Category Archives: Blockchain

My imagination – New way of money laundry evade regulations

We heard turmedous crypto currency heist this year (see below). Do you  think is it a trick? Let’s think it over. The refund of the fees after heist is a grey area of regulator custodian.Since the money is a new sources far away from criminal activities revenue.How to using legal regulation forfeiting their money.Let’s think it over. How to dick out the money on a secure platform. Is it luck or counterfeit message with phishing technique. I believe that this is a old technique. How to evade the legal enforcement proceed legal action to forfeiting their money. End of Jan 2018 – Coincheck $530 million cryptocurrency heist may be biggest ever 2nd week of Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million.

Feb 2018 – BitGrail Cryptocurrency Exchange Becomes Insolvent After Losing $170 Million:

https://www.youtube.com/watch?v=Sb2_ZBcS7NE

Jan 2018 – Coincheck heist discussion:

Doubt – $530 million cryptocurrency heist

Doubt – $530 million cryptocurrency heist

As we know the most common cryptocurrencies are Bitcoin, Ethereum,Ethereum Classic, Monero, Litecoin, OmiseGO, Ripple & Zcash. Fundamentally NEM Smart Asset System more secure than bitcoin. The NEM Blockchain utilizes a Proof-of-Importance calculation (rather than Bitcoin’s Proof-of-Work or PIVX’s Proof-of-Stake) to accomplish accord through a procedure that boosts dynamic support in the system. NEM is a peer-to-peercryptocurrency and blockchain platform launched on March 31, 2015. But the value of each coin is underestimation. Why hacker target to NEM. Do you think hacker willing to engage hacking in difficult way ?

Information update on 29th Jan 2018 – CNN claimed that this cryptocurrency heist is the biggest amount. Such huge value of financial lost wasn’t happened before! See below url for reference.

http://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-japan/index.html

Another reference:

My speculation – How’s coincheck loses ¥58 billion dollars value of cryptocurrency

My speculation – How’s coincheck loses ¥58 billion dollars value of cryptocurrency

Incident background:

Japan-based company said hackers broke in at 02:57am local time on Friday (12:57pm EST on Thursday, 25 January).

Financial lost: ¥58 billion dollars value of cryptocurrency

Cryptocurrency type: NEM (XEM)

Victim: coincheck.com

Cyber attack historical incident record

The most recent cryptocurrency heist happened on February 2014. The victim firm is Mt. Gox. A bitcoin exchange in Japan. The heist value amount less than ¥48 billion. Coincheck started in August 2014 and is operated by Coincheck, inc. Similar of incident did not happen in past.

Coincheck current cyber defense mechanism

Coincheck provides Two-Factor Authentication and Cold Storage.

Remark: Cold storage in the context of Bitcoin refers to keeping a reserve of Bitcoins offline. Methods of cold storage include keeping bitcoins: On a USB drive or other storage media. On a Paper wallet.

Coincheck follow JBA’s guidelines to ensure customers can have use coincheck’s services in secure (For more details, please see below url for reference).

http://jada-web.jp/wp-content/uploads/2015/01/SummaryofGuidelinesforJADA_v1-0_20141023.pdf

Secure Random Number Genaration – Customer don’t need to worry about vulnerability because coincheck’s wallet use RFC6979, a secure way for generating random numbers.

Remark: RFC 6979 makes ECDSA DPA vulnerable at 2 levels.

  • Control all in first step of RFC, except x which is the secret key K=HMAC_K(V || 0x00 || int2bytes(x) || bits2bytes(h1))
  • s = kinv (h + r.d): kinv is not known but always fixed for the same input

Key factor found on this incident

Yusuke Otsuka, Chief Operating Officer of Coincheck, said the stolen funds were kept in an online ‘hot wallet’ as opposed to a much more secure offline ‘cold wallet.’ However the officical spokeman says that bitcoins are to be stored offline when they are not being traded. Meanwhile CEO Koichiro Wada said its bitcoins were indeed stored offline but that the more than 5 million NEM coins that were stolen were not.

Observation:

According to the NEM (XEM) platform architecture (refer to above diagram) and the statement provides by the CEO (see below). A hints bring my attention to their company internal network. See whether is there insider threat happen in their office?

Quote: “bitcoins were indeed stored offline but that the more than 5 million NEM coins that were stolen were not.”

Speculation:

It looks that implant malicious code then infiltrate malware to the distributed ledge system not easy to success. Since two factor authentication has been implemented. And therefore each transaction will be acknowledged on both parties (bitcoin exchange and end user). May be you can say hacker can counterfeit the SMS message by SS7  flaw. However such huge amount of transaction will be waken support staff.  So I believe that the cyber incident happen this time may have following possibilities.

  1. Phishing email embedded web site cross site scripting and CSRF token is a popular way to stolen the user credential.
  2. Admin console or workstation encountered malware infection.
  3. A Zero day encountered on their open source application.

Summary:

Above assumption is my speculation on hearsay evidence and headline news. Let’ me keep my eye open and provide the status update to you guys afterwards.

Reference – information update on 28th Jan 2018

https://www.japantimes.co.jp/news/2018/01/27/national/cryptocurrency-exchange-coincheck-loses-58-billion-hacking-attack/

https://www.reuters.com/article/us-japan-cryptocurrency/hacked-tokyo-cryptocurrency-exchange-to-repay-owners-425-million-idUSKBN1FH03D

Information update on 29th Jan 2018 – CNN claimed that this cryptocurrency heist is the biggest amount. Such huge value of financial lost wasn’t happened before! See below url for reference. As we know the most common cryptocurrencies are Bitcoin, Ethereum,Ethereum Classic, Monero, Litecoin, OmiseGO, Ripple & Zcash. Fundamentally NEM Smart Asset System more secure than bitcoin. The NEM Blockchain utilizes a Proof-of-Importance calculation (rather than Bitcoin’s Proof-of-Work or PIVX’s Proof-of-Stake) to accomplish accord through a procedure that boosts dynamic support in the system. NEM is a peer-to-peercryptocurrency and blockchain platform launched on March 31, 2015. But the value of each coin is underestimation. Why hacker target to NEM. Do you think hacker willing to engage hacking in difficult way ?

http://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-japan/index.html

cpp-ethereum vulnerabilities do not ignore!

Preface:

The cyber attack wreak havoc today. Perhaps system applications and operation system hard to avoid vulnerability occurs because of short development cycle. Crypto currency might change the financial world. However there are more and more topics are under development.

Technology background

Ethereum is an open software platform based on blockchain technology that enables developers to build and deploy decentralized applications.

What language is Ethereum written in?

There are four official reference implementations available (see below)

Golang, C++, Python and  Java

The non-officially but fully working program language are Rust, Ruby, JavaScript and Solidity. However there are design limitation occurs on Golang which causes software developers decide not to use.

Why “Go” language not have been chosen by software program developers?

The question about generics in Go is years old, and has been discussed up and down and forth and back across the Go forums, newsgroups, and email lists. However Go is a language with an intentionally restricted feature set; one of the features that Go leaves out being user-defined generic types and functions.

In short, it looks that Go language lack of traditional program language flexibility. Perhaps Go (Golang) libraries work best for scientific computing. A comment consensus is that Go might evolve into the perfect high performance computing language for scientific use. And therefore programming developer prefer to make use of other programming language.

However cyber world similar a dangerous zone. The operation system, application and hardware are difficult to avoid their design weakness (vulnerabilities). The situation sounds like a cancer in Human body. The cancer evoluted by a normal human being cell.

There are vulnerabilities found on cpp-ethereum last year end. A status update released on 18th Jan 2018.

Should you have interest of this topic, please find below details for reference.

An exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12113

An exploitable unhandled exception vulnerability exists in multiple APIs of CPP-Ethereum JSON-RPC. Specially crafted JSON requests can cause an unhandled exception resulting in denial of service.

https://nvd.nist.gov/vuln/detail/CVE-2017-12119

An exploitable improper authorization vulnerability exists in miner_setGasPrice API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12116

An exploitable improper authorization vulnerability exists in miner_setEtherbase API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12115

An exploitable improper authorization vulnerability exists in admin_addPeer API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12112

An exploitable improper authorization vulnerability exists in admin_peers API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12114

An exploitable improper authorization vulnerability exists in miner_stop API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12118

An exploitable improper authorization vulnerability exists in miner_start API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12117

An exploitable information leak/denial of service vulnerability exists in the libevm (Ethereum Virtual Machine) `create2` opcode handler of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read leading to memory disclosure or denial of service.

https://nvd.nist.gov/vuln/detail/CVE-2017-14457

Summary:

There were 40,135 transactions on Ethereum blockchain on 5/17/2017. On January 25, 2018 Ethereum now is a bit over $1050. Perhaps of the crypto currency value it will lure the interest of the hacker. As usual another vulnerabilities or zero day cyber attacks might happen later on. So make sure that you have remediation and mitigation procedure if your Ethereum back-end is develop by C++.

 

The stronger encryption power you have. The greater the risk being attacks.

A new mantra , some people quit the bitcoin business whereby some people catch up immediately! Such statement precisely describe current situation of bitcoin industry. A South Korean bitcoin exchange has filed for bankruptcy after being hacked again. They are decide to quit. It surprise to us with advanced secure platform causes such tragedy. But malware infection and DDoS attack not green to IT world today. Be brave to facing difficulties. Your new era is coming. A visible hints to re-engineering your cyber defense model in according  of  Lockheed Martin the Seven Ways (Cyber Kill Chain). You can figure out existing weakness of bitcoin technology architecture model. Perhaps sad feeling bring to bitcoin world is that they did not paid the attention on end-point wallet security management and manged security services. The trend is on the way, even though we are not belongs to this industry. Let’s you and me become the witness of this age!

More details of Youbit Bitcoin exchange quits operation see below url:

https://qz.com/1160573/bitcoin-exchange-youbit-files-for-bankruptcy-in-south-korea-after-latest-hack/

Dig out more in regards to e-wallet security information see below url:

Perspective of e-Wallet Vulnerability

Is Quantum technology an existential threat to blockchain?

The world are obsessed with Bitcoin.We heard Quantum Computing earlier this year.Quantum computing found quantum bit theory. Boolean Algebra base on ‘AND’, ‘OR’ And ‘NOT’ condition. Therefore implementing to Quantum bit might have problem(attach picture can provide hints)! Blockchain theory empower cryptocurrency powerful features.But blockchain technology work with tradition computer. So, Quantum technology is blockchain technology enemy! The quantum computing is the traditional currency bodyguard.Following url can provide the hints.

https://singularityhub.com/2017/11/05/is-quantum-computing-an-existential-threat-to-blockchain-technology/

Information security perspective -Hyperledger (Blockchain Technology) article shown as below:

Overview of hyperledger (Blockchain Technology) security design

 

Overview of hyperledger (Blockchain Technology) security design

Preface

The deluge push the earth to next generation. The scientists found Noah’s Ark fingerprint on top of the hill in India. The tremendous trend of the cryptocurrency (Bitcoins) like deluge. It such a way change the financial industry framework.

The fundamental technology concept

What is the difference in between blockchain and hyperledger?

A consensus of the blockchain technology foundation have the following idea. The blockchain technology feature better implement in public ledger that is crypto currencies. Hyerledger should have benefits to business industries. Since the fundemental of the cryptocurrencies concept is a direct electronic payment.The specific technology objectives encryption and integrity of the record (it cannot counterfeit), once the block is use it cannot be use reuse anymore.

 

As times go by, the cyber attack incidents on IT technology world bring the enhancement idea to blockchain technology. In order to cope with on-going technology and business perspective. Blockchain technology transform the technology focus to enhance its framework structure. And therefore hyperledger was born.The most popular hyperledger framework models are the following models.

Refer to the Hyperledger Modular Umbrella approach. Each Hyperledger framework empower different advanced function in order to cope with business industry requirements.

There are total 5 different framework of approach.

Burrow Framework

Provides a modular blockchain client with permissioned smart contract interpreter partially developed to the ethereum virtual machine (EVM) specification.

From security point of view: Eris makes use of Docker containers for its services and much of the Eris and Tendermint tooling is written in Go.You’ll need to have at least as many EC2 instances available as you want nodes. Again, you’ll need at least four nodes for the network to operate. If you don’t want to use AWS to host your nodes, you’ll need to have access to hosts that have Go version 1.4.x and Docker version 1.8.x installed. The programming language is Go. This development language not popular but it is secure. But it is hard to find programmer familiar with GO programming background.

Observation: (CVE-2016-3958/CVE-2016-3959) Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function (CVE-2016-3958).

Iroha

An blockchain framework designed for simple and easy incorporation into infrastructure projects requiring distributed ledger technology.

From security point of view: Since Iroha framework contains the following features:

  • Creation and management of custom complex assets, such as currencies or indivisible rights, serial numbers, patents, etc.
  • Management of user accounts
  • Taxonomy of accounts based on domains — or sub-ledgers in the system
  • The system of rights and verification of user permissions for the execution of transactions and queries in the system
  • Validation of business rules for transactions and queries in the system

Comparing the actual functions (see below diagram). My comment is that the integrity check looks run in precise way on each transaction. Iroha try to improve the anti-tamper solution of the data. The fundamental design concept of Iroha focuses on Blockchain-based Data Management.

Observation: Since Iroha focuses on blockchain based data management. How about the end point protection? It looks the design did not provide a clear visibility on the end point.

Remark: The Iroha project is a bit of an outlier within Hyperledger. It originated with some developers in Japan who had built their own blockchain technology for a couple of mobile use cases. It’s implemented in C++ which can be more high performance for small data.

A modular platform designed for building, deploying and running versatile and scalable distributed ledgers. Heard that the Sawtooth consensus software targets large distributed validator populations with minimal resource consumption. “It may give us the ability to build very broad and flat networks of hundreds to thousands of nodes,” said Behlendorf. “It’s harder to do with traditional consensus mechanisms without having the CPU burden of cryptocurrencies.”

From security point of view: No conclusion at this moment.

Fabric Framework

An implementation of block chain technology intended as a foundation for developing blockchain application or solutions. Fabric is Hyperledger’s most active project to date. Hyperledger Fabric intends to offer a number of SDKs for a wide variety of programming languages. The first two delivered are the Node.js and Java SDKs.

From security point of view: Since the first two delivered are the Node.js and Java SDKs. In order to avoid the denial of service or avoid unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. It is better to make use of GO for application development in future.

Below details are the recently vulnerabilities occurred on above 2 programming languages for reference.

http://www.cvedetails.com/cve/CVE-2017-10388/

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

Indy

Sovrin is a specific deployment of the Hyperledger Indy codebase. Sovrin developed the Indy code base as part of its mission to build a global public utility for self-sovereign identity. Sovrin Foundation contributed the code to Hyperledger under the Hyperledger Indy brand to expand the developer community and allow greater participation. But Sovrin and Indy are distinct. Sovrin is a specific, operating instance of the Hyperledger Indy code that contains identities that are interoperable at the global scale.

Remark: The best way to start develop Sovrin would be with the Indy SDK. (Indy is the technology under Sovrin, and its SDK provides a C-callable library.

From security point of view: Vulnerability (Slow nodes can be stalled after a view change)

Description – The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number

Detail explanation: What if A is malicious, and C and D during a catch up get inconsistent catchup messages from A and B? Perhaps the PRIMARY declaration message needs a root hash, and f+1 consistent responses for both Last Ordered Batch number AND Txn Root Hash

Remedy: The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number.

Summary:

IT security from 90’s encountered virus infection till today malware infection causes data breach. The appearance of blockchain (hyperledger technology) goal to mitigation the data leakage issue. The design objective of the data encryption is going to protect your data. As of today, an advanced technology enhanced server side and data storage. Block chain technology breakthrough traditional key algorithm encryption. The hash encryption technique and blockchain (accumulate) (N+1) data encryption scheme awaken the world. However the product design limitation let hacker exploit the vulnerabilities and such away expand the risk to application layer including programming language. On the other hand a hidden factor in client side (end point) looks without significant improvement. Apart from that the smartphone geometric level of growth . So, I forseen that information technology world requires a new revolution to end point platform. See whether there is a new concept of client platform technology announces tomorrow?

Note: AWS, Azure and Office 365 are ready for Blockchain (hyperledger) services (see above diagram). Be a innovative IT management. Don’t wait. Now please try to jump to Blockchain (hyperledger) services. You will love it!

Status update 19th Feb 2018 – The deluge push the earth to next generation.Bitcoin and hyperledger technologies such a way transform their new generation to the financial business world. Dubai a former big brother leading the natural resources supply to the world especially petroleum. Now they are keen to leads bitcoin and hypledger technologies. I wishes of their success. See whether what is the new technique can be renovate the blockchain and hyperledger world.

 

 

Sunday (10th Dec 2017) – Crypto currencies won the battle at this moment.

On Sunday (10th Dec 2017), Chicago Board Options Exchange has allowed investors to place their bets on crypto currencies commodities. Seems Crypto currencies won the battle at this moment. Perhaps we now living in digital world. IoT, BYOD, AI, and enterprise firm keen to do the digital transformation. Similar Charles Dickens said in his famous fiction (A Tale of Two Cities), it was the best of times, it was the worst of times. Let’s celebrates Chicago Board Options Exchange has allowed investors to place their bets on commodities from corn to steel (see below URL – CNN News)

New step for Bitcoin’s wild ride: Futures trading

http://money.cnn.com/2017/12/10/investing/bitcoin-chicago-board-options-exchange/index.html

Would you mind someone sharing your CPU power during your site visit?

Sharing your power to do the bitcoin mining not a news. Seems the storm spread to Hong Kong. The unknown program implant to the web server which share your CPU resources during your site visit. It looks such method wreak havoc! But the threat occurs in children products web portal. Why? More than 90% of people feeling that hacker will not be interested of this industry. But sharing your CPU power might operating in silent mode, right? Are you the victim of this attack? A simple and easy step to figure out the issue.You open your windows task manager. Then check your CPU resources utilization before and after close the specific web browser function.You will be figure out what is going on? Headline News details shown as follow:

Chinese language Newspaper article

https://hk.news.appledaily.com/local/daily/article/20171203/20233090

Another former discussion subject : Become a witness of new generation of financial age.For more details, please refer following url:

Become a witness of new generation of financial age. But be careful of hack.

 

Reveal block chain technology secret – he is the Genesis-of-Bible

Preface

Blockchain technology is the hottest topic last few years. Actually a similar of block technology already infiltrate into our world since genesis of the world. Do you still remember that in your student age attend chemistry lesson. A boring subject introduce the four principle orbitals (s, p, d, and f) which are filled according to the energy level and valence electrons of the element (see below for reference).  They are the block chain fundamental concept.

The genesis did not mentioned in high profile until blockchain technology do the renovation!

We are easy to find out the key elements of blockchain on internet. According to my observation so far, the result might not similar. My observation summary are function, element and the lifetime (life cycle). See below details for reference (another boring diagram)

The blockchain technology reveal those three items of key element since Bitcoin currency concept found 90’s. Bitcoin was invented by an unknown person or group of people under the name Satoshi Nakamoto and released as open-source software in 2009. The first impression of blockchain to the world is crypto currency (Bitcoin) until ENIGMA found another new idea of concept and announced to public in 2017.

Modern world concerning data privacy blockchain can do it better

In reference to technical article (Decentralized Computation Platform with Guaranteed Privacy) written by Guy Zyskind, Oz Nathan and Alex ’Sandy’ Pentland. It shown that an advanced encryption scheme (secure multi-party computation) provides more advance benefits comparing with key encryption concept.

Blockchain technology shown his expandable feature to the world he is not limit to cryptocurrency.

Enigma technology pioneer to introduce the expandability on blockchain features (see below):

Data marketplace, secure backend, internal compartmentalization, N-Factor authentication, identity,IoT, distrubuted personal data stores, crypto bank, E-Voting and Bitcoin Wallet.

Feature highlight

IoT: A fundamental weakness of IoT technology in regards to storage, manage and use (the highly sensitive) data collected by IoT devices in a decentralized area (trustless cloud). Blockchain technology is able to strengthen design weakness in data security area.

Transport layer security: We know traditional TLS (SSL) technology contained fundamental design weakness. Even though you are now using TLS 1.3, it is hard to guarantee the asymmetric cryptography will be encountered another vulnerability in future.

E-Voting: An data breach occurred last year (2016) on election of US president. Russian hackers targeted 21 US states’ election systems in last year’s presidential race. Blockchains are governed by a set of rules called the consensus protocol. These rules define which changes are allowed to be made to the database, who may make them, when they can be made. There are currently two main types of consensus protocol:

Proof of Work (PoW) and Proof of Stake (PoS)

Build a multi-environment secure infrastructure avoid data breach

We noticed that banking industry have tough and demanding compliance requirements. Some sort of policy they are not able to outsource the hosting facilities to cloud computing environment. As a matter of fact, I totally agree with their auditors concerns of data ownership and governance of data. We heard a data breach on Amazon Simple Storage Service (S3) — Cloud Storage this year. However the on-going technology trend is going to do the system integration to cloud computing. It looks that the IT world no way to escape the cloud technology integrate to their IT infrastructure. Block chain technology itself embedded strong encryption feature which can replace traditional network transport and data protection mechanism. Even though hacker break through the public cloud computing farm, hacker not easy to decrypt the data.

How about ransomware attack?

Blockchain solutions are decentralized – a scenario may happen that ransomware encrypted the data belongs to specifics cyber victim. But another range of clients may not affected.

Who’s is ready to playing this game?

Let’s do a review on current cloud facilities located in APAC country. In the meantime AWS did not install their hosting in China and Hong Kong. But service (blockchain-as-a-service) is available,The nearest zone which have AWS hosting facility installed is Singapore. In such a way bring the advantage to Microsoft Azure cloud became a market leader in this area (see below reference).

According to the blockchain key elements: function, element and life cycle. Blockchain can conduct like a theory apply to technology world without limitation.

Let take a closer look of blockchain processing sequence. The key elements are indicated on the diagram below.

Summary:

For those country who would like to implement the Smart City. Blockchain technology is the key project element which they cannot escape.

A Breakthrough for City Innovation driven by blockchain technology

  1. Single-sign-on facility provides every registered citizen with a free verified login with which they can securely connect and transact both locally and globally across both public and private services.
  2. A secure platform for innovation.
  3. Provides integrated solutions for local commerce across retailers, service providers, dining, and lodging internal system migrate to the cloud (blockchain-as-a-service).