonathan Levin sat in the audience. Afterward, an IRS official named Greg Monahan, who had supervised Gambaryan and Janczewski, came over to thank Levin for his role in the case. It had all started, after all, with Levin’s tip to two bored IRS agents in the Bangkok airport. Monahan told Levin that it was the most important investigation of his career, that he could now retire knowing he had worked on something truly worthwhile.

Levin shook the IRS-CI supervisor’s hand. Neither he nor Monahan could know, at that time, of the cases still to come: that IRS-CI and Chainalysis would together go on to disrupt North Korean hackers, terrorism financing campaigns, and two of the largest bitcoin-laundering services in the world. Or that they would track down close to 70,000 bitcoins stolen from the Silk Road and another 120,000 stolen from the exchange Bitfinex, totaling to a value of more than $7.5 billion at today’s exchange rates, the largest financial seizures—crypto or otherwise—in the Department of Justice’s history.

Following the Virtual Money



This story is excerpted from the bookTracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrencyavailable November 15, 2022, from Doubleday.


ROSS WAS PADDLING through the break, lining up for a set. The beach at Bondi, just south of Sydney, sloped down to a gorgeous waterline. For Ross, the waves were among the many advantages of leaving Austin in late 2011 to spend some time in Australia with his older sister, Cally. He quickly made friends there, a lively group that went out drinking, invited him to warehouse parties, and met up to go surfing.

Ross had worked that morning but was in the water by afternoon. It was nice, the portable life. And it was made possible by his flourishing online drug bazaar. Silk Road’s usage had exploded in June of that year, after a story on Gawker brought the site mainstream attention. After that, traffic grew so fast that Ross needed technical support to maintain the site, deal with transactions, and add features like automatic payments and a better feedback system.

Untold Story of Silk Road Dark Met


  • IRS Special Agent Gary Alford has revealed how he discovered the real life identity of Dread Pirate Roberts.
  • Alford was able to identify the founder of Silk Road where the FBI, DEA and Homeland Security failed.
  • Alford says crime is a human problem, not one of technology.

How Investigator Got Inside the Mind of Silk Road Founder Ross Ulbricht