Tag Archives: Bitcoin

Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not fatal, others like a memory leak in File Manager that can only be recovered from by rebooting are more of a problem. I recommend waiting for a month or two in order for other users to detect more bugs. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data for a Virginia class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person that he contacted in the unnamed country shared his letter with the FBI. They strung him along for a while as he made several dead drops of data and they paid him cryptocurrency until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to actually secure against a determined adversary. Credit: The Register

An unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required. The app that runs on people’s phones is managed by the National Health Service or NHS. The app has a barcode that security at the airport can use to check a passenger’s vaccine status. No proof of vaccine or negative Covid test and you can’t get on that plane. Which is great until the app’s backend database crashes like it did today. For about 4 hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 Pound fee. Oh, yeah, and she would need to take and pay for a rapid Covid test for another 119 Pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode or you could screenshot the barcode, but those only work if the app is running. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has done some trolling on the Bitcoin blockchain. Anyone who thinks that bitcoin is anonymous does not understand how that works. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the banned list then the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably a good thing for them to do because a lot of crooks are stupid and those are the ones that they might catch out of this. Credit: Bleeping Computer

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is kind of a last resort for people who can’t get another registrar to manage their domain – along with many vanilla domains. Epik supports a number of conspiracy theory and alt-right domains because they say that they are neutral in the battle. As a result of being hacked, a lot of data which people would like to remain private became public. As a result of that, people are being fired and businesses are losing customers. One person, who’s information was disclosed, continued the conspiracy theory tactic and said that the data was easily falsiable (who did this – Epik or the hackers – and why?), that he was the possible victim of extortion and the newspaper that reported the information was “fake news”. Possible, but that is likely not going to help some people who get outed. Credit: The Washington Post

Security News for the Week Ending September 10, 2021

Signal Provides Customer IP Address to Swiss Police

While police all over the world complain about the universe going dark on them, that is only true to an extent. Proton maintains no logs, but they can capture data in real time. In this case they received an order from the Swiss Federal Department of Justice, which they complied with. I don’t have a lot of heartburn over this. If people break the law they should assume that cloud providers will not ignore that fact and pretend everything is okay. Note that they cannot provide any content in this case, so really it is a person’s IP address that was exposed. Smart crooks might access their mail via changing VPNs or Tor, but apparently, in this case, they were not smart enough to do that. One positive thing is that the suspects were required to be notified of the data being turned over, unlike in most countries. Credit: Proton Reddit

McDonalds in El Salvador (and Everyone Else) Now Accept Bitcoin

El Salvador’s Bitcoin law went into effect this week, requiring all businesses and government agencies to accept Bitcoin. Of course everyone needs to figure out how to do that. For large companies that can afford to spend millions, that can be done, even if it is clunky. For small business, that is a different story. That doesn’t protect any company from the huge swings in Bitcoin price. In one direction, the company is okay; in the other, not so much. We shall see if this is a trend, but I doubt it. Tesla was accepting Bitcoin for cars, but stopped after realizing that they might sell a car for $30,000 but only recover $20,000 when they cashed in the Bitcoin. Credit: Vice

Corporate Execs Fear That SEC Investigation Will Uncover Other Breaches They “Forgot” to Report

As the SEC investigates the reach of the SolarWinds attack, it is asking companies to turn over “any other” data breach or ransomware attack information since the start of the SolarWinds attack in 2019. This will likely turn over rocks that companies would prefer remain right side up. Companies could lie and say they don’t have anything, but if a whistleblower informs the SEC of the truth, or the SEC figures out the truth by itself, now companies have really big problems. A consultant working with some of these companies says that “most” companies have had unreported breaches and they don’t know how the SEC might deal with that. The SEC said that companies would not be penalized if they shared data about the SolarWinds attack voluntarily, but they didn’t say they would give companies amnesty for other breaches that they should have reported. Credit: Reuters

WhatsApp Promises End to End Encrypted Backups on iCloud

Apple’s backups on iCloud are readable by Apple and that fact has allowed Apple to turn over data to police and was the core of the Apple spying service that they recently postposed. Facebook (WhatsApp) says that they are about to roll out end to end encrypted WhatsApp backups to iCloud for iPhone users and Google Drive for Android users. Assuming they are correct, this is the first time that someone offered fully encrypted backups for two billion users. Credit: The Register

Security News for the Week Ending January 15, 2021

US Bulk Energy Providers Must Report Attempted Breaches

The Solar Winds attack, from what little we know about it, was bad enough, but what if it was Russia’s trial run for taking down the power grid like they did in Ukraine or taking out the water supply or gas supply? NERC, the electric utility regulator, released CIP -008-6 which requires relevant bulk power providers to report attempted hacks in addition to successful ones.

All cybersecurity incidents, whether actual compromises or attempts to comprise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC). Unfortunately, the feds have not clearly defined what an attempt is. Credit: CSO Online

Researchers Say Bitcoin Hacks in 2020 Netted $3.78 Billion

In fairness, that is at today’s Bitcoin value, but lets say it is only $2 billion. Does that make you feel better? The most lucrative target was individual Bitcoin wallets, but hackers went after exchanges and apps too. Credit: ZDNet

FAA Changes Rules on Mask Wearing on Airplanes

Up until today, if passengers would not follow flight crew’s instructions to wear masks and were unruly, threatened or intimidated flight crews, the FAA tried to counsel them or hit them with civil fines. Now they have changed the rules and anyone who does that will be charged with interfering with a flight crew, which caries the penalty of up to 20 years in prison and a $35,000 fine. Or both. Ouch. Credit: Vice

Apple Changes Rules That Exempted Themselves from Security Rules

In MacOS 11 Apple created a rule that exempted 53 of its own apps from having to go through the Mac’s firewall. After all, Apple does know best. Apple claimed the exemption was temporary. Why? Because Apple made some changes in MacOS and they didn’t have time to iron out all the bugs in their apps before they shipped the software. That’s comforting. Once 11.2 ships, Apple’s apps will no longer be exempted. Oh, by the way, they forgot to tell their users that they were exempting their buggy apps from the firewall. Because? Don’t know. Probably would not be good PR. Credit: ZDNet

Signal Messaging App Creaking Under The Load

Years ago Facebook bought the privacy oriented messaging app WhatsApp which has become very popular. Last month Facebook created new terms which require users to allow Facebook to mine your WhatsApp data which is sort of unpopular with people who signed up for a privacy oriented app. Under the covers, WhatsApp is really just Signal, Moxie Marlinspike’s privacy oriented messaging app with some lipstick on it. As a result of Facebook’s not understanding that users would be displeased with the change to their terms of service, apparently tens of millions of people are moving from WhatsApp to Signal. Combine that with the shutdown of Parler, and Signal, which is a non-profit, is having trouble managing the load. Last week Elon Musk told his 40+ million followers to use Signal. It is likely that they will get things sorted out but any time a company gets 25-50 million new customers all at once, while it is a good problem, it is a problem. Stay tuned. Credit: The Register

Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.

 

Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever at $10 million for security lapses,  including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.

 

Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup?  To over $140 million)?  Seems hard to swallow.

The researchers, after looking at the block chain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.

 

Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole. Source: ZDNet .

 

Online Casino Leaves Data on 100+ Million Bets Unprotected

Security Researcher Justin Paine found a public Elastic Search database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc. as well as bet information such as winnings amount.   When ZDnet reached out to the companies involved – there seems to be multiple companies with some common ownership and based in Cyprus and operating under a Curacao gaming license, they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but not making any statement about their client’s data.  Source: ZDNet .

 

Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, Whatsapp and third party data into the user’s Facebook profile without explicit user permission and having the user check a box that says, something like, “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power.  Facebook, not surprisingly disagrees and says that the regulator is out of line.  Stay tuned.  If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC .

Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”,  Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, who told people earlier today that if they had an emergency they should drive to a nearby fire station, says it is all working (my Internet is not, so maybe there are being optimistic), has not said what happened to their Internet.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and hard place since he, earlier this year, said the FCC can’t regulate the Internet and this is an Internet problem, so maybe he doesn’t even have any authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  (Source: NBC) .

Yet, Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin – around $750,000 from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack  on the encryption but rather an attack using a flaw in the software.

The hackers added some servers to the Electrum Wallet network that does the Bitcoin math.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious and steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending a message to wallets in rich text.  The result is if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution, Electrum users need to beware.

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years  The hackers posted the cables online and when found, copies sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of where inadequate security controls  can come back to bite you years later like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools  makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want it’s attention, Amazon, like the other players, keep everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of data that is storing about you.

Amazon complied with such a request recently.  Only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (that could be both intimate and embarrassing) were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued gave the victim a free Amazon Prime membership and, yes, if you can believe this, a free Echo Dot and Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, socials, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers were in there since January; they discovered it in October and told people about it last week.  Source: Newsweek.

 

Security News Bites for Week Ending Sep 21, 2018

New Web Attack Will Crash Your iPhone, iPad or Mac

A new CSS-based web attack will crash and restart your i-device with just 15 lines of code.  The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use. Anything that renders HTML on iOS is affected. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email. TechCrunch tested the exploit running on the most recent mobile software iOS 11.4.1, and confirm it crashes and restarts the phone.  Source:  Techcrunch

Ajit Pai Says California Net Neutrality Law Radical and Illegal

Ajit Pai, Chairman of the FCC and the guy who repealed the FCC net neutrality policy said that California’s new bill replacing that repealed FCC policy is illegal.   Why?  Because, he says, that it is preempted by Federal law.  This is the same guy who said the FCC didn’t have the power to regulate net neutrality.  Do they?  Don’t they?  Are you confused too?

If Pai intervenes, I am sure this will go all the way up to the Supreme Court – who may or may not hear the argument.

He said this at a talk conservative think thank in Portland.  Maine, like about 30 other states, is in the process of creating its own net neutrality law.  If he thought that the states would bow down to him when he repealed the FCC policy, apparently, he was wrong.

Also apparently, his beef is with zero rating, a practice where a carrier doesn’t charge you if you use their service or use a service that has paid them a lot of money, but does charge you to use a service who has not written them a big check.  His theory, apparently, is that if poor people must (due to financial constraints) use only those services that write a carrier a big check, that will, somehow, promote an open and innovative Internet.  Source:  Motherboard

Another Day, Another Crypto Currency Exchange Hacked

Japanese crypto currency exchange Zaif was hacked to the tune of $60 Million of Bitcoin, Bitcoin Cash and Monacoin.  About a third of that was owned by the exchange;  the rest owned by customers.

For now, withdrawals and deposits have been halted, with no specified time when it might – or might not – resume.  If ever.

The company says that they will compensate  users who lost $40 million or so and have sold the majority of the company for $5 billion yen (roughly the amount of money not owned by them that was stolen).

Assuming that deal actually closes, they figure out how the attack happened and fix the problem … and, and, and.  Japan’s financial regulator has stepped into the poop pile.

I assume that if and when customers actually get access to their money – the part that wasn’t stolen – they will find someplace else to store their crypto currency.  That likely means the end of Zaif, no matter what.

In the mean time, they will just have to hang out and wait to see what happens.  Source: Bloomberg.

3 Billion Malicious Logins Per Month This Year

According to Akamai, there were over 3 billion malicious logins per month between January and April and over 8 billion malicious logins during May and June at sites that they front end.

Many malicious login attempts come from the technique of credential stuffing where hackers take credentials exposed during hacks and try them on other web sites.  For example, try the 3 billion exposed Yahoo passwords on Facebook or online banking sites.  Even though we tell people not to reuse passwords, they do anyway.

According to Akamai, one large bank was experiencing 8,000 accounts being compromised per month.

One bank experienced over 8 million malicious login attempts in a single 48 hour period.  I bet some of these attempts worked.  A load like that will impact the bank’s ability to serve real customers.  Source:  Help Net Security.