Lightning Network – LN Network DDOS’d and Attacked By Organized Group

A group calling itself Bitpico has bragged about attacking the LN (Lightning Network).  The group claims it is stress testing the network and the LN developers responded that they are analyzing and trying to close any attack vectors before the currency is used more.

It is almost a traditional DOS attack where nodes were flooded with false transactions to overwhelm them so no real transactions could get through (similar to a web attack that opens frivolous connections to overwhelm the server).

Inevitably almost all networks go through this and it really is a typical cat and mouse game in any public, permissionless blockchains.  It is really an IT security nightmare where no one is authenticated or vetted whatsoever.  There is little disincentive for organized and well-funded groups not to attack blockchains if they have enough motivation, and clearly many do.

 

Verge XVG Mining Exploit Results in $1.1M Heist

In all fairness it was just 3 hours, they have corrected the issue and have apologized which is the way to handle it.  This won’t make me panic sell my Verge coins.


XVG-Verge-ApologiesforMiningAttack
However, a scam closely followed right into the tweet discussion about this with a fake Verge account scamming users by apologizing for the hack (very ironic).

 

 

Because of how well they handled it I have a lot of faith in their team.  Lately a lot of blockchains have been attacked and exploited which is only natural.  Contrary to popular belief blockchain is not invincible or infallible.  Likewise, the people who code the applications and algorithms that run them are only human, so let’s give them a break.

To close this attack vector permanently it looks like a hardfork will be necessary (I generally dislike hardforks but this is a case of necessity).  But once again I’ll say it is a flaw in the majority of permissionless blockchains.  The client side shouldn’t care about this (just as we don’t care about the backend of our bank we only care about using our money).

I see the value of XVG has plummeted as a result, even though similar issues have happened with Bytecoin and Monero due to a flaw that allowed the creation of extra coins in Cryptonight.  I would fathom that a lot, if not most blockchains have been attacked and this has gone undetected and/or unreported.  It is likely just a matter of time.  This still puzzles me more because I think the Ethereum, parity issue, Bitcoin Gold Scam and what I suspect was a similar issue with Raiblocks didn’t impact the value as much.  With that said, this is one more reason I feel PoW is unsustainable and doesn’t help secure networks at all, as even without technical exploits you can still cause damage by having more hashing power than others.

I am not overly concerned about this issue and a big part of that is how the team handles things and it looks like they’ve taken ownership of the problem and have corrected it (something rare in this industry).

Nano AKA Raiblocks XRB and Bitgrail Scam $150M Lost!

A good friend of mine asked me about Nano and I honestly haven’t paid much attention to it.  I didn’t even know what it was until I realize it was recently rebranded from Raiblocks (XRB).  That alone set off alarm bells, aside from it being confusing I suspected there must be more of a reason.

The technical side is impressive although I haven’t used it, they have this block-lattice technology which doesn’t use traditional PoW mining.  It confirms transactions individually between two wallets instead of the entire blockchain.  This is a huge plus but the weakness is that they only seem to focus on transaction speed.  The algorithm described that seems to automatically allow successive transactions to be confirmed sounds dangerous.  I may be missing something from the implementation but it sounds like a potentially vulnerability that an attacker could use after doing a transaction with you.  In addition they still use a public ledger so essentially they are solving the transaction speed alone but they may also have introduced a huge attack vector and vulnerability.

They do have some interesting features such as instant transactions and being infinitely scalable.  But I take issue with any team claiming anything is infinite.  To infinitely scale there would have to be infinite computing resources available which there are not.  It could just be marketing but this stuff does catch my attention.  Combined with the timing of their rebrand and a lot of insider trading and selling I am very skeptical of this team.  At the very least, hiding from the Bitgrail fraud by renaming just before the news broke doesn’t seem honest at all.

I think we have it here straight from their own blog.  I believe the Raiblocks team knew of a massive fraud about to go down with Bitgrail well before they let on or claim to have known something was wrong.  I am not saying they were involved but the timing of their re-branding is extremely suspicious.

This is because on January 31st they suddenly announce the rebrand to Nano.

Raiblocks-Rebrands

Then just 8 days later the Bitgrail $150M loss of XRB happened.  As you will see from the Raiblocks own timeline it appears they were possibly aware for weeks or months that something was going down.

Raiblocks-Rebrands1

The Raiblocks own timeline seems to imply they were aware of issues for weeks if not months before.   It does not mean they were directly involved but it gives the appearance that for publicity and to shrug off this massive fraud associated with their project they rebranded just before things hit the fan.

Raiblocks-XRB-ScamOn 10/19 – 2017 it is not clear if Raiblocks knew about the suspicious transaction but they definitely did in February.  Being under maintenance for no good reason to withdraw is always cause for concern on January 8th.  I am sure when the Bitgrail owner left the joint Telegram channel for Raiblocks they knew something was very amiss on 2018-01-25 (6 days before the rename and about 2 weeks before the public announcement of fraud).  I find this timing to be highly suspicious, it reminds of the Bitcoin Gold scam and I have no confidence in this team or currency because of that alone.

Bitgrail in March 2018 has gone on to make a statement claiming they are reopening and that they insist there is a flaw in Raiblocks that caused the theft.  Of course both sides may have motivation to blame the other.  In all fairness at least Bitgrail has pledged to offer some ERC20 tokens they are creating and that users will have access to all of their coins upon reopening (aside from the lost XRB of course).

Cash Fund dedicated to the victims of the NANO theft In view of the forthcoming reopening of Bitgrail.com (we will soon announce the exact date), BitGrail srl intends to inform its users of the details of the soon to be established cash fund dedicated to NANO owners, victims of the theft that was communicated on February 9 2018. Prior to that, a premise concerning the suffered theft and Bitgrail's obligations arising from the theft itself. BitGrail S.r.l intends to stress having been subject to theft, a crime made possible by taking advantage of faults in the team NANO's softwares (rai_node and the official block explorer) and therefore, for these reasons and in accordance with the law, it is not in any way responsible for the situation. We confirm that an investigation led by the legal authorities is underway The purpose of the investigation is to shed light on the theft, therefore we have already provided all the useful elements in order to reconstruct the facts, including the evidence concerning those involved in the fraudolent activity, who took advantage of the vulnerability of NANO's software, thus not Bitgrail's. Those grounds are alone sufficient to relieve BitGrail S.r.l of any refund obligation and/or repayment of the stolen amounts. However, as further demonstration of the good intentions and seriousness of the company, in order to meet its users half-way though without recognition of any liability, BitGrail S.r.l intends, on a voluntary basis, to establish a cash fund (by creating a token) dedicated to the users damaged by the theft. Doing so, they'll be enabled to recover their stolen funds over time. We must specify that, since they are not victim of the theft, users that didn't own NANO will have full access to their coins at the site reopening. (all the coins are safe, apart from XRB). Token BGS (BitGrail Shares) A new token (BGS, BitGrail Shares) is already present on the wallet page. 15.6 MLN of them have been distributed in a 1 to 1 ratio with the stolen NANO. The users who have been damaged by the theft (Meaning solely and exclusively all the NANO owners on Bitgrail) can already see their 20% updated XRB balance and, at the same time, the remaining part (80%) converted into BGS. Access and ownership to/of the BitGrail's token is granted only to users who will accept the settlement agreement, as stated in the next point. The new BitGrail Shares token will have its own market on Bitgrail's platform. It will be possibile to trade the token, but not deposit it or withdraw it. It is not excluded that the abovementioned token could be converted into an apposite cryptocurrency, thus enabling withdrawal and deposit. The first of the month BitGail will use the 50% of the previous month trading fees income in order to reacquire the BGS token, proportionally among the users who have them in their Balance. The tokens' buyback will occurr at the fixed price of 10.5 $ per unit (in Bitcoin), considering an average of BTC/USD pair among various exchanges ( Bitfinex, Binance, Bitstamp...) As said, it will be possible to trade BGS on the platform. Users who own said token will be able to buy and/or sell at a different pricing from the one required for the buyback. Doing so, users will have the chance of liquidating their BGS in advance, whenever there is an adequate market situation with the desired price. Any amount that can, in case, be recovered from those who have perpetrated the unauthorised withdrawals (therefore materially in the availabilty of BitGrail S.r.l) will be immediately destinated to the tokens' owners up to the extent of the pro rata sums subracted from the damaged users. (with value of 10.5$) Agreement with the users With the reopening of the site, the use of the platform for the victims of the theft will be bound by the signature of a settlement agreement. The latter will be characterised by an expressed renouncement from the users to every type of legal action, and will have to be formalized through the compilation of a form. The last will have to be printed, signed and uplodaded with the attached documents. Such renouncement will allow the availability of the BGS tokens above described. In denegata hypothesis, subjects who won't accept the settlement agreement will have no alternative except for the account termination in compliance with the TOSs. Extra UE users As already anticipated in the past, BitGrail won't be able to guarantee the trading to the extra UE users for a limited period of time. Our intention is to reopen the access to the whole world as soon as possible. Extra UE users will be able to deposit and withdraw. The BGS token buypack will also be available. Implementations of the platform With the purpose of guaranteeing a faster execution of the plan concerning the purchase of the tokens owned by the victims of the theft who have accepted the agreement, BitGrail S.r.l. will immediately work on the implementation of the site, focusing on: Markets/pair increasing by adding other criptocurrencies Interface and charts improvements an APP for smartphone / tablet the realization of a referral link system A voting system based on the BGS tokens for the list of new emergent criptocurrencies will be implemented. Thanks for the attention. Bitgrail S.r.l.

It’s hard to know for sure what has gone on in this case.  But this week XVG (Verge Coin) was hacked due to a flaw in how coins are mined, and something similar with Cryptonight for Monero and Bytecoin was also disclosed recently.    Who is to say that the Coincheck NEM issue also wasn’t due to a similar but unknown or undisclosed flaw?

Meltdown and Spectre Analysis and Current Status

There seems to be a lot of complacent or feel-good news that Meltdown and Spectre will solve themselves or that no worry or care should be taken from users but this couldn’t be further from the truth.  In reality while CPU makers say “there are no known cases of exploits” doesn’t do much to allay fears of those in the know.  This is because Spectre and Meltdown will not leave any trace or evidence that you’ve been hacked.  Although it can be argued that there may be some signs of unauthorized access if that was how access was gained.

However, the nature of Spectre and Meltdown allow for normal authorized users, programs and even scripts on websites to exploit you.  This is why it is so scary as there’s really no way to be certain you haven’t been breached.

It’s an issue for everyone because these exploits could impact anything from your bank, transportation/transit, airplanes, nuclear power plants, and basically anything else that relies on computing security since Meltdown and Spectre are a complete breakdown of those barriers.  I won’t go into more of the basic details but I did make a quick “take on the issue here“.

The good news

There were patches quickly released for a lot of Linux, Windows and Mac devices.  However this doesn’t mean that the users installed the patches or that all users have the ability or access to do so.  Take for example physically remote computers, devices and perhaps some that are running headless that may not be easily accessible or that for some reason have patches disabled (this is more common than you’d think in production or mission critical environments).

Then what about old and unsupported versions of operating systems or that old security system, phone, or TV box, or even ATM whose manufacturer may not be around anymore or is just simply not offering support?

It’s the same issue with many common worms and viruses, patches, and fixes may be issued but millions or more are often still affected long after for various reasons.

The bad news

Even if we assume that Google discovered these flaws first, and if we assume they weren’t mandated to be put there via ARM, AMD and Intel what about insiders who know about this back in June or even earlier on?   From that point a number of individuals and groups could have compromised or damaged sensitive data and computer systems.  There’s still time since a lot of devices and people will not be patched yet.

And to make things worse, the only true way to solve this issue is with a CPU microcode update, which is not simple to deploy especially on embedded devices and any mistake can lead to a bricked device.

These OS patches are just that “patch work”, a hack or work around to mitigate the issue.

Then there’s the question of “we know there are 3 variants or vectors of attack”.  What if there are others that are not yet discovered?  You can be well equipped and funded organizations/hacking groups are working on this as we speak and they certainly won’t be disclosing it.  Until all devices have microcode updates there’s no way to certain we are safe from unknown vectors related to Spector and Meltdown.

What can you do?

Simply look out for the latest updates for your devices/phones/computers and install the update but don’t falsely assume a new update means you are protected unless you’ve read so that “this update fixes the Spectre and Meltdown” issue.

My Take On Meltdown and Spectre Computer Security Flaws

Spectre and Meltdown allow a non-privileged user (non-root/non-Admin)  to access memory they aren’t supposed to essentially dissolving the majority of computing security and privacy barriers.  This could be a guest user collecting sensitive information/passwords for an entire database, group of users, network etc..

If you are using any computing device whether it be an ARM based device, Intel CPU (although Intel is the worst offender at this point), AMD CPU this issue affects you and billions of other devices and users around the world.  Whether you are on Linux, Unix, Windows, Mac this applies to you.  It is really an unmitigated scandal and disaster for both privacy, security and even safety with long lasting and wide ranging ramifications that will continue to playout for years.

I’ve made a comment in the past about security, IOT and how there are many devices that are now unsupported or can’t be updated leading to huge security issues.  We are now unfortunately there and have been since 1995.

This issue was first reported by Google Project Zero and they are known as the Meltdown and Spectre Vulnerabilities that affect all microprocessors made since 1995 (the modern computing era).

To make it worse there are 3 known “variants” or attack vectors known (I suggest there may be more that are undisclosed or not yet known to the public).  With variants 1,2 being very similar (known as Spectre) and variant 3 known as Meltdown.

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

The attack is possible due to “speculative execution” where CPUs (computer chips) essentially try to predict future work needed and will actually do sometimes unneeded work as the performance hit for doing this is less than waiting to execute the instructions later.   This means the computer sometimes performs work that isn’t needed and not used to increase performance, where things have gotten bad is through this feature, it’s possible for a normal user/process to gain unrestricted access to memory that you shouldn’t have access to.

What is Spectre?

The primary variants (1,2) that make up Spectre  rely on the user exploiting the speculative feature of the CPU to write to memory under their control.  This allows a normal user to read basically all memory processes allowing keys, passwords and confidential data to be intercepted.  AMD Claims that Variant #2 does not impact them as well.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

What is Meltdown?

Meltdown is the third and more serious and nasty variant that still relies on the speculative execution exploit/flaw but actually allows the attacker to read arbitrary memory (so basically anywhere at will).  The key feature of Meltdown is that it is the easiest attack to perform and it has been demonstrated on the Intel platform already.

The only good news is that apparently this Meltdown attack only affects Intel and not AMD.

https://access.redhat.com/security/vulnerabilities/speculativeexecution

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Redhat has also done an excellent writeup about the issue here:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

How To Protect Yourself

First and foremost you should update your devices as soon as patches become available.  In Linux enabling KPTI can protect you.   However for some major distributions of Linux users are still waiting for a patch.

If you are vulnerable and performing critical operations it’s time to make tough choices including possibly turning off your machines or denying all non-admin users access to a server/services if possible.

Ensuring rotation of keys and passwords can also mitigate your risks even if passwords have been compromised.

It comes down to good security practices all around such as segregating services to different physical machines, restricting physical and virtual user access.

If possible remove all non-essential or untrusted applications from your device/computer/server.

Dedicated Servers Will Become More Popular

There has been a huge trend to put everything into the Cloud, one that I have reservations with despite owning companies that offer our own private Cloud.

Fortunately we haven’t been impacted by Spectre and Meltdown and are not vulnerable but it does raise questions from our clients that we’ve mentioned before.

I’ve always advocated for physical segregation, which means that if possible you should have your own physical dedicated server that is encrypted and running a minimum set of services with as a few users as possible.  By doing this you significantly reduce your risk in a scenario like this by putting your company database, e-mail, VPN, websites, file server on physically different servers.

Serious Questions and Concerns Raised

I would raise the question that is it really possible that such a wide-ranging exploit was completely unknown for this long until a team from Google discovered it?  Considering the budgets of major intelligence agencies around the world who are constantly looking to find exploits of their own it is conceivable that this vulnerability may have been exploited for far longer than it was publicly known by specific groups.

Another one is Intel’s response to it by apparently being accused of singling out AMD when as of now, Intel is far more vulnerable.

Since these chip makers are all US based is it possible they were mandated by law to introduce speculative execution in such a similar way that this vulnerability would be possible?  Considering recent revelations I don’t think it would be inconceivable.

Are there more than 3 variants and if we assume that no one else really knew about Variants 1-3 is it not possible that a well-armed team could find new ways to exploit them?

Long-term Value for Intel, AMD and ARM

At the time of writing Intel’s stock was down about 3% but this could get worse for either of these companies if one’s vulnerabilities keep increasing and/or one of them is hit with a larger exploit.

Conclusion

It’s hard to give an honest conclusion as we’re just getting started and this is all we know about the Variants 1,2 (Spectre) and Meltdown.  So far it looks like we were lucky to choose AMD.  The key issue that will come out of this is how many devices and users will remain vulnerable by being unable to patch or if they have a device that cannot be easily patched or there is no longer any support from the vendor?  This would increase the amount of zombies and data security breaches several fold.

This is also a good time and a wakeup call for all companies to do a security audit and if they don’t have dedicated security staff, to bring in some good IT and security auditors to assess and mitigate these risks before they become costly losses.

My Take On WannaCry

Reading media coverage of the WannaCry, ransomware attack has been excruciatingly frustrating because little to no information was offered on how infection happens and how to protect yourself.

This issue has been a bit frustrating and unhelpful as an IT professional and user if I didn’t find the right answers there is something seriously wrong.  I couldn’t find the important information in any of the mainstream articles so certainly a novice or amateur user would have no chance of protecting themselves.

How Did WannaCry Infect and Spread?

Long version here from Malwarebytes

One of the key ways is still the oldest “phishing” trick in the book, via e-mail which many users are tricked into opening infected attachments.  This was not readily available in media coverage and this simple warning or announcement could have prevented a lot of new infections.  I believe this is a key factor that has not been discussed since many networks will be behind NAT and external SMB services would be blocked, having users on the LAN install the worm is an easy way to get inside and spread the infection to areas that are hardened on the outside.

The more technical explanation there is an exploit called “ETERNALBLUE” which was a hacking tool leaked from the NSA which exploited a weakness in Microsoft’s implementation of SMB (Server Message Block/filesharing protocol).   This has been widely reported but the simple way to prevent automatic infection through this method has not.

Once infected the worm essentially scans your LAN and then the internet to spread the infection further which quickly multiplied the damage and scope of this attack.

How to protect yourself?

  1. First and foremost is to update your Microsoft Windows regardless of OS (whether you have XP, Vista, 7, 10, 12 or any Server) because all Microsoft versions are apparently impacted by MS17-010 ETERNALBLUE/WannaCry
  2. Disable SMB/Filesharing in Windows and if that is not possible at least use firewall settings to block SMB/filesharing/CIFS.
  3. If the above is not possible you should physically unplug any impacted machines from the network (it could be a simple as disabling all ports on your network/switch or even unplugging entire switches if possible).

Who is to blame?

There is plenty of blame to go around but currently a lot of it is coming from Microsoft who is blaming users for not patching and the NSA for hoarding these exploits and not notifying them or users beforehand.

In all fairness Microsoft did issue patches for even unsupported OS’s like Vista and XP on March 14th, 2017.

Many have mused that the NSA should have at last notified Microsoft the moment they realized their hacking tools were leaked.

At the end of the day the question is how could Microsoft have left open such a serious vulnerability for so long?  Was it an intentional backdoor and was it collaboration between Microsoft and the NSA or other third parties?

Some Can’t Patch

Some systems may be running on internal networks on their own LAN but were still infected so they wouldn’t be patched.  To make matters worse the chances are these would more likely be critical data and infrastructure that are impacted in this case.

Other machines are not managed properly or remotely and are deployed with internet access making them sitting ducks for these types of attacks.

There are also some who just don’t patch because the risk to impacting existing services is too great.  Although I would argue the risk is much higher to not patch and not upgrade or migrate your applications to a more secure platform if you get hit with ransomware like this.

These Issues Are Nothing New

With the Snowden revelations many have worried that US tech companies being forced to provide backdoor access to the NSA would be vulnerable should other hackers discovery the vulnerabilities or intentional backdoors on their own, or in this case when the tools and exploits were somehow leaked.

In the wider scope of things Microsoft has seen worms of this scale in the past, it’s nothing new.  There are no worldwide protocols for notifying users or defending against such worms and this will certainly become an increasingly problem with more and more devices online especially with IoT and so many devices that are connected that we don’t think about, and that don’t get patched or may not have an easy or automatic way of updating.