Showing posts with label Cybercrime.

Saturday, 9 April 2016

No Honour Among Thieves (or Assassins)

The use of blockchain technology has increasingly focussed on uses other than cryptocurrencies.  One challenge being addressed is how do you deal with someone who you don't know, may never have met, and yet with whom you wish to exchange cryptocurrency for goods and services, especially as the transaction is ostensibly anonymous on both sides.  Well, the answer, many feel, is in the form of Smart Contracts, which can be supported by the blockchain itself.

However, as with so much in technology, smart contracts have a darker side.  A paper that popped up this week gives a very good summary and analysis of scenarios in which smart contracts could be used between criminals.  The scenarios include everything up to and including hiring an assassin: how can you be sure that the assassin will do the job if you pay in advance, and, conversely, how can the assassin be sure of being paid once the poor victim is dead?  A contract that releases payment automatically when the blockchain can verify that the condition has been met removes the need for either party to trust the other.

The paper, entitled "The Ring of Gyges: Investigating the Future of Criminal Smart Contracts" explores some ideas I had never thought of, but which are quite fascinating.  The types of criminal contract demonstrated in the paper are:

Sunday, 18 December 2011

Is Anonymous Cyber Cash Good Or Bad?

Online currencies are not new.  Since the dotcom boom there have been those who have sought to provide a service that enables non-traditional means of payment online.  However, most of the mechanisms that survived have a formal linkage to some real-world form of payment.  For example, PayPal is linked to credit cards or bank accounts.  It provides a level of abstraction when entering details of payment online, thereby isolating the risks of your bank details being captured to the one place.

But, there has been a rise in another form of online payment which seeks to provide complete anonymity.  Whereas, if they wished, law enforcement agencies could trace back some transaction via, say, PayPal to a real person via their bank, the new forms of exchanging funds aim to isolate the user completely from any investigation.  There are a few of these new services:

  1. eCache: an anonymous bank operating over the Tor network.
  2. Bitcoin: a decentralised, peer-to-peer digital currency (strictly pseudonymous rather than anonymous, since every transaction is recorded on a public ledger).
  3. Pecunix: an anonymous digital gold currency.

Anyone who knows anything about the Tor network will be aware of how it is used to maintain anonymity in what a user does online.  However, the service that has been worrying people involved in cyber security for some time is Bitcoin.  Why?  Well, it appears to have become the currency of choice for cyber criminals.  There are sites, including some advertised on Twitter, that offer stolen (or at least valid) credit card details in exchange for a transfer in Bitcoin.

In a previous Blog I talked about how cyber criminals were selling information in a growing "market", that enabled other cyber criminals to mount very powerful attacks.  Whilst the obvious information, such as credit card and identity details, are "for sale", the really high stakes involve the selling of zero day exploits.  If one hacker finds a previously unknown vulnerability s/he can sell it online; sometimes for hundreds of thousands of dollars.

There is a proper exchange rate between real-world currencies and Bitcoin.  Hence, by looking at some of the transactions online we can tell just how much these zero day exploits are worth to the cyber criminals.  And it's not necessarily just "criminals" that are operating in this new market.  The Stuxnet attack of 2010 used four zero day exploits.  If that attack was mounted by a nation state then you can't help but conclude that it must have bought the knowledge of at least some of the zero day exploits used.

The anonymous online banks rely upon public key cryptography, but the key to their power is the "blind signature", introduced by David Chaum: the bank signs a token without seeing its contents, so when the token is later spent the bank can verify its own signature but cannot link the token back to the customer who withdrew it.  It is worth noting that this is a two-party process between customer and issuer (Bitcoin, by contrast, does not use blind signatures; its pseudonymity comes from transactions being tied to keys rather than names), and that its value relies upon enough people coming to trust and accept the issuer's tokens.  One of the simplest forms of blind signature is the RSA blind signature.  But as you might expect it has known weaknesses, notably that the signer acts as a signing oracle for whatever it is handed, and so further, more robust algorithms have been (and continue to be) developed.  But why?  Why develop algorithms that can so easily be used to enable anonymity in online transactions?  Well, not all online transactions requiring anonymity are criminal.  For example, e-voting.  In a secret online ballot I do not want the person running the systems to necessarily know who I voted for.
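As an added worked example (mine, not from the original post), here is the RSA blind signature round trip in Python with the customer's and the issuer's steps kept separate, so you can see that what the issuer signs is not the token it later verifies.  The key generation from fixed seeds, the hash-then-reduce-mod-n convention and the coin serial number are assumptions for the demonstration; a real mint would use standardised padding, a dedicated signing key and far larger primes.

```python
"""RSA blind signature (Chaum): the issuer signs a token it cannot see.

Added example, not from the original post. Seeded key generation, the
hash-then-reduce-mod-n convention and the coin serial are demonstration
assumptions; a real mint uses standard padding, a dedicated signing key
and far larger primes.
"""
import hashlib
import secrets
from math import gcd

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below about 3.3e24."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start):
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


def generate_keypair(seed_p=2**61 + 1, seed_q=2**62 + 1, e=65537):
    """Return ((n, e), d). Fixed seeds keep the example repeatable."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 2)
    n = p * q
    return (n, e), pow(e, -1, (p - 1) * (q - 1))


def token_digest(token, n):
    """Hash-then-sign; reduced mod n so it is a valid RSA input (toy convention)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


def blind(m, pub):
    """Customer: multiply by r^e so the issuer sees only a random-looking value."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r


def sign_blinded(blinded, d, pub):
    """Issuer: apply the private key without learning what was signed."""
    n, _ = pub
    return pow(blinded, d, n)


def unblind(blinded_sig, r, pub):
    """Customer: strip the blinding factor to get a signature on the real m."""
    n, _ = pub
    return (blinded_sig * pow(r, -1, n)) % n


def verify(m, sig, pub):
    """Anyone holding the public key can check a token when it is spent."""
    n, e = pub
    return pow(sig, e, n) == m


def withdraw(token, pub, d):
    """Full round trip; returns what each party saw so linkability can be checked."""
    n, _ = pub
    m = token_digest(token, n)
    blinded, r = blind(m, pub)
    sig = unblind(sign_blinded(blinded, d, pub), r, pub)
    return {"m": m, "issuer_saw": blinded, "sig": sig, "valid": verify(m, sig, pub)}


if __name__ == "__main__":
    pub, d = generate_keypair()
    result = withdraw(b"coin-serial-0001", pub, d)
    print("valid:", result["valid"], "issuer saw real token:", result["issuer_saw"] == result["m"])
```

The signing-oracle weakness mentioned above is visible in `sign_blinded`: the issuer raises whatever it is given to the power d, so an issuer that used the same key for other purposes could be tricked into signing arbitrary values.  That is why deployments hash the message first and keep a key solely for token issue.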


It's also worth noting that the physical banking system also has several methods for unregistered transfer of money, so this is not a unique feature of the online world.  Bearer bonds are perhaps the best known.  And, of course, cash is untraceable for most of the transactions in which it is involved.  Having said that, most jurisdictions have a variety of means to discourage mechanisms like bearer bonds or transportation of large amounts of cash.

Of course, the virtual currency has to be converted at some point into currencies that can be used in real-world transactions.  And there's the rub.  These new online currencies have an exchange rate just like any other and that rate is influenced very strongly by the faith that the markets have in it.  Whilst Bitcoin started strongly, there is evidence that it may be tailing off (see conversion rate below).



So, the big questions for debate are:
  1. Should such virtual, anonymous currencies exist at all?
  2. Will they ultimately be undermined by a lack of confidence?

I suspect that the increasing levels of cybercrime are going to raise these questions, and will probably change the answers you might give, over the coming year.

Wednesday, 14 December 2011

When Does A "Tool" Become A "Weapon"?

As with so many tools, security vulnerability detectors can be misused to exploit rather than defend.  The Metasploit Project is an extremely valuable tool and many of us in cyber security use it to research and probe for potential problems. However, a recent development revealed by Security Labs in India demonstrates just how easily the Metasploit Framework can be used to develop malicious payloads that avoid detection by the usual Anti-Virus and Firewall software.

By installing a few extras with BackTrack 5 (another tool-set that penetration testers know well) it is possible to run a script based upon Metasploit that generates a "reverse TCP payload".  In essence, all of your Internet data is carried using a protocol called TCP/IP, where the IP part gives the "addresses" of the sender and receiver, and the TCP part ensures that the data, which is chopped up into small "packets" for transmission across the Internet, is reconstructed correctly once received.  A conventional backdoor listens on the victim's machine and waits for the attacker to connect in; a "reverse" payload does the opposite: once it is running on the victim's machine it opens an outbound connection back to the attacker and takes its commands over that connection.  Because the victim's machine initiated the connection, it looks like any other outbound session, which most firewalls allow by default, and so it slips past the traps that are usually employed to catch unsolicited inbound connections.
What could you do with this?  Well, imagine you could use the technique to deliver a "backdoor" to a machine. Actually, you don't need to imagine, as that is exactly what was done.  All of a sudden you have the means to take over a machine remotely without the user knowing, and in such a way that most users would stand very little chance of detecting the attack: certainly not using routine Anti-Virus and Firewall software.
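To make the direction point concrete, here is an added example (mine, not from the post or from Metasploit) that models a simple stateful firewall in Python and runs a bind-style payload and a reverse payload through it.  The addresses, port numbers and the policy itself ("allow outbound, drop unsolicited inbound, permit established flows") are assumptions chosen to mirror a common default; the last scenario shows what egress filtering does to the reverse connection.

```python
"""Stateful firewall model: why a reverse TCP payload passes a default policy.

Added example, not from the original post or from Metasploit. Addresses,
ports and the policy are assumptions mirroring a common default: allow
outbound, drop unsolicited inbound, permit packets of established flows.
"""
from dataclasses import dataclass

ALLOW, DROP = "ALLOW", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a new connection


class StatefulFirewall:
    def __init__(self, protected_host, exposed_ports=(), egress_ports=None):
        self.host = protected_host
        self.exposed_ports = set(exposed_ports)  # inbound services we publish
        self.egress_ports = egress_ports         # None = any outbound port allowed
        self.flows = set()                       # (host_port, peer, peer_port)

    def _flow_key(self, pkt):
        if pkt.src == self.host:
            return (pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        key = self._flow_key(pkt)
        if key in self.flows:                    # ESTABLISHED: either direction
            return ALLOW
        if pkt.src == self.host:                 # outbound NEW
            if not pkt.syn:
                return DROP                      # stray packet with no flow
            if self.egress_ports is not None and pkt.dport not in self.egress_ports:
                return DROP                      # egress filtering bites here
            self.flows.add(key)
            return ALLOW
        if pkt.dst == self.host and pkt.syn and pkt.dport in self.exposed_ports:
            self.flows.add(key)                  # inbound NEW to a published port
            return ALLOW
        return DROP                              # unsolicited inbound


def bind_payload(fw, attacker, victim, port=4444):
    """Bind shell: the payload listens on the victim and the attacker connects in."""
    return fw.filter(Packet(attacker, 51000, victim, port, syn=True))


def reverse_payload(fw, attacker, victim, port=443):
    """Reverse shell: the payload on the victim connects out, then the attacker
    sends commands back down the same established connection."""
    return [
        fw.filter(Packet(victim, 49152, attacker, port, syn=True)),   # outbound connect
        fw.filter(Packet(attacker, port, victim, 49152, syn=False)),  # attacker's reply
        fw.filter(Packet(victim, 49152, attacker, port, syn=False)),  # payload output
    ]


if __name__ == "__main__":
    attacker, victim = "203.0.113.7", "10.0.0.5"
    fw = StatefulFirewall(victim)
    print("bind payload   :", bind_payload(fw, attacker, victim))
    print("reverse payload:", reverse_payload(fw, attacker, victim))
    strict = StatefulFirewall(victim, egress_ports={80, 443})
    print("reverse to 4444, egress filtered:", reverse_payload(strict, attacker, victim, 4444))
    print("reverse to 443,  egress filtered:", reverse_payload(strict, attacker, victim, 443))
```

The model shows two practical points: the default policy cannot tell a reverse payload from a browser session, so blocking it means controlling egress (allowed destination ports, or forcing traffic through a proxy), and even then an attacker who picks port 443 still gets through, which is why detection has to look at what the process is and what it sends, not just the direction of the connection.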

It's such a shame that these tools are used in this way. Or is it? Perhaps that's the very reason they exist.  After all this has shown a vulnerability and a form of attack vector that may not have been thought about by the AV and Firewall vendors.

Monday, 12 December 2011

Hackers Serve Notice Of An Interesting Year To Come

To paraphrase Douglas Adams' mega computer, "Deep Thought", I speak not of the attacks that have happened in 2011 but of those that are to come.  2011 has been dubbed by many in the press as "the year of the hacker".  I think they may be mistaking the calm before the storm.  One has only to read the various Tweets and Blogs by those involved in the hacking to realise that, if anything, they feel emboldened.  I don't mean those involved in cybercrime or cyber warfare, but the hacktivists.

The hacktivists such as TeamPoison, Anonymous and LulzSec have found that hacking can be a very effective means of making a political statement.  In times of increasing economic peril, widening gaps between rich and poor, and behaviour by some that appears to be worse than Gordon Gekko's, it's not surprising that those identified as the cause of the problem are subject to attack.

Whilst many involved in cyber security are seeking to secure systems that could lead to financial loss or interruption of critical infrastructure, I can't help but wonder if those in the sights of the hacktivists have taken the necessary precautions.  I suspect their focus may be elsewhere.  But, when it comes they can't say they weren't warned. And I don't mean by folk like me. The hacktivists themselves have quite blatantly set out their intentions - see below - ignore it at your peril (DO NOT WATCH THIS IF YOU ARE EASILY OFFENDED):

Monday, 5 December 2011

It's Not Junk Email That Is The Worry But What Lies Behind Them

It’s quite scary how many home computers are unwittingly aiding and abetting cyber criminals: 6% according to the latest study reported by the BBC. And it’s not just spam email that is the problem.

One of the issues that those tackling the problem have is that spammers are becoming ever more cunning in their use of email content.  Whilst spam filters look for obvious content, often through keyword matching, the spammers subtly change the content so that it still reads correctly to a human recipient but no longer matches what an automated process is looking for.  The classic is replacing a letter (say "l") with a look-alike number (say "1").
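Here is an added example (mine, not from the original post) of the defender's answer to that trick: instead of matching the keyword literally, each letter is expanded into a character class of its common look-alikes and any run of non-word characters is tolerated between letters, after NFKC normalisation folds full-width and other compatibility forms back to ASCII.  The keyword list, the homoglyph table and the sample subject lines are constructed for the demonstration.

```python
"""Keyword matching that survives spammers' look-alike substitutions.

Added example, not from the original post. The keyword list, the homoglyph
table and the sample subject lines are constructed for the demonstration.
"""
import re
import unicodedata

# Characters a spammer commonly substitutes for each letter (assumed table).
HOMOGLYPHS = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!|l",
    "l": "l1|!i", "o": "o0", "s": "s5$z", "t": "t7+",
}
KEYWORDS = ("viagra", "loan")


def build_pattern(keyword):
    """Each letter becomes a class of its look-alikes; any run of non-word
    characters (dots, spaces, zero-width spaces) may sit between letters."""
    parts = []
    for ch in keyword:
        cls = HOMOGLYPHS.get(ch, ch)
        parts.append("[" + "".join(re.escape(c) for c in cls) + "]")
    return re.compile(r"[\W_]*".join(parts))


PATTERNS = {kw: build_pattern(kw) for kw in KEYWORDS}


def normalise(text):
    """NFKC folds full-width and other compatibility forms to ASCII;
    casefold handles mixed case."""
    return unicodedata.normalize("NFKC", text).casefold()


def find_keywords(text):
    """Robust matcher: returns the keywords found in the subject line."""
    norm = normalise(text)
    return [kw for kw, pat in PATTERNS.items() if pat.search(norm)]


def naive_find_keywords(text):
    """What a plain keyword filter does, for comparison."""
    norm = text.casefold()
    return [kw for kw in KEYWORDS if kw in norm]


# Constructed sample subject lines.
SAMPLES = [
    "Cheap V1agra today",
    "v.i.a.g.r.a for less",
    "Low-rate L0ANS available",
    "Vi\u200bagra discount",                        # zero-width space inside the word
    "\uff36\uff49\uff41\uff47\uff52\uff41 online",  # full-width letters
    "Meeting notes attached",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:42} naive={naive_find_keywords(s)} robust={find_keywords(s)}")
```

The loose separator class is what makes this catch "v.i.a.g.r.a", but it also widens the false-positive surface on long messages, so in a real filter it would be one scored feature among many rather than a hard block.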

With the latest estimates saying that spam, and malware-laden emails, account for over 70% of all email traffic, this is undoubtedly a significant problem, although attempts over the last year have made some inroads into reducing the volumes.  Microsoft report in their latest Security Intelligence Report that machines running their software (and, despite the wishes of the Apple lobby, the vast majority of PCs run Microsoft operating systems) have seen a significant decrease in spam emails.


Having said that, there is a valid debate as to who should be trying to stop the email.  With landmark cases such as that in the European Court of Justice two weeks ago, which relieved ISPs of responsibility for ensuring traffic does not contravene copyright laws, who is to say that the ISPs should stop spam?  After all, the Post Office does not stop junk mail by default.  There is a view that we should all take more responsibility for our own machines and have email clients that can stop junk email and catch malware before it jumps from our email to our PCs.

This volume of spam does not mean great economic loss through reading adverts for illegal Viagra, cheap loans or free legal advice.  Rather, the criminal activity comes from so-called "phishing" emails.  You might think it rather daft to respond to, for example, someone calling themselves the ex-President of Nigeria who, if only you would deposit £1000 in his account, could release millions and would reward you tenfold.  We've all had them.  But if you send enough of them, then someone will fall for the scam.


There is a classic hacker trick where you obtain a phone book for a company. Then you ring around each number in the book saying you are "technical support" and that you have called to help them with their problem.  Eventually you will reach someone who has a problem and has lodged a call for help.  You then ask for the username and password, which of course they are happy to provide as you have "proven" you are technical support by responding to their call.  How else would you have known to call them? The current equivalent is the email. We all receive emails from banks saying that they are responding to our call for assistance and would we just click this link and enter our details in the very authentic-looking website.  The medium is different but the con is the same.  With billions of spam emails each day, the spammers can collect a frightening number of credentials.

However, in my opinion, the fact that such a large proportion of home machines host unknown malware hides a bigger threat than simply spreading large volumes of annoying and phishing emails.  By hijacking so many PCs it is possible to mount a massive probing operation that seeks out high value targets susceptible to classic hacking attacks.  A good example is what is known as "SQL Injection": if a web application pastes what the user typed straight into a database query, carefully crafted input can change what the query does.  If an attacker had to manually probe every system using SQL to see if it was vulnerable his/her arms would fall off before they found a victim.  But automate the process across many thousands of "bots", each of which reports success or failure back to some master criminal machine, and you'll have an embarrassment of victims from which to choose.  In fact, this is so effective that an industry is growing up in which one set of criminals will find the vulnerable machines and then sell the list to other criminals.
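As an added example (mine, not from the original post), the following Python shows the vulnerable query beside its parameterised form, and the two cheap checks an automated probe of the kind described above would run against each: does a lone quote break the query, and does a tautology return more rows than a normal lookup.  The schema, the rows and the probe strings are constructed for the demonstration; it uses Python's built-in sqlite3 so it runs offline.

```python
"""SQL injection: vulnerable query, hardened query, and an automated probe.

Added example, not from the original post. Schema, rows and probe strings
are constructed for the demonstration; uses the built-in sqlite3 module.
"""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.org"),
        ("bob", "bob@example.org"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    # User input pasted straight into the SQL text: the classic mistake.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the
    # statement, so quotes in the input can never change the query's structure.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(conn, lookup):
    """Two checks a scanning bot would report back to its controller:
    error-based (a lone quote breaks the statement) and boolean-based
    (a tautology returns more rows than the baseline lookup)."""
    baseline = len(lookup(conn, "alice"))
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return "vulnerable (syntax error on quote)"
    if len(lookup(conn, "' OR '1'='1")) > baseline:
        return "vulnerable (tautology returned extra rows)"
    return "not vulnerable"


if __name__ == "__main__":
    conn = make_db()
    print("normal lookup   :", lookup_safe(conn, "alice"))
    print("vulnerable probe:", probe(conn, lookup_vulnerable))
    print("safe probe      :", probe(conn, lookup_safe))
```

The probe is deliberately crude because that is what makes it cheap to run from thousands of bots: it needs no knowledge of the target, only a way to tell "broke" from "didn't".  The defence is equally unglamorous: the parameterised form leaves nothing for the probe to find.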

So, am I worried about junk email?  No.  Am I worried about those same hijacked PCs supporting criminal hacking?  Yes.  The graphs show that the junk email is beginning to be tackled, but what is less clear is whether the hidden activity of these botnets is being tackled.  My guess is not.

Monday, 28 November 2011

Analysis Emerges About Government Cyber Strategy

It's fascinating to watch the various interpretations that have emerged over the weekend following the release on Friday of the UK Government Cyber Strategy.  Some do appear to have come up with quite extreme interpretations, such as that from ZDNet (http://www.zdnet.com/blog/london/uk-government-8216planning-to-launch-stuxnet-like-attacks-against-hostile-states/1128), who read from the document that the UK was about to go on the offensive with attacks such as the Stuxnet attack of 2010 through clandestine means.  However, as if to salve their own journalistic conscience, they did add that it had been worded "vaguely".  Quite.

Of more interest are those that have picked up on the fact that the MoD will be involved in developing capability alongside GCHQ.  British Forces Broadcasting Service of all people gave a succinct interpretation which I thought was really rather good, although a tiny bit of irony perhaps in having to admit that they had lost quite so much data:


Saturday, 26 November 2011

Cyber Defence Through Community Action

Today sees the start of Malcon (http://malcon.org/) in India.  The clue is in the name: it is a conference about malware.  However, it has some important differences to the now infamous DEFCON gathering in Las Vegas each year, where hackers attend to learn from each other how best to attack systems around the world.  Malcon has a degree of involvement from the Indian government.  Not hidden or disguised: totally in the open.  Whereas DEFCON has a "spot the fed" competition, Malcon appears to welcome government involvement.

The Indian government formed a centrally run register of those who can help organisations to counter and respond to cyber attack.  It is known as the National Security Database (http://nsd.org.in/web/).  The government certifies the individuals they list so that users of the register can trust those that they call upon. Whilst it has existed for some time, the NSD is due to be launched (or some would say re-launched) at Malcon.  The NSD was conceived after the terror attacks in Mumbai in 2008 when India realised it was as vulnerable as anyone else to attack, including cyber attack, particularly on critical national infrastructure.

In many ways the NSD looks a lot like some elements of the planned "hub" in the UK.  How successful either model will be has yet to be seen, but at least the Indians have taken action and have put the NSD in place.

In a further demonstration of how a community can (apparently) come together to help defend itself, a not-for-profit organisation has been formed called the Indian Cyber Army (http://www.cyberarmy.in/).  Their ambitions appear very laudable in trying to engage white and black hat hackers in defence rather than attack.  What's more, they are trying to engage them from a very early age.  However, whether this works or is simply a magnet for black hat hackers to collaborate through will only become clear over time.

Friday, 25 November 2011

UK Government Cyber Security Strategy published today



The new government cyber strategy is out today. The main response is not a technological one but one of education: advising companies as well as government departments when and how they are under attack, and the simple steps, already within their gift, that they can take to repel these attacks.

A key element of the strategy is information sharing. When one organisation suffers an attack then the details, and how to cope with it, need to be made available to others so they can be suitably prepared should the attack turn in their direction. In a connected world, the very thing that makes cyber-attacks relatively easy can be used to help defend against them. After all, there is no point in receiving a quarterly update that simply tells you what happened. What you want is real-time information that allows you to pre-empt an attack.

Why is all of this so important? It is not just that between 5 and 10% of our GDP is directly dependent upon the Internet, and is growing very fast. The real issue is the theft of intellectual property. Earlier this year the Cabinet Office issued a report showing that of the estimated £27bn loss from cybercrime, £21bn was related to stealing other people's ideas (http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime ). Companies that are key to the UK economy such as Rolls Royce are constantly under attack with the attackers looking to steal valuable commercial ideas such as engine designs and alloy compositions which have taken many millions to develop. And the same is happening elsewhere, with examples in recent days of the Norwegian oil industry losing commercially sensitive data through cybercrime.

But the danger does not stop there. In recent days we have seen yet more attacks on infrastructure with the techniques first seen disrupting the Iranian nuclear facilities now evolving to be used to disrupt things like the water supply in Houston, USA.

So, the UK Government strategy will not be about protecting government assets alone. The UK Government has a significant role to play in helping UK PLC avoid major commercial losses and serious disruption.