Unifying the
Global Response
to Cybercrime
FinTech Security
Glib Pakharenko
gpaharenko (at) gmail.com
2016-04-02
FinTech is under attack
36 exchanges no longer operate
13 exchanges claim to have been hacked. In total, more
than 950,000 bitcoins have been stolen from their rightful
owners.
1. AllCrypt
2. Bitcoin
3. Bitcoin Brasil
4. Bitcoinica
5. Bitfloor
6. BitMarket.eu
7. Bitomat
8. Bitspark
9. Bitstake
10. BitYes
11. Britcoin
12. Coin
13. CoinEX
14. Coin.Mx
15. Comkort
16. Crypto
17. Cryptorush
18. Excoin
19. FXBTC
20. Harborly
21. Intersango
22. Kapiton
23. LibertyBit
24. McxNOW
25. Melotic
26. MintPal
27. MtGox
28. Prelude
29. SwissCEX
30. The Bitcoin Market
31. Tradehill
32. UpBit
33. Vault of Satoshi
34. Virtex
35. WeExchange
36. Yacuna
Dead altcoins
Malware steals bitcoins
Is bitcoin-core secure?
Mining software is vulnerable
Just a quick look revealed multiple bugs in the mining clients BFGMiner,
SGMiner and CGMiner:
• CVE-2014-4501: an attacker can overflow a stack buffer via a long URL
argument in the "client.reconnect" message.
• CVE-2014-4502: an attacker can send a large or negative nonce-length
parameter to the client, which causes the miner to calculate an
insufficient buffer size for new blocks and overwrite heap memory.
• CVE-2014-4503: an attacker in the middle of a connection can send a
"mining.notify" message with malformed parameters to the client.
Mining software is vulnerable (cont.)
• An attacker can sniff the cleartext credentials in the mining.authorize
message. These credentials may be used elsewhere across the internet
and may lead to account compromise.
• An attacker in the middle of a connection can replace the Bitcoin
address in the username field of a mining.authorize message with their
own to steal the users' payouts from the pool.
• An attacker can spoof a "client.reconnect" message from the pool to
redirect the miner to a private pool. The reconnection would not be
immediately obvious to the users, and the pool would not need to pay
out any share of the block rewards.
• An attacker or malicious pool can send a message containing a
malicious payload that remotely executes code on a victim's machine.
This can be used to install malware such as rootkits and keyloggers.
• An attacker can perform a DoS attack against pool members.
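The three CVEs and the man-in-the-middle problems above all come down to a miner trusting whatever arrives on the pool connection. The following is an added example, not code from the talk or from BFGMiner, SGMiner or CGMiner: a small Python validator for incoming Stratum lines that bounds the client.reconnect host length, rejects a negative or oversized extranonce2 size, checks the shape of mining.notify before any field reaches hashing code, and only follows a reconnect to a host on an operator-approved list. The numeric limits, the host allow-list and the sample lines are assumptions constructed for the example.

```python
"""Defensive parsing of Stratum mining messages (JSON-RPC lines over TCP).

Added example for this deck; not code from the talk or from any miner.
The limits (line size, host length, extranonce2 size, mining.notify field
sizes) and the approved-host list are assumptions chosen to illustrate
the checks; a real client sizes them to its own buffers.
"""
import json
import re

MAX_LINE_BYTES = 16 * 1024        # assumption: bound input before json.loads
MAX_RECONNECT_HOST_LEN = 253      # assumption: DNS hostname limit
MAX_EXTRANONCE2_SIZE = 8          # assumption: pools use 2..8 bytes
HEX_RE = re.compile(r"[0-9a-fA-F]*")

class StratumError(ValueError):
    """Any failed check; the caller logs the reason and drops the line."""

def parse_message(raw: bytes) -> dict:
    """Turn one newline-delimited line into a dict, bounding its size first."""
    if len(raw) > MAX_LINE_BYTES:
        raise StratumError("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise StratumError(f"malformed JSON: {exc}") from None
    if not isinstance(msg, dict):
        raise StratumError("message is not a JSON object")
    return msg

def validate_reconnect(params) -> tuple:
    """client.reconnect params are [host, port, wait]. Bounding the host
    length is the fix for the CVE-2014-4501 class (long URL, stack overflow)."""
    if not isinstance(params, list) or not params:
        raise StratumError("client.reconnect needs params")
    host = params[0]
    if not isinstance(host, str) or not host or len(host) > MAX_RECONNECT_HOST_LEN:
        raise StratumError("reconnect host missing or too long")
    port = params[1] if len(params) > 1 else 3333
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise StratumError("reconnect port out of range")
    return host, port

def validate_extranonce2_size(value) -> int:
    """Nonce-length field from mining.subscribe / mining.set_extranonce. A
    negative or huge value is what made CVE-2014-4502 under-size a heap buffer."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise StratumError("extranonce2_size must be an integer")
    if not 1 <= value <= MAX_EXTRANONCE2_SIZE:
        raise StratumError(f"extranonce2_size {value} outside 1..{MAX_EXTRANONCE2_SIZE}")
    return value

def validate_notify(params) -> dict:
    """mining.notify params: [job_id, prevhash, coinb1, coinb2, merkle_branch,
    version, nbits, ntime, clean_jobs]. Check count, types and hex lengths
    before any field reaches the hashing code (CVE-2014-4503 class)."""
    if not isinstance(params, list) or len(params) != 9:
        raise StratumError("mining.notify needs exactly 9 params")
    job_id, prevhash, coinb1, coinb2, branch, version, nbits, ntime, clean = params
    if not isinstance(job_id, str) or not 0 < len(job_id) <= 64:
        raise StratumError("bad job_id")
    for name, val, length in (("prevhash", prevhash, 64), ("version", version, 8),
                              ("nbits", nbits, 8), ("ntime", ntime, 8)):
        if not isinstance(val, str) or len(val) != length or not HEX_RE.fullmatch(val):
            raise StratumError(f"{name} must be {length} hex chars")
    for name, val in (("coinb1", coinb1), ("coinb2", coinb2)):
        if not isinstance(val, str) or len(val) % 2 or len(val) > 8192 or not HEX_RE.fullmatch(val):
            raise StratumError(f"{name} must be even-length hex of at most 4096 bytes")
    if not isinstance(branch, list) or len(branch) > 32 or any(
            not isinstance(h, str) or len(h) != 64 or not HEX_RE.fullmatch(h) for h in branch):
        raise StratumError("merkle_branch must be a short list of 32-byte hex hashes")
    if not isinstance(clean, bool):
        raise StratumError("clean_jobs must be boolean")
    return {"job_id": job_id, "merkle_depth": len(branch)}

def dispatch(raw: bytes, allowed_hosts) -> str:
    """Validate one incoming line; return a verdict or raise StratumError. The
    allow-list keeps a spoofed client.reconnect from silently moving hashpower."""
    msg = parse_message(raw)
    method = msg.get("method")
    if method == "client.reconnect":
        host, port = validate_reconnect(msg.get("params"))
        if host not in allowed_hosts:
            raise StratumError(f"refusing reconnect to unapproved host {host!r}")
        return f"reconnect {host}:{port}"
    if method == "mining.notify":
        info = validate_notify(msg.get("params"))
        return f"job {info['job_id']} depth {info['merkle_depth']}"
    if method == "mining.set_extranonce":
        params = msg.get("params")
        if not isinstance(params, list) or len(params) != 2:
            raise StratumError("mining.set_extranonce needs [extranonce1, size]")
        return f"extranonce2_size {validate_extranonce2_size(params[1])}"
    raise StratumError(f"unknown method {method!r}")

def check(raw: bytes, allowed_hosts=frozenset({"pool.example"})) -> tuple:
    """(accepted, detail), so a caller can count and log rejected lines."""
    try:
        return True, dispatch(raw, allowed_hosts)
    except StratumError as exc:
        return False, str(exc)

def _line(method, params) -> bytes:
    return (json.dumps({"id": None, "method": method, "params": params}) + "\n").encode()

# Constructed sample lines (not captured from any real pool or miner).
SAMPLE_GOOD_NOTIFY = _line("mining.notify", ["job1", "ab" * 32, "01000000", "ffffffff",
                           ["cd" * 32], "20000000", "1a0ffff0", "5a1b2c3d", True])
SAMPLE_LONG_RECONNECT = _line("client.reconnect", ["a" * 5000, 3333, 0])
SAMPLE_SPOOFED_RECONNECT = _line("client.reconnect", ["evil.example", 3333, 0])
SAMPLE_NEGATIVE_NONCE = _line("mining.set_extranonce", ["08000002", -1])
```

Feeding a line through check() returns (accepted, detail). Logging every rejected line with its reason doubles as a cheap detection signal: a pool that suddenly emits malformed mining.notify messages or unexpected reconnect requests is either broken or being intercepted.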
Mining issues
The chain of events that led to financial loss
for miners:
• late software update
• dependency on the OpenSSL software
• hard fork
• SPV nodes conflicted with up-to-date full
nodes
Randomness issues
The problem:
• weakness in random number generation with the Java Cryptography
Architecture (JCA) on Android
• use of the http://random.org site to get random numbers over an
unencrypted connection and without handling server errors
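Both findings are failures of the key-generation entropy source rather than of the curve itself. As an added example, not code from the talk, the Python below shows the two defender-side counterparts: drawing private keys only from the operating system's CSPRNG with a range check against the secp256k1 order, and an audit routine that scans a signature log for repeated ECDSA r values, which is how a weak SecureRandom shows up after the fact. The signature sample is constructed; the secp256k1 order is the published curve constant.

```python
"""Key-generation randomness: draw from the OS CSPRNG and audit for nonce reuse.

Added example for this deck, not code from the talk. Keys come only from the
local CSPRNG (never from a site fetched over plain HTTP, and with no fallback
when that fetch fails), and signatures are audited for a repeated ECDSA nonce,
the symptom a weak SecureRandom produces. The sample signatures are constructed.
"""
import secrets
from collections import defaultdict

# Order of secp256k1, Bitcoin's curve; a private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def generate_private_key() -> int:
    """Rejection-sample 256 bits from the OS CSPRNG until the value is in range.
    No network source and no fallback: if the OS CSPRNG is unavailable,
    secrets raises, and refusing to produce a key is the correct outcome."""
    while True:
        candidate = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= candidate < SECP256K1_N:
            return candidate

def is_valid_private_key(k) -> bool:
    """Range check a caller should apply to any key it did not generate itself."""
    return isinstance(k, int) and not isinstance(k, bool) and 1 <= k < SECP256K1_N

def find_nonce_reuse(signatures) -> dict:
    """signatures: iterable of (signer_id, r, s) taken from an audit log.
    Returns {r: [(index, signer_id), ...]} for every r value seen more than once.
    r depends only on the nonce k, so a repeated r means a repeated k: within
    one signer the private key is recoverable from the pair, and across signers
    it means both drew the same k, which is the RNG failure the Android JCA
    weakness produced. Either way the affected keys must be rotated."""
    by_r = defaultdict(list)
    for idx, (signer, r, _s) in enumerate(signatures):
        by_r[r].append((idx, signer))
    return {r: hits for r, hits in by_r.items() if len(hits) > 1}

# Constructed audit sample: indices 0 and 2 reuse r under walletA, index 3
# shows the same r under walletB; index 1 is clean.
SAMPLE_SIGNATURES = [
    ("walletA", 0x1111, 0x2222),
    ("walletA", 0x3333, 0x4444),
    ("walletA", 0x1111, 0x5555),
    ("walletB", 0x1111, 0x6666),
]

def audit_sample() -> dict:
    """Run the reuse scan over the constructed sample."""
    return find_nonce_reuse(SAMPLE_SIGNATURES)
```

In a real deployment the audit would run over the r values of every signature the service has broadcast; a single hit is already grounds to move funds to fresh keys, because anyone with the same log can perform the same recovery.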
Passphrase wallets weakness
Insider threats
Cold wallet is not enough
51% issue
Bitcoins can be just lost
Law enforcement can take your bitcoins
What to do?
Manage the project risk and recognize the IT security risk
Use the power of Blockchain:
• MULTISIG
• Key derivation
• Rely on Blockchain (record the transaction)
• Cold wallets
• Backups
• Use recent achievements in Blockchain technology and smart contracts
Use the application security standards:
• Open Application Security Maturity Model (OpenSAMM)
• Application Security Verification Standard (ASVS)
• OWASP Proactive Controls
• OWASP Top 10 for web and mobile
Manage security (use ISO 27001 and COBIT 5)
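Of the items above, key derivation and backups are the easiest to show in code. As an added example, not from the talk, the Python below implements BIP32 hardened child derivation from a single seed: one backed-up seed kept in cold storage regenerates every key at a path such as m/44'/0'/0', and because the parent private key is hashed into each hardened child, a compromised child key does not expose its siblings. Only the hardened path is implemented (no public-key arithmetic is needed for it), the secp256k1 order is the published curve constant, and the sample seed is constructed.

```python
"""Hierarchical key derivation from one backed-up seed (BIP32 hardened children).

Added example for this deck, not code from the talk. It implements only the
hardened path of BIP32, which needs just HMAC-SHA512 and modular addition, so
it runs on the standard library alone. The sample seed is constructed.
"""
import hashlib
import hmac

# Order of secp256k1; every derived private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED_OFFSET = 0x80000000

def master_key(seed: bytes) -> tuple:
    """BIP32 master node: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed).
    Returns (private_key, chain_code)."""
    if not 16 <= len(seed) <= 64:
        raise ValueError("seed must be 128..512 bits")
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, chain = int.from_bytes(digest[:32], "big"), digest[32:]
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; pick another seed")
    return k, chain

def derive_hardened(k_par: int, chain_par: bytes, index: int) -> tuple:
    """Hardened child i' = 2^31 + index; data = 0x00 || ser256(k_par) || ser32(i').
    Because the parent private key is hashed in, a leaked child key plus the
    parent chain code does not expose siblings, unlike non-hardened children."""
    if not 0 <= index < HARDENED_OFFSET:
        raise ValueError("index must be below 2^31")
    data = (b"\x00" + k_par.to_bytes(32, "big")
            + (index + HARDENED_OFFSET).to_bytes(4, "big"))
    digest = hmac.new(chain_par, data, hashlib.sha512).digest()
    il, chain_child = int.from_bytes(digest[:32], "big"), digest[32:]
    k_child = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child; BIP32 says skip to the next index")
    return k_child, chain_child

def derive_path(seed: bytes, path: str) -> int:
    """Derive the private key at a hardened-only path such as m/44'/0'/0'."""
    parts = path.split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must look like m/a'/b'")
    k, chain = master_key(seed)
    for part in parts[1:]:
        if not part.endswith("'"):
            raise ValueError("this example derives hardened children only")
        k, chain = derive_hardened(k, chain, int(part[:-1]))
    return k

# Constructed seed; a real one comes from the OS CSPRNG and lives only in the
# cold store and its backups.
SAMPLE_SEED = bytes(range(32))
```

The operational point is that the backup is the seed, not the keys: any number of per-customer or per-purpose keys can be regenerated from it, and hot systems can be handed individual hardened children without ever holding the seed.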
Let’s get in touch!