Hackers Steal $2 Million In Bitcoin

What happens when criminals make off with $2 million in cyber currency?  That is a good question.  The Bitcoin exchange Gatecoin, based in Hong Kong, detected the breach on May 13th.

If you put your money in the bank, those deposits are protected by Federal law in the case of fraudulent transactions and protected by FDIC deposit insurance in case the bank fails.

In the case of digital currency of any kind – there is nothing special about Bitcoin – you are on your own.  There are no laws to protect you.  No government backed insurance to bail the depositors out.

In this case, the Hong Kong based company says it is trying to raise additional capital to cover the losses.

Curiously, Gatecoin’s web site homepage says that they are a regulated and secure financial institution for blockchain assets.  Apparently not quite so secure.

On the bottom of the homepage, it says: High Risk Warning: Trading digital assets such as bitcoin and other cryptocurrencies carries a high level of risk, and may not be suitable for all investors.  If it is secure, why is it high risk?  That warning is about the price of the asset, but a customer who leaves coins at a custodial exchange also carries the risk that the exchange itself gets breached, which is exactly what happened here.

Regarding being regulated, it says: Gatecoin Ltd. is a licensed Money Service Operator (MSO) subject to regulation by the Hong Kong Customs and Excise Department. The MSO licence covers Gatecoin’s fiat currency activities.  Fiat currency, of course, refers to currency issued by a government – which means the licence excludes Bitcoin deposits.

In my opinion, while the first statement about being regulated may be technically correct, it is, at the very least, very misleading.

It also says this in the small print at the bottom of the homepage: The possibility exists that you could sustain a loss of some or all of your initial investment and therefore you should not invest using funds that you cannot afford to lose.  That is not a statement likely to inspire confidence, which is presumably why it is in tiny print at the very bottom of the page.

My guess is that this is not the last time we will see this.  After all, it is based on software and we all know that writing secure, bug free software is easy.

So, while digital currencies are interesting, I don’t think they will replace government issued currencies any time soon.


Information for this post came from SC Magazine.

Hacks, Hacks, Everywhere A Hack

Back in 2012, LinkedIn told its users that it had been hacked – to the tune of 6.5 million users.  Well, it turns out, that was a tad shy of the truth.  The real number was 117 million email and password combinations – roughly 18 times the number that they had admitted to.  LinkedIn told the 6.5 million users to change their passwords, but not the other 110+ million users.  The Fortune article has links to other sources if you want more information, but my recommendation is that you change your LinkedIn password.

Tumblr says that it just discovered that hackers stole 65 million user email/password combinations in 2013.  That is a long time to figure that out.  I assume that is because hackers are now trying to sell those passwords.  Since people reuse passwords on other sites and don’t change their passwords, it is likely that many of those passwords still work.  The good news is that the passwords were hashed and salted, making it a LOT of work to crack them – but not impossible.  This is a perfect example of companies being hacked and not even knowing about it.  The only reason they found out is that someone is trying to sell the data.

On the lighter side, Katy Perry’s Twitter account was apparently hacked – or else she was having a REALLY bad day.  Her 89 million followers were treated to a series of inappropriate tweets.  This reminds me of the recent (a couple of years ago) hack of the DoD Twitter account.  It just means that protecting your (Twitter or any other) account with just a password is likely not at all secure.

On the “Gees, that is a big hack” side, Myspace (remember them?) data is now coming up for sale.  The dataset includes 360 million records, but only 111 million had user names in them.  However, many of them had email addresses (which could also be a user name for another site if the user reused their password) and passwords.  The total number of passwords in the dataset was 427 million.  While I doubt anyone still uses Myspace, if that email/password combination is used elsewhere …

What is the take away from this?

  • Even though it is tempting, do not reuse passwords on any account that you care about, even in the least (from Amazon to Twitter, banking to email)
  • Use two factor authentication on important accounts (such as banking or any account that stores your credit cards and allows them to be used)
  • Change your passwords periodically.  Notice that most of the news above is about old hacks where the data is being resold now.  If people changed passwords regularly (at least annually), then that old data would be useless.

There is a web site called HaveIBeenPwned.com that allows you to enter JUST an email address to see if it comes up in their database of over half a billion breach records.  It is safe because all you enter is your email address, never a password.
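To show why the Tumblr passwords being hashed and salted matters, and why an unsalted dump is so much cheaper to crack, here is a small Python example I wrote for this post.  It is not code from Tumblr, LinkedIn, Myspace or anyone else mentioned above.  The user records and the attacker word list are constructed sample data, not anything from a real breach, and the choice of plain SHA-1 for the unsalted case and PBKDF2 with 10,000 iterations for the salted case is an assumption made for the demo:

```python
import hashlib
import os

# Constructed sample data for this example only; no real breach data.
PLAINTEXTS = {
    "alice@example.com": "password1",
    "bob@example.com": "letmein",
    "carol@example.com": "password1",   # same password as alice
    "dave@example.com": "Tr0ub4dor&3",  # not in the attacker's word list
}

# Constructed attacker word list (a real one has millions of entries).
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "monkey"]

# Assumed PBKDF2 work factor; real deployments use far more iterations.
ITERATIONS = 10_000


def unsalted_hash(password):
    """Plain SHA-1 of the password: the same password always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a per-user random salt and an iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_dump(plaintexts):
    """What a site that stores bare hashes leaks: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in plaintexts.items()}


def build_salted_dump(plaintexts):
    """What a site that salts and stretches leaks: user -> (salt, hash)."""
    dump = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        dump[user] = (salt, salted_hash(pw, salt))
    return dump


def duplicate_hashes(unsalted_dump):
    """Without salt, users sharing a password are visible before any cracking."""
    seen = {}
    for user, h in unsalted_dump.items():
        seen.setdefault(h, []).append(user)
    return [sorted(users) for users in seen.values() if len(users) > 1]


def crack_unsalted(dump, wordlist):
    """Hash the word list once, then look every stolen hash up in that table.
    Returns (cracked users, number of hash computations performed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """Each user has a different salt, so the word list is rehashed per user and
    every guess costs ITERATIONS hash computations. Returns (cracked, work)."""
    cracked = {}
    work = 0
    for user, (salt, digest) in dump.items():
        for guess in wordlist:
            work += ITERATIONS
            if salted_hash(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = build_unsalted_dump(PLAINTEXTS)
    salted = build_salted_dump(PLAINTEXTS)
    print("duplicates visible in unsalted dump:", duplicate_hashes(unsalted))
    cracked, work = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted: cracked {len(cracked)} of {len(unsalted)} with {work} hash computations")
    cracked, work = crack_salted(salted, WORDLIST)
    print(f"salted:   cracked {len(cracked)} of {len(salted)} with {work} hash computations")
```

Both dumps give up the same three weak passwords, but the unsalted one does it with six hash computations for the whole site (and shows that alice and carol share a password before a single guess is made), while the salted one costs tens of thousands of hash computations per user.  Scale the word list to millions of entries and the user table to 65 million, and that per-user multiplier is the difference between an afternoon and a very long time, which is why the advice above to stop reusing passwords still stands: salting buys time, it does not make a weak, reused password safe.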

Information for the LinkedIn hack came from Fortune.

Information for the Tumblr hack came from Motherboard.

Information for the Katy Perry Twitter hack came from Techcrunch.

Information for the Myspace hack came from Fortune.

When the Hackers Get Hacked

Nulled.io, a forum that sells compromised passwords, stolen bitcoins and other neat stuff, was hacked recently, exposing the email addresses of people buying and selling, their purchase histories and the messages between buyers and sellers for 500,000 members.

Here is what the website looks like today:


If you look at their “tag line” below their logo, it says EXPECT THE UNEXPECTED.  Perhaps they needed to heed their own advice.

This data was discovered by the security analysis firm Risk Based Security, and anyone who is interested can look at it.  The size of the data leaks that we are beginning to see is amazing.  This leak is almost 10 gigabytes in size.  No longer are we seeing people expose a database or a few email messages; now they are dumping an entire website.

I ASSUME that two groups of people who might be interested are folks like law enforcement (FBI, Scotland Yard) and intelligence agencies (NSA, CIA, MI5, MI6).  One group is interested in who they can arrest and charge with a crime.  The other is interested in who they can turn and use for their own purposes.  In either case, there are likely some people who are going to get an unwanted visit from the men in black.

The private messages provide an insight into the minds of criminals including what can be bought and sold as well as the tech support requirements (the private messages act as a form of hacker help desk) as hackers try to get their hacks working.

In total, there are over 2 million posts, 800,000 private messages, 5,000 purchases and 12,000 invoices.

How the site was hacked is unknown, but the software that the site runs on, Invision Power Services’ IPS Community Suite, was riddled with critical vulnerabilities according to Risk Based Security.

Maybe the hackers need to read the news and keep their software patched and up to date.  MAYBE, they should have done penetration testing.  I wonder if they know anyone who knows how to do that kind of stuff – like most of their members?

One possible scenario, and there certainly are a lot of possibilities, is that a disgruntled buyer decided to take out his or her frustration on the site.

In any case, it just goes to show that there IS no honor among thieves.


Information for this post came from Ars Technica and Risk Based Security.

5 Year Old Qualcomm Bug Leaves Many Phones Vulnerable

A 5 year old bug in a Qualcomm chipset used in many Android phones allows a hacker to elevate their privileges and read SMS and call history data, change system settings or disable the lock screen.

Hackers could exploit this bug by having physical access to an unlocked phone or by getting a user to install a malicious app.

The bug affects older versions of Android, 4.3 and earlier, the most.  Since that software is likely not supported by anyone, those phones will likely never be patched.

Android started enforcing SELinux policy (Security Enhancements for Android, or SEAndroid) in version 4.4, which reduces the problem significantly but does not eliminate it.  This is the main reason why Apple tries really hard to force people to upgrade OS versions, even if it means that they have to trash their old phones.

Congress is now investigating the issue of OS support in old phones (yes – we’re from the government and we’re here to help you), however, that is unlikely to change anything any time soon.

Google released a patch for this bug on May 1, but given the carriers’ track record at releasing patches, it is likely going to be months before most users see that patch – if ever.  Google says that Nexus phones are not vulnerable to this – I assume this means that they do not use the Qualcomm chip that is at the heart of this problem.

For any given user, it would be difficult to figure out whether their particular phone is susceptible, but users running Lollipop (V5) and Marshmallow (V6) are likely least affected.

One more time, Apple beats Google because they control the supply chain end to end.  In a closed world, where one company makes the phones and the OS, it can force patches quickly.  In the Android world, Google can release patches and patch its own Nexus phones, but has very little control over handset makers like LG and Samsung or carriers like AT&T or Sprint.

Congress could potentially have some impact here, but I am not counting on them doing anything smart.  They do not seem to have a good track record.


Information for this post came from Ars Technica.

Denial of Service Attack Meets Ransomware

Cloudflare, the denial of service prevention vendor, reports that gangs are threatening denial of service attacks unless the victim pays a ransom in bitcoin.  Even though Cloudflare has heard from over 100 customers who received the threat, none of them have been attacked, whether they paid or not.

Here is the scam.  You use the name of a known DDoS group – in this case, the Armada Collective – and threaten people with being attacked.  The attacker may – or may not – have any relation to that group.

You set the payment level low for avoiding the attack – in this case, 10 bitcoins or about $4,000.

You threaten people that if they don’t pay they will be attacked and the fee to stop the attack will go up to 20 bitcoins and go up by 10 bitcoins a day.

You also tell people that you have a magic attack that bypasses anti-DDoS vendors like Cloudflare.

And then, you sit around and wait until some people pay up.

This is a whole lot simpler than actually having a way to launch a DDoS attack or having a way to bypass Cloudflare’s protections.

To date, according to a company that reviews the bitcoin blockchain, these attackers have received at least $100,000.  While that is not much, there may be other bitcoin accounts that they have not examined, and the attackers’ only cost is sending out a few emails.

While there certainly is no way to know if the attacker can launch an attack, at least so far, they do not seem to have either the ability or desire to do so.

The folks at Cloudflare have talked to other anti-DDoS vendors and they also have customers who have received the emails.

It is certainly possible that these attackers COULD have the capability to launch an attack – we just do not know.

One reason to doubt it is that they seem to be reusing bitcoin addresses between different targets.  A bitcoin payment carries no sender identity, so if one address is handed to many targets and they did, in fact, plan to attack someone, they would have no easy way to figure out who has paid and who has not.
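To make the address-reuse point concrete, here is a small Python example I added for this post; it is not Cloudflare’s code and does not come from the blog post it cites.  The demands and on-chain payments below are constructed sample data, and the address strings are placeholders, not real bitcoin addresses.  For each threatened site it works out whether the extortionist could even tell that the site paid:

```python
from collections import defaultdict

# Constructed sample data: ransom demands sent to four sites.  Two of them were
# handed the same payment address, which is the pattern described above.
# Addresses are placeholders, not real bitcoin addresses.
DEMANDS = [
    ("alpha.example", "addr-shared", 10),
    ("beta.example", "addr-shared", 10),
    ("gamma.example", "addr-gamma", 10),
    ("delta.example", "addr-delta", 10),
]

# Constructed sample of payments visible on the blockchain: (address, amount).
PAYMENTS = [
    ("addr-shared", 10),
    ("addr-gamma", 10),
]


def attribute_payments(demands, payments):
    """Return victim -> 'paid', 'unpaid' or 'ambiguous'.

    A payment only shows which address received funds, not who sent them.  When
    one address was given to several victims, the extortionist can only tell
    that *someone* paid, unless the total received covers every demand that was
    tied to that address.
    """
    received = defaultdict(int)
    for address, amount in payments:
        received[address] += amount

    by_address = defaultdict(list)
    for victim, address, amount in demands:
        by_address[address].append((victim, amount))

    status = {}
    for address, victims in by_address.items():
        total_demanded = sum(amount for _, amount in victims)
        got = received[address]
        for victim, amount in victims:
            if got == 0:
                status[victim] = "unpaid"
            elif len(victims) == 1:
                status[victim] = "paid" if got >= amount else "unpaid"
            elif got >= total_demanded:
                status[victim] = "paid"
            else:
                status[victim] = "ambiguous"
    return status


def safe_to_attack(demands, payments):
    """Targets the extortionist could hit without punishing a paying victim."""
    return sorted(
        victim for victim, state in attribute_payments(demands, payments).items()
        if state == "unpaid"
    )


if __name__ == "__main__":
    for victim, state in attribute_payments(DEMANDS, PAYMENTS).items():
        print(f"{victim:15} {state}")
    print("could attack without losing a paying customer:", safe_to_attack(DEMANDS, PAYMENTS))
```

With the shared address, one 10 bitcoin payment arrives and the attacker cannot tell whether alpha or beta sent it; attacking either one risks hitting the site that paid, which destroys the incentive for anyone else to pay.  Give every victim its own address (change the DEMANDS tuples so no address repeats) and every status becomes either paid or unpaid.  A gang that intended to follow through would have done that, which is why the reuse is evidence that they do not.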

At the moment, Cloudflare seems to think this is an empty threat, but things do change.  Now that they have been outed on Cloudflare’s blog, they could decide to escalate.  OR, they could decide to fold for a while, wait for people to forget and try it again.

No one knows.

Information for this post came from Cloudflare.

Home Depot Still Dealing With The After Effects Of The Breach

In late 2014 Home Depot announced that hackers compromised their security and stole 50 million credit cards and another 50 million loyalty cards.  18 months later, there are still three class action lawsuits pending.  One is close to settling.  In a recent 10-K filing with the SEC, Home Depot said that they had spent over $150 million on the breach, net of what their insurance paid, which is reputed to be another $90-$100 million.

While I do not have any personal knowledge of the breach, industry reports suggest that their cyber hygiene was sub-standard, an issue that could affect the outcome of the three class actions still in play.

Some people say that the breach was not so bad.  They measure that by the stock price and that has held up.  Part of that may be that Home Depot did a better job of communicating, but it may be that investors know that the business will eventually recover.  If you assume that they spent $161 million so far and there are still lawsuits to settle, they could easily spend a quarter of a billion dollars – or more – before this is over.  That, I suggest, is bad.  It is money that would have otherwise flowed to shareholders or been reinvested in the business.  Now it will go to lawyers and plaintiffs.

The first lawsuit to be filed was by consumers and it is the least painful.  Since the banks make consumers whole, for the most part, the value of the damage is small. Currently, there is a preliminary settlement for this suit, which, if approved, would cost Home Depot another $20 million plus a requirement to enhance security – whatever that costs.

The second suit is from the banks.   They say they spent $150 million reissuing cards.  Fraud is on top of that.  Home Depot’s lawyers say that the banks don’t have standing to sue.  We shall see.  Home Depot’s story is that they don’t have a contract with YOUR bank – the one that reissued your card, only their bank.  This has been tried before without success, but you can’t blame a guy for trying.  Stay tuned.  This COULD cost Home Depot a lot of money, depending.

The third lawsuit is from the shareholders, who filed a derivative lawsuit against the company and 12 board members directly.  This is the one that could hurt.  So far, it has been next to impossible to succeed at suing Boards and Directors, but this is no ordinary breach, so stay tuned.  The suit says that the company and the Board breached their fiduciary duty by failing to make sure that the company took reasonable steps to protect consumers’ information.  What is unclear is what the damage is.  If the stock price didn’t take a hit, were they damaged?  Of course, the company will spend somewhere between $150 million and $350 million dealing with the breach.  Maybe the company would be much better off if the executives could focus for 3 or 4 years on running the company rather than fending off lawsuits.  IF this suit prevails, it could open up the floodgates for similar shareholder lawsuits.

We do need to remember that the $161 million expense is pretax, so depending on their tax rate, it will be less.  Of course, that means that you and I get to pay again for Home Depot’s mismanagement – the first time in bank fees that the banks use to cover the breach cost and the second time in tax savings because breach costs are tax deductible.

All companies should be watching for the outcome of this case and checking out their cyber breach preparedness.  For small companies, suits like this are often fatal.

Information for this post came from JDSupra.