6.15.2011

the cut-throat side of the coin

I'm going to assume right off the hop that you know what a bitcoin is.  If you don't, watch this short video and then for a moment just put your first few questions on hold and assume for the sake of argument that it works as advertised, and that there are in fact many people who for various reasons consider bitcoins to be valuable and will happily trade traditional money (about $20 USD / coin at the moment) for them.

In fact, there are really quite a few people investing in bitcoins.  If not directly by purchasing them through one of the currency exchanges, or by exploiting classic foreign exchange tactics in a new medium, then indirectly by running dedicated mining computers filled with high end 3d video cards day and night to collect coins.  In the last two months bitcoin miners have stripped the commodity hardware market clean of the top performing Radeon 6990 cards.  Take a minute and try to find anyone who has them in stock.  Search for other models.  Try second hand sites.  At about $700 USD those top cards alone represent a pretty sizable dollar amount (invest in AMD!?), and of course on today's internet where there's money there are crooks.

While the saber rattlers are all very interested in the issues of drugs and money laundering, the more interesting crooks are taking to their keyboards. For some time there have been reports of bitcoin wallets being lifted via trojan horse, however these were upgraded on Saturday to full accounts of serious coin-jacking ($500k);  perhaps following in the footsteps of computer criminals of a more conventional sort.

Such as the fraudsters who started off acquiring individual online banking credentials but soon realized that siphoning the krill of the internet may work for whales like the big botnet operators, but the smaller scamming crews would need to be more strategic to maximize profits.  They began hijacking the accounts of entire businesses and found better spoils with less risk.

So on Sunday when someone monitoring the public (and mostly anonymous) bitcoin transaction log noted about $8M USD in coins being consolidated into one account there was of course some speculation that security concerns were a motivating factor. Semi anonymous currency transfers without the fuss of bank security standards, government mandated oversight and fraud reporting, and no knowledge of borders?  Oh yeah, strong concerns.

It gets weirder though.  As more people throw more mining hardware at the bitcoin network, the difficulty of mining itself increases in response. The system was designed to ensure that a steady stream of coins is mined no matter how furiously people are mining.  Because of this it is now quite impractical to mine coins alone with your desktop computer.  Well over half the miners out there are pooling their hardware together and splitting the rewards to stay in the game.  So while in theory the network is distributed and decentralized, in practice it has about 8-10 heads (pool servers) which can and have been cut off by interlopers.
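The difficulty adjustment described above, as an added example that is not part of the original post: a small model of Bitcoin's retarget rule showing how difficulty trails a growing hash rate and what that does to a lone miner. The protocol constants (2016-block window, 10-minute spacing, 4x clamp) are Bitcoin's own; the hash rates and growth figures are constructed for illustration.

```python
RETARGET_BLOCKS = 2016           # blocks between difficulty adjustments
TARGET_SPACING = 600             # seconds per block the network aims for
TARGET_TIMESPAN = RETARGET_BLOCKS * TARGET_SPACING
HASHES_PER_DIFFICULTY = 2 ** 32  # approx. expected hashes per block at difficulty 1

def retarget(difficulty, actual_timespan):
    """New difficulty after a window that took actual_timespan seconds."""
    # The protocol limits any single adjustment to a factor of four either way.
    clamped = min(max(actual_timespan, TARGET_TIMESPAN / 4), TARGET_TIMESPAN * 4)
    return difficulty * TARGET_TIMESPAN / clamped

def block_interval(difficulty, hashrate):
    """Expected seconds between blocks for a given hash rate (hashes/second)."""
    return difficulty * HASHES_PER_DIFFICULTY / hashrate

def simulate(hashrate, growth, periods):
    """Hash rate grows by `growth` per window; returns (difficulty, interval) rows."""
    difficulty = hashrate * TARGET_SPACING / HASHES_PER_DIFFICULTY  # start in balance
    rows = []
    for _ in range(periods):
        interval = block_interval(difficulty, hashrate)
        rows.append((difficulty, interval))
        difficulty = retarget(difficulty, interval * RETARGET_BLOCKS)
        hashrate *= growth
    return rows

def solo_days_per_block(difficulty, my_hashrate):
    """Expected days for one miner working alone to find a single block."""
    return block_interval(difficulty, my_hashrate) / 86400

if __name__ == "__main__":
    # Constructed scenario: network hash rate grows 20% per window.
    for n, (diff, interval) in enumerate(simulate(5e12, 1.2, 5)):
        print(f"window {n}: difficulty {diff:,.0f}, block every {interval:.0f}s")
    # Constructed miner: 300 Mhash/s against a difficulty of one million.
    print(f"solo miner: {solo_days_per_block(1_000_000, 300e6):.1f} days per block")
```

Because each adjustment only reflects the window that just ended, blocks keep arriving faster than every ten minutes for as long as the hash rate keeps growing, while the expected wait for a solo miner stretches into months.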

There are plenty of theories and discussions out there regarding the reasons behind the many attacks against the most popular mining pools, but I think the most obvious is profit.  Due to the fact that the network increases difficulty at a slow and predictable rate it is possible for someone with a lot of mining power to double or triple their odds of mining a block of 50 coins by knocking down the top pools at the right moments.  Of course, renting a DDoS attack has been cheap for ages, and there's no doubt in my mind one could be purchased for bitcoins today.

The one I haven't seen yet but want to is forced pooling.  When web enabled Java and JavaScript bitcoin mining programs were developed, people thought big.  "Topple Google's business model, serve a browser based bitcoin miner instead of an ad to monetize your site".  The rapid increase in mining difficulty killed that dream quickly, but it may be back in the form of modern browser interfaces to 3d graphics hardware.  WebGL and its bastard nephew WebCL, very new technologies designed to do nifty graphics stuff in your browser, have already been used to implement web based hardware accelerated bitcoin mining software nearly on par with the dedicated mining programs.

At the moment it's limited to specific browsers with specific plugins, but barring a total collapse of the bitcoin market within a couple years as the tech matures into the mainstream it may well become far too profitable not to exploit.  Rather than serving drive by downloads of the latest banking trojan, your favourite recently hacked website could be pressing your video card into the service of mining bitcoins for the Russian Business Network right under your nose.

Perhaps the most amusing thing about all this is that Satoshi Nakamoto, the creator of bitcoin whose name is apparently a Japanese synonym for "John Smith", has quietly disappeared.
  1. Drop crazy virtual currency on world.
  2. Vanish silently with big stack of bitcoins.
  3. Profit!!!

5.29.2011

they know kung foo

Like many companies, my employer makes use of RSA SecurID tokens as part of its security system, so when RSA (one of the world's largest encryption software vendors) got hacked earlier this year I paid attention.  And laughed a little, I mean c'mon, really?

A few days later a memo was circulated around the office reminding all of us cube monkeys to be wary of anyone seeking information about our tokens and describing some enhancements to our security.  Based on that and RSA's public statement I, like some others, surmised that by finding out the serial numbers of tokens in use the hackers might be able to work out all the one time passwords they would generate without needing access to the token itself.

According to a couple reports (and unfortunately for Lockheed Martin) it seems that guess was correct.
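The reasoning above, as an added example that is not part of the original post and is not RSA's algorithm: SecurID's code generation is proprietary, so this sketch substitutes the open TOTP scheme (RFC 6238) to show why a seeded token is only as secret as the vendor's serial-to-seed records, and why reissuing tokens is the fix. The serial number, record table and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on seed and clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def upcoming_codes(seed: bytes, now: int, count: int = 3, step: int = 30) -> list:
    """The next `count` codes a token holding `seed` will display."""
    return [totp(seed, now + i * step, step) for i in range(count)]

def codes_from_records(records: dict, serial: str, now: int) -> list:
    """What a holder of the serial -> seed records computes, with no fob in hand."""
    return upcoming_codes(records[serial], now)

# Constructed data: a hypothetical serial, with the RFC 6238 test seed as its secret.
SERIAL = "000123456789"
VENDOR_RECORDS = {SERIAL: b"12345678901234567890"}

def demo(now: int = 1_300_000_000) -> dict:
    copied = dict(VENDOR_RECORDS)                # snapshot of the vendor's records
    fob_seed = VENDOR_RECORDS[SERIAL]            # seed burned into the issued fob
    before = codes_from_records(copied, SERIAL, now) == upcoming_codes(fob_seed, now)
    fob_seed = b"replacement-seed-0001"          # mitigation: issue a re-seeded token
    after = codes_from_records(copied, SERIAL, now) == upcoming_codes(fob_seed, now)
    return {"predictable_before_reissue": before, "predictable_after_reissue": after}

if __name__ == "__main__":
    print(demo())
```

The token adds nothing an observer cannot recompute once the seed is known, which is why the serial number matters only as the lookup key into those records.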

Whoever grabbed the RSA data used it, and likely quite a bit of other dark wizardry, to penetrate the networks of one of the most sophisticated technology and aerospace government contractors operating today. Of course, they say that "our systems remain secure; no customer, program or employee personal data has been compromised".  But then again, RSA said "we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers" after their hack.

As of about 20 minutes ago when I logged on to review the memo I mentioned, my token was still working fine, but I expect that to stop any moment now.  Good thing too, it's pretty beat up.  The serial number has rubbed right off so I guess I'm safer than most.

Interesting times indeed.

4.30.2011

creative scamming

I found this interesting.  Some scammers are using trojans to inject bogus ads and articles into business sites praising their fake investment portals.

The trojan configuration also targeted sites such as Forbes and Yahoo Finance, injecting fake articles into pages suggesting the sites were partnered with "URS Investments" and were recommended by Forbes and Yahoo and offer links to sign up with the site. Other sites which are targeted by the trojan's configuration include AOL, Amazon, Apple, CNN, Citibank and ESPN.

Next stop, injecting bogus stats into popular finance portals, rss feeds, and trading sites to aid pump and dump stock scams.  Sound far fetched?  Trojans that steal banking credentials and initiate fraudulent transfers have been hiding the rogue transactions from the victims' browsers for years.

Some banking Trojans overwrite transactions sent by a user to the online banking website with the criminal’s own transactions. This overwrite happens behind the scenes so that the user does not see the revised transaction values. Similarly, many online banks will then communicate back to the user’s browser the transaction details that need to be confirmed by the user with an OTP entry, but the malware will change the values seen by the user back to what the user originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.

4.24.2011

usb powered hockey rat trophy

Yeah you read it right.

Yesterday my dad and I were making our tipsy way home after watching the Jays take a beating at my local bar.  On the way in we saw what I guess someone who'd been moving had left by the service entrance to my apartment, boxes and miscellaneous junk.  I saw a weird rat statue with a USB cable sticking out of it and thought, whoa, USB powered rat!

Hell yeah!

So I grabbed it and said to pop and incidentally to a neighbor who was waiting for the elevator; "Yo check it out, USB rat statue!"

Dad: "Um, cool?"

We step into the elevator.

Girl: "Er, are you sure that's not just a rat statue with a USB cable hanging on it?"

Me: Pulling a random USB cable free of rat statue, "Um, nope".

So now what do I do with a non USB powered rat hockey trophy?  Suggestions welcome.