World’s Worst Bitcoin Mining Rig

Even if we don’t quite understand what’s happening in a Bitcoin mine, we all pretty much know what’s needed to set one up. Racks of GPUs and specialized software will eventually find a few of these vanishingly rare virtual treasures, but if you have enough time, even a Xerox Alto from 1973 can be turned into a Bitcoin mine. As for how much time it’ll take [Ken Shirriff]’s rig to find a Bitcoin, let’s just say that his Alto would need to survive the heat death of the universe. About 5000 times. And it would take the electricity generated by a small country to do it.

Even though it’s not exactly a profit center, it gives [Ken] a chance to show off his lovingly restored Alto. The Xerox machine is the granddaddy of all modern PCs, having introduced almost every aspect of the GUI world we live in. But with a processor built from discrete TTL chips and an instruction set that doesn’t even have logical OR or XOR functions, the machine isn’t exactly optimized for SHA-256 hashing. The fact that [Ken] was able to implement a mining algorithm at all is impressive, and his explanation of how Bitcoin mining is done is quite clear and a great primer for cryptocurrency newbies.

[Ken] seems to enjoy sending old computer hardware to the Bitcoin mines — he made an old IBM mainframe perform the trick a while back. But if you don’t have a room-size computer around, perhaps reading up on alternate uses for the block chain would be a good idea.

[via Dangerous Prototypes]

Raspberry Pi Malware Mines BitCoin

According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine BitCoins some form of cryptocurrency. The other trojan sets up a proxy server.

According to the site:

Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.

It changes the password of the user “pi” to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.

In addition, the malware searches for network machines with open port 22 and tries to log in using the default Raspberry Pi credentials to spread itself.

Embedded systems are a particularly inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In others, it is just the compute power which can be used for denial of service attacks on others, spam, or — in the case — BitCoin mining. We wonder how large does your Raspberry Pi botnet needs to be to compete in the mining realm?

We hope you haven’t kept the default passwords on your Pi. In fact, we hope you’ve taken our previous advice and set up two factor authentication. You can do other things too, like change the ssh port, run fail2ban, or implement port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability, as well.

Bitcoin Price Ticker

Are you a Bitcoin miner or trader, but find yourself lacking the compulsive need to check exchange rates like the drug-fuelled daytraders of Wall Street? Fear not – you too can adorn your home or office with a Bitcoin Price Ticker! The post is in Italian but you can read a translated version here.

It’s a straightforward enough build – an Arduino compatible board with an onboard ESP8266 is hooked up with an HD44780-compatible LCD. It’s then a simple matter of scraping the Bitcoin price from the web and displaying it on the LCD. It’s a combination of all the maker staples, tied together with some off-the-shelf libraries – it’s quick, and it works.

[Ed: Oh boo!  The images of the LCD were photoshopped.  Please ignore the next paragraph.]

What makes the build extra nice is the use of custom characters on the LCD. The HD44780 is a character based display, and this project appears to use a screen with two lines of sixteen characters each. However, a custom character set has been implemented in the display which uses several “characters” on the screen to create a single number. It’s a great way to make the display more legible from a distance, as the numbers are much larger, and the Bitcoin logo has been faithfully recreated as well. It’s small touches like this that can really set a project apart. We’d love to see this expanded to display other financial market information and finished off in a nice case.

If you’re wondering what you can actually do with Bitcoin, check out the exploits of this robotic darknet shopper. Oh, and Microsoft will take them, too.

Global Cyber Attack Halted: Autopsy Time

Friday saw what looked like the most dangerous ransomware infection to date. The infection known as WannaCry was closing down vital hospital IT systems across the UK canceling major operations and putting lives at risk.

Spread Halted?

It spread further around the world and almost became a global pandemic. Although machines are still encrypted demanding Bitcoin, one security blogger [MalwareTech] halted the ransomware by accident. As he was analyzing the code he noticed that the malware kept trying to connect to an unregistered domain name “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. So he decided to register the domain to see if he could get some analytics or any information the worm was trying to send home. Instead much to his surprise, this halted the spread of the ransomware. Originally he thought this was some kind of kill switch but after further analysis, it became clear that this was a test hard-coded into the malware which was supposed to detect if it was running in a virtual machine. So by registering the domain name, the ransomware has stopped spreading as it thinks the internet is a giant virtual machine.

Why was the UK’s NHS Hit So Badly?

According to the [BBC] Information obtained by software firm Citrix under Freedom of Information laws in December suggest up to 90% of NHS trusts were still using Windows XP, However NHS Digital says it is a “much smaller number”. Microsoft has rolled out a free security update to Windows XP, Windows 8, and Windows Server 2003 “to protect their customers”. There was much warning about XP no longer receiving updates etc, the 2001 operating system just needs to die however so many programs especially embedded devices rely upon the fact that the OS running is Windows XP, This is a problem that needs sorted sooner rather than later. There is still obvious problems facing the NHS as all outpatients appointment’s have been canceled at London’s Barts Health NHS Trust which happens to be the largest in the country. However [Amber Rudd], Home Secretary, said 97% of NHS trusts were “working as normal” and there was no evidence patient data was affected. Let’s just hope they update their systems and get back to fixing people as soon as they can.

Where Else Was Hit?

There was quite a few other places hit as well as the UK’s NHS including The Sunderland Nissan Plant also in the UK, Spanish telecoms giant Telefonica along with some gas companies in Spain. In the US FedEx was affected, France has seen production in some of it’s Renault factories halted. Finally, Russia reported 1000 governmental computer systems has been hit.

So is this the end for ransomware?

No, this infection was stopped by accident the infected are either still infected or have paid up, had they not included the sloppy code in the first place then who knows what would have happened. Microsoft had rolled out patches but some people/organizations/Governments are lazy and don’t bother to apply them. Keep your computers up to date, Good luck because we think we will be seeing a lot more ransomware malware in the coming years.

[Update WannaCry v. 2.0 has been released without the “kill switch”, We wonder what will happen now. Probably not a lot as the media attention has been quite intense so it may not be that big an infection however there is always a few who live in the land where news doesn’t exist and will go a long their day until BAM! Ransom Ware installed and pockets emptied.]

BitCluster Brings a New Way to Snoop Through BitCoin Transactions

Mining the wealth of information in the BitCoin blockchain is nothing new, but BitCluster goes a long way to make sense of the information you’ll find there. The tool was released by Mathieu Lavoie and David Decary-Hetu, PH.D. on Friday following their talk at HOPE XI.

I greatly enjoyed sitting in on the talk which began with some BitCoin basics. The cryptocurrency uses user generated “wallets” which are essentially addresses that identify transactions. Each is established using key pairs and there are roughly 146 million of these wallets in existence now

If you’re a thrifty person you might think you can get one wallet and use it for years. That might be true of the sweaty alligator-skin nightmare you’ve had in your back pocket for a decade now. It’s not true when it comes to digital bits —  they’re cheap (some would say free). People who don’t generate a new wallet for every transaction weaken their BitCoin anonymity and this weakness is the core of BitCluster’s approach.

Every time you transfer BitCoin (BTC) you send the network the address of the transaction when you acquired the BTCs and sign it with your key to validate the data. If you reuse the same wallet address on subsequent transactions — maybe because you didn’t spend all of the wallet’s coins in one transaction or you overpaid and have the change routed back to your wallet. The uniqueness of that signed address can be tracked across those multiple transactions. This alone won’t dox you, but does allow a clever piece of software to build a database of nodes by associating transactions together.

Mathieu’s description of first attempts at mapping the blockchain were amusing. The demonstration showed a Python script called from the command line which started off analyzing a little more than a block a second but by the fourth or fifth blocks hit the process had slowed to a standstill that would never progress. This reminds me of some of the puzzles from Project Euler.

bitcluster-how-it-worksAfter a rabbit hole of optimizations the problem has been solved. All you need to recreate the work is a pair of machines (one for Python one for mondoDB) with the fastest processors you can afford, a 500 GB SSD, 32 GB of RAM (but would be 64 better), Python 64-bit, and at least a week of time. The good news is that you don’t have to recreate this. The 200GB database is available for download through a torrent and the code to navigate it is up on GitHub. Like I said, this type of blockchain sleuthing isn’t new but a powerful open source tool like this is.

Both Ransomware and illicit markets can be observed using this technique. Successful, yet not-so-cautious ransomers sometimes use the same BitCoin address for all payments. For example, research into a 2014 data sample turned up a ransomware instance that pulled in $611k (averaging $10k per day but actually pulling in most of the money during one three-week period). If you’re paying attention you know using the same wallet address is a bad move and this ransomware was eventually shut down.

Illicit markets like Silk Road are another application for BitCluster. Prior research methods relied on mining comments left by customers to estimate revenue. Imagine if you had to guess at how well Amazon was doing reading customer reviews and hoping they mentioned the price? The ability to observe BTC payment nodes is a much more powerful method.

A good illicit market won’t use just one wallet address. But to protect customers they use escrow address and these do get reused making cluster analysis possible. Silk Road was doing about $800k per month in revenue at its height. The bulk of purchases were for less than $500 with only a tiny percentage above $1000. But those large purchases were likely to be drug purchases of a kilo or more. That small sliver of total transactions actually added up to about a third of the total revenue.

bitcluster-logoIt’s fascinating to peer into transactions in this manner. And the good news is that there’s plenty of interesting stuff just waiting to be discovered. After all, the blockchain is a historical record so the data isn’t going anywhere. BitCluster is intriguing and worth playing with. Currently you can search for a BTC address and see total BTC in and out, then sift through income and expense sorted by date, amount, etc. But the tool can be truly great with more development. On the top of the wishlist are automated database updates, labeling of nodes (so you can search “Silk Road” instead of a numerical address), visual graphs of flows, and a hosted version of the query tool (but computing power becomes prohibitive.)

Network Security Theatre

Summer is nearly here, and with that comes the preparations for the largest gathering of security researchers on the planet. In early August, researchers, geeks, nerds, and other extremely cool people will descend upon the high desert of Las Vegas, Nevada to discuss the vulnerabilities of software, the exploits of hardware, and the questionable activities of government entities. This is Black Hat and DEF CON, when taken together it’s the largest security conference on the planet.

These conferences serve a very important purpose. Unlike academia, security professionals don’t make a name for themselves by publishing in journals. The pecking order of the security world is determined at these talks. The best talks, and the best media coverage command higher consultancy fees. It’s an economy, and of course there will always be people ready to game the system.

Like academia, these talks are peer-reviewed. Press releases given before the talks are not, and between the knowledge of security researchers and the tech press is network security theatre. In this network security theatre, you don’t really need an interesting exploit, technique, or device, you just need to convince the right people you have one.

Continue reading “Network Security Theatre”

I Am Satoshi Nakamoto

OK, you got me. I’m not. Neither is Dorian Nakamoto, pictured above, and neither is this [Craig White] guy. Or at least, his supposed proof that he is “Satoshi” doesn’t stand up to scrutiny. Indeed, you can re-create it yourself and pretend to be “Satoshi” too.

If you haven’t been following along, “Satoshi Nakamoto” is the person or group of people who invented Bitcoin, and who holds a decent fortune’s worth of the currency. He’s been exceedingly careful at keeping his identity secret. So much so, that upon hearing another “We Found Satoshi” story in the news, we actually laughed at our wife this morning. But then it was picked up by the BBC and is forthcoming in the Economist. Serious journalism.

Well, if you read the BBC piece, they note that “Security expert Dan Kaminsky said the procedure was almost ‘maliciously resistant’ to validation.” Hint: If Dan “DNSSEC” Kaminsky can’t verify a signature, there’s a good chance it’s not the real deal.

The really embarrassing part is that this [Craig White] character claimed to be Satoshi in December 2015. If he actually were Satoshi, who is probably a cryptographic genius, do you think it would take him five months to figure out a cryptographically sound way of proving his identity? Nope.

So here’s how he did it, according to [Patrick McKenzie]’s GitHub, linked above. There is a hashed secret out there that only “Satoshi” knows. Hashes are one-way functions; they produce a number that’s easy to calculate if you know the original data, but devilishly hard to work from the hash backwards to get the data out. This hashed value is public, and part of the blockchain, so we can be pretty sure that it hasn’t been altered.

[Craig] claimed to have some text from Sartre hashed with “Satoshi’s” key, and that this proves his identity. But instead of providing the hash of the Sartre text, [Craig] apparently substituted a hash from the blockchain. When this supposed Sartre hash is validated against the blockchain, of course, it works. In short, he swapped hashes, and people failed to notice.

So I’m not “Satoshi”, and neither is this guy. Who is? The mystery continues. And given how careful “Satoshi” has been so far, it’s likely to remain so for a long while. But one thing’s for sure, when “he” does choose to reveal himself, it won’t be difficult to verify. After all “Satoshi” knows “Satoshi’s” password.

Image via the BBC, of another guy who isn’t “Satoshi”.

(Late Edit: Here’s another really nice writeup, this one by [ErrataRob].)