Tag Archives: Cryptocurrency

Security News for the Week Ending May 6, 2022

Tomorrow is the one-year anniversary of the Colonial Pipeline attack. The government has done more to improve cybersecurity in the last year than it had done in the last 10 years. But there is still a lot more to do.

Jury Finds Norton/Lifelock Infringed on Two Columbia University Patents

Even in the world of cybersecurity, patent infringement is a problem. A jury decided that Norton’s use of emulators to detect malicious behavior violated patents owned by Columbia. Norton says they will stop using the technology and appeal the verdict. Among the Norton products affected are Norton Security and Symantec Endpoint Protection. Since the infringement was deemed to be willful, the judge could triple the $185 million judgement. The suit goes back to 2013. Credit: Data Breach Today

Data Broker Stops Selling Location Data of Planned Parenthood Visitors One Day After Being Outed

Yesterday I read a piece that one of the security trade magazines bought data on visitors to all Planned Parenthood locations, including where they went after (home) and where they came from before (work). They paid $160. I think the company, SafeGraph, decided the incredibly negative PR wasn’t worth $160, so today they decided to stop selling it. That doesn’t mean other greedy data brokers will do the same; in the U.S. there is nothing illegal about it. Credit: Motherboard by Vice

Cryptocurrency Projects Are As Secure As a Screen Door

In just four days hackers stole over $100 million in cryptocurrency. Who pays for that? Fei Protocol lost $77 million, Saddle Finance $10 million, Deus Finance $13 million and Bored Apes $6 million. There is no government insurance for cryptocurrency owners. Credit: Metacurity

Ukrainians Figure Out How to Beat Russia – Shut Off its Booze

Ukraine’s army of hackers has figured out how to hit Russia where it hurts. Russia requires the booze industry to use a government-run portal called EGAIS. Hackers have kept it out of commission, so stores can’t “receive” alcohol, factories can’t accept tanks of alcohol, and distributors can’t ship or receive products. As a result, factories are reducing or stopping production. Interesting attack. Credit: Bleeping Computer

Spain Admits It Hacked Some of its Politicians’ Phones

After a week of public reporting that some Spanish politicians’ phones had been hacked using the Pegasus spyware, a leading Catalan separatist politician said that Spain’s top intelligence official said that her agency did, in fact, hack some opposing politicians’ phones. But, she said, it was all legal. Reports say that the court orders were for far fewer people than Citizen Lab found infected, so who hacked the rest of the phones? If you are high profile in any way you should assume your phone is not secure. Even secure messaging apps like Signal or iMessage would not be secure since the phone itself is compromised. This follows the disclosure, earlier in the week, that Spain’s Prime Minister and Defense Minister’s phones were both infected with Pegasus spyware by someone. Pegasus is so stealthy that even the government’s cyber sleuths did not detect it until the facts were reported in the media. Credit: ABC News

Treasury Sanctions Cryptocurrency Mixer BLENDER

Mixers are apps that are designed to obfuscate cryptocurrency transactions, to make them harder to track. I am not sure that sanctioning one of the hundreds of these mixers will really help, but I guess it can’t hurt. Credit: The Register

Security News for the Week Ending April 29, 2022

Sungard Files for Chapter 11 Bankruptcy Protection – Again

Sungard, the king of disaster recovery and business continuity, needs to figure out a new business. They previously filed for Chapter 11 in 2019 and shed $800 million in debt, but they have a fundamental problem. As businesses move from private data centers to the cloud and from offices to work-from-home, they just don’t need Sungard anymore. And likely never will. They REALLY need to reinvent themselves. Credit: Tech Target

Any Sign of the Supply Chain Returning to ‘Normal’?

One of the lists I am on asked this question and the answer seems to still be no time soon. High-end network and server gear is still 6-12 months out, or ‘unknown’. Manufacturers are reducing their chip and system product range to focus limited supply on the more important products, and some customers are getting priority based on performance penalties in long-term contracts. The NY Times has an extensive piece on all of the problems, none of which are easy to fix in the short term. Credit: NY Times

AWS Locks Up NSA Cloud Deal

Years ago Amazon (AWS) locked up a deal worth up to $10 billion to provide a secure, classified cloud to the CIA. That was before the days of contract protests over the cloud. Years later, the DoD tried the same thing, called JEDI. It died due to contract protests. DoD is still trying to build a classified cloud, now called JWCC. However, now the NSA has joined the CIA and awarded AWS a $10 billion contract to build them a classified cloud. The rest of the DoD is still waiting. Credit: Meritalk

Brazil Senate Passes Bill to Regulate Cryptocurrency

The Brazilian Senate has passed a bill that regulates the cryptocurrency market in an effort to protect consumers. Crypto exchanges would fall under the regulation of Brazil’s Central Bank. As one of the leaders in the crypto market, Brazil is also set to release a cryptocurrency pegged to the real, Brazil’s currency. It is not clear to me what the value of any cryptocurrency pegged to any country’s currency is, but the good news (bad news?) is that since it is based on software, all of these new cryptocurrencies will likely be hacked and the hackers will make billions. At least someone will get rich. Credit: ZDNet

China, Russia and India Do Not Agree Not to Undermine Future Elections Using Misinformation

The United States, European Union, United Kingdom and 32 other nations have committed to not interfere with future elections by running online misinformation campaigns or illegally spying on people. On the other hand, Russia, China and India, unlike these 60 other countries, did not agree to the declaration. Not really a big surprise. Credit: ZDNet

OCC Enters Consent Order Against ‘Digital Bank’

The Office of the Comptroller of the Currency, or OCC, regulates federally chartered banks. Digital banks, AKA crypto wunderkinds, would like to get a bank charter for a number of reasons.

One reason is that they want access to the international banking network. Another is to show that they are all grown up.

But if you want to play with the big kids, you need to act like a big kid and in the cryptocurrency scam/racket (sorry, end of editorial), that is hard.

Enter Anchorage Digital Bank. Based in South Dakota, this was a conversion of Anchorage Trust Company. In January 2021, the OCC issued conditional approval of the conversion. As part of that, the OCC approved their operating agreement.

My guess is that this was a ‘canary in the coal mine’ and this month, the canary died.

The OCC entered a 25-page consent decree against the bank, which the bank did not dispute. The OCC is explaining, loud and clear, that if you want to be part of the banking system, the rules that apply to every other bank apply to you.

Okay, so what did they do wrong?

Remember that the main purpose of cryptocurrency is to hide stuff. Also to speculate, but mostly to keep the government out of their customers’ business. Even the Swiss discovered that there are limits to that and they, over the last 10 years, have begun to play nicer with the feds.

Note: to get a better picture of how hard it is for the government to stop hackers from using cryptocurrency to evade law enforcement, read this article from the Washington Post that describes North Korea’s efforts to wash the $600 million in crypto they stole last month. So far, they have washed about $100 million of it. If Anchorage Digital wants to play with the big kids, this is what they have to wrap their arms around.

Without repeating the entire consent decree, there are two major areas, not surprising, that the OCC is upset with. One is the Bank Secrecy Act, which requires banks to report suspicious activity. Aren’t most cryptocurrency transactions suspicious? That is hard to do. Second is anti-money-laundering. This requires banks to actually know who is conducting business. Like IDs and Corporate Resolutions. All that stuff that actual banks have done for years. Together these are known as BSA/AML.

Among the actions they have to complete are creating a compliance committee of outside directors within 15 days. That is no small task, given their business model. Who wants that liability? Those members have to be approved by the OCC. Then they need to create a plan of action with milestones and get that approved by the OCC. Finally, the committee has to report to both the board and directly to the OCC periodically (like quarterly) on their progress.

The consent decree is a bit geeky but easy to read, and if you want to know the future of cryptocurrency banks and exchanges, this is kind of a roadmap. If you don’t follow this roadmap, the feds are pretty likely to shut you down. Maybe even throw a few people in jail as a signal to the others.

I found it a great read.

Credit: OCC

Cybersecurity News for the Week Ending April 1, 2022

How Many Times Do I Need to Say – Crypto is Software, Software Has Bugs, Your Money is at Risk

Decentralized Finance (DeFi) platform Revest Finance said that it lost $2 million due to a software bug and, oh yeah, (a) they can’t recover the funds, (b) they do not have the money to cover the losses and (c) they don’t have insurance to cover the hack. Unless we eliminate the software, we cannot eliminate all bugs. Credit: The Record

Russia Faces Internet Outages Due to Equipment Shortages

One of Russia’s tech unions says that Russian ISPs run the risk of Internet outages as the value of the Ruble goes down and foreign companies won’t sell them parts or new equipment. Right now the government is saying that is the Internet providers’ problem, but if it turns into widespread outages, they are likely to change their tune. Credit: Bleeping Computer

Cryptocurrency was Fun While it Lasted

EU Parliament committees have voted to require crypto exchanges to verify the identity of self-hosted wallets, meaning the end of anonymity for crypto transactions. The US Treasury (FinCEN) has also suggested that we do that, but it has not yet appeared in a bill. That means that the bad guys will need to do peer-to-peer crypto, minus the exchanges, to deal in criminal activities. While this is harder than using exchanges, it is far from impossible. Given that the whole purpose (besides speculating) of crypto is to commit fraud, identifying yourself is probably not high on users’ wish lists. Credit: Vice

Senate Asks Companies About Hackers Creating Fake Warrants

Recently I wrote that hackers have figured out the government’s search warrant process is as secure as, say, a screen door. Now that the facts have been outed and likely even more hackers will use that fact to steal even more data, a couple of Senators have started asking questions. That is a long way from Congress actually doing anything useful about it, but at least it is a start. Don’t expect anything to happen because it is a hard problem to fix. Credit: Brian Krebs

Apple Fixes More Mac, iPhone Zero Days

In case you haven’t noticed, the last 12 months have not been Apple’s friend when it comes to zero-day bugs. This week Apple patched two more that are actively being exploited in the wild and affect iPhones, iPads, Apple Watches and Macs. The versions you are looking for are iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1, with improved input validation and bounds checking, respectively. Credit: Bleeping Computer

Senator to Introduce ‘Comprehensive’ Crypto Legislation

Senator Lummis from Wyoming plans to introduce legislation in early 2022 to attempt to rein in some of the wild west of the cryptocurrency world. Stay tuned.

Rumor is that it will add investor protections, rein in stablecoins and create a self-regulatory body under the SEC and the CFTC. That might be a tall order since a lot of crypto is peer-to-peer. Still, if we at least have some clarity over who gets to be the regulator, that would be good.

An aide to the Senator said that the proposal would fully integrate digital assets into the US financial system. If Congress can actually pull that off, then cryptocurrency could operate under similar rules to banks.

Still, what is different here is that cryptocurrency can be fully decentralized with no middleman to regulate. Do they plan to regulate software somehow? Software that, potentially, is not even made in the US? That sounds like a tall order.

What they might have, rather than the comprehensive bill the senator is calling it, is a start on working on the problem.

Most consumers do go through crypto exchanges and at least those in the US would be relatively simple to regulate.

It could also, possibly, cut down on crypto scams. It is possible.

As an example of how hard this is, many are suggesting that just the tax reporting requirements that are already in the just-passed Infrastructure Investment and Jobs Act cannot be met. Imagine what happens if you want to take an entire industry that has never been regulated and try to regulate it. What could go wrong?

A group of Senators already wrote a letter to Secretary Yellen saying that the current (new) law already tries to classify software developers as brokers, which, it seems to me, they are not. You want software developers to send 1099s to people who download their software? Really?

Other members of the current administration are concerned as well, and the Senate held hearings earlier this month on stablecoins. Senator Warren said that (in her view) the peer-to-peer nature of DeFi – decentralized finance – is the most dangerous part of the crypto world.

Visa just announced that it will partner with 60 cryptocurrency exchanges to allow consumers to make purchases with digital currency at more than 80 million global merchant locations. I want to see how that works out.

You might remember that cryptocurrency started out as a way to get around the banking system.

Now, like with Star Trek’s Borg, crypto looks like it could be assimilated into the banking system, basically eliminating any possible benefit that the people who originally championed it might be interested in.

It sounds like the crypto players may have gotten outplayed.

Credit: Data Breach Today

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA, formerly at NSA and a professor at the US Military Academy at West Point, says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4J vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

Vulcan Forged is the next cryptocurrency company to get hit by hackers. They stole about $135 million from them. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In Vulcan Forged’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple AirTags Make a Wonderful Stalking Tool

Stalkers are using Apple AirTags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an AirTag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue AirTag because it will beep if it is separated from its owner for more than three days (assuming that is the case). Credit: Apple Insider and Daily Kos

Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app? Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke to the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communication from the agency, they don’t know if the agency fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe the agency fixed the problem right away? Who knows? Credit: Data Breach Today