Infosec Round-Up Oct 1st
Payment Flaw, Crypto Crackdown & NK Arrest
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
Contactless Payment Flaw
Researchers have discovered an iPhone flaw which could allow payments of £1,000 to be made from a locked device.
Discovered by researchers from the Computer Science departments of the Universities of Birmingham and Surrey, the flaw pertains to Visa cards set up in ‘Express Transit’ mode within Apple Pay. Express Transit is a feature that enables commuters to make quick contactless payments without unlocking their phones.
Despite the exploit having been demonstrated to BBC journalists, there is currently no evidence that the flaw has been exploited by criminals.
Visa responded that this type of attack was “impractical” outside of a lab. Dr Andreea Radu, of the University of Birmingham, stated: “It has some technical complexity - but I feel the rewards from doing the attack are quite high”. She added that, if left unaddressed, “in a few years these [flaws] might become a real issue”.
China’s Crypto Crackdown
Continuing its crackdown on cryptocurrency, China’s central bank has announced that all cryptocurrency transactions are illegal and that “virtual currency-related business activities are illegal”.
The bank warned that such transactions “seriously endanger the safety of people’s assets”. The trading of virtual currencies has been officially banned since 2019, though this announcement marks an escalation in the Chinese government’s crackdown.
In June of this year, the government told banks and other payment platforms to stop facilitating transactions, and banned the mining of such currencies, though this new announcement makes it clear that those involved are committing a crime and will be prosecuted.
Luisa Kinzius, a director at China-focussed consultancy Sinolytics, noted on the matter: “The announcement is also targeting any Chinese citizen working for crypto-related companies abroad, declaring their work as illegal and putting them at risk of being legally investigated.”
She added: “China is very hesitant towards pure financial speculation due to financial stability concerns – and of course, cryptocurrency is very much driven by speculation.”
Ethereum Researcher Pleads Guilty
Virgil Griffith, a former special projects developer and researcher for the Ethereum Foundation, has this week pleaded guilty to charges of assisting North Korea in evading U.S. sanctions.
Having travelled to North Korea in 2019 to attend the Pyongyang Blockchain and Cryptocurrency Conference, the crypto expert was arrested seven months later when re-entering the US for what prosecutors describe as “[participating in] discussions regarding using cryptocurrency technologies to evade sanctions and launder money”.
Griffith, who faces a maximum sentence of 20 years in prison, had been denied permission to travel to North Korea by the US Department of State and, according to court documents, sought to obscure his activities from the authorities.
U.S. Attorney Audrey Strauss stated on the case: “Griffith worked with others to provide cryptocurrency services to North Korea.” She added: “In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.