Category Archives: Generic

Some considerations on finance, security and Apple, JP Morgan and Sony attacks

0
Filed under Generic, Security

There is a side that seems to be unnoticed everytime there is a big attack that made me write this article – I wanted to do some considerations on how finance securitity and latest Sony attacks (but not only) are linked.

It seems that lately, big, widespread attacks make it on the news more often, and are becoming increasingly aggressive. Although I can make some technical considerations on this (and will do an an article later next week), I saw something strange in how the markets react to security breaches (and will go more into why companies should – and probably will – invest more on security later on).

Let’s start with JP Morgan.
The data of as many as 76 milion households and 7 milion businesses leaked – to an unknown extend (account details?). This will certainly expose those individuals/entities to easy social engineering attacks, which will be extremely hard to relate to the attack. So, what was the answer of the market to the attack?

None. Yes, that spike down later on might have been related to the attack, but as you have seen was soon recovered.

Let’s go a bit back in time to another story that made it on the headlines: Apple data leakage.
The attack involved hundreds of well known individuals in the end of August. Did the market react to this? Well, yes, for a period, but then again, no substantial loss.

Now, moving to Sony. Sony has faced issues with their security sistems since years. From the Playstation Network to Sony attacks, there is never an end.
Watching the Sony chart, it seems that the cause of the drop was not really related to the attack, but certainly that didn’t help for the future outlook. And the latest attack, didn’t seem to affect the market (see pointing up in the last tick).

I can do these examples for a while, but point is, it seems that attacks, at least in the short term, don’t affect the companies considerably. Is this then a good reason to reduce the costs of security?

Well, here are some considerations from my side:

  • Stock market seems to react more on the generic feeling of insecurity than a quantitative loss of customers/income given by the attack. This, I assume, is because it is extremely hard to quantitatively define the extent of the loss.
  • There are discussions, even driven by Wall Street, to improve cyber security regulations. The process might take a while to consolidate as it is a fairly new concern – the extent of attacks we have seen this year were seldom seen before. Litigations and regulatory fines will help Wall Street to quantify losses and protect investors.
  • Last but not least, the actual cost impact should be considered. A generic estimate considers the data leakage cost (including regulatory fines, fees, legal costs and so on) to be somewhere between 90$ to 300$ per user. In the case of JP Morgan, a conservative estimate would be 150$ * 80000000, accounting for an astonishing 12B$ loss.

Companies should be more concerned than ever on security as this is bound to become a huge topic in the future, particularly given the fact that 0 days vulnerabilities are extremely hard to tackle. But as always, only time will tell how the market will evolve in that sense…

…One side note…
JP Morgan announced it will double its spending on security since 2015 moving to 500M/year – good news. But then again, will those money be spent in the right places?

Why Facebook experiment doesn’t surprise me

1
Filed under Generic
Tagged as

I don’t generally express opinions, this is not the scope of my blog. But I have always been fascinated as social engineering was always seen as part of the “hacking” process. First hackers used social engineering quite a lot; anyone found of security read the story of Kevin Mitnik when young? A lot of his work involved social engineering, rather than pure hacking. And how not to mention the controversial Stanford experiment?

Many similar stories I am sure can be told and I won’t go through them here, but human manipulation is an extremely fascinating topic (though spooky): hacking the human being. 

Now, the discussion is around the latest research made by Facebook on how emotions can be ‘propagated’ and Facebook, by filtering negative emotions (friends posts), can manipulate the mood of the readers.

Why could this worry some?

Facebook is perceived as some kind of big brother (not going there, many sites expand on the topic), and this kind of manipulation is considered ‘evil’. The way I see it, this could be an ingenious way to improve sales.

Mood manipulation has always been used for sales – from the car salesman, to tv adverts – showing an image to the possible buyer that pleases him/her (like, an unlikely grateful kid because the mom used a new washing powder, or the car salesman asking the possible buyer to imagine him/herself driving the new car with all comforts). Putting people in a good mood helps selling in general; making people panic could help selling some other products (say, a pepper spray).

The problem here is that whenever we see an advert, or go and buy a car, we go in “defensive mode” so, we are expecting to be tricked. This time this happened without us being ‘conscious’; but are we sure this is news?

Let’s think now about something very common in Hollywood: product placement (i.e. when the cool, main character opens the fridge and drinks a fresh cola). Isn’t this the same principle?

As TV viewers decline, this is where the big bucks are, and I see Facebook research as just the next, logical step to product placement. After all, for the new generations, Facebook and youtube are the new TV, only this time product placement can be more emotional, personalised – hence more effective. 

So, is avoiding Facebook the answer? This is up to the reader.

Facebook will just have more ‘manipulation’ power, as the filtered information will come from our friends; but thinking that the problem is and will be limited to Facebook would be naive. Cookies and IP addresses are continuously collected, and our information is gathered online regardless of Facebook. All in all, it is important for the user to limit the shared information and remember that internet as a whole is mined by advertising. So, next time we want to hear an unbiased opinion, it might be best to just ring our friend, and just expect, whenever we switch on a monitor or a tv, to be bombarded by ads…

Plaid CTF

0
Filed under Generic, Security

Plaid hack catch the flag game – wanted to play a little bit before the weekend but seems that people would rather DDOS it.. I wonder why there must always be someone spoiling the game…Or is it a way to gain some time?

Bitcoin mining: how profitable?

0
Filed under Generic

Now that we have gone through the theory, it is time to talk money and roll up our sleeves.
(you can read part1 if you need to refresh the basis!)

So, how profitable is mining?
Here the bad news start.
Remember in the previous article the difficulty rating? Initially a CPU was sufficient. It was OK to just use the CPU for some mining. But as we know, generic processors (i.e. CISC) are not exactly the fastest around, although they are good for multi-purpose instructions.

Then people started to use GPUs. GPU can execute routine jobs much more easily as that is all they were build for: execute instructions. But again, GPUs were not really designed to process bitcoin blocks.
But the era of GPU is now closing to an end as ASIC (application specific integrated circuit) – these have been designed for the specific purpose of processing bitcoin blocks.
Now, while everybody at home has a CPU or a GPU, ASIC hardware is basically useless for anything else other than mining bitcoins. And while with a good GPU we might have got close to 500MegaHash/second, with a little USB ASIC we could easily get 2.5 GHash (like my little redfury).

And here we can start doing a bit of maths. Given I was curious to test ASICs, I bought the redfury sticks, which cost around 100$/120$ each



Now, remember the difficulty rating? While I bought two of those, someone might have bought a whole lot – creating huge arrays with an investment of over 1000$. Newer ASICS are coming out (i.e. ice fury) – some even have dedicated ASIC servers.
In the meantime, difficulty goes up.

Now I have been mining since one month – at 5GH/s I managed to get around 0.02, which makes roughly 8.5$.


Funny thing is, many “pool” services (more about this later), will not pay under a certain threshold (in the case of eclipseMC that I am using, is 0.2)

At this rate (so, without difficulty increase), to make up the cost of the sticks, it will take me two years; without counting electricity cost. Of course though, if I was to invest 3000$ in a specified machine, I would probably be able to make money much faster and probably pay for the investment much faster.

But is it really worth it? This is what I think:

  • Assuming we can get 4000$ in mined bitcoin, is it really a sound investment? Bitcoins will need to be sold or re-used, but the virtual shops accepting bitcoins are just a bunch, while the 3000$ of investment were very real…
  • What if an exploit is found that will invalidate the bitcoins in the meantime? What will happen of the 4000$? Though I guess there is a risk of each investment but…
  • What happen if a new ASIC with 4000GH/s is found in the meantime, that increases the difficulty so much to make any effort with the current hardware pointless?
  • What happens if bitcoins devaluate considerably?

Again, risks are around the corner everywhere, but in this case I would really consider these factors before investing seriously (because this is the only way to make a return) – it might be less risky to invest in stock market!
As far as I am concerned, I can always say that I am also fascinated by how the redfury work, maybe with some PCAP I might be able to decrypt hashed passwords? Looks quite complicated but you never know, time will tell…

What are the alternatives?

Litecoin are a good alternative right now and as I write this article ASIC hardware is a fairly new thing. But is it worth investing good money in litecoin when Bitcoin already exists?

Get started!

This tutorial is for linux box… But should be easy for windows as well
The first thing to do, is finding a mining pool. Mining alone is not suggested as awards are given on block solved, and solving a block alone with a mere 5 GH/s is nearly impossible. A list of mining pools can be found here; though I found myself well with Eclipse mining consortium (which will not pay below 0.02bc). To get paid we need a wallet – coinbase is a good place to start. Desktop software without services can also do this but it will be necessary to download the block-chain… Can take a loooong time. Coinbase will give a wallet address fast and with no fuss. The wallet can be configured in the mining pool.

Create a new worker and password, these will be your username and password for the miner.

The next step is to configure the mining software. For ASIC hardware (and CPUs), cgminer is the best solution. Addresses to connect can be found here for eclipse MC, being myself in europe, I will use stratum+tcp://eu.eclipsemc.com:3333.
Under manage worker, it will be possible to create a new worker, and set the password. The worker can then be specified when cgminer starts:

Login

Fingers crossed, you should see the workers green, and the hashes flowing:

Conclusions
Mining was not made to be profitable. But Bitcoins have a huge potential, and value might still go up. If you decide this is something you are interesting in investing, give it a go, but it won’t be cheap!
One thing I found nice is that, given that I always leave my PC switched on, I can make good use of it to make a few pennies – maybe in three years I will have paid off my red furies and might be able to claim I got myself a beer out of it! :)

 


Bitcoin mining: a human introduction to the theory

0
Filed under Generic

For anybody not familiar with bitcoin, it is basically a peer to peer system to handle transactions of virtual money.

Here is a bit of a summary of how it works:
block – A block contains a set of transactions. But not only. It contains a mathematical puzzle to be solved and a reference to the previous block and more (see link to the bitcoin wiki)
block chain – A series of blocks together will compose the big “bitcoin db”, and a set of blocks is called a block chain. Every transaction can therefore be tracked to its source on bitcoin (well, at least to its crypto alias)
mining – And this brings us to our topic. Adding transactions to the block of chains will be done by miners. Given all the stuff included in a block, this is not an easy task… But will cover this in a bit.
Mining is rewarded through bitcoins.

An element, difficulty, is changed on a block level every 2016 blocks. Difficulty is created for the sole purpose of making a miner’s life hard. If the network was flooded with miners, blocks would be added to the chain one after the other and maintaining (costwise) the network would become increasingly difficult. Basically, the more processing power there is, the lower the shared income of miners.

Now, two weeks are used as a metric for the difficulty. If the 2016 blocks are found before the two weeks, it means there is a lot of processing power, and therefore difficulty can increase.
On the other hand, if the 2016 blocks were found after the two weeks, difficulty decreases.

Comes automatic that the number of miners since the bitcoin came to exist increased, and with it the difficulty… But more about my experiences there on the next post.

Started!

0
Filed under Generic

Fabytes.com has just booted up.

I’ll try to update it with posts on various topics, including security and, most importantly, some of my projects.

The first project I’d like to make public is ANNFiD.

ANNFiD is a tool to detect file types from mangled up files (such as the ones you get from file carving), it uses neural network to detect the type from the byte pattern. This makes the tool extremely flexible – it was created with a nice GUI so training the tool to detect additional files is quite easy, even without any coding knowledge.

There is still much to do such as publishing some instructions and adding new projects and definitely improve the page CSS… But I believe it is time to make some of my ideas available so that they can be improved.

I guess I will write back some time soon!