Cryptocurrencies Under Attack

A story that seems to repeat far too often is the cryptocurrency attack.  This is because most users don’t understand how easy these attacks are.

I am aware of *NO* attacks that compromised the cryptography of cryptocurrencies.  It is always the software.  Sometimes on the user’s side.  Other times on the exchange’s side.

The cryptocurrency exchange called Coinrail lost $40 million to an attack.  Coinrail has taken its service offline and has moved what is left of its currency into cold storage to make it harder for the hackers and to help investigators figure out how the attackers got in (source: Techcrunch).

The Japanese exchange Coincheck lost $400 million to hackers.  They say they do not know how the attackers stole the money. They are considering compensating users who lost money – whatever that means. (Source: Techcrunch)

Tether, a cryptocurrency startup, lost $31 million to attackers.  (Source: Techcrunch)

Bitcoin lost $500 of value in an hour after the most recent attack.  The industry as a whole lost $42 billion in value. (Source: Bloomberg)

As a coin speculator, what should you be doing?

First, you need to understand that you are a speculator in a wildly volatile commodity and that commodity has zero inherent value, unlike hog bellies or gold.

Second, understand that there is no insurance, very limited government regulation and no government protection from losses suffered.  This is about as risky as loaning money to your cousin Vinny.

Third, like all investments, diversify.  Whether that means stocks, bonds and crypto or just different crypto exchanges (and not different currencies at the same exchange), diversify.  I recommend the first; you do the second at your own peril.

Keep your wallet offline.  Hackers stole $20 million in Ethereum because users had opened a port on their local machines which allowed hackers to empty their wallets.  Offline is not a silver bullet, but it will stop that particular attack as long as the wallet stays offline.

Only run cryptocurrency transactions on a machine that you know to be secure.  One recent attack used DNS compromises on users’ machines to make their software think it was connecting to their exchange when, in fact, it was connecting to the attackers’ computers.

Bottom line – it is your money.  Treat it like it is important.


News Bites for Friday June 8, 2018

One Vendor, Two Unprotected Servers Equal Disaster

Agilisium, a cloud storage vendor to Universal Music Group, exposed UMG’s internal FTP credentials, AWS secret keys and passwords, and the internal and SQL root passwords to the open internet – all via two instances of the Apache Airflow server with no password.

Your Vendor Cyber Risk Management (VCRM) program manager needs to work with all vendors, especially those who are high risk, to make sure their cyber security program matches your risk, because you are the one who is going to take the heat (Source: Threatpost).

Online Ticket Service TicketFly Hacked, Shuts Down As a Precaution

Online ticket service TicketFly and some of the venues that it provides service for shut down last week after it was hacked.  It came back up briefly but is down again today, June 4.  Concert venues that use TicketFly have had to delay ticket sales, and concert goers who did not print out paper tickets for concerts going on during the outage will have to wait in line at the venue’s ticket office and hope they can get their tickets.  Ultimately, if that fails AND they paid for their ticket with a credit card, they will get their money back under federal law.  If they had to fly to the venue and didn’t get in, well, that may be a different story.  Such are the dangers of an always-online world that is not always online.  Eventbrite bought TicketFly last year for $200 million (Source: CBS).

Stingrays in Use Near the White House

It has long been suspected that the Ruskies (or Chinese. Or both) have been using cell site simulators near sensitive areas to capture information.  When Sen. Wyden whined about it, DHS said that it wasn’t in the budget for them to protect the White House or Congress from those pesky Ruskies.  Well, after they were sufficiently embarrassed, they did a small pilot and, well, it is true.  And, on top of it, the bad guys are hacking the public phone networks’ control system, called SS7, which was written in the 1980s and has very little security in it.  Fixing SS7 is a major worldwide undertaking that would cost billions and take decades.  So DHS still says that they don’t have money to fix it, but we do know that, along with hacking the elections, the Ruskies are hacking our phones.  (Source: The Register).

What Did Atlanta Lose?

When Atlanta got hit by a ransomware attack, they seemed to downplay the impact, but now they are telling a different story.  The city has spent $5 million in the aftermath of the attack, both to recover and to improve security, but it is not all sunshine.

They did lose years’ worth of police dashcam footage – never to be recovered.  If that was important evidence in a case, the case may need to be dismissed.  It did not affect body cam video, however.  What other files will be discovered to have been lost – that we will need to wait to find out (Source: We Live Security).


Baby Monitor Takes Compromising Pictures of Mom

A 24-year-old South Carolina mom, Jamie Summitt, got a rather rude lesson in cyber security.  She purchased a “smart” baby monitor that she could watch from her equally smart phone, only to wake up one day to find the baby monitor pointed at her.

She didn’t think much about that until she watched the camera move on its own to the spot where she breastfeeds her 3-month-old.

The camera, a very low-end $34 model from FREDI, claims that it has NO RISK of PERSONAL INFORMATION and lifetime technical support.

When she and her husband were eating dinner together while the baby slept, her phone alerted her that the camera was moving.  That prompted an Oh (fill in the blank) moment.  Clearly they were not moving the camera.

Remember that consumers are not security experts, and expecting them to be is doomed to failure.

To those of us in the security industry, this is not news; the hacking of baby monitors is a well-worn road.  Since manufacturers are not liable for the security of their products, they choose not to spend money on something that doesn’t generate revenue.

She unplugged the camera and called the police, but when the police arrived and plugged the camera in again, the peeping Tom had actually locked them out of their own camera – likely having heard the conversation with the police.

She contacted Amazon, who pointed her to the manufacturer.  The lifetime tech support number was disconnected and they did not respond to email.  No surprise here.

I wrote a long time ago about the tests that Rapid 7 did on baby monitor security, and almost all of them got an F.

So what should you do?

The first thing to do is your own research on the security of whatever baby monitor you are considering purchasing.

See whether your chosen vendor has offered security patches for its monitors in the past.  No patches likely does not mean a secure product – just one that the vendor doesn’t care about after the sale.

Next, change the default password and make the new password something that is complex.  And hard to guess.

But another simple and low tech thing to do is…

Get an old ski cap and drop it over the camera when you are home. Or at least when you are in the room.  Take it off when you leave and put it back on when you come back.

At least that way the only thing the peeping Tom will see is your (hopefully) sleeping baby.

And not you in a compromising state of undress.

Information for this post came from CSO Online.

Security or Convenience – Manafort May Have Picked the Wrong Option

Paul Manafort, President Trump’s former campaign manager, is in trouble with the Feds.  Again.

Federal prosecutors say that Manafort attempted to tamper with witnesses to make sure that their testimony coordinated with his.

The feds found out by getting a warrant for his iCloud account.  WhatsApp and Telegram messages backed up to iCloud are not encrypted.

Poof, his cover was blown.

Manafort has been charged with money laundering, tax evasion and failing to register as a foreign agent.  Now the feds may add witness tampering to that.

Since he is currently out on bond, and possible witness tampering probably was not on the court’s approved list of things to do while you are out on bond, they could possibly revoke his bond and send him to jail.  My guess is they will more likely use these new allegations to squeeze him some more.

So what should you do to avoid this situation?

Number one is don’t commit crimes.

Number two is if you are being prosecuted for possibly committing crimes, don’t commit even more crimes.

Number three is to remember that even if your end is secure, there is nothing to stop the recipients from giving you up.  The feds, for example, could say that they are going to charge the other person with a crime unless they cooperate.  Even if the charges are flimsy and don’t eventually hold up, they will still spend a lot of money and have their life turned upside down, so someone might decide to cooperate.

If you are creating records for yourself and you encrypt them, that makes it much harder for anyone to read them.  But you have to make sure that the software is well written and the keys are securely managed.  This is true whether you are planning a crime spree or just trying to protect your business.  Leaving the key in the locked door is not very secure.  This happens to businesses all the time.  They think they are protecting their data by encrypting it, but in reality, the keys are stored with the data.  If you do it right, they (meaning the feds or hackers from China) might be able to get the data, but the data will still be encrypted.  Could they crack the encryption?  Maybe.  All that takes is time and money.  Possibly a lot of both.  OR, they could hack your phone/computer and steal the encryption keys.

Bottom line – encryption is not a silver bullet, even if you are not a crook.  It is hard to do right and easy to do wrong.

Information for this post came from Gizmodo.


Colorado Governor Signs New Cyber Security Bill Into Law

Effective September 1, 2018, *ALL* companies doing business in Colorado will have just 30 days to notify residents if their data was breached.  That is just one of the new rules.

The rules apply to both government entities and businesses, which is a bit of a surprise.  Different laws, but basically the same requirements.

What will businesses need to do?

  • Have a written policy for the destruction or proper disposal of paper and electronic documents containing personal information.
  • Implement and maintain reasonable security procedures and practices that are appropriate to the nature and size of the business.  While this gives you a lot of wiggle room, you may need to justify to a judge or the attorney general why you called your practices reasonable.
  • If you use any third party services (which is pretty much everybody), you must require that third party to implement and maintain reasonable security practices and procedures unless you choose to be liable for their practices instead (which is not a great idea).
  • In case of a breach, notify residents providing specific information about the breach.  If the business does not have sufficient information to contact residents directly or if the cost of contacting residents will exceed $250,000 (or a couple of other reasons), an alternate notification process will kick in, which includes a prominent notice on the company’s web site and notification via state-wide media.
  • If the breach affects more than 500 people, the business must notify the attorney general and if it affects more than 1,000 people, the business must also notify the credit reporting agencies.  Consumers cannot waive these rights in a contract or other agreement.
  • If encrypted data is breached, notification is not required if the encryption mechanism is not compromised.  This means that if a powered-off laptop which is encrypted is stolen, then notification is likely not required, but otherwise, it probably is required.
  • Criminal charges may be brought against a business under certain circumstances.

This law leaves a lot of leeway for the Attorney General to interpret things and the current AG was very active in shaping this bill, so I would not count on him being lax when it comes to prosecution.


News Bites for Friday June 1

8 new Spectre-Class Vulnerabilities

Researchers have reportedly found *8* new Spectre-class vulnerabilities.  Intel has classified 4 of them high risk and 4 of them medium risk, although they are not releasing any details on them – yet.  The entire set is being referred to as Spectre Next Generation or Spectre-NG.  At least one of them is rumored to be able to capture data, like passwords, from other virtual machines running on the same computer – as would be the case in Microsoft Azure, Google Compute or Amazon EC2.

Supposedly Intel is planning on releasing some patches this month and some more in August.  Until then and until we get more information, it is a bit of a black hole.

As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not.  That is likely the case here.

We also saw that it was hard to exploit the old Spectre vulnerabilities.  Apparently, at least one of these new vulnerabilities is relatively easy to exploit.  Combine that with the suspicion that some chips may not be fixable ... not good.

It is rumored that at least some of these flaws affect ARM chips as well; it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.

Ultimately, this should have been expected.  As chip makers pushed harder and harder to make their chips faster – faster than the previous generation and faster than their competitors – they took calculated risks.  Now those risks are coming back to haunt them (Source: The Hacker News).

The General Data Protection Regulation (GDPR)

The GDPR went into effect in the EU on Friday and it is likely to have an effect not only on EU residents but also on people around the world.  It significantly increases residents’ control over their information and how it is used.

The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me.  Check out Facebook or Google if you have any questions about that.

Other countries such as Japan, South Korea, Brazil, Thailand, Bermuda and others seem to be lining up with the EU’s way of thinking because doing that allows for a more seamless transfer of information between the EU and those countries and that translates to more business.

The U.S. has negotiated an agreement with the EU called Privacy Shield, which was negotiated after the last agreement, Safe Harbor, was shot down by the EU’s High Court.  Privacy Shield is now in front of the High Court and no one knows what that outcome will be.

With Friday’s law in place, a number of U.S. media companies like the LA Times and Chicago Tribune have blocked EU users from accessing their web sites rather than become compliant.  Not sure that is a great strategy, but maybe.  That strategy is especially suspect if more countries adopt EU-like laws.  If they do then companies that are not compliant may be limited to being visible in the United States.  That also means reduced business opportunities for those companies.

Literally, as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook.  Stay tuned for the outcome of those complaints.  Like the Chinese proverb says: may you live in interesting times.  This qualifies (Source: Reuters).

Vermont Data Broker Regulation Now In Effect

Until now, data brokers like Acxiom (yes, you have never heard of them, and that is not a coincidence) have collected and aggregated data from hundreds of sources and generated thousands of data points per person.  They know that you bought some particular medicine last week and infer what the disease is.  That isn’t covered under HIPAA because they have not talked to your doctor.  They create their own variant of a credit score, but since it is not actually a credit score, it isn’t regulated.

Well as of last week, Vermont has become the first state in the country to regulate data brokers.  Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.

Now they will have to meet security requirements, control access to the data, and report breaches.  And using their data for fraud is now a crime on its own.  Will other states follow?  Who knows; stay tuned (Source: Tech Crunch).

Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software

From the title of this item, you can probably figure out where I stand on the Blockchain mania.

Chinese hackers have discovered a flaw in the EOS (blockchain) smart contract software that allows them to execute arbitrary code on the EOS nodes, from there to control an EOS supernode that manages other nodes, and from there to control other nodes.  Ultimately, potentially, completely compromising the integrity of the blockchain.

Other than that, it is perfect.

This is not a flaw in the cryptography.  Only a flaw in the software.  Kind of like forging your signature on a paper contract, only in that case, they can’t forge it from, say, China.  In this case, they can.

So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain but rather software, and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.

It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them, and that is the software developers.  The law still, pretty much, thinks you draw up contracts with a quill pen and an ink well, so don’t count on much help from the law if you wind up in the middle of a fraudulent smart contract.

Oxnard Investigating Data Breach

The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bill.  The breach was caused by multiple vulnerabilities in their vendor’s (Superion) software which allowed bad guys to steal credit cards.  The breach started on Saturday and lasted until Tuesday.  As breaches go, that is an amazingly fast detection to remediation cycle (Source: VC Star).

President’s Executive Order on Cyber Security Produces Results

One year ago, in May 2017, the President signed an Executive Order on cyber security.  One year later we have the results of that EO.  The Office of Management and Budget released a report that says that 71 of 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help.  I feel more secure already (/End Sarcasm).  Only 25 agencies were found to be effectively managing risk.

Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.

Only 40% of the agencies participating were able to see if their data was being stolen.

After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones.  That is the hard part, that is what is required, and that is what is missing.  Another agency kills a few more trees and likely nothing changes.  We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Weekly).  Unfortunately for you and me.
