Poly Network hacker gave back more than $600 million in stolen crypto

The hacker who stole around $600 million worth of crypto coins from Poly Network has now finished returning them, after starting the process nearly two weeks ago (via CNBC). Poly Network says in a blog post that it’s now beginning the process of returning the stolen assets, which include Ethereum, Binance tokens, and Dogecoin, to their rightful owners. Poly Network says that there’s still work for it to do — it’s working on getting approximately $33 million worth of assets unfrozen and is continuing to restore the functionality of its Poly Bridge service, which lets users transfer crypto between blockchains.

After the attack, the hacker said that he’d stolen the funds to keep them safe, saying that putting the coins in a “trusted account” was a way to highlight the bug without giving someone else the opportunity to make off with them. He’s had a fairly continuous back-and-forth with Poly Network, which even took to calling him “Mr. White Hat” in its series of update notes. Poly Network also invited the hacker to act as the company’s chief security advisor, which the hacker has (seemingly cheekily) acknowledged, signing off a message to the company with “your chief security advisor.” Chainalysis points out that the transparency of blockchain technology can make it difficult to get away with spending stolen funds.

After the hack occurred earlier this month, there was speculation about how the hacker had carried it out, with some analysts suggesting that he had even been able to obtain Poly Network’s private keys. Further analysis seems to show that this wasn’t the case — instead, the hacker was able to exploit a security flaw in Poly Network that allowed him to execute transactions that he shouldn’t have been able to.

Embedded in one of the final transactions from the hacker is a long note, in which he apologizes for the inconvenience he’s caused, calls the hack and process of returning the funds a “wild adventure,” and promises to return more money than he originally stole (which he requests be distributed to “survivors,” seemingly referring to those who had their money stolen). According to the hacker’s note, the extra funds come from the $500,000 bounty that Poly Network paid him for finding the security flaw, as well as from the stream of donations that he’s received since the hack (and is still receiving, according to his wallet’s transaction records).

Poly Network said in another blog post that it would start a $500,000 bug bounty program to encourage researchers to find (and responsibly disclose) other vulnerabilities in its software. Currently, the company’s bug bounty listing on Immunefi says that the maximum bounty is $100,000.

As for when Poly Network’s users will actually see the returned funds hit their wallets, the company says it’s working on returning them “within the shortest time frame possible.”

How Apple reportedly gave up control of iCloud for business growth in China

China is one of the biggest markets in the world for Apple’s products. In its recent quarterly results, the company registered a whopping $17.7 billion in iPhone sales in the region.

However, this stellar business performance comes at a cost of user privacy and ceding control over its own ecosystem. According to a new report from The New York Times, Apple gave in to China’s multiple demands, including custom hardware for iCloud and app removals.

The report noted that Tim Cook caved in to China’s demand to store the iCloud data of China-based customers in the country — Apple wanted to keep that data in the US. While storing user data locally is a common practice across the globe, Apple allegedly handed over iCloud’s encryption keys to China and made it easier to retrieve user data.

This is unlike Apple’s stance in the US, where it has constantly battled with authorities to keep their hands off iPhone users’ data. The NYT report noted that the iPhone maker created a special loophole to give the government access to data: it partnered with the government-affiliated Guizhou-Cloud Big Data (GCBD) as a service provider. Plus, it made changes to the iCloud service agreement that included the clause, “Apple and GCBD will have access to all data that you store on this service.”

The Pentagon reportedly gave a small company control of its IP addresses to find security issues

As part of an apparent effort to find holes in its network, the US Department of Defense has given a tiny Florida company control over about 175 million of its IP addresses, The Washington Post reported.

Global Resource Systems began managing the IP addresses on January 20th, part of what a Pentagon spokesperson told the Post was a “pilot effort” to “identify potential vulnerabilities” and “prevent unauthorized use of DoD IP address space.”

The Department of Defense still owns the IP addresses. Global Resource Systems was founded in September, according to the Post, which was not able to find any other federal contracts for the company or any public-facing website.

The initiative is apparently being run by a group within the Pentagon called Defense Digital Service, which solves problems and does technology experiments for the military. The group reports directly to the secretary of defense.

What exactly Global Resource Systems has been tasked with doing for the DoD isn’t known, but the Post found it sent a “fire hose of internet traffic” at the DoD IP addresses. One security expert speculated that it may give the DoD information about how attackers operate online, and about any possible misconfigurations that need to be repaired.