Russians charged for $16.8m crypto-coin heist, but traders warned their cash is only as safe as their security is tight

Plus: Lazarus Group joins the big league, ex-Aussie PM doxxed, new flaw found in Bluetooth, and more

4 Reg comments Got Tips?

In brief A pair from Russia have been indicted for stealing nearly $17m worth of cryptocurrency.

US prosecutors allege that Dmitrii Karasavid and Danil Potekhin did everything from phishing and spoofing to price manipulation to make off with $16.8m in internet scrip.

Prosecutors claim that the pair would use phishing emails and fake logins to steal the passwords of currency owners. After breaking into the wallets and making off with the cryptocurrency, it is said they and their unnamed co-conspirators also inflated the value of the currencies, allowing them to cash out at a higher rate.

Of course, being that they are both in Russia, it's anyone's guess if they will ever actually be arrested and extradited to the US to face trial.

In commenting on the case, US attorney David Anderson also reminded cryptocurrency traders that they're not exactly dealing in the safest of markets.

"My warning to internet fraudsters is that we will prosecute internet frauds against US citizens regardless of where those frauds originate," Anderson said.

"My warning to the public is that digital currency exchanges are not like banks. The security of digital currency exchanges is only as good as your own vigilance. While law enforcement will do everything within our power to protect you, you must also protect yourself."

North Korea's Lazarus crew gets by with a little help from its (Russian) friends

How could the North Korean Lazarus Group become any more of a threat to the rest of the internet? We're glad you asked.

The crew at Intel471 did a bit of recon and confirmed that the DPRK hacking crew has called in some help from "top-tier" Russian hackers.

Black hats from the likes of TrickBot, TA505, and Dridex have all been linked to campaigns with Lazarus. Interestingly, Intel471 believes this might be an acknowledgement that Lazarus has arrived among the heavyweights in cybercrime. After years of work, they are getting respect (and cooperation) from the big names in Russia.

"Participation and entry into the underground at the bottom tiers is easy," explained CEO Mark Arena.

"Becoming trusted, verified and achieving a good underground reputation takes years of work."

Hackeroo pulls up passport info on former Aussie PM

A slouch-hat hacker from down under has posted an interesting yarn about how they were able to get the passport number of one of the country's former prime ministers.

Alex Hope showed how, armed with little more than a brag-shot of a boarding pass, it's possible to pull the personal information of anyone. In this case, it was former Aussie-in-chief Tony Abbott.

Hope explained that the booking number on a boarding pass can be used to log in to the airline's website, and then Hope showed how with a bit of digging through the airline site and its HTML, anyone who had that number (ie, people who look at Instagram) could pull up the flyer's passport number.

Hope's full write-up is here [PDF], and very much worth the read.

Apple's big release comes with security updates

Sure, you've heard all about iOS 14, but how about the security updates?

Granted, there weren't a ton of critical fixes to land with the latest edition of the iPhone and iPad firmware, as well as the new Safari, but they're definitely worth taking the time to download and install.

For example, in Safari there are three different bugs (CVE-2020-9948, CVE-2020-9951, CVE-2020-9983) that would allow for remote code execution.

It's nothing earth-shattering, but keep in mind that these sort of overlooked, "not too bad" bugs are the ones that end up becoming reliable exploits, especially when chained together. Read the bulletins, patch your gear.

Bluetooth busted yet again

Uni researchers have found a new vulnerability in Bluetooth gear.

Dubbed BLESA, the flaw preys on security holes in the Bluetooth Low Energy (BLE) protocol to force a reconnection and spoof data to a nearby piece of kit.

Now, while these could be nasty attacks, they do require being in range of the vulnerable gear, meaning the actual threat scenario is pretty limited. The bad guy has to more or less be in the room.

That said, it is going to be an absolute pain to patch, billions of devices will need updates, many of which don't often check for updates. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020