‘Illegal Crypto Mining is a Huge Drain on a Nation’s Power Resources’

Hackers and ransomware groups have benefited immensely by leveraging blockchain and cryptocurrencies to secure multi-million-dollar payouts. Cryptocurrency transactions are pseudonymous, hard to attribute to a real-world identity, and not regulated by any government or authority. But hackers are now taking this further by attacking crypto exchanges and stealing coins from user wallets. They also engage in illegal crypto mining, using thousands of compromised computers to mine coins. Crypto mining draws a great amount of electricity from the grid, and some countries have seen power shortages as a result.

CISO MAG got in touch with Amit Jaju, a Senior Managing Director with Ankura Consulting, to discuss these challenges. It was startling to hear Amit cite a study that predicts a two-degree rise in global temperatures by 2024 due to crypto mining activities. You will be amazed to learn how much power is consumed for every cryptocurrency transaction when the blockchain ledgers are updated. Amit offered some suggestions for crypto exchanges on how to protect user wallets, and on what regulators and governments can do to protect consumers.

Amit leads the Data & Technology Segment at Ankura Consulting in India. He has over 17 years of experience in forensic technology consulting covering data analytics, cyber, e-discovery, software licensing, and information governance. He has created market-leading solutions around financial crime, cyber incident response, analytics, and software licensing and delivered engagements for global and Indian clients in over 20 countries. His experience spans multiple sectors, including Financial Services, Information Technology, Pharmaceuticals, and Media & Entertainment.

He has led many complex global data analytics engagements, including implementing and managing enterprise-wide fraud and AML monitoring solutions for banks and implementing terrorism monitoring over the internet for defense services. He has delivered sanctions diagnostics and investigation engagements across Europe and the Middle East for large US sanctions matters and has developed a sanctions analytics platform to deliver end-to-end sanctions diagnostics and monitoring.

Before joining Ankura, Amit was Senior Managing Director and India head at FTI Consulting, and before that a Partner with Ernst & Young for nine years as Head of Forensic Technology in India and Markets, where he was responsible for setting up and leading Forensic Technology in EMEIA. Before EY, Amit was the Forensic Technology lead at KPMG in India for five years. Before joining the Big Four, Amit worked with a boutique information security consulting firm.

Edited excerpts from the interview follow:

We have seen a lot of illegal crypto mining activities around the world in countries like Iran, Venezuela, Malaysia, the UK, Kazakhstan, and the U.S. Tremendous computational power is required for Bitcoin mining, which even leads to power outages directly impacting electricity prices. Are there any studies to back this? What impact will this have on the environment and resources like power?

That is a very important point, and it is getting missed out in many conversations around crypto. I think this is one of the most important points on adopting crypto and the blockchain itself. A few months ago, I made a LinkedIn post to initiate a conversation with my network on this aspect. One study said that just with crypto mining, the global temperature will shoot up by two degrees centigrade by 2024. That is two degrees in two years, and it is a significant increase.

A Cambridge Institute study says that around 0.5% of global electricity production could be utilized by crypto mining. That is roughly the annual energy utilization of small countries like Sweden or Malaysia. That is how bad it is. And when you look at carbon emission, we have some data points, but of course, it needs further verification. I see a trend in terms of where all the numbers are. So, just for larger countries where a lot of this mining is happening, for instance, in China, they say that 130 million metric tons of CO2 is the net contribution.

I talked to a friend of mine running a carbon credit trading company. It is a listed company. I was surprised by the numbers he gave me. And very few know about these numbers. Look at it in terms of a single cryptocurrency transaction. You are running complex mathematical calculations to validate that transaction. This requires tremendous computational power, which consumes a lot of power. In terms of energy consumption, if you do a Bitcoin transaction, it uses the equivalent power to process two million standard credit card transactions. That is the energy it takes to watch up to 160,000 hours of YouTube videos. So, imagine YouTube servers running and consuming all that energy. You have to watch 160,000 hours of video for one Bitcoin transaction because you need certain numbers of confirmations to validate a transaction at the end of it. This transaction will replicate across all ledgers at the end of the day. So, by the time that replication happens, that is the amount of energy it will use. In simpler terms, it is equivalent to 70 days of the total energy that a typical U.S. household will consume for one Bitcoin transaction.

What impact could this have on the energy resources of a nation? How do governments address this?

I think we need to at least start talking about the problem. Awareness related to the environmental impact of cryptocurrency and crypto mining is not at the forefront. We need to discuss it, get different experts to provide their opinions, and formulate some policies. You must create a framework around it and involve the experts. For example, if you need to identify illegal crypto miners who use hundreds or thousands of machines for illegal crypto mining, you need to use data analytics for that. In Venezuela, for instance, they have a history of illegal miners, and because of this, they had a power crisis. So, they used data analytics to identify 100 miners and take legal action.

We need regulation and then analytics. I know India has a draft bill on cryptocurrencies. It will be interesting to see whether crypto mining is addressed in it — or is it just about trading cryptocurrencies, because mining itself is an important piece. This is especially true for India, where most of our power gets generated from non-renewable sources. Today, we are fast moving towards renewable sources. And I have seen that a lot of miners go towards colder regions. That is because less cooling is required, and it is a very thin margin kind of enterprise. So, if you can reduce your cooling bill, that is a lot of savings. It is generally concentrated towards colder regions of the world where they do that. I think governments need to proactively address this through various means.

Cryptocurrency exchanges are the new attack targets for hackers. A recent example is BitMart, which lost approximately $150 million in cryptocurrency assets in what it called a “large-scale security breach.” Attackers had stolen a private key and compromised two of the exchange’s hot wallets, on the Ethereum (ETH) blockchain and the Binance Smart Chain (BSC).

What can the exchanges do to protect themselves and their users? What do users need to do to protect their hot wallets? Since these are not centrally regulated, what kind of legal provisions are in place to enable the exchanges to penalize attackers when they are traced?

We have seen how the big exchanges were brought down completely, and some went out of business overnight. And that is the weak link: crypto exchanges do not only make trades, but they are quasi-custodians of your wallet, and they have access to your wallet because your private key is stored with them. It is on the blockchain, though. It is impossible to offer 100% protection for exchanges, because cyber is an area where you always have to plan for contingencies.

But I am reading more about the zero-trust model, which I think is valuable for exchanges. It is often an insider attack, or the attack vector is within the company, which gets exploited. It could be an employee or vendor who has access to maintenance. Or perhaps a developer writing the code for the trading platform has intentionally created some backdoors. There are incidents where ransomware hackers pay employees a commission of up to 20% to run a file on the server. You can never rule out insider involvement.

To address this, you need to look at independent custodians; for our capital market exchanges, we have CDSL (Central Depository Services Limited) and NSDL (National Securities Depository Limited) as independent custodians of our Demat accounts. That is where our shares reside. So, these independent custodians will ask us for an OTP verification for the transaction – and not the exchanges. Similarly, we could have independent custodian firms as custodians of the wallets. There could be a model where the offline wallets are with the end customer. And the offline wallet could automatically sync with the exchanges. So, the exchanges are not keeping your coins or tokens.

The offline wallet (cold wallet) could be backed up to a USB pen drive, laptop, or phone. It could be on a piece of paper. You could print out certain words, and that is your coin. So having a tiered approach to storing these coins is more secure. On the other hand, having all your coins with the exchange is risky because they also have your private key.

So, to strengthen their defenses, a zero-trust model with independent custodians, plus a hybrid wallet model, also de-risks the exchanges. Of course, that will result in some disruption to their business models. For example, some exchanges deposit your coins for an annual percentage return. This may not be possible in such cases, but the risk is far higher for an exchange that has your wallets online with them (hot wallets).

Are you suggesting a mix of cold and hot wallets? What else could be done to ensure resiliency and minimize downtime due to code vulnerabilities being exploited?

Yes, hybrid wallets. You have the wallet at the exchange keeping the user data, but then it gets transferred T+1 or end of the day to the user’s wallet (cold wallet), which resides with them offline. Both cold and hot wallets could be used during a trading session.

I think trading platform resilience is very important. That is always the case, with capital market exchanges or crypto exchanges. Trading platforms are high-frequency platforms, so you have millions of texts transmitted in one second, resulting in an order getting placed. The coding of that must be robust to facilitate the performance. But at the same time, looking at it from a security perspective is very important. It is about making sure every source code or application developed is reviewed thoroughly by multiple parties. Changes should be tracked from a security perspective, not just a functionality perspective. If something goes down, they should revert to the older version to ensure that the exchange runs. Crypto exchanges run 24×7, unlike our capital market exchanges, which shut down in the afternoon or the evening. Market exchanges have time for maintenance and upgrades. But that is more difficult for crypto exchanges since they run 24×7. So, they must have backup environments. And it’s slightly complicated, but by ensuring that the trading platform is thoroughly checked, they can provide defenses to implement two-factor at every stage. And when you implement a zero-trust model, a lot of that gets addressed.

What do you see as the big trends coming in 2022? What are the opportunities that exist?

I closely monitor the developments around quantum computing. Some companies are very close to building a retail version of a quantum computer. Whenever such a computer is available, it will transform this space overnight.

I also look at the zero-trust model and how it is evolving because I think that is a very good model to address all the challenges we face with our existing perimeter security and access control model.

I am also looking at the personal data protection regulation and the new challenges and opportunities that it will create. Compliance is a challenge for corporations trying to protect their data assets. It is also about individuals knowing their privacy rights and options if that data gets stolen or compromised.

There are opportunities too. The multinationals will have to build an infrastructure within India to address all the data-related challenges within the country (data residency). There is a huge demand for workforce and technology components, which India can address because we have a lot of talent. But we must see how different sectors adopt it. We already see financial services adapting to data localization, even though some companies take longer. I am seeing this with other industries such as pharmaceutical and life sciences, from data privacy and data confidentiality perspectives. Here they will focus more on protecting their IP and their data within the country. I see the measures they must put in place because these companies also deal with sensitive personal information of many people.

Take hospitals, for instance. Many U.S. hospitals have been impacted by ransomware in the past two years because they have sensitive personal data. Hackers know that they will not benefit much if they attack a steel company. But hospitals have critical data on which they rely for their operations, so the risks are higher.

In terms of technologies, we will see more use cases for blockchain. It will be used for transmitting documents and maintaining integrity, which is crucial.

Cybersecurity and forensics will also use blockchain. If you have an evidence chain of custody logs, how do you maintain the integrity and authenticity of that data? This is most important when something goes wrong. The insider threat is an area where companies will not trust a user because they are employees. They have to look at a customer, a vendor, or an employee, and observe how they behave. Based on that, they will profile the person and then create rules and access controls around the person’s behavior. Machine learning will play a key role because it is a rule-based analysis, and it cannot be done manually. All of this will be machine learning-based with human input for authorization. We will see more use of machine learning and artificial intelligence in cybersecurity. This is a space to watch out for.
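The chain-of-custody integrity problem Amit raises rests on the primitive a blockchain is built from: a hash chain over the log entries, with the current chain head authenticated under a key. The code below is an added example by the editor, not Amit's proposal or any product's code; the signing key, entry fields and sample custody entries are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical key used to authenticate the chain head (an assumption for this
# example; in practice it would live in an HSM or KMS, never in source).
LOG_KEY = b"example-custody-log-key-not-for-production"

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Every entry commits to the digest of the previous entry, so editing,
    deleting or reordering any past entry breaks every later link.
    """

    def __init__(self):
        self.entries = []

    def append(self, ts: str, evidence_id: str, action: str,
               custodian: str, evidence_sha256: str) -> str:
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "evidence_id": evidence_id,
            "action": action,
            "custodian": custodian,
            "evidence_sha256": evidence_sha256,
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        body["digest"] = _digest(body)
        self.entries.append(body)
        return body["digest"]

    def head_tag(self) -> str:
        # HMAC over the latest digest: an attacker who rewrites the whole file
        # can rebuild a self-consistent chain, but not this tag, without the key.
        head = self.entries[-1]["digest"] if self.entries else GENESIS
        return hmac.new(LOG_KEY, head.encode(), "sha256").hexdigest()


def verify_chain(entries, head_tag=None):
    """Return (True, None) if the chain is intact, else (False, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "digest"}
        if body.get("seq") != i or body.get("prev") != prev or _digest(body) != e.get("digest"):
            return False, i
        prev = e["digest"]
    if head_tag is not None:
        expected = hmac.new(LOG_KEY, prev.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, head_tag):
            return False, len(entries)
    return True, None


# Constructed sample entries (timestamps, IDs and evidence hashes are made up).
SAMPLE = [
    ("2022-12-01T09:00:00Z", "EV-001", "seized", "analyst-a", "aa" * 32),
    ("2022-12-01T11:30:00Z", "EV-001", "imaged", "analyst-b", "aa" * 32),
    ("2022-12-02T08:15:00Z", "EV-001", "transferred", "analyst-c", "aa" * 32),
]


def build_sample_log() -> CustodyLog:
    log = CustodyLog()
    for row in SAMPLE:
        log.append(*row)
    return log


def tamper_in_place(entries):
    """Attacker edits one historical entry without touching the digests."""
    bad = copy.deepcopy(entries)
    bad[1]["custodian"] = "analyst-x"
    return bad


def rewrite_attack(entries):
    """Attacker edits an entry and rebuilds every digest after it."""
    log = CustodyLog()
    for e in entries:
        custodian = "analyst-x" if e["seq"] == 1 else e["custodian"]
        log.append(e["ts"], e["evidence_id"], e["action"], custodian, e["evidence_sha256"])
    return log.entries


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log.entries, log.head_tag()))                  # (True, None)
    print(verify_chain(tamper_in_place(log.entries)))                 # (False, 1)
    print(verify_chain(rewrite_attack(log.entries)))                  # (True, None): chain self-consistent
    print(verify_chain(rewrite_attack(log.entries), log.head_tag()))  # (False, 3): head tag catches it
```

The two attack helpers show why the key matters: a plain hash chain detects an edit that leaves the digests alone, but an attacker with write access to the whole log can simply re-hash everything after the edit, and only the keyed head tag (or, in a blockchain deployment, the copies held by other parties) exposes that rewrite.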

About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and holds basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

JSON-based SQL injection attacks trigger need to update web application firewalls



Security researchers have developed a generic technique for SQL injection that bypasses multiple web application firewalls (WAFs). At the core of the issue was that WAF vendors had not added support for JSON syntax inside SQL statements, which let attackers hide malicious payloads from the WAF's SQL detection.

The bypass technique, discovered by researchers from Claroty’s Team82, was confirmed to work against WAFs from Palo Alto Networks, Amazon Web Services (AWS), Cloudflare, F5, and Imperva. These vendors have released patches, so customers should update their WAF deployments. However, the technique might work against WAF solutions from other vendors as well, so users should ask their providers if they can detect and block such attacks.

“Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud,” the Claroty researchers said in their report. “This is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems. WAFs offer a promise of additional security from the cloud; an attacker able to bypass these protections has expansive access to systems.”

Bypass found while investigating other vulnerabilities

The Claroty researchers developed this attack technique while investigating vulnerabilities they found in a wireless device management platform from Cambium Networks called cnMaestro that can be deployed on premises and in the cloud. The cloud service operated by Cambium provides a separate isolated instance of the cnMaestro server for each customer and uses AWS on the backend.

The team found seven vulnerabilities in cnMaestro including a SQL injection (SQLi) flaw that allowed them to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes from the server database. SQL injection is one of the most common and dangerous web application vulnerabilities and allows attackers to inject arbitrary SQL queries into requests that the application would then execute against the database with its own privileges.

After confirming their exploit worked against an on-premises deployment of cnMaestro, the researchers attempted it against a cloud-hosted instance. From the server response, they realized that the request was likely blocked by AWS’s web application firewall, which detected it as malicious.

Instead of giving up, the researchers decided to investigate how the AWS WAF recognizes SQL injection attempts, so they created their own vulnerable application hosted on AWS and sent malicious requests to it. Their conclusion was that the WAF uses two primary methodologies for identifying SQL syntax: searching for specific words in the request that it recognizes as part of SQL syntax and attempting to parse different parts of the request as valid SQL syntax.

“While most WAFs will use a combination of both methodologies in addition to anything unique the WAF does, they both have one common weakness: They require the WAF to recognize the SQL syntax,” the researchers said. “This triggered our interest and raised one major research question: What if we could find SQL syntax that no WAF would recognize?”

WAF vendors overlooked JSON in SQL

Starting around 10 years ago, database engines started to add support for working with JSON (JavaScript Object Notation) data. JSON is a data formatting and exchange standard that’s widely used by web applications and web APIs when talking to each other. Since applications already exchange data in JSON format, relational database engine creators found it useful to allow developers to directly use this data inside SQL operations without additional processing and modification.

PostgreSQL added this capability back in 2012, with other major database engines following over the years: MySQL in 2015, MSSQL in 2016 and SQLite in 2022. Today all these engines have JSON support turned on by default. However, WAF vendors did not follow suit, probably because they still considered this feature as being new and not well known.

“From our understanding of how a WAF could flag requests as malicious, we reached the conclusion that we need to find SQL syntax the WAF will not understand,” the Claroty researchers said. “If we could supply a SQLi payload that the WAF will not recognize as valid SQL, but the database engine will parse it, we could actually achieve the bypass. As it turns out, JSON was exactly this mismatch between the WAF’s parser and the database engine. When we passed valid SQL statements that used less prevalent JSON syntax, the WAF actually did not flag the request as malicious.”

After confirming that the AWS WAF was vulnerable and that JSON could hide their SQLi exploit, the researchers wondered whether other WAFs had the same loophole. Testing WAFs from several major vendors proved their suspicion correct: JSON syntax bypassed SQLi defenses with only minimal modifications from vendor to vendor.
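To make the parser mismatch concrete, here is an added example (the editor's, not Team82's code or any vendor's signature set) that models the keyword-matching methodology described above with a toy regex filter placed in front of a deliberately vulnerable SQLite query. It assumes the Python build's SQLite has the JSON functions compiled in (the default since SQLite 3.38, and enabled on most distributions before that); the schema, filter patterns and payloads are constructed for illustration.

```python
import re
import sqlite3


# Constructed sample database (not from the article or from cnMaestro).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);"
        "INSERT INTO users(name, pw_hash) VALUES ('alice', 'hash-a'), ('bob', 'hash-b');"
    )
    return conn


# Toy keyword-based "WAF" modelled on the first methodology the article describes:
# look for tokens it recognises as SQL syntax. It knows nothing about JSON functions.
CLASSIC_SQLI = re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b|\bselect\b|--|;|\bsleep\b)")


def naive_waf_blocks(value: str) -> bool:
    return CLASSIC_SQLI.search(value) is not None


# The same toy WAF after the kind of fix the vendors shipped: JSON functions and
# operators are now treated as SQL syntax too. The names are real SQLite/MySQL/
# PostgreSQL ones, but this list is illustrative, not a vendor's signature set.
JSON_SQLI = re.compile(r"(?i)(json_extract|json_valid|json_type|json_value|->>?|@>)")


def json_aware_waf_blocks(value: str) -> bool:
    return naive_waf_blocks(value) or JSON_SQLI.search(value) is not None


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: the user-controlled value is concatenated into the query.
    sql = f"SELECT pw_hash FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    # The durable fix: a bound parameter is never parsed as SQL, JSON syntax or otherwise.
    return [row[0] for row in conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,))]


# Constructed payloads.
CLASSIC_PAYLOAD = "' OR 1=1--"
# The same tautology expressed through SQLite's JSON syntax: json_extract returns 1,
# and nothing in it is a token the naive filter knows.
JSON_PAYLOAD = "' OR json_extract('{\"a\":1}', '$.a') = 1 OR 'x'='"


def demo() -> dict:
    conn = make_db()
    return {
        "classic_blocked_by_naive": naive_waf_blocks(CLASSIC_PAYLOAD),
        "json_blocked_by_naive": naive_waf_blocks(JSON_PAYLOAD),
        "json_blocked_by_aware": json_aware_waf_blocks(JSON_PAYLOAD),
        "json_payload_against_vulnerable": vulnerable_lookup(conn, JSON_PAYLOAD),
        "json_payload_against_safe": safe_lookup(conn, JSON_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive filter stops the textbook tautology but passes the JSON-shaped one, which SQLite evaluates without complaint and which dumps every password hash. Adding JSON function names to the signature list closes this particular gap, and that is essentially what the vendors did, but a signature list is always one unknown syntax away from the next bypass; the parameterized query in safe_lookup returns nothing for either payload because the value is never parsed as SQL at all.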

The researchers reported the issue to the vendors they found vulnerable and also contributed their technique to SQLMap, an open-source penetration testing tool that automates SQL injection attacks. This means the bypass technique is now publicly available and can be used by anyone.

“Team82 disclosed its findings to five of the leading WAF vendors, all of which have added JSON syntax support to their products,” the researchers said. “We believe that other vendors’ products may be affected, and that reviews for JSON support should be carried out.”

Copyright © 2022 IDG Communications, Inc.

In-house vs. Outsourced Security: Understanding the Differences



Cybersecurity is not optional for businesses today. Ignoring security can result in a devastating breach or a productivity-sapping attack on the organization. But for many small- and medium-sized businesses (SMBs), the debate often revolves around whether to hire a third party or assemble an in-house security operations team.

Both options have their own pros and cons, but SMBs should weigh several factors to make the best decision for their own unique security needs. An in-house team, a managed security services provider (MSSP), or even a hybrid approach can make sense for various reasons.

Before choosing to build an in-house security team or outsource to an MSSP, businesses must first evaluate their unique needs to ensure the choice lays a foundation for future success.

Weighing control vs. costs

The obvious reason for assembling your own security team is control and immediate knowledge of what goes into your security operations.

“Handling security internally means you will sometimes have better visibility and centralized management,” says Scott Barlow, vice president of global MSP and cloud alliances at Sophos. “That said, if you outsource with the right service provider, visibility into what is going on should not be an issue.”

For many smaller organizations, the cost of running an in-house security program is prohibitive. Hiring skilled security specialists is expensive, and they are often difficult to find. They require regular training, and certifications must be kept fresh – typically at a cost to the employer.

“When you outsource to an MSSP, you will be paying a lot less than paying a senior security executive,” Barlow says. “I suggest that organizations conduct a cost analysis of outsourcing compared to paying salaries. Much of the time, it’s better to outsource.”

There are also technology and license costs to consider. Keeping software licenses up to date can consume both time and money, whereas working with an MSSP means access to the latest technology without worrying about license costs.

If both are important, try a hybrid model

Of course, some large organizations might need an in-house security presence.

“Generally, the larger you become, the more you need someone internally. That is where a co-managed model makes the most sense,” Barlow says.

In a hybrid model, companies tap outside support to collaborate with an internal security executive or team. This approach allows for more scalability while also providing the business with plenty of expertise through their relationship with the MSSP.

“Maybe you want to outsource a portion of the services because you can’t cover 24-7. Or maybe you need coverage on weekends,” Barlow says.

One major benefit to tapping outside support: your in-house team will have more time to focus on mission-critical objectives.

“With a hybrid approach, the internal IT and security teams can pivot to focus on more revenue generating activities,” Barlow says.

Prevention or Detection: Which Is More Important for Defending Your Network?



When it comes to physically protecting a building, you have two primary defenses: prevention and detection. You can either prevent people from entering your property without your permission, or you can detect when they have already trespassed. Most people would prefer to prevent any trespassing, but a determined adversary will always be able to gain access to your building, given enough time and resources. At that point, detection becomes the only alternative.

The same holds true for protecting assets in the digital world. We have the same two primary defenses: prevention and detection. And just like in the physical world, a determined adversary is going to gain access to your digital assets, given enough time and resources. The question will be: How quickly are you able to determine that an adversary has penetrated your network?

If you can’t prevent, you must discover

This is where detection comes in. Do you have the right tools and procedures in place to find attacks quickly while they are occurring? Most businesses do not. It takes days, weeks, and often even months before an attack is discovered. The gap between breach and discovery is known as dwell time; industry estimates put it at more than 200 days on average, and IBM's Cost of a Data Breach report put the average time to identify and contain a breach at 280 days. If it takes this long to discover that an attack is in progress, it may be impossible to determine the root cause unless you have enough historical data to review.

Therefore, it is at least as important, and arguably more important, to invest in the ability to detect that a breach has occurred as it is to confirm that specific firewall (FW) or intrusion detection system (IDS) rules have prevented an attack. New attacks appear all the time, and bad actors are constantly finding new ways into your network. Assume that at some point one of them will get through. What matters then is whether you see the intrusion as it happens, or shortly after, or only weeks or months later. In the latter case, do you still have enough historical data to establish when the attack started, or will that data be gone by the time you notice something is wrong?

Saving the data you need

It is important to have several months’ worth of data so that you can go back and determine the initial compromise on your network. Having an advanced network detection and response (NDR) tool such as NETSCOUT’s Omnis Cyber Intelligence (OCI) can ensure that you have the data you need. OCI stores all of the relevant information, including layer 2-7 metadata and packets that you need to determine the root cause of an attack—not just flow data that won’t help in this situation.

How much historical network traffic are you storing? Do you have enough data to go back and research the start of an attack if it occurred 200 days ago? Or are you going to rely on catching bad actors faster than the industry average? It is important to understand the need for leveraging both prevention and detection capabilities and ensuring that you have enough storage to thoroughly investigate an attack when it occurs.
