Tag Archives: bitcoin

The Latest on Blockchain and Cryptocurrency

Unless you’ve been living under a rock, most of the world is aware of Bitcoin’s recent record surge to more than $4,000 per coin—a somewhat surprisingly immediate increase after its long anticipated hard fork, which was essentially a “break-up” amongst its developers over differences in the platforms ability and plans to scale.

At the same time, Ethereum has rebounded nicely from its major mid-summer dip, where its coin, Ether, dropped to as low as 10 cents USD. Ether appears stable at its new floor of around $300, and is currently valued $370 at the time this post was written.

Thanks to Bitcoin and Ether activity/trading volumes, the Crypto market is currently a $150 billion industry, and growing…

While Bitcoin and Ether are breaking records and creating millionaires overnight, companies like Microsoft are unveiling plans to jump on the Blockchain bandwagon with the launch of its Confidential Consortium Framework, otherwise known as CoCo, designed to make Blockchain systems faster and more secure. A few weeks back, Fidelity Investments announced that it will be adding Bitcoin, Ether, and Litecoin prices and trade information via Coinbase to its customer’s online portfolios in Q3.

So, what does all this mean? It’s clear that Blockchain and Cryptos are maturing and gaining more mainstream attention. However, we’re still a long ways off from seeing Bitcoin, Ether, or Litecoin replace USD, or any other physical currency for that matter.

Regulation and security still pose the biggest questions among skeptics, optimists, and industry analysts. Up until recently, the SEC had been pretty mum on Cryptocurrencies. But with the explosion of the Initial Coin Offering (ICOs), the SEC has become a bit more vocal about taming the “wild west” that is Cryptocurrency investing.

As for security, each week we hear about new ICO being hacked, or coins being stolen from an exchange. Just a few days ago, Enigma—a project born out if MIT—was pilfered for $500,000 USD in Ether. While the project itself did not lose half a million dollars, the hackers we’re able to gain access into the unsecured accounts of members of the Enigma community via Slack, many of whom we’re planning to invest said Ether into Enigma’s ICO planned for September 11.

Needless to say, the next 6-18 months will be crucial for the development and mainstream adoption of Blockchain and Cryptos. Stay tuned for more from 10Fold on this topic.

In the meantime, we encourage our readers to share their thoughts. You can also check out a recent, related blog from our CEO: Cryptocurrency and the Digital Economy.

Enjoy your read? Check out our other content here.

Cryptocurrency and the Digital Economy

Today I had the pleasure of attending a Chertoff Group Conference, #TCGSecuritySeries. I was fascinated with the cryptocurrency discussion led by Jason Cook – Managing Director of the Chertoff Group.  Panel members included Rich Baich, Executive Vice President & Chief Information Security Officer of Wells Fargo & Company;  Dave Jevans, Chief Executive Officer at CipherTrace; and Mance Harmon, Chief Executive Officer & Co-Founder of Swirlds.

Below are just a few tidbits from this thought-provoking discussion.

What’s the big deal about cryptocurrencies?

  • Cryptocurrencies fuel a multi-billion dollar economy
  • In one year, if all continues on course, the cryptocurrency economy will represent more than a trillion Dollars – which has more value than Canada’s GDP. .
  • The vast majority of ransomware is powered by Bitcoin

What’s important to know in regards to cryptocurrencies and security trends?

  • The Darkweb is being used to sell your private data (credit cards).
  • There is now a whole class of crime called data extortion. This entails the theft of customer data and private information., which cybercriminals then threaten to make public unless they get paid a ransom.
  • One step organizations can take to address this threat is by developing a definition for an enterprise-grade consensus server for connecting organizations.
  • From there, they need to implement that consensus server — a trust layer to go across the internet to connect the organizations and take advantage of improved security models.

A Few Surprising Facts about Blockchain:

  • Blockchain, a digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly, has real potential from a currency perspective, but there is no real production Blockchain project underway.
  • If anyone wants to bring these systems into the open and transact for value, security is going to be a massive concern.
  • If we move to blockchain, every bank will have to develop a security system that is just as secure as SWIFT (the current security solution used by banks to transfer money).  This will be a huge challenge for banks.
  • Cryptocurrency is the killer app for blockchain technology. There are potentially thousands of others.

The Biggest Digital Economy Security Concerns

  • Distributed ledger technology is at the heart of the security concern because it’s the technology’s engine that acts like a database.  There may be multiple ledgers, and one or more may act as the master.  Copies are used for disaster recovery.  If you make the copies a master as well, you are writing to both simultaneously.  When you have a write conflict (two transactions come in simultaneously), then the community has to agree on the order to execute the transactions.  You can take a master out of one organization and give administration to a different party.  You can take all the masters and put them in control of many different organizations.  They can run each securely.
  • You should not be able to execute a DDOS attack against the network and bring it down.
  • You should not be able to change the actual order of transactions and no one should be prevented from transactions.
  • Protection of security encryption keys is also an issue.  If you have the encryption keys, you can effectively become the transacting party.

A Few Words of Security Advice

Going forward, organizations and the security community will need to:

  • Cultivate security education based on a deeper understanding of the threat
  • Implement regular “reality checks” of their security and compliance posture.
  • Thoroughly assess and prioritize risks and implement solutions and strategies for risk mitigation
  • Develop a government body for the crypto economy – possibly like the Federal Reserve Board for world governments.

Thanks to the Chertoff Group, and Secretary Chertoff, for inviting us to this very interesting event in Palo Alto, California.

By Susan Thomas

Enjoy your read? Check out our other content here.

10Fold Security Never Sleeps- Financial Malware, TalkTalk Breach

When it comes to cybersecurity, companies need force fields, not walls

“Dire threats seem almost imperceptible”

The public often views recent headlines like the DNC or HBO data breaches and don’t work up too much anxiety over their own personal information security or insidious malware programs lurking online. However, these occurences are growing increasingly common, and nearly everyone’s sensitive information could be at risk.

TalkTalk fined £100,000 for long-forgotten 2014 data breach

“Reputation has been revived as well as legal fees”

The TalkTalk data breach of 2014 has long since faded from public view, but the associated government proceedings certainly have not. The incident saw hackers accessing the personal details of over 150,000 customers, earning the firm over £400,000 in relevant fines.

‘Hack the Air Force’ challenge most successful military bug bounty yet

“Over 200 public facing bugs found”

 The Air Force has continued its “Hack the Air Force” program which crowdsources cybersecurity testing on its public systems. This uncovered 207 patchable security flaws in about one month that could be exploited y hackers and malware, prompting Marten Mickos, chief contractor of HackerOne, to comment “It was the most successful [Department of Defense] bug bounty so far.”

Uptick in Malware Targets the Banking Community

“Incredible amount of money stolen in recent months”

New and even relatively archaic tactics have allowed cybercriminals to make off with vast sums of cash from many financial institutions of late, with both traditional banks and cryptocurrency funds being looted. Banking and financial malware has been a growing concern among researchers, and recent trends do not ease those fears.

Enjoy your read? Check out our other content here.

10Fold- Security Never Sleeps- 196

WILL THE REAL SECURITY COMMUNITY PLEASE STAND UP

“Black Hat 2017 a vocab lesson”

Black Hat 2017 emphasized the importance of vocabulary, and it turns out that yes, words matter. Words such as nihilism, empathy and inclusion have to matter, because current advances matter so much.

Android users: beware ‘Invisible Man’ malware disguised as Flash

“Keylogging steals financial records”

Android users have yet another malware program to watch for. A keylogging malicious software that disguises itself as a Flash update and targets financial data. Needless to say, criminals in possession of your credentials will happily suck your bank accounts dry.

Be on the lookout for fileless malware, warns Trend Micro

“Infosec pros warn of illusive malware”

Security experts have been dealing with many new incoming malware programs, but cybercriminals continue to find new issues that pop up on networks every day in an effort to avoid better detection programs. Fileless malware is the latest in this campaign, which is designed to evade sandbox defenses looking for signatures. TendMicro has detected many examples of this.

Hackers have cashed out on $143,000 of bitcoin from the massive WannaCry ransomware attack

“Online wallets breached”

During the WannaCry ransomware attackshackers were able to withdraw about 52.2 bitcoins, or about $143,000, from online cryptowallets. The withdrawals were concerned by Elliptic, and highlights general security concerns over online currencies.

Enjoy your read? Check out our other content here.

10Fold- Security Never Sleeps- 190

Sweden Accidentally Leaks Personal Details of Nearly All Citizens

“Swedish Transport Agency breached”

Virtually all Swedish citizens personal vehicle details may have been leaked due to a mishandling of an outsourcing  deal with IBM. Swedish media reports that this breach extends to private vehicles and even police and military transportation as well.

Wells Fargo Gets Regulatory Questions After Data Breach

“Release of client details prompts questions”

Wells Fargo, despite already being a target of regulatory scrutiny from last years fake account scandal, has drawn even more attention to itself after a new leak. A lawyer working for the firm has released sensitive client data for tens of thousands of accounts, mostly of wealthy clients in the brokerage unit.

Second Major Ethereum Hack In a Week Leads to $34 Million Theft

“Popularity met with skepticism of security”

Cryptocurrencies like Ethereum and BitCoin have been rising fast in popular use, however many investors remain cautious due to concerns over vulnerabilities. Ethereum is not doing much to ease doubters, being majorly hacked for the second time in a single week.

Cybercriminals Kept Botnet That Infected 500,000 Computers Hidden For Five Years

“Stantinko is new creeping botnet”

The Mirai botnet and ransomware programs like WannaCry and Petya have often caught our attention, but have you heard of Stantinko? It’s been able to stealthily execute its criminal mission for over five years without attracting much, or perhaps any, media attention.

Enjoy your read? Check out our other content here.

My First Trendjack Experience at 10Fold

As a new addition to the 10Fold team, as well as being new to the cybersecurity practice in general, it has been important for me to monitor the news on a daily basis in order to get familiar with trending topics and identify what it is my clients can speak to with authority. Although many stories have caught my eye in the last two months since I started these daily news sweeps, the NotPetya cyber attack stood out to me above all others.  

Peyta/NotPetya/ExPetr/GoldenEye is an ongoing cyberattack that started Tuesday, June 26. It began with a cyberattack in Kiev, Ukraine, where this malware went on to hit around 2,000 computer systems, specifically targeting computers running the Microsoft Windows Operating system. While many people originally believed it to be a form of ransomware similar to the recent ‘Petya’ attacks, this malicious software has been categorized as a  “wiper.” It’s designed to cause mayhem and wipe computers – and is not actually ransomware – which is why this ongoing attack has adopted so many names. It’s similar, but also different in a lot of ways.

Although there were corporations and public sector agencies affected in more than 65 countries all over the world, Ukraine and Russia were hit the hardest, including Ukraine government ministries, banks, utilities, telecom operators, an airport and other major companies. Also attacked were Russian oil giant Rosneft and Russian web security firm group-IB. Computers at the Chernobyl nuclear plant were compromised as well, forcing workers to manually monitor radiation levels, which have their own inherent security and safety challenges. Others hit include companies in the UK, Germany, China and U.S., British advertising giant WWp, French Industrial group Saint-Gobain, Shipping giant A.P. Moller-Maersk, Cadbury, pharmaceutical companies, hospitals and many more.

What was interesting about Petya was that after encrypting files on the PC, it demanded $300 worth of Bitcoin Cryptocurrency in order to supposedly unlock them. It turned out that as the story evolved, the ransomware was later categorized as a wiper, as previously stated, and the computer’s’ files were completely destroyed. Some security experts claim that this attack is more harmful than WannaCry, because rather than spreading only via a weakness in Windows’ SMB, the NotPetya malware can also spread by finding passwords on the infected computer to move from system to system. It extracts passwords from memory and local filesystem. Once inside a corporate network, it works its way from computer to computer, destroying the infected machines’ filesystems.

There has yet to be a solid explanation on the attackers’ motive and what they were after. Researching the attack, NATO said it was likely launched by a state actor or by a non-state actor with support and approval from a nation state since the operation was extremely complex and likely very expensive. The Russian government has been suspected as a possible origin for NotPetya. The latest rumors suggested that it spread by accident by a Ukrainian tax software company, named MeDoc.

NotPetya is continually evolving and more information is exposed every day. As one of the more significant organized attacks in 2017, it should bring awareness to the fact that many are unprotected. Even though large-scale attacks like this are not new, they are important to watch because each time around they are getting stronger and more sophisticated.   

It will be fun keeping an eye on more of these trends as they pop up. The next one I’ll dive into is the recent disclosures of public cloud leaks from organizations using the popular AWS services!

By Kory Buckley

Enjoy your read? Read our other blog content here.

 

Sources:

http://spectrum.ieee.org/tech-talk/computing/it/notpetya-latest-ransomware-is-a-warning-note-from-the-future

https://www.reuters.com/article/us-cyber-attack-ukraine-backdoor-idUSKBN19Q14P

http://www.darkreading.com/attacks-breaches/petya-or-not-global-ransomware-outbreak-hits-europes-industrial-sector-thousands-more/d/d-id/1329231

https://www.theverge.com/2017/7/2/15910826/nato-response-petya-attack-state-actor-russia-ukraine

http://www.csoonline.com/article/3204547/security/petya-wannacry-and-mirai-is-this-the-new-normal.html

https://www.forbes.com/sites/thomasbrewster/2017/07/05/notpetya-hackers-demand-256000-in-bitcoin-to-cure-ransomware-victims/#5f709ac86cf9

What are Blockchain and Crypto Currency, and why you should be paying attention…

Throughout the last two years we’ve heard rumblings about Blockchain, and more recently, Crypto Currency. But as these technologies graduate from buzz words to real-world technologies, many questions still remain…

This blog will be the first in a short series where we explore what pundits are dubbing the next gold rush, and quite possibly, the foundation for the Internet 2.0.

What are Blockchain and Crypto Currency?

Blockchain, as defined by Wikipedia, is a distributed database that maintains a continuously growing list of recordscalled “blocks”, which are secure from tampering and revision. Each block contains a timestamp and a link to the previous block. By design, Blockchains are resistant to data modification. Once recorded, the data in a block cannot be altered.

Crypto Currency, on the other hand, is designed to work as a medium of exchange for digital and tangible assets. It uses cryptography to secure said transactions, and to control the creation of additional units of the currency, called Double Spending—which is essentially the counterfeiting of digital currencies. Bitcoin, which we’re all familiar with, became the first decentralized Crypto Currency in 2009, gaining notoriety for its role in Silk Road.

Where does Crypto Currency fit into Blockchain?

Simply put, think of Crypto Currency as the monetary medium for “purchasing” or exchanging digital and tangible assets securely on the network, while Blockchain is the accountant tracking all said transactions in a public digital ledger.

So what’s next for Blockchain and Crypto Currency?

While the future looks bright, Cryptos still lack backing and regulation from financial institutions and government bodies, and pricing/valuation remains highly volatile. Standards have also yet to be established for the Blockchain. 2017, however, is shaping up to be perhaps the most important year for Blockchain and Crypto advancements to date, as use-case specific Blockchains and Cryptos are beginning to emerge.

Take Ethereum for example, a distributed public Blockchain network and Crypto Currency that recently partnered with the United Nations for a large-scale beta test to distribute funds to residents of a Jordanian refugee camp (read more here). Then there’s Litecoin, an open-source peer-to-peer Crypto Currency and software project released under the MIT/X11 license. The Australian Government recently committed nearly half a million dollars to Blockchain standardization, one of many standards efforts currently underway.  

Stay tuned for more from 10Fold as these technologies continue to evolve, as we’ll be diving into both Blockchain and Crypto Currency progress, news, etc. during the coming weeks.

10Fold- Security Never Sleeps- 137

The Malwarebytes Report: The 2016 Global Malware Landscape

“U.S. most targeted country”

Malwarebytes has reported that the United States has more than any other country been the target by malware in the most amount of categories. The only category that leads the United States is in banking Trojan programs, where Turkey tops the chart in breaches.

Busted: bitcoin mined using government server

“Federal Reserve employee caught mining on the job”

Apparently not everyone at the Federal Reserve discounts the value of Bitcoin. Now former employee Nicholas Berthaume was given a year probation and fined for using unauthorized software on a Board of Governors of the fed server.

Czechs Blame Foreign Power for Email Hack Similar to Attack in U.S.

“Tuesday hack mirrors infamous DNC breaches”

A hack on the Czech foreign ministry left the system employees utilized to email other accounts outside of the ministry. Foreign Minister Lubormir Zaoralek addressed the concerns with a focus on the severity of the situation, but assuring that all internal communications and classified documents appear unaccessed and safe.

Enjoy your read? Check out our other content here.

10Fold – Security Never Sleeps – 35

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Security researchers have found that nearly all versions of the Magento e-commerce platform allows hackers to embed malicious JavaScript code insider customer registration forms on millions of e-commerce sites. A symantec partner has allegedly been caught running a tech support scam by leveraging bogus threats to sell overpriced security software. Sixteen lawmakers are trying to end congress’ gridlock by offering new bills that would help ensure student and employee privacy. Blockchain has emerged as a more secure, transparent, faster and less expensive financial alternative and continues to push for adoption throughout various industry.

Bug In Magento Puts Millions Of E-Commerce Sites At Risk Of TakeOver – Publication: Ars Technica – Reporter name: Dan Goodin

Millions of online merchants are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform. The stored cross-site scripting (XSS) bug is present in virtually all versions of Magento Community Edition and Enterprise Edition prior to 1.9.2.3 and 1.14.2.3, respectively, according to researchers from Sucuri, the website security firm that discovered and privately reported the vulnerability. It allows attackers to embed malicious JavaScript code inside customer registration forms. Magento executes the scripts in the context of the administrator account, making it possible to completely take over the server running the e-commerce platform.


Symantec Partner Caught Running Tech Support Scam – Publication: Network World – Reporter name: Gregg Keizer

According to San Jose, Calif.-based Malwarebytes, Silurian Tech Support ran a scam in which its employees, who billed themselves as support technicians, used obscure but harmless entries in Windows’ Event Viewer and Task Manager to claim that a PC had been overwhelmed by malware, then leveraged those bogus threats to sell overpriced copies of Symantec’s Norton security software and an annual contract for follow-up phone support.


5 Things Congress Should Learn From New State Privacy Bills – Publication: Wired – Reporter name: Any Greenberg

On Wednesday 16 states’ lawmakers, with the advice and coordination of the American Civil Liberties Union, introduced bills designed to shore up Americans’ privacy on a long list of issues that federal lawmakers have either ignored or allowed to become paralyzed in Congress’s endless gridlock. That collective legislative push, which the ACLU is calling Take CTRL, addresses everything from student and employee privacy to new police surveillance techniques. The bills, together, would cover more than a 100 million Americans, by the count of the ACLU’s advocacy and policy counsel Chad Marlow.


How Will Bitcoin And Blockchain ‘Cross The Chasm’? An Analysis Of 5 Strategies – Publication: Forbes – Reporter name: Laura Shin

Blockchain, or distributed ledger, technology is more secure, transparent, faster and less expensive than current financial systems. And it has applications in other sectors like identity issuance, land titles, provenance and more. But for all its superiority, it finds itself in what disruptive innovation author Geoffrey Moore would call “the chasm”: Right now, tech enthusiasts and other people who have strong reason to prefer this technology over existing options have adopted it, but the companies in the space now need to attract users outside the core believers.

10Fold – Security Never Sleeps – 32

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider:  Amazon will officially launch is “replenishment” service that will launch on Tuesday. A new linux malware has been discovered that takes a screenshot every 30 seconds. Lastly, two informative articles about the state of bitcoin and Network security vs. app security.

Printer, Washer Automatically Order From Amazon – Publication: USA Today – Reporter name: Elizabeth Weise

The day your house automatically orders whatever you’re running low on came a step closer Tuesday, with Amazon’ launch of what it calls a “replenishment” service. A printer, a washing machine and a blood glucose monitor are the first three products that will automatically order more supplies when they’re close to running out. Beginning Tuesday, selected Brother printer models will track their toner usage and consumption patterns and then – if the user has selected the service – automatically order more from Amazon when levels dip.


Linux Trojan Takes Screenshots Every 30 Seconds – Publication: Security Week – Reporter name: Eduard Kovacs

Detected by Dr. Web products as Linux.Ekoms.1, the malware takes screenshots every 30 seconds and saves them to a temporary folder in the JPEG format using the extension .sst. If the screenshot cannot be saved as a JPEG, Ekoms attempts to save it in the BMP image format. An analysis of the Trojan revealed that its developers are also working on a feature designed to record audio and save the recording in WAV format in a file with the .aat extension in the same temporary folder. While the sound recording feature exists, it’s not active in the Ekoms variant analyzed by Dr. Web.


Network Security VS. App Security: What’s The Diference, And Why Does It Matter? – Publication: CSO – Reporter name: Kacy Zurkus

The risk for that enterprise is in backups, disaster recovery, incident response and any other outsourced unedited, unencrypted, and unaudited connections. Paula Musich, research director, NSS Labs said, “Historically, network security has been focused on ports and protocols, and it has relied on the ability to scan network traffic—typically at the perimeter of the enterprise network.”


R.I.P. Bitcoin. It’s Time To Move On – Publication: Washington Post – Reporter name: Vivek Wadhwa

Not long ago, venture capitalists were talking about how Bitcoin was going to transform the global currency system and render governments powerless to police monetary transactions.  Now the cryptocurrency is fighting for survival.  The reality came to light on Jan. 14, when its influential developer, Mike Hearn, declared Bitcoin a failure and disclosed that he had sold all of his Bitcoins.  The price of Bitcoin fell 10 percent in a single day on the news, a sad result for those who are losing money on it.