Side-Channel PoC Attack Lifts Private RSA Keys from Mobile Phones

Researchers launched a Proof-of-Concept attack on two Android mobile phones and an embedded system board.

Researchers have developed a proof-of-concept side-channel attack that allows them to pull encryption keys from a single decryption for a modern version of OpenSSL. The attack impacts mobile devices — without physical access to the handsets.

A group of researchers at Georgia Tech were able to retrieve the encryption keys from mobile device analog signals unintentionally produced by processors – within seconds and without physical access to the devices. The private RSA encryption keys are pulled from encryption software program OpenSSL (specifically version 1.1.0g).

“The approach is demonstrated using electromagnetic emanations on two mobile phones and an embedded system, and after only one decryption in a fixed-window RSA implementation, it recovers enough bits of the secret exponents to enable very efficient (within seconds) reconstruction of the full private RSA key,” researchers said in a research paper presented at USENIX.

Side-channel attacks extract sensitive information, such as cryptographic keys, from signals created by electronic activity within computing devices as they carry out computation. There are an array of techniques to launch side-channel attacks, including using caches, branch predictors or analog signals.

In this instance, researchers launched the PoC attack on two Android mobile phones and an embedded system board, all built around ARM processors running at frequencies between 800 MHz and 1.1 GHz.

These frequencies are included in the signal capture capabilities of compact commercially available sub-$1,000 software-defined radio (SDR) receivers, such as the Ettus B200-mini, researchers said. The researchers placed receivers “very close” but without physical contact with the unopened phone cases (and for the embedded systems board they placed the probes about eight inches away); from there, they were able to capture the electromagnetic signals from the processors.

“The attack recovers the exponent’s bits during modular exponentiation from analog signals that are unintentionally produced by the processor as it executes the constant-time code that constructs the value of each ‘window’ in the exponent, rather than the signals that correspond to squaring/multiplication operations and/or cache behavior during multiplication and table lookup operations,” researchers explained.

Researchers said their technique correctly recovered between 95.7 to 99.6 percent (depending on the target system) of the secret exponents’ bits from the signals.

The issue can be mitigated by extracting the bits of the exponent in integer-sized groups (tens of bits) rather than one bit at a time.

“This mitigation is effective because it forces the attacker to attempt recovery of tens of bits from a single brief snippet of signal, rather than having a separate signal snippet for each individual bit,” researchers said.

Researchers said they submitted the mitigation to OpenSSL and a patch for integration was merged into the “master” branch of OpenSSL’s source code on May 20. Implementations will need to update their code accordingly.
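The mitigation described above, illustrated with constructed code that is neither OpenSSL's nor the paper's: a fixed-window exponentiation whose window value is assembled either one exponent bit per loop step (the pattern the attack recovers) or from a whole limb's worth of bits at once. The limb layout, function names and the small 32-bit modulus are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint64_t limb_t;
#define LIMB_BITS 64
/* Exponent stored least-significant limb first, like a BIGNUM's d[] array
 * (layout and names are assumptions for this demo). */
typedef struct {
    limb_t d[4];
    size_t top;   /* limbs in use */
} exp_t;

/* Number of significant bits in e (0 for a zero exponent). */
int exp_num_bits(const exp_t *e)
{
    for (size_t i = e->top; i-- > 0;) {
        int n = 0;
        for (limb_t v = e->d[i]; v != 0; v >>= 1)
            n++;
        if (n) return (int)(i * LIMB_BITS) + n;
    }
    return 0;
}

/* Pattern the paper attacks: the window covering bits [bits-window, bits) is
 * built one bit per loop iteration, MSB first: one signal snippet per bit. */
unsigned window_bit_by_bit(const exp_t *e, int bits, unsigned window)
{
    unsigned wvalue = 0;
    while (window-- > 0) {
        int bit = --bits;
        unsigned b = 0;
        if (bit >= 0 && (size_t)bit / LIMB_BITS < e->top)
            b = (unsigned)((e->d[bit / LIMB_BITS] >> (bit % LIMB_BITS)) & 1);
        wvalue = (wvalue << 1) | b;
    }
    return wvalue;
}

/* Mitigated pattern: fetch a whole limb's worth of bits starting at bitpos
 * with at most two limb loads, a shift and an or, so tens of secret bits are
 * touched in one brief, uniform operation. Bits above the top limb read as 0. */
limb_t get_bits(const exp_t *e, int bitpos)
{
    limb_t ret = 0;
    size_t wordpos = (size_t)bitpos / LIMB_BITS;
    unsigned shift = (unsigned)bitpos % LIMB_BITS;
    if (bitpos >= 0 && wordpos < e->top) {
        ret = e->d[wordpos] >> shift;
        if (shift != 0 && wordpos + 1 < e->top)
            ret |= e->d[wordpos + 1] << (LIMB_BITS - shift);
    }
    return ret;
}

unsigned window_grouped(const exp_t *e, int bits, unsigned window)
{
    return (unsigned)(get_bits(e, bits - (int)window) & ((1u << window) - 1));
}

/* Fixed-window left-to-right base^e mod m; caller keeps m < 2^32 and window
 * in 1..5. grouped selects the window assembler; the arithmetic is identical. */
uint64_t modexp_window(uint64_t base, const exp_t *e, uint64_t m,
                       unsigned window, int grouped)
{
    uint64_t table[32], r;
    unsigned i, w;
    int bits;
    table[0] = 1 % m;
    for (i = 1; i < (1u << window); i++)
        table[i] = table[i - 1] * (base % m) % m;
    /* Round up to whole windows; leading zero bits just pick a smaller index. */
    bits = ((exp_num_bits(e) + (int)window - 1) / (int)window) * (int)window;
    for (r = 1 % m; bits > 0; bits -= (int)window) {
        for (i = 0; i < window; i++)
            r = r * r % m;
        w = grouped ? window_grouped(e, bits, window)
                    : window_bit_by_bit(e, bits, window);
        r = r * table[w] % m;
    }
    return r;
}

/* Plain square-and-multiply reference used to check the window code. */
uint64_t modexp_reference(uint64_t base, const exp_t *e, uint64_t m)
{
    uint64_t r = 1 % m;
    for (int bit = exp_num_bits(e) - 1; bit >= 0; bit--) {
        r = r * r % m;
        if ((e->d[bit / LIMB_BITS] >> (bit % LIMB_BITS)) & 1)
            r = r * (base % m) % m;
    }
    return r;
}

/* Constructed 66-bit sample exponent whose windows straddle a limb edge. */
exp_t sample_exponent(void)
{
    exp_t e = { { 0x8000000000000005ULL, 0x3ULL, 0, 0 }, 2 };
    return e;
}
```

Both assemblers produce the same window values and the same result, so the change costs nothing in correctness; what changes is how many distinct operations per secret bit the processor performs.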

from: https://threatpost.com/side-channel-poc-attack-targets-encryption-software-glitch/136703/

A Guided Tour of the Asian Dark Web

The Asian dark web is not well known. Most people just think of Russia when thinking about underground hacking forums. To gain a better understanding of Asian onion sites and black markets, researchers from IntSights embarked on a six-month long investigation and analysis.

The results, published this week at Black Hat, show a diverse, culturally sensitive and wider than perhaps expected Asian dark web. Along with the report, IntSights’ director of threat research, Itay Kozuch, took SecurityWeek on a guided tour of the Asian dark web.

We started at the Hidden Wiki, a South Korean page that bookmarks other sites in the dark web all over the world. “It’s been live for a few years, and is being maintained on a regular basis,” explained Kozuch. The page is organized in sections and even provides an ‘editor’s choice’ selection. It provides links to whatever the existing or budding hacker or underworld character might be looking for: bank accounts, card details, advice, drugs, porn, fake passports and IDs, UK driving licenses, firearms and more.

“It’s a good place to start a foray into the dark web,” said Kozuch. Despite this expansive index onto the blacker parts of the dark web, the IntSights report notes: “At the moment, there are no significant threat actors that operate out of South Korea.”

Our next stop was deeper into the dark web: Mushroom, a Chinese black-market site specializing in the sale of drugs. “The most important feature for the researcher,” continued Kozuch, “are the prices. They are all in Chinese Yuan, not as we usually see in dark websites, bitcoin or other cryptocurrency.” This is because cryptocurrencies are forbidden in China and the site primarily serves Chinese nationals — although it does offer advice on how to obtain bitcoin and is willing to ship produce outside of China. The price is also 30% to 40% lower than is typically found in western black markets.

From there we moved to Japan. The Japanese dark web has one major difference to other parts: it is remarkably polite. “Many Japanese users view it as an alternate universe,” says the report, “where they can express themselves and have harmless discussions, just behind the mask of an anonymous avatar. It is not uncommon to see diaries and blogs on the Japanese dark web.” It is more about obtaining things, such as drugs and porn, than about facilitating hacking. One even asks the visitor to suggest a price for the products.

We visited the Japanese branch of Anonymous, which is a bit of an exception. “Its primary purpose is protest against the Japanese government on environmental issues,” explained Kozuch. Two current ops are Hope Japan and Hope Fukushima. “Anonymous accuses the Japanese government of hiding information about what really happened in the nuclear plant, and the extent of pollution in the seas around Japan.” The website directly calls for attacks against Japanese government websites, and Anonymous is willing to provide what is necessary — methodologies for DDoS, SQLi, XSS and other attack vectors.

We then visited another Japanese language site that is a bit different — a site that buys and sells information, focusing on military intelligence, documents, protocols, science, and technology. “What’s really remarkable,” added Kozuch, “is that this site is not typically Japanese in flavor. Japanese sites usually handle drugs and porn.” After analyzing the style and content, “we came to the conclusion that this is not a Japanese website at all. The Japanese would never be so direct and forthright. We suspect that the people behind it are North Korean, which has its problems with Japan.” The report adds that it may be a North Korean (or Chinese) group “that is attempting to gather intelligence for some attack on or operation in Japan.”

We also visited another Anonymous site in Thailand (this one is offering a free database of 30,000 FBI and DHS officers stolen in 2016); and a hacking forum/black market in Indonesia (providing free downloads of malware and exploits).

The main focus, however, was on China, and we visited three more websites. Surprisingly, none of these are onion sites. They are dark sites to anybody outside of China because of the Chinese firewall, but in the clear web to Chinese nationals. The first offers DDoS as a packaged service — a fairly unique offering selling different options of strength and duration. “The largest offering,” Kozuch pointed out, “is for a 500 Gb attack with unlimited connections.”

The second, known as QQ, is a hacking forum designed as a combination of different social media platforms and providing communication tools such as QQ groups, QQ forums and private chatrooms.

The last was Hack80, a hacking forum more in line with the better known Russian underground forums. “It offers everything you might find in the traditional Russian hacking forums,” said Kozuch: “bitcoin mining tutorials, hacker toolkits, malware and so on. You can ask about and get almost anything — if you’re Chinese, of course. You cannot ask questions or get answers in English.” This isn’t surprising since the site is in the clear web, and thus only visible to Chinese nationals (IntSights was using a very specific VPN for the research and this tour).

Kozuch believes it is time for the West to take the Chinese dark web more seriously. “We usually like to look at the North Koreans and the Russians as the primary attackers; but I believe that the Chinese offer is more sophisticated with more capability than we have realized. Many of the next threats that we are going to see will come from China.”

The fact that so many dark Chinese sites are on the Chinese clear web raises the question of collusion between the hackers and the government. Kozuch does not believe that the existence of hacking sites in the clear web automatically means they are permitted by the government, or that the hackers work for the government. It is perfectly feasible for these sites to hide in plain sight given the size of the Chinese internet.

“I think there is a big element of private cybercrime groups that operate from China that we were simply not aware of,” he told SecurityWeek. “It is more comfortable to blame the APT groups we already know about, but I think this research shows how much knowledge and how much capability that private groups have, and how they communicate and what kind of tools they are using.”

He suspects that we often automatically blame APT groups simply because the attack comes from China; but the perpetrator may well be an unknown private group. “Usually, APT groups (with the exception of North Korea) are not after money — they’re after intelligence or to steal intellectual property. I believe that in some cases there are Chinese threat actors that we simply aren’t aware of.” As in Russia, many of the Chinese threat actors will focus on targets outside of China so as not to draw the attention — and ire — of the local police.

But this doesn’t mean there is no collusion at all between the criminal groups and the Chinese government. “I haven’t found any evidence that private groups are sub-contracting for the government,” he continued, “but I really believe that it is happening — like in many other places around the world. Sometimes the government doesn’t have all the capabilities it needs, so it uses sub-contractors who will deliver the skills provided the government allows them to continue their own operations outside of China. There are examples of known Chinese hackers that are now running their own security firms. Nobody turns from crime life to become whitehats for no reason and without any consequences. I really believe that there are all kinds of groups that enjoy government protection because they provide services to the government when it needs it. Give and take rules.”

“The Asian dark web,” concludes the IntSights research, “is relatively small compared to its counterparts in Western countries, such as the United States and Europe. However, this doesn’t mean that it poses less of a threat. In fact, due to the laws and political motivations of these countries, the risk to non-Asian companies is significantly higher.”

Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million. IntSights was founded in 2015 by Alon Arvatz, Gal Ben David and Guy Nizan.

from: https://www.securityweek.com/guided-tour-asian-dark-web

Keeping it on the Down Low on the Dark Web

Sites on the Dark Web Have Several Motivations to Unmask Their Visitors

So, there you are, finally on the private sections of a dark market. You have established reputation and credibility with your targets. Suddenly, you get exposed as a “rat” and banned for life. They grab your escrowed cryptocurrency, and you are back at square one with a foe who is even more alert than before… How did this happen?

The dark web is an active area for online investigations and research. Because you need to use the Tor anonymity service to access dark web sites, also known as Tor hidden services, many people assume that makes them robustly anonymous. Unfortunately, there are still many ways you can be exposed and have your activities compromised if you don’t take the right precautions.

Sites on the dark web have several motivations to unmask their visitors. Obviously, they want to spot any members of law enforcement who might be visiting. Additionally, they might want to gain some sort of leverage over their visitors, who may be using the site for a number of questionable activities.

There are several known attacks against the Tor network and other similar low-latency anonymity networks. One class of attacks, called traffic confirmation attacks, is based on having control of a significant fraction of the most popular Tor nodes. If the attacker controls the first hop in a chain (the guard node) as well as the last (the exit node), then creates a pattern in the data at one end of the chain, it can be recognized coming out at the other. Fortunately, it is not easy for an attacker to get control of enough nodes to carry out this type of attack, likely because there are thousands of active nodes a given user could choose.

The situation is different with a dark web site. If the site wants to identify a visitor, the site owner only needs to have you use a guard node they control. Because they control the web servers, they always have the ability to inject patterns of activity. Requiring only a single controlled Tor node makes the odds of this attack working much higher.

Bitcoin provides another method of identity exposure. Contrary to popular belief, Bitcoin is not anonymous at all. Every single Bitcoin transaction is recorded in the public blockchain and can be seen and analyzed by anyone. Bitcoin is a dominant payment mechanism on dark web marketplaces. When you buy or sell something on these sites it creates an opportunity for tracking and identification. All coins that were mined by the same server or purchased into the same wallet can be followed. This can easily tie investigations together and reveal odd patterns of activity. With access to information in the bitcoin exchanges, it can even lead to real names or IP addresses.

Dark web sites are also a likely source of malware that can unmask you. Unless your entire operating environment is isolated from your real desktop, the malware may leak your real IP address and other identifiers. Of course, it can also directly steal data off your computer and do all the other things malware normally does.

Non-technical errors can trip you up as well. While not specific to exposure on the dark web, things like your writing style and choice of account names can reveal your true identity. Site operators can also pass you beacons and canary traps. Beacons are active content that try to phone home with identification when they are opened. Viewing these documents and files on a normal desktop will immediately expose you. Canary traps are more subtle. A website can provide slightly different versions of certain content to each visitor. Any time that content shows up somewhere else, the site knows who shared it.

The rate at which dark web markets are being compromised, in one way or another, has gotten high enough that much of the online criminal activity has moved to new platforms. Rather than communicating in forums on dark web sites, there has been a shift toward one-to-one communication applications that provide end-to-end encryption. This may make investigations more difficult, because there is no central location for discussions. Establishing trust and communication will be much more difficult.

Hiding your true identity is always important whenever you are conducting investigations online. The fact that you are visiting a Tor hidden service / dark web site does not mean you are safe or hidden. It is critical to take additional steps to protect yourself when conducting these operations.

from: https://www.securityweek.com/keeping-it-down-low-dark-web

Blockchain Enters ‘Trough of Disillusionment’ on Gartner’s Hype Scale

Interest in blockchain technology is waning, research firm Gartner said in its latest “Hype Cycle for Emerging Technologies” report.

Gartner included blockchain, along with four other emerging technologies, as one of five trends that can blur the lines between humans and machines, according to a news release on August 20. Blockchain technology is at the edge of the “trough of disillusionment” phase in the cycle, though Gartner predicts that the technology may reach the “plateau of productivity” within the next decade.

The “trough of disillusionment” means that “interest [in the technology] wanes as experiments and implementations fail to deliver. Producers of the technology shake out or fail. Investments continue only if the surviving providers improve their products to the satisfaction of early adopters,” as explained on Gartner’s website.

Mike Walker, research vice president at Gartner, said in a news release that “digitalized ecosystem technologies are making their way to the Hype Cycle fast,” adding:

“Blockchain and [internet of things] platforms have crossed the peak by now, and we believe that they will reach maturity in the next five to 10 years, with digital twins and knowledge graphs on their heels.”

The “shift from compartmentalized technical infrastructure to ecosystem-enabling platforms,” as written in the news release, is building the fundamentals for unique business models as the technology stabilizes in the future.

In addition to blockchain technology, which is part of the “digitalized ecosystems,” four other distinct emerging technology trends that are listed on the hype cycle are:

  • “democratized AI”
  • “do-it-yourself biohacking”
  • “transparently immersive experiences”
  • “ubiquitous infrastructure”

according to the release.

The Hype Cycle for Emerging Technologies report is the longest-running annual Gartner Hype Cycle, according to Gartner’s website, and it serves to provide a cross-industry perspective on the technologies and trends.

from: https://www.coindesk.com/

and: https://www.gartner.com/en/research/methodologies/gartner-hype-cycle

Blockchain Firm to Raise $24 Billion for Electric Bus Upgrades in China

Blockchain and AI technology company Seven Stars Cloud Group has scored a $24 billion deal to help finance large-scale electric bus upgrades for China’s biggest full-service operator.

According to a press release published Monday, under an exclusive contract made with the National Transportation Capacity Co Ltd (NTS), Seven Stars Cloud will issue fixed income lease financing-based products through its regulatory compliant blockchain ecosystem, including one campaign based in China and the other open to the global markets.

More specifically, through the China-based and international funding campaigns, Seven Stars Cloud – a public company traded on Nasdaq – plans to raise an estimated $8.75 billion and $15 billion, respectively, over a three-year period. For the China-based financing, SSC will focus on the sale of fixed income products, while for the international markets it will provide both fixed income and asset digitization products.

NTS is China’s largest full-service operator for electric buses, according to the release. It also offers sales, lease financing, a charging station network, and real-time data services.

Bruno Wu, chairman and CEO of SSC, said that such a large-scaled and asset-backed contract is “groundbreaking” for blockchain-backed fintech companies around the globe.

He added:

“It will serve as a window to the world on how asset value and liquidity can be unlocked by traditional industries as we take fixed income products into the digital era.”

The partnership comes amid China’s plan to replace all buses with electric buses by 2021. The market size for the replacements and upgrades to achieve fully-electric bus operations in China is estimated in the announcement at about $145 billion.

from: https://www.coindesk.com/

Bitcoin’s Lightning Network Is Getting Its Own Hacker Camp

You’re scrolling through an online electronic store, when a new drone catches your eye.

Eager to fly it for real, you enter a string of numbers to submit your payment. You’re not thinking at all about how, behind the scenes, it’s bitcoin that makes the impulse purchase possible.

Far-fetched today? Maybe, but that’s the sort of easy user experience the bitcoin developers at Chaincode Labs think is missing from the world of cryptocurrency, even now that a much-anticipated technology layer known as the Lightning Network is in beta. While it’s perhaps bitcoin’s best shot at reaching mainstream adoption, it’s not exactly easy to use today, or as easy as developers envision it could be.

That’s why the group, led by veterans Alex Morcos and Matt Corallo, has held similar coding programs focused exclusively on bitcoin. Developers from around the world travel to New York to learn about the intricate details of the protocol and its most essential code.

However, announced Monday, Chaincode is launching a new “residency” in New York from October 22 to 26, one that will focus on helping developers build their own Lightning Network apps.

The goal, according to Chaincode engineer and bitcoin software maintainer Marco Falke, is for the program to create tech “for normal people on the street, not just weird developers.” In short, they’re looking for some fresh blood. Any and all experienced web developers are welcome to apply – no bitcoin expertise required.

Falke continued:

“There aren’t many apps and you can’t go into a shop and pay with bitcoin. There’s all this missing infrastructure. We thought it would be great to get some app developers involved that have experience building websites, but don’t have to have any background in bitcoin or lightning.”

Though, it’s worth noting a few lightning apps have already sprung up showing how bitcoin and lightning can be paired to improve online payments. Even so, the developers at Chaincode hope the one-week bootcamp will spur even more apps.

Teachers will include some of the more well-known lightning developers in the space, including Blockstream engineer Christian Decker and Cornell professor Elaine Shi.

What the residency’s about

But while Chaincode calls the program a “residency,” its program sounds similar to a coding bootcamp, an increasingly common way of teaching coding skills in a short period of time.

This bootcamp is traditional in some ways, of course, as the team will take applications until they “reach capacity” of roughly 12 students. However, from there, the class will focus on lightning specifically.

The six instructors will each give a presentation on the protocol. But they’ll also be around for the full residency, helping out students as they have questions. That’s because for most of the residency, participants will have time to work on an app of their choosing.

The app can be anything they want – a fun game like Satoshis.place, where users fight over pixel drawings, or something more serious, like an app allowing users to pay for monthly bills.

At the end of the week, participants will demo what they’ve made to the rest of the group.

Soon after the residency the Chaincode team will release recordings of all the presentations, for those who can’t make it out to New York City for the bootcamp.

App focus

Though a small program, for the industry, it perhaps sends a stronger signal, as Lightning developers have been mostly focused on getting the underlying lightning protocol off the ground to date.

But Chaincode’s developers believe that maybe the ecosystem could use more application developers now that there’s an increasing emphasis on the code’s usability.

“Personally, I think every day we wait for lightning applications will delay lightning and bitcoin. It’s really important to do this app development thing as soon as possible,” Falke continued.

Chaincode engineer James O’Beirne went so far as to argue that the applications could be key to shifting public perception of bitcoin, which has largely been on its speculative value of late.

“A lot of people outside of bitcoin don’t understand its capabilities, including lightning. By facilitating app development we’re spreading awareness of what bitcoin is actually capable of,” O’Beirne said. “People have turned to other smart contract platforms because they don’t understand how powerful bitcoin can be.”

Falke nodded in agreement: “Some people don’t think lightning is a real thing.”

That’s why they’re inviting all sorts of developers to participate, especially those who aren’t “bitcoin experts.”

Falke concluded:

“They should have interest. But that’s pretty much it.”

from: https://www.coindesk.com/bitcoins-lightning-network-is-getting-its-own-hacker-camp/

Blockchain Used to Trace Deadly Chemical Linked to $289 Mln Monsanto Cancer Lawsuit

Food safety firm ZEGO is using blockchain to test products for residue of a deadly chemical tied to a recent $289 million Monsanto lawsuit, according to a press release published August 16.

Earlier this month, Monsanto was fined $289 million in damages after a court ruled in favor of a plaintiff’s claims that the company’s use of a herbicide containing glyphosate had caused his cancer.

ZEGO reportedly has a patent-pending blockchain system that would allow companies to test foodstuffs for glyphosate. The company says it had initially developed the solution to enable consumers to make better informed choices about the presence of allergens and gluten in various goods.

According to ZEGO, glyphosate testing can further be used as a means of verifying suppliers’ purported organic and non-GMO certifications, which it implies can often be fraudulent. As the press release notes:

“Glyphosate has been the subject of thousands of lawsuits and studies alleging correlation to cancer and celiac-like symptoms. This has prompted debates over how much exposure is safe. But the argument over safety thresholds is academic … because consumers have no idea how much they are ingesting. Most … companies do not test for glyphosate, even though numerous studies have measured surprisingly high amounts of it in some packaged [and] even organic foods.”

Last month, the UK’s Food Standards Agency (FSA) successfully completed a pilot using blockchain as a regulatory tool to ensure compliance in the food sector, noting at the time that the tech’s full potential to improve standards would only be realized if an “industry-led” initiative were to take off.

from: https://cointelegraph.com/news/blockchain-used-to-trace-deadly-chemical-linked-to-289-mln-monsanto-cancer-lawsuit

US Border Officials to Test Blockchain for Certificate Tracking

U.S. Customs and Border Protection (CBP) plans to trial blockchain technology to verify North American Free Trade Agreement (NAFTA) and Central American Free Trade Agreement (CAFTA) certificates.

Speaking at CBP’s 2018 Trade Symposium in Atlanta, CBP Division of Business Transformation and Innovation head Vincent Annunziato said the agency was beginning “live fire testing” of a blockchain platform to certify that imported products originated where they claim, according to the American Shipper.

The new system, which will launch in September, is going to help CBP verify information about imported goods and check how foreign suppliers act toward American importers, he said. The system can also be used to authenticate trademarks and check on an item’s physical properties.

“I can even go in and say, ‘hey, I need a little information on the stitching,’ or, ‘I need information on what colors are viable,'” Annunziato said.

Annunziato said the blockchain system could be used in a mobile app, which would replace a paper-based manual process for verifying such information, thereby streamlining the agency’s work.

He also provided an update to the agency’s work with the Commercial Customs Operations Advisory Committee (COAC). As previously reported by CoinDesk, COAC formed a special group advising the Secretaries of Treasury and Homeland Security on the agency’s commercial operations last November. The body was said to focus on emerging technologies in general and on blockchain in particular.

This week, Annunziato confirmed that the committee was working to develop a proof-of-concept blockchain platform to verify intellectual property by confirming the relationship between licensees and licensors. The technology could ultimately eliminate paper processes, manuals and databases, CBP hopes.

The CBP press office did not respond to a request for comment by press time.

from: https://www.coindesk.com/us-border-officials-to-test-blockchain-for-tracking-import-certificates/

The “Fapiao” Case: How China Is Fighting Corruption With Blockchain

China has been on the verge of blockchain adoption as of late. The technology, in fact, has become part of the country’s national, president-signed program. The latest advancement in the field relates to the country’s old corruption staple — fake invoices used to embezzle corporate and state funds.

Tax authorities of the city of Shenzhen and a state-owned aerospace firm have recently turned to blockchain for immutable and transparent record-keeping, steadily putting an end to paper-based corruption.

China’s complex ‘fapiao’ invoice system

To understand the nature of the latest blockchain solutions for China’s invoicing system, its general context should be explained first. Essentially, it revolves around the concept of the so-called ‘fapiaos’ (the Chinese word for an official invoice), which is a legal receipt that serves as proof of purchase for goods and services.

Fapiaos are issued by the Chinese Tax Bureau — but provided by the seller — for any goods or services purchased within the country. The Chinese government uses these invoices to track tax payments and forestall tax evasion. Individuals need fapiaos to reclaim business expenses, while companies are obliged to record their transactions on a fapiao — failing to do so violates the law.

However, the fapiao system, which was established back in the 1980s, is largely corrupt. As a New York Times article suggests, those tax invoices are openly sold on the streets; they are either original ones that weren’t claimed in the first place or high-quality replicas. Buyers use them to evade taxes and cheat employers: Essentially, a Chinese individual can obtain any kind of fake receipt — from travel receipts to value-added tax (VAT) receipts. Finding them does not necessarily require having deep connections to the black market, as promotions for counterfeit fapiaos are sent via text messages or even advertised on Taobao.com, where sellers offer special discounts and same-day delivery of those documents, as the NYT article reveals.

Even the state-run agencies are involved in the grand scheme. In 2010, for instance, the National Audit Office claimed that it detected central government departments embezzling as much as $21 million through the use of fake invoices. Wang Yuhua, an assistant professor of political science at the University of Pennsylvania and the author of a study on corruption in China, told New York Times:

“Their salaries are relatively low. So they supplement a lot of it with reimbursements. This is hard to monitor.”

Tax evasion is a serious crime in China — sometimes punishable by death — but that doesn’t seem to hinder the counterfeit fapiao industry. Although state authorities boast impressive statistics on the matter (in 2009 alone, they reported detaining 5,134 people and closing 1,045 fake receipt production sites), the system is alive, and fapiaos are sold even in hotel gift shops. However, there is a technology that might finally tackle the system with some effect.

Blockchain versus corruption: Tax authorities and Tencent’s collaboration

While Bitcoin and other cryptocurrencies are often blamed for cultivating corruption — this remains one of the most commonly used arguments of conservative politicians and businessmen who are skeptical about the prospects of crypto — their underlying technology represents an efficient tool for fighting it. Blockchain, being an immutable, decentralized and encrypted ledger, can provide a clear record of any transaction that took place on it, at any time of the day, thereby solving the problems of over-reporting, false-reporting and other true-false inconsistencies in the process of invoice circulation.

Hence, the prospect of applying blockchain to fight fake fapiaos might seem especially attractive to Chinese authorities. It became possible after the Shenzhen National Taxation Bureau teamed up with local internet titan Tencent — the developer of the one billion-user social media app WeChat — to fight tax evasion back in May. As part of their collaboration, they formed an “Intelligent Tax” innovation lab that aims to promote a technological approach to the field of tax, including the use of cloud computing, artificial intelligence, blockchain and Big Data, the press release argued.

The release also explicitly outlined the first aim of the collaboration, as Li Wei, deputy director of the Shenzhen Municipal Bureau of State Taxation, claimed that Tencent’s success in the application of blockchain for invoicing would help to fight the issue of fake fapiaos and “improve the invoice supervision process.”

First results: “A frictionless link between consumer scenarios and tax services”

On Aug. 10, local news platform EEO reported that China’s first digital invoice on the blockchain was issued in the city of Shenzhen, where the aforementioned collaboration was announced.

Thus, Tencent has created a pilot blockchain ecosystem for invoices designed for comprehensive use by consumers, merchants and tax authorities, according to the local publication. The debut invoice was issued by a local restaurant, while several other Shenzhen businesses have already been granted access to the system, including a parking lot, an auto repair shop and a cafe.

Cai Yunge, the general manager of blockchain at Tencent, was quoted by EEO as saying that the new system achieves “a frictionless link between consumer scenarios and tax services.” Consumer payments are facilitated through Tencent’s WeChat, and an invoice suitable for further inspection and management by tax authorities is reportedly generated in “one click.”

Conversely, processing a traditional invoice takes multiple steps and requires a lot of time: When a consumer completes a transaction, they must wait for the merchant to generate the invoice, file it away safely, complete a returns form in the Finance Department, wait for the documents to be processed and then finally receive their returns.

As EEO explains, a blockchain-backed e-invoice only requires the customer to perform one click in the WeChat app during checkout. After that, they just have to wait and track their reimbursement status in real time via the app. The process leaves no room for forging or over-reporting. Moreover, the technology also has the advantage of improving data privacy through encryption and of providing an overall cost-effective streamlining of processes, as multiple reviewing parties are excluded from the process.
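The two properties EEO credits to the e-invoice, no room for forging a receipt that was never issued and no room for claiming one twice, come down to an append-only record whose entries are chained by hash and a uniqueness rule on invoice identifiers. The Python below is an added illustration written for this page; it is not Tencent’s, the Shenzhen bureau’s or China Aerospace’s code. The invoice fields, taxpayer identifiers and amounts are constructed, and it assumes a single trusted ledger process, leaving out the distributed consensus and access-control layers a real deployment would add on top.

```python
"""Added illustration: a hash-chained, append-only invoice (fapiao) ledger.

Example code for this page, not any tax bureau's or vendor's system. Shows:
  * a reimbursement cannot be claimed twice on the same invoice (over-reporting),
  * a claim on an invoice the ledger never issued is rejected (forgery),
  * altering a past entry breaks the hash chain (tamper evidence).
Invoice numbers, taxpayer IDs and amounts are constructed sample values.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Set

GENESIS_HASH = "0" * 64


def _digest(payload: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    body = json.dumps({"prev": prev_hash, "data": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Block:
    payload: dict
    prev_hash: str
    hash: str


class InvoiceLedger:
    def __init__(self) -> None:
        self.chain: List[Block] = []
        self.issued: Dict[str, dict] = {}   # invoice_id -> issue record
        self.claimed: Set[str] = set()      # invoice_ids already reimbursed

    def _append(self, payload: dict) -> Block:
        prev = self.chain[-1].hash if self.chain else GENESIS_HASH
        block = Block(payload, prev, _digest(payload, prev))
        self.chain.append(block)
        return block

    def issue(self, invoice_id: str, seller: str, buyer_tax_id: str, amount_fen: int) -> Block:
        """Record issuance at checkout; the merchant cannot reuse a number."""
        if invoice_id in self.issued:
            raise ValueError(f"invoice {invoice_id} already issued")
        payload = {"type": "issue", "invoice_id": invoice_id, "seller": seller,
                   "buyer_tax_id": buyer_tax_id, "amount_fen": amount_fen}
        self.issued[invoice_id] = payload
        return self._append(payload)

    def claim(self, invoice_id: str, claimant_tax_id: str) -> Block:
        """Record a reimbursement claim, enforcing the three checks above."""
        record = self.issued.get(invoice_id)
        if record is None:
            raise ValueError("unknown invoice")            # never issued: a forgery
        if record["buyer_tax_id"] != claimant_tax_id:
            raise ValueError("claimant is not the buyer")  # someone else's receipt
        if invoice_id in self.claimed:
            raise ValueError("already reimbursed")         # over-reporting
        self.claimed.add(invoice_id)
        return self._append({"type": "claim", "invoice_id": invoice_id,
                             "claimant_tax_id": claimant_tax_id})

    def verify(self) -> bool:
        """Recompute every hash; any edited or reordered entry fails."""
        prev = GENESIS_HASH
        for block in self.chain:
            if block.prev_hash != prev or _digest(block.payload, prev) != block.hash:
                return False
            prev = block.hash
        return True


def demo() -> dict:
    """Walk through the checks with constructed sample data and report outcomes."""
    def rejected(action) -> bool:
        try:
            action()
            return False
        except ValueError:
            return True

    ledger = InvoiceLedger()
    ledger.issue("SZ-0001", "Demo Restaurant", "TAXID-BUYER-001", 12800)  # 128.00 yuan
    ledger.claim("SZ-0001", "TAXID-BUYER-001")
    results = {
        "duplicate_claim_rejected": rejected(lambda: ledger.claim("SZ-0001", "TAXID-BUYER-001")),
        "forged_invoice_rejected": rejected(lambda: ledger.claim("SZ-9999", "TAXID-BUYER-001")),
        "wrong_claimant_rejected": rejected(lambda: ledger.claim("SZ-0001", "TAXID-OTHER-002")),
        "chain_valid_before_tamper": ledger.verify(),
    }
    # Simulate an insider editing the stored amount after the fact.
    ledger.chain[0].payload["amount_fen"] = 9999900
    results["chain_valid_after_tamper"] = ledger.verify()
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The uniqueness checks are what stop the two frauds the articles describe (resold unclaimed receipts and repeated reimbursement); the hash chain only makes silent editing detectable, it does not by itself prevent a party who controls the whole ledger from rewriting it, which is why the real systems distribute the record across several participants.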

More blocks on the chain: State-owned aerospace firm joins the new scheme

The next player to adopt blockchain for fighting invoice-induced corruption is the state-owned China Aerospace Science and Industry Corporation Ltd.

According to an article in the official state newspaper, People’s Daily, that was republished by the State Administration of Science, Technology and Industry for National Defence, blockchain will help innovate the supervision of invoices for tax purposes nationwide.

As the article suggests, electronic invoices are on the rise in China: In 2017, there were around 1.31 billion electronic invoices in circulation, and by 2022, the number is expected to hit 54.55 billion, implying a projected average annual growth rate of over 100 percent.

China Aerospace, in turn, uses electronic invoice services that are end-to-end, covering issuance, delivery, filing, inspection and reimbursement for the country’s taxpayers and authorities. It has already issued some 2.5 billion invoices to date, as per the People’s Daily article.

However, such an e-invoice system, like the traditional one, is not safe from over-reporting, false-reporting and traceability issues. Hence, China Aerospace has now created a blockchain system to allow for authenticated and “credible” invoice issuance, traceable circulation, and efficient and cost-effective oversight by tax authorities — just like in Shenzhen.

China Aerospace’s representatives are confident about fighting the fapiao corruption at its root with blockchain technology. As a company representative told People’s Daily, the technology will finally resolve the industry’s “pain points.”

from: https://cointelegraph.com/news/the-fapiao-case-how-china-is-fighting-corruption-with-blockchain

see also: https://www.bgp4.com/2018/08/15/chinese-state-owned-aerospace-firm-turns-to-blockchain-to-manage-billions-of-invoices/

*

JD.com Rolls Out Blockchain Platform With Its First App

Chinese e-commerce giant JD.com has launched a blockchain-as-a-service platform alongside its first app – one that digitally tracks corporate invoices for one of the largest publicly traded insurers in China.

According to a release on Friday, JD.com said the application moves invoice data for Pacific Insurance onto a distributed network at each step of the issuance cycle, automating the process and making it visible to all participants.

Invoices, more commonly known as “fapiao” in China, play an important role among businesses in the country, both as a reference for bookkeeping and for taxation purposes.

The goal of the app, as explained by the e-commerce giant, is to boost issuance efficiency and to streamline the accounting process by keeping the invoice data updated on a distributed ledger.

The application is the first use case for JD.com’s Blockchain Open Platform, which was also announced today.

The blockchain-as-a-service product – rolled out months after the firm announced its plan for the project in April – is designed to aid enterprises wanting to develop their own blockchain applications, including those for tracking supply chain information, charity donations, certificate authentication and property assessment.

JD.com has previously announced several blockchain trial programs within its own business divisions.

In March, the firm partnered with an Australian beef producer to track the supply chain information of beef imports on its platform using blockchain technology. CoinDesk also reported in June that JD’s financial services arm planned to issue its asset-backed securities on a blockchain in partnership with a local bank and brokerage firm.

from: https://www.coindesk.com/jd-com-rolls-out-blockchain-platform-with-its-first-app/

*

Coin of Realm in China Graft: Phony Receipts

Officers from the Ministry of Public Security looked over bundles of fake receipts seized during raids in Beijing and Hebei. Credit: Ministry of Public Security

SHANGHAI — To begin to comprehend China’s vast underground economy, one need only visit this city’s major transportation depots and watch as peddlers openly hawk fake receipts.

“Receipts! Receipts!” calls out a woman in her 30s to passers-by as her two children play near the city’s south train station. “We sell all types of receipts.”

Buyers use them to evade taxes and defraud employers. And in a country rife with corruption, they are the grease for schemes to bribe officials and business partners. Making them and using them is illegal in China. Some people have been executed for the crime. But demand is so strong that a surprising amount of deal-making takes place out in public.

It is so pervasive that auditors at multinational corporations are also being duped. The British pharmaceutical company GlaxoSmithKline is still trying to figure out how four senior executives at its China operation were able to submit fake receipts to embezzle millions of dollars over the last six years. Police officials say that some of the cash was used to create a slush fund to bribe doctors, hospitals and government officials.

Signs posted throughout this city advertise all kinds of fake receipts: travel receipts, lease receipts, waste material receipts and value-added tax receipts. Promotions for counterfeit “fapiao” (the Chinese word for an official invoice) are sent by fax and through mobile phone text messages. On China’s popular e-commerce Web site, Taobao.com, sellers even promise special discounts and same-day delivery of forged receipts.

“We charge by percentage if you are looking for invoices written for a large amount of money,” said one seller in an interview, quoting 2 percent of the face value of the receipt as his fee. Another seller boasted, “I once printed invoices totaling $16 million for a construction project!”

Detecting fake or doctored receipts is a challenge for tax collectors, small businesses and China’s state-run enterprises. While there are no reliable estimates of how much money is involved in the trade, as China’s economy has mushroomed and grown more sophisticated, so has the ability to falsify receipts.

With considerable tax revenue at stake, the Chinese government has announced periodic crackdowns. In 2009, the authorities said they detained 5,134 people and closed 1,045 fake invoice production sites. A year later, they said they “smashed” 1,593 criminal gangs and raided 74,833 enterprises that had filed false invoices with the government.

In one of the biggest cases this year, a businessman in Zhejiang province was jailed for helping 315 companies evade millions of dollars in taxes by issuing fake invoices, a crime sometimes punishable by death.

That could be the fate of Liu Baolu, a government official from northwest China’s Gansu province. In February, he was sentenced to death with a two-year reprieve for using fake receipts to embezzle millions of dollars.

As harsh as the crackdowns sound, experts say they are often ineffective. One reason, analysts say, is that even government officials take part in black market activity. In 2010, for instance, the National Audit Office said it caught central government departments embezzling $21 million with fake invoices.

And state employees, whether they work for government agencies or state-owned enterprises, seem as eager as anyone else to bolster their compensation by filing fake invoices.

“Their salaries are relatively low,” said Wang Yuhua, an assistant professor of political science at the University of Pennsylvania and the author of a study on bribery and corruption in China. “So they supplement a lot of it with reimbursements. This is hard to monitor.”

A scalper mumbles, “Fapiao, fapiao,” or receipts, at the Shanghai Railway Station. The trade in receipts is more or less open. Credit: Qilai Shen for The New York Times

China’s fapiao system took root in the late 1980s and early 1990s, when the government began requiring companies to use official receipts issued by the tax authorities for every business transaction. The receipts usually come with a number and government seal.

But the tax receipt system was quickly exploited. Gangs began producing high-quality imitations of the official invoices using specially designed printers with markings that bore a striking likeness to red government seals.

And at many companies, rogue employees started colluding with advertising, consulting and travel agencies to forge or falsify receipts for the purpose of embezzling corporate funds.

So widespread is receipt fraud that clerks at many hotel gift shops agree to falsify receipts so they show up as room charges. And at least one mutual fund company in Shanghai asks its employees to turn in fake receipts every month to claim half their salary — an accounting fraud that reduces tax liability for the company and the employee.

In the Glaxo case, Chinese investigators say the drugmaker’s top Chinese executives worked closely in recent years with a Shanghai travel agency to falsify documents. For instance, airline ticket receipts were filed for trips that never took place and when executives listed 100 guests at a conference, perhaps only 80 showed up, making it possible to file false inflated receipts and thus embezzle from Glaxo’s London headquarters.

Six other global drug companies, including Merck, Novartis and Roche, acknowledge that they used the same travel agency in the last three years, though none of those companies said their executives did anything improper.

Travel agency schemes in China are not new. A few years ago, the Securities and Exchange Commission filed complaints against several other big companies for doing essentially the same thing in China.

In one complaint, the S.E.C. said that from as early as 2004 to the beginning of 2009, I.B.M.’s employees in China created “slush funds” with its travel agencies and business partners, partly to “provide cash payments and imported gifts, such as cameras and laptop computers to Chinese government officials.”

In a separate complaint, the S.E.C. said that between 2005 and 2010, Wyeth, a division of the drug company Pfizer, had “submitted false or inflated invoices for organizing large-scale consumer education events.”

In a 2013 report, “Doing Business and Investing in China,” the consulting firm PricewaterhouseCoopers said the “use of fake fapiao and supporting documentation is the most common mechanism to extract cash from firms, either as fraud to enrich employees or as a means to fund bribes.”

“Some private travel agencies in China are small mom-and-pop companies that go under the radar,” said Susan Munro, a lawyer in Beijing for Steptoe & Johnson.

Despite its ubiquity, it is remarkably hard to catch. Analysts say the cost of monitoring is high and would involve the tedious work of verifying millions of receipts by calling hotels, airlines and office supply stores and scrutinizing countless transactions for signs of fraud.

Another challenge is that many of the receipts sold are official receipts that, for example, no one claimed from a hotel. The unused receipts are then resold to dealers and enter the black market.

It happens here in Shanghai, where companies that advertise by fax that they sell receipts also offer, with some specificity, to buy unused receipts.

“Due to our diverse accounting service for other companies, we now need invoices from various industries (13% or 17% VAT),” one ad sent out last week by the Shanghai Fangyuan Accounting Agency reads, referring to the value-added tax receipts. “If your company has leftovers of 13% or 17% VAT invoices, we can offer good rates to buy them.”

from: https://www.nytimes.com/2013/08/04/business/global/coin-of-realm-in-china-graft-phony-receipts.html

*

WeChat’s ‘Fapiao Helper’: A User’s Guide to this Helpful App

By China Briefing
Editor: Jake Liddle

From July 1, 2017, the State Administration of Taxation (SAT) has mandated that corporate tax identification numbers will be required in addition to company name in order to issue general fapiao or special VAT fapiao.

In reaction to the new requirements for fapiao issuance, WeChat has launched a new function that allows users to input relevant corporate tax information, and present it to service providers to issue fapiao.

Tammy Tian, Corporate Accounting Services Manager at Dezan Shira & Associates’ Beijing office, says: “We advise all of our clients to familiarize themselves with this mini app; it’s a great way to save time when asking for a fapiao.”

WeChat’s new function, titled ‘My Receipt Payee Title’, can be found under the ‘Me’→‘My profile’ section of the instant messaging app, where corporate tax information can be input and stored for future use.

The following fields are required to be filled out:

  • Company name*;
  • Tax identification code;
  • Company address*;
  • Mobile phone number;
  • Registered bank branch*;
  • Bank account number.
    * Please note these fields must be provided in Chinese.

Once the relevant information is filled out, a QR code is generated and included on a ‘card’, which can be scanned by service providers to quickly and efficiently issue a fapiao with the correct information.

What’s more, once completed, the tax information ‘card’ can be shared with colleagues and saved into their personal information section for further use. This can be done by going to the ‘Discover’ section of WeChat, entering the ‘Mini Programs’ manager, and selecting the ‘Fapiao Helper’ (‘发票小助手’) program. Inside, the tax information is listed, and from the drop-down menu in the top right-hand corner, the information can be forwarded to individual WeChat contacts or groups.

WeChat’s Fapiao Helper function makes for a quicker and more reliable transaction when requesting a fapiao, removing the human error that arises from manual input of tax information and that can lead to invalid fapiao.

“Tax and accounting teams should consider sharing this app with their colleagues; it will remove some of the guesswork from the new fapiao requirements,” Tian added.

This article was first published on China Briefing.
from: http://db.sanjiaoling.com/wechats-fapiao-helper-a-users-guide-for-this-helpful-app/

South Korea Budgets $880 Million for Tech Including Blockchain: 80% Increase

The South Korea government will invest over $880 million next year in order to boost the development of innovative technologies including blockchain.

According to a government release on Tuesday, South Korea’s deputy prime minister Kim Dong Yeon hosted a ministerial meeting on Aug. 13 to address the administration’s investment plan for innovation growth in the next five years.

Data disclosed on the website of the Ministry of Economy and Finance shows that the government is set to allocate 1 trillion won, or about $880 million, in 2019 – an 80 percent increase over 2018 – to invest in technologies including blockchain, big data and AI.

Further, the authority said it will invest a total of $8 billion to $9 billion in the area over the coming five years. The goal is to “focus on promoting big data and AI, developing blockchain technology to ensure data management security and boosting the sharing economy,” according to the statement.

While the high-level investment plan offers little detail on how much exactly will be budgeted for blockchain-related projects, the effort follows previous news that the Ministry of ICT said it will allocate $9 million in 2019 for blockchain startups.

CoinDesk reported in June that the Ministry of ICT is working with other government agencies to develop six pilot programs that will adopt blockchain in major public services.

from: https://www.coindesk.com/south-korea-budgets-880-million-for-tech-including-blockchain/

What Intel’s Foreshadow [Meltdown, Spectre] SGX Flaw Means for the Future of Cryptocurrency

The Foreshadow vulnerability is a good example of why not to put SGX at the cornerstone of a cryptocurrency project: because Intel has a backdoor into all SGX devices, it’s long been a controversial tech avenue for cryptocurrency projects, anyway. “Though even *if* it had been somehow perfect, it was never a good idea to root the security of bitcoin in a chip vendor’s secret sauce technology.” — Bitcoin Core maintainer Wladimir van der Laan

Yet another dire security flaw was unveiled Tuesday with potential ripple effects across the tech world, including for cryptocurrency projects seeking to leverage certain hardware devices.

Following a pair of bugs unveiled earlier this year, the Foreshadow vulnerability impacts all of Intel’s Software Guard Extensions (SGX) enclaves, a special, supposedly extra-secure region of the chip often used for storing sensitive data.

In short, while the enclave is supposed to be tamper-proof, a group of researchers found a way for an attacker to steal the information it stores.

For many, Meltdown and Spectre were spooky enough. The bugs impacted every single Intel chip, the hardware powering most of the world’s computers. But, since they weren’t so easy to exploit, there weren’t many real-world attacks.

Foreshadow might not sound as bad because it impacts a more specific type of Intel hardware: SGX. However, since many cryptocurrency projects plan to use this technology, Foreshadow could have even worse ramifications for the cryptocurrency world.

Perhaps most notably, Signal creator Moxie Marlinspike is in the process of advising a new, allegedly greener coin called MobileCoin that puts SGX at the center, even raising $30 million to do so.

As a result, these projects will have to do some restructuring before launching for real.

“The findings released today absolutely have a broad impact on cryptocurrency projects,” Cornell University security researcher Phil Daian told CoinDesk.

The good news, though, is that the researchers followed the security world’s “responsible disclosure process” for revealing bugs, alerting Intel before showing the flaw off so the tech giant could come up with a fix (which it deployed a few months ago).

But the security world is making a lot of noise because that still might not be enough.

“It is likely that, because many of these systems are slow to upgrade and because many of these fixes require either involved or hardware upgrades, infrastructure will remain vulnerable to this class of attack for a long time,” Daian said, adding:

“It would be surprising if at some point this flavor of attack is not used to steal cryptocurrency.”

The good and the bad

But there’s both good and bad news.

For one, it appears as though none of the high-profile SGX projects in cryptocurrency are yet being used to secure real money. “To my knowledge, there is no SGX system in production or widespread use in the space today,” Daian said.

The bad news is that there are plenty of projects that want to use SGX, and some may even have plans to do so soon. And the ideas are pretty cool.

MobileCoin is perhaps the most ambitious since the project’s developers want to replace miners, a crucial part of securing any cryptocurrency, with these enclaves to build a more energy-efficient cryptocurrency.

But there are plenty of others that want to use SGX for its security and privacy gains.

Enigma is using it in a unique bid to boost privacy in smart contracts, while wallet hardware company Ledger went as far as to partner with the tech giant Intel to explore using SGX as a new avenue for storing private keys. And the list goes on and on.

“The SGX attack is devastating,” King’s College London assistant professor Patrick McCorry told CoinDesk, adding that research groups have long been discussing how it can be deployed to add extra security to data.

“It can potentially undermine the integrity – and privacy – of any application that is reliant upon trusted hardware. A lot of companies in the cryptocurrency space rely on SGX to support multi-party protocols, but this attack allows any participant to cheat,” he added.

“In my opinion, good SGX research and systems should assume hardware can always be broken at some cost, and should, as always, design defensively and include layered security,” Daian said.

He went on to give some advice to companies that plan to launch soon.

“Projects planning to launch soon that rely on SGX should evaluate the vulnerabilities and any updates from Intel with caution for implications to the security of their systems, and should publish such investigations along with their code,” he said.

The other bad news, though, is that it’s possible for attackers to find a new variant of the bug, similarly impacting all SGX chips.

“But as Foreshadow demonstrates, attacks only get better,” McCorry remarked.

Sweet vindication

Meanwhile, the bug is leaving some developers feeling vindicated.

Because Intel has a backdoor into all SGX devices, it’s long been a controversial tech avenue for cryptocurrency projects, with enthusiasts often arguing that using the technology puts too much power or trust in one company’s hands.

Simply put, in their minds, the Foreshadow vulnerability is a good example of why not to put SGX at the cornerstone of a cryptocurrency project.

“Good thing we didn’t adopt a certain professor’s SGX-based bitcoin scaling solution!” tweeted pseudonymous bitcoin enthusiast Grubles.

“Though even *if* it had been somehow perfect, it was never a good idea to root the security of bitcoin in a chip vendor’s secret sauce technology,” Bitcoin Core maintainer Wladimir van der Laan responded.

But again, most projects using SGX haven’t actually launched in production.

Some researchers went as far as to argue that most cryptocurrency projects exploring SGX haven’t actually used it on real money because Intel has such a bad reputation. The industry has been experimenting with the technology – but has been too cautious to actually go through with a launch.

Some security researchers advise continuing this trend – that is, not using SGX.

But other researchers are more optimistic that SGX, or something like it, could one day play a big role in cryptocurrency, seeing Foreshadow as a positive sign trusted hardware is being battle-tested.

“SGX will need to be repeatedly tested and broken by adversarial researchers until it can claim a strong degree of security, which will take years,” Daian said, going on to add that he believes trusted hardware along the lines of SGX may one day play a big (and positive) role in cryptocurrency.

In short, it might just take some time, he argued, adding:

“Realizing such a technology certainly holds great promise for trust minimization and scalable privacy protection in cryptocurrency and beyond.”

from: https://www.coindesk.com/what-intels-foreshadow-flaw-means-for-the-future-of-cryptocurrency/

see also: https://www.bgp4.com/2018/08/15/foreshadow-and-l1-terminal-fault-l1tf-new-vulnerabilities-affecting-intel-cpus/
