Category Archives: Safety

Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different.  First, unlike money, you can’t deposit it in a bank where there are government assurances of protection.  Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it.  Typical burglary insurance, however, has very small limits of reimbursement like a thousand dollars of cash or maybe a few thousand.

On the other hand, I am not quite sure how the burglars are going to convert the bitcoin into cash.  The blockchain is very transparent – every transaction is visible to anyone who wants to see it.  In this case since we know or could know the wallet ID of Danny Aston, we could follow the bitcoin no matter how many twists and turns it makes.  But, there is a problem – of course.  While we know Danny’s wallet ID, if it went from there to wallet A, then B, then C and D and so on, there may not be a way to identify those other wallets.  Especially if the wallet is not associated with a Bitcoin exchange (it doesn’t have to be) or is associated with an exchange in a country not friendly to us.  In any case, the bread crumbs will live on forever, so those robbers need to not make any mistakes.  Ever.
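The tracing described above, as an added example that is not part of the original post: a breadth-first walk over a transaction list that follows coins from a known wallet and separates the hops that reach an attributed wallet from the ones that end in an unknown one. The ledger, wallet names, amounts and the exchange are constructed, and Bitcoin's real transaction model is simplified to plain wallet-to-wallet transfers.

```python
from collections import deque

# Constructed sample ledger (sender, receiver, amount in BTC); not real data.
LEDGER = [
    ("victim", "A", 10.0),
    ("A", "B", 6.0),
    ("A", "C", 4.0),
    ("B", "D", 6.0),
    ("C", "exchange-1", 4.0),
    ("D", "E", 6.0),
    ("unrelated", "exchange-1", 2.0),
]

# Constructed attribution list: wallets whose owner is known to investigators.
KNOWN_OWNERS = {"exchange-1": "Example Exchange (hypothetical)"}


def trace(ledger, start, known_owners):
    """Follow every onward transfer from `start`, breadth first.

    Returns (identified, dead_ends). `identified` maps each attributed
    wallet that was reached to the hop path and the amount it received on
    that path; `dead_ends` lists unattributed wallets where the trail stops.
    """
    outgoing = {}
    for sender, receiver, amount in ledger:
        outgoing.setdefault(sender, []).append((receiver, amount))

    identified, dead_ends = {}, []
    seen = {start}
    queue = deque([(start, [start], None)])
    while queue:
        wallet, path, received = queue.popleft()
        if wallet in known_owners:
            # An attributed wallet is where the trail meets a real identity.
            identified[wallet] = {"owner": known_owners[wallet],
                                  "path": path, "amount": received}
            continue
        hops = outgoing.get(wallet, [])
        if not hops and wallet != start:
            dead_ends.append(wallet)  # coins are parked in an unknown wallet
        for receiver, amount in hops:
            if receiver not in seen:  # guard against loops in the graph
                seen.add(receiver)
                queue.append((receiver, path + [receiver], amount))
    return identified, dead_ends
```

On the sample ledger, the 4 BTC branch surfaces at the attributed exchange wallet while the 6 BTC branch stops at unattributed wallet E, which is exactly the case the post describes where the trail is visible but the owner is not.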

Now onto the second incident.

Hackers stole more than $500 million in a cryptocurrency called NEM.  The NEM coins were stolen from a cryptocurrency exchange called Coincheck.  Apparently, the wallet from which the money was stolen was a “hot” wallet, meaning that it was connected to the Internet.  I don’t know about you, but I wouldn’t leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography.  Instead they either find software bugs or just do an old-fashioned stick-em-up (although that was the first time a Bitcoin stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.   After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.


Ohio Man Indicted For Spying on People for 13 Years

NOTE: THE CONTENTS OF THIS POST MAY NOT BE SUITABLE FOR YOUNGER READERS.

A 28 year old Ohio man has been indicted for creating and installing malware on hundreds of Apple Mac and Microsoft Windows computers.

The man, Phillip Durachinsky, used the software to spy on people.  This includes recording what the camera and microphone pick up in the same room as the computer.

In addition to capturing audio and video, the software that he created also stole passwords and used that to access third party sites.  He also used the software to steal tax, medical and banking records and also photos and private communications.

The 16 count federal indictment includes the production of child pornography, so it doesn’t take much to figure out that if your kid had a Macbook in the bedroom and it was infected, this guy may have captured video of your kids doing whatever and, apparently, while naked – something that doesn’t seem completely unexpected in a bedroom, but which you and your kids certainly do not expect.  People expect to be safe and secure in their bedroom.

The software alerted him when the user used certain search terms, such as pornography.  People who watch porn might be doing certain things while naked, hence the charge of producing child porn. Kind of boggles the mind.

As an indication of how deranged this guy is, he is alleged to have kept regular, detailed notes.

Durachinsky, who is 28 now, has been spying on people for the last 13 years, according to the feds, so he must have created this software when he was around 14 or 15.  If it weren’t so warped, the skill would be pretty impressive.

What has not been revealed yet is the total number of computers infected or the number of people affected.  It is also not clear how much video exists and if the video has been published or if he was keeping it for himself.  Given that he was charged with PRODUCING child porn and not with DISTRIBUTING child porn, you might conclude that he was not selling or giving away the video that he captured.

The researcher who found the software, called Fruitfly, discovered it on at least 400 Macs, so it looks like the software was not widespread.

A simple way to protect yourself, at least in part, is to join the ranks of Facebook founder Mark Zuckerberg and former FBI Director James Comey and cover your laptop camera with a piece of opaque tape.  Many companies make small devices that you can slide back and forth or remove that are a little more elegant than black electrical tape.

For parents, have kids close the lid on their laptops when they are not using them and, of course, do not use your laptop when you are sans clothing.

It is a sad thing that you have to worry about such things.

Information for this post came from CNN.


FBI Says Tech Industry Should Follow Financial Services in Saving Messages

FBI Director Christopher Wray suggested that the tech industry follow the model of the financial services industry.  Some of the big banks have created a messaging app with delete capability, so to keep the regulators happy, they agreed to save a copy of each message for 7 years.

Let’s apply that to the tech industry.

WhatsApp currently serves up 55 billion messages plus 4.5 billion photos plus 1 billion videos a day.

iMessage serves up 40 billion messages a day.

Let’s assume a message, with overhead, is 1,000 bytes, a photo is 3 megabytes and a video is 20 megabytes AND let’s ignore every other secure messaging platform.  The math is:

(95 billion x 1 kB + 4.5 billion x 3 MB + 1 billion x 20 MB) x 365 x 7

That equals 33,595,000 billion bytes per day or

12,262,175,000 billion bytes per year or

85,835,225,000 billion bytes in 7 years.

That would be 85,000,000,000,000,000,000 characters, if I did the math right.  Let’s ignore compression for the moment since videos and photos don’t compress and they are the bulk of the disk space.

Assuming a 5 TB disk drive, that would only require 17,167,045 disk drives to hold the data.

Double that if you would like just one backup copy.

That assumes zero growth during that time, when, as we know, growth is in the double digits per year.

That is a lot of disk drives for someone to buy.  And maintain.  And pay for the electricity and people to keep them running.  Roughly the size and cost of the NSA’s Utah data center, which cost about $4 billion to build, estimates say, and probably a hundred million dollars a year to run.

Scale IS a problem here.  A big problem.

Let’s say you scale that back and say that you only keep messages for a year.  Now you only need two and a half million disk drives, assuming zero growth.

If we assume that people don’t keep all their messages, someone else is going to have to and that will be VERY expensive.  Even if you build a back door into phones, if people delete their messages, that back door doesn’t help you.

I’m not saying there is no answer, but there is no simple or inexpensive or privacy protecting way.

And, of course, if you force Apple to build a back door into iMessage, some dude in Pakistan will build his own app that doesn’t have a backdoor.  Now you have to police every phone on the planet for a long list of apps that changes daily.  Again, possible, but not cheap.

NOTE: These numbers are only for examples.  They could be off by a factor of 10 in either direction – or more.

Information for this post came from The Washington Post.

 


Researchers Find Directv Security Hole No One is Patching

Researchers tried to do this the right way with no luck so now they are seeing if bad publicity will get the job done.

AT&T Directv creates a private wireless network to transfer video, audio and the user interface between its wireless slave boxes hanging off the back of your TVs and the DVR that they talk to.

According to researchers, the bug is trivial to exploit and will go undetected.

The wireless video bridge, as it is called, is running a web server and when the researcher decided to check it out, he discovered that the web server does not require you to log in to it.  After all, all that should be talking to it is a Genie slave unit.

Worse yet, the web server does not do any kind of input validation, so if you want to send it bogus data, you can own the box as ROOT, Linux’s super admin userid.

The good news is that this wireless bridge is not connected to the Internet, but if someone was able to compromise a PC on the network, then it would be trivial to use it to compromise the Directv box.

The first attack that the researchers considered is a Mirai-botnet-like attack where a couple of thousand AT&T Directv boxes are used to attack the Internet and take down Google or Microsoft or whoever.  Definitely possible.

The researchers notified AT&T 6 months ago and AT&T has gone completely dark, so they are announcing the bug.  Maybe the fear of being on the front page of every newspaper in the country – after all, now millions of hackers are aware of how to break in – might get them off the dime.

From a user perspective, there are only a couple of things that you can do and #1 is to completely isolate your AT&T devices from the rest of your network.

Information for this post came from The Register.

 


MOM – He’s WATCHING me!

In case you thought you were being paranoid, you were not.  Have you ever gone to a web site, wandered around but never clicked on anything and then closed the browser only to see an ad for whatever you were looking at show up on some other web site?

There is a reason for that and no, you are not imagining it.

Some web sites track every single keystroke and mouse click that you make, capture it and store it.  They can tell if you hover over an image (even if you don’t click on it) and how long you do that.

Hundreds of sites including Microsoft, Adobe and Godaddy capture every keystroke and mouse movement.  In many cases, that even includes passwords.  A study of 50,000 popular web sites found 482 of them did this.

Of course, without telling you.

These are called session replay scripts and can be used for many purposes, from figuring out which parts of a web site get the most traffic to capturing data to send you spam and ads.

Scripts from FullStory, Hotjar, Yandex, and Smartlook were the most intrusive because they recorded all input including Social Security numbers and dates of birth.


The research, conducted by Princeton’s Center for Information Technology Policy, only tested 50,000 web sites.  No one knows if the percentage (about 1 percent) would stay the same if the sample size increased.  Assuming that the percentage stays flat, that means of the one billion web sites, ten million are capturing your info, whether you want them to or not.

I guess the good news is that it is only one percent and not 70 percent.  But since these tools can capture credit card numbers and passwords and since the web site owners share the data with third parties, it makes me wonder how safe things are.

If you use two factor authentication to log on, that significantly negates the risk from some third party having your password, but since only a tiny percentage of folks do use two factor authentication, that won’t help most people.

Some web sites do “mask” sensitive data, but since they don’t even tell us that they are doing this, they certainly aren’t telling us if they are masking data or not.
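Since sites do not disclose this, one way to check a page yourself is to look at which scripts it loads. The following is an added example, not part of the original post or the Princeton study: it scans a page's HTML for scripts from the four vendors named above, both as external `<script src>` tags and as inline loader snippets. The vendor domain list is an assumption that should be checked against each vendor's current documentation, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendors named in the post; the script-serving domains are an assumption.
REPLAY_DOMAINS = {"fullstory.com": "FullStory", "hotjar.com": "Hotjar",
                  "mc.yandex.ru": "Yandex", "smartlook.com": "Smartlook"}

# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="https://nothotjar.com.example.net/lib.js"></script>
<script src="//rec.smartlook.com/recorder.js"></script>
<script>
  var s = document.createElement('script'); document.head.appendChild(s);
  s.src = 'https://static.hotjar.com/c/hotjar-000000.js';
</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_replay_scripts(html):
    # Returns sorted (vendor, how_loaded) pairs found in the page.
    collector = ScriptCollector()
    collector.feed(html)
    found = set()
    for domain, vendor in REPLAY_DOMAINS.items():
        for src in collector.srcs:
            host = urlparse(src).hostname or ""
            # Match the host or a subdomain, not an arbitrary substring.
            if host == domain or host.endswith("." + domain):
                found.add((vendor, "external script"))
        if any(domain in code for code in collector.inline):
            found.add((vendor, "inline loader"))
    return sorted(found)
```

A static scan like this misses scripts injected later by a tag manager, so an empty result does not prove a page is free of session replay.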

Bottom line – assume everything that you are typing or clicking may be captured and shared with a third party.  AND, likely, AGGREGATED.

There are tools that can help you protect yourself but they complicate the world and slow things down.  Still, they may be worthwhile in some cases.

Depends on YOUR level of paranoia.

Information for this post came from Ars Technica.

 


The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new and it also is an issue on Android phones, but, for some reason, everyone seems to be highlighting the problem with iPhones.  PERHAPS, that is because it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of it.  That app can access your camera – both front facing and rear facing – whenever it wants to.  It does not have to ask you to access the camera.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that there is no indication that the camera, front or back, is on.  As a side note, while there is a light on many PCs indicating the camera is running, that is a bit of software and the camera COULD be turned on without the light being on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails

In reality, the only recommendation that the FBI made that will actually work is this next one:

3. Place a piece of tape over the front and rear camera.

Ponder this thought –

The camera sits on your table in front of you;  it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom. You get the idea.

Just in case you were not paranoid enough before.

Information for this post came from The Hacker News and The Register.
