Nov 27

Bitcoin emerges from the shadows, but just how safe is it?

WordPress recently announced it would be joining the growing number of vendors accepting bitcoins. The company, which hosts 58 million blogs across the world, stated it will now accept payments for upgrades via bitcoin, the peer-to-peer digital currency so famous in the underworld. Some hotels and retailers have begun to accept bitcoins. Bitcoin has become versatile enough that it can be used to purchase gold and silver. Some online software companies are accepting payments in bitcoins and offering up to 40% discount on all products paid for with the digital currency. Even some political parties accept Bitcoin. Reddit is considering accepting bitcoins as part of its subscription model.

What is Bitcoin?
Bitcoin is an unregulated, stateless and increasingly global currency. It is an electronic currency that uses a cryptographic system to verify transactions. A bitcoin is an encrypted number that is stored on a person’s computer. It has a fluctuating value based on market demand, and as of today, is worth around US$12.20.

Usages of Bitcoin
Person to person: Bitcoins provide for the anonymous transfer of virtual currency. Bitcoin’s payment network means two people can complete an exchange of goods without ever having to know anything more about each other than a 36-character string of numbers and letters: a bitcoin address, or account.
Business to consumer: Merchants benefit since there are no chargebacks. Merchants do not need to collect sensitive personal information from users. The flip side of the coin: Bitcoin is traded online and can be exchanged into US dollars or other currencies easily. Bitcoin requires individuals to use a 3rd-party service to trade bitcoins for real currency, and money laundering is theoretically possible using these 3rd parties. Law Enforcement focuses on these third parties to monitor money movement between suspicious entities.
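The "string of numbers and letters" in the person-to-person paragraph above is a Base58Check encoding: a version byte, a 20-byte hash of the recipient's public key, and a 4-byte checksum taken from a double SHA-256 of the first two parts. The checksum is what lets a wallet or merchant reject a mistyped or tampered address before any coins are sent. The following is an added example, not code from the original post or from any Bitcoin project; the 20-byte hash it encodes is a constructed sample value, and the version byte 0x00 is the one used for ordinary pay-to-pubkey-hash addresses.

```python
import hashlib

# Base58 alphabet used by Bitcoin: digits and letters minus 0, O, I and l,
# which are easily confused when an address is read or typed by hand.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _double_sha256(data: bytes) -> bytes:
    """SHA-256 applied twice; the first 4 bytes serve as the address checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58. Each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode. Raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def make_address(hash160: bytes, version: int = 0x00) -> str:
    """Build a Base58Check address from a 20-byte key hash and a version byte."""
    if len(hash160) != 20:
        raise ValueError("hash160 must be exactly 20 bytes")
    payload = bytes([version]) + hash160
    return b58encode(payload + _double_sha256(payload)[:4])


def validate_address(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose trailing checksum matches the payload."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return _double_sha256(payload)[:4] == checksum


if __name__ == "__main__":
    # Constructed sample key hash (not a real key); a real one is RIPEMD-160(SHA-256(pubkey)).
    sample_hash160 = bytes.fromhex("89abcdef" * 5)
    addr = make_address(sample_hash160)
    print("address:", addr, "valid:", validate_address(addr))
    # Flip the final character: the checksum no longer matches and the address is rejected.
    tampered = addr[:-1] + ("2" if addr[-1] != "2" else "3")
    print("tampered:", tampered, "valid:", validate_address(tampered))
```

A single-character typo or edit is caught with probability about 1 - 2^-32, which is why wallets can refuse such addresses outright rather than sending funds to an unspendable destination. The same check applies to any Base58Check string with a different version byte, such as testnet addresses.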
Bitcoins are no stranger to controversy. Potentially they create an untraceable method of moving money and so are feared by governments. In 2010, when MasterCard and Visa cut off funding to Wikileaks, Wikileaks turned to Bitcoin, raising at least $32,000 USD using the virtual currency. In 2011, the US Senate examined bitcoins and their role as a payment currency for the notorious Silk Road drug site. Also in 2011, LulzSec, although riddled with FBI informants, raised $18,000 USD in bitcoins from their supporters. In September 2012, a group of hackers threatened to release Mitt Romney’s tax records unless he paid them a $1m USD ransom in bitcoins. The blackmail money was not paid.

Decentralization of Bitcoin provides a major barrier for law enforcement. They have no doors to kick down, no lines to tap and no one to subpoena. Even if Bitcoin wanted to be regulated, its very structure would severely limit that. Cybercriminals use Bitcoin as another virtual currency, although they seem to prefer Liberty Reserve, e-Gold and WebMoney. Drug dealers demand bitcoins on the Silk Road. Cybercriminals renting DDoS services and botnets are accepting bitcoins for payment. Even firearms are advertised on Tor with ‘global delivery options’ and payment in bitcoins, although many of these are likely scams. For cybercriminals, the lack of a money trail can be a great benefit. If their assets are seized subsequent to an arrest, law enforcement may be oblivious to their password-protected Bitcoin fortune.

How safe are your bitcoins from speculation and manipulation?
Unlike the printing presses of the US government, there is a limit of 21 million bitcoins that will ever be in circulation. Their value fluctuates according to demand. As more people want bitcoins, their value rises; in periods of rapid selling, their value plummets. In each case, currency speculation, or even manipulation, can make or destroy fortunes. When Mt. Gox, a bitcoin exchange, was hacked in 2011, the price of bitcoins dropped from $17.50 USD to pennies within minutes. This occurred because the hacker tried to unload 400,000 bitcoins rapidly. Bitcoin price is highly volume-sensitive, and the sale or purchase of large numbers of bitcoins can cause its value to spike or plummet rapidly.

In August 2012, a Bitcoin Ponzi scheme unraveled, dropping the price of bitcoins from approximately $14 USD to $10 USD. Bitcoin Savings & Trust promised 7% returns per week, approximately 3300% annually, and collected over five million dollars’ worth of investments. When it shut down, confidence in Bitcoin was affected; people sold their bitcoins, causing a mini-crash. In June 2011, Gawker published an article on the Silk Road and its bitcoin currency. Within days, the price of bitcoins doubled, as readers may have tested the veracity of Gawker’s article by purchasing items from the Silk Road. The suspect in the Mitt Romney case allegedly possessed 37,000 bitcoins. Requiring Romney to purchase $1m USD in bitcoins would have increased the value of his existing bitcoins.

Bitcoin value is very sensitive to external forces such as news articles, scams and government investigations. With the recent addition of respectable vendors accepting bitcoins, it will emerge from the shadows and grow in popularity. As it grows in use among non-criminal users, the latter will be targeted by malware seeking to steal bitcoins from their digital wallets. Specialized malware has already been created to do just that (the Infostealer.Coinbit trojan), and more is likely in the works.
Bitcoin is risky on multiple levels. But with great risk, comes great reward.

This is also posted at

Oct 12

Are bank DDoS attacks merely precursors to big attacks?

The DDoS attacks that are temporarily wiping US banks off the Internet are very different than anything we have seen before. Rather than being a temporary annoyance, they are likely the precursor for much bigger things.

Last year’s DDoS attacks emanated from so-called “hacktivist” groups like LulzSec and Anonymous. These attacks primarily targeted bank home pages and used basic tools such as the Low Orbit Ion Cannon (LOIC). It was akin to attacking a heavily fortified building (bank infrastructure) with foot soldiers. The attacks mostly failed, and banks fortified themselves even further. For the hacktivists, the outcome was much worse: LOIC exposed the attackers’ IP addresses and landed many of them in trouble with law enforcement. The LulzSec leader, Sabu, was an FBI informant and handed hacktivist leaders to the FBI on a plate. The attacks were a disaster.

This year’s attacks, at first, sounded like more of the same. Operation Ababil, led by the al-Qassam Cyber Fighters, seemed doomed from the start. The tools to be used by Muslims outraged by the YouTube “Innocence of Muslims” video included some new ones, including the High Orbit Ion Cannon (HOIC) from Anonymous. The world prepared to yawn as this unknown hacktivist group threw digital stones at some of the world’s best-fortified banks. Then something strange happened: David fired and Goliath went down. Hard.

Why are these attacks so effective?

Technology: The technology used in these attacks is mixed. Not only are foot soldiers being used (HOIC), but mercenary armies (multiple botnets) and heavy artillery too (compromised Joomla servers buried deep in data centers with access to huge data pipes). Instead of several hundred megabits of annoying traffic, they are generating up to a hundred gigabits of traffic, enough to knock very large sites off the Internet.

Targeting: The whole point of terrorism is to generate terror. A general state of unease and worry is not enough. These attackers brazenly publish details on Pastebin of who they are going to attack, and when. Even now, hundreds of bank sysadmins are hitting F5 on Pastebin, waiting for next week’s targeting post to see if they are on the hit list. FS-ISAC and federal authorities are helping banks, but the attackers have a flawless record of victory to date. The banks being targeted are much broader in scope than before: the ‘too big to fail’ banks were all hit, now the regional banks are targeted, and the triggermen are going down the list of banks methodically.

Tactics: Rather than hitting just the home page, these attacks are targeting deep within the bank’s infrastructure. Key authentication and session management servers are being attacked. The attackers monitor bank countermeasures, then attack the new defenses. Banks have even switched service providers when attacked, but within minutes the attackers ‘take out’ the service providers at their weak points and cripple the banks again. The precision, adaptability and responsiveness of the attackers shows there are some talented snipers pulling the trigger.

Triggermen: We have no idea who is behind the attacks. Did the al-Qassam Cyber Fighters just pop up from nowhere in Iran? Are some brilliant cybercriminals pushing the buttons? Is there a nation state preparing for cyberwar with the US and learning our weak points and defensive tactics? Is there some misguided group within the US doing this to heighten cyberwar tension or push through legislation? Right now we don’t know.

The only other time DDoS attacks were effective against banks was the “dirtjumper” attacks that took place this time last year. The dirtjumper attackers were ambitious cybercriminals who generally operated Zeus botnets. If they were able to steal money via wire or ACH from a bank, usually a million dollars or more, they paid the operators of the dirtjumper botnet to take the bank’s web servers down. This had two benefits and one major drawback for the fraudsters. One advantage was that bank anti-fraud detection was paralyzed, as everyone was focused on getting the bank up and running. The other benefit was that the victim was unable to log in to the site and see that their money was missing. The main downside was that once the pattern was identified, banks learned that the moment they were hit with a DDoS attack, they had likely experienced a major fraud event and should freeze and review large money movements. Cybercriminals are piggy-backing on the current attacks just like looters after a natural disaster, but do not seem to be the prime movers.
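The lesson the paragraph above draws (a DDoS against a bank is a signal to freeze and review large money movements) is easy to turn into a correlation rule. The following is an added example, not code from the original post or from any bank or vendor: it joins a DDoS alert feed with a transfer log and flags every wire or ACH over a threshold that falls within a window around the alert, which is the list an anti-fraud team would review first. Both event lists are constructed sample data, and the bank name, account identifiers, window and threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real bank data). Timestamps are ISO 8601, local time.
DDOS_ALERTS = [
    {"ts": "2011-10-03T14:05:00", "target": "www.examplebank.test", "source": "netflow-monitor"},
]

TRANSFERS = [
    {"ts": "2011-10-03T11:50:00", "type": "wire", "amount": 1_250_000, "account": "C-1001"},
    {"ts": "2011-10-03T14:20:00", "type": "ach",  "amount":   980_000, "account": "C-2002"},
    {"ts": "2011-10-03T15:10:00", "type": "wire", "amount":     4_500, "account": "C-3003"},
    {"ts": "2011-10-05T09:00:00", "type": "wire", "amount": 2_000_000, "account": "C-4004"},
]


def flag_transfers(ddos_alerts, transfers,
                   before=timedelta(hours=6), after=timedelta(hours=6),
                   threshold=250_000):
    """Return large transfers that fall inside [alert - before, alert + after].

    The window reaches backwards because, in the pattern described above, the
    theft precedes the DDoS: the outage is bought to cover a transfer already made.
    """
    flagged = []
    seen = set()  # avoid reporting the same transfer twice when alerts overlap
    for alert in ddos_alerts:
        t0 = datetime.fromisoformat(alert["ts"])
        for tx in transfers:
            t = datetime.fromisoformat(tx["ts"])
            key = (tx["account"], tx["ts"])
            if tx["amount"] < threshold or key in seen:
                continue
            if t0 - before <= t <= t0 + after:
                seen.add(key)
                flagged.append({
                    **tx,
                    "ddos_ts": alert["ts"],
                    "offset_min": int((t - t0).total_seconds() // 60),
                })
    # Largest amounts first: that is the order a reviewer should work through them.
    flagged.sort(key=lambda f: f["amount"], reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in flag_transfers(DDOS_ALERTS, TRANSFERS):
        print(f"REVIEW {hit['type']:4} {hit['amount']:>10,} {hit['account']} "
              f"({hit['offset_min']:+d} min from DDoS onset)")
```

Run against the constructed data, the rule surfaces the $1.25m wire made two hours before the outage and the $980k ACH minutes after it, and ignores the small wire and the large transfer two days later. In production the threshold and window would be tuned per institution, and the same join would run continuously against the alert feed rather than over a static list.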

The motivation behind the current attacks is twofold. First, to create terror by showing that banks (even when fortified by their allies) can be taken offline with ease. Second, to study how banks will react when hit by an attack, to determine what their next moves will be and to ensure they can be defeated.

This is also published at

Feb 22

RSA releases 2012 Cybercrime report

Predicted trends:
Trend #1: Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware.
Trend #2: Cybercriminals will Find New Ways to Monetize Non-Financial Data.
Trend #3: Fraud-as-a-service Vendors Will Bring New Innovations.
Trend #4: Out-of-band Methods Will Force Cybercriminals to Innovate.
Trend #5: The Rise of Hacktivism.
Trend #6: Better Information Sharing will Lead to More Crackdowns on Cyber Gangs and Botnet Operators.

Feb 22

Syria using malware against civilians

In Syria’s cyberwar, the regime’s supporters have deployed a new weapon against opposition activists — computer viruses that spy on them. A U.S.-based antivirus software maker, which analyzed one of the viruses, said that it was recently written for a specific cyberespionage campaign and that it passes information it steals from computers to a server at a government-owned telecommunications company in Syria. Supporters of dictator Bashar al-Assad first steal the identities of opposition activists, then impersonate them in online chats. They gain the trust of other users, pass out Trojan horse viruses and encourage people to open them. Once on the victim’s computer, the malware sends information out to third parties.

Feb 22

Apple Will Require Apps to Obtain User Permission Before Accessing Contact Data

US legislators sent a letter to Apple CEO Tim Cook asking why the company does not require iOS developers to obtain permission from users before apps download users’ contacts. The inquiry follows close behind news that the Path app downloaded users’ address books without their permission. Apple has responded to the question with a promise to change that policy so apps requiring use of address book data request that information explicitly.

Feb 22

Twitter capturing smartphone address books

Twitter has joined the growing list of companies caught storing users’ data without making it explicit. The company has admitted that it is storing the entire address books of users for 18 months if they use the “Find Friends” feature on its iOS and Android clients. The function searches through your existing address book looking for matches on Twitter, but doesn’t make it clear that Twitter will be storing the data, or for how long.

Feb 22

Anonymous targets FTC

The Anonymous collective has again targeted the Federal Trade Commission, this time bringing down seven websites belonging to the consumer protection agency. The hackers, in a Pastebin file posted Friday, said they targeted the FTC because it failed to take action on Google’s newly announced privacy policy, which resulted in the agency being sued by the Electronic Privacy Information Center.

Feb 22

RSA has denied there is a flaw with the algorithm for its X.509 public-key certificates

Security vendor RSA has denied there is a flaw with the algorithm for its X.509 public-key certificates, arguing that any problems stem from poor implementation of the technology. The company issued its response to Swiss researchers who claimed that a small number of RSA public encryption keys offered “no security at all”. RSA responded by saying that the “exploding” number of Internet-connected devices was to blame and that the researchers’ findings pointed out the importance of proper implementation, rather than a problem with the algorithm. “True random number generation underpins nearly all cryptographic algorithms and protocols, and must be performed with care to protect against the weakening of well-designed cryptography.”
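The failure the researchers reported, and which RSA attributes to poor random number generation, is concrete: if two devices generate RSA keys from the same weak entropy, their moduli can share a prime, and a single greatest-common-divisor computation between the two public keys recovers that prime and factors both. The following is an added example, not code from the original post, from RSA or from the researchers' publication; it is the simplified pairwise form of the check (the published work used a batch GCD over millions of keys), and the "keys" are toy moduli constructed from small known primes so that the shared-factor case is visible without generating real 1024-bit keys. The device names are constructed labels.

```python
from itertools import combinations
from math import gcd

# Constructed toy moduli. Real RSA primes are hundreds of digits long; the arithmetic
# below is identical, only the sizes differ. Each value here is a known prime.
P1, P2, P3, P4, P5 = 104729, 1299709, 15485863, 999983, 2147483647

PUBLIC_KEYS = {
    "device-A": P1 * P2,
    "device-B": P2 * P3,   # reused P2: what a poorly seeded generator produces
    "device-C": P4 * P5,   # independent primes, as a well-seeded generator produces
}


def find_shared_factors(moduli):
    """Return {(name_a, name_b): shared_prime} for every pair of moduli with gcd > 1.

    Two moduli built from independent random primes have gcd 1 with overwhelming
    probability, so any hit is a key-generation defect, not a coincidence.
    """
    hits = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if g > 1:
            hits[(name_a, name_b)] = g
    return hits


def split_modulus(n, shared_prime):
    """Given one shared factor, return both prime factors of n in ascending order."""
    if n % shared_prime != 0:
        raise ValueError("shared_prime does not divide n")
    return tuple(sorted((shared_prime, n // shared_prime)))


def affected_keys(moduli):
    """Names of every key that shares a factor with at least one other key."""
    names = set()
    for pair in find_shared_factors(moduli):
        names.update(pair)
    return sorted(names)


if __name__ == "__main__":
    for (a, b), g in find_shared_factors(PUBLIC_KEYS).items():
        print(f"{a} and {b} share factor {g}")
        print(f"  {a} factors as {split_modulus(PUBLIC_KEYS[a], g)}")
        print(f"  {b} factors as {split_modulus(PUBLIC_KEYS[b], g)}")
    print("keys to revoke and regenerate:", affected_keys(PUBLIC_KEYS))
```

An operator who issues or inventories certificates can run this over their own key collection as a hygiene check: any pair that shares a factor points to a device or firmware build whose random number generator was not seeded properly, and both keys must be revoked and regenerated on a host with a working entropy source. The pairwise loop is quadratic, which is fine for a few thousand keys; the batch GCD algorithm is what makes it feasible across millions.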

Feb 22

95% of Enterprise Networks have security gaps

Only five per cent of enterprise networks are free of security gaps, despite a combined annual security spend of over $20bn. According to FireEye’s Advanced Threat Report for the second half of 2011, virtually all enterprises continue to be compromised by malware, with more than 95 per cent of them having malicious infections inside their network each week. It also claimed that almost 80 per cent of enterprises averaged an infection rate of more than 75 per week. Research from Kaspersky Lab this week revealed that more than half (62 per cent) of UK companies have been infected by malware.

Feb 22

Author of Zeus bot also a spam kingpin?

The cybercrime underground is expanding each day, yet much of it is run by a fairly small and loose-knit group of hackers. That suspicion was reinforced this week when Brian Krebs discovered that the author of the infamous ZeuS Trojan was a core member of Spamdot, until recently the most exclusive online forum for spammers and the shady businessmen who support the big spam botnets. Thanks to a deep-seated enmity between the owners of two of the largest spam affiliate programs, the database for Spamdot was leaked to a handful of investigators and researchers …