BitCoin: Trust Going Bad

In 2009, Satoshi Nakamoto put an idea into practice: a digital currency that could be used without a bank or any central authority, based on the trust the users placed in each other. With the help of public-key cryptography and the Internet, members of this peer-to-peer network could check that a transaction was signed by the holder of the right key and accept transfers from and to that user, without either party revealing personal details beyond their public identity. So BitCoin was born.

It took a couple of years for the system to become known, used mostly by people who wanted to develop and experiment with something new. Little by little, as more people joined the network, small businesses and professionals started to accept it as payment, and currency exchanges appeared. Sites like Mt.Gox or TradeHill let you buy and sell BitCoins for U.S. dollars or euros, among other currencies. Thus BitCoins became not only an electronic currency but one you could convert and spend in the “real world.” BitCoin prices rose at an astonishing rate, from less than a cent to almost US$20. It looked like an excellent investment, and its uses became more and more interesting and varied.

But as with any foundation built on trust, the slightest mishap can make the system crumble, and that is what happened here. BitCoins were used as the currency of illegal online drug markets. When those were exposed, the wrath of certain organizations was directed at BitCoin: they wanted it banned for being supposedly untraceable and a great tool for criminals.

We must point out that BitCoin transactions are traceable: every transaction is broadcast to the network and recorded in a public log. What is difficult is learning who the actual person behind a BitCoin user is, because the log records only the user’s address (derived from a public key), never a name.

With the system already under scrutiny, the second strike came. A user reported the theft of almost US$500,000 in BitCoins, and the first weakness of the system appeared: because this peer-to-peer network has no central database or authority, nobody, not even the architects, could confirm or refute the claim. The transfer itself is visible in the public log, but nothing in it says whether the owner signed it or someone holding a copy of the owner’s keys did. A lot of doubt was cast over the report, because some people say the system can’t handle such a big transaction, but that is not important. The key point is that if a PC is compromised, the system is not secure and cannot be trusted implicitly, because you never know whether the user is who he or she claims to be. You trust a user because he or she presents the correct credentials, but you can’t tell whether impersonation is going on.

That happened in early June. A couple of days later some malware was found. Designed just to infiltrate computers running BitCoin, locate the digital wallet files and upload them to an FTP server, it allowed whoever was behind it to make transactions that the network accepted as valid with other users’ wallets, because it held their correct credentials: the private keys. Clever.
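Why a copied wallet file is all an attacker needs, as an added example (not code from the original post or from the Bitcoin project): a self-contained secp256k1 ECDSA implementation in Python that uses the real curve constants but a constructed, simplified transaction format and ledger check. A transfer signed with a copied private key verifies exactly like one signed by the owner, while a transfer signed with any other key is rejected; the network checks keys, never people.

```python
"""Pure-Python secp256k1 ECDSA (stdlib only; needs Python 3.8+ for pow(x, -1, m)).
Added example, not code from the original post or the Bitcoin project. Curve
constants are the real secp256k1 parameters; the transaction digest and the
"ledger" check are a constructed simplification of what nodes really do."""
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, generator point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def keygen():
    """One wallet entry: private scalar and the public point derived from it."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)


def sign(priv, z):
    """ECDSA over integer digest z with a random nonce, as wallets of the time did."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s:
            return (r, s)


def verify(pub, z, sig):
    """All a node can check: the signature is valid for the sending public key."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def tx_digest(sender_pub, receiver_pub, amount):
    """Constructed digest over the fields that appear in the public log."""
    payload = ("%064x%064x" % sender_pub + "%064x%064x" % receiver_pub
               + str(amount)).encode()
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % N


def make_tx(signing_priv, sender_pub, receiver_pub, amount):
    sig = sign(signing_priv, tx_digest(sender_pub, receiver_pub, amount))
    return {"from": sender_pub, "to": receiver_pub, "amount": amount, "sig": sig}


def ledger_accepts(tx):
    """What every peer does with a broadcast transaction. Nothing here can tell
    whether the owner or a thief holding a copy of the wallet file signed it."""
    z = tx_digest(tx["from"], tx["to"], tx["amount"])
    return verify(tx["from"], z, tx["sig"])


def demo():
    owner_priv, owner_pub = keygen()
    _, merchant_pub = keygen()
    thief_priv, thief_pub = keygen()
    legit = make_tx(owner_priv, owner_pub, merchant_pub, 5)
    # Thief copied the wallet file, so holds owner_priv: indistinguishable from the owner
    stolen = make_tx(owner_priv, owner_pub, thief_pub, 25000)
    # Thief without the key: signed with the wrong private key, rejected by every node
    forged = make_tx(thief_priv, owner_pub, thief_pub, 25000)
    return ledger_accepts(legit), ledger_accepts(stolen), ledger_accepts(forged)


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The point of the demo is the middle result: the "stolen" transfer is accepted on exactly the same grounds as the legitimate one, so there is no check a peer could add without a central identity authority, which is precisely what the design leaves out. The only defence is keeping the wallet file (the private keys) off compromised machines.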

For the coup de grâce, the hacking of BitCoin’s biggest exchange site (Mt.Gox) was reported. The media say that almost 60,000 accounts and passwords were stolen in the breach. The price of BitCoins has plummeted, and the site’s decision to roll back trades has not been well received.

If you look at the big picture, it is a logical chain of events. With the credentials the malware stole, an attacker could log in to the currency exchange as those particular users. Even though trading was halted until the situation was normalized, the implicit trust in the system was broken by a new and unknown player. It is fair to ask whether the group that wrote the malware is the same one that compromised the exchange site. Coincidence? It’s difficult to say.

It is certainly hard to say whether this system could survive another “Black Thursday.” Users and the wider environment may keep trusting it, but can you trust something so distributed, with no central verification?

Sources:

http://www.wired.com/threatlevel/2011/06/silkroad/

http://www.theregister.co.uk/2011/06/16/bitcoin_theft_claims/

http://forum.bitcoin.org/index.php?topic=16457.0

http://forum.bitcoin.org/index.php?topic=1958.0

http://www.zdnet.com/blog/security/new-bitcoin-malware-steals-bitcoin-wallets-infostealercoinbit/8804

http://www.zdnet.com/blog/btl/bitcoin-a-guide-to-the-future-of-currency/50601

The Dangers of Shared Devices and Exec Lounges

One of the perks of travel is access to Executive Lounges. One of the perks of Executive Lounges is that they often have VERY cool devices on display for the weary traveler to use. The lounge I am currently sitting in has a very nifty Motorola XOOM:

As I am in Korea at the moment, the first thing I had to do was change the default language to English (which I admit took more than a few minutes), and then I decided that I would take a LONG stroll through the inner workings of this ‘droid. I had figured the device would be locked down to some extent and that I would have to get a bit creative….

Talk about being wrong.

I am kind of torn on the idea of shared devices. It’s great to have access to cool technology in a lounge or a store, but you would hope there would be SOME kind of protection or device management/lockdown going on. Who in their right mind would log into a wide-open device and use it for their private email, Twitter or Facebook, right? I think you guessed…. quite a few people.

This particular XOOM (and there were several in this lounge, as well as at least one Motorola ATRIX) had what you would expect: Twitter, YouTube, Facebook and such. All of these had multiple logins with the account data saved (which I will NOT show, for obvious reasons), but in truth this was not what surprised me. Poking around, I quickly noticed that I had full access to the main account the device used:

Accessing the account settings I could have easily reset the password:

I also, however, had access to the Marketplace account billing information:

Now remember that, as I also had access to the main Gmail account (the same one the Marketplace used), I could have changed the password and begun using this account on any Android device I wanted. Marketplace app 0wnage awaits! I should also note that all the devices in this lounge used the same account.

It would have been easy to lay waste to these devices and pilfer the account they used, but I am a hacker and I have ethics. Think of the flip side.

Let this be a lesson to you road-warrior travelers out there: be VERY careful when using shared devices in lounges. They are wide open. In many cases they save account information (this one did): email, social media, website logins, etc… So it might be better to avoid using them at all and wait to use your own devices. If you are going to let others use your device, lock it down!! There are quite a few apps and guides that can walk users of all levels through deploying these devices with at least some level of control.

Time to change the language from Korean to English: 5 minutes. Time to get main account access and full info: less than 1 minute. Advice? Spend MORE than 5 minutes and learn how to manage your device and its settings. The identity you save just might be your own.

Fake-Alert Scam Targets Mac Users

One of the most prevalent families of recent Trojans is known as fake alerts. These Trojans generate bogus warning screens that look as if they were produced by legitimate security or anti-malware software. Most malware in this family tries to con users by convincing them that their systems are at risk and that they should purchase the full version of the “software” to clean and repair them. These scams are so prevalent largely because they work: the Trojans use ever more professional-looking alerts to convince more and more users that the software is legitimate, and many fake-alert products even borrow the names and logos of popular security software.

McAfee Labs recently analyzed one of these Trojans, MacDefender.

Some of my colleagues have authored a report to help computer users distinguish between legitimate security software and fake or rogue security products. The paper is still timely and well worth a read.

With the increasing popularity and market share of Apple’s Mac OS, these systems have also become a larger target for malware. Fake alerts are not the only malware family that infects the Mac, however; threat predictions show a rising trend in malware targeting OS X. Other notable examples found in the wild include:

HellRaiser
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265239

BlackHole RAT
http://blogs.mcafee.com/mcafee-labs/blackhole-rat-eats-into-mac-os-x

OSX/Puper
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=154438

Regardless of your computer platform, take the proper precautions, remain updated, and surf safely.