A question no one is asking about the Colonial Pipeline ransom attack: what did the hackers do wrong?
Reading multiple reviews and analyses of recent ransomware attacks, especially the most famous one on Colonial Pipeline, which paid a ransom of 75 bitcoins (about $4 million), I am seeing a lot of discussion about what the victims did wrong and how they can avoid such attacks in the future. But no one is asking (let alone answering) a very simple question: What did the hackers do wrong that allowed the FBI to recover at least half of the ransom already successfully transferred to them by Colonial Pipeline? And an even more important question: How did they make the mistake of allowing their transaction to be traced?
For anyone working with blockchain tech, it is obvious that ransomware hackers who use bitcoin for the payoff don’t care much about their anonymity. People dealing with crypto know that bitcoin is a pseudonymous cryptocurrency, meaning that it does provide some basic degree of anonymity, but scrutiny of the bitcoin blockchain reveals a lot of information about both the sender and the recipient. And, of course, all the details of transfers and their amounts are publicly visible to anyone. So using bitcoin as a payment method, especially for illegal activity such as ransom, is extremely dangerous for the attackers. They can be easily traced and caught, and their money can be seized. The probability that the Colonial Pipeline attackers didn’t know such basics about crypto is near zero. They would certainly have known there are well-developed privacy-centric cryptocurrencies that provide almost absolute anonymity and security to their users.
Monero is one outstanding example; it hides all the details of its transactions from public view, including the sender, the recipient, and the transfer amount. And it is very liquid, with a market capitalization of more than $4.5 billion and a presence on most cryptocurrency exchanges. So why did the attackers not use it — or another privacy-centric cryptocurrency? There are two possible answers to this question. I don’t know which one is right.
The first possibility is that they simply didn’t care. Most are probably located in hacker-haven countries such as Russia, China, North Korea, or Iran, which don’t have extradition agreements with the West. So they are not afraid of the FBI, not worried about being caught, and simply did not think the law enforcement agencies would be clever enough to find a way to seize their money. The second possibility is that they intentionally used bitcoin so that they would be traced and clues about their location would be exposed. In this scenario, the attack would have been more than just a commercial transaction; it would have been a demonstrative action.
As I said, I don’t know the right answer, but there is an important outcome of this attack, especially if it was a commercial one. Attackers are learning, and in future attacks, other hackers whose interests are purely commercial will be using better methods that allow them to slip away unnoticed while keeping their money (well, our money) safe. So it’s important that companies brace for impact.
While ransomware sounds terrible to most people, the security community knows how to avoid these attacks, so there is no reason companies shouldn’t be protected. A “Zero trust” architecture with total multi-factor authentication coverage will deter hackers and prevent security breaches. Security is not free, but recent examples show that ignoring reality can be much more expensive.
This article was originally published by VentureBeat on June 13, 2021
A new wave in crypto has begun and its buzzword is DeFi—which stands for decentralized finance. The idea of decentralized finance is that financial institutions can be created that are run by computers, blockchains and rules that anyone can access without needing permission or having to show trust or be trusted. These cyber financial institutions run on a network of computers anywhere in the world, along anarcho-capitalistic lines designed to resist outside interference.
A nice dream (perhaps), now a tangible thing that exists.
Landry's, a popular restaurant chain in the United States, has announced a malware attack on its point of sale (POS) systems that allowed cybercriminals to steal customers' payment card information.
I can't believe it's happening again... Cyber deja vu. It's time for a second edition of Hacking Point of Sale!
"The PoS malware infected point-of-sale terminals at all Landry's owned locations, but, fortunately, due to end-to-end encryption technology used by the company, attackers failed to steal payment card data from cards swiped at its restaurants.
However, Landry's outlets also use "order-entry systems with a card reader attached for waitstaff to enter kitchen and bar orders and to swipe Landry's Select Club reward cards," which allowed attackers to successfully steal customers' payment data "in rare circumstances" when waitstaff mistakenly swiped payment cards on them."
"The restaurant chain did not speculate how many customers may have been affected, but it is "notifying customers" whose cards, "in rare circumstances, appear to have been mistakenly swiped by waitstaff on devices used to enter kitchen and bar orders, which are different devices than the point-of-sale terminals used for payment processing," the breach notification says.
The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card after it was swiped on the order-entry systems. In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name."
As Bitcoin and other digital assets continue to grow in adoption and popularity, a common topic for discussion is whether the U.S. government, or any government for that matter, can exert control of its use.
There are two core issues that lay the foundation of the Bitcoin regulation debate:
Digital assets pose a macro-economic risk. Bitcoin and other cryptocurrencies can act as surrogates for an international currency, which throws global economics a curveball. For example, countries such as Russia, China, Venezuela, and Iran have all explored using digital currency to circumvent United States sanctions, which puts the US government at risk of losing its global authority.
International politics and economics are a very delicate issue, and often sanctions are used in place of military boots on the ground, arguably making the world a safer place.
The micro risks enabled by cryptocurrency weigh heavily in aggregate. One of the most attractive features of Bitcoin and other digital assets is that one can send anywhere between a few pennies' worth and billions of dollars of Bitcoin anywhere in the world at any time for a negligible fee (currently around $0.04 to $0.20 depending on the urgency).
However, in the hands of malicious parties, this could be very dangerous. The illicit activities inherently supported by a global decentralized currency run the gamut: terrorist funding, selling and buying illegal drugs, ordering assassinations, dodging taxes, laundering money, and so on.
Can Bitcoin Even Be Regulated?
Before diving deeper, it’s worth asking whether Bitcoin can be regulated in the first place.
The cryptocurrency was built with the primary purpose of being decentralized and distributed, two very important qualities that could make or break Bitcoin’s regulation.
By being decentralized, Bitcoin doesn’t have a single controlling entity. The control of Bitcoin is shared among several independent entities all over the world, making it nearly impossible for a single entity to wrangle full control over the network and manipulate it as they please.
By being distributed, Bitcoin exists at many different locations at the same time. This makes it very difficult for a single regulatory power to enforce its will across borders. This means that a government or other third party can’t technically raid an office and shut anything down.
That being said, there are several chokepoints that could severely hinder Bitcoin’s adoption and use.
1. Targeting centralized entities: exchanges and wallets
A logical first move is to regulate the fiat onramps (exchanges), which the United States government has finally been getting around to. In cryptocurrency’s nascent years, cryptocurrency exchanges didn’t require much input or approval from regulatory authorities to run. However, the government started stepping in when cryptocurrency started hitting the mainstream.
The SEC, FinCEN (Financial Crimes Enforcement Network), and CFTC have all played a role in pushing Know Your Customer (KYC) protocols and Anti-Money Laundering (AML) policies across all exchanges operating within U.S. borders.
Cryptocurrency exchanges have no option but to adhere to whatever the U.S. government wants. The vast majority of cryptocurrency users rely on some cryptocurrency exchange to utilize their cryptocurrency, so they will automatically bend to exchange-imposed regulation.
Regulators might not be able to shut down the underlying technology that powers Bitcoin, but they can completely wreck the user experience for the great majority of cryptocurrency users, which serves as enough of an impediment to diminish the use of cryptocurrency for most.
2. Targeting users
The government can also target individual cryptocurrency users. Contrary to popular opinion, Bitcoin (and even some privacy coins) aren’t anonymous. An argument can be made that Bitcoin is even easier to track than fiat because of its public, transparent ledger.
Combined with every cryptocurrency exchange’s willingness to work with U.S. authorities, a federal task force could easily track money sent to and received from certain addresses and pinpoint the actual individual behind it. Companies such as Elliptic and Chainalysis have already created solid partnerships with law enforcement in many countries to track down illicit cryptocurrency uses and reveal the identities behind the transactions.
Beyond that, we dive into the dark web and more professional illicit cryptocurrency usage. Although trickier, the government likely has enough cyber firepower to snipe out the majority of cryptocurrency-related cybercrime. In fact, coin mixers (cryptoMixer.io), coin swap services (ShapeShift) and P2P bitcoin transactions (localbitcoins.com) have been investigated for several years now and most of them have had to add KYC and adhere to strict AML laws.
Ultimately, it’s going to take a lot to enforce any sort of significant global regulation on Bitcoin, with the most important factor being a centralization and consensus of opinion. The majority of the U.S. regulatory alphabet agencies fall into the same camp of “protect the good guys, stop the bad guys”, but there isn’t really a single piece of guidance to follow. Currently, cryptocurrencies are regulated in the US by several institutions (CFTC, SEC, IRS), making it difficult to create overarching regulatory guidelines.
In short, yes, Bitcoin can be regulated. In fact, its regulation has already started with the fiat onramps and adherence to strict KYC & AML laws. While in countries such as Ecuador, Bolivia, Egypt and Morocco Bitcoin ownership is illegal, in the US it would take some bending of the moral fabric of the Constitution in order for cryptocurrency ownership rights to be infringed.
However, it cannot be shut down. There are still ways to buy, sell, and trade Bitcoin P2P, without a centralized exchange. It would take an enormous effort by any government to completely uproot something as decentralized as Bitcoin, but that future seems more dystopian than tangible.
This article first appeared on albaronventures.com
Since the Lyra ledger design (which we also call a blocklist) is based on the block lattice concept invented by Nano, I am often asked about the difference between Lyra and Nano. Although most of the information can be found on the Lyra website or in the Lyra whitepaper, I have tried to summarize it in a single article.