Tag Archives: Cryptocurrency

Security News for the Week Ending October 30, 2020

Louisiana National Guard Called in to Help Local Election Officials

According to tips, the state of Louisiana had to call out the National Guard after some number of small government offices across the state were hit by ransomware. Experts say the tools have the hallmarks of the North Koreans, so all of the major attackers – Russia, China, Iran and now North Korea – are all trying to compromise our elections. This problem is not going away. Credit: Business Insider

Attacks on Cryptocurrency Continue

A hacker stole $24 million of cryptocurrency service Harvest Finance, a company that allows users to arbitrage cryptocurrencies. The company was hit by a $570 million “bank run” after the attack. They claim they know who the attacker is. One more time, software has bugs and can be exploited. Who would have thunk? Credit: Coindesk

Ransomware Disables GA. County Election Database

This is both good news and bad news. Hall County, GA was hit by a ransomware attack earlier this month. The attack, disabled the voter database, along with other systems like phones. The county claims that they will still be able to run the election because they can manually verify signatures from voter registration cards. They are also using a state database that was not affected. This points out that attacking some small county in a state is probably not the best way to change the outcome of an election. Credit: Gainesville Times

Trump Website Briefly Defaced

One of the campaign’s websites was briefly defaced Tuesday night and the site was replaced by a message similar in style to the messages put on a website that the government seizes. The message looked like this:

Image

Of course the site had not been seized and it was returned to its normal state after a little while. To be honest, I am surprised not more has occurred given the other events going on in the country. This seems pretty childish, but we don’t know if the warning on the site is true; stay tuned.

Regarding the hack, CISA Director Chris Krebs said on Twitter, “Like I said yesterday, website defacements are noise. Don’t fall for these attempts designed to distract, sensationalize, and confuse. Ultimately they’re trying to undermine your confidence in our voting process.” Credit: Variety

Wisconsin Repubs Say Hackers Duped Them Out of $2 Million+

The Wisconsin Republican Party says that hackers scammed them out of more than $2 million of donors’ money using very traditional business email compromise attacks creating fake invoices from real vendors and paid to the hackers’ bank accounts. The Wisconsin Dems say that they have been targeted by over 800 attacks, but so far, none (that they know of) have been successful. Credit: AP

Security News for the Week Ending April 17, 2020

Covid-19 Driven Online Shopping Encouraging More Skimming Attacks

Since crooks go where the money is and since we are all doing a lot online shopping during the shelter in place directives, the crooks put two and two together to come up with an attack strategy.

Malwarebytes says that they are seeing a 26% increase in skimming attacks between February and March.  Also, apparently, Monday is the least safe day to shop.   Credit: SC Magazine

Ransomware Attacker Stops Accepting Bitcoin Due to Traceability

The operators of the Sodinokibi Ransomware want to stop accepting Bitcoin because the cops have figured out how to trace Bitcoin transfers.  While some people have said for a long time that Bitcoin is not traceable, the opposite is actually true.  Monero cryptocurrency combined with TOR has features designed to thwart that sort of tracking.  Credit: Bleeping Computer

Friendly Hackers Find 460 Bugs in “Hack the Air Force 4.0”

The hack, run by the U.K. Ministry of Defence, allowed good guy hackers to attack a particular but unidentified Air Force “platform”.  The hackers found over 450 security flaws in this one platform.  Remember the military runs thousands of systems and not all bugs allow a hacker to initiate a total meltdown, but still if this is a representative sample, this is indicative that with a modest amount of effort (this entire hackathon lasted less than a month), you might be able to identify hundreds of thousands of security flaws in systems where the system buyer understands that these systems need to be secure.    What then, could hackers find in normal commercial and home-grown systems, where price, time to market and features are way more important than security?  Credit: Fifth Domain

Small Business is Big Target for Ransomware

According to a new survey of senior execs, 46% of all small business have been the target of ransomware attacks.  Of those that have been hit, 73% say that they paid the ransom. 43% paid between $10k and $50k;  13% paid more than $100k.  Of those who paid, 15% did not get all of their data back.  Not great statistics.   Credit: Dark Reading

Security News for the Week Ending May 31, 2019

Baltimore Ransomware Attack Could Be Blamed on the NSA

I think this is what they call a tease.

Technically correct, however.

You may remember the NSA hacking tool that got out into the wild called EternalBlue?  It was leaked by the hacking group ShadowBrokers in 2017.  Before that, it exploited a Microsoft  bug that the NSA decided was  too juicy to tell Microsoft to fix – for five years.  Then it got out.  Now North Korea, China, Russia and others are using it.

So who’s fault is it?  Should the government tell vendors to fix bugs or should they risk not telling them and having a Baltimore or WannaCry which destroyed the British Healthcare system or NotPetya or many others.

Certainly you could blame ShadowBrokers, but as we have seen with other malware, as soon as you use it, you run the risk of it being detected and used against you.

In this case, I blame Baltimore because Microsoft patched the flaw in March 2017 and apparently, it is not deployed in Baltimore.

Three weeks and counting, Baltimore is still trying to undo the damage.  For lack of a patch.  To be fair, it might have happened anyway.  But it would not have spread like wildfire.   Source:  NY Times.

First. Time. Ever! – Moody’s Downgrades Equifax Due to Breach

Turnabout *IS* fair.

For the first time ever, Equifax is discovering what they do to others all the time when they downgrade consumer’s credit scores.

In this case, it is Moody’s that is downgrading Equifax’s score.

Moody’s downgraded Equifax from STABLE to NEGATIVE.

Likely because they just announced that they have spent $1.35 Billion fixing the breach damage and none of the lawsuits are settled yet.  This is likely to be the costliest breach ever.  Source: CNBC.

 

Cisco Warns Thangrycat Fix May Destroy Your Hardware

More information has come out about the Cisco Trust Anchor vulnerability called Thrangrycat.  The trust anchor is the root of all security in Cisco devices and if it gets compromised, then there is no security in the device at all.

The good news is that the hackers who found it said it was hard to find, BUT, now that the hackers know what to look for, expect an attack kit to show up for a few bucks on the dark web.

The problem is that Cisco has to reprogram a piece of hardware inside all of those switches, routers and firewalls.  THAT MUST BE DONE ONSITE.  Worse yet, there is a possibility that the reprogramming could turn your firewall into a really expensive brick.

Cisco says that if your device is under warranty or if you have a maintenance contract and they brick your device, they will mail you a new one.  The device will be down until you get the new one.

I am sure they will try hard not to brick things, but reprogramming FPGAs on the fly – its not simple and things could go wrong.

IF, however, you do not have a warranty or maintenance contract and the device gets bricked, you are on your own.

For those people, now might be the time to replace that Cisco gear with someone else’s.  That won’t be perfect either, however.  Source: Techtarget.

 

New Zealand Cryptocurrency Firm Hacked To Death

As I keep pointing out, “investing” in cryptocurrency is much like gambling with no insurance and no hedge.

In this case Cryptopia , a New Zealand based cyptocurrency exchange is filing for bankruptcy and still has millions in digital assets that belong to its customers.

But maybe not for long because their IT provider says that they owe millions and is threatening to take down the servers that contain the digital assets.  In the meantime, customers wait.  Source: Bloomberg.

 

Flipboard Says Hackers Were Roaming Inside For NINE Months Before Being Detected

Flipboard admitted that hackers were inside their systems from nine months between June 2018 and March 2019 and then again in April 2019, when they were detected.

Flipboard says that user passwords, which were salted and strongly hashed, were taken.  What they didn’t say, because they are not forced to by law, was what else was taken.  According to the security firm Crowdstrike, the best hackers move laterally from the system in which they entered, in 18 minutes.  The average hackers take 10 hours.  Where did they move in nine months?

If they want me to believe that nothing else was taken, they must think I am a fool.  I am not.  But the law doesn’t require them to tell you what else was taken.

Since they are not publicly traded, they don’t have to tell the SEC what else was taken.  In fact, they only have to tell the SEC if it materially affects the company – a term which is conveniently not defined.  Source: ZDNet.

Turnabout – Part Two

While President Trump shouts about Huawei spying for the Chinese, the Chinese are removing all Windows systems from their military environment due to fear of hacking by the US.   While this won’t have any significant financial impact on Microsoft, it is kind of a poke in their eye.

For some strange reason, they are not going to use Linux, but rather develop their own OS.  One reason might be that a unknown proprietary OS that only the Chinese military has the source code for would be harder to hack by the US than any other OS.  Source: ZDNet.

What is 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V ?

Some of you probably figured out that it is a cryptocurrency (AKA Bitcoin) wallet.  But there is something that makes this bitcoin wallet different from the tens of millions of Bitcoin wallets out there in the wild.

Making a payment to this Bitcoin wallet may classify you a terrorist and subject you to arrest and prosecution.

But, you say, you were hit by a ransomware attack and you need your data back.

Sorry, says the government, you are still a terrorist.

Enough, you say, with this riddle.  Explain what the **bleep** is going on.

OK, here is the story and most of it is not news to anyone who has worked in financial services.

The U.S. Treasury Department has an office (AKA Department) called OFAC or Office of Foreign Asset Control.  Predecessors to the current OFAC department have around at least since the 1940s.

The idea behind OFAC is to make sure that U.S. businesses and citizens do not send money to terrorists.  In fact, when I was in the title and escrow business, we checked each and every payment, both inbound and outbound to make sure that we were not accepting money from terrorists nor sending money to terrorists.  We had special software to do this since we made tens of thousands of payments a day.

OFAC manages a list of what they call Specially Designated Nationals (SDN) or, basically, terrorists or people that help them.  As of today, that list is contained in a PDF file that is 1254 pages long.

As a way to try to squeeze terrorists, the government has started adding cryptocurrency wallet addresses to the SDN list.  The government expects that every time you make a cryptocurrency transaction, you check to make sure that the recipient is not on the SDN list.  If you use a service like Coinbase or one of its competitors, they do that for you.  If you arrange for the Bitcoin transfer yourself, they expect you to do it.

Since the Bitcoin blockchain (unlike many other blockchains) is publicly visible, it is pretty easy for the government to look at transactions and see if anyone in the U.S. is sending money to that wallet.  Since transfers are relatively anonymous if done carefully (like you only use that wallet for one transaction and other restrictions), the government may or may not try and find you if you violate the OFAC rules, but if you are a money handler, they will definitely come after them.  If you put money into a Bitcoin wallet from a bank account to pay the hacker, anonymity is totally gone – FYI.

Penalties, recently, for violating OFAC rules varied from a low of $87,000 to a high of $53,966,000 .  Big range, although $87,000 is still a large number.

There is a mechanism for requesting a waiver to send money to a person on the SDN list (called a blocked person or blocked entity), but I doubt the process is simple or quick, two things that are probably important when you are trying to unlock your data.

The simple solution is don’t get attacked by ransomware (easier said than done) or only get hacked by friendly hackers or hope that your attacker is not on the SDN list.  Otherwise, check and see if the person you are paying is on the bad guy list. 

We live in interesting times.  Information for this post came from Bleeping Computer and information on OFAC and the SDN list can be found here.

Cryptocurrencies Under Attack

A story that seems to be repeated with way too much frequency is cryptocurrency attacks.  This is because most users don’t understand how easy these attacks are.

I am aware of *NO* attacks that compromised the cryptography of cryptocurrencies.  Always it is the software.  Sometimes on the user’s side.  Other times on the exchange’s side.

The cryptocurrency exchange called Coinrail lost $40 million to an attack.  Coinrail has taken its service offline and has moved what is left of its currency into cold storage to make it harder for the hackers and to help investigators figure out how the attackers got in (source: Techcrunch).

The Japanese exchange Coincheck lost $400 million to hackers.  They say they do not know how the attackers stole the money. They are considering compensating users who lost money – whatever that means. (Source: Techcrunch)

Tether, a cryptocurrency startup lost $31 million to attackers.  (Source: Techcrunch)

Bitcoin lost $500 of value in an hour after the most recent attack.  The industry as a whole lost $42 billion in value. (Source: Bloomberg)

As a coin speculator, what should you be doing?

First, you need to understand that you are a speculator in a wildly volatile commodity and that commodity has zero inherent value, unlike hog bellies or gold.

Second, understand that there is no insurance, very limited government regulation and no government protection from losses suffered.  This is about as risky as loaning money to your cousin Vinny.

Third, like all investments, diversify.  Whether that means stocks, bonds and Crypto or just different crypto exchanges (and not different currencies at the same exchange), diversify.  I recommend the first;  you do the second at your own peril.

Keep your wallet offline.  Hackers stole $20 million in Ethereum because users had opened a port on their local machines which allowed hackers to empty their wallets.  Offline is not a silver bullet, but it will stop that particular attack as long as the wallet stays offline.

Only run cryptocurrency transactions on a machine that you know to be secure.  One recent attack used DNS compromises on user’s machines to make their software think they were connecting to their exchange when, in fact, they were connecting to their attacker’s computers.

Bottom line – it is your money.  Treat it like it is important.

 

 

Yet Another Digital Currency Heist

There is a lot of attention focused on digital currency and the potential it represents – maybe too much attention.

In May I wrote about the Bitcoin exchange Gatecoin, that was hacked to the tune of $2 million.

This week hackers made off with with $50 million in another virtual currency, Ether, but this time it is a little different.

The victim this time is an organization called The DAO for Decentralized Autonomous Organization which spent $150 million building a bitcoin look alike called Ether.  But this is not a currency exchange like Gatecoin.  Instead, people invest money in The DAO and The DAO invests in companies.  The DAO investors get a vote, based on how much money they put in, regarding which projects to fund.  More money, more votes.  No fund manager to may messy investment decisions.

In theory, the distributed nature of it means that no one could run off with the money.  Except they did.  Sort of.

What they did is move $50 million in Ether into a clone of The DAO that MAY delay payouts for four weeks like The DAO does.  If so, then The DAO has a couple of weeks to figure out an answer.

Like Bitcoin, Ether is not anonymous, so it would be difficult for the attacker to actually spend the money.  Maybe.

Ether transfers are a form of “smart contract” where the “terms” of the contract are cryptographically encoded into the Ether.  That, supposedly, makes it impossible for any to modify the contract in a way that is not detectable.

While they have not figured out exactly how the hack worked, the assumption is that the hacker exploited a bug in the code.

In this case, IF they do not recover the money, it is the investors who lose.  Just like any investment, there is no guarantee of success.

Some people want The DAO to hack their own code and create a new version of the code that makes it look like that transaction never took place.  Talk about a kludge with a capital K.

In any case, they have a little time still, they think, to figure this out.

No matter what they do, it is a black eye for virtual currencies.

If they change the rules by releasing a new version of the code that destroys that hacker’s transactions, what does that say for the integrity of digital currency and any money that you store in digital currency.

If they don’t hack the software but instead let the investors lose $50 million, what does that do?

In the long term, digital currencies and smart contracts are not going away.  In the short term, one might be advised to treat this like gambling – don’t put  more money into digital currencies than you are OK with completely losing.  Not necessarily the message that the creators of digital currency want to deliver.

However, unlike your local bank, there is no government agency to bail you out.

And, likely, no cyber insurance either.  This may be too risky for the insurance companies to swallow.  They have not said whether they have insurance, but I assume that if they did have insurance, they would have said so.

Stay tuned as they decide what to do.

Information for this post came from Wired.