Tag Archives: Cryptocurrency

Senator to Introduce ‘Comprehensive’ Crypto Legislation

Senator Lummis from Wyoming plans to introduce legislation in early 2022 to attempt to rein in some of the wild west of the cryptocurrency world. Stay tuned.

Rumor is that it will add investor protections, rein in stablecoins and create a self-regulatory body under the SEC and the CFTC. That might be a tall order since a lot of crypto is peer to peer. Still, if we at least have some clarity over who gets to be the regulator, that would be good.

An aide to the Senator said that the proposal would fully integrate digital assets into the US financial system. If Congress can actually pull that off, then cryptocurrency could operate under similar rules to banks.

Still, what is different here is that cryptocurrency can be fully decentralized with no middleman to regulate. Do they plan to regulate software somehow? Software that, potentially, is not even made in the US? That sounds like a tall order.

What they might have is, rather than as the senator is calling it, comprehensive, a start to working on the problem.

Most consumers do go through crypto exchanges and at least those in the US would be relatively simple to regulate.

It also, could, possibly, cut down on crypto scam. It is possible.

As a example of how hard this is, many are suggesting that just the tax reporting requirements that are already in the just passed Infrastructure Investment and Jobs Act cannot be met. Imagine what happens if you want to take an entire industry that has never been regulated and try to regulate it. What could go wrong?

A group of Senators already wrote a letter to Secretary Yellen says that the current (new) law already tries to classify software developers as brokers, which it seems to me, they are not. You want software developers to send 1099s to people who download their software? Really?

Other members of the current administration are concerned as well and the Senate held hearings earlier this month on stablecoins. Senator Warren said that (in her view), the peer to peer nature of DeFi – decentralized finance – is the most dangerous part of the crypto world.

Visa just announced that it will partner with 60 cryptocurrency exchanges to allow consumers to make purchases with digital currency at more than 80 million global merchant locations. I want to see how that works out.

You might remember that cryptocurrency started out as a way to get around the banking system.

Now, like with Star Trek’s Borg, crypto looks like it could be assimilated into the banking system, basically eliminating any possible benefit that the people who originally championed it might be interested in.

It sounds like the crypto players may have gotten outplayed.

Credit: Data Breach Today

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA and formerly at NSA and a professor at the US Military Academy at West Point says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4J vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

Vulcan Forge is the next cryptocurrency company to get hit by hackers. They stole about $135 million from them. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In VulcanForge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple Airtags Make a Wonderful Stalking Tool

Stalkers are using Apple Airtags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an airtag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue Airtag because it will beep if it is separated from its owner for more than three days (assuming that is the case).

Credit: Apple Insider and Daily Kos. Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app. Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communications from the Agency, they don’t know if they fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe they fixed the problem right away? Who knows? Credit: Data Breach Today

Security News for the Week Ending August 20, 2021

Well That Seems Like a Bit Over the Top

A pharmacist in Illinois faces up to 120 years in prison for selling dozens of (I assume blank) Covid vaccine cards. The pharmacist sold 134 cards to 11 buyers for roughly $1276. He is being charged with theft of government property. That seems like a stretch, but maybe. Mostly they want to make a point that if you want a fake vaccine card, you should create them on Photoshop yourself. Yes, it will take you a few hours, but it isn’t very hard. That makes it harder for the feds to discover that you did that. And don’t brag about it on social media. Mind you, just because you do make it yourself doesn’t mean you aren’t breaking the law. Falsely using a government seal, for example, is crime, but it probably won’t get you 120 years, which is why the came up with this creative charge. Just doing a quick Google search, I found blank cards online, so I have no idea why anyone would buy one. Blank cards were also for sale on Amazon for a while – 10 for $12.99. Credit: Bleeping Computer

Another Day, Another Cryptocurrency Hack

Last week a hacker stole $600 million in cryptocurrency for fun … and then gave it back. This week hackers stole $97 million from the crypto exchange ‘Liquid’. This time it doesn’t appear to be a joke. The exchanges are getting better at freezing the money when this happens because the have so much experience at it. That is probably not a good thing. For the hackers, that is. Credit: Data Breach Today

Blackberry Says Older Versions of it’s QNX OS Vulnerable

Blackberry sells a real time operating system used in cars, medical equipment and other embedded equipment. This includes 175 million cars (this number doesn’t include the tens of millions of other devices which could have been bought pre-fix and are still in use in factories, warehouses and many other places). But the cars are older cars – Blackberry says that they fixed the bugs in 2012 – after denying for months that they existed. That likely (maybe) means that products that were DESIGNED after 2013 or 2014 are not vulnerable, but that could be a design date and not a manufacture date or sale date. Blackberry has released patches to manufacturers, but that doesn’t mean that patches have been installed. Credit: The Register

Ransomware 4.0? Maybe

First there was ransomware. Just encrypt your files and demand money. Then ransomware 2.0 – steal your data and demand money to get it back. Next came ransomware 3.0. With this generation, the hackers go directly to the businesses’ customers (one example was a psychotherapy practice where the hackers threatened to release the therapists’ notes if the patients didn’t pay up). Now comes version 4. With V4, the hackers offer employees of the intended victim a cut of the action if they release the ransomware into their employer’s network. Wow. This is getting out of hand. Credit: Brian Krebs

Security News for the Week Ending October 30, 2020

Louisiana National Guard Called in to Help Local Election Officials

According to tips, the state of Louisiana had to call out the National Guard after some number of small government offices across the state were hit by ransomware. Experts say the tools have the hallmarks of the North Koreans, so all of the major attackers – Russia, China, Iran and now North Korea – are all trying to compromise our elections. This problem is not going away. Credit: Business Insider

Attacks on Cryptocurrency Continue

A hacker stole $24 million of cryptocurrency service Harvest Finance, a company that allows users to arbitrage cryptocurrencies. The company was hit by a $570 million “bank run” after the attack. They claim they know who the attacker is. One more time, software has bugs and can be exploited. Who would have thunk? Credit: Coindesk

Ransomware Disables GA. County Election Database

This is both good news and bad news. Hall County, GA was hit by a ransomware attack earlier this month. The attack, disabled the voter database, along with other systems like phones. The county claims that they will still be able to run the election because they can manually verify signatures from voter registration cards. They are also using a state database that was not affected. This points out that attacking some small county in a state is probably not the best way to change the outcome of an election. Credit: Gainesville Times

Trump Website Briefly Defaced

One of the campaign’s websites was briefly defaced Tuesday night and the site was replaced by a message similar in style to the messages put on a website that the government seizes. The message looked like this:

Image

Of course the site had not been seized and it was returned to its normal state after a little while. To be honest, I am surprised not more has occurred given the other events going on in the country. This seems pretty childish, but we don’t know if the warning on the site is true; stay tuned.

Regarding the hack, CISA Director Chris Krebs said on Twitter, “Like I said yesterday, website defacements are noise. Don’t fall for these attempts designed to distract, sensationalize, and confuse. Ultimately they’re trying to undermine your confidence in our voting process.” Credit: Variety

Wisconsin Repubs Say Hackers Duped Them Out of $2 Million+

The Wisconsin Republican Party says that hackers scammed them out of more than $2 million of donors’ money using very traditional business email compromise attacks creating fake invoices from real vendors and paid to the hackers’ bank accounts. The Wisconsin Dems say that they have been targeted by over 800 attacks, but so far, none (that they know of) have been successful. Credit: AP

Security News for the Week Ending April 17, 2020

Covid-19 Driven Online Shopping Encouraging More Skimming Attacks

Since crooks go where the money is and since we are all doing a lot online shopping during the shelter in place directives, the crooks put two and two together to come up with an attack strategy.

Malwarebytes says that they are seeing a 26% increase in skimming attacks between February and March.  Also, apparently, Monday is the least safe day to shop.   Credit: SC Magazine

Ransomware Attacker Stops Accepting Bitcoin Due to Traceability

The operators of the Sodinokibi Ransomware want to stop accepting Bitcoin because the cops have figured out how to trace Bitcoin transfers.  While some people have said for a long time that Bitcoin is not traceable, the opposite is actually true.  Monero cryptocurrency combined with TOR has features designed to thwart that sort of tracking.  Credit: Bleeping Computer

Friendly Hackers Find 460 Bugs in “Hack the Air Force 4.0”

The hack, run by the U.K. Ministry of Defence, allowed good guy hackers to attack a particular but unidentified Air Force “platform”.  The hackers found over 450 security flaws in this one platform.  Remember the military runs thousands of systems and not all bugs allow a hacker to initiate a total meltdown, but still if this is a representative sample, this is indicative that with a modest amount of effort (this entire hackathon lasted less than a month), you might be able to identify hundreds of thousands of security flaws in systems where the system buyer understands that these systems need to be secure.    What then, could hackers find in normal commercial and home-grown systems, where price, time to market and features are way more important than security?  Credit: Fifth Domain

Small Business is Big Target for Ransomware

According to a new survey of senior execs, 46% of all small business have been the target of ransomware attacks.  Of those that have been hit, 73% say that they paid the ransom. 43% paid between $10k and $50k;  13% paid more than $100k.  Of those who paid, 15% did not get all of their data back.  Not great statistics.   Credit: Dark Reading

Security News for the Week Ending May 31, 2019

Baltimore Ransomware Attack Could Be Blamed on the NSA

I think this is what they call a tease.

Technically correct, however.

You may remember the NSA hacking tool that got out into the wild called EternalBlue?  It was leaked by the hacking group ShadowBrokers in 2017.  Before that, it exploited a Microsoft  bug that the NSA decided was  too juicy to tell Microsoft to fix – for five years.  Then it got out.  Now North Korea, China, Russia and others are using it.

So who’s fault is it?  Should the government tell vendors to fix bugs or should they risk not telling them and having a Baltimore or WannaCry which destroyed the British Healthcare system or NotPetya or many others.

Certainly you could blame ShadowBrokers, but as we have seen with other malware, as soon as you use it, you run the risk of it being detected and used against you.

In this case, I blame Baltimore because Microsoft patched the flaw in March 2017 and apparently, it is not deployed in Baltimore.

Three weeks and counting, Baltimore is still trying to undo the damage.  For lack of a patch.  To be fair, it might have happened anyway.  But it would not have spread like wildfire.   Source:  NY Times.

First. Time. Ever! – Moody’s Downgrades Equifax Due to Breach

Turnabout *IS* fair.

For the first time ever, Equifax is discovering what they do to others all the time when they downgrade consumer’s credit scores.

In this case, it is Moody’s that is downgrading Equifax’s score.

Moody’s downgraded Equifax from STABLE to NEGATIVE.

Likely because they just announced that they have spent $1.35 Billion fixing the breach damage and none of the lawsuits are settled yet.  This is likely to be the costliest breach ever.  Source: CNBC.

 

Cisco Warns Thangrycat Fix May Destroy Your Hardware

More information has come out about the Cisco Trust Anchor vulnerability called Thrangrycat.  The trust anchor is the root of all security in Cisco devices and if it gets compromised, then there is no security in the device at all.

The good news is that the hackers who found it said it was hard to find, BUT, now that the hackers know what to look for, expect an attack kit to show up for a few bucks on the dark web.

The problem is that Cisco has to reprogram a piece of hardware inside all of those switches, routers and firewalls.  THAT MUST BE DONE ONSITE.  Worse yet, there is a possibility that the reprogramming could turn your firewall into a really expensive brick.

Cisco says that if your device is under warranty or if you have a maintenance contract and they brick your device, they will mail you a new one.  The device will be down until you get the new one.

I am sure they will try hard not to brick things, but reprogramming FPGAs on the fly – its not simple and things could go wrong.

IF, however, you do not have a warranty or maintenance contract and the device gets bricked, you are on your own.

For those people, now might be the time to replace that Cisco gear with someone else’s.  That won’t be perfect either, however.  Source: Techtarget.

 

New Zealand Cryptocurrency Firm Hacked To Death

As I keep pointing out, “investing” in cryptocurrency is much like gambling with no insurance and no hedge.

In this case Cryptopia , a New Zealand based cyptocurrency exchange is filing for bankruptcy and still has millions in digital assets that belong to its customers.

But maybe not for long because their IT provider says that they owe millions and is threatening to take down the servers that contain the digital assets.  In the meantime, customers wait.  Source: Bloomberg.

 

Flipboard Says Hackers Were Roaming Inside For NINE Months Before Being Detected

Flipboard admitted that hackers were inside their systems from nine months between June 2018 and March 2019 and then again in April 2019, when they were detected.

Flipboard says that user passwords, which were salted and strongly hashed, were taken.  What they didn’t say, because they are not forced to by law, was what else was taken.  According to the security firm Crowdstrike, the best hackers move laterally from the system in which they entered, in 18 minutes.  The average hackers take 10 hours.  Where did they move in nine months?

If they want me to believe that nothing else was taken, they must think I am a fool.  I am not.  But the law doesn’t require them to tell you what else was taken.

Since they are not publicly traded, they don’t have to tell the SEC what else was taken.  In fact, they only have to tell the SEC if it materially affects the company – a term which is conveniently not defined.  Source: ZDNet.

Turnabout – Part Two

While President Trump shouts about Huawei spying for the Chinese, the Chinese are removing all Windows systems from their military environment due to fear of hacking by the US.   While this won’t have any significant financial impact on Microsoft, it is kind of a poke in their eye.

For some strange reason, they are not going to use Linux, but rather develop their own OS.  One reason might be that a unknown proprietary OS that only the Chinese military has the source code for would be harder to hack by the US than any other OS.  Source: ZDNet.