CRYPTOHACKERS BREACH STATCOUNTER TO STEAL BITCOINS

Hackers planted malware on StatCounter to steal bitcoin revenue from Gate.io account holders, according to Eset researcher Matthieu Faou, who discovered the breach.

The malicious code was added to StatCounter’s site-tracking script last weekend, he reported Tuesday.

The malicious code hijacks any bitcoin transactions made through the Web interface of the Gate.io cryptocurrency exchange. It does not trigger unless the page link contains the “myaccount/withdraw/BTC” path.

The malicious code secretly can replace any bitcoin address that users enter on the page with one controlled by the attacker. Security experts view this breach as critical because so many websites load StatCounter’s tracking script.

“This security breach is really important considering that — according to StatCounter — more than 2 million websites are using their analytics platform,” Faou told TechNewsWorld. “By modifying the analytics script injected in all those 2 million websites, attackers were able to execute JavaScript code in the browser of all the visitors of these websites.”

Limited Target, Broad Potential

The attack also is significant because it shows increased sophistication among hackers regarding the tools and methods they use to steal cryptocurrency, noted George Waller, CEO of BlockSafe Technologies.

Although this form of hijacking is not a new phenomenon, the way the code was inserted was.

The growth of the cryptocurrency market, and of the asset class emerging around it, has led hackers to invest more in devising robust methods of stealing it. The malware used here is nothing new, but the method of delivering it is.

“Since the beginning of 2017, cryptocurrency exchanges suffered over (US)$882 million in funds stolen through targeted attacks across at least 14 exchanges. This hack adds one more to the list,” Waller told TechNewsWorld.

In this instance, attackers chose to target the users at Gate.io, an important cryptocurrency exchange, said Eset’s Faou. When a user submitted a bitcoin withdrawal, attackers in real time replaced the destination address with an address under their control.

Attackers were able to target Gate.io by compromising a third-party organization, a tactic known as a “supply chain attack.” They could have targeted many more websites, Faou noted.

“We identified several government websites that are using StatCounter. Thus, it means that attackers would have been able to target many interesting people,” he said.

Telling Financial Impact

Gate.io customers who initiated bitcoin transactions during the time of the attack are most at risk from this breach. The malware hijacked transactions legitimately authorized by the site user by changing the destination address of the bitcoin transfers, according to Paige Boshell, managing member of Privacy Counsel.

“Gate.io has taken down StatCounter, so this particular attack should be concluded,” Boshell told TechNewsWorld.

The extent of the loss and the fraud exposure for this breach are not yet quantifiable. The attackers used multiple bitcoin addresses for the transfers, Boshell added, noting that the attack could have been deployed to impact any site using StatCounter.

Protection Strategies Not Foolproof

StatCounter needs to improve its own code audit and constantly check that only authorized code is running on its network, suggested Joshua Marpet, COO at Red Lion. However, most users will not realize that StatCounter is at fault.

“They’ll blame Gate.io, and anything could happen — loss of business, ‘run on the bank,’ and even closing their doors,” he told TechNewsWorld.

Checking the code is not always a workable prevention plan. In this case, the malware code looked like the Gate.io user’s own instructions, noted Privacy Counsel’s Boshell.

“It was not easily detectable by the fraud tools that Gate.io uses to protect against and detect malware,” she said.

Network admins are not really affected in this type of breach, as the malicious code is processed at the workstation/laptop rather than on the webserver, according to Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust. It also does not provide any mechanism to gain control over the system.

“In essence, a lot of stars need to line up to make this a significant risk in that regard,” he told TechNewsWorld. “Effective vulnerability and privilege management would naturally limit the impact of any intrusion.”

That is the direction in which admins need to look. There is nothing they can do to control the initial attack, assuming the targeted websites are accepted sites within their organization, Chappell added.

Even a well-protected website can be breached by compromising a third-party script, noted Eset’s Faou.

“Thus, webmasters should choose carefully the external JavaScript code they are linking to and avoid using them if it is not necessary,” he said.

One potential strategy is to screen for scripts that replace one bitcoin address with another, suggested Clay Collins, CEO of Nomics.

Using analytics services that have a good security reputation is part of that, he told TechNewsWorld.

“Folks with ad/script blockers were not vulnerable,” Collins said.

More Best Practices

Traffic analysis, website scanning and code auditing are some of the tools that could have detected that something was causing abnormal transactions and traffic, noted Fausto Oliveira, principal security architect at Acceptto. However, it would have been ideal to prevent the attack in the first place.

“If the Gate.io customers had an application that requires strong out-of-band authentication above a certain amount, or if a transaction is aimed at an unknown recipient, then their customers would have had the opportunity to block the transaction and gain early insight that something wrong was happening,” Oliveira told TechNewsWorld.
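As an added example (not code from the article, Gate.io or StatCounter), the following JavaScript sketches a server-side withdrawal screen that combines the two ideas above: step-up, out-of-band confirmation for large withdrawals or first-time recipients, and an aggregate alert when one destination address starts collecting withdrawals from several unrelated accounts within a short window, which is what a client-side address swap looks like from the exchange’s side. All thresholds, account names and addresses are constructed assumptions.

```javascript
// Added example, not from the article or any exchange: a withdrawal screen with
// (a) a per-withdrawal step-up decision for unknown recipients / large amounts and
// (b) an aggregate alert for one destination shared by many source accounts.
// Thresholds, accounts and addresses below are constructed placeholders.

const POLICY = {
  stepUpAmountBtc: 0.5,         // confirm out-of-band at or above this amount
  sharedDestinationAccounts: 3, // alert when this many accounts pay one address
  windowSeconds: 3600,          // ...within this many seconds of each other
};
// Per-withdrawal decision: 'allow' only when this account has paid the recipient
// before and the amount is under the threshold; otherwise 'step_up' (hold it).
function screenWithdrawal(w, knownRecipientsForAccount, policy = POLICY) {
  const reasons = [];
  if (!knownRecipientsForAccount.has(w.to)) reasons.push('unknown_recipient');
  if (w.amountBtc >= policy.stepUpAmountBtc) reasons.push('amount_threshold');
  return { id: w.id, decision: reasons.length ? 'step_up' : 'allow', reasons };
}
// Aggregate detection: per destination, slide a time window over its withdrawals
// and count distinct source accounts; a swapped address pulls in many accounts.
function findSharedDestinations(withdrawals, policy = POLICY) {
  const byDest = new Map();
  for (const w of withdrawals) {
    if (!byDest.has(w.to)) byDest.set(w.to, []);
    byDest.get(w.to).push(w);
  }
  const alerts = new Map(); // destination -> max distinct accounts in any window
  for (const [dest, list] of byDest) {
    list.sort((a, b) => a.ts - b.ts);
    let best = 0;
    for (let i = 0; i < list.length; i++) {
      const accounts = new Set();
      for (let j = i; j < list.length && list[j].ts - list[i].ts <= policy.windowSeconds; j++) {
        accounts.add(list[j].account);
      }
      best = Math.max(best, accounts.size);
    }
    if (best >= policy.sharedDestinationAccounts) alerts.set(dest, best);
  }
  return alerts;
}
// Constructed sample: three accounts "withdraw" to the same address within minutes,
// as they would if a tampered script rewrote their destination field at submit time.
const SAMPLE_WITHDRAWALS = [
  { id: 1, account: 'alice', to: 'addr-alice-cold', amountBtc: 0.10, ts: 1000 },
  { id: 2, account: 'bob',   to: 'addr-swapped',    amountBtc: 0.20, ts: 1100 },
  { id: 3, account: 'carol', to: 'addr-swapped',    amountBtc: 0.80, ts: 1200 },
  { id: 4, account: 'dave',  to: 'addr-swapped',    amountBtc: 0.05, ts: 1300 },
  { id: 5, account: 'erin',  to: 'addr-erin-cold',  amountBtc: 1.00, ts: 9000 },
];
const KNOWN_RECIPIENTS = new Map(
  ['alice', 'bob', 'carol', 'dave', 'erin'].map((a) => [a, new Set([`addr-${a}-cold`])]));

function runScreen(withdrawals = SAMPLE_WITHDRAWALS, known = KNOWN_RECIPIENTS) {
  const decisions = withdrawals.map((w) =>
    screenWithdrawal(w, known.get(w.account) || new Set()));
  return { decisions, sharedDestinations: findSharedDestinations(withdrawals) };
}
console.log(JSON.stringify(runScreen(), (k, v) => (v instanceof Map ? [...v] : v), 2));
```

Withdrawals 2 to 4 are each held for out-of-band confirmation individually, and the shared destination is flagged as a likely swap target even though withdrawal 4 is far below the amount threshold.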

Using script blocking add-ons like NoScript and uBlock/uMatrix can put a measure of personal control in the website user’s hands. It makes Web browsing more challenging, noted Raymond Zenkich, COO of BlockRe.

“But you can see what code is being pulled into a site and disable it if it is not necessary,” he told TechNewsWorld.

“Web developers need to stop putting third-party scripts on sensitive pages and put their responsibility to their users over their desire for advertising dollars, metrics, etc.,” Zenkich said.

Beware Third-Party Anythings

As a rule, the number of third-party scripts should be kept to a minimum by webmasters, suggested Zenchain cofounder Seth Hornby, as each one represents a potential attack vector.

“For exchanges, additional confirmations for withdrawals would also be beneficial in this case, given that the exploit involved swapping the user’s bitcoin address for that of the thieves,” he told TechNewsWorld.

Even third-party outsourcing solutions can open the door to cyber shenanigans, warned Zhang Jian, founder of FCoin.

“So many companies within the cryptocurrency space rely on third-party companies for different duties and tasks. The ramification of this outsourcing is a loss of accountability. This puts many companies in a tough spot, unable to locate attacks of this nature before it is too late,” he told TechNewsWorld.

Instead, network admins should work toward creating in-house versions of their tools and products, from beginning to end, Jian suggested, to ensure that control of these security measures lies within their reach.

AMAZON ERROR ALLOWED ALEXA USER TO EAVESDROP ON ANOTHER HOME

A user of Amazon’s Alexa voice assistant in Germany got access to more than a thousand recordings from another user because of “a human error” by the company.

The customer had asked to listen back to recordings of his own activities made by Alexa but he was also able to access 1,700 audio files from a stranger when Amazon sent him a link, German trade publication c’t reported.

“This unfortunate case was the result of a human error and an isolated single case,” an Amazon spokesman said.

The first customer had initially got no reply when he told Amazon about the access to the other recordings, the report said. The files were then deleted from the link provided by Amazon, but he had already downloaded them onto his computer, added the report from c’t, part of German tech publisher Heise.

CRYPTOCURRENCY INDUSTRY FACES INSURANCE HURDLE TO MAINSTREAM AMBITIONS

Cryptocurrency exchanges and traders in Asia are struggling to insure themselves against the risk of hacks and theft, a factor they claim is deterring large fund managers from investing in a nascent market yet to be embraced by regulators.

Getting the buy-in from insurers would mark an important step in crypto industry efforts to show that it has solved the problem of storing digital assets safely following the reputational damage of a series of thefts, and allow it to attract investment from mainstream asset managers.

“Most institutionally minded crypto firms want to buy proper insurance, and in many cases, getting adequate insurance coverage is a regulatory or legal requirement,” said Henri Arslanian, PwC fintech and crypto leader for Asia.

“However, getting such coverage is almost impossible despite their best efforts.”

Many asset managers are interested in digital assets. A Greenwich Associates survey, published in September, said 72% of institutional investors who responded to the research firm believe crypto has a place in the future.

Last month, Mohamed El-Erian, Allianz’s chief economic adviser said that cryptocurrencies would gain wider acceptance as institutions began to invest in the space.

Most have held off investing so far, however, citing regulatory uncertainty and a lack of faith in existing market infrastructure for storing and trading digital assets following a series of hacks, as well as the plunge in prices.

The total market capitalisation of crypto currencies is currently estimated at approximately US$120bil (RM502bil) compared to over US$800bil (RM3.3tril) at its peak in January.

“Institutional investors who are interested in investing in crypto will have various requirements, including reliable custody and risk management arrangements,” said Hoi Tak Leung, a senior lawyer in Ashurst’s digital economy practice.

“Insufficient insurance coverage, particularly in a volatile industry such as crypto, will be a significant impediment to greater ‘institutionalisation’ of crypto investments.”

Regulatory uncertainty is another problem for large asset managers. While crypto currencies raise a number of concerns for regulators, including money laundering risks, few have set out clear frameworks for how cryptocurrencies should be traded, and by whom.

Insurance might allay some of the regulators’ concerns around cyber security. Hong Kong’s Securities and Futures Commission recently said it was exploring regulating crypto exchanges, and signalled that the vast majority of the virtual assets held by a regulated exchange would need insurance cover.

Custody challenge

Keeping crypto assets secure involves storing a 64-character alphanumeric private key. If the key is lost, the assets are effectively lost too.

Assets can be stored online, in so-called hot wallets, which are convenient to trade though vulnerable to being hacked, or in ‘cold’ offline storage solutions, safe from hacks, but often inconvenient to access frequently.

Over US$800mil worth of crypto currencies were stolen in the first half of this year according to data from Autonomous NEXT, a financial research firm.

Some institutions have started working to solve this problem, and may provide fierce competition to the incumbent players.

This year, Fidelity, and a group including Japanese investment bank Nomura have launched platforms that will offer custody services for digital assets.

Despite the industry’s complaints, insurers say that they do offer cover. Risk advisor Aon received some two dozen inquiries this year from exchanges and crypto vaults seeking insurance, according to Thomas Cain, regional director, commercial risk solutions, at Aon’s Asian financial services and professions group.

“It is not difficult to insure companies that hold large amounts of crypto assets, but given the newness of the asset class and the publicity some of the crypto breaches have received, applicants need to make an effort to distinguish themselves,” Cain said.

The industry also says it is getting closer to solving the custody problem.

“This year there have been a number of developments, and some providers have developed custody solutions suitable for institutional clients’ needs,” said Tony Gravanis, managing director, investments, at blockchain investment firm Kenetic Capital.

“Players at the top end of the market have also been able to get insurance,” he said.

But this is not the case for all.

One cryptocurrency broker, declining to be named because of the subject’s sensitivity, said insurers struggled to understand the new technology and its implications, and that even those who were prepared to provide insurance would only offer limited cover. “We’ve not yet found an insurer who will offer coverage of a meaningful enough size to make it worthwhile,” he said. – Reuters

PICHAI PUTS KIBOSH ON GOOGLE SEARCH ENGINE FOR CHINA

Google is not working on a bespoke search engine that caters to China’s totalitarian tastes, and it has no plans to develop one, CEO Sundar Pichai told lawmakers on Capitol Hill Tuesday.

“Right now, we have no plans to launch in China,” he told members of the U.S. House Judiciary Committee at a public hearing on Google’s data collection, use and filtering practices.

“We don’t have a search product there,” he said. “Our core mission is to provide users access to information, and getting access to information is an important human right.”

Pichai acknowledged that the company had assigned some 100 workers to develop a search engine for totalitarian countries, however.

“We explored what search would look like if it were to be launched in a country like China,” he revealed.

A report about a Google search engine for China appeared in The Intercept this summer.

The project, code-named “Dragonfly,” had been under way since the spring of 2017, according to the report, but development picked up after Pichai met with Chinese government officials about a year ago.

Special Android apps also had been developed for the Chinese market, The Intercept stated, and had been demonstrated to the Chinese government for a possible rollout this year.

“We certainly hope they abandoned those plans,” said Chris Calabrese, vice president for policy for the Center for Democracy & Technology, an individual rights advocacy group in Washington, D.C.

“We didn’t think it was a good idea to build a search engine that would censor speech in order to go into the Chinese market,” he told the E-Commerce Times.

Google may have been testing the waters with its Chinese browser, maintained Russell Newman, assistant professor for the Institute for Liberal Arts & Interdisciplinary Studies at Emerson College in Boston.

“It’s an example of a firm seeing how far down the road it can go before it receives pushback,” he told the E-Commerce Times. “It discovers a limit, then pushes that limit a little more. I’d be surprised if they wholly gave up on the search engine for China.”

Mission: Protecting Privacy

In his opening remarks to the committee, Pichai declared that protecting the privacy and security of its users was an essential part of Google’s mission.

“We have invested an enormous amount of work over the years to bring choice, transparency and control to our users. These values are built into every product we make,” he said.

“We recognize the important role of governments, including this committee, in setting rules for the development and use of technology,” Pichai added. “To that end, we support federal privacy legislation and proposed a legislative framework for privacy earlier this year.”

Pichai also addressed a burning issue for Republican members of the panel.

“I lead this company without political bias and work to ensure that our products continue to operate that way,” he said. “To do otherwise would go against our core principles and our business interests.”

‘Bias Running Amok’

Among the Republicans on the committee who raised the issue of unfairness with respect to the way Google’s search algorithm treats conservative views was Mike Johnson, R-La.

“My conservative colleagues and I are fierce advocates of limited government, and we’re also committed guardians of free speech and the free marketplace of ideas,” he told Pichai.

“We do not want to impose burdensome government regulations on your industry,” Johnson continued. “However, we do believe we have an affirmative duty to ensure that the engine that processes as much as … 90 percent of all Internet searches, is never unfairly used to unfairly censor conservative viewpoints or suppress political views.”

Political bias is running amok at Google, charged committee member Louie Gohmert, R-Texas.

“You’re so surrounded by liberality that hates conservatism, hates people that really love our Constitution and the freedoms that it’s afforded people like you, that you don’t even recognize it,” he told Pichai, who was born in India.

“It’s like a blind man not even knowing what light looks like because you’re surrounded by darkness,” Gohmert added.

Despite Republican claims of liberal bias in Google’s algorithm, “there isn’t any evidence to back that up empirically,” Calabrese said.

Market Dominance

Committee members also were concerned about Google’s market dominance.

“I’m deeply concerned by reports of Google’s discriminatory conduct in the market for Internet search,” said David Cicilline, D-R.I.

Google has harmed competition in Europe by favoring its own products and services over rivals, and by deprioritizing or delisting its competitors’ content, he noted, citing European Commission findings.

“It is important for the U.S. government to follow the lead of other countries and closely examine the market dominance of Google and Facebook, including their impact on industries such as news media,” observed David Chavern, CEO of the News Media Alliance in Arlington, Va., a trade association representing some 2,000 newspapers in the United States and Canada.

“We will continue to urge for more hearings to examine ways in which the duopoly impacts the business of journalism, which is essential to democracy and civic society,” he told the E-Commerce Times.

Prelude to Privacy Law

House and Senate hearings in recent months are just the prelude to data privacy legislation that could be introduced next year.

“We’re certainly going to see a wide variety of comprehensive privacy bills filed, and I think we’ll make some progress,” Calabrese said.

“Advocates have seen the need for privacy legislation for a long time,” he said, “and now that we have privacy legislation set to kick in in California in 2020, there’s a lot of companies who would rather be governed by a federal law than they would a bunch of different state laws.”

If a general privacy law is enacted, it shouldn’t use Europe’s General Data Protection Regulation as a model, maintained Alan McQuinn, senior policy analyst for the Information Technology and Innovation Foundation, a public policy and technology innovation organization in Washington, D.C.

“We don’t want to see the GDPR enacted here in the states,” he told the E-Commerce Times.

“It is highly likely to create a drag on the European economy and hurt innovation and businesses,” McQuinn explained.

Privacy rules should be styled to fit industries, such as healthcare, finance and commerce, he suggested.

“The sector-specific approach that the U.S. has taken toward privacy has allowed for more innovation,” McQuinn noted, “and created the powerhouse of the digital economy that we have here.”
