Tag Archives: Bitcoin

Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.

 

Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever, $10 million, for security lapses, including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.

 

Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup for over $140 million?).  Seems hard to swallow.

The researchers, after looking at the blockchain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and that perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.

 

Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole.  Source: ZDNet.

 

Online Casino Leaves Data on 100+ Million Bets Unprotected

Security researcher Justin Paine found a public Elasticsearch database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc. as well as bet information such as winnings amount.   When ZDNet reached out to the companies involved (there seem to be multiple companies with some common ownership, based in Cyprus and operating under a Curacao gaming license), they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later, thanking Justin for letting them know but making no statement about their clients’ data.  Source: ZDNet.

 

Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, WhatsApp and third-party data into the user’s Facebook profile without explicit user permission, and that having the user check a box that says something like “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power.  Facebook, not surprisingly, disagrees and says that the regulator is out of line.  Stay tuned.  If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC.


Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”,  Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, which earlier today told people that if they had an emergency they should drive to a nearby fire station, now says it is all working (my Internet is not, so maybe they are being optimistic) but has not said what happened to its network.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and a hard place since he said earlier this year that the FCC can’t regulate the Internet, and this is an Internet problem, so maybe he doesn’t even have the authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  Source: NBC.

Yet Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin (around $750,000) from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack on the encryption but rather an attack using a flaw in the software.

The hackers added some servers of their own to the network of Electrum servers that wallets connect to for blockchain data.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious: it steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending messages to wallets in rich text.  The result is that if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  Until the developers have a long-term solution, Electrum users need to beware.

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years.  The hackers posted the cables online and, once they were found, copies were sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of how inadequate security controls can come back to bite you years later, as they did at Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, a lack of appropriate tools makes the theft unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want its attention, Amazon, like the other players, keeps everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of the data it is storing about them.

Amazon complied with such a request recently.  The only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (which could be both intimate and embarrassing), were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued, gave the victim a free Amazon Prime membership and, yes, if you can believe this, free Echo Dot and Echo Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, Social Security numbers, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems, which rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers had been in the system since January; the district discovered it in October and told people about it last week.  Source: Newsweek.

 


Security News Bites for Week Ending Sep 21, 2018

New Web Attack Will Crash Your iPhone, iPad or Mac

A new CSS-based web attack will crash and restart your i-device with just 15 lines of code.  The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use.  Anything that renders HTML on iOS is affected.  That means the code can reach you through a link someone sends you on Facebook or Twitter, any web page you visit that includes it, or an email someone sends you.  TechCrunch tested the exploit on the most recent mobile software, iOS 11.4.1, and confirmed that it crashes and restarts the phone.  Source: TechCrunch.

Ajit Pai Says California Net Neutrality Law Radical and Illegal

Ajit Pai, Chairman of the FCC and the guy who repealed the FCC net neutrality policy, said that California’s new bill replacing that repealed FCC policy is illegal.   Why?  Because, he says, it is preempted by Federal law.  This is the same guy who said the FCC didn’t have the power to regulate net neutrality.  Do they?  Don’t they?  Are you confused too?

If Pai intervenes, I am sure this will go all the way up to the Supreme Court – who may or may not hear the argument.

He said this at a talk at a conservative think tank in Portland.  Maine, like about 30 other states, is in the process of creating its own net neutrality law.  If he thought that the states would bow down to him when he repealed the FCC policy, apparently he was wrong.

Also apparently, his beef is with zero rating, a practice where a carrier doesn’t charge you if you use their service or use a service that has paid them a lot of money, but does charge you to use a service that has not written them a big check.  His theory, apparently, is that if poor people must (due to financial constraints) use only those services that write a carrier a big check, that will, somehow, promote an open and innovative Internet.  Source: Motherboard.

Another Day, Another Cryptocurrency Exchange Hacked

Japanese cryptocurrency exchange Zaif was hacked to the tune of $60 million of Bitcoin, Bitcoin Cash and Monacoin.  About a third of that was owned by the exchange; the rest was owned by customers.

For now, withdrawals and deposits have been halted, with no specified time when it might – or might not – resume.  If ever.

The company says that it will compensate users who lost $40 million or so and has sold the majority of the company for 5 billion yen (roughly the amount of customer money that was stolen).

Assuming that deal actually closes, they figure out how the attack happened and fix the problem … and, and, and.  Japan’s financial regulator has stepped into the poop pile.

I assume that if and when customers actually get access to their money – the part that wasn’t stolen – they will find someplace else to store their crypto currency.  That likely means the end of Zaif, no matter what.

In the meantime, they will just have to hang out and wait to see what happens.  Source: Bloomberg.

3 Billion Malicious Logins Per Month This Year

According to Akamai, there were over 3 billion malicious logins per month between January and April and over 8 billion malicious logins during May and June at sites that it fronts.

Many malicious login attempts come from the technique of credential stuffing where hackers take credentials exposed during hacks and try them on other web sites.  For example, try the 3 billion exposed Yahoo passwords on Facebook or online banking sites.  Even though we tell people not to reuse passwords, they do anyway.

According to Akamai, one large bank was experiencing 8,000 accounts being compromised per month.

One bank experienced over 8 million malicious login attempts in a single 48-hour period.  I bet some of these attempts worked.  A load like that will impact the bank’s ability to serve real customers.  Source: Help Net Security.


Hackers Steal Millions in Bitcoin Using Only A Phone Number

Just after midnight on August 11th, Jered Kenna in Medellín, Colombia was notified that two of his email accounts had their passwords reset.

He tried regaining control of the accounts by getting the services to send him a text, which he never received.

When he called his phone company (T-Mobile), they said that he didn’t have a phone with them; the number had been transferred to another phone company.

It turns out that it is relatively simple, using a fake ID and some social engineering, to steal someone’s phone account at a phone company.

Once you have control of someone’s phone number, you can reset account passwords since most websites will send you a text or email with a code or URL to reset your password.

After all, your phone is secure, right?

Not so much.

Within 7 minutes, his access to 30 accounts was lost.

Among the accounts that he lost control of were two bank accounts, a Paypal account, two Bitcoin services and his Windows account, which locked him out of his PC.  This is one reason why I tell people NEVER use a Microsoft Online account to log in to your PC at home, even though Microsoft actually makes it difficult for you not to use one (there is a trick to it).  The hacker can’t lock you out of your PC remotely if you do not use a Microsoft Online password.

Kenna was an early Bitcoin miner, having millions in Bitcoin.  For security, the Bitcoin had been stored offline, but for some stupid reason, a few weeks earlier he had brought the Bitcoin online to move them to a more secure service.

Apparently not.

Suffice it to say, he lost millions of dollars.

He says he now has only about 60 Bitcoin (worth something less than $60,000).

He still doesn’t have his phone number back.

In January 2016, there were over 2,000 Bitcoin theft reports filed with the FTC.  Remember that 99+% of the time, if you lose your Bitcoin, they are gone forever.  No way to get them back.  No insurance.  No recourse.

Coinbase, the highest volume cryptocurrency exchange, says the number of cryptocurrency fraud cases is on track to double between November and December.

It would seem that this attack was very specifically targeted at Kenna.

The fundamental problem here is that ALL service providers think customer service first, security second.

So when someone contacts your phone company pretending to be you, even though you (AKA they) violate all of the security protocols, the prime directive prevails – CUSTOMER SERVICE FIRST, SECURITY LAST.

In this case, it cost someone millions of dollars.

If you lost access to your phone number, then your email(s), then your bank accounts then:

  • What would you do?
  • What would the consequences be?

In the case of bank accounts, it is likely that you will be able to eventually get your money back.

In the case of other digital assets, the story is not so clear.  If someone gains access to say, your iTunes account, you MAY, EVENTUALLY, get it back, but the attacker likely still has all of your data.  If you recall the event called “The Fappening” a couple of years ago, a number of celebrities lost control of their iTunes accounts and thousands of nude photos appeared on the Internet.  Try to get that genie back in the bottle.

Many service providers from Facebook to banks offer an extra level of security called two factor authentication.  Only 10 percent, at most, of people use two factor authentication.  It is a little bit complicated and it is a little inconvenient.   But it is also a little inconvenient to lose all the money in your bank or brokerage account.

When convenience bumps up against security, in almost all cases, convenience wins.  Many banks use text messages as the second factor, but if you lose control of your phone number, that doesn’t help because the hacker gets the text messages.  The government (NIST) says that SMS text messages as the second factor are not sufficiently secure and wants people to stop using them and replace them with encrypted, data based second factor authenticators.

Still, using SMS as the second factor is WAY more secure than not having a second factor.
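Why an authenticator app survives the phone-number takeover described above, and why the first post recommends moving banks to apps like Google Authenticator: the code is computed from a secret shared at enrollment plus the current time, so nothing is sent over the carrier network for a SIM swap or SS7 redirect to capture. Below is an added example, not code from the post or from any authenticator vendor, of the RFC 6238 TOTP algorithm those apps implement, with the server-side check a site would run; the secret is the published RFC test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890" in base32), used here only so results are checkable.
# A real server generates a random secret per user at enrollment and shows it as a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch.
    Note what is NOT an input: the user's phone number."""
    return hotp(base64.b32decode(secret_b32.upper()), at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int, last_counter: int = -1,
                step: int = 30, window: int = 1):
    """Server-side verification. Accepts +/- `window` steps of clock skew, compares in
    constant time, and refuses any counter at or below the last accepted one so a code
    captured in transit cannot be replayed. Returns (accepted, counter_to_store)."""
    secret = base64.b32decode(secret_b32.upper())
    current = at_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET_B32, now))
    print("verify:", verify_totp(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, now), now))
```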

In this case, it was millions of dollars of Bitcoin.

Who knows what the next case is.

So when Marissa Mayer, CEO of Yahoo (who seems to have lost control of 1.7 billion user accounts) says it is too inconvenient to put a password on her phone, I get it.  After all, compared to 1.7 billion accounts, what could she lose that is more valuable than that?

And remember, even though you MAY, EVENTUALLY, get back control of your email, your bank accounts and your phone number, it may take weeks and you may have to expend a LOT of time and money to do so.

So when you say who would want to steal my stuff, you might want to reconsider that statement.  I am sure that Jered Kenna wishes he did some things differently.

And when it comes to corporate intellectual property, it is likely that you will never be able to undo the damage unless the crook is very stupid or you are very lucky.

Food for thought.

Information for this post came from Forbes.


IRS Going After Bitcoin Users

It is common mythology that Bitcoin users are thieves, hackers and tax cheats.  The IRS doesn’t like tax cheats.

The IRS is asking a court for a “John Doe” summons asking Coinbase, a Bitcoin exchange, to turn over information on any customers that match certain criteria.

The summons applies as long as the government can’t get the information elsewhere and has “a reasonable basis for believing that such person or group or class of persons may fail or may have failed to comply with any provision of the tax laws.”

The group that the IRS is asking for information on is every customer of Coinbase between 2013 and 2015 in the U.S.  Suffice it to say that this is not a small list.

The reasonable basis?  “a public perception that tax evasion is possible with virtual currency.”  The IRS’s proof for this is limited to a Huffington Post article.

Where did this article appear?  A pretty staid publication called American Banker.  Granted, the banking community has a dog in this fight.  The IRS could ask banks for a list of all of their customers between, say, 2013 and 2015 who deposited or withdrew cash, since cash is used to pay for drugs.  That might upset some customers.

American Banker says that this is a fishing expedition and that Coinbase complies with regulations and cooperates with law enforcement on a regular basis, so why attack them?

I think, although my evidence is about as strong as that HuffPo article, that there could be a different reason.

It is likely that smart crooks are not going to use a U.S. bitcoin exchange.  After all, it seems likely that some government agency might ask questions.  That means that, at best, the IRS will only catch dumb crooks.

Since there are plenty of offshore exchanges in places like Switzerland, Malta, The Netherlands, China, India, Bulgaria, Belize and other places, why not use an offshore exchange?

Of course, you don’t need to use a Bitcoin exchange at all.  In fact, the smart crooks will do transfers that are less demanding of ID such as LocalBitcoins or Bitcoin ATMs.  These methods allow you to use cash and many do not require IDs, since cash, as long as it is not counterfeit, is a pretty safe trade.

The downside of some of these methods is that the buyer and seller have to meet or, in the case of ATMs, you have to visit the ATM.  For many people, one of these methods is perfectly satisfactory.  After all, we visit ATMs to get cash all the time, so why not get Bitcoin instead?

Given that the feds don’t like cash transactions, I can only imagine how they feel about Bitcoin transactions.  Conspiracy theorists might say that the IRS is trying to spook people who are using Bitcoin.  I don’t know, but I certainly would not rule that out.  However, since Bitcoin is basically fancy arithmetic stored in a (digital) ledger, it will be hard to outlaw.  That doesn’t mean that people won’t try.

As of a few hours ago, the court granted the summons.  This is only the first step in a potentially long battle.  Coinbase said they expected this and will begin fighting it when they are served with the order.

The order is asking, for any customer between 12/31/13 and 12/31/15 with a U.S. address, phone number, email domain or bank account, for the following information:

  • User profiles, preferences, security settings, history, payment methods and funding sources.
  • All records of activity including date, amount, type of transaction, name, transfer instructions and correspondence.

Given that Bitcoin seems to maintain a lot of documentation, I would think that only stupid people would use it for tax evasion given there are many other much more secretive ways to deal with this, but who knows.

Stay tuned for the cat and dog fight.

Information for this post came from Forbes.


Another Bitcoin Breach – 120,000 Bitcoin Missing

A lot of big financial institutions are ‘investigating’ the use of the blockchain technology that the digital currency Bitcoin uses.  I would point out that this is very different from endorsing the use of Bitcoin.

In 2014 the Mt. Gox Bitcoin exchange filed for bankruptcy after a breach lost $460 million.

In May of this year, Hong Kong based Gatecoin announced a breach of their exchange.  It was smaller – around $2 million.  They decided to hack their own blockchain to stop the attacker from being able to liquidate the stolen bitcoin.  Granted, they did it very publicly, but still that is scary.

Over the last 4 or 5 years, there have been dozens of Bitcoin exchange breaches and failures.

This week another Hong Kong based Bitcoin exchange, Bitfinex, announced a breach of 120,000 Bitcoin valued at about $72 million, depending on the current value of a Bitcoin.  Bitfinex immediately halted all trading and shut down their web site as they try to figure out what happened.  That means that customers lost access to their money and don’t even know if their accounts were among the ones hacked and therefore, whether they have any money left in Bitfinex.

With very minor exceptions, most Bitcoin exchanges are not even willing to talk about insurance, never mind offering it.  2 or 3 of the dozens of exchanges do offer some insurance, but the rules are convoluted and only cover a fraction of your deposits.  The rest won’t even talk about the subject.

When Bitfinex halted services, the value of Bitcoins dropped about 20 percent, but they have recovered some since.

Given the apparent fragility of the Bitcoin exchange world, why are people running to put their money in Bitcoin?

I think that is a good question – one that I don’t have an answer for.

The problem, I think, is not with the math behind Bitcoin.  It is a problem with the software and/or the business process.  Given the state of modern software development – Microsoft, Google and Oracle, just to name three vendors, collectively release probably a thousand software patches a year – it is kind of amazing that Bitcoin exchanges are not hacked more frequently.

It is a hard problem and I predict it is not going away any time soon.

I think now is a good time to make some popcorn, open a beverage of your choice and watch the Bitcoin exchanges do their thing.  Over the next few years we will likely see more breaches and more bankruptcies.  But I doubt we will see more insurance because the premiums, unlike with U.S. based banks and the FDIC, are likely to be astronomical because the insurance companies have no idea who is going to be breached next and how big the loss will be.

Enjoy that popcorn!

Information for this post came from Reuters and Inside Bitcoins.
