Cyberweekly #80 - How secure are cryptocurrencies

Sent on 2019-11-30

With China making clear moves that it intends to have some form of Government backed digital currency. Whether that is a "cryptocurrency" and based on a blockchain or whether it is some other managed digital currency, a government backed digital currency has potential to change quite a lot in finance.

But if watching the news around cryptocurrencies, what I see is that we have even less controls and security around many cryptocurrencies than we do around existing money systems.

SWIFT and the international money markets are regulated in order to ensure that money can be tracked from sender to receiver. This is vital for ensuring that fraud can be tracked, that criminal theft of money can be discovered and reversed and to ensure that international regulations on money transfers can be adhered to.

Cryptocurrencies were born out of a desire to have currencies that cannot be tracked, where the money can be sent from person A to person B without having to prove any real identity, just possession of the wallet. This means that it's remarkably easy if you steal someones bitcoin, to run it through a mixer and get the money out without the original person having any comeback.

The same can be said about cash, but the interesting thing is that we very rarely make large purchases with cash, instead choosing to use either direct banking transfers (which are regulated and tracked) or in some cases bonded transfers via solicitors (which are regulated and tracked).

We've seen so many thefts of cryptocurrencies, whether from malware infested wallets, or sim hijacking to transfer online accounts, and we haven't yet built a model that is understandable, that works for normal people, and is appropriately secure for transferring large amounts of money.

How Digital Currency Could Be China’s Ultimate Soft-Power Tool | Observer
https://observer.com/2019/11/china-crypto-digital-currency-bitcoin-power-tool/

Perhaps most significantly, China’s central bank is working on a “Digital Currency Electronic Payment System,” a sort of fiat Bitcoin. Chinese bankers plan to launch the Chinese cryptocurrency sometime next year. In stark contrast to how coins in Western countries are used—they’re essentially stocks or other speculative commodities that only have “value” in relation to cash (as opposed to other commodities) and must be exchanged into cash before they can be used to purchase things or pay taxes—Chinese citizens and those doing business with the state would be able to use a “native digital currency” instead of cash.

Bitcoin exchanges are still banned in China, but why would China reverse itself so quickly? Power.

A cashless economy is a command economy—more command than even China’s brand of “state capitalism” has enjoyed. As TechCrunch observed, 82% of Chinese adults made digital payments in 2017. If all transactions were digital—and all transactions used a state digital currency—there would be no exchange of goods or services for money without government knowledge and potential disruption.

This is not something I saw coming, but a state issued and controlled electronic payment system makes a lot of sense. WeChat Payments and AliPay are already showing that the desire and market to pay for things electronically in China is huge, with 92% of the population in China's largest cities using one of those two systems as their main means of payment in 2018, and nearly 50% in rural china as well (for an overall 82%.

The interesting question will be whether any other countries decide to follow suit and whether their policy intent will be about the same command and control (as I'm sure many western politicians would love to "prevent benefit claimants spending their money on inappropriate things"), or whether it will be about enabling better, faster digital payments for citizens (assuming that fiat coins can provide that of course)

Crisis simulation maps national security risks of digital currency – Harvard Gazette
https://news.harvard.edu/gazette/story/2019/11/crisis-simulation-maps-national-security-risks-of-digital-currency/

The situation was hypothetical, but the proliferation of so-called virtual cryptocurrencies, like Bitcoin, poses real-world threats because they allow unmonitored movement of large sums of money on decentralized networks. “The fundamental nature of money is changing,” said Neha Narula, director of the Digital Currency Initiative, part of the MIT Media Lab, playing the assistant to the president for digital currencies, aka the Currency Czar. She then outlined various potential scenarios, like cyberattacks on individual banks and the international SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking network, acts of aggression that can be secretly funded by cryptocurrencies, which cannot be easily traced.

This is a worry for US interests because the US is used to being the dominant currency around the world. That comes with a lot of power, from regulation of the finance markets, regulations to inhibit funding of terrorist organisations and of course the implementation of sanctions against countries. Of course it's not just the US that is affected by this, many international organisations also work to maintain these systems, but the US has a strong foothold in this area due to the power of its currency. A move away from that control, whether international, US led or combinations thereof is a direct strike against the power of the US.

The Hague Program for Cyber Norms - News & Events
https://www.thehaguecybernorms.nl/news-and-events-posts/policy-brief-a-coalition-of-the-unwilling-chinese-russian-perspectives-on-cyberspace

The approaches and policies of Russia and China are often married together under the heading of "the Sino-Russian approach". This rings true not only in cybersecurity and -defence related discourse, but in West vs. East geopolitics in general. The Sino-Russian approach is often contrasted to the Western or "likeminded" approach, which represents the liberal world order. At the same time, little attention has been paid to the question, how united this Sino-Russian front is. Is it "us against the world"? Is the Sino-Russian approach "likeminded" in its grouping? Or are there discrepancies in this united front? Having a one-dimensional view of the Chinese-Russian relationship and omitting the different motives and goals of both actors undermine the intricacies and possibilities that a deeper understanding of the cyberspace-related policies of both countries might bring to western analysts and policy makers.

A good read if you want to understand some of the politics going on at the moment at the UN, which just passed the first stage of a bill around tackling cybercrime that was sponsored by Russia.

I think this quote sums up the differences in their offensive cyber policies.

Neither China nor Russia has ever publicly admitted to cyber operations they allegedly committed. Nevertheless, it is quite clear how they can be justified within their respective worldviews. China, seeking economic development and political stability, has combined a politically defensive stance with cyber activities serving to enhance economic capabilities and competitiveness with the United States. Russia, with its more limited economic interests and a greater influence of military and intelligence services, is applying its information security doctrines against external targets in order to effect political destabilization and paralysis. Yet its preferred endgame is less clear than China’s, and its chaos-based tactics more prone to escalation and unintended consequences.

You can see the differences in the aims of the countries and how those aims are achieved, but you can also see points of conflict in the Sinoa-Russian agreements, points that the west may be able to exert diplomatic effort to ensure that it doesn't just become "us-vs-them".

FSI | Cyber | Internet Observatory - New White Paper on GRU Online Operations Puts Spotlight on Pseudo-Think Tanks and Personas
https://cyber.fsi.stanford.edu/io/news/potemkin-pages-personas-blog

A deeper understanding of hack-and-leak operations. GRU hack-and-leak operations are well known. This tactic — which has been described in detail in the Mueller Report — had a particularly remarkable impact on the 2016 U.S. Election, but the GRU conducted other hack-and-leak operations between 2014 and 2019 as well. One of the salient characteristics of this tactic is the need for a second party (such as Wikileaks, for example) to spread the results of a hack-and-leak operation, since it is not effective to leak hacked documents without having an audience. In this white paper we analyze the GRU’s methods for disseminating the results of its hack-and-leak operations. While its attempts to do so through its own social media accounts were generally ineffective, it did have success in generating media attention (including on RT), which led in turn to wider coverage of the results of these operations. Fancy Bear’s own Facebook posts about its hack-and-leak attack on the World Anti-Doping Agency (WADA), for example, received relatively little engagement, but write-ups in Wired and The Guardian ensured that its operations got wider attention. 

This is a really long report, and even if you just read the summary it's worth reading.

It highlights the sorts of disinformation campaigns that the GRU has been behind over the last few years and shows that the GRU has never really operated the same way as the Internet Research Agency. It has a poor understanding or use of social media and instead focuses on trying to get contentious lines to be discussed or picked up in mainstream press. This method of using a "cut-out" is classic spycraft applied to the modern era, and shouldn't really be a surprise to anyone.

The problem is that while we can tell citizens to be more mindful of what they see and share on Facebook (and I think that's a lost cause anyway), it's really hard to tell people that they may not be able to trust the mainstream media that they read all the time because the journalists were fooled into covering a story. How you counter this form of information warfare is much harder problem, one that ideally would be fixed by journalists doing their jobs and being critical of sources, but I think in todays media landscape that might just be wishful thinking

Cryptocurrency exchanges across China halt services amid crackdown | The Japan Times
https://www.japantimes.co.jp/news/2019/11/28/business/chinas-crackdown-cryptocurrencies-claims-first-victims/

At least five local exchanges have halted operations or announced they will no longer serve domestic users this month, after regulators issued a series of warnings and notices as part of a cleanup of digital currency trading.

China is stepping up scrutiny of its massive cryptocurrency industry just weeks after President Xi Jinping ignited a market frenzy by declaring Beijing’s support for the blockchain technology that underpins the sector. But financial watchdogs including the Chinese central bank have in past weeks ordered cryptocurrency firms to shutter and warned investors to be wary of digital currencies, seeking to rein in a market prone to excesses. Weibo, a Chinese Twitter-like service, suspended accounts operated by major exchange Binance Holdings Ltd. and blockchain platform Tron.

Taken together, the latest wave of shutdowns and restrictions represent the biggest cleanup of the sector since an initial Chinese clampdown in September 2017. Although exchanges that allow users to buy Bitcoin and Ether with fiat money were banned, trading had remained rampant in China through over-the-counter platforms or services that deal with cryptocurrency assets only

This shutdown is probably a sign that the Chinese authorities are trying to clear up the market and areas before they make an official move. It's hard for any official currency to make waves if there are already lots of alternatives that don't come with government tracking, and so clearing those out and making them far less attractive is necessary if you want to control the market.

APT33 has shifted targeting to industrial control systems software, Microsoft says
https://www.cyberscoop.com/apt33-microsoft-iran-ics/

But in October and November, the number of targeted organizations fell to about 2,000 per month, while the number of targeted accounts per organizations jumped tenfold.  Many of those recent targets, Moran said, were ICS vendors and suppliers, and the consulting firms that work in that sector. He did not elaborate on the targets. But APT33, also known as Holmium and Refined Kitten, has previously focused on U.S. and Saudi Arabia-based organizations, including those in the defense, transportation, and oil and gas sectors.

Moran cautioned attendees not to mistake APT33’s noisy behavior — the password-spraying isn’t hard for Microsoft to notice — with a lack of sophistication.

“They are operationally, very sophisticated, and they pay careful, careful attention to op-sec,” Moran said.  “They’re deliberate. They make subtle changes to their tactics over time.”

This is your regular reminder that "Advanced Persistent Threats" can be highly capable, well funded and have strong operational processes, and still use password spraying as an attack vector because it's cheap, easy and just works.

It’s Way Too Easy to Get a .gov Domain Name — Krebs on Security
https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/

Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political center of Silicon Valley. No doubt a great number of smaller cities also haven’t figured out they’re eligible to secure their own .gov domains. That said, some of these cities do have .gov domains (e.g. nyc.gov), but it’s not clear whether the GSA would allow the same city to have multiple .gov domains.

In addition to being able to convincingly spoof communications from and websites for cities and towns, there are almost certainly a myriad other ways that possessing a phony .gov domain could be abused. For example, my source said he was able to register his domain in Facebook’s law enforcement subpoena system, although he says he did not attempt to abuse that access.

The discussion about whether the US's General Services Administration, or whether the Department for Homeland Security should manage the .gov domain is an interesting one. A domain is an administrative tool that has become critical to security in many ways. The fact that someone can get one easily is more than slightly worrying, especially when Krebs has pointed out, that access to emails coming from a gov domain gets you access to all kinds of other systems.

As a staging attack to get personal data, steal email accounts or whatnot, the security of that domain is critical to a lot of our infrastructure.

What is shitposting? And why does it matter that the BBC got it wrong?
https://www.newstatesman.com/politics/media/2019/11/what-is-shitposting-and-why-does-it-matter-bbc-brexitcast-laura-kuenssberg-got-it-wrong

The Brexitcast team wasn’t wrong to think the Tory political ads were shitposts – they are intentionally terrible graphics made terrible for the purpose of getting people to click on them and share. Kuenssberg likely read a variety of commentary on Twitter (potentially even this piece by the New Statesman) about how these graphics were shitposts at the end of October and presumed this to be the definition of all shitposting. A simple Google search could have shown her the real definition, the first three results being a Wikipedia article, an Urban Dictionary definition, and an explainer on Know Your Meme. And any of these would have shown her that political party posts are far from the only type of shitpost and are, actually, a fairly new incarnation of what a shitpost can be. 

This might seem like a basic mix-up from the BBC, making you wonder “who cares beyond a seeming lack of due diligence?” But the implications of misunderstanding internet terminology go far beyond a minor misread. The opaqueness of this language to journalists, law enforcement, and even average people who spend any time online means that dangerous language can go undetected – and recent events have shown that, when it has, it has deadly (and devastatingly preventable) consequences. 

The shitposting explainer from Robert Evans at Bellingcat mentioned above came after the Christchurch shooting – an event perpetrated by a man who was extremely, inextricably, deeply online. The shooter posted a manifesto before the shooting which was effectively one long ironic shitpost and even posted on notoriously horrific forum 8chan that it was “time to stop shitposting and time to make a real effort” just before murdering dozens of people.

I think this is interesting, because nobody is denying that what the political ads were a form of shitposting. I see the mistake as understandable, but as outlined a bit further down, the opaqueness and lack of understanding of the language is what leads to confusion and ignorance of what is being communicated. This is a repeat of previous generational differences, but with the added complexity of ubiquitous real time and always on communications, it's far more in your face.

Think Like An Attacker? Flip that advice!
https://adam.shostack.org/blog/2014/11/think-like-an-attacker-flip-that-advice/

Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They don’t know how an attacker approaches a problem. Telling people to think like an attacker isn’t prescriptive or clear

[...]

If you, oh great security guru, cannot think like a developer, for heavens sake, stop asking developers to think like attackers

(via Jon) . This is a great point by Adam. Security has a history of pushing the hard work to other people, whether it be pushing password complexity to users, blaming users for clicking links in phishing or refusing to give security advice because "it depends".

Saying "think like an attacker" is not a useful framing of advice to give to developers or development teams. They need structures, examples and systemic processes to help them understand what attackers actually want and how they want to get it.

Official Monero website is hacked to deliver currency-stealing malware | Ars Technica
https://arstechnica.com/information-technology/2019/11/official-monero-website-is-hacked-to-deliver-currency-stealing-malware/

The official site for the Monero digital coin was hacked to deliver currency-stealing malware to users who were downloading wallet software, officials with GetMonero.org said on Tuesday.

The supply-chain attack came to light on Monday when a site user reported that the cryptographic hash for a command-line interface wallet downloaded from the site didn't match the hash listed on the page. Over the next several hours, users discovered that the miss-matching hash wasn't the result of an error. Instead, it was an attack designed to infect GetMonero users with malware. Site officials later confirmed that finding.

Irony at its best.

Nobody has sorted out the trust problems when it comes to cryptocurrency. Almost all of the systems require you to download some software, and verifying the integrity of it is beyond most peoples capability. Let alone the verification of whether the software itself actually does what it says, that transfers do the right thing. And then you need to protect your online wallet against theft, and since almost all account recovery gets tied back to either email or SMS (or both), you still have these weird trust anchors that just aren't as secure as we'd like to imagine.

A tweet from the National Police in Spain - Twitter
https://twitter.com/policia/status/1185099947387084800?s=20

Are you an employee of a company? ... Be suspicious if they send you an email and, in addition to a transfer, they ask you: - Urgency - Confidentiality - Involvement - The status of the accounts - No telephone contact with the sender.

^^^ Google translate

(Joel) The message is actually useful, you should be weary if someone claiming to be inside your company asks you to do something (likely a financial transaction or tangential to it) urgently, in secret and doesn't want to speak on the phone...

... but really I'm including this for the chosen picture. It is amazing.

Previous Editions